Friday, 27 April


Ubuntu 18.04 LTS (Bionic Beaver) released []

Ubuntu 18.04, a long-term-support release, is out. "Codenamed 'Bionic Beaver', 18.04 LTS continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs." It features a 4.15 kernel, a new GNOME-based desktop environment, and more. See the release notes and this overview for details.

View Not From a Hotel Window 4/26/18: Bradford, OH [Whatever]

And there’s a very nice sunset to welcome me home. 

There is one more event, at the Troy-Miami County Public Library, on Monday at 6:30, but it’s one I can drive to from my house. So for all the people who came to see me in all the places I had to fly and train to and from, thank you! Nearly every single one of you were fabulous.

And now I’m gonna sleep for a couple of days.


Schaller: Warming up for Fedora Workstation 28 []

Christian Schaller looks forward to the Fedora 28 release (which will evidently be the first on-time Fedora release ever). "The Spectre/Meltdown situation did hammer home to a lot of people the need to have firmware updates easily available and easy to update. We created the Linux Vendor Firmware service for Fedora Workstation users with that in mind and it was great to see the service paying off for many Linux users, not only on Fedora, but also on other distributions who started using the service we provided. I would like to call out to Dell who was a critical partner for the Linux Vendor Firmware effort from day 1 and thus their users got the most benefit from it when Spectre and Meltdown hit. Spectre and Meltdown also helped get a lot of other vendors off the fence or to accelerate their efforts to support LVFS and Richard Hughes and Peter Jones have been working closely with a lot of new vendors during this cycle to get support for their hardware and devices into LVFS."

Oakland: Stand Up for Community Control of Police Spy Tech [EFF Action Center]

The Surveillance and Community Safety ordinance is straightforward: it requires essential transparency and accountability for all surveillance technology proposals. It thus ensures the public has the opportunity to learn about the civil rights and civil liberties impact of surveillance technologies, and how they may burden minority and immigrant communities, before local officials acquire them.

The power to decide whether these tools are acquired, and how they are utilized, should not stand unilaterally with agency executives. Instead, elected City Council members should be empowered to approve or reject surveillance technology. Most importantly, all residents must be provided an opportunity to comment on proposed surveillance technologies and the policies constraining their use, before representatives decide whether to adopt them.

Public safety requires trust between law enforcement and the community served. It's time to tell your City Council members to stand with the people of Oakland in the fight to maintain the privacy and community safety the people of Oakland deserve.

Please write to the City Council and urge them to adopt the Surveillance and Community Safety Ordinance.


[$] Repurposing page->mapping []

The page structure is one of the most complex in the kernel due to the need to cram the maximum amount of information into as little space as possible. Each field is so heavily overloaded that developers prefer to avoid making changes to struct page if they can avoid it. That didn't deter Jérôme Glisse from proposing a significant change during two plenary sessions at the 2018 Linux Storage, Filesystem, and Memory-Management Summit, though. There are some interesting benefits on offer, but getting there will not be a simple task.

Feeds | Brexit Data Challenge event [Planet GridPP]

Brexit Data Challenge event (s.aragon, 27 April 2018 - 9:00am)

Linux applications on Chrome OS will use Material Design [OSNews]

After the recent news about Linux applications coming to Chrome OS, we now also know what they will look like. The Chrome OS developers have been working out the stylistic elements of what you'll see once you open your first native Linux apps in Chrome OS, and they've opted for Adapta, a popular Material Design-inspired Gtk theme that can be used on many of your favorite GNU/Linux distributions. This project may finally make Linux on the desktop happen.

Apple officially discontinues AirPort wireless router lineup [OSNews]

Apple has officially ended development on its AirPort line of products, which includes the AirPort Express ($99), the AirPort Extreme ($199), and the AirPort Time Capsule ($299). This makes me sad. I have the latest AirPort Extreme, and it's one of those products I have absolutely zero complaints about. It's easy to use, works like a charm, has far better performance than any other router I've ever had, and looks unassuming. If it ever fails, I'll probably take a look at something like Eero.

How the Nintendo Switch prevents downgrades [OSNews]

Downgrade prevention has been a cat-and-mouse game between consumers and companies since the inception of remote updates. The Nintendo Switch adopts a worrisome strategy of preventing firmware downgrades by permanently modifying your device every time it updates. While this isn’t a new concept (the Xbox 360 was doing it back in 2007), it is part of a greater effort to prevent end users from modifying their devices to their liking. The Nintendo Switch uses an Nvidia Tegra X1 SoC, which comes with a fuse driver. This allows it to programmatically blow fuses - permanently modifying the device, making it impossible to revert to a previous state. Despite being used in an anti-consumer manner, the technology is fascinating.

MacOS monitoring the open source way [OSNews]

Let's say a machine in your corporate fleet gets infected with malware. How would you detect it? How could you find out what happened on the machine? What did the malware do? Did it steal your browser's passwords? What network connections did the malware make? Was it looking for crypto currency? By having good telemetry and a good host monitoring solution for your machines you can collect the context necessary to answer these important questions. Proper host monitoring on macOS can be very difficult for some organizations. It can be hard to find mature tools that proactively detect security incidents. Even when you do find a tool that fits all your needs, you may run into unexpected performance issues that make the machine nearly unusable by your employees. You might also experience issues like having hosts unexpectedly shut down due to a kernel panic. Even if you are able to pinpoint the cause of these issues you may still be unable to configure the tool to prevent the issue from recurring. Due to difficulties like these at Dropbox, we set out to find an alternative solution. Exactly what it says on the tin.

Thursday, 26 April


Steinar H. Gunderson: Anandtech and HPET issues [Planet Debian]

Anandtech spots differences in their Intel-vs-Ryzen benchmarks compared to other media, pinpoints it to differences in whether HPET or TSC is used as the primary system timer on Windows, and goes on to immediately retract their Ryzen 2000-series benchmarks for correction.

That's… impressive integrity and competence. I already trusted their benchmarks a fair bit, and this doesn't exactly hurt.


Link [Scripting News]

Sam Yates: "When Google starts lobbying for 'ad network neutrality' and Facebook for 'social graph neutrality' then I will be impressed."


1118: Negatively Affected [Order of the Stick]


Link [Scripting News]

BTW, since Frontier is the topic du jour, if I could wish for one new feature, a big one, I'd like to have JavaScript integrated as a fully co-equal language to UserTalk. I'd like it to be a special version of JavaScript, that has synchronous versions of code that does various net-related things, most important, a verb that makes an HTTP call and returns what's at the specified address. Without that it isn't much of a scripting language. I'd start with the codebase that Ted has been working on (see Frontier love, below).

Link [Scripting News]

I don’t support net neutrality until it’s supported at all levels. The way it’s framed now, we’re giving control to Google, Facebook, Apple over ISPs. I don’t see any reason users should take a side in that fight since they’re all fighting over who gets to screw us.



Richard Stallman - "A Free Digital Society" (São Paulo, Brazil) [Events]

There are many threats to freedom in the digital society. They include massive surveillance, censorship, digital handcuffs, nonfree software that controls users, and the War on Sharing. Other threats come from use of web services. Finally, we have no positive right to do anything in the Internet; every activity is precarious, and can continue only as long as companies are willing to cooperate with it.

Richard Stallman's speech will be nontechnical, admission is gratis, and the public is encouraged to attend.

Speech start time to be determined.

Location: School of Arts, Science and Humanities (Escola de Artes, Ciências e Humanidades - EACH) - University of São Paulo (USP) - Rua Arlindo Béttio, 1000 - Vila Guaraciaba, ZIP: 03828-000, São Paulo, Brazil

Please fill out our contact form, so that we can contact you about future events in and around São Paulo.


Raleigh-Durham, I’m headed your way! CORRECTED! [Cory Doctorow's]

CORRECTION! The Flyleaf event is at 6PM, not 7!

I’m delivering the annual Kilgour lecture tomorrow morning at 10AM at UNC, and I’ll be speaking at Flyleaf Books at 6PM — be there or be oblong!

Also, if you’re in Boston, Waterloo or Chicago, you can catch me in the coming weeks!

Abstract: For decades, regulators and corporations have viewed the internet and the computer as versatile material from which special-purpose tools can be fashioned: pornography distribution systems, jihadi recruiting networks, video-on-demand services, and so on.

But the computer is an unprecedented general purpose device capable of running every program we can express in symbolic language, and the internet is the nervous system of the 21st century, webbing these pluripotent computers together.

For decades, activists have been warning regulators and corporations about the peril in getting it wrong when we make policies for these devices, and now the chickens have come home to roost. Frivolous, dangerous and poorly thought-through choices have brought us to the brink of electronic ruin.

We are balanced on the knife-edge of peak indifference — the moment at which people start to care and clamor for action — and the point of no return, the moment at which it’s too late for action to make a difference. There was never a more urgent moment to fight for a free, fair and open internet — and there was never an internet more capable of coordinating that fight.

Raleigh-Durham, I'm headed your way! (CORRECTED!) [Boing Boing]

UPDATE: The event at Flyleaf is at 6PM, not 7!

I'm delivering the annual Kilgour lecture tomorrow morning at 10AM at UNC, and I'll be speaking at Flyleaf Books at 6PM -- be there or be oblong!


Nike Sued for Running Pirated Software [TorrentFreak]

Virtually every piece of software is cracked and made available on the Internet, through a myriad of pirate sources.

These are generally visited by regular people out to save a few bucks, but according to Quest Software, pirated license keys found their way to Nike’s office as well.

The company, known for developing a variety of database software, filed a lawsuit in an Oregon federal court this week, accusing Nike of copyright infringement. Both parties have had a software license agreement in place since 2001, but during an audit last year, Quest noticed that not all products were properly licensed.

“That audit revealed that Nike had deployed Quest Software Products far in excess of the scope allowed by the parties’ SLA,” Quest writes in their complaint, filed at a federal court in Oregon.

Quest keeps a database of all valid keys and found that Nike used “cracked” versions, which are generally circulated on pirate sites. This is something Nike must have been aware of, it adds.

“The audit also revealed that Nike had used pirated keys to bypass the Quest License Key System and made unauthorized copies of certain Quest Software Products by breaking the technological security measures Quest had in place,” Quest writes.

“Upon information and belief, to obtain a pirated key for Quest Software Products, customers must affirmatively seek out and obtain pirated keys on download sites known to traffic in counterfeit or illegally downloaded intellectual property, such as BitTorrent.”

Pirated keys?

When the software company found out, it confronted Nike with the findings. However, according to the complaint, Nike refused to purchase the additional licenses that were required for its setup. This prompted Quest to go to court instead.

At this point, it’s not entirely clear to Quest how many pirated keys were used on Nike computers. That’s something the company would like to find out during the discovery process.

Quest is certain, however, that its customer crossed a line. It accuses Nike of copyright infringement, breach of contract, and violating the DMCA’s circumvention provisions.

The company requests an injunction restraining Nike from any infringing activity and demands compensation for the damages it suffered as a result. The exact amount of these damages will have to be determined at trial.

A copy of the complaint is available here (pdf).


Frontier love [Scripting News]

Hearing from lots of Frontier users after Gruber's writeup yesterday.

I didn't know that he had used Frontier. It was really interesting to read his perspective. The connection between the language and the object database is something so simple it can be hard to explain.

Some people wish it would "come back." For them I have good news. Thanks to solid engineering and generous work from Ted C Howard, Frontier runs on today's Macs, except now it's called The OPML Editor, because it's configured as an outliner. Long story. It's totally Frontier.

I'm using v10.1b19 as my IDE for my JavaScript work. I've built a real sweet code deployment environment, it's as if S3 is my file system. All this to say that Frontier is as rock-solid as ever. If you're a Mac user and want a Frontier experience, it's available to you. Not as a memory.

Ted maintains a GitHub repository with the latest version. The list is in reverse chronological order.

There is a Windows version, I don't know how well it runs. You can download it from

PS: For questions, there's a rebooted Frontier-user list on Google Groups.

Today in GPF History for Thursday, April 26, 2018 [General Protection Fault: The Comic Strip]

Dwayne makes an ominous observation about Nicole's law firm's acronym...


Little Brother is 10 years old today: I reveal the secret of writing future-proof science fiction [Cory Doctorow's]

It’s been ten years since the publication of my bestselling novel Little Brother; though the novel was written more than a decade ago, and though it deals with networked computers and mobile devices, it remains relevant, widely read, and widely cited even today.

In an essay for, I write about my formula for creating fiction about technology that stays relevant — the secret is basically to assume that people will be really stupid about technology for the foreseeable future.

And now we come to how to write fiction about networked computers that stays relevant for 12 years and 22 years and 50 years: just write stories in which computers can run all the programs, and almost no one understands that fact. Just write stories in which authority figures, and mass movements, and well-meaning people, and unethical businesses, all insist that because they have a *really good reason* to want to stop some program from running or some message from being received, it *must* be possible.

Write those stories, and just remember that because computers can run every program and the internet can carry any message, every device will someday be a general-purpose computer in a fancy box (office towers, cars, pacemakers, voting machines, toasters, mixer-taps on faucets) and every message will someday be carried on the public internet. Just remember that the internet makes it easier for people of like mind to find each other and organize to work together for whatever purpose stirs them to action, including terrible ones and noble ones. Just remember that cryptography works, that your pocket distraction rectangle can scramble messages so thoroughly that they can never, ever be descrambled, not in a trillion years, without your revealing the passphrase used to protect them. Just remember that swords have two edges, that the universe doesn’t care how badly you want something, and that every time we make a computer a little better for one purpose, we improve it for every purpose a computer can be put to, and that is all purposes.

Just remember that declaring war on general purpose computing is a fool’s errand, and that that never stopped anyone.

Ten Years of Cory Doctorow’s Little Brother [Cory Doctorow/]

(Image: Missy Ward, CC-BY)

Two stable kernels []

Stable kernels 4.16.5 and 4.14.37 have been released. They both contain important fixes and users should upgrade.

Security updates for Thursday []

Security updates have been issued by Debian (drupal7, gcc-4.9-backport, ghostscript, and openslp-dfsg), Fedora (anki, composer, perl, and perl-Module-CoreList), Red Hat (kernel and rh-mysql56-mysql), and SUSE (kernel, kvm, and zsh).


GridPP storage news | Impact of Firmware updates of Spectra and Meltdown Mitigation. [Planet GridPP]

In order to address the security issues associated with the Spectre / Meltdown hardware bugs found in many modern CPUs, updates to both the operating system and the CPU firmware (microcode) are required. The microcode updates address the Spectre variant 2 attack. Spectre variant 2 attacks work by persuading a processor's branch predictor to make a specific bad prediction about which code will be executed, from which information can be obtained about the process.

Much has been said about the performance impact of the Spectre / Meltdown mitigations in the kernel patches. Less is known about the impact of the firmware updates on system performance. Most of the concern is about the performance impact on processes that frequently switch between user mode and the kernel through system calls. These are typically applications that perform disk or network operations.

After one abortive attempt, Intel has released a new set of CPU microcode updates that promise to provide stability. We have run some IO-intensive benchmark tests on our servers, testing different firmware on our Intel Haswell CPUs (E5 2600 v3).

Our test setup is made up of 3 HPE DL60 servers, each with one OS disk and three data disks (1 TB SATA hard drives). One node is used for control while the other two are involved in the actual benchmark process. The servers have Intel E5 2650 v3 CPUs and 128GB of RAM. Each server is connected at 10Gb/s SFP+ to a non-blocking switch. All systems are running Scientific Linux 6.9 (aka CentOS 6.9) with all the latest updates installed.

The manufacturer, HPE, has provided a BIOS update which deploys this new microcode version, and we will investigate the impact of updating the microcode to 0x3C (BIOS 2.52) from the previous version 0x3A (2.56) while keeping everything else constant. One nice feature of the HPE servers is the ability to swap to a backup BIOS, so updates can be reverted.

Our first test uses an HDFS test called DFSIO with a Hadoop setup (1 name node, 2 data nodes with 3 data disks each). The test writes 1TB of data across the 6 disks and then reads it back. The commands run are

yarn jar /usr/local/hadoop/share/hadoop/mapreduce/hadoop-mapreduce-client-jobclient-2.8.3-tests.jar TestDFSIO -D -write -nrFiles 1000 -fileSize 1000
yarn jar /usr/local/hadoop/share/hadoop/mapreduce/hadoop-mapreduce-client-jobclient-2.8.3-tests.jar TestDFSIO -D -read -nrFiles 1000 -fileSize 1000

The results, in minutes taken, clearly show a major performance impact, of order 20%, from using the new microcode update!

As a cross check we did a similar test using IOzone. Here we used the distributed mode of IOzone to run tests on the six disks of the two data nodes. The command run was

iozone -+m clustre.cfg -r 4096k -s 85g -i 0 -i 1 -t 12

(1TB in total, 12 threads), where clustre.cfg defines the nodes and disks used.

The results, in kb/s throughput, again show a measurable impact on performance from using the new firmware, although at a smaller scale (5%).

Instead of using local disks (direct attached storage), we also ran the tests over the network, using our Lustre file system instead of the local disks. We saw no performance impact in either test; however, in this case the 10Gb/s link was a bottleneck and may have influenced the results. We will investigate further as time allows.
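Two checks a practitioner would want around a test like this, as an added example (not GridPP's code): confirming that every core actually reports the expected microcode revision before trusting a before/after comparison, and turning the raw numbers into a percentage impact for both a time metric (DFSIO minutes, lower is better) and a throughput metric (IOzone kb/s, higher is better). The /proc/cpuinfo excerpt and the timings in the block are constructed sample data, not the post's measurements.

```python
"""Check the loaded microcode revision and quantify a benchmark delta.

Added example, not GridPP's code. It (1) reads the per-CPU "microcode"
field as /proc/cpuinfo prints it and verifies every core reports the
expected revision (0x3C after the BIOS update described above), and
(2) turns before/after benchmark numbers into a percentage impact,
handling both "lower is better" (DFSIO minutes) and "higher is better"
(IOzone throughput). The cpuinfo excerpt and timings are constructed
sample data, not the post's measurements.
"""
import re
from typing import Dict, List

# Constructed /proc/cpuinfo excerpt: two cores, one of them still on the
# old revision, to show what a partially applied update looks like.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
microcode\t: 0x3c

processor\t: 1
model name\t: Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
microcode\t: 0x3a
"""

_PROC_RE = re.compile(r"^processor\s*:\s*(\d+)", re.M)
_UCODE_RE = re.compile(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", re.M)


def microcode_by_cpu(cpuinfo_text: str) -> Dict[int, int]:
    """Map logical CPU number -> microcode revision (as an int)."""
    result = {}
    # /proc/cpuinfo separates CPU blocks with a blank line.
    for block in cpuinfo_text.strip().split("\n\n"):
        proc = _PROC_RE.search(block)
        ucode = _UCODE_RE.search(block)
        if proc and ucode:
            result[int(proc.group(1))] = int(ucode.group(1), 16)
    return result


def cpus_not_at_revision(cpuinfo_text: str, expected: int) -> List[int]:
    """CPUs whose loaded microcode differs from the expected revision.

    An empty list means the update is uniformly applied (or uniformly
    reverted, if you pass the old revision after a BIOS rollback).
    """
    return sorted(cpu for cpu, rev in microcode_by_cpu(cpuinfo_text).items()
                  if rev != expected)


def percent_impact(before: float, after: float, higher_is_better: bool) -> float:
    """Performance loss in percent (positive = slower after the update).

    For times (minutes) a larger 'after' is a loss; for throughput (kb/s)
    a smaller 'after' is a loss. Result is rounded to one decimal place.
    """
    if higher_is_better:
        loss = (before - after) / before
    else:
        loss = (after - before) / before
    return round(loss * 100.0, 1)


def read_live_cpuinfo() -> str:
    """Read the real /proc/cpuinfo (Linux only; assumes it is readable)."""
    with open("/proc/cpuinfo") as f:
        return f.read()


if __name__ == "__main__":
    # Replace SAMPLE_CPUINFO with read_live_cpuinfo() on a real host.
    print("CPUs not on 0x3C:", cpus_not_at_revision(SAMPLE_CPUINFO, 0x3C))
    print("DFSIO impact: %.1f%%" % percent_impact(50.0, 60.0, False))
    print("IOzone impact: %.1f%%" % percent_impact(1000000, 950000, True))
```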

How can I have my program execute some code only if run from the Visual Studio debugger? [The Old New Thing]

A customer wanted their program to operate in a special mode if it is being debugged from inside the Visual Studio development environment. Say, if being run from Visual Studio via the "Start with debugging" menu, it should display a diagnostic window that contains additional information.

You should think twice before you do this.

Sure, you could use a function like IsDebuggerPresent to sniff whether your process is being debugged, and if so turn on additional features suitable for debugging. But you also run the risk of having a bug that occurs only when your program isn't being debugged.¹ And everybody hates those types of bugs.

You should have a command line switch that enables the diagnostic window. You can configure Visual Studio so that when you run the program under Visual Studio, it gets the command line switch. That way, when you have a bug that goes away when the diagnostic window is open, you can remove the command line switch and debug it. (It also means that when run outside Visual Studio, you can give the special command line switch and get the diagnostics window even though no debugger is running.)

As a compromise, you could enable the diagnostic window by default if IsDebuggerPresent reports that there is a debugger, but make sure you have a command line switch to override that call and disable the diagnostic window so that you can debug the bugs that occur only when the diagnostic window is not present.

¹ Maybe the diagnostic window calls some functions that have side effects which are masking a bug in the program. For example, the diagnostic window might perform extra logging, which introduces a change in timing that masks a race condition.
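The compromise described above, as an added example (not Raymond Chen's code): an explicit command-line switch always wins, and only when no switch is given does the default fall back to whether a debugger is attached. The switch names --diag and --no-diag are assumptions; the decision is kept in a function that takes the debugger state as a parameter so it can be exercised without a debugger.

```python
"""Diagnostic-window switch with an explicit command-line override.

Added example, not from the original post. Precedence is:
explicit switch (--diag / --no-diag, assumed names) > IsDebuggerPresent.
"""
import sys
from typing import Optional, Sequence


def is_debugger_present() -> bool:
    """Ask the OS whether a debugger is attached to this process.

    On Windows this is the real kernel32 IsDebuggerPresent call via ctypes.
    On other platforms we report False (assumption, for portability).
    """
    if sys.platform == "win32":
        import ctypes
        return bool(ctypes.windll.kernel32.IsDebuggerPresent())
    return False


def diag_switch(argv: Sequence[str]) -> Optional[bool]:
    """Return True for --diag, False for --no-diag, None if neither given.

    The last occurrence wins, so a --diag baked into the Visual Studio
    debug command line can still be cancelled by appending --no-diag when
    chasing a bug that only shows up without the diagnostic window.
    """
    setting = None
    for arg in argv[1:]:
        if arg == "--diag":
            setting = True
        elif arg == "--no-diag":
            setting = False
    return setting


def should_show_diagnostics(argv: Sequence[str], debugger_present: bool) -> bool:
    """Decide whether to open the diagnostic window.

    debugger_present is passed in rather than queried here so the policy
    can be tested in both states without actually attaching a debugger.
    """
    explicit = diag_switch(argv)
    if explicit is not None:
        return explicit
    return debugger_present


if __name__ == "__main__":
    show = should_show_diagnostics(sys.argv, is_debugger_present())
    print("diagnostic window:", "on" if show else "off")
```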

The predictable dystopian trajectory of China's Citizen Scores [Boing Boing]

China's Citizen Score system combines surveillance of your social media and social graph with your credit report, your purchase history and state spy agencies and police files on you to produce a "trustworthiness" score -- people who score low are denied access to high-speed travel, financial products, and other services like private school for their kids.

A who's-who of tech manufacturers sent scaremongering letters to the Illinois legislature to kill Right to Repair [Boing Boing]

Illinois is one of 18 states where Right to Repair legislation has been introduced -- rules that would force manufacturers to end the practice of undermining the independent repair sector with hidden service documents, unavailable parts, and DRM.

Security researchers can turn Alexa into a transcribing, always-on listening device [Boing Boing]

Checkmarx researchers including Erez Yalon have created a "rogue Alexa skill" that bypasses Amazon's security checks: it lurks silently and unkillably in the background of your Alexa, listening to all speech in range of it and transcribing it, then exfiltrating the text and audio of your speech to the attacker.

Little Brother is 10 years old today: I reveal the secret of writing future-proof science fiction [Boing Boing]

It's been ten years since the publication of my bestselling novel Little Brother; though the novel was written more than a decade ago, and though it deals with networked computers and mobile devices, it remains relevant, widely read, and widely cited even today.

"Phooey": a pre-eminent cryptographer responds to Ray Ozzie's key escrow system [Boing Boing]

I have a lot of respect for ex-Microsoft Chief Software Architect Ray Ozzie, but when I saw that he'd taken to promoting a Clipper-Chip-style key escrow system, I was disheartened -- I'm a pretty keen observer of these proposals and have spent a lot of time having their problems explained to me by some of the world's leading cryptographers, and this one seemed like it had the same problems as all of those dead letters.


How to customize an Istio service mesh [All - O'Reilly Media]

Choose an Istio sidecar for reliability, observability, and security.

Even though service meshes provide value outside of the use of microservices and containers, it's in these environments that many teams first consider using a service mesh. The sheer volume of services that must be managed on an individual, distributed basis with microservices (versus centrally for a monolith) creates challenges for ensuring reliability, observability, and security of these services.

Adoption of a container orchestrator addresses a layer of infrastructure needs, but leaves some application or service-level needs unmet. Rather than attempting to overcome distributed systems concerns by writing infrastructure logic into application code, some teams choose to manage these challenges with a service mesh. A service mesh can help by ensuring the responsibility of service management is centralized, avoiding redundant instrumentation, and making observability ubiquitous and uniform across services.

Choosing a service mesh

Factors such as your teams’ operational and technology expertise, existing observability, and access control tooling will influence the service mesh components, adapters, and deployment model you choose. Among others, Istio is a popularly adopted, open source service mesh. Some choose Istio (or any service mesh) for the automatic and immediate visibility it provides into top-line service metrics. In fact, many become hooked on service meshes for the observability they provide alone.

As a microservices platform, Istio is extensible through the way in which it offers choice of adapters and sidecars. Istio envelops and integrates with other open source projects to deliver a full-service mesh, which both bolsters its set of capabilities and offers a choice of which specific projects are included and deployed. Whether through Mixer adapters for observability or through swapping sidecars, Istio allows you to choose which components to include in your deployment.

Customizing an Istio service mesh

There are multiple deployment models you can use to lay down a service mesh. One of the most popular options is to deploy your service proxies as sidecars. Sidecarring your service proxy offers benefits like fine-grained policy enforcement and intra-cluster service-to-service encryption. This deployment model is the model of choice for Istio. Other Istio deployment choices include:

  • Mixer adapters: typically used for integrating with access control, telemetry, quota enforcement, and billing systems.
  • Service proxies: abstract the network, translating requests between a client and service.

Though Envoy is the default service proxy sidecar, you may choose another service proxy for your sidecar. While there are multiple service proxies in the ecosystem, outside of Envoy, only two have currently demonstrated integration with Istio: Linkerd and NGINX. The arrival of choice in service proxies for Istio has generated a lot of excitement. Linkerd’s integration was created early in Istio’s 0.1.6 release. Similarly, the nginMesh project has drawn much interest in the use of NGINX as Istio’s service proxy, as many organizations have broad and deep operational expertise built around this battle-tested proxy.

This post is a collaboration between O'Reilly and NGINX. See our statement of editorial independence.


Microsoft sends recycler to jail for reinstalling obsolete, licensed copies of Windows on refurbished PCs [Boing Boing]

Eric Lundgren is an environmental hero, whose California business diverts literal tons of e-waste from landfills, refurbishes it, and puts it in the hands of people who can make good use of it.


Teaching and implementing data science and AI in the enterprise [All - O'Reilly Media]

The O’Reilly Data Show Podcast: Jerry Overton on organizing data teams, agile experimentation, and the importance of ethics in data science.

In this episode of the Data Show, I spoke with Jerry Overton, senior principal and distinguished technologist at DXC Technology. I wanted the perspective of someone who works across industries and with a variety of companies. I specifically wanted to explore the current state of data science and AI within companies and public sector agencies. As much as we talk about use cases, technologies, and algorithms, there are also important issues that practitioners like Overton need to address, including privacy, security, and ethics. Overton has long been involved in teaching and mentoring new data scientists, so we also discussed some tips and best practices he shares with new members of his team.


Trump's finance watchdog wants to make the taxpayer-funded database of crooked banks go dark [Boing Boing]

The Consumer Financial Protection Bureau is Elizabeth Warren's gift that keeps on giving -- one of the most effective US government agencies, handing out real punishment to banks that break the law, fighting loan-sharks that prey on poor people, and maintaining a database of vetted consumer complaints against banks that have ripped them off.


Building tools for the AI applications of tomorrow [All - O'Reilly Media]

We’re currently laying the foundation for future generations of AI applications, but we aren’t there yet.

For the last few years, AI has been almost synonymous with deep learning (DL). We’ve seen AlphaGo touted as an example of deep learning. We’ve seen deep learning used for naming paint colors (not very successfully), imitating Rembrandt and other great painters, and many other applications. Deep learning has been successful in part because, as François Chollet tweeted, “you can achieve a surprising amount using only a small set of very basic techniques.” In other words, you can accomplish things with deep learning that don’t require you to become an AI expert. Deep learning’s apparent simplicity--the small number of basic techniques you need to know--makes it much easier to “democratize” AI, to build a core of AI developers that don’t have Ph.D.s in applied math or computer science.

But having said that, there’s a deep problem with deep learning. As Ali Rahimi has argued, we can often get deep learning to work, but we aren’t close to understanding how, when, or why it works: “we’re equipping [new AI developers] with little more than folklore and pre-trained deep nets, then asking them to innovate. We can barely agree on the phenomena that we should be explaining away.” Deep learning’s successes are suggestive, but if we can’t figure out why it works, its value as a tool is limited. We can build an army of deep learning developers, but that won’t help much if all we can tell them is, “Here are some tools. Try random stuff. Good luck.”

However, nothing is as simple as it seems. The best applications we’ve seen to date have been hybrid systems. AlphaGo wasn’t a pure deep learning engine; it incorporated Monte Carlo Tree Search, and at least two deep neural networks. At O’Reilly’s New York AI Conference in 2017, Josh Tenenbaum and David Ferrucci sketched out systems they are working on, systems that combine deep learning with other ideas and methods. Tenenbaum is working with one-shot learning, imitating the human ability to learn based on a single experience, and Ferrucci is working on building cognitive models that enable machines to understand human language in a meaningful way, not just pattern matching. DeepStack’s poker playing system combines neural networks with counterfactual regret minimization and heuristic search.

Adding structure to improve models

The fundamental idea behind deep learning is very simple: deep learning systems are neural networks with several hidden layers. Each neuron is very simple: it takes a number of inputs from previous layers, combines them according to a set of weights, and produces an output that’s passed to the next layer. The network doesn’t really care whether it’s processing images, text, or telemetry. That simplicity, though, is a hint that we’re missing out on a lot of structure that’s inherent in data. Images and texts aren’t the same; they’re structured differently. Languages have a lot of internal structure. As the computational linguist Chris Manning says:

I think the current era where everyone touts this mantra of fast GPUs, massive data, and these great deep learning algorithms has ... sent computational linguistics off-track. Because it is the case that if you have huge computation and massive amounts of data, you can do a lot ... with a simple learning device. But those learners are extremely bad learners. Human beings are extremely good learners. What we want to do is build AI devices that are also extremely good learners. ... The way to achieve those learners is to put much more innate structures.

If we’re going to make AI applications that understand language as well as humans do, we will have to take advantage of the structures that are in language. From that standpoint, deep learning has been a fruitful dead end: it’s a shortcut that has prevented us from asking the really important questions about how knowledge is structured. Gary Marcus makes an argument that’s even more radical:

There is a whole world of possible innate mechanisms that AI researchers might profitably consider; simply presuming by default it is desirable to include little or no innate machinery seems, at best, close-minded. And, at worst, an unthinking commitment to relearning everything from scratch may be downright foolish, effectively putting each individual AI system in the position of having to recapitulate a large portion of a billion years of evolution.

Deep learning began with a model that was, at least in principle, based on the human brain: the interconnection of neurons, and the ancient notion that human brains start out as a blank slate. Marcus is arguing that humans are born with innate abilities which are still very poorly understood--for example, the ability to learn language, or the ability to form abstractions. For AI to progress beyond deep learning, he suggests that researchers must learn how to model these innate abilities.

There are other paths forward. Ben Recht has written a series of posts sketching out how one might approach problems that fall under reinforcement learning. He is also concerned with the possibility that deep learning, as practiced today, promises more than it can deliver:

If you read Hacker News, you’d think that deep reinforcement learning can be used to solve any problem. ... I personally get suspicious when audacious claims like this are thrown about in press releases, and I get even more suspicious when other researchers call into question their reproducibility.

Recht argues for taking a comprehensive view, and reviews the possibility for augmenting reinforcement learning with techniques from optimal control and dynamical systems. This allows RL models to benefit from research results and techniques used in many real-world applications. He notes:

By throwing away models and knowledge, it is never clear if we can learn enough from a few instances and random seeds to generalize.

AI is more than machine learning

As Michael Jordan pointed out in a recent post, what is called AI is often machine learning (ML). As someone who organizes AI conferences, I can attest to this: many of the proposals we receive are for standard machine learning applications. The confusion was inevitable: when calling a research project “artificial intelligence” was hardly respectable, we used the term “machine learning.” ML became a shorthand for “the parts of AI that work.” These parts, up to and including deep learning, were basically large-scale data analysis. Now that the tides of buzz have shifted, and everyone wants AI, machine learning applications are AI again.

But a full-fledged AI application, such as an autonomous vehicle, requires much more than data analysis. It will require progress in many areas that go well beyond pattern recognition. To build an autonomous vehicle and other true AI applications, we will need significant advances in sensors and other hardware; we will need to learn how to build software for “edge devices,” which includes understanding how to partition problems between the edge devices and some kind of “cloud”; we will need to develop infrastructure for simulation and distributed computation; and we will need to understand how to craft the user experience for truly intelligent devices.

Jordan highlights the need for further research in two important areas:

Intelligence augmentation (IA): Tools that are designed to augment human intelligence and capabilities. These include search engines (which remember things we can’t), automated translation, and even aids for artists and musicians. These tools might involve high-level reasoning and thought, though current implementations don’t.

Intelligent infrastructure (II): Jordan defines II as “a web of computation, data, and physical entities exist that make human environments more supportive, interesting and safe.” This would include networks to share medical data safely, systems to make transportation safer (including smart cars and smart roads), and many other applications. Intelligent infrastructure is about managing flows of data in ways that support human life.

What’s most important about Jordan’s argument, though, is that we won’t get either IA or II if we focus solely on deep learning. They are inherently multidisciplinary. Deep learning will inevitably be part of the solution, but just as inevitably, it won’t be the whole solution. It may even be a very small part.

Closing thoughts

Researchers from many institutions are building tools for creating the AI applications of the future. While there is still a lot of work to be done on deep learning, researchers are looking well beyond DL to build the next generation of AI systems. UC Berkeley's RISE Lab has sketched out a research agenda that involves systems, architectures, and security.

Ameet Talwalkar’s recent post lists a number of research directions that should benefit industrial machine learning platforms. Industrial machine learning systems will have to meet system requirements, such as memory limitations, power budgets, and hard real-time constraints; they must be easy to deploy and to update, particularly since data models tend to grow stale over time; and they must be safe. Humans must understand how applications make decisions, along with the likely consequences of those decisions. These applications must take ethics into account.

These are all requirements for Jordan’s intelligent infrastructure. Over the past few years, we’ve seen many examples of machine learning put to questionable purposes, ranging from setting bail and determining prison sentences to targeted advertising, emotional manipulation, and the spreading of misinformation, that point us to a different set of needs. The research agenda for AI needs to take into account fairness and bias, transparency, privacy and user control over data, and the models built from that data. These issues encompass everything from ethics to design: getting informed consent, and explaining what that consent means, is not a trivial design problem. We’re only starting to understand how these disciplines connect to research in artificial intelligence. Fortunately, we’re seeing increasing interest within the data community in connecting ethics to practice. Events like the Data For Good Exchange (D4GX), the Conference on Fairness, Accountability, and Transparency (FAT*), and others are devoted to data ethics.

Talwalkar notes that air travel didn’t become commonplace until nearly 50 years after the Wright Brothers. While they were the first to achieve flight, many more developments were needed to make flying safe, inexpensive, and convenient. We’re at a similar stage in the history of AI. We’ve made progress in a few basic areas, and what we ultimately build will no doubt be amazing. We’re currently laying the foundation for future generations of AI applications, but we aren’t there yet.


Four short links: 26 April 2018 [All - O'Reilly Media]

DNA for Data, Project Names, VGA SDR, and Image Magic

  1. Exabytes in a Test Tube: The Case for DNA Data Storage -- still in its infancy, but researchers are drawn by its high storage density (up to 1E12 GB/gram), the fact that it needs no power, and its durability under "ideal" conditions. There are even people working on random-access tech.
  2. Waggle Dance -- Hive federation service. Enables disparate tables to be concurrently accessed across multiple Hive deployments. (Hive is an Apache data warehouse project.) This easily wins today's award for Best Project Name. (Circus Train is a good name, but not as {fingerkiss} as Waggle Dance.)
  3. VGA as SDR -- this is wild. osmo-fl2k allows you to use USB 3.0 to VGA adapters based on the Fresco Logic FL2000 chip, which are available for around $5, as general-purpose DACs and SDR transmitters, generating a continuous stream of samples by avoiding the HSYNC and VSYNC blanking intervals. It can transmit low-power FM, DAB, DVB-T, GSM, UMTS, and GPS signals.
  4. Image Inpainting for Irregular Holes Using Partial Convolutions -- the video is solid gold wow. (via NVIDIA developer news)
  5. Note: The email edition of Four Short Links will be discontinued on Monday, April 30. New editions of Four Short Links will still be published every weekday at and through the Four Short Links feed. Please send questions about this change to



CodeSOD: If Not Null… [The Daily WTF]

Robert needed to fetch some details about pump configurations from the backend. The API was poorly documented, but there were other places in the code which did that, so a quick search found this...


The trap of listening to feedback [Seth Godin's Blog on marketing, tribes and respect]

"If I listened to feedback, I would have quit on the first day."

You're devoting your life to making something important. Something helpful. Something that matters. Mostly, something that hasn't been done before, that's going to bend the curve and make an impact.

If you begin and end with surveys and focus groups, all you're going to do is what's been done before.

We're counting on you to trust yourself enough to speak your own version of our future. Yes, you'll need the empathy to put yourself in our shoes, and the generosity to care enough to make it worth our time and trust. But no, don't outsource the hard work of insight and creation to the rest of us.

That's on you.



Under-Fire “Kodi Box” Company “Sold to Chinese Investor” For US$8.82m [TorrentFreak]

Back in 2016, an article appeared in Kiwi media discussing the rise of a new company pledging to beat media giant Sky TV at its own game.

My Box NZ owner Krish Reddy told the publication he was selling Android boxes loaded with Kodi software and augmented with third-party addons.

Without any hint of fear, he stated that these devices enabled customers to access movies, TV shows and live channels for free, after shelling out a substantial US$182 for the box first, that is.

“Why pay $80 minimum per month for Sky when for one payment you can have it free for good?” a claim on the company’s website asked.

Noting that he’d been importing the boxes from China, Reddy suggested that his lawyers hadn’t found any problem with the business plan.

“I don’t see why [Sky] would contact me but if they do contact me and … if there’s something of theirs that they feel I’ve unlawfully taken then yeah … but as it stands I don’t [have any concerns],” he said.

At this point, Reddy said he’d been selling the boxes for just six weeks and had shifted around 80 units. To get coverage from a national newspaper at this stage of the game must’ve been very much appreciated but Reddy didn’t stop there.

In a bulk advertising email sent out to 50,000 people, Reddy described his boxes as “better than Sky”. However, by design or misfortune, the email managed to land in the inboxes of 50 Sky TV staff and directors, something that didn’t go unnoticed by the TV giant.

With Reddy claiming sales of 8,000 units, Sky ran out of patience last April. In a letter from its lawyers, the pay-TV company said Reddy’s devices breached copyright law and the Fair Trading Act. Reddy responded by calling the TV giant “a playground bully”, again denying that he was breaking the law.

“From a legal perspective, what we do is completely within the law. We advertise Sky television channels being available through our website and social media platforms as these are available via streams which you can find through My Box,” he said.

“The content is already available, I’m not going out there and bringing the content so how am I infringing the copyright… the content is already there, if someone uses the box to search for the content, that’s what it is.”

The initial compensation demand from Sky against Reddy’s company My Box ran to NZD$1.4m, around US$1m. It was an amount that had the potential to rise by millions if matters got drawn out and/or escalated. But despite picking a terrible opponent in a battle he was unlikely to win, Reddy refused to give up.

“[Sky’s] point of view is they own copyright and I’m destroying the market by giving people content for free. To me it is business; I have got something that is new … that’s competition,” he said.

The Auckland High Court heard the case against My Box last month with Judge Warwick Smith reserving his judgment and Reddy still maintaining that his business is entirely legal. Sales were fantastic, he said, with 20,000 devices sold to customers in 12 countries.

Then something truly amazing happened.

A company up to its eyeballs in litigation, selling a commodity product that an amateur can buy and configure at home for US$40, reportedly got a chance of a lifetime. Reddy revealed to Stuff that a Chinese investor had offered to buy his company for an eye-watering NZ$10 million (US$7.06m).

“We have to thank Sky,” he said. “If they had left us alone we would just have been selling a few boxes, but the controversy made us world famous.”

Reddy noted he’d been given 21 days to respond to the offer, but refused to name the company. Interestingly, he also acknowledged that if My Box lost its case, the company would be liable for damages. However, that wouldn’t bother the potential investor.

“It makes no difference to them whether we win or lose, because their operations won’t be in New Zealand,” Reddy said.

According to the entrepreneur, that’s how things are playing out.

The Chinese firm – which Reddy is still refusing to name – has apparently accepted a counter offer from Reddy of US$8.8m for My Box. As a result, Reddy will wrap up his New Zealand operations within the next 90 days and his six employees will be rendered unemployed.

Given that anyone with the ability to install Kodi and a few addons before putting a box in the mail could replicate Reddy’s business model, the multi-million dollar offer for My Box was never anything less than a bewildering business proposition. That someone carried through with it at an even higher price is so fantastic as to be almost unbelievable.

In a sea of unhappy endings for piracy-enabled Kodi box sellers globally, this is the only big win to ever grace the headlines. Assuming this really is the end of the story (and that might not be the case) it will almost certainly be the last.



1186 [LFG Comics]

The post 1186 appeared first on Looking For Group.


Too Much in Common [Diesel Sweeties webcomic by rstevens]

sleep is dumb

Tonight's comic is about hating everyone, except...


A True Connoisseur [QC RSS]

melon no

I am in Calgary for CALGARY EXPO this weekend! YOU SHOULD COME SAY HI IMHO



Con Season 2018: Calgary Expo [LFG Comics]

Ah, Calgary! The land of rodeos, the Red Mile and beef. Glorious, glorious beef. But what does this have to do with you, oh, faithful LFG readers? Well, for you in the general Calgary area, I’m here to tell you […]

The post Con Season 2018: Calgary Expo appeared first on Looking For Group.

[$] Weekly Edition for April 26, 2018 []

The Weekly Edition for April 26, 2018 is available.

Linux apps on Chrome OS: an overview [OSNews]

Here's all you need to know about Google's year-long secretive development of Linux app functionality in Chrome OS, also known as Project Crostini. In a nutshell, it's a way to run regular Linux applications on Chrome OS without compromising security or enabling developer mode. The (not yet available) official setting states that it's to "Run Linux tools, editors, and IDEs on your Chromebook." Crostini is a culmination of several years of development that enabled the functionality to run securely enough to meet Chrome OS's high-security standards. To understand why it's only just appearing, it's best to look at what came before. This should make easy-to-manage, safe, and secure Chromebooks infinitely more attractive to developers.


Wakefield 2018 RISC OS show report [OSNews]

It was a glorious sunny day in Wakefield and a very upbeat RISC OS show with lots of interesting hardware and software. You can see some show pictures, and here are my show notes if you were not able to attend. A detailed description of the Wakefield 2018 RISC OS show.

Towards secure system graphics: Arcan and OpenBSD [OSNews]

Let me preface this by saying that this is a (very) long and medium-rare technical article about the security considerations and minutiae of porting (most of) the Arcan ecosystem to work under OpenBSD. The main point of this article is not so much flirting with the OpenBSD crowd or adding further noise to software engineering topics, but to go through the special considerations that had to be taken, as notes to anyone else that decides to go down this overgrown and lonesome trail, or are curious about some less than obvious differences between how these things "work" on Linux vs. other parts of the world. You know you're getting something good with a preface like this.

Google launches major Gmail redesign [OSNews]

Email is a necessity for most of us. We use it to stay in touch with colleagues and friends, keep up with the latest news, manage to-dos at home or at work - we just can't live without it. Today we announced major improvements to Gmail on the web to help people be more productive at work. Here's a quick look at how the new Gmail can help you accomplish more from your inbox. A major redesign of the Gmail web interface is now available for testing.

Wednesday, 25 April


Link [Scripting News]

Nice write-up for 30 years of Frontier on Daring Fireball. Thanks!


The Humble Book Bundle: Classic Sci Fi & Fantasy &... [Humble Bundle Blog]

The Humble Book Bundle: Classic Sci Fi & Fantasy & Audiobooks! 

Here’s a bundle of great books both readable and listenable! Find authors like Isaac Asimov, Bruce Coville, Jo Nesbø, Tamora Pierce, and more. With titles like My Teacher is an Alien and Doctor Proctor’s Fart Powder, how can you go wrong?

Assets for Press and Partners

Link [Scripting News]

The demo river on Glitch now runs in HTTPS. (Yes, I support it in my products, when I can, but my websites won't, not until we get Google to kick back. No one owns the web. That's an absolute.)

View From a Hotel Window, 4/25/18: Washington DC [Whatever]

Honestly it’d be better if that stupid dome wasn’t in the way, blocking my view of everything.

Tonight: I’m at Politics and Prose at the Wharf, at 7pm. Please come! I understand we may be having the event near a wharf, but I can’t say for certain. Please come with life preservers, or alternately, just bring yourself and everyone you know.

Tomorrow: Home! And a few days of sleep. But then on Monday at 6:30, I’ll be having my final event of the tour at the Troy-Miami County Library, in Troy, Ohio. Which I can drive to! In my own car, even! Yay!


Toward the Jet Age of machine learning [All - O'Reilly Media]

Solving the challenges of efficiency, automation, and safety will require cooperation between researchers and engineers spanning both academia and industry.

Machine learning today resembles the dawn of aviation. In 1903, dramatic flights by the Wright brothers ushered in the Pioneer Age of aviation, and within a decade, there was widespread belief that powered flight would revolutionize transportation and society more generally. Machine learning (ML) today is also rapidly advancing. We have recently witnessed remarkable breakthroughs on important problems including image recognition, speech translation, and natural language processing, and major technology companies are investing billions of dollars to transform themselves into ML-centric organizations. There is a growing conviction that ML holds the key to some of society’s most pressing problems.

Figure 1. The Wright brothers’ first powered airplane traveled 120 feet during its initial 12-second flight on December 17, 1903, at Kitty Hawk. Credit: Stacy Pancake.

However, this excitement should also be met with caution. For all the enthusiasm that the Wright brothers generated, nearly half a century would pass before widespread commercial aviation finally became a reality. During the Pioneer Age, aviation was largely restricted to private, sport, and military use. Getting to the Jet Age required a series of fundamental innovations in aeronautical engineering—monoplane wings, aluminum designs, turbine engines, stress testing, jumbo jets, etc.

Figure 2. Decades of advances in aeronautical engineering led to the Jet Age in the 1950s, which fundamentally changed societal behavior and enabled us to tackle new challenges—e.g., space exploration. Credit: Stacy Pancake.

Simply put, we needed to invent aeronautical engineering before we could transform the aviation industry. Similarly, we need to invent a new kind of engineering to build ML applications. Data-driven software development is radically different from conventional software development, as it targets complex application domains (e.g., vision, speech, language) and focuses on learned behaviors instead of rule-based operations (e.g., training deep neural networks on massive data sets versus hand-coded if-then-else statements). Currently, very few organizations have the expertise to do this kind of engineering, and we are just scratching the surface of the potential for ML-powered technology. We describe three key challenges of this new development paradigm below.

Figure 3. The turbine engine, developed over several decades, resulted in planes that were dramatically faster and more efficient, enabling travel around the world in less than a day. Credit: Stacy Pancake.

Challenge 1: Efficiency

Modern ML applications typically involve complex models and massive data sets, requiring significant computational and storage resources. For instance, engineers at Google Brain needed more than 250,000 GPU hours to train a neural translation model for a single pair of languages (English and German), which costs about $200,000 on Google Compute Engine.[1] In response, a wide range of specialized hardware solutions are being developed (e.g., GPUs, TPUs, massively parallel CPUs, FPGAs) to improve the speed, energy efficiency, and cost of ML-powered applications.

However, effectively leveraging heterogeneous hardware will require us to fundamentally redesign ML software itself. In particular, systems-aware algorithms and software are needed (i) to efficiently train models on massively parallel and heterogeneous hardware, and (ii) to satisfy service level agreements (SLAs) related to latency, power consumption, and memory footprint constraints for production deployments. Advances in hardware must be closely coupled with algorithmic and software innovation in order to develop and deploy ML-based applications in a timely and economical fashion.

Figure 4. Automation is widespread in modern commercial aviation, including plane manufacturing / testing, air traffic control, and even operating planes. Credit: Stacy Pancake.

Challenge 2: Automation

In addition to being computationally intensive, ML-powered applications are incredibly labor-intensive for ML engineers to train, debug, and deploy. First, even selecting the appropriate computational platform is challenging, given the rapidly changing hardware landscape and diverse set of available cloud-based offerings. Second, the quality of an ML model is highly sensitive to hyperparameters; tuning these hyperparameters is crucial for accuracy but is often labor-intensive and expensive in computational cost. Third, utilizing parallel hardware at training time is highly non-trivial. Naively boosting computational power often does not result in meaningful speedups, and fair and effective sharing of cluster resources among users can be challenging.

To make things worse, developing ML applications is not a one-shot process: data changes over time, and therefore models and systems must adapt. Diagnosing and updating stale models is challenging, and exacerbated by the surprising difficulty (and sometimes impossibility[2]) of reproducing the behavior of ML applications. These issues are due to many factors, including (i) the statistical or "fuzzy" nature of these applications; (ii) the complexity of ML applications (e.g., pipeline jungles[3]); and (iii) ad-hoc development processes in which both code and data evolve over time with inadequate (and sometimes non-existent) controls. Given the shortage and cost of ML talent and the increased demands for ML technology, there is a pressing need to automate and simplify these development and deployment processes.

Figure 5. The widespread adoption of commercial aviation hinged on dramatic advances in aviation safety, including advances in plane design and testing, as well as the creation of international and domestic regulatory bodies—e.g., the ICAO and FAA. Credit: Stacy Pancake.

Challenge 3: Safety

As ML applications become more ubiquitous and increasingly influence societal interactions (e.g., curating news, determining credit worthiness, influencing criminal sentencing, navigating vehicles autonomously), the safety risks associated with the misuse or misunderstanding of this technology are magnified. It is, thus, critical to understand and audit the behavior of ML applications: do we understand how models are making their decisions? What is the confidence / uncertainty associated with individual decisions? Do these predictions pose immediate threats to an individual or to society? What are the broader ethical ramifications of a given ML application? What information is being used to make decisions? Is individual privacy adequately being preserved?

Unfortunately, ML applications do not provide us with straightforward answers to these questions. They are inherently data-driven and not based on simple rules, and we have a fundamental lack of understanding as to why leading ML approaches (e.g., deep learning models) even work in the first place. In addition to advancing our basic scientific understanding, it is paramount that we develop robust ML-centric engineering processes to mitigate potential safety risks. These new processes must address the complexity and uncertainty inherent to ML applications.

The interdisciplinary path forward

These challenges—efficiency, automation, and safety—won’t be solved overnight. It is clear that they touch a broad set of disciplines, and consequently devising effective solutions will require cooperation between researchers and engineers spanning both academia and industry.

From an academic perspective, we are already witnessing encouraging signs of interdisciplinary progress, as these core challenges have spurred the development of new research communities. Two notable examples are: (i) the SysML[4] research community that works at the intersection of systems and ML to design system-aware algorithms and identify best practices for learning systems; and (ii) the FatML[5] research community that brings together a diverse set of social and quantitative researchers and practitioners concerned with fairness, accountability, and transparency in ML.

However, we ultimately want to move beyond academic research, and leverage cutting-edge theoretical advances in order to design and build increasingly robust and sophisticated engineering systems. To do so will require coordination between researchers working on more abstract and theoretical problems and engineers who understand industrial processes and real-world deployment requirements. While we have a long way to go before we arrive at the Jet Age of ML, continued collaborative efforts will truly enable ML to take flight.


04/25/18 PHD comic: 'How good' [PHD Comics]

Piled Higher & Deeper by Jorge Cham
title: "How good" - originally published 4/25/2018


Jonathan McDowell: Using collectd for Exim stats [Planet Debian]

I like graphing things; I find it’s a good way to look for abnormal patterns or try to track down the source of problems. For monitoring systems I started out with MRTG. It’s great for monitoring things via SNMP, but everything else needs some custom scripts. So at one point I moved my home network over to Munin, which is much better at graphing random bits and pieces, and coping with collecting data from remote hosts. Unfortunately it was quite heavyweight on the Thecus N2100 I was running as the central collection point at the time; data collection resulted in a lot of forking and general sluggishness. So I moved to collectd, which is written in C, relies much more on compiled plugins and doesn’t do a load of forks. It also supports a UDP based network protocol with authentication + encryption, which makes it great for running on hosts that aren’t always up - the collection point doesn’t hang around waiting for them when they’re not around.

The problem is that when it comes to things collectd doesn’t support out of the box it’s not quite so easy to get the stats - things a simple script would sort in MRTG need a bit more thought. You can go the full blown Python module route as I did for my Virgin Super Hub scripts, but that requires a bit of work. One of the things in particular I wanted to graph were stats for my mail servers and having to write a chunk of Python to do that seemed like overkill. Searching around found the Tail plugin, which follows a log file and applies regexes to look for stats. There are some examples for Exim on that page, but none were quite what I wanted. In case it’s of interest/use to anyone else, here’s what I ended up with (on Debian, of course, but I can’t see why it wouldn’t work elsewhere with minimal changes).

First I needed a new data set specification for email counts. I added this to /usr/share/collectd/types.db:

mail_count              value:COUNTER:0:65535

Note that if you’re logging to a remote collectd host this needs to be on both the host where the stats are collected and the one receiving the stats. Since a package upgrade can overwrite /usr/share/collectd/types.db, the custom type can instead live in its own file listed after the default one on collectd's TypesDB directive, which accepts more than one file.

I then dropped a file in /etc/collectd/collectd.conf.d/ called exim.conf containing the following. It’ll need tweaking depending on exactly what you log, but the first 4 <Match> stanzas should be generally useful. I have some additional logging (via log_message entries in the exim.conf deny statements) that helps me track mails that get greylisted, rejected due to ClamAV or rejected due to being listed in a DNSRBL. Tailor as appropriate for your setup:

LoadPlugin tail

<Plugin tail>
    <File "/var/log/exim4/mainlog">
        Instance "exim"
        Interval 60
        <Match>
            Regex "S=([1-9][0-9]*)"
            DSType "CounterAdd"
            Type "ipt_bytes"
            Instance "total"
        </Match>
        <Match>
            Regex "<="
            DSType "CounterInc"
            Type "mail_count"
            Instance "incoming"
        </Match>
        <Match>
            Regex "=>"
            DSType "CounterInc"
            Type "mail_count"
            Instance "outgoing"
        </Match>
        <Match>
            Regex "=="
            DSType "CounterInc"
            Type "mail_count"
            Instance "defer"
        </Match>
        <Match>
            Regex ": greylisted.$"
            DSType "CounterInc"
            Type "mail_count"
            Instance "greylisted"
        </Match>
        <Match>
            Regex "rejected after DATA: Malware:"
            DSType "CounterInc"
            Type "mail_count"
            Instance "malware"
        </Match>
        <Match>
            Regex "> rejected RCPT <.* is listed at"
            DSType "CounterInc"
            Type "mail_count"
            Instance "dnsrbl"
        </Match>
    </File>
</Plugin>

Finally, because my mail servers are low volume these days, I added a scaling filter to give me emails/minute rather than emails/second. This went in /etc/collectd/collectd.conf.d/filters.conf:

PreCacheChain "PreCache"
LoadPlugin match_regex
LoadPlugin target_scale

<Chain "PreCache">
        <Rule>
                <Match "regex">
                        Plugin "^tail$"
                        PluginInstance "^exim$"
                        Type "^mail_count$"
                        Invert false
                </Match>
                <Target "scale">
                        Factor 60
                </Target>
        </Rule>
</Chain>
Update: Some example graphs (images in the original post): total email bytes, incoming email count, outgoing email count, deferred email count, emails rejected due to DNSRBL, greylisted email count, and emails rejected due to malware.


News Post: I Have A Mouth And I Can Scream With It [Penny Arcade]

Tycho: There is a lot to like about Labo, which is firmly indicated by the amount of pixels emitted in its praise.  The thing that excites me the most is that the first two boxes have the subtitle Toy-Con 1 and Toy-Con 2.  What I want more than anything is a Toy-Con to be followed by more and more numbers.  We have submitted a possible Toy-Con 3 option but we’re easy; it doesn’t have to be exactly like this but it’s one idea and you’re welcome to it. There’s a division of “labo” at my house, and I don’t know if its common.  I…

DDoS-for-Hire Service Webstresser Dismantled [Krebs on Security]

Authorities in the U.S., U.K. and the Netherlands on Tuesday took down the popular online attack-for-hire service WebStresser and arrested its alleged administrators. Investigators say that prior to the takedown, the service had more than 136,000 registered users and was responsible for launching somewhere between four and six million attacks over the past three years.

The action, dubbed “Operation Power Off,” targeted WebStresser, one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that anyone can rent to knock nearly any website or Internet user offline. (Image in the original post: WebStresser as it appeared in 2017.)

“The damage of these attacks is substantial,” reads a statement from the Dutch National Police in a Reddit thread about the takedown. “Victims are out of business for a period of time, and spend money on mitigation and on (other) security measures.”

In a separate statement released this morning, Europol — the law enforcement agency of the European Union — said “further measures were taken against the top users of this marketplace in the Netherlands, Italy, Spain, Croatia, the United Kingdom, Australia, Canada and Hong Kong.” The servers powering WebStresser were located in Germany, the Netherlands and the United States, according to Europol.

The U.K.’s National Crime Agency said WebStresser could be rented for as little as $14.99, and that the service allowed people with little or no technical knowledge to launch crippling DDoS attacks around the world.

Neither the Dutch nor U.K. authorities would say who was arrested in connection with this takedown. But according to information obtained by KrebsOnSecurity, the administrator of WebStresser allegedly was a 19-year-old from Prokuplje, Serbia named Jovan Mirkovic.

Mirkovic, who went by the hacker nickname “m1rk,” also used the alias “Mirkovik Babs” on Facebook where for years he openly discussed his role in programming and ultimately running WebStresser. The last post on Mirkovic’s Facebook page, dated April 3 (the day before the takedown), shows the young hacker sipping what appears to be liquor while bathing. Below that image are dozens of comments left in the past few hours, most of them simply, “RIP.”

A story on a Serbian daily news site notes that two men from Serbia were arrested in conjunction with the WebStresser takedown; they are named only as “MJ” (Jovan Mirkovik) and D.V., aged 19, from Ruma.

Mirkovik’s fake Facebook page (Mirkovik Babs) includes countless mentions of another Webstresser administrator named “Kris” and includes a photograph of a tattoo that Kris got in 2015. That same tattoo is shown on the Facebook profile of a Kristian Razum from Zapresic, Croatia. According to the press releases published today, one of the administrators arrested was from Croatia.

Multiple sources are now pointing to other booter businesses that were reselling WebStresser’s service but which are no longer functional as a result of the takedown, including powerboot[dot]net, defcon[dot]pro, ampnode[dot]com, ripstresser[dot]com, fruitstresser[dot]com, topbooter[dot]com, freebooter[dot]co and rackstress[dot]pw.

Tuesday’s action against WebStresser is the latest such takedown to target both owners and customers of booter services. Many booter service operators apparently believe (or at least hide behind) a wordy “terms of service” agreement that all customers must acknowledge, under the assumption that somehow this absolves them of any sort of liability for how their customers use the service — regardless of how much hand-holding and technical support booter service administrators offer customers.

In October the FBI released an advisory warning that the use of booter services is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

In 2016, authorities in Israel arrested two 18-year-old men accused of running vDOS, until then the most popular and powerful booter service on the market. Their arrests came within hours of a story at KrebsOnSecurity that named the men and detailed how their service had been hacked.

Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that the vast majority of both groups are young men under the age of 21. In its Reddit thread, the Dutch Police addressed this criticism head-on, saying Dutch authorities are working on a new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders.

“Prevention of re-offending by offering a combination of restorative justice, training, coaching and positive alternatives is the main aim of this project,” the Dutch Police wrote. “See page 24 of the 5th European Cyber Security Perspectives and stay tuned on our THTC twitter account #HackRight! AND we are working on a media campaign to prevent youngsters from starting to commit cyber crimes in the first place. Expect a launch soon.”

In the meantime, it’s likely we’ll sooner see the launch of yet more booter services. According to reviews and sales threads at stresserforums[dot]net — a marketplace for booter buyers and sellers — there are dozens of other booter services in operation, with new ones coming online almost every month.


[$] Supporting Intel/AMD memory encryption []

Once a niche feature, memory encryption is becoming mainstream with support in both Intel and AMD processors, Kirill Shutemov said at the beginning of his session during the memory-management track of the 2018 Linux Storage, Filesystem, and Memory-Management Summit. Memory encryption can harden the system against attack, but it also presents some interesting challenges for the kernel.

Link [Scripting News]

Unread 1.9.3 supports titleless items in feeds. Thanks! Next, let's ask Inoreader and NewsBlur to do so as well. Here's a feed to test with. This is an important historic feature dating back to the origins of RSS. Today, it's how blogging can grow into Twitter's space, without its limits (with linking, styles, and no length limit). It was there before Twitter even existed, btw. If you look at the archive of my blog going back to the 90s you'll see lots of titleless items. This is one of the ways Google Reader screwed up the blogging world, by refusing to support this required feature. Let's undo that mistake and grow our world. It's really easy. 💥


Comic: I Have A Mouth And I Can Scream With It [Penny Arcade]

New Comic: I Have A Mouth And I Can Scream With It


Today in GPF History for Wednesday, April 25, 2018 [General Protection Fault: The Comic Strip]

Dexter and Lynn try to convince Patty to try her hand at table-top role-playing...

Incentives matter: the Mr Market LOOOOOVES death squads [Boing Boing]

In 1970, Chile elected Salvador Allende, a socialist, to office; he instituted sweeping reforms aimed at ending the corrupt rule of a small, monied, brutal elite; in 1973, the dictator Augusto Pinochet led a US-backed military coup that involved horrific torture and mass executions of political enemies. (more…)


Who is Producer X? [Nina Paley's Blog]

Astute observers of Seder-Masochism will notice one “Producer X” on the poster:


This is consistent with the film’s opening credits:


and end credits:


Why? Who? WTF?

I made Sita Sings the Blues almost entirely alone. That caused an unforeseen problem when it came time to send the film out into the world: I was usually the only person who could represent it at festivals. Other films have producers who aren’t also the director. Other films also have crews, staff, multiple executives, and money. As SSTB’s only executive, I couldn’t be everywhere at once. Often I couldn’t be anywhere at once, due to having a life that includes occasional crises. Sometimes, if I was lucky, I could send an actor like Reena Shah, or musician like Todd Michaelesen, or narrator like Aseem Chaabra, or sound designer Greg Sextro. But most of the time it meant there was no human being representing the film when it screened at film festivals.

I’m even more hermitic now, and made Seder-Masochism in splendid isolation in Central Illinois. This time I worked with no actors, narrators, or musicians. I did try recording some friends discussing Passover, but that experiment didn’t make it into the film. Greg Sextro is again doing the sound design, but we’re working remotely (he’s in New York).

I like working alone. But I don’t like going to film festivals alone. And sometimes, I can’t go at all.

Such as right now: in June, Seder-Masochism is having its world premiere at Annecy, but I have to stay in Illinois and get surgery. I have an orange-sized fibroid in my cervix, and finally get to have my uterus removed. (I’ve suffered a lifetime of debilitating periods, but was consistently instructed to just suck it up, buttercup; no doctor bothered looking for fibroids over the last 30 years in spite of my pain. But now that I’m almost menopausal, out it goes at last!)

Film festivals are “people” events, and having a human there helps bring attention to the film. The reason I want my film in festivals is to increase attention. The more attention, the better for the film, especially as a Free Culture project. So I want a producer with it at festivals.

Fortunately, Producer X has been with Seder-Masochism from the very beginning. After Sita’s festival years, I knew that credit would be built into my next film.

So who is Producer X?

Whoever I say it is.

She’ll see you in Annecy!



VK: A ‘Notorious Pirate Site’ Praised by The Music Industry [TorrentFreak]

For several years vKontakte, or VK, has been marked as a notorious piracy facilitator by copyright holders and even the US Government.

Like many other user-generated content sites, Russia’s largest social media network allows its millions of users to upload anything, from movies and TV shows to their entire music collections.

However, copyright holders have often claimed that, unlike its competitors, the site lacks proper anti-piracy measures.

“vKontakte’s ongoing facilitation of piracy causes very substantial damage,” the RIAA complained two years ago, and more recently the IIPA labeled the site as a “major infringement hub for illegal film materials.”

As a result of the ongoing critique, particularly from the movie industry, the US Trade Representative included VK in its most recent list of notorious pirate sites. While this isn’t the first time that VK has ended up there, it’s an intriguing position considering the praise the social network received from the music business this week.

After several major labels reached licensing agreements with VK in 2016, it has transformed from one of the music industry’s largest foes to a rather helpful friend. This milestone was clearly marked in IFPI’s most recent Global Music Report, which was just released.

“[Russia has] become an interesting market. The local services are meaningful now, and VKontakte has gone from being the number one most notorious copyright infringer to being a positive contributor,” says Dennis Kooker, Sony Music’s President Global Digital Business.

Moving from a site that does substantial damage to being a positive contributor is quite a feat, something that’s also highlighted by Warner Music’s Head of Digital Strategy, John Rees.

“We’re starting to see encouraging growth in a number of markets which historically have been completely overwhelmed by piracy,” Rees says.

“We work with VKontakte, which last year launched a licensed music service that’s helping unlock the Russian market alongside our other paid streaming partners such as Apple Music, Yandex and Zvooq. There’s huge potential in Russia, and, considering the population size, we’ve only recently begun to scratch the surface,” he adds.

This means that the same platform that helps the music industry to grow in Russia is seen as a notorious pirate site by Hollywood and the US Government, which mention it in the same breath as The Pirate Bay.

The music industry’s positive signals haven’t gone completely unnoticed by the US Trade Representative. However, it believes that the social media platform should help to protect all copyright holders.

“VK continues to be listed pending the institutionalization of appropriate measures to promote respect on its platform for IPR of all right holders, not just those with whom it has contracts, which are comparable to those measures used by other social media sites,” USTR wrote a few weeks ago.

In recent years VK has implemented a wide variety of anti-piracy measures including fingerprinting techniques but, apparently, more is needed to appease the movie industry.

While the music industry can scrap VK from the piracy agenda, it still has plenty of other worries. IFPI’s Global Music Report highlights the “value gap” as a major issue and stresses that stream-ripping is the fastest growing form of music copyright infringement.

The shutdown of one major stream-ripping site in 2016 is highlighted as a major success, but there’s still a long way to go before piracy is a problem of the past, if it ever will be.

“The actions taken by the industry are having a positive impact and reducing stream ripping across major music markets. However, the problem is far from solved and we will continue to take on these illegal sites wherever they are operating around the world,” IFPI’s Frances Moore says.


Security updates for Wednesday []

Security updates have been issued by Debian (lucene-solr and psensor), Oracle (librelp and PackageKit), Red Hat (kernel, librelp, and PackageKit), Scientific Linux (librelp), and Ubuntu (mysql-5.5 and packagekit).

Link [Scripting News]

You might try listening to someone who is sure they're right, no matter what their age. Sometimes they're right, I've found.


Link [Scripting News]

An update on the work with River5 and Glitch. The demo river is still working, amazingly. Before I close the thread, I'd like to do a little cleanup work so there's a good example to build on for others, and for when we pick the thread up in the future.

Event - "GNU Health Con 2018" (Las Palmas de Gran Canaria, Spain) [Events]

GNU Health Con

GNU Health Con is an annual conference that brings together enthusiasts and developers of the Free/Libre Health & Hospital Information System.

GNU Health is this year holding the III International GNU Health Conference, GNU Health Con 2018. This conference will gather the community of activists and developers who have been working on the project during the past 10 years.

Location: Las Palmas de Gran Canaria, Spain


Microspeak: Tented [The Old New Thing]

Here's a citation for the Microspeak term tented from an old Microsoft job listing that is no longer available, maybe because the req has been filled.

You and your team will decide how the Office clients and services measure their success in performance sensitive areas like latency, memory/disk footprint, and battery life not only for the devices of today but also on the evolving ecosystem of hardware including new, tented devices that Microsoft is building.

What is a "tented device"?

No it's not a two-in-one laptop in the tent configuration.

It's also not a data center in a tent.

The term started in Windows 8. The hardware team was developing some new hardware devices. One was a tablet that would run Windows on an ARM processor. (That device would eventually be marketed under the name Surface RT.) Another was a tablet that would run Windows on a desktop-class processor. (That device was marketed under the name Surface Pro.)

These were top secret projects, with access very tightly controlled. They were so top secret that you weren't even allowed to say the product code names in the presence of people who weren't cleared for access, because the mere act of saying a code name discloses the fact that the project exists at all. The code phrase for saying that somebody has been cleared for access to the top secret projects was in the tent. If you wanted to know whether it was okay to discuss the top secret projects with Alice, you would ask whether Alice was in the tent.

This phrase in the tent had some catchiness to it, so people started applying it to any case where there was a top secret project. And since all cool words get verbed eventually, the term in the tent led to the verb tented.

  • "Is Alice tented for project X?" = "Has Alice been granted access to information about project X?" which basically boils down to "Is it okay to discuss project X with Alice?"
  • "This relates to a tented project." = "This relates to a project for which access to any information is tightly restricted."
  • "This is a feature for a tented device." = "This is a feature for a device for which access to any information is tightly restricted."

Few projects rise to this level of secrecy, but in case you have one, there's a Microspeak term to describe it.

Bonus chatter: Some years later, I learned that the concept of being "in the tent" is recursive: There are tents inside tents! Even though you are tented for some project X, there may be a part of that project that is double-top-secret, and you need to be tented for that part of the project to know about it.

In 60 seconds, security researchers can clone the master hotel-room keys for 140,000 hotels in 160 countries [Boing Boing]

The Vingcard Vision locks are RFID-based hotel locks; at this week's Infiltrate conference in Miami, Tomi Tuominen and Timo Hirvonen from F-Secure will present a method for combining a $300 Proxmark RFID tool with any discarded key from a given hotel to derive the master keys that allow them to unlock every room in the hotel, a process that takes less than 60 seconds. (more…)

Bernie Sanders' New Deal: ending involuntary unemployment with guaranteed $15/hour infrastructure jobs [Boing Boing]

Bernie Sanders has a plan to solve America's wage stagnation and its long-neglected infrastructure: tax the super-rich and massively profitable corporations, then use the money to fix the multi-trillion-dollar infrastructure overhang left behind by decades of neglect, and hire Americans at $15/hour, plus full healthcare, to do the work. (more…)


[$] Fixing error reporting—again []

After a session at last year's Linux Storage, Filesystem, and Memory Management Summit (LSFMM), Jeff Layton was able to make some improvements to block-layer error handling. Those changes, which added a new errseq_t type to hold an error number and sequence number, seemed to help and were well received—except by the PostgreSQL developers. So Layton led a session at the 2018 LSFMM to discuss ways to improve things further; it would be followed later in the week with a session by one of the PostgreSQL developers to look at the specifics of the problem from their perspective.

[$] Removing the kthread freezer? []

Using the kernel thread (kthread) freezer has been a longtime problem for a variety of reasons. It is meant as a way to suspend kthreads on the way toward system suspend, but in practice has proved problematic to the point that it came up at both the 2015 and 2016 Kernel Summits (as well as on the mailing lists over the years); the intent is to try to remove the kthread freezer entirely. To that end, Luis Rodriguez led a discussion in the filesystem track of the 2018 Linux Storage, Filesystem, and Memory-Management Summit on the problems and possible solutions.


Into the Gray [Original Fiction –]

“You’re using me,” I said.

“That might be true, but I also love you.”

One is the Lady of the Waking Waters, an immortal mermaid. The other is a thief, who steals lives until a wish can be fulfilled, and a life-changing choice must be made.



I only led the worst of men down to the Waking Waters and death, down to my love in the pool below the falls. I only led the foul men with filth on their tongues, the rich men who contrived to rule other men. I only led the men with hatred in their hearts and iron in their hands. I spurred them on with tales of hidden silver or the sight of my girlish thigh, down out from the mountain town of Scilla, down to the hills and the pines and the ruttish perfume of wildflowers.

All so that the Lady of the Waters might love me.

Well, that and so I could rob their corpses.

The morning sun sat low in the western sky, and the streets were empty near the edge of town. The man with me that day was handsome. He was twenty-five years my senior, with three teeth of silver, a gold-hilted sword and dagger, and a string of badges he’d won by gambling his life for the King’s glory in a foreign land. A town like Scilla saw men like him only once a year, only for the night market.

He’d found me walking with a basket of flowers. I caught his eye and smiled him over and yet he seemed to think he was the one propositioning me.

For a moment, I considered laying with him anyways, without taking part in his death, maybe just taking a few of his things while he slept. For all his pomp and arrogance, I liked the shape of his jaw and the fervor in his eyes.

We walked arm in arm away from the market, the daisies under my arm.

“And you swear you’re not a working girl?”

There was no good answer to a question like that. The answer was no: I don’t exchange labor for coin, I murder and rob. Of course I couldn’t tell him that, nor could I in good conscience distance myself from those among my friends who work more honestly.

I giggled instead. Men seem to like when I giggle at them. I don’t understand how they don’t see through it.

He jangled his full purse, laughing his horrid laugh. “Too many people think only about coin.” As if it would be strange for those of us without to be concerned about acquiring what we need to feed ourselves, clothe ourselves, house ourselves. “It’s weakness, pure and simple, and what people don’t understand is that weakness is our enemy. We must kill the weakest parts of ourselves as surely as we put down our weakest foes before they gather strength.”

He must have done terrible things to win awards like those pinned to his chest. If I focused on that, I could excuse the terrible things I planned to do.

“I know a better place than your room at the inn,” I said.

“If you’re not a working girl, there’s no shame to be seen with you.”

“I know a place, a better place, where the wind runs cool off the water. Where I can rinse, where you can rinse, where we’d taste our best for one another while only the deer of the forest look on.”

“You’ve done this before,” he said. He was hungry at my words, at the thought of watching me bathe.

I had. Twice before. He would be my third.

“So have you,” I said.

“What do I call you?” he asked.


“A harlot’s name.”

“Fitting, then,” I said, starting out for the edge of town with him in my wake. I didn’t ask his name, because I didn’t care to know it and because no one would ever call him it or anything else again.

He followed me along the long road that wound down from Scilla. I promised him it wasn’t far, and I wasn’t lying. We skirted off from the road into the pines and followed the sound of the water. We went downhill and downhill, to the tall and tranquil Waking Waters falls, then downhill to the pool at their base.

There are more impressive waterfalls in this world, but the Waking Waters has a beauty of the sort that has no need to be spectacular. On midsummer evenings, like that one, the sun sets behind the top of the falls and makes it glow while the shadows turn darker everywhere else.

My quarry’s eyes flitted across the woods around us, as though suddenly aware I might be leading him to ambush, but he was looking in the wrong place.

“After you,” he said, gesturing at the water. He didn’t trust me. He was a terrible man, but not an entirely stupid one.

I slipped off my shift with a smile, first at the man and then at the world around me. Wind carried a bit of mist and the scents of summer off of the water, and I strode toward and into the pool.

With each step, the water lapped at my skin. With each step, the water washed away the filth of poverty and the filth of the town and the filth of work–honest work, illicit work, it’s all work.

He watched me, of course. I would have watched me too. I was beautiful.

The Lady found me when I was waist-deep, running her human hand along my thigh. I dove. She swam alongside me, pressing her body to mine, with her bare breasts and her fish-tail.

We kissed, there, underwater, and I ran my tongue along her sharp fish teeth until just a drop of blood found its way into her mouth. I liked to tease her. I liked when she was hungry.

We emerged. The man on the bank, now stripped down to muscle, watched with wide, incredulous eyes.

“The Lady of the Waking Waters,” I said, by way of introduction.

I needn’t say more. I’d never needed say more.

She’s never told me a more proper name. I call her the Lady because I must call her something. For her own purposes, she has no need of a name.

A mermaid has her own magic, stronger than that of any creature born with legs, and even though she smiled and her teeth were white, thin razors, her eyes were bright and hazel. Her hair changed color as the sun, the wind, and the mist played off of it. Her skin was a perfect medium-brown. She could enchant any man alive.

He walked into the water, willingly, and I stepped out onto land.

He didn’t scream, because she removed most of his throat in the first bite. The rust-red, blood-red water slipped away over the rocks to feed the forest.

It’s always beautiful to watch someone perform their life’s work. The man we’d murdered, perhaps he’d been beautiful at war. He might have been beautiful on top of me, inside me. But the Lady, she was beautiful as she stripped flesh from bone.

Only the worst of men. I had honor as a thief, so damned if I wouldn’t have honor as a murderer.

I went to his belt, found his purse, and took those coins he’d rattled. The sun was hot on me as I worked my way through his clothes, unraveling the gold wire woven into his hems, unraveling the gold wire he’d wrapped around the hilt of his dagger to announce his wealth. I’d have to find someone to melt down the medals.

At last, I turned my attention from my work and back to the pool. The Lady was sunbathing on the rocks on the far side, and the water ran clear once more. She smiled, and I strode back into the water, back out to the Lady, my lover.

I put my mouth on hers, and she was gentle with me, kinder than anyone with two legs had ever been. When a mermaid’s lips are against your skin, time slows. The white noise of the waterfall became a low and quiet roar and I saw every sweet drop of water as it cascaded down the mountainside.

She pleased me with her hands and mouth while my feet dangled in the cold pool, and she had me breathing fast and easy, fast and hard, fast and easy, fast and hard, while the world crawled by around me.

For a moment, with the last of the sun on me, I had coin enough, and I had love enough.


“Can I just stay here with you?” I asked. The moon had risen, a crescent scythe in the field of stars. I hadn’t told her of my plans. In truth, I was afraid she’d dissuade me.

She was in the water to her neck, and I lay on my side on a rock with my face near hers. The roar of the waterfall cut out the sounds of the night, yet I could hear my heart hammering in my chest.

“Of course not,” she said. “I live in the water, and it would be the death of you by drowning to join me.”

“I don’t care if it kills me,” I said, weeping.

“I do,” she said. “I want you to still bring me men every few years when your hair has gone white and your skin hangs loose on your frame.”

“You only want to see me every few years,” I said.

“We’re not the same,” she told me. “It’s not possible for us to lead the same life.”

“What if it was possible, though? What if I changed? What if I found magic enough?”

“I love you as you are, Laria,” the Lady said. She brushed the wet hair, plastered to my face, away from my eyes. “I love the way things are between us.” She was sad, and smiling.

“You’re using me,” I said.

“That might be true, but I also love you.”

The world was blurry, through the haze of my tears. She kissed my cheeks, awkwardly, like a boy just learning what romance tastes like. Time slowed again, and I realized no matter how fast she’d killed that man with her teeth, he’d had all the time in the world to experience death.

I envied him, a short moment, for losing his life to the Lady’s teeth. Why are death and love and sex and change all tied up together in our heads?

But as her fingers ran down my neck, I grew calm. I was as happy as I ever was. She climbed out of the water, her tail transformed to legs. I laid on my bare back, and she straddled my hips, and we let time run slow once more.


The night was full-dark, with clouds obscuring the moon, when I made it back to Scilla. The sun had gone to rest, but the town had not. Vendors from all over the island were setting up under eaves and on the cobbles. Fifty weeks a year, my home was a dry husk of a town. Two, it drew the finest wares and wanderers in the country.

There was good work to be had at the night market. All kinds of work, legal and not. But with the weight of gold in my purse, I had no need. I wasn’t there for work. I was there for the witch.

A heavily-scarred cheesemonger cut into a wheel of something pungent and rich, and my stomach informed me I hadn’t eaten since the sun was at its peak.

“He’s sleeping off wine, that’s what I figure,” I heard. Next to the cheesemonger, two men-at-arms sat on a bench eating fried lamb, their polearms resting in the nooks of their arms. They spoke in the way of men who aren’t used to manners, of men who don’t care who hears them.

“The King’s Fifty are not the sort to abandon their posts,” the other man said, his voice full of gravel.

I’d killed one of the King’s Fifty. Pride and terror fought for control of my emotions.

“He’s probably fucking or drunk or just fucking drunk,” the first man laughed. “He’ll get here.”

I hurried away into the crowd, lest they somehow see the heft of my purse and the medals within. I had to be careful. There likely wasn’t a moneychanger disreputable enough to trust with my gold, not even the wire. As rumors raced through the market–a knight has been slain–my caution escalated to fear, and the physical sensation coursed through my body.

If I couldn’t trust a moneychanger, then better to trust the witch.

I found her tent set between a child selling counterfeit treasure maps and a cooper as old as the moon. Such was the night market.

Henrietta the Haggard, people call her, though it said Henrietta the Honored on the tapestry hanging on the side of her tent. I couldn’t read it, but once I saw a gentry-girl read it aloud to her father. I used to think it was funny, how Henrietta the Haggard had the wrong name written on her tent. Now it’s not so funny. I know what it’s like to need to advertise to the world what you are, so that people don’t just assume you are what they think you are.


“I have the coin to pay you,” I told Henrietta.

The thick canvas walls blocked the light from the street, and only the red ember glow from a dying brazier lit either of us at all. Thick incense, of a scent too exotic to place, tickled my nose.

Weary lines were etched into the witch’s dry skin, and she looked as old as the town, as old as the kingdom. Henrietta had as much magic as anyone on the island; she could look however she wanted. She chose to look decrepit. I liked that about her.

“You wish to become a creature of the lakes and rivers and the sea?” she asked.

I nodded.

Henrietta frowned. “Better to just let me read your palm and go.”

I pulled the coins and the coiled gold wire out from my purse and placed them on the counter. They gleamed, even in the scarce light of the embers.

“A spell like that would leave me drained a fortnight, at least. I’d lose all my other work. That’s quite a wealth of gold you have, child, and it could buy most anything in the market. It cannot buy Henrietta for a fortnight.”

I nodded. I’d expected that. I went back into my bag and pulled out the medals.

Her eyes grew wild, with surprise, greed, or suspicion.

“Tell me more specifically,” she said. “What do you desire to become?”

“A mermaid.”

“I can give you the tail of a fish and gills on your throat. I can point your teeth and give you a gullet built for blood. I will not work the dark magic required to make you immortal. I can’t grant you magic of your own, and you won’t be able to shift your tail to legs to move on land. You will be a creature of the water, and of the water only.”

I’d figured that was likely.

“Tell me, child,” Henrietta said, “have you been talking to the Lady of the Waking Waters?”

I thought no one knew of her but me. If Henrietta recognized the medals, she would know what happened to the soldier. She’d know my culpability in his death, sure, I’d counted on that–but she’d know the Lady’s involvement as well.

“Breathe, child,” Henrietta said. “Your eyes are wide and wild with guilt and it won’t do to be seen that way. I’m in the business of revealing the truth of the future and the past, but I’m not in the business of informing on my customers.”

She stood up–an imposing figure, like a stooped giantess–and went to close the flap of her tent. No light, no sound, came in through that canvas. The incense seemed thicker, the air hazier.

“Why?” she asked.

“Does it matter?”


It took me a moment to collect my thoughts. “Because I’m in love,” I said.

“Is that a reason to give up your life on land and your body?”

“What life?” I asked. “Selling flowers for copper? Risking everything, constantly, to steal gold? This is the third town I’ve lived in in five years.”

“How will you run from your troubles, without legs?”

“I’ll have the whole of the ocean!”

“All right,” Henrietta said. “Stand up then, let’s have a look at you.”

I stood.

“You’re a boy under all of that?” she asked. There was no judgment in her voice. Ever since I’d taken a woman’s name and worn women’s clothes, people quickly sorted themselves into three categories: those who wanted to fuck me, those who were repulsed by me, and those who simply didn’t care. Henrietta didn’t care.

“More or less,” I said. It was hard to think of myself as a boy at all.

“Won’t matter soon enough,” she said. “Soon enough you’ll be a fish. Come on then, let’s get down to the water. I know a cove that should work.”

“Right now?” I asked.

“You sounded like you were sure before.”

“Shouldn’t we wait until tomorrow? So I can, I don’t know, get my affairs in order?”

“I thought there was nothing for you on land?”

Nothing suddenly felt like an exaggeration. There was Nettle and Fitch, the two girls I shared a room with in the loft over the stables. Would they be able to make copper enough for the landlord without me? And Fitch, the way she looked at me. I was in love with the Lady, that was as certain as the sun, but I liked the way Fitch looked at me too.

“I’ll meet you down there,” I said. “Give me, I don’t know, an hour.”

“I will cast the spell as the first light of dawn breaks over the water.”

I started to collect my gold from the table.

“Leave that here,” Henrietta said.


“Leave that here so I know you’re serious, so I know this isn’t a prank, a waste of Henrietta the Honored’s time. I will destroy some not-inexpensive things in preparation for this working, and I won’t be cheated.”

“Where’s the cove?” I asked.

“Where the Waking Water feeds into the ocean. Don’t be late, child. A spell works on its schedule, not yours. If I prepare the spell, it will be cast at dawn regardless of what any of us desire.”

I nodded, and stood. The incense had me dizzy, and I stumbled out of the tent, back into the noise of crowded humanity.


At least a dozen men-at-arms crowded together near the front gate, strapping on coat-of-plates and brigandine. Each of the men towered over me, and the heads of halberds and pikes towered over them in turn. I shied back. Menace was in the air, and my head was still fogged with the incense and magic from Henrietta’s tent.

“Saw him leave with a girl,” one man, a hostler in town for the market, said.

I flipped up my hood, hiding my feminine hair, and took a half step back into the gathered and gathering crowd.

“You tell me when they left, how tall this girl was, and I’ll track Holann down sure as your mother’s milk.” The man who said that was a gray-haired old ranger, stocky and short with a glint of malice in his remaining eye.

Holann. The man I killed had been named Holann. Didn’t matter.

“What,” another soldier asked, “so we can catch him with another whore in the woods? Just let him sleep it off, we’ll see him in the morning.”

“You ever known him to abandon his post?” the ranger asked.

They argued for a while after that. The crowd lost interest and dispersed, and I found the shadow of a glassblower’s stall to hide in.

They were going to find the Lady.

They would follow my tracks down the hills and through the trees and to the water, and they would find the Lady, and all the magic she could bring to bear wouldn’t be enough to stop a company of the King’s own men. Not if she didn’t know they were coming.

Henrietta could wait. My transformation could wait. I ran.


If I’d had time, I could have misled the tracker. I’m not sure how. I could have thought of something. There wasn’t time.

I walked out of the town gate, through the crowd of arrivals, with my hood still obscuring my face. I made it to the tree line, stepped through, and went back to running.

There was no direct path, just a series of gullies and deer trails, and darkness obscured the forest. I didn’t get lost. I’d gone that way a hundred times. I skinned my knee, deep, on the rocks when I slipped near the end, but I scarcely registered the pain. My love was in danger.

I stumbled out of the trees and waded into the pool at the base of the falls. I would have shouted her name, had she a name, had I not been afraid of calling attention to our location.

The night had grown cold, and the water sapped at my strength if not my resolve. I plunged through the falls and into the alcove behind. Phosphorescent moss cast faint light that glistened on wet stone.

I saw her sleeping on the shelf, with legs. It was so easy to imagine she slept with legs because she wanted to sleep next to me. It was so easy to imagine that land was her first home, that water was simply another realm she could travel within.

It wasn’t fair, that she could walk and swim and I had to choose forever between one or the other. It wasn’t fair that I should be the one who would sacrifice for us to be together, when it would be so much easier for her.

She was beautiful. In the usual ways, yes, but she was also beautiful in the ways that anyone might become, when you get to know the secret language of their body and their lives. She’d been alive so long, seen so much, developed so much beauty. The longer I might know her, the more of her hidden beauty I might unearth.

“My Lady,” I whispered. I couldn’t hear my own words over the roar of the water.

“My Lady!” I shouted.

She woke, twitching, thrashing like a fish, and for a moment she wasn’t human. She was never human.

“You’re back,” she said, as she came to her senses. “So soon.”

“They’re coming,” I said.


“Too many,” I said. “Men-at-arms. Friends of the man you…we…killed.”

She nodded.

A crueler person–maybe any human–would have blamed me.

“Have you come to die for me? With me?” she asked. There was no fear in her voice, nor even grim determination. She asked it like she might ask my thoughts on the weather. No, she asked it like she asked before she kissed me, before she touched me. She was asking for my consent.

For a moment, I wanted to die alongside her as fiercely as I wanted to kiss her. My life had been brief, to be sure, but many lives are, and length alone is no grounds on which to judge.

“I’ve come to warn you,” I said, as the urge passed, “and I’ve no intention of dying. We have to make for the ocean.”

“I chose this pool a hundred years ago, as a yearling. It is my home,” she said.

“You’ll find another.”

“Is that what you do? Go from place to place, rootless?”

“Every time they come after me,” I agreed.

“I can’t live like you. I wouldn’t survive, any more than you’d survive drowning.”

“I want a home,” I said. “I want you to be home. I don’t care where it is, as long as you’re there.”

“I can’t live like you.”

Tears fought their way down my cheeks and I was glad for the cold spray of the falls that disguised them.

“Can you do it this once?” I asked. “Leave your home?”

“No,” she said. “It would be nicer to stay here, don’t you think? Nicer to enjoy one another, then fight and die?” She kissed me then, and I had endless time to consider it.

She might have kissed me longer than I thought, because when my mouth broke from hers, I heard a distant crashing that likely couldn’t be anything but an armored man sliding down a slope.

I took her by the hand. I had no weapons but a knife, and no training in combat. If I stayed, it would be purely symbolic. There was no reason not to run, not to save myself. Still, I didn’t let go.

“I see them!” someone shouted. “There, in the pool!”

“Just a couple of girls!” another man’s voice called back. He kept speaking, too, after that, but I couldn’t make out the words.

I couldn’t see them. They were hidden by the trees.

I tried to lead the Lady away, but she resisted.

“We can’t fight them all,” I said.

“Yes we can,” she said. “We might not be able to stop them all, but we can certainly fight them.”

Then they came out of the woods as fog began to rise, and they were terrible. The white-painted armor of the King lent them a ghostly look, made worse by the rising fog and the starlight. Their pikes were death, their swords were death, and contrary to every song ever sung, death is the opposite of love.

I wanted love.

My body was numb with adrenaline and cold water, and I was up to my waist in the pool. I got my knife into my hand.

They approached with their pikes and shouted their words that insisted on surrender but I don’t know that I heard them or anything at all.

A spear reached for me, and the Lady took it by the haft and pulled its wielder off balance, and another spear sliced her shoulder while she did and her dark blood ran into the water. More spears were coming.

Something broke in her as her skin split apart. “You’re right,” she said. “I’ll make for the ocean.”

We dove under, swam until the pool grew too shallow, then ran along the creek.

As I vaulted a fallen log, I rested my left hand on the trunk of a nearby tree for balance. A crossbow bolt shot through my palm, pinning me.

The Lady broke the shaft of the quarrel and I pulled free my hand. Another bolt cut through my cape.

Every obstacle we crossed increased our lead, because a thief and a fey can move faster through the woods than those who are armed and armored. Soon they gave up on shooting at us entirely. Soon after, we couldn’t hear them.

“They know we’re following the creek,” I said. “If we break from it, we can lose them in the fog.”

“If I can’t be in my pool, I need to be in the ocean. You can hide in the fog. I can make my way alone.”

“No,” I whispered, and kept going, my wounded hand wrapped in my cloak.

We reached the top of another waterfall, one that sent the creek cascading down to the beach. I looked down into the dark gray nothing of the morning. Somewhere down there was the ocean, and presumably Henrietta on the beach nearby. It wasn’t too late for the spell.

It would be a hell of a climb to get down there, however.

The Lady turned to me, looked me in the eyes. She was searching, trying to understand me.

“There’s a witch,” I said, as I held her by the waist, “meeting me at the beach. She said she can transform me.”

“Into a creature of the sea?” the Lady asked.


“Is that what you want?”

“I want to be with you,” I said. “However I can.”

“Then do it,” she said. Her eyes were still searching my face. “Be with me.”

Was there no passion in her voice because I didn’t know how to listen for it? Was there no passion in her voice because there was none in her heart? Or was there passion, deep passion, and my terror kept me from hearing it?

Without another word, the Lady knelt down and climbed over the edge of the cliff. I’d have to climb down after, with my left hand useless.

Nothing to do but to do it. I knelt down, looking for a ledge.

A crossbow bolt found my leg and I pitched forward, down into the fog, down into the gray.


The ocean has its own kind of cold, a rough and salty cold that will kill you as sure as the snowmelt cold of mountain rivers. I hit that cold and it cracked me into consciousness, but my leg wouldn’t respond to my commands and my hand was warm with blood.

There was no surface in sight.

I’d tried. No one could say I hadn’t tried.

Most people would say I’d gotten what I deserved, and maybe they’d be talking about me being a thief and murderer but more than a few would say it because I was a monster and I’d always been a monster.

Nettle and Fitch would miss me, and Fitch might miss me for more than my share of the rent. But mourning isn’t always just a hardship, it’s part of the beauty of life. My death might lend them beauty.

I’d also saved my love.

Who, to be honest, I shouldn’t have loved.

Water made its way into my lungs. Cold water shouldn’t feel like fire. It did.

She loved me, in her way. I loved her, in mine. We could have had that love slowly. I could have not become obsessed. I could have fed her men and those men’s coins could have fed me.

Instead, I was drowning.

I closed my eyes because I couldn’t see anything anyway, and there was that fire in my chest. Better to sleep than to burn.

I slept.

I woke on shore with her mouth on mine and the fire was out of my chest, in every way, all at once. I wasn’t drowning anymore. That was her magic. I wasn’t obsessed anymore. That was mine.

Behind her, a stooped giantess of a witch held aloft a raw crystal the size of a boulder. The mist seemed to shrink away from it and her, leaving us in a bubble of clarity in an obscured world.

“Good morning, child,” Henrietta said, with an uncharacteristic giggle in her voice. “I’m glad you could make it.”

“Laria,” the Lady said. Even then, even as I stood on the precipice of death, her face was without emotion.

“I’m fine,” I said, because I wasn’t dead and I probably wasn’t even dying, and by that standard, everything was fine. I struggled to my knees. Gentle waves lapped against me, and the sand was cool beneath me.

“The spell is cast,” Henrietta said. “The dawn will break in a moment, and the first ray will strike this crystal and all you must do is stand in its light if you choose. The Sea Mother will take you for her own.”

“Wait,” I said.

“I cannot.”

“Stand down!” a man’s voice shouted, louder than the waves, echoing against the cliffside.

He approached, a silhouette with a crossbow drawn. The Lady ran at him. He shot once, missed.

He stepped out of the mist and into the circle, dropping his crossbow and drawing a short sword. It was the tracker. He must have come ahead of the rest of the men, being the only one capable of climbing down the cliff.

“Stand down!” he shouted again.

The Lady lunged for his sword hand, but he was too fast. He swung at her and missed.

They danced, both too experienced to easily defeat the other. Since he had friends coming, however, time was on his side.

He cut the Lady, shallow across the other shoulder as she’d been cut before, and her blood ran red. I could see the color this time. It was almost dawn.

“I killed him!” I said, standing, shouting. “I killed that man whose name I don’t care to know; I stole every copper he’s ever taken from a corpse in war.”

It worked. The man turned his attention to me. I limped closer, until I was just outside the range of his blade.

“I am going to live my life on land so that I can kill a thousand like him, starting with you.”

“You won’t kill me, baedling,” the tracker said. “You’ll hang by sundown.”

Dawn broke, the crystal caught the first ray, and it shot toward me. I dove at the tracker. He swung, reflexively, but missed. My body slammed into his legs. He fell over me into the light, into the spell.

Incoherent red rage consumed his body and he blistered and he screamed. His legs fused and grew scales, his neck split open into bloody gills, and he screamed. His teeth fell into the sand and fangs grew in their stead, and he screamed.

The Lady took the sword from his hand, held it to his throat.

“Should we gut him?” she asked.

“Help him into the water,” I answered. “Let the Sea Mother take him.”

The Lady and I rolled him across the wet sand and into the waves. He stopped screaming. Soon he was gone, cursed to the depths.

“What now?” the Lady asked.

I had to leave town. The rest of the men would be after me. Maybe Nettle and Fitch would come with me, maybe not. I’d make it work. I had before, I would again.

“We’ll go our ways,” I said. Dawn brought clarity the way it’s supposed to. “I’ll grow old, and I’ll bring you men once every few years.”

“That will be enough for you?”

“It will.”

Copyright © 2018 by Margaret Killjoy
Art copyright © 2018 by Alyssa Winans


Two NSA Algorithms Rejected by the ISO [Schneier on Security]

The ISO has rejected two symmetric encryption algorithms: SIMON and SPECK. These algorithms were both designed by the NSA and made public in 2013. They are optimized for small and low-cost processors like IoT devices.

The risk of using NSA-designed ciphers, of course, is that they include NSA-designed backdoors. Personally, I doubt that they're backdoored. And I always like seeing NSA-designed cryptography (particularly its key schedules). It's like examining alien technology.


Four short links: 25 April 2018 [All - O'Reilly Media]

Music Biz, Amazon DNS Hijack, Embedded Platform, and Tech Change

  1. Music Industry's "Fantastic 2017" -- That $1.4 billion of growth puts the global total just below 2008 levels ($17.7 billion), meaning that the decline wrought through much of the last 10 years has been expunged. The recorded music business is locked firmly in growth mode, following nearly $1 billion growth in 2016. Cory Doctorow makes the point that while the "music industry" is booming, artist incomes aren't growing at the same rate. Or, indeed, at all.
  2. Amazon's DNS Hijacked For Two Hours -- in service of raiding a cryptocurrency website.
  3. Nerves -- Pack your whole application into as little as 12MB and have it start in seconds by booting a lean cross-compiled Linux directly to the battle-hardened Erlang VM. Let Nerves take care of the network, discovery, I/O, firmware updates, and more. Focus on what matters, and have fun writing robust and maintainable software. Nifty approach to a very real problem.
  4. Five Things We Need to Know About Technological Change (Neil Postman) -- this is incredibly prescient and good. Technological change is not additive; it is ecological.[...] A new medium does not add something; it changes everything. In the year 1500, after the printing press was invented, you did not have old Europe plus the printing press. You had a different Europe. After television, America was not America plus television. Television gave a new coloration to every political campaign, to every home, to every school, to every church, to every industry, and so on. That is why we must be cautious about technological innovation. The consequences of technological change are always vast, often unpredictable, and largely irreversible. See also a related talk by Postman. (via Daniel G. Siegel)
  5. Note: The email edition of Four Short Links will be discontinued on Monday, April 30. New editions of Four Short Links will still be published every weekday at and through the Four Short Links feed. Please send questions about this change to


The Search for Truth [The Daily WTF]

Every time you change existing code, you break some other part of the system. You may not realize it, but you do. It may show up in the form of a broken unit test, but that presumes that a) said unit...


Julien Danjou: Correct HTTP scheme in WSGI with Cloudflare [Planet Debian]

Correct HTTP scheme in WSGI with Cloudflare

I've recently been using Cloudflare as an HTTP frontend for some applications, and getting things working correctly with WSGI was unobvious.

In Python, WSGI is the standard protocol for writing a Web application. All the Web frameworks that I know follow it, and many of them rely on request environment variables to learn how the request was made.

One of those environment variables is wsgi.url_scheme, and it contains either http or https, depending on the protocol that has been used to connect to your WSGI server.

And that's where things can get messy. If you enable SSL at Cloudflare in "Flexible" mode, your visitor will connect to your Web site using HTTPS, but Cloudflare will connect to your backend using HTTP. That means that for your application, the traffic will appear to be over HTTP, and not HTTPS: wsgi.url_scheme will be set to http.


That can lead to several problems with some frameworks. For example, the function url_for of Flask will rely on this variable to generate the scheme part of any URL. In this case, it would, therefore, generate URL starting with http:// whereas your visitors are using https.

The usual workaround is to leverage the X-Forwarded-Proto header, which Cloudflare does set. When Cloudflare proxies the request to your HTTP host, this header is set to https. By using the werkzeug.contrib.fixers.ProxyFix module, the variable wsgi.url_scheme is set to the value of X-Forwarded-Proto.

That would work fine for any application that is directly behind Cloudflare, or any single HTTP reverse proxy.

But that does not work as soon as you have multiple reverse proxies. If your application runs on top of Heroku, for example, they already provide a reverse proxy and overwrite those headers. That gives the following chain: Visitor -HTTPS-> Cloudflare -HTTP-> Heroku proxy -HTTP-> Heroku dyno. Once your dyno is reached, X-Forwarded-Proto will be set to http.

Damn it!

The proper solution is, therefore, to have all your proxies implement RFC7239. This RFC defines a new Forwarded header that can contain all the hops that have forwarded this request, including all the scheme and IP addresses. Unfortunately, this is not implemented by Cloudflare nor Heroku. Bummer!

Finally, Cloudflare provides yet another custom header named Cf-Visitor. It contains a JSON payload with the original HTTP scheme used by the visitor: we can use that to solve our issue. Here's a WSGI middleware to do that:

import json


class CloudflareProxy(object):
    """This middleware sets the proto scheme based on the Cf-Visitor header."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Cloudflare sends 'Cf-Visitor: {"scheme":"https"}'; WSGI exposes it as HTTP_CF_VISITOR.
        cf_visitor = environ.get("HTTP_CF_VISITOR")
        if cf_visitor:
            try:
                cf_visitor = json.loads(cf_visitor)
            except ValueError:
                # Malformed JSON: leave wsgi.url_scheme as the server set it.
                pass
            else:
                proto = cf_visitor.get("scheme")
                if proto is not None:
                    environ['wsgi.url_scheme'] = proto
        return self.app(environ, start_response)

You can then use it to encapsulate your WSGI application with app = CloudflareProxy(app).
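As an added example (not from the post), here is the same middleware exercised end to end against a constructed WSGI environ for each of the three situations described above: a single proxy, the Cloudflare-then-Heroku chain where X-Forwarded-Proto has been overwritten, and a malformed header. It goes a little beyond the post by accepting only "http" or "https" and by falling back to X-Forwarded-Proto when Cf-Visitor is absent; the host example.com and the echo app are placeholders.

```python
import json
from wsgiref.util import request_uri

ALLOWED_SCHEMES = ("http", "https")


def scheme_from_environ(environ):
    """Return the scheme the visitor used, or None if it cannot be determined.

    Order of trust, most specific first:
      1. Cf-Visitor JSON set by Cloudflare (survives a second proxy such as
         Heroku's, which only rewrites the X-Forwarded-* headers).
      2. X-Forwarded-Proto, the conventional header for a single proxy.
    Only "http" and "https" are accepted, so a malformed or hostile header
    cannot inject an arbitrary scheme into generated URLs.
    """
    raw = environ.get("HTTP_CF_VISITOR")
    if raw:
        try:
            scheme = json.loads(raw).get("scheme")
        except (ValueError, AttributeError):
            # Not JSON, or JSON that is not an object.
            scheme = None
        if scheme in ALLOWED_SCHEMES:
            return scheme
    # Fall back to X-Forwarded-Proto; the first value is the outermost hop.
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    first = forwarded.split(",")[0].strip().lower()
    return first if first in ALLOWED_SCHEMES else None


class SchemeFix(object):
    """WSGI middleware that restores the visitor's scheme into wsgi.url_scheme."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        scheme = scheme_from_environ(environ)
        if scheme:
            environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed demo app: replies with the absolute URL it believes it serves.

    This is what url_for-style helpers compute from wsgi.url_scheme.
    """
    body = request_uri(environ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def run(app, headers):
    """Call a WSGI app with a constructed environ and return the body as text."""
    environ = {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/login",
        "HTTP_HOST": "example.com",   # placeholder host
        "SERVER_NAME": "example.com",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",    # what the backend actually spoke
    }
    environ.update(headers)  # constructed proxy headers for the scenario
    app(environ, lambda status, response_headers: None)
    return request_uri(environ)


if __name__ == "__main__":
    wrapped = SchemeFix(echo_app)
    # Cloudflare "Flexible" SSL straight to the origin.
    print(run(wrapped, {"HTTP_CF_VISITOR": '{"scheme":"https"}',
                        "HTTP_X_FORWARDED_PROTO": "https"}))
    # Cloudflare -> Heroku: X-Forwarded-Proto overwritten, Cf-Visitor intact.
    print(run(wrapped, {"HTTP_CF_VISITOR": '{"scheme":"https"}',
                        "HTTP_X_FORWARDED_PROTO": "http"}))
    # Garbage header: scheme is left as the server set it.
    print(run(wrapped, {"HTTP_CF_VISITOR": '{"scheme":"javascript:"}'}))
```

Either header can be set by anyone who can reach the origin directly, so this only tells the truth when the origin accepts connections solely from the proxy.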

If you're using JavaScript, I noticed that the forwarded library provides that same support for Cloudflare alongside all the other headers – even RFC7239!

Good customer service [Judith Proctor's Journal]

 I can happily recommend RS components for good customer service (and good prices).

I ordered 10m of black velcro.  It was delivered the next morning, postage included in the price.

I realised I'd accidentally ordered hook tape instead of hook and loop tape.

Even though the fault was mine for ordering the wrong item, the friendly man on the phone gave me a free return label.

I think they mostly sell to maintenance engineers: they stock a wide range of batteries, tools and tool storage of every kind, PPE, electronic components, lots of kit for testing and measuring, etc.  If you need the ultimate spanner kit, then this may be a good place to look.

(I slag off firms when they screw me up, so I always post something nice when a firm goes the extra mile)

What do I need double sided velcro for?

Morris bells are expensive, so I buy a lot of these:

They cost about £5 if you buy them individually in Hawkin's Bazzar as "Jingle bands" but I've just discovered a firm that sells them in bulk under a different name for £34 for 20 bands!

They will fit around a child's wrist, but not an adult's knee.  However, add a strip of double-sided velcro and the gap is perfectly bridged!



About that tantrum [Seth Godin's Blog on marketing, tribes and respect]

A note to the customer who just had a meltdown. To the groom without a perfect wedding, to the rental car customer who had to wait twenty minutes, and to the boss who's furious that the delivery wasn't as promised.

We heard you. We, as in the people you were seeking to impact, and we as in the rest of us as well, the innocent bystanders.

Actually, we heard you the first time. Ever since then, the only information that's being communicated is about you, not the people you're angry with.

You're demonstrating your privilege (because you need to have plenty of resources in order to waste so many on an emotional, non-productive tirade.)

You're demonstrating your entitlement.

You're demonstrating a surprising lack of self control. Toddlers have tantrums. Adults should solve problems.

And you're demonstrating your fear, most of all. The fear that fuels a narrative of being unheard. The fear that you're not good enough. The fear that this might be the last chance you get to make everything exactly perfect.

Working with the outside world is an act of communication and mutual respect. You deserve to be heard, but you don't have a right to have a tantrum.



Page 40 [Flipside]

Page 40 is done.


Tough Love [Ctrl+Alt+Del Comic]

I am savoring the shit out of God of War. This is one of those games you remember for years and years after the fact. So many incredible moments. Sindri is my new obsession.

However, I don’t know if it’s just me, but as the father of two little boys, it is hard to watch Kratos give his kid the cold shoulder at the start of the game. The boy’s mother just died (you literally spend your first moments in the game constructing a funeral pyre for her), and Kratos (as I guess you’d imagine) expresses all the compassion of a giant, concrete sculpture of a middle finger.

On a couple of occasions, he even almost reaches out to comfort the boy, and rather than giving you, the player, the option, he retracts his unnoticed gesture.

Now, a caveat here, as spoiler-free as I can make it: as you continue to play the game and learn more and more about Kratos and Atreus’ distant relationship, the game does… things to show you something deeper. Kratos doesn’t become warm and fuzzy, but the game illustrates his love for the boy in very nuanced and powerful unspoken ways. I know that particular father-son dynamic doesn’t sound like anything that hasn’t been done before, but it’s executed really well in this game. It’s something that’s going to stick with me.

That’s all I’m going to say about that because, again, I don’t want to get into spoilery territory. But as difficult as it is to watch Kratos deny his son some basics like praise and compassion (and honestly, the tough love approach does make sense in the world they’re living in, and given Kratos’ background), you do at least get to see something below the surface.

On a different note, I think my four-year-old is starting to wonder why I’ve begun addressing him as “boy.”


219 [LFG Comics]

The post 219 appeared first on Tiny Dick Adventures.


Girl Genius for Wednesday, April 25, 2018 [Girl Genius]

The Girl Genius comic for Wednesday, April 25, 2018 has been posted.


Sympathy For the Batman [Diesel Sweeties webcomic by rstevens]

sleep is dumb

Tonight's comic is why I should be in charge of Batman.


[$] A page-table isolation update []

Dave Hansen did much of the work to get kernel page-table isolation (PTI) into the kernel in response to the Meltdown CPU vulnerability. In the memory-management track of the 2018 Linux Storage, Filesystem, and Memory-Management Summit, he ran a discussion on how PTI came about, what the costs are, and what can be done to minimize its performance impact.


The Humble Capcom X SEGA PlayStation Bundle: Capcom and SEGA are... [Humble Bundle Blog]

The Humble Capcom X SEGA PlayStation Bundle: 

Capcom and SEGA are back with a bundle of PS3, PS4, and PS Vita games. Get Mega Man Legacy Collection, Alien: Isolation, Dead Rising 2 HD, and more. We got plenty of games down at the ‘Station!

Savage Love [The Stranger, Seattle's Only Newspaper: Savage Love]

He's a liar, a cheat, a user, and a manipulator—and it just keeps happening. by Dan Savage

I'm a straight male in my 30s. I've been with my wife for 12 years. I have had several affairs. Not one-night-stand scenarios, but longer-term connections. I didn't pursue any of these relationships. Instead, women who knew I was in an "exclusive" relationship have approached me. These have included what turned into a one-year affair with a single woman, a three-year affair with a close friend of my wife, a seven-month affair with a married coworker, and now a fairly serious four-months-and-counting relationship with a woman who approached me on Instagram. On the one hand, I do not regret my time with any of these women. On the other hand, I have been deceitful and manipulative for almost my entire adult life. I am a terrible husband in this respect. Also, I'm going to get busted eventually, right? Finding out about this would crush my wife. I love her, we get along great, and the sex is good—if I wasn't such a lying piece of shit, you could even say we make a pretty good team. We are also very socially and financially entangled. I don't want to leave, but I suspect I should. And if so, I need help considering an exit strategy. Part of my motivation for writing is that I am particularly attached to the woman I'm having an affair with now, and both of us fantasize about being together openly. I'm a liar, a cheat, a user, and a manipulator—and it just keeps happening.

A Seriously Shitty Husband On Losing Everything

P.S. I'm expecting you to rip me to shreds.

It doesn't "just keep happening," ASSHOLE, you keep doing it. And these women didn't "turn into" one-year, three-year, seven-month, and four-months-and-counting affairs on their own. You turned them into affairs by continuing to show up. And while you claim that each of these women pursued you despite knowing you were in an exclusive relationship, it doesn't sound like you ran from any of them. At best, you broke into (or slowed to) a trot, which allowed each one of these lady predators to overtake you.

The first step toward holding yourself accountable for your appalling actions—a close friend of your wife? really?—is doing away with the passive voice. Don't ask yourself, "How'd that happen?!?" as if the universe were conspiring against you somehow. You weren't hit by a pussy meteor every time you left the house. You did these things. You had these affairs. You.

Zooming out: If all it takes for some rando to get her hands on your otherwise committed cock is to DM you on Instagram, you have no business making monogamous commitments. If you'd sought out a partner who wanted an open relationship—a wide-open one—you could have had concurrent, committed, nonexclusive relationships and avoided being "a liar, a cheat, a user," etc.

Seeing as you're a reader, ASSHOLE, I suspect you knew an honest open relationship was an option—that ethical nonmonogamy was an option—but you didn't pursue that. And why not? Maybe because you don't want to be with a woman who is free to sit on other dicks. Or maybe the wrongness and the self-loathing—the whole bad-boy-on-the-rack routine—turn you on. Or maybe you're the wrong kind of sadist: the un-self-aware emotional sadist. You say you love your wife, but you also say she'd be crushed—destroyed—if she discovered what you've been doing. Be honest, ASSHOLE, just this once: Is the destruction of your wife a bug or is it a feature? I suspect the latter. Because cheating on this scale isn't about succumbing to temptation or reacting to neglect. It's about the annihilation of your partner—a (hopefully) subconscious desire to punish and destroy someone, anyone, fool enough to love you.

The tragedy is how unnecessary your choices have been. There are women out there who aren't interested in monogamy, there are female cuckolds out there (cuckqueans) who want cheating husbands, and there are masochistic women (and men) out there who get off on the thought of being with a person who would like to crush them. So long as those desires are consciously eroticized, fully compartmentalized, and safely expressed, you could have done everything you wanted, ASSHOLE, without harming anyone.

So what do you do now?

It seems like you want out, and your wife definitely deserves better, so cop to one affair, since copping to all of them would crush her—or so you think. People are often way more resilient than we give them credit for, and convincing ourselves that our partners can't handle the truth is often a convenient justification for lying to them. But on the off chance it would crush your wife to be told everything, just tell her about Ms. Instagram. That should be enough.

P.S. Get your ass into therapy, ASSHOLE.

I'm a 42-year-old gay man. I've been with my husband for 21 years. We met in college and, except for a six-month break, we've been together ever since. I made an open relationship a requirement at the start. While my husband had jealousy and trust issues, he hooked up with others regularly. After a few tense years, we started couples therapy. During therapy, my husband revealed that he was never in favor of the openness. After trying some new arrangements—only together, only at sex parties, DADT—he realized he wasn't comfortable with any situation. He told our therapist that every time I hooked up with someone, he was retraumatized because it reminded him of the time I broke up with him for six months 20 years ago. I agreed to a monogamous relationship, and I've gone a year without hooking up with anyone else. He seemed genuinely relieved and said he felt more secure. But almost immediately, he began talking about how he wanted to hook up with others. I'm at a loss. I feel tremendous guilt for even thinking about splitting up, so I keep hoping we'll stumble on the thing that will work for us. I don't know what to say when he says I should be monogamous to him while he gets to hook up with others. He says this would be best, since my hooking up triggers him. We are at an impasse. It sucks that we could break up over this.

Gay Marriage Having Crisis

I've written about a few gay couples—and a few straight ones—where one half gets to hook up with others while the other half doesn't. But they were cuckold couples, GMHC, and the half who didn't "get to" hook up with others didn't want to hook up with others. The cuck half of a cuckold couple gets off on their partner "cheating" on them. While people outside the relationship might perceive that as unfair—one gets to cheat, the other doesn't—what's more ideal than both halves of a couple getting just what they want?

But if an eroticized power imbalance—an honestly eroticized one—doesn't turn you on, the creepily manipulative arrangement your husband is proposing certainly isn't going to work.

Which means it's both ultimatum and bluff-calling time. So long as your husband thinks he can dictate terms by pointing to his triggers and his trauma, GMHC, he has every incentive to continue being triggered and traumatized. So with your couples therapist there to mediate, tell him your marriage is either open or closed. You're not interested in being his cuckold and he can't point to his trauma to force you into that role. You're a handsome couple—thanks for enclosing the lovely picture (sometimes it's nice to see the face of the person I'm responding to!)—with a long history together, and here's hoping things work out. But if they don't, GMHC, neither of you is going to have a problem finding a new partner. He can get himself a guy who likes being dictated to, if that's really what he wants. And you can find a guy who wants an open and egalitarian relationship, which is what you deserve.

P.S. If your therapist is taking your husband's side in this, GMHC, get a new therapist.

On the Lovecast, piss play! With the hosts of American Sex Podcast:




Tuesday, 24 April


Carl Chenet: Use Nginx Unit 1.0 with your Django project on Debian Stretch [Planet Debian]

Nginx Unit 1.0 was released on April 12, 2018. It is a new application server written by the Nginx team.

Some features are really interesting, such as:

  • Fully dynamic reconfiguration using RESTful JSON API
  • Multiple application languages and versions can run simultaneously

I was setting up a new Django project at the time and it was a great opportunity to start using Unit. Installing and configuring it has a few unexpected pitfalls.

1. Installing Nginx Unit for Django

Installing Unit is quite straightforward. I use Debian Stretch. If you have another system, have a look at the official documentation.

If you install Unit on a dedicated server using a grsecurity kernel, it won’t work. Using the kernel of your GNU/Linux distribution solves this issue.

First we need to get the key of the remote Debian Nginx repository:

# wget -q -O - | apt-key add

Next, create the /etc/apt/sources.list.d/unit.list file with the following lines:

deb stretch unit
deb-src stretch unit

Now update your list of repositories, install Nginx Unit and the module for Python 3:

# apt-get update
# apt install unit unit-python3.5

Now enable the systemd unit service (yep, confusing, poor name choice IMO) and start Nginx Unit:

# systemctl enable unit
# systemctl start unit
# systemctl status unit
 ● unit.service - NGINX Unit
 Loaded: loaded (/lib/systemd/system/unit.service; enabled; vendor preset: enabled)
 Active: active (running) since Sat 2018-04-21 16:51:31 CEST; 18h ago

2. Configure Nginx Unit

In order to configure Unit, you need to write a JSON file and send it with an HTTP PUT to the Unit control socket on your server.

Here is my JSON configuration:

{
  "listeners": {
    "": {
      "application": "myapp"
    }
  },

  "applications": {
    "myapp": {
      "type": "python",
      "processes": 5,
      "module": "myapp.wsgi",
      "user": "myapp",
      "group": "myapp",
      "path": "/home/myapp/prod/myapp"
    }
  }
}

Ok, here is a pitfall. You need to understand that Unit will use the path parameter as your application root, then try to import the module named by the module parameter relative to it. So here it means that my WSGI module (myapp.wsgi) is located in /home/myapp/prod/myapp/myapp/

Now we’re ready to inject our Unit configuration with curl:

# curl -X PUT -d @myapp.unit.json --unix-socket /var/run/control.unit.sock http://localhost/
{
  "success": "Reconfiguration done."
}

Great, now we need our good ol’ Nginx web server as a web proxy in front of Nginx Unit.

3. Install and configure Nginx with Let’s Encrypt

Let’s start by installing the Nginx webserver:

# apt install nginx

To configure Nginx, we will define an upstream (Nginx Unit) receiving the requests proxied by the Nginx web server. We also define a /static location pointing at the Django static directory.

Here is the Nginx configuration you can put in /etc/nginx/conf.d:

upstream unit_backend {
}

server {
    listen 80;
    return 301$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    access_log /var/log/nginx/;
    error_log /var/log/nginx/myapp.error.log;

    root /home/myapp/prod/myapp;

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static {
        root /home/myapp/prod/myapp;
    }

    location / {
        proxy_pass http://unit_backend;
        proxy_set_header Host $host;
    }

    location /.well-known {
        allow all;
    }
}

Before starting Nginx (stop it if it is running), we’ll get our SSL certificate from Let’s Encrypt.

# certbot certonly -d

Choose the option to spin up a temporary web server and get your certificate.

Now we’re almost ready. Start the Nginx web server:

# systemctl start nginx

4. Configure Django for production

Your Django settings file, here the one in /home/myapp/prod/myapp/myapp/, should use paths that exist on your server, e.g. you should have the following STATIC_ROOT in the settings of your app:

STATIC_ROOT = '/home/myapp/prod/myapp/static/'

Pitfall here: the root in the Nginx configuration for /static we wrote above is one level up, /home/myapp/prod/myapp, because Nginx appends the request URI (/static/...) to the root directive. Use the correct path or your static files won’t appear.

Just a last step for Django: at the root of your Django app, you need to collect the static files in the dedicated directory with the following command:

$ python3 collectstatic
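The four steps above, as an added Python example that is not the article's own code nor part of Nginx Unit: it builds the same JSON the article PUTs in section 2, checks it against both pitfalls (the module file Unit will look for under path, and the one-level-up Nginx root for /static) and against running as root, then sends it to the control socket the article uses. The listener address *:8300 is an assumption, since the article's listener address did not survive; the build_/check_/push_ function names are mine.

```python
"""Build, sanity-check and push an NGINX Unit configuration for a Django app.

Added example, not code from the article or from the Unit project. The control
socket path is the one the article uses; the listener address is an assumption.
"""
import http.client
import json
import os
import socket

CONTROL_SOCKET = "/var/run/control.unit.sock"   # from the article's curl command
ASSUMED_LISTENER = "*:8300"                       # assumption: any address:port works


def build_unit_config(app, path, module, listen=ASSUMED_LISTENER, processes=5,
                      user=None, group=None):
    """Return the same shape of JSON config the article PUTs, as a dict."""
    return {
        "listeners": {listen: {"application": app}},
        "applications": {
            app: {
                "type": "python",
                "processes": processes,
                "module": module,
                "user": user or app,     # run the app as its own unprivileged user
                "group": group or app,
                "path": path,
            }
        },
    }


def wsgi_module_file(path, module):
    """Where Unit will look for the WSGI module (pitfall 1 in the article).

    Unit inserts "path" into sys.path, so the dotted module name resolves the
    way Python always does: "myapp.wsgi" -> <path>/myapp/wsgi.py.
    """
    return os.path.join(path, *module.split(".")) + ".py"


def nginx_static_root(static_root):
    """The Nginx "root" for "location /static" (pitfall 2 in the article).

    Nginx appends the request URI to "root", so to serve Django's STATIC_ROOT
    ".../myapp/static/" under /static the root must be one level up.
    """
    return os.path.dirname(static_root.rstrip("/"))


def check_unit_config(cfg, file_exists=os.path.isfile):
    """Return a list of problems to fix before PUT-ing the config (empty = OK)."""
    problems = []
    for name, app in cfg["applications"].items():
        if app.get("user") in (None, "root") or app.get("group") in (None, "root"):
            problems.append(f"{name}: application should run as a dedicated user, not root")
        if not os.path.isabs(app["path"]):
            problems.append(f"{name}: path must be absolute")
        target = wsgi_module_file(app["path"], app["module"])
        if not file_exists(target):
            problems.append(f"{name}: module {app['module']} not found at {target}")
        if not isinstance(app.get("processes"), int) or app["processes"] < 1:
            problems.append(f"{name}: processes must be a positive integer")
    wanted = {listener["application"] for listener in cfg["listeners"].values()}
    for missing in sorted(wanted - set(cfg["applications"])):
        problems.append(f"listener refers to unknown application {missing}")
    return problems


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket (the Unit control socket)."""

    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def push_unit_config(cfg, socket_path=CONTROL_SOCKET):
    """Replace the whole config: the same request as the article's curl -X PUT."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("PUT", "/", body=json.dumps(cfg),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read().decode())
    finally:
        conn.close()


if __name__ == "__main__":
    cfg = build_unit_config("myapp", "/home/myapp/prod/myapp", "myapp.wsgi")
    issues = check_unit_config(cfg)
    if issues:
        raise SystemExit("\n".join(issues))
    print(push_unit_config(cfg))
```

Run it as root on the server (the control socket is root-owned by default); on success Unit answers with the same "Reconfiguration done." message the article shows. The checks run before anything is sent, so a wrong path or an application accidentally configured to run as root is caught locally rather than discovered in the Unit log.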


This setup runs in production. Except for the two pitfalls, it’s quite straightforward to set up. If you encounter any error, please write a comment below and I’ll fix the article.

About Me

Carl Chenet, Free Software Indie Hacker, Founder of, a job board for Free and Open Source Jobs in France.




View From a Hotel Window, 4/24/18: New York City [Whatever]

Actually more out the window, since I slipped the cell phone out the sill to get the street view. Hello, Manhattan!

Tonight: 7pm! The Strand! Come see me! Don’t let me be alone!

Tomorrow: I’m down in DC at the the Politics and Prose Wharf store. Also 7pm. Come see me in our nation’s capital! Bring everyone you know!


MPAA Chief Says Fighting Piracy Remains “Top Priority” [TorrentFreak]

After several high-profile years at the helm of the movie industry’s most powerful lobbying group, last year saw the departure of Chris Dodd from the role of Chairman and CEO at the MPAA.

The former Senator, who earned more than $3.5m a year championing the causes of the major Hollywood studios since 2011, was immediately replaced by another political heavyweight.

Charles Rivkin, who took up his new role September 5, 2017, previously served as Assistant Secretary of State for Economic and Business Affairs in the Obama administration. With an underperforming domestic box office year behind him fortunately overshadowed by massive successes globally, this week he spoke before US movie exhibitors for the first time at CinemaCon in Las Vegas.

“Globally, we hit a record high of $40.6 billion at the box office. Domestically, our $11.1 billion box office was slightly down from the 2016 record. But it exactly matched the previous high from 2015. And it was the second highest total in the past decade,” Rivkin said.


Rivkin, who spent time as President and CEO of The Jim Henson Company, told those in attendance that he shares a deep passion for the movie industry and looks forward optimistically to the future, a future in which content is secured from those who intend on sharing it for free.

“Making sure our creative works are valued and protected is one of the most important things we can do to keep that industry heartbeat strong. At the Henson Company, and WildBrain, I learned just how much intellectual property affects everyone. Our entire business model depended on our ability to license Kermit the Frog, Miss Piggy, and the Muppets and distribute them across the globe,” Rivkin said.

“I understand, on a visceral level, how important copyright is to any creative business and in particular our country’s small and medium enterprises – which are the backbone of the American economy. As Chairman and CEO of the MPAA, I guarantee you that fighting piracy in all forms remains our top priority.”

That tackling piracy is high on the MPAA’s agenda won’t come as a surprise, but at least in terms of the number of headlines plastered over the media, high-profile anti-piracy action has been somewhat lacking in recent years.

With lawsuits against torrent sites seemingly a thing of the past and a faltering Megaupload case that will conclude who-knows-when, the MPAA has taken a broader view, seeking partnerships with sometimes rival content creators and distributors, each with a shared desire to curtail illicit media.

“One of the ways that we’re already doing that is through the Alliance for Creativity and Entertainment – or ACE as we call it,” Rivkin said.

“This is a coalition of 30 leading global content creators, including the MPAA’s six member studios as well as Netflix, and Amazon. We work together as a powerful team to ensure our stories are seen as they were intended to be, and that their creators are rewarded for their hard work.”

Announced in June 2017, ACE has become a united anti-piracy powerhouse for a huge range of entertainment industry groups, encompassing the likes of CBS, HBO, BBC, Sky, Bell Canada, Hulu, Lionsgate, Foxtel and Village Roadshow, to name a few.

The coalition was announced by former MPAA Chief Chris Dodd and now, with serious financial input from all companies involved, appears to be picking its fights carefully, focusing on the growing problem of streaming piracy centered around misuse of Kodi and similar platforms.

From threatening relatively small-time producers and distributors of third-party addons and builds (1,2,3), ACE is also attempting to make its mark among the profiteers.

The group now has several lawsuits underway in the United States against people selling piracy-enabled IPTV boxes including Tickbox, Dragon Box, and during the last week, Set TV.

With these important cases pending, Rivkin offered assurances that his organization remains committed to anti-piracy enforcement and he thanked exhibitors for their efforts to prevent people quickly running away with copies of the latest releases.

“I am grateful to all of you for recognizing what is at stake, and for working with us to protect creativity, such as fighting the use of illegal camcorders in theaters,” he said.

“Protecting our creativity isn’t only a fundamental right. It’s an economic necessity, for us and all creative economies. Film and television are among the most valuable – and most impactful – exports we have.”

Thus far at least, Rivkin has a noticeably less aggressive tone on piracy than his predecessor Chris Dodd but it’s unlikely that will be mistaken for weakness among pirates, nor should it. The MPAA isn’t known for going soft on pirates and it certainly won’t be changing course anytime soon.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Switch hacked through unpatchable exploit [OSNews]

Nintendo Switch has been hacked, with two similar exploits released in the last 24 hours following a complete dump of the console's boot ROM. The hacks are hardware-based in nature and cannot be patched by Nintendo. The only way forward for the platform holder in fully securing the console will be to revise the Nvidia Tegra X1 processor itself, patching out the boot ROM bug. In the short term, homebrew code execution is possible and a full, touch-enabled version of Linux with 3D acceleration support is now available. I'm a little hesitant to try this out on my own Switch out of fear of messing it up and leaving me with a bricked console, but this is great news for the homebrew community.


Epic Responds to Cheating Fortnite Kid’s Mom in Court [TorrentFreak]

Last fall, Epic Games released Fortnite’s free-to-play “Battle Royale” game mode, generating massive interest among gamers.

This also included thousands of cheaters, many of whom were subsequently banned. Epic Games then went a step further by taking several cheaters to court for copyright infringement.

One of the alleged cheaters turned out to be a minor, who’s referred to by his initials C.R. in the Carolina District Court. Epic Games wasn’t aware of this when it filed the lawsuit, but the kid’s mother let the company know, loud and clear.

“This company is in the process of attempting to sue a 14-year-old child,” the mother informed the Court last fall.

Among other defenses, the mother highlighted that the EULA, which the game publisher relies heavily upon in the complaint, isn’t legally binding. The EULA states that minors require permission from a parent or legal guardian, which was not the case here.

“Please note parental consent was not issued to [my son] to play this free game produced by Epic Games, INC,” the mother wrote in her letter.

After this letter, things went quiet. Epic managed to locate and serve the defendant with help from a private investigator, but no official response to the complaint was filed. This eventually prompted Epic to request an entry of default.

However, US District Court Judge Malcolm Howard wouldn’t allow Epic to cruise to a win that easily. Instead, he ruled that the mother’s letter should be seen as a motion to dismiss the case.

“While it is true that defendant has not responded since proper service was effectuated, the letter from defendant’s mother detailing why this matter should be dismissed cannot be ignored,” Judge Howard wrote earlier this month.

As a result, Epic Games had to reply to the letter, which it did yesterday. In a redacted motion the game publisher argues that most of the mother’s arguments failed to state a claim and are therefore irrelevant.

Epic argues that the only issue that remains is the lack of parental consent when C.R. agreed to the EULA and the Terms. The mother argued that these are not valid agreements because her son is a minor, but Epic disagrees.

“This ‘infancy defense’ is not available to C.R,” Epic writes, pointing to jurisprudence where another court ruled that a minor can’t use the infancy defense to void contractual obligations while keeping the benefits of the same contract.

“C.R. affirmatively agreed to abide by Epic’s Terms and EULA, and ‘retained the benefits’ of the contracts he entered into with Epic. Accordingly, C.R. should not be able to ‘use the infancy defense to void [his] contractual obligations by retaining the benefits of the contract[s]’.”

Epic further argues that it’s clear that the cheater infringed on Epic’s copyrights and facilitated others to do the same. As such, the company asks the Court to deny the mother’s motion to dismiss.

If the Court agrees, Epic can request an entry of default. It did the same in a related case against another minor defendant earlier, which was granted by the Court late last week.

If that happens, the underage defendants risk a default judgment. This is likely to include a claim for monetary damages as well as an injunction prohibiting the minors from any copyright infringement or cheating in the future.

A copy of Epic Games’ redacted reply is available here (pdf).


Haiku monthly activity report, March 2018 [OSNews]

Haiku's monthly activity report for March has been out for weeks now, and it contains some interesting nuggets as the team moves closer to beta, but one stood out to me: Kalisti5 got the PowerPC build working again. It is still not possible to boot PowerPC images very far, but at least it is now possible to compile them, and our buildbots are now happily doing so. I find it interesting that there's people at Haiku still working on PowerPC support. It'd be interesting if they ever manage to support Apple PowerPC hardware, if only to offer yet another choice besides MorphOS.

Microsoft is making another Windows variant: Windows 10 Lean [OSNews]

Windows 10 Lean appears to live up to its name: an installation is about 2GB smaller than Windows 10 Pro, and it is missing a bunch of things, such as desktop wallpaper, Registry Editor, the MMC management console, and more. Lucan reports that Lean does not seem to apply the same restrictions as S Mode, and as such it is capable of running both Universal Windows Programs from the Store and traditional Win32 applications. The latest build also has some new telephony APIs, which is fueling speculation of a Surface Phone.

Baseball Code [Schneier on Security]

Info on the coded signals used by the Colorado Rockies.


Four short links: 24 April 2018 [All - O'Reilly Media]

IoT, Migrations, Prisoner's Dilemma, and Security

  1. IoT Inspector -- The Princeton University research team is digging into the traffic that IoT devices do, to identify malicious or otherwise dodgy behaviour. They want to know what IoT devices you have so they can test them. They'll release their packet capture and analysis tool as open source. (via BoingBoing)
  2. Migrations (Will Larson) -- very good explanation of how to manage migrations which are usually the only available avenue to make meaningful progress on technical debt. (via Simon Willison)
  3. Beating the Prisoner's Dilemma -- In 2013 as the semester ended in December, students in Fröhlich’s "Intermediate Programming," "Computer System Fundamentals," and "Introduction to Programming for Scientists and Engineers" classes decided to test the limits of the policy, and collectively planned to boycott the final. Because they all did, a zero was the highest score in each of the three classes, which, by the rules of Fröhlich’s curve, meant every student received an A. How did they manage to avoid defection? (If just one student sat the test, that person would get an A and everyone else fail) The students waited outside the rooms to make sure that others honored the boycott, and were poised to go in if someone [broke the pact]. No one did, though. Prisoner's Dilemma only works if the prisoners can't communicate. (via Freakonomics and Ian Miers)
  4. Computer Security: The Achilles' Heel of the Air Force? -- incredibly prescient 1979 article on the important problems of security. The stories of repeatedly improving early systems like GCOS and MULTICS are super-interesting and rich with parallels for today. A contract cannot provide security. Basically, the same GCOS system was selected for a major command and control system. Advocates assured the users that it would be made multilevel secure because security was required by the contract. An extensive tiger team evaluation found there were many deep and complex security flaws that defied practical repair—the computer was finally deemed not only insecure but insecurable.
  5. Note: The email edition of Four Short Links will be discontinued on Monday, April 30. New editions of Four Short Links will still be published every weekday at and through the Four Short Links feed. Please send questions about this change to

Continue reading Four short links: 24 April 2018.

[$] The impact of page-table isolation on I/O performance []

Ever since kernel page-table isolation (PTI) was introduced as a mitigation for the Meltdown CPU vulnerability, users have worried about how it affects the performance of their systems. Most of that concern has been directed toward its impact on computing performance, but I/O performance also matters. At the 2018 Linux Storage, Filesystem, and Memory-Management Summit, Ming Lei presented some preliminary work he has done to try to quantify how severely PTI affects block I/O operations.

Prof says he'll grade students on a curve, so they organize a boycott of the exams and all get As [Boing Boing]

Johns Hopkins Computer Science prof Professor Peter Fröhlich grades his students on a curve: the highest score on the final gets an A and everyone else is graded accordingly. (more…)


Cops shoot man, then interrupt his funeral to press his corpse's finger to his iPhone [Boing Boing]

Linus F. Phillip was 30 years old when Largo, Florida cops shot him when he drove his car away from a gas-station where he had been stopped by police. (more…)

The problem isn't that Facebook is creepy, it's that it's creepy AND HUGE [Boing Boing]

Writing in Wired, Rep David N. Cicilline [D-RI], the ranking Democrat on the House Judiciary’s Antitrust Subcommittee; and Terrell McSweeny, outgoing Democratic commissioner at the Federal Trade Commission write about the real problem with Facebook: it's a creepy, surveillant company that's also really, really big. (more…)


Today in GPF History for Tuesday, April 24, 2018 [General Protection Fault: The Comic Strip]

After Nick's "date" with Trish is a bust, he and Ki learn she's been fired...

Thanks to streaming, recording industry revenues are back up to pre-internet levels, but musicians are poorer than ever [Boing Boing]

Since the days of Napster, record labels have recruited recording artists as allies in their fight against unauthorized music services, arguing that what was good for capital was also good for labor. (more…)


Stable kernel updates []

Stable kernels 4.16.4, 4.14.36, 4.9.96, 4.4.129, and 3.18.106 have been released. All of them contain important fixes and users should update.

Security updates for Tuesday []

Security updates have been issued by Arch Linux (roundcubemail, xfig, and zsh), Debian (linux-tools), Fedora (java-1.8.0-openjdk and mingw-libid3tag), Gentoo (chromium), openSUSE (hdf5, ocaml, PackageKit, phpMyAdmin, salt, and virtualbox), Oracle (patch), Red Hat (java-1.6.0-sun, java-1.7.0-oracle, java-1.8.0-oracle, patch, and python-paramiko), Scientific Linux (patch), SUSE (kernel and PackageKit), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-azure, linux-euclid, linux-hwe, linux-gcp, linux-oem, linux-lts-xenial, linux-aws, and mysql-5.5, mysql-5.7).


It's 2018, and Google just proposed an instant messaging tool with no encryption [Boing Boing]

It's 2018, five years after Edward Snowden's documents revealed the scope of US and allied mass surveillance; after a string of revelations about creepy private-sector cyber-arms-dealers who sell spying tools to stalkers, criminals, and autocratic governments, Google has proposed "Chat," a new Android standard for instant messaging with no encryption and hence zero protection against snooping. (more…)

A handheld version of Oregon Trail! [Boing Boing]

The Oregon Trail Handheld Game is a Target exclusive at $25, but for $29.20 you can get resold/new ones with Prime -- it's a straight port of the Apple ][+ game with a specialized keypad, about the size of a G1 Gameboy. (via Red Ferret)


Link [Scripting News]

Until now podcasting has been free of lock-in. The better Google is, the worse it could be for the future of podcasting. Lots of history here.

I like w3schools [Scripting News]

I saw a thread on Twitter the other day where some developers were dissing the w3schools website. There are apparently browser plugins that block the site? I don't know why they don't like it, if given a choice to point to this page or this one, I'll generally pick the one on w3schools, because there's a chance that people who don't know Node will understand it, and might learn something, and learning imho is a universal good.

Similarly, I appreciate it when traveling if people don't make fun of the fact that I don't know where everything is in their hometown, and try to return the favor when people need help finding their way around my hometown. If I know a little bit of their language I try to throw it in -- grazie! prego! buon giorno!

I like w3schools because they tend to show you the info you need in the order you need it. Other developer docs more often show you stuff in the wrong order, and leave out details that are necessary to understanding the topic. They may work well for experienced programmers, but what's so bad about making what we do more accessible to the non-initiated?

It rather involved being on the other side of this airtight hatchway: Passing invalid parameters from kernel mode to another kernel-mode function corrupts the kernel (who knew?) [The Old New Thing]

A customer reported a vulnerability in a kernel function, let's call it kfunc.

The kernel-mode kfunc function doesn't validate any of the pointers passed to it. As a result, you can pass anything you want as the output pointer, and it will blindly try to write to it. If you pass null, you will crash the kernel. Or if you pass a pointer to memory you want to corrupt, you can corrupt an arbitrary 4-byte value.

Maybe I can find a way to pass an invalid parameter from user space all the way down to the kfunc function.

Please contact us soon regarding this issue!

Okay, first things first. In the first paragraph, there is no elevation. The kernel-mode kfunc function is callable only from kernel mode. The caller is in kernel mode, and it is tricking a kernel mode function into writing to an arbitrary memory location. But so what? The caller could just save itself the trouble of using kfunc as the middle man and just corrupt the memory directly. In other words, instead of

void attack_the_kfunc()
{
    kfunc(crazy_pointer_value); /* hand kfunc the bogus output pointer; it writes through it blindly */
}

you can just do

void attack_the_kfunc()
{
    *crazy_pointer_value = 42;
}

This is even more powerful, because not only do you get to corrupt the memory at crazy_pointer_value, you even get to pick what value to corrupt it with!

Now, if there were a way to call the kfunc function with parameters controlled by user mode, then you would be onto something.

Which leads us to the next paragraph, which boils down to "Maybe there is a way to call the kfunc function with parameters controlled by user mode." In other words, the second paragraph says, "Maybe I can find a vulnerability."

Yeah, maybe you can find a vulnerability. Let us know if you do.

But so far, you haven't found a vulnerability. All you've said is "Maybe there is somebody who is doing a bad thing."

"Industrial paper-cutting machines are dangerous and expensive. We keep the paper-cutting machine in a special room, and only people who have gone through training are allowed in the room. Maybe there is a way to get somebody who has access to the special room to put an unauthorized object in the paper-cutting machine and damage it."

Yeah, maybe. If you find such a person, let us know. Because they're in a lot of trouble.
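To make the boundary the post is drawing concrete, here is an added example modelled entirely in user space; it is not code from the post and not Windows kernel code. Two arrays, kernel_region and user_region, stand in for the two address spaces; kfunc is the post's trusting kernel routine; syscall_unchecked and syscall_checked are hypothetical system-call entry points. The first is what an actual vulnerability would look like, because a pointer chosen by user mode reaches kfunc unvalidated, while the second applies the ProbeForWrite-style range check that a kernel owes its callers at that boundary. Every name and the memory layout are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the original post. This is a user-space model:
 * two buffers stand in for kernel and user memory, kfunc() is the post's
 * unvalidating kernel routine, and the two syscall_* functions are
 * hypothetical entry points that pass a user-supplied pointer down to it. */

#define REGION_WORDS 16

/* Simulated address space (assumption): one region of "kernel" memory,
 * one region of "user" memory. */
static uint32_t kernel_region[REGION_WORDS];
static uint32_t user_region[REGION_WORDS];

/* The kfunc of the post: no validation, writes 4 bytes wherever it is told
 * to. Acceptable for a kernel-internal routine whose callers are already
 * trusted kernel code; the trust boundary is the caller's problem. */
static void kfunc(uint32_t *out)
{
    *out = 0xC0DE;
}

/* Is [p, p + 4) entirely inside the simulated user region, 4-byte aligned,
 * with no wrap-around? This plays the role of ProbeForWrite-style
 * validation at the user/kernel boundary. */
static bool is_user_writable(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)user_region;
    uintptr_t hi = lo + sizeof user_region;
    uintptr_t end = a + sizeof(uint32_t);

    if (end < a)                       /* address arithmetic wrapped */
        return false;
    if (a % sizeof(uint32_t) != 0)     /* misaligned */
        return false;
    return a >= lo && end <= hi;
}

/* Hypothetical entry point that would be a real vulnerability: user mode
 * picks the pointer and it reaches kfunc unchecked. Returns 0 ("success"). */
static int syscall_unchecked(uint32_t *user_supplied)
{
    kfunc(user_supplied);
    return 0;
}

/* The same entry point with the boundary check. Returns -1 (think EFAULT)
 * without touching memory when the pointer is not in user space. */
static int syscall_checked(uint32_t *user_supplied)
{
    if (!is_user_writable(user_supplied))
        return -1;
    kfunc(user_supplied);
    return 0;
}

/* Demonstration: "user mode" asks an entry point to write into kernel
 * memory. Returns true if the kernel region survived untouched. */
static bool demo(bool use_checked)
{
    memset(kernel_region, 0, sizeof kernel_region);
    uint32_t *target = &kernel_region[3];   /* attacker-chosen pointer */
    int rc = use_checked ? syscall_checked(target) : syscall_unchecked(target);
    (void)rc;
    return kernel_region[3] == 0;
}

int main(void)
{
    printf("unchecked entry: kernel memory intact? %s\n", demo(false) ? "yes" : "no");
    printf("checked entry:   kernel memory intact? %s\n", demo(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is where the check lives: kfunc itself is unchanged in both paths, because a kernel-internal routine cannot usefully second-guess kernel callers. Only the entry point that accepts a parameter from a less trusted domain has something to validate, and that entry point, not kfunc, is where a report would need to show a missing check.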

Gorgeous, betentacled machined sculpture from Chris Bathgate: the BU 622411311751 [Boing Boing]

Machinist/sculptor Chris Bathgate (previously) is taking a break from small fidget toys and has returned to large format work with the BU 622411311751, which has a distinctly cthuloid/tentacly aspect. (more…)

ISO rejects the NSA's IoT crypto standard, believing it to be backdoored [Boing Boing]

For three years, International Standards Organization has been wrangling over which cryptographic algorithms will be incorporated into a standard for interoperability in "Internet of Things" gadgets; at issue has been the NSA's insistence that "Simon" and "Speck" would be the standard block cipher algorithms in these devices. (more…)


[$] Filesystem metadata memory management []

It is a good thing that strong coffee was served at the 2018 Linux Storage, Filesystem, and Memory-Management Summit; full awareness was required from the first session, in which Josef Bacik discussed some issues that have arisen in the interaction between filesystems and the memory-management subsystem. Filesystems cache a lot of data from files, but also a lot of metadata about those files. It turns out, though, that management of the cached metadata does not work as well as one might like.

Glitch and River5 [Scripting News]

TL;DR -- We're seeing if it's possible to run River5 on Glitch.

Update #2 -- the current demo server has been configured to write all of River5's data into a folder named .data -- this folder is supposed to persist across launches. The proof will be if the server is still updating in 12 hours, i.e. 2:30AM Eastern time.

Update #1 -- maybe there is a way forward. They do something special with a folder named .data -- and luckily River5 can be told to maintain its data anywhere you like through config.json. We may be back in business here. See the thread for details.

Notes from earlier in the day follow...

Yesterday I posted a link to a River5 server running on Glitch, the result of a braintrust query earlier in the day. This was significant because Glitch is easy to get started with for people new to running servers, a good thing, and it's free. Seeing it run River5 was great. Alas, when I came back an hour later, the server had lost its memory of previous stories and had started over. You can see this by watching the dashboard page on the server.

I found a doc that explains its technical limits, notably:

Projects sleep after 5 minutes if they are not used, and those running for more than 12 hours are stopped. Both wake again when they receive a HTTP request.

This is similar to what happens on Heroku with free projects. So I tried what had worked for Heroku: I wrote a script that runs on my desktop and reads a fast page on the server once a minute. According to their warning, that should keep the server running.

River5 keeps the data about the feeds it's following and the stories it has seen in the local filesystem. That filesystem is recreated from scratch when the server is shut down and then restarted. So, even with a keep-alive script, it will lose its memory after 12 hours.

However this paragraph seems to contradict that conclusion --

Projects have a limit of 128MB of space on the container. Though things written to '/tmp' don't count towards that, nor do your Node modules, and we use compression to squeeze the most out of that space. Plus, there's an additional 512MB of assets storage space too.

I'm guessing they have an API for this? Not sure. River5 just keeps JSON files in the filesystem. It uses the Node fs package to read and write.


Olivier Berger: Added docker container to my org-teaching framework to ease org-mode exports [Planet Debian]

I’ve improved the org-teaching framework a bit in order to prepare for the next edition of the CSC4101 classes.

I’ve now added a docker container which is in charge of performing the HTML or PDF exports of the slides (using org-reveal) or handbooks (using LaTeX).

Emacs and org-mode are still advised for editing contents, but having this container in the loop ensures that colleagues are able to preview changes to the teaching material, and I’m no longer a bottleneck for generating the handouts. It also makes the export reproducible, independent of my Emacs config tweaks.

I’ve also added Gitlab pages to the project’s CI so that the docs are updated live at

It’s probably not yet ready for use by anyone else, but I’d be glad to get feedback 😉

The Big Idea: Bryan Camp [Whatever]

Luck is a thing that often happens (provided, of course, everything else falls into place). It happens enough that it caused Bryan Camp to consider its fundamental nature for The City of Lost Fortunes — in no small part because of the luck he’s had in his own life, and what it’s meant to him.


In the handful of days before Hurricane Katrina made landfall, when it was still a relatively weak storm in the lower half of the Gulf that was supposedly headed for Texas, I spent my time—when I wasn’t in class or working my usual shifts at a restaurant—packing up everything I owned and loading it into my truck. If you’re not familiar with hurricane evacuations, this isn’t normal preparedness.

Because there’s a “cone of uncertainty” about where a storm might actually go, you often spend a week watching satellite imagery and projected paths before it’s clear that any given storm will actually threaten your home. Usually, you’ve only got a day, maybe two, between making the decision to leave (if you’ve got the means) and needing to be on the road. Since you might be within that cone of uncertainty as many as four or five times in a given hurricane season, people don’t tend to pack up their whole lives every time. Most people here keep a single box of all their “absolutely must not lose this” paperwork to bring with them, along with valuables, pets, a few changes of clothing, and maybe a few precious pictures taken off the wall.

I don’t imagine a single person evacuates without realizing they’ve left something behind that they wished they hadn’t forgotten. But I had every single possession I owned carefully boxed and labeled, ready to go a full day before the storm even started to strengthen. I didn’t have some prescient warning about the danger the storm posed, nor am I an overly cautious person by nature who does this for every storm. In truth, I was barely aware of Katrina until it started to get suddenly, scarily strong.

So why, then, did I pack up everything I owned? Because I was broke. That weekend, I just so happened to be moving out of the house I shared with a few friends and back in with my folks to save rent money.

Blind, dumb luck, in other words.

My life has been full of those kinds of moments. Missing an author’s reading and, instead, lucking into a date with the woman I would one day marry. Switching jobs right before a round of layoffs. A font size mishap forcing me to submit one story instead of another. Lucky break after lucky break that starts to look like destiny, like this is the trajectory my life is “supposed” to be on.

Because they’re two sides of the same coin, aren’t they? A flat tire is bad luck, but a flat tire that avoids a car accident is all part of the plan. I thought about this relationship a lot after the storm and in the years that followed, as I wrote and rewrote this novel about the life and death of a Fortune god. Yes, it’s a murder mystery, and yes, it’s about loss and recovery and finding oneself in the wake of tragedy, but the question at the core of this book is whether we live in a chaotic world of blind luck, or whether all that seeming randomness comes together as part of some grand design, if it all happens for a reason.

The easy answer, of course, is that it’s impossible to know for sure. The deeper, harder to swallow conclusion that I came to, though, is that luck or destiny or fortune or whatever you want to call it, is both real, and is a non-renewable resource. It’s not just wealth and it’s not just privilege, though those things are certainly tied up in all this. For many, it’s both of those and even more besides. The simple, maddening, unfair truth of life is that it’s just straight up easier for some people.

In that little anecdote about my pre-Katrina stroke of good fortune, for example, I was able to pack up all my possessions on my own without it impacting my work or my studies because, in part, I am able-bodied. I had the support of my middle-class family to fall back on when rent became burdensome. We had the means to evacuate, which many here did not and still do not, and the means to return once the storm passed, while some life-long residents of New Orleans will never come home. I was, and am, lucky.

When the good things in your life look like luck to you, it’s relatively easy to spread that good fortune around. But one doesn’t need to look very hard at this world to find examples of those who see their excess of fortune as predestined. They turn a blind eye to all the ways the machinery of the world is greased in their favor, and look only to the results. “Look,” they say, “at all the blessings the universe has bestowed on me. Surely this is mine because I deserve it.”

Enter Trickster.

Trickster stories are my favorite fables and myths, not because they depict figures really worth emulating, but because Tricksters perform a very specific, necessary task in the wider world: they upset the balance. They trip up the mighty and, as the once overly-fortunate tumble down from that lofty perch, steal a little of that good luck for themselves and others (usually for themselves, but hey, nobody’s perfect).  

And so I look at this world of ours, with a very few people hoarding so much of the easy living that it makes life just that much harder for the rest of us, and I long for Trickster. Someone who can show the ones who believe that destiny has granted them dominion over the Earth that, no, mostly they’re just lucky.

Because I’ve had a little taste of what good fortune is really like, and I’m here to tell you folks, it really is better to be lucky than good.


The City of Lost Fortunes: Amazon|Barnes & Noble|Indiebound|Powell’s

Read an excerpt. Visit the author’s site. Follow him on Twitter.


The Intertwingularity is near: When humans transcend print media [All - O'Reilly Media]

Both reproducible science and open source are necessary for collaboration at scale—the nexus for that intermingling is Jupyter.

(Apologies to Ray Kurzweil for the title puns)

Recent one-day events showcased the Jupyter community in Boston and Atlanta, with another Jupyter Pop-up event coming on May 15 in Washington, D.C. At the same time, Project Jupyter has been in the news. We’re finding overlap between the themes explored at these community events and recent articles written about Jupyter. That overlap, in turn, illustrates the kinds of dialog that we’re looking forward to at JupyterCon this August.

In the news, notably, there was the James Somers article, “The Scientific Paper Is Obsolete”, in The Atlantic, and a subsequent piece, “Jupyter, Mathematica, and the Future of the Research Paper”, by Paul Romer, former chief economist at the World Bank. Both articles compare and contrast Wolfram Research’s Mathematica and Project Jupyter. On the surface these two approaches both implement notebooks, with excellent examples coming from both communities. However, Paul Romer nailed the contrast between them with a one-liner: “The tie-breaker is social, not technical. The more I learn about the open source community, the more I trust its members.”

Under the surface, the parallels end. Mathematica, which came first, is a popular commercial software product. Jupyter is an open standard for a suite of network protocols that support remote execution environments—plus a spectrum of open source software projects that build extensible environments atop, such as JupyterLab, JupyterHub, Binder, etc. Organizations leverage Jupyter as a foundation for shared data infrastructure at scale. Organizational challenges emerge along with those implementations at scale: collaboration, discovery, security, compliance, privacy, ethics, provenance, etc. Through this open, community-centered approach, we get open standards, open source implementations, and open discussions about best practices for shared concerns.

For common threads between the two, James Somers’ distillation is subtle: “Software is a dynamic medium; paper isn’t.” It’s been 27 years since the public debut of the World Wide Web, though we’re still barely scratching the surface of what that invention made possible. Frankly, an overwhelming amount of “digital paper” persists on the web. While the promise of WWW implies dynamic, interactive media shared across global infrastructure, questions linger about how best to make it happen. Some of those questions have also been in the news recently.

Rolling the clock back a few decades further, one gem on my bookshelf is Computer Lib/Dream Machines, by Ted Nelson, first published in 1974. Nelson explored hypertext, which he’d been working to implement since 1963—though, arguably, that notion traces back to Vannevar Bush and Jorge Luis Borges in the 1940s. To capture the essence of hypertext, Computer Lib also introduced the concept of "intertwingularity": complex interrelations within human knowledge. Nelson’s vision had documents representing the world’s knowledge, documents which could interact and intermingle. Borges prefigured a poetic glimpse of this in his 1941 short story, El jardín de senderos que se bifurcan: the legend of Ts’ui Pên constructing an infinite labyrinth, in which all would lose their way, along with a WWII espionage drama unfolding around that legend.

Out of the many neologisms and one-liners that have attempted to describe Jupyter, intertwingularity nails it. One may “perform science” by authoring a research paper in a journal. That’s science with a lowercase “s,” on paper or something approximating it, merely navigating a single corner of Ts’ui Pên’s labyrinth. Ted Nelson’s vision, however, had documents interacting, intermingling. The practice of reproducible science, which is rapidly unfolding around Jupyter, also relies on documents interacting and intermingling. That opens the door to software as a dynamic medium, "Science" with an uppercase “S.” Not merely a library of “digital paper,” but an entirely new way of collaborating, extending our understanding. Potentially as a map through the entire labyrinth.

Reproducible science via Jupyter finds immediate applications in many places. Certainly there are the “hard sciences”: at JupyterCon, we’ll have session talks ranging across astrophysics, quantum chemistry, genomics, geospatial analysis, climatology, and scientific computing in general. During the Jupyter Day Atlanta event, one excellent example was “Classification and Characterization of Metal Powder in Additive Manufacturing using Convolutional Neural Networks,” by Anna Smith from CMU.

Beyond research, reproducible science is vital for any organization that depends on analysis—and that forms Jupyter’s direct link to data science. During the Jupyter Pop-up Boston event, Dave Stuart presented “Citizen Data Science campaign,” about an open source project called nbgallery, which thousands of DoD analysts use to discover and share Jupyter notebooks. While some teams have computational needs in common, they may not be allowed to share data. Similar data privacy concerns are encountered in finance, health care, social media, etc. The DoD project provides a fascinating approach to discovery (search, recommendations) for interactive content in highly regulated enterprise environments.

In Atlanta, two industry use cases addressed similar needs: Peter Parente from Valassis Digital with “Give a Little Bit of Your Notebooks to Me”—also about sharing and discovering notebook content across an enterprise organization—and John Patanian from General Electric with “Achieving Reproducible and Deployable Data Science Workflows,” about using templates for reproducible workflows.

Similar efforts are changing the classroom. In Boston, we had Allen Downey, Taylor Martin, and Doug Blank join the “Jupyter in Education” panel. In particular, reproducible science via Jupyter notebooks helps instructors manage the scaffolding needed to make course materials more engaging, more immediately hands-on, to give learners confidence and direct experience. Ryan Cooper from UConn presented “Flipping the classroom with Jupyter and GitHub” as a case study for this. In Atlanta, Carol Willing guided us through several excellent examples in “STEAM Workshops with Binder and JupyterHub.”

At a higher level of abstraction, reproducible science has an impact on computer science. In Boston, David Koop and Colin Brown from UMassD presented “Supporting Reproducibility in Jupyter through Dataflows.” Also, see a related project called Nodebook at Stitch Fix by Kevin Zielnicki. By default, cells in a Jupyter Notebook run from top to bottom—although, a person needs to “Run All” to be sure that results are correct. The Dataflows and Nodebook projects track inputs and outputs for each cell so that notebooks can be guaranteed to “rerun” successfully. The UMassD project also allows for rearranging cell order: for example, while you may need a long list of Python imports to initialize a notebook, why not move that cell to the end, so that the initial part of a notebook can jump directly into core code? On the one hand, that supports better scaffolding. On the other hand, these projects represent Jupyter Notebooks as dependency graphs, with pre- and post-conditions for each cell. That’s only a few steps away from Petri nets and other automata used for formal analysis of computer programs, concurrency, business process, reliability engineering, security audits, etc. An imaginable next step could be to leverage machine learning to start generating unit tests—and for code gen in general.

Here’s an intertwingled idea that weaves together most of the above. Generations of modern science have brought us to a point where reproducible science becomes a priority. Collaboration at a global scale can’t proceed further without it. Meanwhile, open source software, since roughly 1998, has similarly evolved to support collaboration at a global scale, leading to standard practices such as versioning (e.g., git), testing, documentation, pull requests, etc. Most of those practices support reusability. Adding some DevOps, continuous integration/continuous deployment is the software analogy for reproducible science.

We’re at a point where those two cultures, science and open source, have much to learn from each other. Science must learn to reuse and improve common software tools, while software must embrace reproducible science. Both are necessary for collaboration at scale. The nexus for that intermingling is Jupyter, where (and when) humans move beyond using digital mimics of print media to take better advantage of what software and collaboration promise in the long term.

Join us at Jupyter Pop-up D.C. on Tuesday, May 15, 2018, at the GWU Marvin Center, from 9:00 a.m. to 5:00 p.m. We’ll have a mix of talks from government, industry, and education about Jupyter, along with a lot of opportunities for networking. It’s a great preview for what’s to come at JupyterCon, August 21-24, 2018, in New York City.

Continue reading The Intertwingularity is near: When humans transcend print media.

The Big Balls of… [The Daily WTF]

The dependency graph of your application can provide a lot of insight into how objects call each other. In a well designed application, this is probably mostly acyclic and no one node on the graph...

Computer Alarm that Triggers When Lid Is Opened [Schneier on Security]

"Do Not Disturb" is a Macintosh app that sends an alert when the lid is opened. The idea is to detect computer tampering.

Wired article:

Do Not Disturb goes a step further than just the push notification. Using the Do Not Disturb iOS app, a notified user can send themselves a picture snapped with the laptop's webcam to catch the perpetrator in the act, or they can shut down the computer remotely. The app can also be configured to take more custom actions like sending an email, recording screen activity, and keeping logs of commands executed on the machine.

Can someone please make one of these for Windows?


Japan ISP Says it Will Voluntarily Block Pirate Sites as Major Portal Disappears [TorrentFreak]

Speaking at a news conference during March, Japan’s Chief Cabinet Secretary Yoshihide Suga said that the government was considering measures to prohibit access to pirate sites. The country’s manga and anime industries were treasures worth protecting, Suga said.

“The damage is getting worse. We are considering the possibilities of all measures including site blocking. I would like to take countermeasures as soon as possible under the cooperation of the relevant ministries and agencies,” he added.

But with no specific legislation that allows for site-blocking, particularly not on copyright infringement grounds, it appeared that Japan might face an uphill struggle. Indeed, the country’s constitution supports freedom of speech and expressly forbids censorship. Earlier this month, however, matters quickly began to progress.

On Friday April 13, the government said it would introduce an emergency measure to target websites hosting pirated manga, anime and other types of content. It would not force ISPs to comply with its blocking requests but would simply ask for their assistance instead.

The aim was to establish cooperation in advance of an expansion of legislation later this year which was originally introduced to tackle the menace of child pornography.

“Our country’s content industry could be denied a future if manga artists and other creators are robbed of proceeds that should go to them,” said Prime Minister Shinzo Abe.

The government didn’t have to wait long for a response. The Nippon Telegraph and Telephone Corp. (NTT) announced yesterday that it will begin blocking access to sites that provide unauthorized access to copyrighted content.

“We have taken short-term emergency measures until legal systems on site-blocking are implemented,” NTT said in a statement.

NTT Communications Corp., NTT Docomo Inc. and NTT Plala Inc., will block access to three sites previously identified by the government – Mangamura, AniTube! and MioMio which have a particularly large following in Japan.

NTT said that it will also restrict access to other sites if requested to do so by the government. The company added that at least in the short-term, it will prevent access to the sites using DNS blocking.

While Anitube and MioMio will be blocked in due course, Mangamura has already disappeared from the Internet. The site was reportedly attracting 100 million visits per month but on April 17 went offline following an apparent voluntary shutdown by its administrators.

AnimeNewsNetwork notes that a news program on NHK dedicated to Mangamura aired last Wednesday. A second episode will reportedly focus on the site’s administrators which NHK claims can be traced back to the United States, Ukraine, and other regions. Whether this exposé played a part in the site’s closure is unclear but that kind of publicity is rarely welcome in the piracy scene.

To date, just three sites have been named by the government as particularly problematic but it’s now promising to set up a consultation on a further response. A bill will also be submitted to parliament to target sites that promote links to content hosted elsewhere, an activity which is not illegal under current law.

Two other major access providers in Japan, KDDI Corp. and SoftBank Corp., have told local media that their plans to block pirate sites have not yet been finalized.

“The fact that neglecting the situation of infringement of copyright etc. cannot be overlooked is recognized and it is recognized as an important problem to be addressed urgently,” Softbank said in a statement.

“However, since there is concern that blocking infringes secrecy of communications, we need careful discussion. We would like to collaborate with industry organizations involved in telecommunications and consider measures that can be taken from various viewpoints, such as laws, institutions, and operation methods.”

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Reproducible builds folks: Reproducible Builds: Weekly report #156 [Planet Debian]

Here’s what happened in the Reproducible Builds effort between Sunday April 15 and Saturday April 21 2018:

  • Holger Levsen announced the preliminary results of our poll for our logo, which were subsequently verified by Chris Lamb. The winner was “#6”, shown above.

  • Chris Lamb will present at foss-north 2018 on Monday April 23rd in Gothenburg, Sweden to speak about diffoscope, our in-depth “diff-on-steroids” to analyse reproducible issues in packages. He will then be keynoting at FLOSSUK 2018 in Edinburgh, Scotland on April 26th to speak about reproducible builds more generally.

  • Jan Bundesmann, Reiner Herrmann and Holger Levsen wrote an article about Reproducible Builds titled Aus der Schablone (“From the template”) for the May issue of the German “iX” magazine.

  • Holger Levsen began a discussion with the Debian System Administrators regarding redirecting this blog in the future away from the (deprecated) Alioth service. Chris Lamb subsequently started on the migration work.

Packages reviewed and fixed, and bugs filed

In addition, Chris Lamb’s patch to the Freeland VPN client was merged upstream and build failure bugs were reported by Adrian Bunk (48), Paul Gevers (5) and Rafael Laboissière (1).

A large number of changes were made to our Jenkins-based testing framework, including:

Reviews of unreproducible packages

43 package reviews have been added, 49 have been updated and 97 have been removed in this week, adding to our knowledge about identified issues.

One new issue was added by Chris Lamb: build_path_in_index_files_generated_by_qdoc. In addition, three issue types were removed (random_ispell_hash_files, randomness_in_python_setuptools_pkg_info & timestamps_in_documentation_generated_by_asciidoctora) and one was updated (timestamp_in_pear_registry_files).


This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Reproducible builds folks: Reproducible Builds: Weekly report #155 [Planet Debian]

Here’s what happened in the Reproducible Builds effort between Sunday April 8 and Saturday April 14 2018:

Patches filed

In addition, 38 build failure bugs were reported by Adrian Bunk.

strip-nondeterminism development

Version 0.041-1 was uploaded to unstable by Chris Lamb.

Mattia Rizzolo made a large number of changes to our Jenkins-based testing framework, including:


This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb and Holger Levsen & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Entrepreneurship is not a job [Seth Godin's Blog on marketing, tribes and respect]

You don't apply. You don't get a salary. No one picks you.

Bragging about how much money you've raised or what your valuation is a form of job thinking.

Entrepreneurship is a chance to trade a solution to someone who has a problem that needs solving.

Solve more problems, solve bigger problems, solve problems more widely and you're an entrepreneur.

It's tempting to industrialize this work, to make it something with rules and bosses and processes. But that's not the heart of it.

The work is to solve problems in a way that you're proud of.



Uncle Batman's Vengeance Juice [Diesel Sweeties webcomic by rstevens]

sleep is dumb

I have used my science and found the connection between Batman and coffee.


Eagle Week Continues [QC RSS]

I will be at Calgary Expo this week! Table BMO 417! You should come say hi!


so this happened (one in an ongoing series) [WIL WHEATON dot NET]

Since last week, I’ve been working on the season finale of The Big Bang Theory, and today we shot Amy and Sheldon’s wedding. It was an incredible day, and I […]


Holger Levsen: 20180423-technohippieparadise [Planet Debian]

Trouble in techno hippie paradise

So I'm in some 'jungle' in Brasil, enjoying a good time with some friends whom another friend jokingly labeled as cryptohippies, enjoying the silence, nature, good food, some cats & dogs and 3g internet. Life is good here.

And then we decided to watch "Stare into the lights my pretties" and while it is a very good and insightful movie, it's also disturbing to see just how much we, as human societies, have changed ourselves mindlessly (or rather, out of our own minds) in very recent history.

Even though I'm not a smartphone user myself, and seemingly aware and critical of many changes happening in the last two decades, the movie was still eye-opening to me. Now if there only weren't 100 distractions per day I would maybe be able to build up on this. Or maybe I need to watch it every week, though this wouldn't work either, as the movie explains so well...

The movie also reminded me why I dislike being cc:ed on email so much (unless urgent and when I'm subscribed to the list being posted to). Because usually during the day I (try to) ignore list mails, but I do check my personal inboxes. And if someone cc:s me, this breaks my line of thought. So it seems I still need to get better at ignoring stuff, even if something is pushed to me. Maybe especially then. (And hints for good .procmail rules for this much appreciated.)

Another interesting point: while the number of people addicted to nicotine has been going down globally lately, the number of network addicts has outnumbered those by far now. And yet the long term effects of being online almost 24/365 have not yet been researched at all. The cigarette companies claimed that most doctors smoke. The IT industry claims it's normal to be online. What's your wakeup2smartphone time? Do you check email every day?

This movie also made me wonder what Debian's role will, can and should be in this future. (And where of course I don't only mean Debian, but free software, free societies, in general.)

So, this movie brings up many questions. (And nicely explains why people rather don't like that.) So go watch this movie! You will be touched, think and check your email/smartphone afterwards.

(And finally, of course it's ironic that the movie is on youtube. And so I learned that to download subtitles you need to tell youtube-dl so, and it's easiest by using --all-subs. And btw, youtube-dl-gui needs help with running with python3 and thus with getting into Debian.)


[$] A successful defense against a copyright troll []

At the 2018 Legal and Licensing Workshop (LLW), which is a yearly gathering of lawyers and technical folks organized by the Free Software Foundation Europe (FSFE), attendees got more details on a recent hearing in a German GPL enforcement case. Marcus von Welser is a lawyer who represented the defendant, Geniatech, in a case that was brought by Patrick McHardy. In the presentation, von Welser was joined by Armijn Hemel, who helped Geniatech in its compliance efforts. The hearing was of interest for a number of reasons, not least because McHardy withdrew his request for an injunction once it became clear that the judge was leaning in favor of the defendants—effectively stopping this case dead in its tracks.

Colorado Senate Republicans introduce legislation to fire, imprison striking teachers [Boing Boing]

SB18-264 -- AKA the Prohibit Public School Teacher Strikes Bill -- was introduced by Colorado Senator Bob Gardner [R-12/303-866-4880/@senbobgardner] and Representative Paul Lundeen [R-19/303-866-2924/@paul_lundeen]; it allows school districts to seek court injunctions banning public school teachers from striking, so that they can be held in contempt should they withdraw their labor, and be imprisoned for contempt.

Monday, 23 April


Benjamin Mako Hill: Is English Wikipedia’s ‘rise and decline’ typical? [Planet Debian]

This graph shows the number of people contributing to Wikipedia over time:

The Rise and Decline of Wikipedia
The number of active Wikipedia contributors exploded, suddenly stalled, and then began gradually declining. (Figure taken from Halfaker et al. 2013)

The figure comes from “The Rise and Decline of an Open Collaboration System,” a well-known 2013 paper that argued that Wikipedia’s transition from rapid growth to slow decline in 2007 was driven by an increase in quality control systems. Although many people have treated the paper’s finding as representative of broader patterns in online communities, Wikipedia is a very unusual community in many respects. Do other online communities follow Wikipedia’s pattern of rise and decline? Does increased use of quality control systems coincide with community decline elsewhere?

In a paper that my student Nathan TeBlunthuis is presenting Thursday morning at the Association for Computing Machinery (ACM) Conference on Human Factors in Computing Systems (CHI),  a group of us have replicated and extended the 2013 paper’s analysis in 769 other large wikis. We find that the dynamics observed in Wikipedia are a strikingly good description of the average Wikia wiki. They appear to reoccur again and again in many communities.

The original “Rise and Decline” paper (we’ll abbreviate it “RAD”) was written by Aaron Halfaker, R. Stuart Geiger, Jonathan T. Morgan, and John Riedl. They analyzed data from English Wikipedia and found that Wikipedia’s transition from rise to decline was accompanied by increasing rates of newcomer rejection as well as the growth of bots and algorithmic quality control tools. They also showed that newcomers whose contributions were rejected were less likely to continue editing and that community policies and norms became more difficult to change over time, especially for newer editors.

Our paper, just published in the CHI 2018 proceedings, replicates most of RAD’s analysis on a dataset of 769 of the  largest wikis from Wikia that were active between 2002 to 2010.  We find that RAD’s findings generalize to this large and diverse sample of communities.

We can walk you through some of the key findings. First, the growth trajectory of the average wiki in our sample is similar to that of English Wikipedia. As shown in the figure below, an initial period of growth stabilizes and leads to decline several years later.

Rise and Decline on Wikia
The average Wikia wiki also experiences a period of growth followed by stabilization and decline (from TeBlunthuis, Shaw, and Hill 2018).

We also found that newcomers on Wikia wikis were reverted more and continued editing less. As on Wikipedia, the two processes were related. Similar to RAD, we also found that newer editors were more likely to have their contributions to the “project namespace” (where policy pages are located) undone as wikis got older. Indeed, the specific estimates from our statistical models are very similar to RAD’s for most of these findings!

There were some parts of the RAD analysis that we couldn’t reproduce in our context. For example, there are not enough bots or algorithmic editing tools in Wikia to support statistical claims about their effects on newcomers.

At the same time, we were able to do some things that the RAD authors could not.  Most importantly, our findings discount some Wikipedia-specific explanations for a rise and decline. For example, English Wikipedia’s decline coincided with the rise of Facebook, smartphones, and other social media platforms. In theory, any of these factors could have caused the decline. Because the wikis in our sample experienced rises and declines at similar points in their life-cycle but at different points in time, the rise and decline findings we report seem unlikely to be caused by underlying temporal trends.

The big communities we study seem to have consistent “life cycles” where stabilization and/or decay follows an initial period of growth. The fact that the same kinds of patterns happen on English Wikipedia and other online groups implies a more general set of social dynamics at work that we do not think existing research (including ours) explains in a satisfying way. What drives the rise and decline of communities more generally? Our findings make it clear that this is a big, important question that deserves more attention.

We hope you’ll read the paper and get in touch by commenting on this post or emailing Nate if you’d like to learn or talk more. The paper is available online and has been published under an open access license. If you really want to get into the weeds of the analysis, we will soon publish all the data and code necessary to reproduce our work in a repository on the Harvard Dataverse.

Nate TeBlunthuis will be presenting the project this week at CHI in Montréal on Thursday April 26 at 9am in room 517D.  For those of you not familiar with CHI, it is the top venue for Human-Computer Interaction. All CHI submissions go through double-blind peer review and the papers that make it into the proceedings are considered published (same as journal articles in most other scientific fields). Please feel free to cite our paper and send it around to your friends!

This blog post, and the open access paper that it describes, is a collaborative project with Aaron Shaw, that was led by Nate TeBlunthuis. A version of this blog post was originally posted on the Community Data Science Collective blog. Financial support came from the US National Science Foundation (grants IIS-1617129,  IIS-1617468, and GRFP-2016220885 ), Northwestern University, the Center for Advanced Study in the Behavioral Sciences at Stanford University, and the University of Washington. This project was completed using the Hyak high performance computing cluster at the University of Washington.

Link [Scripting News]

New header graphic, a distinctive white plant I spotted in a planter on Arlington Ave in Berkeley in (let's say) 2007. The previous header was a springtime picture of Kim of North Korea and Xi of China.

Link [Scripting News]

I would think that given the hype about blockchain that by now there would at least be a demo of something interesting to an average person.

The fifth age of Macintosh: what happens if Apple dumps Intel? [OSNews]

Regardless, the Fifth Age of the Macintosh is at hand. We just don’t know what form it’ll take. The first age began with the original 1984 Mac. The second age was marked by maturity and stability of the environment that came with Mac System Software 6 in 1988. 2001’s OS X did nothing less than save the entire platform. And when Apple finally figured out notebooks - around 2006-2008, with the introductions of the MacBook Pro and the MacBook Air - the company brought the sexy back to the Mac. Which brings us to Five. The next major step could be a revolutionary spin on the Mac that goes way beyond merely keeping pace with modern computing and makes the Mac into an influential platform once more. We can even dare to hope that by building its own CPUs, consolidating the Mac’s hardware design further, and incorporating iPad manufacturing methods, Apple can finally produce a great Mac that sells for way under $900. Or, it could be equally significant as The Last Version Of MacOS That Apple Ever Ships. I have a distinct feeling - and I've had that feeling for years now - that something big is about to happen to the Mac. I do not believe that the Mac as we know it today will be around for much longer; what form it will take, exactly, is up for debate, but I wouldn't be surprised to see the platform slowly but surely move towards ARM, probably from the bottom (MacBook Air) to the top (Mac Pro). MacOS and iOS aren't going to become unified in the sense they're the same on an iPhone and a Mac, but they will run the exact same applications, just with different UIs depending on the input method (and screen size) used. The upcoming Mac Pro might very well be the last traditional x86 Apple workstation.

Why I left Mac for Windows: Apple has given up [OSNews]

If you ask anyone who knows me, I'm probably the biggest Apple fan they know. Ask for a suggestion of what computer to get, and I'll almost certainly either tell you the MacBook Pro, or to wait, because Apple is about to update its hardware finally. But recently, I realized I'd gotten tired of Apple's attitude toward the desktop. The progress in macOS land has basically been dead since Yosemite, two years ago, and Apple's updates to the platform have been incredibly small. I'm a developer, and it seems to me Apple doesn't pay any attention to its software or care about the hundreds of thousands of developers that have embraced the Mac as their go-to platform. Something's obviously afoot in Mac land.

Transcription Service Leaked Medical Records [Krebs on Security]

MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records — apparently for thousands of physicians.

On Friday, KrebsOnSecurity learned that the portion of MEDantex’s site which was supposed to be a password-protected portal physicians could use to upload audio-recorded notes about their patients was instead completely open to the Internet.

What’s more, numerous online tools intended for use by MEDantex employees were exposed to anyone with a Web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name. No authentication was required to access any of these pages.

This exposed administrative page from MEDantex’s site granted anyone complete access to physician files, as well as the ability to add and delete authorized users.

Several MEDantex portal pages left exposed to the Web suggest that the company recently was the victim of WhiteRose, a strain of ransomware that encrypts a victim’s files unless and until a ransom demand is paid — usually in the form of some virtual currency such as bitcoin.

Contacted by KrebsOnSecurity, MEDantex founder and chief executive Sreeram Pydah confirmed that the Wichita, Kansas-based transcription firm recently rebuilt its online servers after suffering a ransomware infestation. Pydah said the MEDantex portal was taken down for nearly two weeks, and that it appears the glitch exposing patient records to the Web was somehow incorporated into that rebuild.

“There was some ransomware injection [into the site], and we rebuilt it,” Pydah said, just minutes before disabling the portal (which remains down as of this publication). “I don’t know how they left the documents in the open like that. We’re going to take the site down and try to figure out how this happened.”

It’s unclear exactly how many patient records were left exposed on MEDantex’s site. But one of the main exposed directories was named “/documents/userdoc,” and it included more than 2,300 physicians listed alphabetically by first initial and last name. Drilling down into each of these directories revealed a varying number of patient records — displayed and downloadable as Microsoft Word documents and/or raw audio files.
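The failure described above is the one most worth checking for after any rebuild: sensitive paths that answer without a credential challenge, and directories that serve a server-generated index. The following is an added example, not MEDantex's code or KrebsOnSecurity's. It classifies the response a site gives an unauthenticated client; `/documents/userdoc/` is the directory named in the article, the other path names, the portal hostname and the sample responses are assumptions made up for the illustration. `audit()` takes an injectable fetch function so the check runs offline here; `urllib_fetch()` does real requests and deliberately does not follow redirects, so a bounce to a login page shows up as such.

```python
"""Check which sensitive portal paths answer without a credential challenge.

Added example; not MEDantex's code nor KrebsOnSecurity's. Only
/documents/userdoc/ comes from the article; the other paths are assumed.
"""
import re
import urllib.error
import urllib.request

# Paths an unauthenticated client should never be able to read.
SENSITIVE_PATHS = ["/documents/userdoc/", "/admin/users", "/admin/search"]

# Markers of a server-generated directory index (Apache, nginx autoindex, ...).
_INDEX_TITLE = re.compile(r"<title>\s*Index of /", re.I)
_PARENT_LINK = re.compile(r'<a href="\.\./?">', re.I)
_LOGIN_URL = re.compile(r"login|signin|sso|auth", re.I)


def classify_response(status, headers, body):
    """Map one unauthenticated response to a verdict.

    'auth-required'  challenged (401/407/WWW-Authenticate) or bounced to a login URL
    'closed'         403 or 404
    'open-listing'   200 carrying an auto-generated directory index
    'open'           200 with other content (needs a human look)
    'redirect'/'other' anything else
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (401, 407) or "www-authenticate" in lower:
        return "auth-required"
    if status in (301, 302, 303, 307, 308):
        return "auth-required" if _LOGIN_URL.search(lower.get("location", "")) else "redirect"
    if status in (403, 404):
        return "closed"
    if status == 200:
        return "open-listing" if (_INDEX_TITLE.search(body) or _PARENT_LINK.search(body)) else "open"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def urllib_fetch(url):
    """Fetch `url` with no credentials; returns (status, headers, body_text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "portal-audit/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(65536).decode("utf-8", "replace")


def audit(base_url, paths=SENSITIVE_PATHS, fetch=urllib_fetch):
    """Return {path: verdict} for every path, fetched without credentials."""
    results = {}
    for path in paths:
        status, headers, body = fetch(base_url.rstrip("/") + path)
        results[path] = classify_response(status, headers, body)
    return results


def findings(results):
    """Paths whose verdict starts with 'open' are the ones to escalate."""
    return sorted(p for p, v in results.items() if v.startswith("open"))


# Constructed responses standing in for a live server (sample data, not real).
SAMPLE_RESPONSES = {
    "/documents/userdoc/": (200, {"Content-Type": "text/html"},
        "<html><head><title>Index of /documents/userdoc/</title></head>"
        '<body><a href="../">Parent Directory</a> <a href="A_Smith/">A_Smith/</a></body></html>'),
    "/admin/users": (200, {"Content-Type": "text/html"},
        "<html><body><form method=post>Add user <input name=user></form></body></html>"),
    "/admin/search": (302, {"Location": "/login?next=/admin/search"}, ""),
}


def sample_fetch(url):
    """Offline stand-in for urllib_fetch that answers from SAMPLE_RESPONSES."""
    path = url[url.index("/", len("https://")):]
    return SAMPLE_RESPONSES.get(path, (404, {}, "Not Found"))


if __name__ == "__main__":
    res = audit("https://portal.example.test", fetch=sample_fetch)
    for path, verdict in res.items():
        print(f"{verdict:14} {path}")
    print("findings:", findings(res))
```

Run it with `fetch=urllib_fetch` against your own portal after any rebuild; an `open-listing` verdict means the web server is still generating directory indexes, and an `open` verdict on an administrative path is exactly the condition the article describes.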

Although many of the exposed documents appear to be quite recent, some of the records dated as far back as 2007. It’s also unclear how long the data was accessible, but this Google cache of the MEDantex physician portal seems to indicate it was wide open on April 10, 2018.

The clients listed on MEDantex’s site include New York University Medical Center; San Francisco Multi-Specialty Medical Group; Jackson Hospital in Montgomery Ala.; Allen County Hospital in Iola, Kan; Green Clinic Surgical Hospital in Ruston, La.; Trillium Specialty Hospital in Mesa and Sun City, Ariz.; Cooper University Hospital in Camden, N.J.; Sunrise Medical Group in Miami; the Wichita Clinic in Wichita, Kan.; the Kansas Spine Center; the Kansas Orthopedic Center; and Foundation Surgical Hospitals nationwide. MEDantex’s site states these are just some of the healthcare organizations partnering with the company for transcription services.

Unfortunately, the incident at MEDantex is far from an anomaly. A study of data breaches released this month by Verizon Enterprise found that nearly a quarter of all breaches documented by the company in 2017 involved healthcare organizations.

Verizon says ransomware attacks account for 85 percent of all malware in healthcare breaches last year, and that healthcare is the only industry in which the threat from the inside is greater than that from outside.

“Human error is a major contributor to those stats,” the report concluded.

Source: Verizon Business 2018 Data Breach Investigations Report.

According to a story at BleepingComputer, a security news and help forum that specializes in covering ransomware outbreaks, WhiteRose was first spotted about a month ago. BleepingComputer founder Lawrence Abrams says it’s not clear how this ransomware is being distributed, but that reports indicate it is being manually installed by hacking into Remote Desktop services.
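Manual installation over Remote Desktop usually leaves a clear trail before the ransomware runs: a burst of failed RDP logons from one address, then a success. The following detection is an added example, not code from KrebsOnSecurity or BleepingComputer. The input lines are a constructed, simplified rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP); the addresses, account names, five-failure threshold and 60-second window are all assumptions for the illustration.

```python
"""Flag RDP password guessing followed by a successful interactive logon.

Added example; input is a constructed, simplified rendering of Windows
Security events 4625/4624 (logon type 10 = RDP). Not from the reports.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, event id, logon type, account, source address.
SAMPLE_LOG = """\
2018-04-20T02:14:01Z 4625 10 Administrator 203.0.113.7
2018-04-20T02:14:03Z 4625 10 Administrator 203.0.113.7
2018-04-20T02:14:04Z 4625 10 admin 203.0.113.7
2018-04-20T02:14:06Z 4625 10 backup 203.0.113.7
2018-04-20T02:14:09Z 4625 10 Administrator 203.0.113.7
2018-04-20T02:14:11Z 4625 10 transcribe 203.0.113.7
2018-04-20T02:15:40Z 4624 10 transcribe 203.0.113.7
2018-04-20T08:03:22Z 4625 10 jsmith 198.51.100.4
2018-04-20T08:03:50Z 4624 10 jsmith 198.51.100.4
2018-04-20T09:00:00Z 4624 2 jsmith 192.0.2.10
"""


def parse_line(line):
    """Split one sample line into its fields."""
    ts, event_id, logon_type, account, source = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "source": source,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one finding per offending source address.

    A source is flagged 'bruteforce' once it has `threshold` RDP failures
    inside a sliding `window`; the finding becomes 'bruteforce_success' if
    an RDP logon from that source succeeds afterwards. Lines are assumed to
    be in time order; non-RDP logon types are ignored.
    """
    recent = defaultdict(deque)   # source -> times of recent failures
    tried = defaultdict(set)      # source -> account names attempted
    findings = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != 10:
            continue
        src = ev["source"]
        if ev["event"] == 4625:
            tried[src].add(ev["account"])
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in findings:
                findings[src] = {
                    "source": src,
                    "verdict": "bruteforce",
                    "first_failure": q[0],
                    "accounts": tried[src],
                }
        elif ev["event"] == 4624 and src in findings:
            f = findings[src]
            f["verdict"] = "bruteforce_success"
            f["logged_in_as"] = ev["account"]
            f["success_at"] = ev["time"]
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f["verdict"], f["source"], sorted(f["accounts"]), f.get("logged_in_as"))
```

On the sample, the single finding is the address that cycled through four account names and then logged in as `transcribe`; the one-off failure from the second address and the console logon (type 2) are ignored. On real data the same logic sits naturally behind an alert that disables the account and blocks the source, and it is a reminder that a portal reachable over RDP from the Internet should sit behind a VPN or gateway with multi-factor authentication.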

Fortunately for WhiteRose victims, this particular strain of ransomware is decryptable without the need to pay the ransom.

“The good news is this ransomware appears to be decryptable by Michael Gillespie,” Abrams wrote. “So if you become infected with WhiteRose, do not pay the ransom, and instead post a request for help in our WhiteRose Support & Help topic.”

Ransomware victims may also be able to find assistance in unlocking data without paying from

KrebsOnSecurity would like to thank India-based cybersecurity startup Banbreach for the heads up about this incident.

View From a Hotel Window, 4/23/18: St. Louis [Whatever]

Inspiring, no? I’m in a hotel where the window looks out to the interior, and also to a wall. But you know what? The room’s nice enough, and that’s fine.

Tonight: I am at the St. Louis County Library! Everything starts at 7pm! Come on down, Missouri! I want to see all of you.

Tomorrow: I am in New York City, at the venerable Strand Bookstore, also at 7pm. It will be my first time ever doing an event there. I am very excited about that.


IoT Inspector: Princeton releases a tool to snoop on home IoT devices and figure out what they're doing [Boing Boing]

IoT Inspector is a new tool from Princeton's computer science department; it snoops on the traffic from home IoT devices and performs analysis to determine who they phone home to, whether they use encryption, and what kinds of data they may be leaking.
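The two questions in that description, who a device talks to and whether the connection is encrypted, can be answered passively from the first bytes a device sends. The following is an added example in the spirit of the tool, not the Princeton code: it pulls the destination name out of a TLS ClientHello's SNI extension (which also tells you the connection is TLS) or out of a plaintext HTTP Host header, and summarises per device. The flows, MAC addresses, IPs and hostnames are constructed sample data; `build_client_hello` exists only to fabricate a realistic handshake for the sample.

```python
"""Report what each home device talks to and whether the traffic is encrypted.

Added example, not the IoT Inspector code. Flows are constructed samples:
device MAC, destination ip:port and the first bytes the device sent.
"""
import struct


def build_client_hello(server_name):
    """Fabricate a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    host = server_name.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(host)) + host            # name_type host_name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0
    body = (b"\x03\x03" + bytes(32)                                 # version, random (zeroed)
            + b"\x00"                                               # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                    # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if not found."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # record type / handshake type
            return None
        p = 9 + 2 + 32                                      # headers, version, random
        p += 1 + payload[p]                                 # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
        p += 1 + payload[p]                                 # compression methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:   # list length(2), name_type(1), name length(2), name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def extract_http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not head or head[0].split(b" ")[0] not in (b"GET", b"POST", b"PUT", b"HEAD"):
        return None
    for line in head[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def classify_flow(flow):
    """(destination name, encrypted) with encrypted=None when undetermined."""
    sni = extract_sni(flow["payload"])
    if sni:
        return sni, True
    host = extract_http_host(flow["payload"])
    if host:
        return host, False
    return flow["dst"], None


def summarize(flows):
    """Map each device to a sorted list of distinct (destination, encrypted) pairs."""
    seen = {}
    for flow in flows:
        seen.setdefault(flow["device"], set()).add(classify_flow(flow))
    return {dev: sorted(pairs, key=lambda t: t[0]) for dev, pairs in seen.items()}


# Constructed sample flows (MACs, addresses and names are made up).
SAMPLE_FLOWS = [
    {"device": "aa:bb:cc:00:00:01", "dst": "93.184.216.34", "port": 443,
     "payload": build_client_hello("cam-upload.example.net")},
    {"device": "aa:bb:cc:00:00:01", "dst": "198.51.100.20", "port": 80,
     "payload": b"GET /fw/latest.bin HTTP/1.1\r\nHost: firmware.example.net\r\n\r\n"},
    {"device": "aa:bb:cc:00:00:02", "dst": "203.0.113.9", "port": 1883,
     "payload": b"\x10\x1a\x00\x04MQTT\x04\x02\x00\x3c"},   # MQTT CONNECT, not TLS
]

if __name__ == "__main__":
    for dev, pairs in summarize(SAMPLE_FLOWS).items():
        for dest, enc in pairs:
            print(dev, dest, {True: "TLS", False: "plaintext", None: "unknown"}[enc])
```

The third flow shows the limit of this approach: a protocol that is neither TLS nor HTTP yields only the raw destination address and an "unknown" encryption verdict, which in practice means the device deserves a closer look rather than a clean bill.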


The Humble Book Bundle: Learn to Play Music by Wiley! He’s... [Humble Bundle Blog]

The Humble Book Bundle: Learn to Play Music by Wiley! 

He’s a music man. 🥁🎺 Or he will be, once he picks up this bundle! Get Pro Tools All-in-One For Dummies, Logic Pro X For Dummies, Ukulele Exercises, Music Theory for Dummies, and more ebooks from Wiley.


Court Denies TVAddons’ Request to Dismiss U.S. Piracy Lawsuit [TorrentFreak]

Last year, American satellite and broadcast provider Dish Network targeted two well-known players in the third-party Kodi add-on ecosystem.

In a complaint filed in a federal court in Texas, add-on ZemTV and the TVAddons library were accused of copyright infringement. As a result, both are facing up to $150,000 in damages for each offense.

While the case was filed in Texas, neither of the defendants live there, or even in the United States. The owner and operator of TVAddons is Adam Lackman, who resides in Montreal, Canada. ZemTV’s developer Shahjahan Durrani is even further away in London, UK.

According to the legal team of the two defendants, this limited connection to Texas is reason for the case to be dismissed. They filed a motion to dismiss in January, asking the court to drop the case.

“Lackman and Durrani have never been residents or citizens of Texas; they have never owned property in Texas; they have never voted in Texas; they have never personally visited Texas; they have never directed any business activity of any kind to anyone in Texas […] and they have never earned income in Texas,” the motion reads.

Dish saw things differently, however. The broadcast provider replied to the motion, submitting hundreds of pages of evidence documenting TVAddons and ZemTV’s ties to the United States.

Among other things, Dish pointed the court towards TVAddons own data, which showed that most of its users came from the United States. More than one-third of the total user base were American, it argued.

“The United States was Defendants’ largest market with approximately 34% of all TV Addons traffic coming from users located in the United States, which was three times the traffic from the second largest market.”

Late last week, District Court Judge Vanessa Gilmore ruled on both defendants’ motion to dismiss, denying it.


At the time of writing, there is no additional information available as to how Judge Gilmore reached her decision. However, it is clear that the case will now move forward.

This lawsuit is one of several related to Kodi-powered pirate streaming boxes. While TVAddons and ZemTV didn’t sell any fully loaded boxes directly, Dish argues that they both played a significant role in making copyright-infringing content available.

Earlier this year, the manufacturer of the streaming device DragonBox was sued in a separate case by Netflix, Amazon and several major Hollywood studios.

A few days ago Dragon Media denied all piracy allegations in the complaint, but the lawsuit remains ongoing. The same is true for a related case against Tickbox, another Kodi-powered box manufacturer.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.


Russia is Banning Telegram [Schneier on Security]

Russia has banned the secure messaging app Telegram. It's making an absolute mess of the ban -- blocking 16 million IP addresses, many belonging to the Amazon and Google clouds -- and it's not even clear that it's working. But, more importantly, I'm not convinced Telegram is secure in the first place.

Such a weird story. If you want secure messaging, use Signal. If you're concerned that having Signal on your phone will itself arouse suspicion, use WhatsApp.


Vetter: Linux Kernel Maintainer Statistics []

Daniel Vetter looks at some kernel-development statistics, with a focus on patches written by the maintainers who commit them. "Naively extrapolating the relative trend predicts that around the year 2025 large numbers of kernel maintainers will do nothing else than be the bottleneck, preventing everyone else from getting their work merged and not contributing anything of their own. The kernel community imploding under its own bureaucratic weight being the likely outcome of that. This is a huge contrast to the 'everything is getting better, bigger, and the kernel community is very healthy' fanfare touted at keynotes and the yearly kernel report. In my opinion, the kernel community is very much not looking like it is coping with its growth well and an overall healthy community."


News Post: Comet Inducing [Penny Arcade]

Tycho: I’m good on comet shit, thanks. I’m in a position to know what the margins are like on enthusiast media properties, and so I know that it’s incumbent on them to beat the shit out of whatever is getting views, but it’s led to a state of affairs where the stats are functionally writing the content and it looks it. The only upside I can think of is that maybe the algorithm is sentient and is consciously manipulating humanity toward some end we can’t project. That’s how far out I have to get to validate this reality. Nintendo Labo dominated our…

Link [Scripting News]

Braintrust query: Tom Critchlow wants to run River5 on Glitch. Has anyone had any success with this?

Link [Scripting News]

What has become of Anthony Hopkins??

MIT has developed a 'system for dream control' [OSNews]

There is a borderland between waking life and the uncharted wilderness of sleep that we all traverse each night, but we rarely stop to marvel at the strangeness of this liminal world. If we do, we find that it is full of hallucinations both wonderful and terrifying, a mental goulash of reality and fantasy. Usually we pass through this state of half-wakefulness on our way to deep sleep within minutes. We may experience microdreams during the transition, but the content of these microdreams appears to be random and we usually don't have any memory of them when we wake. A team of researchers led by MIT doctoral candidate Adam Horowitz wants to change that. Horowitz and his colleagues at the MIT Media Lab have developed a relatively simple device called Dormio to interface with this unique stage of sleep. Their hypothesis is that this liminal period between wakefulness and sleep is a fount of creativity that is usually lost in the ocean of sleep. The thinking is that if you’re able to descend into that stage of sleep and return to consciousness without descending deeper into sleep, you will benefit from the intensely associative thinking that characterizes the strange microdreams experienced during the transition to sleep. There's so much we don't know about sleeping, dreaming, and the brain as a whole, that I'd be quite nervous about using devices like these before we have a better understanding of our brain. Still, if it works, this is quite cool.

Bringing Objective-C to the Amiga [OSNews]

After porting ObjFW (and at the same time Objective-C) to MorphOS and starting to port it to AmigaOS 4, I thought: It's nice to have Objective-C on a modern Amiga-like operating system. But what if we could have it on the real thing? And thus, I ported it to AmigaOS 3 today. These are cool developments for the Amiga world.


Kickstarting a playable version of the CIA's previously secret training card-game [Boing Boing]

When Freedom of Information Act enthusiast Douglas Palmer used public records requests to explore the games that the CIA uses to train its analysts, he laid the groundwork for republishing these games for general use.

The used cars that Europe sends to Nigeria are filled with illegal, toxic e-waste [Boing Boing]

EU and Nigerian law both ban the export of e-waste to Nigeria, but a new study jointly authored by scholars from UN University and the Basel Convention Coordinating Centre for Africa found that exported used cars represent a smuggler's bonanza for the illegal dumping of toxic waste.


Page 39 [Flipside]

Page 39 is done.

[$] Rewiring x86 system-call dispatch []

Each kernel development cycle includes a vast number of changes that are not intended to change visible behavior and which, as a result, go unnoticed by most users and developers. One such change in 4.17 is a rewiring of how system-call implementations are invoked within the kernel. The change is interesting, though, and provides an opportunity to look at the macro magic that handles system-call definitions.

Link [Scripting News]

A new kind of software I want to do. Starting with Node.js on the server and JavaScript in the browser as the foundation, ship sample apps or code examples that solve common problems with a neat simple API. We did this inside Frontier for many years, so there's plenty of prior art. The first one is a simple feed reading API. It takes the URL of a feed and calls back with either an error, or a JavaScript object containing the content of the feed, in a standard form, flattening the differences between the formats. Your code doesn't care. It also handles charset encoding. It's as simple as it can be. Now there's no excuse for not adding a feed reading capability to your Node app.

Today in GPF History for Monday, April 23, 2018 [General Protection Fault: The Comic Strip]

How do you spell "desperate"? How about Dexter taking dating advice from Fred...


French Minister of Culture Calls For Pirate Streaming Blacklist [TorrentFreak]

Nearly a decade ago, France was on the anti-piracy enforcement frontline.

The country was the first to introduce a graduated response system, Hadopi, where Internet subscribers risked losing their Internet connections if they were caught sharing torrents repeatedly.

Today this approach is no longer as effective as it once was. The bulk of online piracy has moved from P2P downloading to streaming, and unlike BitTorrent swarms, which expose the IP address of everyone sharing a file, streaming sites leave anti-piracy watchdogs no such trail back to individual viewers.

This hasn’t gone unnoticed by the French Government, Minister of Culture Françoise Nyssen in particular, who highlighted the issue to reporters a few days ago.

“The Hadopi response is no longer suitable because piracy is now 80% by streaming,” she said, quoted by local media.

While Hadopi may have outgrown its usefulness, France is not giving up the piracy fight. On the contrary, the country is now pondering new measures to target the current epidemic of pirate streaming sites.

Nyssen hopes that local authorities will implement a national pirate site blocklist to address the problem. Ideally, this should be constantly updated to ensure that pirate streaming sites remain inaccessible.

The Minister told reporters that France must “act on the sites,” by implementing “a blacklist which is constantly updated to keep them offline”.

This list would be maintained by the Hadopi agency which can then circulate it among several online intermediaries. This can include Internet providers, but also search engines and advertising networks.

The tough language will be music to the ears of the film industry and the timing doesn’t appear to be a total coincidence either.

The comments from the French Minister of Culture come shortly after several film industry groups boycotted a reception at the ministry. According to the groups, France dropped the ball on enforcement against piracy, which is blamed for more than a billion euros in losses.

The renewed promise may calm the waters for a while, but for now, it’s little more than that. It will likely take time before an effective pirate site blacklist is established, if it gets that far.


Security updates for Monday []

Security updates have been issued by Debian (gunicorn, libreoffice, libsdl2-image, ruby1.8, and ruby1.9.1), Fedora (java-1.8.0-openjdk, jgraphx, memcached, nghttp2, perl, perl-Module-CoreList, and roundcubemail), Gentoo (clamav, librelp, mbedtls, quagga, tenshi, and unadf), Mageia (freeplane, libcdio, libtiff, thunderbird, and zsh), openSUSE (cfitsio, chromium, mbedtls, and nextcloud), and Red Hat (chromium-browser, kernel, and rh-perl524-perl).

Link [Scripting News]

Without a strong tech press we can't have open formats and protocols, because the big tech companies will just usurp them, monetize them, squeeze all the juice out of them, and leave what remains to rot. We don't have journalism today that watches and reports on the power grabs of the tech industry. That's why it's so easy to expose corruption. It's lying around in the open for all to see. But if you look deeper you'll see how it all connects. No reporter has yet had the will or the requisite technology background to do it.

Link [Scripting News]

I got a confusing email this morning from Flickr, saying I'd have to migrate my site to SmugMug by May 25, or download and delete my site. Then I read their FAQ that said I would only be agreeing to new terms and privacy policy. In 2014 I wrote a post saying someday Flickr will die. Today is not that day, but it certainly raises the question again. I don't know much about SmugMug. Not the greatest name ever. Might want to just call it Flickr, a better-known name that has been on shaky ground for a long time. Saying it's part of SmugMug now probably doesn't do much to add confidence. Just sayin.

The BBC finally admits that MI5 secretly vetted its employees, an open secret for generations [Boing Boing]

My wife -- whose father is a TV director who'd worked for the BBC -- learned as a little girl that the British spy agency MI5 secretly vetted people who applied for work at the BBC and denoted possible subversives by putting a doodle of a Christmas tree on their personnel files; people who were thus blacklisted were discriminated against within the Beeb.

Strange and maddening rules [Joel on Software]

There’s this popular idea among developers that when you face a problem with code, you should get out a rubber duck and explain, to the duck, exactly how your code was supposed to work, line by line, what you expected to see, what you saw instead, etc. Developers who try this report that the very act of explaining the problem in detail to an inanimate object often helps them find the solution.

[Image: Stack Overflow April Fools Joke 2018]

This is one of many tricks to solving programming problems on your own. Another trick is divide and conquer debugging. You can’t study a thousand lines of code to find the one bug. But you can divide them in half and quickly figure out if the problem happens in the first half or the second half. Keep doing this five or six times and you’ll pinpoint the single line of code with the problem.

It’s interesting, with this in mind, to read Jon Skeet’s checklist for writing the perfect question. One of the questions Jon asks is “Have you read the whole question to yourself carefully, to make sure it makes sense and contains enough information for someone coming to it without any of the context that you already know?” That is essentially the Rubber Duck Test. Another question is “If your question includes code, have you written it as a short but complete program?” Emphasis on the short—that is essentially a test of whether or not you tried divide and conquer.

What Jon’s checklist can do, in the best of worlds, is to help people try the things that experienced programmers may have already tried, before they ask for help.

Sadly, not everybody finds his checklist. Maybe they found it and they don’t care. They’re having an urgent problem with code; they heard that Stack Overflow could help them; and they don’t have time to read some nerd’s complicated protocol for requesting help.

One of the frequent debates about Stack Overflow is whether the site needs to be open to questions from programming novices.

When Jeff and I were talking about the initial design of Stack Overflow, I told him about this popular Usenet group for the C programming language in the 1980s. It was called comp.lang.c.

C is a simple and limited programming language. You can get a C compiler that fits in 100K. So, when you make a discussion group about C, you quickly run out of things to talk about.

Also. In the 1990s, C was a common language for undergraduates who were learning programming. And, in fact, said undergraduates would have very basic problems in C. And they might show up on comp.lang.c asking their questions.

And the old-timers on comp.lang.c were bored. So bored. Bored of the undergraduates showing up every September wondering why they can’t return a local char array from a function et cetera, et cetera, ad nauseam. Every damn September.

The old timers invented the concept of FAQs. They used them to say “please don’t ask things that have been asked before, ever, in the history of Usenet” which honestly meant that the only questions they really wanted to see were so bizarre and so esoteric that they were really enormously boring to 99% of working C programmers. The newsgroup languished because it catered only to the few people that had been there for a decade.

Jeff and I talked about this. What did we think of newbie questions?

We decided that newbies had to be welcome. Nothing was too “beginner” to be a reasonable question on Stack Overflow… as long as you did some homework before asking the question.

We understood that this might mean that some of the more advanced people might grow bored with duplicate, simple questions, and move on. We thought that was fine: Stack Overflow doesn’t have to be a lifetime commitment. You’re welcome to get bored and move on if you think that the newbies keep asking why they can’t return local char arrays (“but it works for me!”) and you would rather devote the remaining short years of your life to something more productive, like sorting your record albums.

The mere fact that you are a newbie doesn’t mean that your question doesn’t belong on Stack Overflow. To prove the point, I asked “How do you move the turtle in Logo,” hoping to leave behind evidence that the site designers wanted to allow absolute beginners.

Thanks to the law of unintended consequences, this caused a lot of brouhaha, but not because the question was too easy. The real problem there was that I was asking the question in bad faith. Jeff Atwood explained it: “Simple is fine. No effort and research is not.” (Also this.)

To novices, the long bureaucratic rigmarole associated with asking your first question on Stack Overflow can feel either completely unnecessary, or just plain weird. It’s like Burning Man. You just want to go to a nice glittery dance party in the desert, but the Burning People are yammering on about their goddamn 10 principles, and “radical self-expression” and so on and so forth, and therefore after washing your dishes you must carefully save the dirty dishwater like a cherished relic and remove every drop of it from the Playa, bringing it home with you, in your check-in luggage if necessary. Every community has lots of rules and when you join the community they either seem strange and delightful or, if you’re just desperately trying to get some code to work, they are strange and maddening.

A lot of the rules that are important to make Burning Man successful are seemingly arbitrary, but they’re still necessary. The US Bureau of Land Management which makes the desert available for Burning Man requires that no contaminated water be poured out on the ground because the clay dirt doesn’t really absorb it so well and it can introduce all kinds of disease and whatnot, but who cares because Burning Man simply will not be allowed to continue if the participants don’t pack out their used water.

Similarly for Stack Overflow. We don’t allow, say, questions that are too broad (“How do I make a program?”). Our general rule is that if the correct length of an answer is a whole book you are asking too much. These questions feel like showing up on a medical website and saying something like “I think my kidney has been hurting. How can I remove it?” It’s crazy—and incidentally, insulting to the people who spent ten years in training learning to be surgeons.

One thing I’m very concerned about, as we try to educate the next generation of developers, and, importantly, get more diversity and inclusiveness in that new generation, is what obstacles we’re putting up for people as they try to learn programming. In many ways Stack Overflow’s specific rules for what is permitted and what is not are obstacles, but an even bigger problem is rudeness, snark, or condescension that newcomers often see.

I care a lot about this. Being a developer gives you an unparalleled opportunity to write the script for the future. All the flak that Stack Overflow throws in the face of newbies trying to become developers is actively harmful to people, to society, and to Stack Overflow itself, by driving away potential future contributors. And programming is hard enough; we should see our mission as making it easier.

We’re planning a lot of work in this area for the next year. We can’t change everybody and we can’t force people to be nice. But I think we can improve some aspects of the Stack Overflow user interface to encourage better behavior, for example, we could improve the prompts we provide on the “Ask Question” page, and we could provide more tools for community moderation of comments where the snark currently runs unchecked.

We’re also working on new features that will let you direct your questions to a private, smaller group of people on your own team, which may bring some of the friendly neighborhood feel to the big city of Stack Overflow.

Even as we try to make Stack Overflow more friendly, our primary consideration at Stack Overflow has been to build the world’s greatest resource for software developers. The average programmer, in the world, has been helped by Stack Overflow 340 times. That’s the real end-game here. There are other resources for learning to program and getting help, but there’s only one site in the world that developers trust this much, and that is worth preserving—the programming equivalent to the Library of Congress.


The early history of redundant function pointer casts: MakeProcInstance [The Old New Thing]

If you look through old code, you see a lot of redundant function pointer casts. (If you're writing new code, you should get rid of as many function pointer casts as possible, because a function pointer cast is a bug waiting to happen.) Why does old code have so many redundant function pointer casts?

Because back in the old days, they weren't redundant.

In the days of 16-bit Windows, function prologues were required to take very specific forms in order to make stack walking work, and stack walking was necessary in order to simulate an MMU on a CPU that didn't have one.

Another rule for prologues has to do with state management. The full prologue for a far function looks like this:

    mov     ax, ds          ; copy the instance handle (ds) to ax
    nop                     ; pad the patchable prefix to three bytes
    inc     bp              ; mark this as a far frame
    push    bp
    mov     bp, sp          ; build the bp chain
    push    ds              ; save the original ds
    mov     ds, ax          ; set ds from ax

Before we can dig into those instructions, we need to know a bit about how code segments worked in real-mode 16-bit Windows. In real-mode 16-bit Windows, there was a single address space for all applications because the CPU had no concept of per-process address spaces. The kernel simulated separate address spaces by managing instances. The instance (represented by an instance handle) specified the location of the data segment the code should operate on. If you have two copies of a program running, the code is shared, but each program has its own data. The instance handle tells you where that data is.

And the instance handle is kept in the ds register.

Therefore, it is essential that every function have its ds register set to the instance handle that describes where the code should find its data. You can think of it as a "global this pointer for the process."

Okay, so let's look at the function prologue again. First, it copies ds to ax via a two-byte mov ax, ds instruction. Then there is a nop. This pads the prologue size to three bytes.

The next four instructions build the stack frame: The inc bp marks the stack frame as a far frame. The push bp and mov bp, sp build the bp chain. And the push ds saves the original ds register, which also provides breathing room for return address patching.

And then we move ax back into ds. The instance handle just took a little tour of the ax register and then returned back home. What was the point of that?

Recall that in 16-bit Windows, every far function called from another segment was listed in the module's Entry Table.

When a far function is placed in the exported function table, the loader patches the first three bytes of the function to three nop instructions. Non-exported functions remain unchanged. This means that non-exported functions do the redundant ds rigamarole. It's a little extra work, but it's ultimately harmless.

The effect of patching out the initial mov ax, ds is that the function ends up doing this:

  • Build a far stack frame, which includes saving the original ds.
  • Set ds to whatever was passed in the ax register.

The second step means that the code, when it executes, operates on the data associated with the handle passed in the ax register.

Okay, great, but this means that you can't call an exported function directly, because it will set the ds register to whatever value is passed in the ax register. Since the ax register is not part of the calling convention, its value is garbage.

But that's okay. We made things worse so we can make them better.

The MakeProcInstance function creates a stub function that loads the ax register with the instance handle you provide, and then jumps to the function you provide. Really. That's all it did. (When you're done, you call FreeProcInstance to free the memory back to the system.)

This stub function was known as a procedure instance thunk, or a proc instance for short. Hence the name MakeProcInstance.

Okay, finally the punch line. The MakeProcInstance function didn't care what kind of function pointer you passed it. Whatever you passed in, it returned the same kind of pointer back out, because all the stub did was twiddle the ax register and then jump to the real function. The parameters on the stack didn't change, the cleanup convention didn't change, nothing else changed.

The MakeProcInstance function was declared as returning a FARPROC, which is a typedef for a far function that takes no parameters and returns nothing. The parameters and return value are irrelevant; it just had to be something.

But what this means is that when you take your function, like a window enumeration callback, and create a procedure instance for it, the thing you get back has been type-erased to a generic function pointer. To make it useful again, you need to cast it back to what it was originally.

For example, if what you passed was a WNDENUMPROC, then you need to cast the procedure instance back to a WNDENUMPROC. If you passed a TIMERPROC, then you need to cast the procedure instance back to a TIMERPROC. You could anachronistically express this as

    template<typename R, typename ...Args>
    auto MakeProcInstanceT(R (FAR *func)(Args...), HINSTANCE inst)
    {
      // Erase to FARPROC for the call, then restore the original pointer type.
      return (decltype(func))MakeProcInstance((FARPROC)func, inst);
    }

Of course, you didn't have this fancy template deduction in 1983-era C, so you had to cast the return value manually.

And that brings us to today. Even though MakeProcInstance has been obsolete for decades, some people imprinted on the "gotta cast your function pointers to get them to compile" pattern, either because they wrote code when the cast was required and fell into the habit, or (more likely) they learned from code that was written by someone who inherited this habit from somebody else. And yes, this inherited folk wisdom can even be found in MSDN.

The redundant function pointer cast is now a type of folklore, passed down from developer to developer, even though it's no longer needed and in fact will mask problems caused by mismatched prototypes.
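A modern-C model of the procedure-instance thunk, added here as an example (it is not Raymond's code and not the Windows implementation): the instance handle plays the role of ds, and the type-erased pointer carries a tag so the cast back to WNDENUMPROC or TIMERPROC is checked rather than trusted, which is exactly the mismatched-prototype case a bare cast would hide. All types, functions and data below are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the 16-bit Windows types named in the article;
 * simplified shapes, not the real Windows declarations. */
typedef void    *HWND;
typedef intptr_t LPARAM;
typedef unsigned UINT;
typedef uint32_t DWORD;
typedef struct app_data *HINSTANCE;      /* "where the data lives" */
typedef int  (*WNDENUMPROC)(HWND hwnd, LPARAM lparam);
typedef void (*TIMERPROC)(HWND hwnd, UINT msg, UINT id, DWORD time);
typedef void (*FARPROC)(void);           /* the type-erased form */

/* Per-instance data: the counterpart of the segment ds points at. */
struct app_data { int windows_seen; int ticks; };
enum proc_kind { PROC_WNDENUM, PROC_TIMER };

/* Stands in for the ds register: the thunk sets it, then jumps. */
static HINSTANCE g_current_instance;

/* A procedure instance that records which pointer type it was made from,
 * so the cast back can be checked instead of trusted. */
struct proc_instance {
    FARPROC        fn;
    enum proc_kind kind;
    HINSTANCE      inst;
};

/* One constructor per callback type: the caller needs no cast, so passing
 * a callback with the wrong prototype is a compile-time error. */
static struct proc_instance make_wndenum_instance(WNDENUMPROC fn, HINSTANCE inst)
{
    struct proc_instance pi = { (FARPROC)fn, PROC_WNDENUM, inst };
    return pi;
}
static struct proc_instance make_timer_instance(TIMERPROC fn, HINSTANCE inst)
{
    struct proc_instance pi = { (FARPROC)fn, PROC_TIMER, inst };
    return pi;
}

/* Dispatchers: verify the kind, "load ax" (select the instance data), then
 * jump to the real function. A kind mismatch returns -1 without calling. */
static int call_wndenum(const struct proc_instance *pi, HWND hwnd, LPARAM lparam)
{
    if (pi->kind != PROC_WNDENUM)
        return -1;
    g_current_instance = pi->inst;
    return ((WNDENUMPROC)pi->fn)(hwnd, lparam);
}
static int call_timer(const struct proc_instance *pi, HWND hwnd, UINT msg,
                      UINT id, DWORD time)
{
    if (pi->kind != PROC_TIMER)
        return -1;
    g_current_instance = pi->inst;
    ((TIMERPROC)pi->fn)(hwnd, msg, id, time);
    return 0;
}

/* Sample callbacks that reach their data only through the current instance. */
static int count_windows(HWND hwnd, LPARAM lparam)
{
    (void)hwnd; (void)lparam;
    g_current_instance->windows_seen++;
    return 1;                            /* keep enumerating */
}
static void on_tick(HWND hwnd, UINT msg, UINT id, DWORD time)
{
    (void)hwnd; (void)msg; (void)id; (void)time;
    g_current_instance->ticks++;
}

/* Constructed scenario: two instances share the code but not the data.
 * Returns a.windows_seen*100 + b.windows_seen*10 + b.ticks, i.e. 311. */
int demo(void)
{
    struct app_data a = { 0, 0 }, b = { 0, 0 };
    struct proc_instance enum_a = make_wndenum_instance(count_windows, &a);
    struct proc_instance enum_b = make_wndenum_instance(count_windows, &b);
    struct proc_instance tick_b = make_timer_instance(on_tick, &b);

    for (int i = 0; i < 3; i++)
        call_wndenum(&enum_a, NULL, 0);
    call_wndenum(&enum_b, NULL, 0);
    call_timer(&tick_b, NULL, 0, 1, 0);
    /* Using the timer instance as a window-enumeration callback is refused
     * rather than calling on_tick with the wrong arguments. */
    if (call_wndenum(&tick_b, NULL, 0) != -1)
        return -1;
    return a.windows_seen * 100 + b.windows_seen * 10 + b.ticks;
}

int main(void)
{
    int result = demo();
    printf("demo() = %d\n", result);
    return result == 311 ? 0 : 1;
}
```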

The Big Idea: Jack McDevitt [Whatever]

The Long Sunset by Jack McDevitt

In today’s Big Idea, Nebula Award-winning author Jack McDevitt looks at the concept of alien invasions and how they might not be what we expect — and how our interaction with alien civilizations might be different than we might imagine — and how it all fits in with his latest novel, The Long Sunset.


Recently Michael Hippke, an astronomer at the Sonnenberg Observatory in Germany, collaborated with John Learned of the University of Hawaii to produce a study stipulating that our terrestrial civilization might be in danger of an alien attack. This was a variant, however, from the standard notion of giant warships arriving to unleash a direct World War II-style assault. The nature of the threat now is described as electronic contamination. It might constitute nothing more than an e-mail arriving in your mailbox and offering you a large cash prize. Or immortality. ‘Simply open the attachment.’

Actually that sounds like a good title for a modern version of Damon Knight’s classic “To Serve Man.” Open the attachment and download a virus that allows the interstellar hacker to take over the entire electronic grid. Seated quietly inside his bedroom on Aldebaran III, it may simply play games with us, or shut us down completely.

Scientists have been signing statements in substantial numbers urging us to cut back as much as possible on the radio signals which, they say, are alerting high-tech nearby civilizations, if they’re actually there, about our presence. Leading the charge in recent years has been Stephen Hawking. Recently, he had been at the forefront of the Breakthrough Listen Project, which has been scanning nearby systems in an effort to locate aliens. But as determined as he was to find out whether there was life in the neighborhood, he had no interest in reaching out to anyone who showed up on the scopes. It would simply be too dangerous.

Some will argue that there are no nearby high-tech civilizations, otherwise how do you explain the unrelenting silence? One answer to that might be it’s because they’ve been bombing one another out of existence. Or that they understand the danger and keep their transmitters shut down.

How much more intense, one wonders, would the resistance be if we had an FTL drive, and the capability to visit other star systems? That we were actually doing it while scientists and politicians complained that we could not be sure who or what might be following us home. That is the reality in which star pilot Priscilla Hutchins lives.

But there is good news: Although a substantial number of living worlds have been visited, high-tech civilizations are almost nonexistent. There had been a few, but they are long gone. Nevertheless, the discovery of collapsed worlds does not make anyone feel safer. The countries that have participated in the space program are backing away, and reports have gotten out that interstellar flight is about to be shut down.

While the struggle goes on, a new super telescope is brought online, and we pick up a transmission, from thousands of light-years away, an incredible signal: a mixture of music and images of a waterfall.

We think we know the system it derived from, and an effort is quickly put together to launch the Barry Eiferman.

Priscilla has had a good career as a pilot, and she is quickly tabbed to lead the mission. They are trying to launch from the terrestrial space station when the shutdown order arrives. The Eiferman proceeds anyway, thereby guaranteeing the animosity of several political leaders, including the U.S. president.

Nothing proceeds as expected, and they encounter several surprises. Among them is an ocean world, with friendly creatures living on islands. The occupants are pleased to have visitors, showing none of the fears that have taken over the climate at home. They have electricity, radios, cars, and steamships. Priscilla and her team enjoy their time on the planet. There is obviously no connection with the waterfall transmission.

They have a temple with a globe perched atop its steeple. After Priscilla’s team has gotten some command of the language, they ask about the globe. The being who operates the temple stares down at the globe and spreads his hands over it. “It’s a dangerous world,” he says. “We are all in it together.”

But Priscilla and her team have been keeping something from their hosts: The ocean world is on the verge of being destroyed. Is there a way to help? Should we even tell them? “No,” says Priscilla. “Not unless we can talk the people at home into getting behind an all-out effort.”

It was hard to see how that could happen.


The Long Sunset: Amazon|Barnes & Noble|Indiebound|Powell’s

Read an excerpt. Visit the author’s site. Follow him on Facebook.


Yet Another Biometric: Ear Shape [Schneier on Security]

This acoustic technology identifies individuals by their ear shapes. No information about either false positives or false negatives.


Four short links: 23 April 2018 [All - O'Reilly Media]

Metrics and Incentives, Facebook as Fire Starter, Meeting Mastery, and Weird Chart Types

  1. Heart Surgeons Avoid Difficult Operations to Avoid Poor Performance Rankings -- Just under one-third of the 115 specialists who responded said they had recommended a different treatment path to avoid adding another death to their score. And 84% said they were aware of other surgeons doing the same. Reminds me of MySociety's hard-learned lessons with their MP scorecard, whereby MPs would ask pointless questions in Parliament just to get their numbers up.
  2. When Countries are Tinderboxes, and Facebook is a Match (NYT) -- where institutions are weak or undeveloped, Facebook’s newsfeed can inadvertently amplify dangerous tendencies. Designed to maximize user time on site, it promotes whatever wins the most attention. Posts that tap into negative, primal emotions like anger or fear, studies have found, produce the highest engagement, and so proliferate. Plenty of horrifying examples of lynchings and riots triggered by Facebook posts.
  3. Reflections (Matt Webb) -- Much of any founder's time will be spent meeting advisors and investors. There's a knack to running the room and getting what you want out of it, while maintaining a feeling of collaboration and conversation. Meetings aren't just time you spend in a room together. Meetings are an atomic unit of work. They should have purpose and outcomes, although these don't necessarily need to be stated. There are a lot of small ways to make sure attendees don't drift or feel lost. Really fascinating notes about how he coaches his founders through the incubator program.
  4. -- weird but (sometimes) useful charts.



Representative Line: The Truth About Comparisons [The Daily WTF]

We often point to dates as one of the example data types which is so complicated that most developers can’t understand them. This is unfair, as pretty much every data type has weird quirks and edge...


Missing from your job description [Seth Godin's Blog on marketing, tribes and respect]

If you're working in an office, here are some of the checklist items that might have been omitted:

  • Add energy to every conversation
  • Ask why
  • Find obsolete things on your task list and remove them
  • Treat customers better than they expect
  • Offer to help co-workers before they ask
  • Feed the plants
  • Leave things more organized than you found them
  • Invent a moment of silliness
  • Highlight good work from your peers
  • Find other great employees to join the team
  • Cut costs
  • Help invent a new product or service that people really want
  • Get smarter at your job through training or books
  • Encourage curiosity
  • Surface and highlight difficult decisions
  • Figure out what didn't work
  • Organize the bookshelf
  • Start a club
  • Tell a joke at no one's expense
  • Smile a lot.

Now that it's easier than ever to outsource a job to someone cheaper (or a robot) there needs to be a really good reason for someone to be in the office. Here's to finding several.


[Heads up: Today's the early priority deadline for the summer session of the altMBA.

Also! Tonight, just after 6 pm ET, the one and only Simon Sinek is joining me for a Facebook Live conversation, on location.]



Registrars Suspend 11 Pirate Site Domains, 89 More in the Crosshairs [TorrentFreak]

In addition to website blocking which is running rampant across dozens of countries right now, targeting the domains of pirate sites is considered to be a somewhat effective anti-piracy tool.

The vast majority of websites are found using a recognizable name so when they become inaccessible, site operators have to work quickly to get the message out to fans. That can mean losing visitors, at least in the short term, and also contributes to the rise of copy-cat sites that may not have users’ best interests at heart.

Nevertheless, crime-fighting has always been about disrupting the ability of the enemy to do business so with this in mind, authorities in India began taking advice from the UK’s Police Intellectual Property Crime Unit (PIPCU) a couple of years ago.

After studying the model developed by PIPCU, India formed its Digital Crime Unit (DCU), which follows a multi-stage plan.

Initially, pirate sites and their partners are told to cease-and-desist. Next, complaints are filed with advertisers, who are asked to stop funding site activities. Service providers and domain registrars also receive a written complaint from the DCU, asking them to suspend services to the sites in question.

Last July, the DCU earmarked around 9,000 sites where pirated content was being made available. From there, 1,300 were placed on a shortlist for targeted action. Precisely how many have been contacted thus far is unclear but authorities are now reporting success.

According to local reports, the Maharashtra government’s Digital Crime Unit has managed to have 11 pirate site domains suspended following complaints from players in the entertainment industry.

As is often the case (and to avoid them receiving even more attention) the sites in question aren’t being named but according to Brijesh Singh, special Inspector General of Police in Maharashtra, the sites had a significant number of visitors.

Their domain registrars were sent a notice under Section 149 of the Code Of Criminal Procedure, which grants police the power to take preventative action when a crime is suspected. It’s yet to be confirmed officially but it seems likely that pirate sites utilizing local registrars were targeted by the authorities.

“Responding to our notice, the domain names of all these websites, that had a collective viewership of over 80 million, were suspended,” Singh said.

Laxman Kamble, a police inspector attached to the state government’s Cyber Cell, said the pilot project was launched after the government received complaints from Viacom and Star but back in January there were reports that the MPAA had also become involved.

Using the model pioneered by London’s PIPCU, 19 parameters were applied to a list of pirate sites in order to place them on the shortlist. They are reported to include the type of content being uploaded and downloaded, and the overall number of downloads.

Kamble reports that a further 89 websites, which have domains registered abroad but are very popular in India, are now being targeted. Whether overseas registrars will prove as compliant remains to be seen. After booking initial success, even PIPCU itself experienced problems keeping up the momentum with registrars.

In 2014, information obtained by TorrentFreak following a Freedom of Information request revealed that only five out of 70 domain registrars had complied with police requests to suspend domains.

A year later, PIPCU confirmed that suspending pirate domain names was no longer a priority for them after ICANN ruled that registrars don’t have to suspend domain names without a valid court order.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Top 10 Most Pirated Movies of The Week on BitTorrent – 04/23/18 [TorrentFreak]

This week we have three newcomers in our chart.

Pacific Rim: Uprising is the most downloaded movie.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are Web-DL/Webrip/HDRip/BDrip/DVDrip unless stated otherwise.

RSS feed for the weekly movie download chart.

This week’s most downloaded movies are:
Most downloaded movies via torrents
Rank (rank last week) Movie name IMDb rating / trailer
1 (…) Pacific Rim: Uprising (Subbed HDrip) 5.9 / trailer
2 (3) 12 Strong 6.8 / trailer
3 (2) Den of Thieves 7.0 / trailer
4 (1) Maze Runner: The Death Cure 6.8 / trailer
5 (…) Red Sparrow (Subbed HDrip) 6.7 / trailer
6 (8) Black Panther (HDTS) 7.9 / trailer
7 (6) Hostiles 7.3 / trailer
8 (5) The Greatest Showman 7.9 / trailer
9 (4) The Commuter 6.4 / trailer
10 (…) Bleeding Steel 5.3 / trailer



Comic: Comet Inducing [Penny Arcade]

New Comic: Comet Inducing

What Is This, A Menu For Ants?! [Ctrl+Alt+Del Comic]

Game of the Year contender. That about sums up God of War so far.

I am blown away by this game, and I’d love to talk more about it once I’m further along, but wow that menu text size. They even patched in an option to increase (ie, magnify) the text size, and it barely made a difference.

And that’s a shame, too, because the game is dripping with cool tidbits of norse world-lore, as written from Atreus’ (AKA: Boy) perspective. Some of it is a little… weak. Tips against certain enemies along the gist of “These bad guys like to use attacks. Perhaps if my father blocked with his shield, he could block their attack.” Like, thanks for the heads up, bud.

But there is a lot of great stuff to digest here, but every time I hop into the menus, I feel like my eyes have to take a second to adjust and focus, prepping themselves to decipher the tiny text. It’s like I’m taking an eye exam and being asked to read the bottom row.

Still, not denting my enjoyment of the game. If you have a PS4, it’s a must-play.

More on Dad of War later this week.


1185 [LFG Comics]

The post 1185 appeared first on Looking For Group.

Vincent Bernat: A more privacy-friendly blog [Planet Debian]

When I started this blog, I embraced some free services, like Disqus or Google Analytics. These services are quite invasive for users’ privacy. Over the years, I have tried to correct this to reach a point where I do not rely on any “privacy-hostile” services.


Google Analytics is a ubiquitous solution to get a powerful analytics solution for free. It’s also a great way to provide data about your visitors to Google—also for free. There are self-hosted solutions like Matomo—previously Piwik.

I opted for a simpler solution: no analytics. It also enables me to think that my blog attracts thousands of visitors every day.


Google Fonts is a very popular font library and hosting service, which relies on the generic Google Privacy Policy. The google-webfonts-helper service makes it easy to self-host any font from Google Fonts. Moreover, with help from pyftsubset, I include only the characters used in this blog. The font files are lighter and more complete: no problem spelling “Antonín Dvořák”.


  • Before: YouTube
  • After: self-hosted

Some articles are supported by a video (like “OPL2LPT: an AdLib sound card for the parallel port”). In the past, I was using YouTube, mostly because it was the only free platform with an option to disable ads. Streaming on-demand video is usually deemed quite difficult. For example, if you just use the <video> tag, you may push too large a video to people with a slow connection. However, it is not that hard, thanks to hls.js, which makes it possible to deliver video sliced into segments available at different bitrates. Users with JavaScript disabled are still served a progressive version of medium quality.

In “Self-hosted videos with HLS”, I explain this approach in more detail.


Disqus is a popular comment solution for static websites. They were recently acquired by Zeta Global, a marketing company, and their business model is supported only by advertisements. On the technical side, Disqus also loads several hundred kilobytes of resources. Therefore, many websites load Disqus on demand. That’s what I did. This doesn’t solve the privacy problem, and I had the feeling people were less eager to leave a comment if they had to perform an additional action.

For some time, I thought about implementing my own comment system around Atom feeds. Each page would get its own feed of comments. A piece of JavaScript would turn these feeds into HTML and comments could still be read without JavaScript, thanks to the default rendering provided by browsers. People could also subscribe to these feeds: no need for mail notifications! The feeds would be served as static files and updated on new comments by a small piece of server-side code. Again, this could work without JavaScript.

[Image: Day Planner by Fowl Language Comics, or the real reason why I didn't code a new comment system.]

I still think this is a great idea. But I didn’t feel like developing and maintaining a new comment system. There are several self-hosted alternatives, notably Isso and Commento. Isso is a bit more featureful, notably with an imperfect import from Disqus. Both are struggling with maintenance and are trying to become sustainable with a paid hosted version.1 Commento is more privacy-friendly as it doesn’t use cookies at all. However, cookies from Isso are not essential and can be filtered with nginx:

proxy_hide_header Set-Cookie;
proxy_hide_header X-Set-Cookie;
proxy_ignore_headers Set-Cookie;

In Isso, there are currently no mail notifications, but I have added an Atom feed for each comment thread.

Another option would have been to stop providing comments altogether. However, I had some great contributions as comments in the past, and I also think they can work as some kind of peer review for blog articles: they are a weak guarantee that the content is not totally wrong.

Search engine

One way to provide a search engine for a personal blog is to put up a form that queries a public search engine, like Google. That’s what I did. I also slapped some JavaScript on top of it so that it wouldn’t look like Google.

The solution here is easy: switch to DuckDuckGo, which lets you customize the search experience a bit:

<form id="lf-search" action="">
  <input type="hidden" name="kf" value="-1">
  <input type="hidden" name="kaf" value="1">
  <input type="hidden" name="k1" value="-1">
  <input type="hidden" name="sites" value="">
  <input type="submit" value="">
  <input type="text" name="q" value="" autocomplete="off" aria-label="Search">
</form>

The JavaScript part is also removed, as DuckDuckGo doesn’t provide an API. As it is unlikely that more than three people will use the search engine in a year, it seems wise not to spend too much time on this non-essential feature.


  • Before: RSS feed
  • After: still RSS feed but also a MailChimp newsletter

Nowadays, RSS feeds are far less popular than they were before. I am still baffled as to why a technical audience wouldn’t use RSS, but some readers prefer to receive updates by mail.

MailChimp is a common solution to send newsletters. It provides a simple integration with RSS feeds to trigger a mail each time new items are added to the feed. From a privacy point of view, MailChimp seems a good citizen: data collection is mainly limited to the amount needed to operate the service. Privacy-conscious users can still avoid this service and use the RSS feed.

Less JavaScript

  • Before: third-party JavaScript code
  • After: self-hosted JavaScript code

Many privacy-conscious people are disabling JavaScript or using extensions like uMatrix or NoScript. Except for comments, I was using JavaScript only for non-essential stuff:

For mathematical formulae, I have switched from MathJax to KaTeX. The latter is faster but also enables server-side rendering: it produces the same output regardless of the browser. Therefore, client-side JavaScript is not needed anymore.

For sidenotes, I have turned the JavaScript code doing the transformation into Python code, with pyquery. No more client-side JavaScript for this aspect either.

The remaining code is still here but is self-hosted.

Memento: CSP

The HTTP Content-Security-Policy header controls the resources that a user agent is allowed to load for a given page. It is both a safeguard and a memento of the external resources a site will use. Mine is moderately complex and shows what to expect from a privacy point of view:3

  default-src 'self' blob:;
  script-src  'self' blob:;
  object-src  'self';
  img-src     'self' data:;
  style-src   'self' 'unsafe-inline';
  font-src    'self' about: data:;
  worker-src  blob:;
  media-src   'self' blob:;
  connect-src 'self';
  frame-ancestors 'none';

I am quite happy having been able to reach this result. 😊
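To make the "memento" role concrete, here is an added example (not code from the article) that parses a CSP value and lists, per directive, every source that is not the site itself, so any third-party host sneaking into the policy shows up immediately. The policy string is the one quoted above; the parser and the checks are this example's own.

```javascript
// Added example, not code from the article: parse a Content-Security-Policy
// value and report, per directive, every source that is not the site itself,
// so the header really works as a memento of the third parties a page may
// contact. The policy below is the one quoted above.

const POLICY = [
  "default-src 'self' blob:",
  "script-src  'self' blob:",
  "object-src  'self'",
  "img-src     'self' data:",
  "style-src   'self' 'unsafe-inline'",
  "font-src    'self' about: data:",
  "worker-src  blob:",
  "media-src   'self' blob:",
  "connect-src 'self'",
  "frame-ancestors 'none'",
].join('; ');
// Keyword and scheme sources that never trigger a request to another host.
const LOCAL_SOURCES = new Set(["'self'", "'none'", "blob:", "data:", "about:"]);

// Split the header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Returns { thirdParty: { directive: [external sources] }, warnings: [...] }.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const thirdParty = {};
  const warnings = [];
  for (const [name, sources] of directives) {
    // Quoted tokens ('unsafe-inline', 'nonce-...', 'sha256-...') are keywords, not hosts.
    const external = sources.filter(s => !LOCAL_SOURCES.has(s) && !s.startsWith("'"));
    if (external.length > 0) thirdParty[name] = external;
    if (name === 'script-src' && sources.includes("'unsafe-inline'")) {
      warnings.push("script-src allows 'unsafe-inline': injected inline scripts would run");
    }
  }
  const ancestors = directives.get('frame-ancestors');
  if (!ancestors || ancestors[0] !== "'none'") {
    warnings.push("frame-ancestors is not 'none': the page can be framed by other sites");
  }
  return { thirdParty, warnings };
}
```

Running `auditCsp(POLICY)` on the policy above yields an empty third-party map and no warnings; a policy that whitelists a CDN or an analytics host for `script-src` or `img-src` shows that host under the directive that allows it.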

  1. For Isso, look at For Commento, look at↩︎

  2. You may have noticed I am a footnote sicko and use them all the time for pointless stuff. ↩︎

  3. I don’t have an issue with using a CDN like CloudFront: it is a paid service and Amazon AWS is not in the business of tracking users. ↩︎

