Wednesday, 23 January


CodeSOD: Internal Validation [The Daily WTF]

If you’re doing anything financial in Brazil, you have to manage “CNPJ” numbers. These numbers are unique identifiers for every business and every branch of that business, along with a pair of...


Mike Gabriel: MATE desktop in Debian buster becomes remote desktop aware (RDA) [Planet Debian]

The MATE desktop environment in Debian will be the first desktop environment in Debian with (still basic) support for detecting its graphical context (especially detecting whether it is running inside a remote session).

With the packages mate-panel 1.20.4-2 and mate-screensaver 1.20.3-3, two new (preview) features entered Debian recently.

RDA in MATE's panel

If MATE is running inside an X2Go session, the MATE panel will (a) hide the "System" menu's shutdown menu item from users and (b) offer a menu item that allows users to suspend (disconnect) the X2Go session. See upstream PR #824 [1]. More integrations may come, patches welcome.

RDA in MATE's screensaver

Same with MATE's screensaver. If the MATE screensaver locks a MATE session running inside X2Go, it will offer a [ Disconnect X2Go ] button in the screensaver unlock dialog. See upstream PR #159.

While working on this code, I noticed another flaw in MATE screensaver that looks like a variant of CVE-2018-20681 [2]. MATE's screensaver reveals the desktop session's content when (a) resuming a suspended session (non-critical IMHO, since resuming requires user auth) or (b) resizing the X2Go session window (critical, since resizing requires local access to the X2Go client host only). See upstream issue #177 [3].

Remote Desktop Awareness

The concept behind these features has been designed in a 3rd party shared library called RDA (Remote Desktop Awareness) [4].

Testing it...

If you install MATE from Debian unstable (the packages will migrate to testing in a few days), then you can test this new feature.

On the server (for testing scenarios, server and client can be the same host):

$ sudo apt install x2goserver mate-desktop-environment

Make sure you get mate-panel 1.20.4-2 and mate-screensaver 1.20.3-3 installed (or newer versions).

On the client (recommending Debian testing):

$ sudo apt install pyhoca-cli

Then, on the client:

$ pyhoca-cli --server=<server> --port=<sshport> --user=<remote-user> --command=MATE

If you prefer to use X2Go Client (the Qt GUI for X2Go) for testing this, you can do that as well and click your way through the GUI to set up a session profile.

Future Prospects

All this RDA stuff is still work-in-progress and it is neither limited to X2Go nor limited to the MATE desktop environment. Please consider this implementation a proof of concept that may grow in the near and far future.


The job interview approach [Seth's Blog]

That meeting on your calendar, the one scheduled for tomorrow. What if it were the final interview for a job you care about?

Would you show up on time?

Where would you sit?

What sort of questions would you ask?

What would you wear?

Would you reschedule it at the last minute?

Why is it okay to act any less professionally than that for a meeting with a co-worker, a salesperson or an entrepreneur looking for funding?

It’s entirely possible that we can honor a reflexive property. When we are contributing we can show up with the same enthusiasm we use when we’re asking for something.


Netflix Becomes a Member of the MPAA [TorrentFreak]

The Motion Picture Association of America (MPAA) has been protecting the interests of Hollywood since its formation in 1922.

It generates most of its revenue from contributions by the six major Hollywood studios – Disney, Paramount, Sony, Twentieth Century Fox, Universal, and Warner Bros.

But now, in a historic move, a significant new member has joined the movie and TV show trade association.

“On behalf of the MPAA and its member companies, I am delighted to welcome Netflix as a partner,” MPAA Chairman and CEO Charles Rivkin said in a statement.

“All of our members are committed to pushing the film and television industry forward, in both how we tell stories and how we reach audiences. Adding Netflix will allow us to even more effectively advocate for the global community of creative storytellers, and I look forward to seeing what we can all achieve together.”

The addition of Netflix to the MPAA fold doesn’t come as a complete surprise.

As reported in 2018, the MPAA faces a shrinking budget following Disney’s acquisition of 20th Century Fox. Despite reporting revenues of $57m (including studio contributions of almost $50m) in its latest public filings, that figure was down from $73 million in the previous year.

Disney previously promised to pay Fox’s MPAA contributions for a year after the finalization of the deal but that still had the potential to leave the MPAA down one-sixth in membership dues. Presuming that the streaming service will pay an equal share, Netflix’s membership of the trade group should go a long way to filling the Fox-shaped hole in its budget.

The addition of Netflix to the MPAA is groundbreaking on a few fronts.

Perhaps most significantly, Netflix isn’t a Hollywood studio, so its membership breaks with almost a century of tradition. And, of course, this is the first time that a dedicated streaming service has become so closely aligned with the interests of the 97-year-old organization.

“Joining the Motion Picture Association further exemplifies our commitment to ensuring the vibrancy of these creative industries and the many talented people who work in them all over the world,” said Ted Sarandos, Netflix Chief Content Officer.

“We look forward to supporting the association team and their important efforts.”

While Netflix settles in as the MPAA’s newest member, the streaming service is no stranger to working with the major Hollywood studios in respect of content protection.

In 2017, Netflix was revealed as one of the founding members of the Alliance for Creativity and Entertainment (ACE), a global anti-piracy group featuring the studios of the MPAA and dozens of other companies. As a key member, Netflix was granted full voting rights on ACE business, including the approval of initiatives and public policy, anti-piracy strategy, budget-related matters, plus approval of legal action.

If the MPAA is looking to expand further still, it’s possible that Amazon could yet join the fold. Not only is Amazon a founding member of ACE, but the company was also touted as a potential new MPAA member during 2018.

Amazon, however, is still a member of the Internet Association, a pro-tech organization that Netflix parted company with recently, just in advance of joining the MPAA.


Feeds | Northwest Universities R Day event [Planet GridPP]

s.aragon, 23 January 2019 - 9:41am

By Reka Solymosi, University of Manchester. In October 2018 I was part of a team who organised the first ever (UK) North West Universities R Day. Inspired by the series of events organised by the R user groups based at the University of Manchester (UoM) and Manchester Metropolitan University (MMU), we decided to host a one day conference to bring people together around the topic of using R.


Louis-Philippe Véronneau: A Cold BSP [Planet Debian]

Some people really dislike winter, but it's a season I've always enjoyed. I like cold weather and I would take snow over rain any day. That said, I have my limits too; the weather in Montréal last weekend was downright extreme. The weather forecast said it was the first time in a hundred years that we had a violent snow storm and temperatures under -20°C at the same time. With the wind, the apparent temperature was around -35°C. Brrrr...

Sunday morning weather

Sadly for us, the Montreal Bug Squashing Party was also taking place that weekend. I have to say I was worried people wouldn't show up, but we ended up being fourteen on Saturday and eight on Sunday!

On Saturday morning, I arrived pretty early, bootstrapped networking and installed an apt proxy. Turns out it's surprisingly easy to set up. Anarcat then gave a quick "BSP 101" workshop and we started to work on fixing bugs.

On Sunday Anarcat gave another workshop, "Packaging 101" this time. Even though I've been there the last 3 times he gave that workshop, it was the first time I had time to attend it. Debian packaging is now much clearer for me!

All in all, we did some pretty good work and closed a bunch of bugs. I even updated a package to a new version (my very first upload in Debian)!

Some of the attendees of the Mtl BSP

So yeah, BSPs are fun! With the Buster release closing in, you should try to join or organise one!

Many thanks to the fabulous people at Eastern Bloc and to the Debian project for feeding us!


Winter-een-mas 2019, p12 [Ctrl+Alt+Del Comic]

It’s almost here! Winter-een-mas begins on Friday! Let me know if you’ll be doing anything special for the holiday! Planning a get together with friends? Got a game you’re going to be playing this weekend? Something new, or perhaps digging out an old favorite?

My plan is to start with the Resident Evil 2 remake, which happens to release on Friday, and go from there!

The post Winter-een-mas 2019, p12 appeared first on Ctrl+Alt+Del Comic.


258 [LFG Comics]

The post 258 appeared first on Tiny Dick Adventures.

Louis-Philippe Véronneau: Migrating from Pelican 3 to Pelican 4 [Planet Debian]

A couple of days ago, pelican got updated from version 3.7.1 in testing to 4.0.1. The good news is that it's now written in Python 3; the bad news is that breaking changes need to be made in the main configuration file.

Here are two things you'll need to change to migrate:

1. %s in the Atom feed path needs to be replaced by either {slug} or {lang}, depending on the variable.

For example:

-TAG_FEED_ATOM = 'feeds/tags/%s.atom.xml'
+TAG_FEED_ATOM = 'feeds/tags/{slug}.atom.xml'

2. FEED_MAX_ITEMS now needs to be an integer and not a string.

My previous configuration had FEED_MAX_ITEMS = '20' and this crashed pelican with this error:

CRITICAL: TypeError: '<' not supported between instances of 'int' and 'str'
Traceback (most recent call last):
  File "/usr/bin/pelican", line 11, in <module>
    load_entry_point('pelican==4.0.1', 'console_scripts', 'pelican')()
  File "/usr/lib/python3/dist-packages/pelican/", line 623, in main
  File "/usr/lib/python3/dist-packages/pelican/", line 190, in run
  File "/usr/lib/python3/dist-packages/pelican/", line 688, in generate_output
  File "/usr/lib/python3/dist-packages/pelican/", line 335, in generate_feeds
  File "/usr/lib/python3/dist-packages/pelican/", line 131, in write_feed
    max_items = min(self.settings['FEED_MAX_ITEMS'], max_items)
TypeError: '<' not supported between instances of 'int' and 'str'

This can be fixed this way:
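The setting has to be an integer, i.e. FEED_MAX_ITEMS = 20 instead of FEED_MAX_ITEMS = '20'. As an added example (not code from the post or from Pelican itself), the helper below applies both changes from this post to a settings dict and reports what a Pelican 4 run would still trip over. Which feed settings take {slug} and which take {lang} is taken from the names in Pelican's default configuration and is an assumption beyond the TAG_FEED_ATOM case shown above.

```python
"""Apply the two Pelican 3 -> 4 settings changes described in the post.

Added example; it is not Pelican's own migration code. The setting names
below other than TAG_FEED_ATOM are assumed from Pelican's default config.
"""

# Per-object feeds: the old '%s' placeholder becomes '{slug}' (assumption
# for everything except TAG_FEED_ATOM, which the post shows directly).
SLUG_FEED_SETTINGS = (
    "CATEGORY_FEED_ATOM", "CATEGORY_FEED_RSS",
    "AUTHOR_FEED_ATOM", "AUTHOR_FEED_RSS",
    "TAG_FEED_ATOM", "TAG_FEED_RSS",
)
# Translation feeds are keyed by language, so '%s' becomes '{lang}'.
LANG_FEED_SETTINGS = ("TRANSLATION_FEED_ATOM", "TRANSLATION_FEED_RSS")


def migrate_settings(settings):
    """Return a copy of a Pelican 3 settings dict adjusted for Pelican 4.

    - '%s' in the feed path settings is rewritten to the named placeholder
    - FEED_MAX_ITEMS is coerced to int, because Pelican 4 passes it to min()
    Raises ValueError when FEED_MAX_ITEMS cannot be parsed as an integer.
    """
    out = dict(settings)
    for key in SLUG_FEED_SETTINGS:
        value = out.get(key)
        if isinstance(value, str):
            out[key] = value.replace("%s", "{slug}")
    for key in LANG_FEED_SETTINGS:
        value = out.get(key)
        if isinstance(value, str):
            out[key] = value.replace("%s", "{lang}")
    raw = out.get("FEED_MAX_ITEMS")
    if raw is not None:
        try:
            out["FEED_MAX_ITEMS"] = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"FEED_MAX_ITEMS must be an integer, got {raw!r}")
    return out


def check_settings(settings):
    """List the problems a Pelican 4 run would hit with these settings."""
    problems = []
    for key in SLUG_FEED_SETTINGS + LANG_FEED_SETTINGS:
        value = settings.get(key)
        if isinstance(value, str) and "%s" in value:
            problems.append(f"{key}: '%s' placeholder is no longer supported")
    max_items = settings.get("FEED_MAX_ITEMS")
    if max_items is not None and not isinstance(max_items, int):
        problems.append(
            f"FEED_MAX_ITEMS: expected int, got {type(max_items).__name__}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample reproducing the settings the post shows failing.
    old = {
        "TAG_FEED_ATOM": "feeds/tags/%s.atom.xml",
        "TRANSLATION_FEED_ATOM": "feeds/all-%s.atom.xml",
        "FEED_MAX_ITEMS": "20",
    }
    for problem in check_settings(old):
        print("before:", problem)
    new = migrate_settings(old)
    print("after:", new, check_settings(new))
```

Running check_settings against your old pelicanconf values before the upgrade tells you exactly which lines to touch; migrate_settings produces the values to paste in.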



Shirish Agarwal: Epilepsy, Javascript, Security and Debian [Planet Debian]

This is going to be quite a long post, so I would request everybody to relax, have their favorite hot/cold drink in hand, kick up their feet and relax, as it's going to take time.

The first update I wanna share is about my epilepsy. For those who didn't know, I suffered a series of epileptic seizures about a year and a half back. I stayed in a hospital for about 3 months; luckily medicines helped me and I didn't have to go for brain surgery (which was a real possibility), and I needed a month and a half of physiotherapy to regain balance and muscular movement. It is still not 100% but I can move around, which is more than enough to be thankful for.

Last month, after coming back from the Kerala trip, I took the brave step of getting an MRI and a battery of tests. While the tests and MRI were expensive (INR 25k), I was more apprehensive about whether it would result in a further stay in hospital, which I was really afraid of. Thankfully, the doctors said that 99% of the issue is gone. While I am supposed to visit him once every few months, he has advised taking another similar test around 6 months to a year from now, but that's up to us. The moment the doctor shared this, I felt as if an unimaginable weight I had been carrying on my shoulders had been lifted.

Due to my own experience, I tried to read as much as I could about epilepsy. While I have been luckier than most, from what little I could garner and understand, epileptic seizures and strokes happen when some sort of abnormal chemical reaction happens in the brain. Why it happens could be for any number of reasons. In my case, it apparently was that the blood which flows to the brain had become thick, and hence I had to take blood-thinning medicines.

Some of the probable reasons for thick blood could be fatty tissue (I am fat), thinking too much or just being out in the sun too much. I don't know which of the reasons to believe, as each of them is as likely as the others, or not. The only realization I have from the various explanations given is that probably the doctors don't know (more research is needed). One of the other causes which I found out about is pollution, which could have been a contributing factor. I say this as most people who were next to me were patients who had similar issues, and most of them were in the prime of their health and still they got it.

One of the interesting things I came to know while I was researching MRI (after the first check happened, once I was able to sit at the computer and use the web on my own) was that MRI was actually named NMRI, i.e. Nuclear Magnetic Resonance Imaging, but the 'nuclear' was dropped because the word has negative connotations, probably due to the association with the atomic bomb explosions. Ironically, I am a bit thankful, as at least I was able to understand and empathize a bit with people who may be going through something similar.

People who suffer from depression or mania of some sort come to know inherently that it's not something they can control or be in charge of; at the most they try to find ways to learn to live with it. Most people, including me, are harder on ourselves than ever before, even though we are as fallible, if not more so, than the next person. We are going to make more mistakes, whether it is in our spelling or our understanding of things. I hope this message and prayer brings some sort of peace and understanding to those who are either going through it or are part of the lives of people who are living through it. To have emotional outbursts and frustrations is pretty common, as we are not in control as we were before. I would stop here now.


Last week I had volunteered to be part of JSFOO. I had been hearing about JSFOO from friends and colleagues for quite some time now. I volunteered and shared that I would write about my experience as well as help them with the report of the event. Having attended the event, I have mixed feelings about it. Perhaps my expectations were too high, but most talks I found boring simply because they were another version of 'My Javascript is better' and at the most a 'hello world' kind of script was shown. While there were two tracks, I could be in only one, and I found the talks too basic for my liking even though I am no Javascript developer. The first one I attended was from Ironswap security, which was about XSS. I found the talk to be a bit confusing and at the same time was surprised when a couple of attendees asked me what XSS was. I don't think the presenter even asked if people knew what XSS was; he just went about his presentation.

One of the other things which irked me was when some lady gave a sort of caricature explanation of what Open-Source is. I don't know whether I heard her wrong, or she didn't know what Open-Source is. While I am more of a free software person, I still understand the various nuances and the reason why open-source came in and what it means both from a business and a legal perspective. I just groaned inwardly for some new developer who might be wondering what open-source is and went away with a vaguish understanding or definition.

There was an interesting presentation about Frappe charts, though, although the lady sharing it was too fast, probably to get the whole thing done in under 20 minutes. I do hope nobody had to subtitle that talk, as I know from personal experience how taxing and frustrating such an experience can be, more so if the person speaking is speaking fast. You can't roll the subtitles faster than the eyes and the brain can process. I do wish she had slowed down and given some more attention to charting, as it is a business decision-making function but woefully misunderstood and rated lower, unless you are into stocks or bonds or have to give some sort of cost-benefit analysis to your peers, seniors etc. IMO how to make charts, and how different ways of making charts give different visual understandings, should be 101 for any student irrespective of whatever background s(he) is from.

One of the other interesting presentations was by Jyotsana Gupta from Mozilla, who tried to share about some of the security addons. I wish she had taken more time and gone a bit more in-depth; I would have enjoyed that quite a bit.

The other interesting conversation was with somebody from Amazon Alexa about how to program for sound. He had a full-day free workshop the next day which I was unable to attend, although I guess it would have been just as enriching. For India, it seems next to impossible, as there are just so many dialects and ways of speaking, and probably more than a dozen or two dozen words and phrases for something or the other. While I could guess-work it, it still seems a long haul from the basic 'keyword' patterns which people use, and then there are the privacy issues, but that's another potboiler altogether 🙂

One of the things I kept hoping for, probably against hope, was that somebody would talk about the Javascript Trap and share about librejs, but that was not to be, although with some recent conversations and understandings that may also be a long road indeed; sharing below.

DevSecOps Pune 2 – Lean Coffee format

I almost didn’t go to this meetup. I called up the number of the organizer but then hung up as I ain’t a security expert, while this meetup was for security experts. The only thing which kinda pulled me for this meetup was not really the security aspect but the lean coffee methodology which I hadn’t heard about before so was curious. Somehow the organizer called me and I agreed to be part of the meetup although I had no idea what I would talk about. I have played with some security tools for myself and my clients but not in a serious manner. Anyways, turned up the next day and was lucky to call before as I was thinking that it would start at 11:00 hrs. but started at 10:00 hrs. The place is also near to my place so was able to make in one piece without much sweat. I had gone with the idea of not participating much. Also one of the rules of the game was not to talk of products but processes hence just went like that.

We were passed chits and I just wrote Debian on mine, thinking it probably wouldn't be picked up. As per the lean coffee setup, I was given a marker and any two choices I could put the marker to; I put my marker on what most people were interested in, as anyway I had no knowledge of the two subjects. Somehow two people put a mark on Debian.

The first topic was taken up by Muneeb, a long-time friend whom I had not met for a long time. He started with passwords (shared secrets) and the shortcomings of the same. He shared about PKI, but only asynchronous PKI or PKI with a certifying authority, which I knew from the many public and not so public fallouts is and was a broken infrastructure. He also shared a bit about digital certificates, which again have been on the way out in almost all countries except India. It is good if you are making money either as an agent or being a certifying authority but doesn't do anything in terms of making the infrastructure any safer. There was talk of SSL, but even as a novice web-user I know that all SSL is not the same. There used to be a slew of excellent add-ons such as Certificate Patrol, Perspectives and Convergence, of which only Certificate Patrol has managed to still eke out a web presence. The site itself answers the many questions about how SSL itself is broken. It is an excellent resource for those who want to know about it.

While I didn’t go into the details of either how SSL is broken or MITM attacks are possible, I did share about synchronous public-private key infrastructure, Web of Trust and getting the public key signed by multiple developers. I did share the whole key-signing party which happens and how people trust or don’t trust you depending on n number of factors, part of which may be their own paranoia which depending on how you look at it can be healthy or not.

The other topics which were shared by people were often compliance and war stories they had encountered when dealing with different companies and compliance methods. I remember sharing about LTP and getting blank looks about it. I had actually been thinking about whether, as an attacker, I would do multiple DOS attacks on a machine/network and use one or the other vulnerability to worm my way through. My question was about whether they offered such kinds of services, and I was told that in most companies they weren't allowed to do even basic pentesting, so what I was wondering about is far out there from the reality. This is when some of their client companies are apparently doing software exports to other countries.

Something which I have seen for quite some time is the kind of password requirements esp. Indian sites have. This is an example of an Indian site where I wanted to set a password –

Now while I won’t share the site name. It is a common occurence. Now why it doesn’t work most probably is because whoever coded for the password was looking at having just single numerical character, a single lower character and a single special character.

If you look at most users' psychology, they would usually try to have a password which meets the least requirements rather than the full ones. If I were an attacker, I would say it is a weak system, as the attacker would know that most people would use something like this to fulfill the requirements but also give easy access to an attacker. Password – Shirishag75; or something similar, as most people use the common username to have the same profile everywhere. The attacker's job becomes much, much easier in such cases. And while I have shared one, there are probably hundreds of Indian sites which use similar methodology to 'safeguard' user passwords. What would have been better is the ability to have multiple special characters, multiple upper and lower characters and multiple numerical characters. Anything which improves entropy or randomness should decrease the chance of attack. This of course also depends upon the user to exercise and use that understanding, but that's a topic for another day.
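To make the "least requirements" point concrete, here is an added example (not code from the post) that models the one-of-each rule described above and scores a password two ways: the bits a naive checker credits from length and character classes, and the bits an attacker has to search once they assume the predictable word-plus-digits-plus-symbol shape that the rule invites. The minimum length of 8, the 100,000-entry word/username list and the shape regex are assumptions of the example, not details from the post.

```python
"""Password policy versus attacker model, for the discussion above.

Added example, not from the original post. Assumptions: min length 8,
a 100,000-entry word/username list, and the 'Capitalised word + digits +
one symbol' shape as the minimum-effort way to satisfy the rule.
"""
import math
import re
import string

SPECIALS = string.punctuation  # 32 ASCII symbols

# The minimal rule the post describes: at least one lowercase letter, one
# digit and one special character. The length floor is an assumption.
MINIMAL_POLICY = {"min_len": 8, "lower": 1, "digit": 1, "special": 1}


def class_counts(pw):
    """Count characters per class; shared by the policy check and scoring."""
    return {
        "lower": sum(c.islower() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in SPECIALS for c in pw),
    }


def meets_policy(pw, policy=MINIMAL_POLICY):
    """True if pw satisfies every minimum in policy."""
    if len(pw) < policy["min_len"]:
        return False
    counts = class_counts(pw)
    return all(counts[cls] >= n for cls, n in policy.items() if cls != "min_len")


# Minimum-effort shape: optionally capitalised word, 1-4 digits, one symbol.
MINIMAL_EFFORT_SHAPE = re.compile(
    r"^(?P<word>[A-Z]?[a-z]{3,})(?P<digits>[0-9]{1,4})(?P<sym>["
    + re.escape(SPECIALS)
    + r"])$"
)


def is_minimal_effort(pw):
    """True if pw has the predictable word+digits+symbol shape."""
    return MINIMAL_EFFORT_SHAPE.match(pw) is not None


def naive_bits(pw):
    """Bits a naive checker credits: length * log2(pool of classes used)."""
    counts = class_counts(pw)
    pool = 0
    if counts["lower"]:
        pool += 26
    if counts["upper"]:
        pool += 26
    if counts["digit"]:
        pool += 10
    if counts["special"]:
        pool += len(SPECIALS)
    return len(pw) * math.log2(pool) if pool else 0.0


def attacker_bits(pw, wordlist_size=100_000):
    """Bits an attacker must search when guessing the shape rather than the
    characters: one word from a list, a capitalisation bit, the digit
    suffix and one symbol. Other shapes fall back to naive_bits."""
    m = MINIMAL_EFFORT_SHAPE.match(pw)
    if m is None:
        return naive_bits(pw)
    return (
        math.log2(wordlist_size)
        + 1.0  # capitalised or not
        + len(m.group("digits")) * math.log2(10)
        + math.log2(len(SPECIALS))
    )


if __name__ == "__main__":
    # Constructed samples: the post's own example shape and a random one.
    for pw in ("Shirishag75;", "x9!Qm2#vLp7$"):
        print(pw, meets_policy(pw), is_minimal_effort(pw),
              round(naive_bits(pw), 1), round(attacker_bits(pw), 1))
```

Both samples pass the rule, but the first collapses from roughly 79 credited bits to under 30 once the attacker guesses the shape, which is the gap the post is describing; a policy that counts classes does not measure what an attacker actually has to search.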

When it came to Debian, I shared the short history of free software, the four principles, Redhat and the inspiration for Debian, and the number of software packages and hardware architectures we support. While I did share about the debian-security team and the debian-security tools, I didn't share anything about Debian Hardening, as I knew we have a long way to go. Historically, we have taken a lot from the BSD world as well as shared back.

There was also the whole systemd debate and, for a change, I decided to be the devil's advocate. I knew the multitude of reasons why we had to use it instead of the aging SystemV. From what I could remember, we had become de-facto upstream of SystemV, which was taking developer resources and not giving enough return. I remember meeting Lennart Poettering when he came to Pune in 2013/14 for Fudcon or some other Fedora event, and I had been reading lots of flame-wars in 2013, 2014 over systemd, some of which still cause heartburn today.

One of the arguments which to my mind is a strawman argument is that when systemd doesn't start, the whole system collapses. This is a strawman to my mind, as all things will fail eventually, for any number of reasons. For e.g. grub may fail, filesystems may fail; the only thing which should probably prevent complete meltdowns is heterogeneous systems, but that probably would be a topic for a different day altogether.

I do have machines running on systemd and SystemV and find the ones on systemd to be a tad bit more responsive. At some point, if I am able to get a new machine, I probably will try OpenRC too, as that's now in Debian as well.

All in all, it was much more of an enriching experience, as I was able to share some things while also learning a bit about topics I had no idea about, like compliance.

Before sharing about Debian, there was inspiring coverage of 2 women who tried to enter Sabarimala and the travails they shared. What is and was interesting is that they were aware of the risks they were taking and still they went for it. There is also a semi-fictional movie called Soni. I say semi-fictional because the way it has been shot and shown seems real. While there isn't enough data yet, it still tends to suggest that we have a long way to go, either as part of gender-justice or even better law governance. So with the above as inspiration, let's see what's been happening in Debian.


Debian has been in a bit of drama over the last couple of months. If I were to describe Debian as an organization, the mental picture I would have of it as of today would be of a town hall. It has bureaucracy, with the current organizational structure. From the current drama, one question which came to my mind is why we have 3 DAMs for, say, around 35-50 odd AMs. If nothing else, it seems quite a bit of strain on the workload of the DAMs vis-a-vis the number of AMs. Of course, it's hard to gauge the amount of work the DAMs may be going through, as there aren't any statistics which tell the number of hours they have to work, in addition to whatever day-jobs they hold. AFAIK, apart from the special privilege of admitting a new member, refusing membership and revoking membership of an existing member, they perhaps make reports and documentation which probably is shared with the Debian Leader.

Before starting with the drama at Debian, I would like to share an interesting article/blog post which was shared by a free software friend. I found it interesting because FSF for a long time had positioned itself as a vanguard of free software. As with most free software activists, I have no clue as to what to feel. I do feel shocked and more than a tad disappointed with the way things have moved. For those who are or might be new to the world of free software, 'FSF' was always cherished as 'the unreasonable people'. Unreasonable in the sense that they would uphold free software values. They would look to uphold small businesses and user freedoms. They were the reason 'open source' was born, which is and was born with the idea of supporting 'big business'. Now if FSF starts supporting Microsoft or any other big company, how are they different from 'open source' or 'OSI'?

Now coming to the drama, I first came to know about it from a mail at debian-dug-in which led me to a provocatively titled mail message called 'bits from the censorship team'; the trail led me to a humongous thread on debian-project, one of which seeks to explain the 'crisis' in Debian. While I don't know the reasons, whatever interactions I have had with Daniel Pocock, both via blog posts and emails, have been thoroughly professional. While I stand (sadly) by the reasons I had that day and today, he has been a complete gentleman as far as I'm concerned. While I have probably had less than 50 odd interactions via mail, I did find him to be respectful in all his replies. The same can be said of Norbert, with whom I had a chance to interact a bit more, as I use some of the TeX packages which IIRC were/are his baby. Whenever I did put up a bug report or something, he did reach out and fixed those bugs in a timely fashion, which is what attracted me to Debian in the first place. The third gentleman I have no idea about, hence wouldn't know. I have to point out though that if you just read those two mails then they may result in a biased viewpoint. I would request people to read through the whole thread. There are many balanced voices which make Debian a vibrant community.

What did hurt, though, was when I came to know about concerns being raised about Praveen's contributions. While I could understand Rhonda's concerns, I do wish she had framed them in a much better way. Most DDs and even DMs abandon packages when they are not working on them or they are retiring. If Praveen felt like that, he would do it that way only. I didn't see any reason to expect any different way from him.

FWIW I have known the gentleman (Praveen) for almost a decade and more. He is and has been generous to a fault and has been a prime motivator for almost all the Debian-related activity, especially events which happen in India. Even last week, he was in Orissa, which is known as a backward state due to a number of reasons, one major reason being that it is perennially flooded every couple of years or so. So even in a state where the basics are lacking for many, he is there sharing and enhancing digital literacy. Even here, Praveen was able to put out a call and now he has quite a number of people who are willing to contribute and take over in case he needs to step aside. Remember this is in a country which has no form of pension or Universal Coverage like most western countries do. While I wanted to share some of his talks listed without his phone number, for some reason gimp is not co-operating today 😦


Lastly, brexit seems to be like a slow train which you know is going to crash. Whenever I see any news about brexit, I am reminded of the incident in the Kuwaiti Bazaar where a gentleman from Pakistan was unable to buy dates because he had UK pounds while Euros were ok. This was 2 years back. Incidentally, today on twitter, a gentleman went through all the laws that Europe imposed on the UK, and all the laws seem sane. In fact, I remember on agriculture that Indian farmers and businesses wanted to sell some Indian-grown fruits and England denied them, saying they had carcinogens, pesticides and what not, and then they turn around and say no when Europe wants the same standards for everybody.


Online Ranters and How to Defeat Them [Diesel Sweeties webcomic by rstevens]


Tonight’s comic is about one of the few joys left on Twitter.

Girl Genius for Wednesday, January 23, 2019 [Girl Genius]

The Girl Genius comic for Wednesday, January 23, 2019 has been posted.


Link [Scripting News]

Poll: Would you be willing to picket a nearby airport in support of government workers who aren't being paid?


Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy [Krebs on Security]

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy, the world's largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy, a Scottsdale, Ariz.-based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.


In August 2016, security researcher Matthew Bryant wrote about spammers exploiting a security vulnerability to hijack some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site by its name thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names into numeric Internet addresses that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”


For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. The domain in question was registered via GoDaddy in 2013 and is currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same two DNS servers handed out to the Mozilla domain. After that, the attackers simply claim ownership over the domain, and tell GoDaddy to route all traffic for that domain to an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of the domain in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”


Guilmette has dubbed the criminals responsible as “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.

In the case of Mozilla’s domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy was changed to 194.58.58[.]70, a server in the Russian Federation owned by a hosting company there.

The record above, indexed by Farsight Security, shows that the Internet address for the domain was changed to an ISP in Russia on Dec. 13, 2018, the same day spammers used this domain and thousands of others for a mass emailed bomb threat.

In fact, Guilmette found that at least 3,500 of the commandeered domains traced back to that same Russian hosting company and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet addresses is available here.

Guilmette’s sleuthing on the 4,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who registered domains at GoDaddy, including but not limited to:

Abbott Laboratories; Autodesk; Capital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton International; ING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Oath, Inc (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; US Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.

In an interview with KrebsOnSecurity, Bryant said the domain hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.

“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”


Guilmette said managed DNS providers can add an extra layer of validation to DNS change requests, checking to see if a given domain already has DNS servers assigned to the domain before processing the request. Providers could nullify the threat by simply choosing a different pair of DNS servers to assign to the request. The same validation process would work similarly at other managed DNS providers.

“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull off this hack. All GoDaddy has to do is see if this particularly odd set of circumstances applies in each request.”
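The provider-side check Guilmette describes, and the owner-side audit Mozilla's situation calls for, as an added simulation (not GoDaddy's code, and not from the article): the nameserver pool, the stand-in for public DNS and the domain names are all constructed, hypothetical data.

```python
"""Simulation of a managed-DNS provider's "add domain" flow.

Constructed example: the nameserver pool, the public-DNS stand-in and the
domain names below are hypothetical and exist only to show (a) why handing a
fresh account the same nameserver pair a dormant domain already delegates to
makes that account authoritative for the domain, (b) the fix of never assigning
the pair that is already live in public DNS, and (c) an owner-side audit that
lists delegations pointing at the provider without a matching hosted zone.
"""
import itertools

# Constructed pool of provider nameserver pairs (hypothetical hostnames).
NS_POOL = [
    ("ns01.dns.example", "ns02.dns.example"),
    ("ns03.dns.example", "ns04.dns.example"),
    ("ns05.dns.example", "ns06.dns.example"),
]
POOL_HOSTS = {host for pair in NS_POOL for host in pair}

# Constructed stand-in for the public DNS: what the parent zone's NS records say.
PUBLIC_DELEGATION = {
    "dormant-brand.example": ("ns01.dns.example", "ns02.dns.example"),  # old, unused
    "active-brand.example": ("ns03.dns.example", "ns04.dns.example"),   # in use
    "newbiz.example": None,  # not delegated anywhere yet
}


def public_ns(domain):
    """Stand-in for an NS lookup against the public DNS (constructed data)."""
    return PUBLIC_DELEGATION.get(domain)


class Provider:
    """A managed-DNS provider that hands out nameserver pairs round-robin."""

    def __init__(self):
        self.zones = {}  # domain -> {"account": str, "ns": (str, str)}
        self._next_pair = itertools.cycle(NS_POOL)

    def is_live(self, domain):
        """The hosted zone answers for the real domain only if the public
        delegation points at exactly the pair the provider assigned."""
        zone = self.zones.get(domain)
        return zone is not None and public_ns(domain) == zone["ns"]

    def add_domain_unchecked(self, account, domain):
        """Pre-fix behaviour: any account may add any name, no ownership check."""
        zone = {"account": account, "ns": next(self._next_pair)}
        self.zones[domain] = zone
        return zone

    def add_domain_checked(self, account, domain):
        """Guilmette's mitigation: if the name already delegates to one of this
        provider's pairs, assign the requester any pair except that one, so the
        new zone cannot go live until the real owner changes the delegation."""
        existing = public_ns(domain)
        pair = next(self._next_pair)
        while existing is not None and set(pair) == set(existing):
            pair = next(self._next_pair)  # NS_POOL has >1 pairs, so this ends
        zone = {"account": account, "ns": pair}
        self.zones[domain] = zone
        return zone


def exposure(domain, checked, attempts=len(NS_POOL)):
    """Provider self-test: can a fresh, non-owning account end up authoritative
    for `domain` by re-adding it until the assigned pair collides?"""
    provider = Provider()
    add = provider.add_domain_checked if checked else provider.add_domain_unchecked
    for n in range(attempts):
        add(f"stranger-{n}", domain)
        if provider.is_live(domain):
            return True
    return False


def dangling_delegations(provider, account, owned_domains):
    """Owner-side audit: names whose public NS records point at the provider's
    pool but which have no zone under the owner's own account."""
    dangling = []
    for domain in owned_domains:
        ns = public_ns(domain)
        zone = provider.zones.get(domain)
        if ns and set(ns) <= POOL_HOSTS and (zone is None or zone["account"] != account):
            dangling.append(domain)
    return dangling


if __name__ == "__main__":
    print("unchecked, dormant domain hijackable:", exposure("dormant-brand.example", checked=False))
    print("checked, dormant domain hijackable:  ", exposure("dormant-brand.example", checked=True))
    p = Provider()
    p.zones["active-brand.example"] = {"account": "brand-corp", "ns": NS_POOL[1]}
    print("dangling for brand-corp:", dangling_delegations(p, "brand-corp", list(PUBLIC_DELEGATION)))
```

The audit function is the check a domain owner would run over its whole portfolio: any name it reports is delegated to the provider yet backed by no zone of the owner's, which is exactly the state Mozilla's statement describes.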

Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness among hosting providers and registrars, and many providers simply aren’t convinced of the need to add this extra precaution.

“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”

Update, 10:38 p.m.: An earlier version of this story stated that Guilmette had identified more than 5,000 domains associated with the Spammy Bear campaigns. The true number is closer to 4,000. The discrepancy was my mistake and due to a formatting error in a spreadsheet.


Modifying Microsoft Flight Simulator 4 to run on three immersive monitors [OSnews]

How I modified DOSBox and the original Microsoft Flight Simulator 4 from 1989 to run on my immersive multi-display flight simulator set up. If that simple one-sentence introduction doesn’t get you to read this article from June 2017, nothing will.

Android Q will include more ways for carriers to SIM lock your phone [OSnews]

Over the weekend, four commits were posted to various parts of Android’s Gerrit source code management, all entitled “Carrier restriction enhancements for Android Q.” In them, we see that network carriers will have more fine-grained control over which networks devices will and will not work on. More specifically, it will be possible to designate a list of “allowed” and “excluded” carriers, essentially a whitelist and a blacklist of what will and won’t work on a particular phone. This can be done with a fine-grained detail to even allow blocking virtual carrier networks that run on the same towers as your main carrier. I’m sure carriers won’t abuse this functionality at all.

Gear S3 gets Tizen 4 update with a host of new features [OSnews]

Samsung is pushing out a big update to the Gear S3 which introduces a host of new features to the smartwatch. It carries the firmware version R760XXU2DSA1 and also bumps the device to Tizen version The update is currently available in the US, with a wider roll out expected in the coming days. An update like this would normally barely even register on my radar, but the fact of the matter is that Samsung’s smartwatches are one of the very few sets of devices running Tizen – along with Samsung smart TVs.

Google is fined $57 million under Europe’s data privacy law [OSnews]

In the first major example, the French data protection authority announced Monday that it had fined Google 50 million euros, or about $57 million, for not properly disclosing to users how data is collected across its services — including its search engine, Google Maps and YouTube — to present personalized advertisements. The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data. Facebook is also a subject of several investigations by the data protection authorities in Europe. Peanuts for a company like Google, but still – the GDPR at work here.

Savage Love [The Stranger, Seattle's Only Newspaper: Savage Love]

Her husband loves furry porn more than sex with her. by Dan Savage

I'm an early-30s hetero woman in a monogamous relationship with my mid-30s hetero guy. We've been together 10 years, married seven, no kids. We have a lot of fun—traveling, shared hobbies, mutual friends, etc. We have sex fairly regularly, and it's not bad. However, his primary sexual fetish and main turn-on is furry porn—namely, cartoon images. He doesn't self-identify as a furry; he doesn't have a fursuit or fursona. To his credit, he was up front about this with me once we started getting serious. However, I think at that younger age, I conflated the emotional openness and acceptance of his sexuality with actually being satisfied with the sexual component of our relationship. He seems only marginally attracted to me, and it bums me out that his more intense sexual drives are funneled into furry porn. I feel somewhat helpless, as his fetish doesn't allow me to meet him halfway. Real-life furry action (fursuits and the like) does not interest him (I've offered). We have sex regularly, but I always initiate, and his enthusiasm is middling until we get going, at which point I think we both enjoy ourselves. But I've found that this turns into a negative feedback loop, where his lack of initial interest leads to me being less attracted to him, and so on. I consider myself a fairly sexual person and I get a lot of pleasure out of being desired. We're talking about starting a family, and I'm scared that the pressures that come with parenthood would only make this worse.

Fretting Under Relationship Shortcomings

Nothing I write is going to fix this—and nothing I write is going to fix him, FURS, not that your husband is broken. He is who he is, and he had the decency to let you know who he was before you married him. But nothing I write is going to put you at the center of your husband's erotic inner life. Nothing I write is going to inspire him to initiate more (or at all) or cause him to be more enthusiastic about sex. Nothing I write is going to make your husband want you the way you want to be wanted, desire you the way you want to be desired, and fuck you the way you want to be fucked.

So the question you need to ask yourself before you make babies with this man—the question I would have urged you to ask yourself before you married this man—is whether you can live without the pleasure you get from being desired. Is that the price of admission you're willing to pay to be with this man? Maybe it once was, but is it still? Because if monogamy is what you want or what he wants or what you both want, FURS, then choosing to be with this man—choosing to be with someone you enjoy spending time with, who's "not bad" at sex, whose most passionate erotic interests direct him away from you—means going without the pleasure of being wanted the way you want to be wanted, desired the way you want to be desired, and fucked the way you want to be fucked.

Your husband was up front with you about his sexuality before you got married. Everyone should be, of course, but so few people are—particularly people who have been made to feel ashamed of their sexuality or their fetishes or both—that we're inclined to heap praise on people who manage to clear what should be a low bar. At the time, you mistook "emotional openness" and your willingness to accept his sexuality for both sexual compatibility and sexual satisfaction. I think you owe it to yourself to be up front with your husband before you have kids. He's getting a good deal here—decent sex with the wife and the freedom to take care of needs his wife can't meet. And you're free to ask for a similar deal—decent sex with your husband and the freedom to take care of needs your husband can't meet.

There's a far greater degree of risk involved in you going outside the relationship to feel desired, of course; you seeing another man or men comes bundled with emotional and physical risks that wanking to furry porn does not. This isn't an apples-to-apples comparison. But if your shared goal as a couple is mutual sexual fulfillment—and that should be every couple's goal—and if you want to avoid becoming so frustrated that you make a conscious decision to end your marriage (or a subconscious decision to sabotage it), FURS, then opening up the relationship needs to be a part of the discussion.

Please discuss cuckolding in all its forms. Also all of the emotional risks and potential sexual rewards.

A Potential Cuckoldress

It would take two years' worth of columns—even more—to discuss cuckolding in all its forms, unpack all the risks, and game out all the potential rewards. Since I can't possibly do that, APC, I'm going to send you to Keys and Anklets, a terrific podcast dedicated to "the cuckold and hotwife lifestyle." The host, Michael C., is engaging, funny, and wise, and his interviews with cuck couples and bulls are incredibly illuminating. If you're considering entering into a cuckold relationship, you'll definitely want to start listening to Keys and Anklets.

I'm a twentysomething woman engaged to a wonderful twentysomething man. I'm the kinky one. I've dabbled in BDSM and definitely have a taste for pain and degradation. My boyfriend, meanwhile, considers himself a feminist and struggles with degrading me. I've been very patient and settled for very vanilla sex for a couple of years now. However, every now and then, he'll joke about peeing on me when we shower together. I'm curious about watersports and would totally give it a try! I've tried to get more information from him on where these jokes are coming from, but he always changes the subject. And recently when I tried to make a joke back, I said the absolute wrong thing: "Okay, R. Kelly, settle down." This was right before we watched Surviving R. Kelly. I'm afraid that joke may have sent any potential watersports play down the toilet. (Pun intended!) Any advice on how to get him to open up next time he makes one of these jokes?

Wants A Totally Exciting Relationship

You might want to reread the first letter in this week's column, WATER, and then dig into the Savage Love archives and check out the thousands of letters I've responded to from people who failed to establish basic sexual compatibility before marrying their partners. Settling down requires some settling for, of course, and everyone winds up paying the price of admission. But sexual compatibility is something you want to establish before the wedding, not after.

At the very least, WATER, don't marry a man to whom you can't make simple observations about sex and ask simple questions about sex. Like this statement/question/statement combo: "You joke about peeing on me, and I want to know if you would actually like to pee on me, because I would like to be peed on." Pissing on you doesn't make him R. Kelly, a man who has been credibly accused of raping underage girls and sexually and emotionally abusing—even imprisoning—adult women. If R. Kelly had raped numerous women and girls in the missionary position, WATER, all the other men out there who enjoy sex in the missionary position don't become rapists by default. Where there is consent—enthusiastic consent—then it, whatever it is (missionary position sex, peeing on a partner), isn't abusive. Sex play involving pain or degradation often requires more detailed conversations about consent, of course, but jokes and hints are a shitty way to negotiate consent for any kind of sex. Always go with unambiguous statements ("I would like to be peed on") and direct questions ("Would you like to pee on me?").

On the Lovecast, a case against Grindr for online harassment:

Follow Dan on Twitter @fakedansavage



Senator Mark Warner's Stop STUPIDITY Act would protect federal employees' pay during shutdowns [Cory Doctorow – Boing Boing]

Senator Mark Warner [D-VA] has introduced the Stop STUPIDITY (Shutdowns Transferring Unnecessary Pain and Inflicting Damage In The Coming Years) Act, which would "keep the government running in the case of a lapse in funding by automatically renewing government funding at the same levels as the previous year," while continuing to leave the legislative branch and the Executive Office of the President unfunded, which "will force Congress and the White House to come to the negotiating table without putting at risk the economy or hurting the American public."

Tuesday, 22 January


One more week of the Humble Double Fine Presents Bundle! This... [Humble Bundle Blog]

One more week of the Humble Double Fine Presents Bundle! 

This bundle includes games like Everything, Gang Beasts, 140, and more! Plus, your purchase supports Extra Life and/or a charity of your choice – so you can pay what you want and pay it forward, too.



01/22/19 [Flipside]

9 days left in the FLIPSIDE KICKSTARTER! In case you missed it, I'm currently raising money for Book 10! You can get a copy of the new book or some of the older books, with a pencil or ink sketch. You can also get a special thank you in the book. And for the first time I am offering an original comic page used to make the comic! I even just added a crazy reward tier where you can get your own Flipside costume made!



New Books and ARCs, 1/22/19 [Whatever]

This week I have two — count them, two! — super sized stacks of new books and ARCs for you, and here is the first of them, filled with reading goodness. What here is calling to you through the computer? Tell us in the comments!


Wandersong now available on PS4!Wandersong, the indie musical... [Humble Bundle Blog]

Wandersong now available on PS4!

Wandersong, the indie musical adventure game from Greg Lobanov, has arrived at PlayStation Store! If you’re a fan of games with heartfelt stories and amazing soundtracks, dance your way over and check this title out.

The Humble Caffeine Bundle! Take a sip of this hot bundle from a... [Humble Bundle Blog]

The Humble Caffeine Bundle! 

Take a sip of this hot bundle from a blend of creators, all brewed up by social broadcasting platform Caffeine! You’ll get This War of Mine, Tyranny, Shadow Tactics: Blades of the Shogun, Treadnauts, and more. It’ll perk your library right up!


MPAA and RIAA Want Site Blocking in New US-UK Trade Deal [TorrentFreak]

US music and movie industry companies helped to get pirate sites blocked in countries all around the globe.

On their home turf, however, pirate sites remain freely accessible.

After the SOPA protests, the blocking issue became a no-go issue in the US. Blocking efforts continued elsewhere though, including in the UK, where hundreds of pirate domains have been blocked.

Slowly but steadily, copyright holders now appear ready to reintroduce the idea of site blocking. In recent filings, Hollywood’s MPAA and the music industry’s RIAA argue that a new US-UK trade agreement is a good opportunity to do so.

The trade deal is required if the UK leaves the EU. To gauge what various stakeholders would like to see in a new agreement, the US Trade Representative (USTR) requested comments from the public.

Responding to this request, the RIAA provides a list of priorities for the negotiations. This includes known talking points such as increasing liability for online platforms, but site-blocking also gets a prominent mention.

In the UK, copyright holders can request site-blocking injunctions fairly easily, and the RIAA would like to see the same in the US.

“Website blocking is a highly-effective form of copyright enforcement in the UK, and in numerous other jurisdictions around the world to combat infringing websites, and is a critical tool in ensuring legitimate trade in digital products and services,” the RIAA writes.

The music group adds that blocking has proven to be very effective in reducing traffic to the affected sites.

“Website blocking has been successful in the United Kingdom with 63 music sites being ordered to be blocked following music right holders’ initiatives. On average this produces a reduction in the use of those sites by UK users by approximately 75 percent.”

The RIAA further highlights the more recent “live” or “dynamic” blocking orders. These currently target pirated football and boxing streams as they are broadcast, and are limited to the duration of a season or event.

The music group is not alone in this request. The Digital Creators Working Group, which includes the Association of American Publishers, News Media Alliance, as well as the RIAA and MPAA, highlighted it as well.

In a separate submission to the USTR, the organizations list “website blocking, including “dynamic” blocking as provided in UK law,” as one of the priorities for a new trade deal.

The MPAA itself also sent in a list of priorities. In a carefully worded statement, which doesn’t mention the word “blocking,” it points out that the UK is ahead of the US in many regards when it comes to anti-piracy enforcement.

“With regard to online enforcement, a U.S.-UK agreement should include disciplines that can effectively address online piracy. In many ways, the UK has more nimbly and effectively responded to digital piracy than the U.S.,” MPAA notes.

The MPAA would like to pick the best elements from US and UK policy and combine them into an even more effective agreement.

“To promote a modernized IP trade framework, MPAA recommends moving to high-level language that reflects the fundamental principles on which the DMCA is based and which identifies key elements of the UK system, including no fault injunctive relief orders, as satisfying the standard. 

“Such an approach would be fully consistent with U.S. law and preserve the high levels of protection in the UK’s enforcement framework,” the MPAA adds. 

While blocking isn’t mentioned specifically, the “no fault injunctive relief orders” the Hollywood group refers to are generally used against ISPs to compel these companies to block pirate sites.

The submissions clearly show that major rightsholder groups are no longer avoiding the blocking issue in the US. This already became apparent a few weeks ago, when music industry outfits brought it up in comments sent to the Intellectual Property Enforcement Coordinator.

RIAA’s full submission is available here (pdf). MPAA’s response can be found here (pdf) and the Digital Creators Working Group’s submission is here (pdf).



Republican Arizona lawmaker revives doomed "porn tax" to fund Trump's doomed border-wall [Cory Doctorow – Boing Boing]

Anti-porn troll Chris Sevier (previously) has built his career by convincing grandstanding Republican state lawmakers to introduce doomed, unconstitutional porn-tax laws that would require in-state ISPs to implement default-on censorship of "adult sites" (or, more specifically, "sites appearing on an arbitrary, unaccountable secret blacklist of allegedly adult material") and then charge $20/subscriber to turn off the filters.

This is unconstitutional and stupid, which makes it perfect for patsy state Republican lawmakers (who are like federal Republican lawmakers, but even stupider and more bigoted and less well-versed in the Constitution) to introduce, grandstand over, raise money on, and then allow to die.

The latest state Republican to field one of these bills is Rep. Gail Griffin [R-Hereford], whose HB2444, AKA the "Human Trafficking and Child Exploitation Prevention Act" will use the porn tax to fund Trump's wall.

Sevier wouldn't admit to Motherboard's Samantha Cole that he was behind this bill, but he did say that states customize his model legislation to suit their needs.

Hereford is the majority whip in the AZ house.

This bill demonstrates, yet again, the power of advocates for various causes to get identical (or very similar) legislation introduced at a state level. All it takes is one or a few lawmakers to introduce the legislation and create new talking points. It’s the same tactic that has been used by groups like the American Legislative Exchange Council and big telecom to pass industry-friendly bills in many states and anti-abortion activists like Americans United for Life to get more than 60 pieces of legislation considered in states around the country.

This latest bill will likely fizzle out in Arizona just like the other, similar porn-blocking bills in the past. But it’s concerning that lawmakers continue to do little research around the legislation they support—especially when the consequences would erode constitutional rights.

Arizona Bill Would Charge Porn Consumers $20 to Fund Trump’s Border Wall [Samantha Cole/Motherboard]


An annotated bibliography of anarchism in science fiction [Cory Doctorow – Boing Boing]

Ben Beck has relaunched his 30+ year-old AnarchySF site, with new contributions from Eden Kupermintz and Yanai Sened; it's billed as "an open-source repository of anarchist or anarchy-adjacent science fiction" and the relaunch incorporates "modern content management frameworks to allow a community to form around the archive and help maintain it." My cursory examination confirms that the site is an excellent resource already, but it could still really use work, especially on non-English sources.

The sad history of Livejournal as a lens for understanding the state of social media today [Cory Doctorow – Boing Boing]

Like Facebook, Livejournal was built in a bright student's dormroom; but unlike Facebook, LJ wasn't built "for nonconsensually rating the fuckability of stolen photos of undergrads," but rather as a community-minded platform for self-expression and connection-forging.

Today, LJ is Russian-owned and Russian-hosted, and while it remains hugely influential in Russia, it is also viewed with great sorrow by its non-Russian exiles, who left, or were forced to leave, by a series of minor and major catastrophes that are a kind of microcosm of the ways that online communities can both excel and fail.

Steven T Wright's potted history of LJ on Ars Technica is a fascinating read on the subject, tracing LJ's history from a nonprofit, volunteer-run project that used borrowed space in a small ISP (literally a closet) to host itself, to a small, struggling business that tried to balance a commitment to its users with the need to keep the lights on, to a division of Six Apart, where the new managers struggled to rebalance that commitment, sometimes getting it wrong and sometimes being needlessly tormented by both trolls and users who refused all change, to the site's sad situation today.

The most interesting part of Wright's history is that difficult balancing act between the commercial needs of the service and the ethos of prioritizing users' comfort. Sometimes, this made the service too timid, and other times it was far too bold. It's important to remember that in this day of giant services that are almost totally unresponsive to users' needs (from Facebook to Tumblr), there's also nothing about "listening to users" that automatically guarantees that you'll produce something they like (or that you can financially sustain).

Multiple subjects point to a particular kerfuffle as an example of LiveJournal’s rowdy userbase in action: a 2006 controversy over bare breasts in user icons that the employees dubbed their “Nipplegate.” According to Paolucci, it all started when a trollish user set their default user icon to a picture of The Golden Girls’ Bea Arthur photoshopped on the head of a naked woman. Since your default icon was used in search indexing, the site-wide policy disallowed nudity on it, though it was fine elsewhere. The team asked the user to remove it—but instead of complying, the user decided to start reporting any nudity he saw on fellow user icons, many of which belonged to a pro-breastfeeding group that liked to exhibit their children breastfeeding as part of their icons. The LiveJournal team recognized this behavior as malicious reporting, but they felt handcuffed by their own rules. Soon, the breastfeeding groups were asked to remove their icons as well, resulting in a national PR nightmare for Six Apart. At least one major activist group protested outside their offices.

Hassan says it was a shock for the employees of Six Apart, especially those who weren’t devoted LJ users. “It was in our weekly company meetings, and we’re reporting on this new policy, and whether or not you can show the areola,” he says. “The rest of the company had not engaged with this. They were used to selling to businesses, not dealing with the chaos that a direct userbase can bring...Today, on Facebook or Twitter, everything is a form response, or an auto-response. But early on, we set the expectation that if you wrote in to us, you would get a personalized response. We should’ve been more severe. We didn’t have that level of nuance in our policy. It was like, are breasts OK? No, then, done. We should’ve taken more of a stance on what ‘sexualized’ meant, and moved in the direction of community standards, like what [image sharing site] Flickr had, rather than freedom of speech.”

Hassan’s response echoes a common refrain of these one-time LiveJournal employees: the inertia of user expectations could become almost impossible to overcome. For instance, soon after Six Apart bought the company, a conveyor belt of project managers were brought on to try to harness the chaos of the company into something more profitable. These new analysts took aim at the site’s freemium model, only to be stymied by the weight of past promises. “We were always saying that we were fighting for the users, that we would run everything by the community before we did anything,” says Mark Smith, a software engineer who worked on LiveJournal and became the co-creator of Dreamwidth. “Well, as it turns out, when you do that, you end up with the community telling you that they want everything to stay the same, forever. We had promised to never include ads on the site, and all of a sudden we have our new management telling us, ‘The site needs ads, the site needs ads.’ It was an impossible situation.”

“The Linux of social media”—How LiveJournal pioneered (then lost) blogging [Steven T. Wright/Ars Technica]


First Pass Oscar Predictions, 2019 [Whatever]

Most of you know I was a professional film critic waaaay back in the day, and one of my hobbies every year is to look at the Academy Award nomination list when it comes out and guess, based on my experience, which people/films will walk away the awards. My prediction rate: Pretty decent! Usually I get five of the six main categories (Best Picture, Director, and the lead and supporting acting categories).

This year, before I begin, I’ll note: Kind of a weird year, nomination-wise. There are some heavily expected films/filmmakers in there, but also a bunch who… really weren’t? At least, they were a surprise to me. And there were some surprise omissions as well. All of which makes this a pretty damn interesting year for the Oscars, and for guessing who will win.

So let’s check out this year’s list and see how it goes.


Black Panther
Bohemian Rhapsody
The Favourite
Green Book
A Star Is Born

Eight nominations this year out of a possible ten, and an interesting spread. For years my usual advice would be to toss out of consideration any film that doesn’t also have a Best Director nod — which this year would punt Black Panther, Bohemian Rhapsody, Green Book and A Star is Born — but this year I wouldn’t do that.

Two of these films, however, I think we can take out of contention immediately: Black Panther and Bohemian Rhapsody are the first off the boat. Black Panther gets a deserved nod in the category, but its other six nominations are in (sorry) undercard categories: No directing, acting or screenwriting nods here. Plus it’s a superhero film. It took the Academy until 2003 to honor a fantasy film, and it took another fifteen years after that to honor a science fiction film. It is correctly nominated in the category, but I don’t think the Academy can bring itself to give the nod to a superhero film (here; more on this later). Bohemian Rhapsody, on the other hand, has a Bryan Singer problem, as the director is in bad odor at the moment for being an alleged sexual harasser and predator, and also for being fired off the film essentially for being a flake. Rhapsody winning would be an embarrassment; these aren’t the Golden Globes, after all. People would actually care.

After that? It gets tricky! Honestly I feel like there are good arguments for each after this point. But let me rank them anyway. I don’t think The Favourite is actually the favorite, but 10 nominations, including director, screenplay and its domination of the actress categories, really can’t be overlooked. It could pull off a surprise. Likewise, BlacKkKlansman isn’t one I see making the final cut, mostly for subject reasons (it’s not usual winner fare), but it was well-regarded and it represents a comeback for Spike Lee, who, honorary awards aside, is fucking owed a competitive Oscar if you ask me. No one can say BlacKkKlansman isn’t of sufficient quality for a win. It could win.

Green Book is next out for me. It did well at the Golden Globes, but its awards season PR campaign has been a bit of a nightmare, what with its primary white actor tossing about the unexpurgated N-word in interviews, its screenwriter having to apologize for bigoted tweets and its director having to apologize for (checks notes) flashing his dick on previous movie sets. So all of that is a thing. Plus, you know, that whole “Driving Miss Daisy 2.0” issue, which maybe isn’t 100% fair, but when you have a Best Picture field that also includes Black Panther and BlacKkKlansman, it’s not hard to see which film in the field is targeted at white folks who want to feel good about how far we’ve all come. And, well. Here in 2019 and in the thick of the Trump Years, “how far we’ve all come” is well up for debate, isn’t it. Which brings us to Vice, which, whatever its other qualities, is a film about Dick Cheney, so, uh, yeah. Maybe I’m overestimating liberal filmmaking’s visceral disgust of the former vice president, but I don’t see it making it first past the post out there in the Hollywoods.

So we’re down to A Star is Born and Roma. For me the big surprise of the Oscars is Bradley Cooper’s omission in the Best Director category (don’t feel too bad for him, he’s nominated in three other categories), and I think that’s indicative of how much the heat behind this seeming-juggernaut of the awards season has cooled. But cooled or not, I still think it’s one of the two films that has the best chance, especially if the actors branch of the Academy is scandalized that one of their own was not honored as director and seeks retribution/compensation (See: Argo). Beyond this the story is classic Hollywood, frequently told but as it happens rarely honored with awards, so maybe this time is the charm.

But then there’s Roma, which is brilliant and distinctive and classy and everything the Academy loves to see in a Best Picture winner, has a great production story to boot, and is from a director who everyone loves (who also shot and wrote the film and is nominated in those categories). It’s the closest thing this year to the front runner, buuuuuuuut there are two wrinkles: It’s also nominated for Best Foreign Language Film and it’s from Netflix. It’s fair to say the Academy hasn’t quite figured out what it thinks about, or wants from, that streaming service, and maybe there’s some residual animosity/whatever there (Disclosure: I have deals with Netflix for things in development/production. I like Netflix, personally. They give me money!).

The A Star is Born-winning scenario is Roma winning the Foreign Language award and Alfonso Cuarón winning Best Director (and/or screenplay or cinematography), leaving the field open for Bradley Cooper’s film. It seems unlikely the Academy will vote for Roma for Foreign Language and Best Picture. So who the Foreign Language winner is will be your first big clue of how the evening will go.

If you put a gun to my head about it, I’d say Best Picture will go to A Star is Born, because, aside from everything else, it wouldn’t hurt the Academy these days to honor as Best Picture a film that made more than $100 million at the domestic box office (the last one to do that: Argo, six years ago). The Academy members know their organization is reeling from PR issues and could use a hit, in more ways than one. But Roma could very definitely take it, and possibly should. If neither of them do it, who knows? The only thing I do know is that if Green Book takes it, black Twitter is going to be lit for the next week afterward.

Will Win: A Star is Born
Should Win: Roma 


Spike Lee, BlacKkKlansman
Pawel Pawlikowski, Cold War
Yorgos Lanthimos, The Favourite
Alfonso Cuarón, Roma
Adam McKay, Vice

Congratulations to Pawlikowski for (probably) punting Bradley Cooper out of the fifth Best Director slot and for raising his profile considerably. He won’t win here, but if Cold War wins in Foreign Language (which it probably will, if Roma does not), he’ll still get his moment and it will probably be good news for Roma, too. So everyone wins (except, uh, A Star is Born). I’m pretty sure Lanthimos and McKay are along for the ride here, although of the two I think Lanthimos has an outside chance, and we should all watch the next few weeks to see if The Favourite’s star rises generally. I think Spike Lee has a reasonable chance although again this might just be me projecting my come on for fuck’s sake it’s Spike Lee feelings here. For all that I’ll be mildly shocked if Cuarón doesn’t walk with this one. This is as close to a gimme as this year is giving us.

Will Win: Cuarón
Should Win: Cuarón


Yalitza Aparicio, Roma
Glenn Close, The Wife
Olivia Colman, The Favourite
Lady Gaga, A Star Is Born
Melissa McCarthy, Can You Ever Forgive Me?

Probably the most competitive category because there are good arguments for everyone here: McCarthy is stretching herself as an actor and the Academy loves that; Aparicio is literally coming out of nowhere (from the Hollywood point of view) and that’s a deeply attractive thing for voters; Colman is an actor’s actor and I suspect has a lot of admirers in the acting branch and beyond; and Lady Gaga is Lady Gaga and she basically carries A Star is Born on her surprisingly naturalistic shoulders.

In any other year, I’d put chips on Gaga and Colman, but here’s the thing: This is Glenn Close’s seventh Oscar nomination, and if anyone deserves the “career award” path to an acting Oscar win — in which the Oscar win is less about the particular performance than the recognition that the person should seriously have won by now — it’s Close. Does Close deserve the Actress Oscar for The Wife, against all the other performers in the field this year? Maaaaaaybe? Does she deserve an Oscar? Oh hell yes she does. I suspect the Academy members know it, too.

Will Win: Close
Should Win: Colman


Christian Bale, Vice
Bradley Cooper, A Star Is Born
Willem Dafoe, At Eternity’s Gate
Rami Malek, Bohemian Rhapsody
Viggo Mortensen, Green Book

I think Mortensen is one of our most interesting actors generally and I can watch him in just about anything, but he certainly hasn’t been helping himself recently on the PR front, and I don’t really see this being the role that nets him an Oscar (I suspect Mortensen, who is quirky, is probably okay not winning, so). Aaaaand I don’t think Actor is the Oscar Vice is going to get, Bale’s method acting aside (he’s already got an Oscar, and he’ll be back, so he’ll be fine). So that leaves Cooper, Dafoe and Malek. Malek’s possible, and in fact I think this is Rhapsody’s best chance at a big award, but Cooper is in a similar(ish) role and his film is generally less problematic. On the other hand, if Star wins Best Picture, Cooper picks up an award there, and Academy members do like to spread awards around these days. But on the other other hand: Willem Dafoe, who like Close is certainly eligible for the “Career Oscar” treatment, and whose performance as Vincent Van Gogh is widely acclaimed. I am personally vaguely annoyed that a 63-year-old actor is playing “the final years” of a man who died at 37, but honestly who cares what I think about that.

This category I’m not sold on any particular person being the front runner, but for now I’ll go with Dafoe and see if it sticks in the next few weeks. If not Dafoe, I’ll say Malek, with Cooper consoling himself(!) with a mere Best Picture statuette.

Will Win: Dafoe
Should Win: Bale


Mahershala Ali, Green Book
Adam Driver, BlacKkKlansman
Sam Elliott, A Star Is Born
Richard E. Grant, Can You Ever Forgive Me?
Sam Rockwell, Vice

Ali and Rockwell have won Oscars within the last couple of years and I don’t think there is a huge belief among Academy members that they absolutely must have another one right now, so I’m going to go ahead and drop them out of consideration. Adam Driver I think is happy to be here! Good for him, I think we’ll see him in this category again at least a couple more times in the future. I don’t think it’s his year (although if it is, that’s gonna be a good sign for Spike Lee). I’m delighted to see Grant in the category as I’ve been a fan of his since How to Get Ahead in Advertising, and I think there is a pretty good chance he’ll get the nod. But at the end of the day I think it’s Sam Elliott’s to lose, and I will be surprised if he does.

Will Win: Elliott
Should Win: Elliott


Amy Adams, Vice
Marina de Tavira, Roma
Regina King, If Beale Street Could Talk
Emma Stone, The Favourite
Rachel Weisz, The Favourite

Stone and Weisz already have Oscars and again there’s not a huge rush to give either another. And after that, who knows? Any of the other three could take it. My money is on Adams, who is a multiple nominee, is edging into “she should have an Oscar at some point so why not now” territory, and whose Oscar win would take care of Vice’s Oscar recognition generally. But King and de Tavira should not be counted out, particularly King, who already won a Golden Globe for this role, and otherwise has recently won an Emmy. So: We’ll see!

Will Win: Adams
Should Win: King

Other Awards: I’ve already talked about Foreign Language — if Roma wins, it’s likely to be A Star Is Born’s night; if not, then Roma is still in the running for Best Picture. If Lady Gaga doesn’t get Actress, she will be able to content herself with an Original Song Oscar, as “Shallow,” which she co-wrote, is a prohibitive favorite in the category. In the screenplay categories, I’m feeling The Favourite and also maaaaaaybe BlacKkKlansman, the latter being a place where Academy members have a chance to give Spike Lee his competitive Oscar (but I’m very soft on that prediction). If you’re wondering where Black Panther has a shot, see Costume and Production Design, with (I think) Costume being the best chance (It’s also up in the Sound categories, but I don’t have a feel for those).

I do think a superhero film will win an Oscar: Spider-Man: Into the Spider-Verse is I think the hot tip for the Animated Film Oscar. Incredibles 2 might still take it (which would not be the worst thing, it’s perfectly good!), and I have to say I have a soft spot for Ralph Breaks the Internet, because my pal Pamela Ribon co-wrote the screenplay, and it’s hilarious. But, yeah. Spider-Man was a game-changer, and if it doesn’t win, it was robbed.

I’ll check in again just before the actual ceremony to see if my feelings about the categories have changed at all. In the meantime, you may now entertain your own Oscar thoughts in the comments.


Matt Taibbi on Alexandria Ocasio-Cortez vs the US political establishment [Cory Doctorow – Boing Boing]

Matt Taibbi (previously) is in characteristically fine form here: the average Congressjerk is mythologized as a "brilliant 4-D chess player" but "would lose at checkers to a zoo gorilla": they are only in office because "someone with money sent them there, often to vote yes on a key appropriation bill or two. On the other 364 days of the year, their job is to shut their yaps and approximate gravitas anytime they’re in range of C-SPAN cameras."

Meanwhile AOC "won in spite of the party and big donors, not because of them" and while "that doesn’t make anything she says inherently more or less correct" it does give her a different job from the average Congress-sponge: her backers sent her there to make noise, not to keep her mouth shut.

This is why the "thinkfluencers," and other establishment figures are so bent on giving her unsought advice to shut up and decide whether "to be an effective legislator or just continue being a Twitter star."

The shut-up-and-play-nice camp likes to draw comparisons between AOC and Trump, on the grounds that their grassroots followings let them escape the gravity of their party's machines and the power-brokers that stoke them, but the real comparison is that both were elected by people who were rejecting DC establishment politics (which has refused to bring forward insanely popular policies).

That means that, as with Trump, every time a despicable establishment figure denounces AOC, it increases her influence and power (possibly the nicest thing you could say about Trump is that he is hated by the looter Mitt Romney and the war criminal George Bush, and every time either one of those weasels talks Trump down, I'm tempted to reconsider my strict I-wouldn't-piss-on-him-if-he-was-on-fire policy).

The Lieberman example is the most amazing. Here’s a person who was explicitly rejected by his own party in 2006 and had to run as an Independent against the Democratic nominee to keep his seat. Yet he somehow still has the stones to opine that if Ocasio-Cortez is the “new face” of the Democrats, the party does not have a “bright future.”

How many Democrats, do you think, heard that and immediately thought the opposite – that if Joe Lieberman disapproves, Ocasio-Cortez must be on the right track? Sixty percent? Seventy?

I have no idea if Ocasio-Cortez will or will not end up being a great politician. But it’s abundantly clear that her mere presence is unmasking many, if not most, of the worst and most tired Shibboleths of the capital.

Moreover, she’s laying bare the long-concealed fact that many of their core policies are wildly unpopular, and would be overturned in a heartbeat if we could somehow put them all to direct national referendum.

Alexandria Ocasio-Cortez, Crusher of Sacred Cows [Matt Taibbi/Rolling Stone]


Petter Reinholdtsen: Debian now got everything you need to program Micro:bit [Planet Debian]

I am amazed and very pleased to discover that since a few days ago, everything you need to program the BBC micro:bit is available from the Debian archive. All this is thanks to the hard work of Nick Morrott and the Debian python packaging team. The micro:bit project recommends the mu-editor to program the microcomputer, as this editor will take care of all the machinery required to inject/flash micropython alongside the program into the micro:bit, as long as the pieces are available.

There are three main pieces involved. The first to enter Debian was python-uflash, which was accepted into the archive 2019-01-12. The next one was mu-editor, which showed up 2019-01-13. The final and hardest part to get into the archive was firmware-microbit-micropython, which needed to get its build system and dependencies into Debian before it was accepted 2019-01-20. The last one is already in Debian Unstable and should enter Debian Testing / Buster in three days. This all allows any user of the micro:bit to get going by simply running 'apt install mu-editor' when using Testing or Unstable, and once Buster is released as stable, all the users of Debian stable will be catered for.

As a minor final touch, I added rules to the isenkram package for recognizing the micro:bit and recommending the mu-editor package. This makes sure any user of the isenkram desktop daemon will get a popup suggesting to install mu-editor when the USB cable from the micro:bit is inserted for the first time.

This should make it easier to have fun.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.


Teen Vogue explainer: what are "resistance, rebellion, and revolution?" [Cory Doctorow – Boing Boing]

Teen Vogue continues its excellent tradition of radical reporting with Lucy Diavolo's explainer on the definitions and relative merits and demerits of "resistance," "rebellion" and "revolution."

Diavolo cites George Ciccariello-Maher (visiting scholar at the Hemispheric Institute of Performance and Politics) and Keeanga-Yamhatta Taylor (African-American Studies professor at Princeton University).

Resistance: "Something that we do or can do every day, that we can do in a multiplicity of ways...not babbling about Russian interference on MSNBC every single day of the f*cking week." (George Ciccariello-Maher)

Rebellion: "A more explosive, momentary instance, in which resistance takes a more concrete, combative form in the streets, in popular protests — crucially, I think historically, in riots, whether it's Ferguson and Baltimore or the many riots that have put into motion political transformation historically...The moments that really crystallize something that needs to be changed, and transform consciences of millions of people in a relatively quick period of time," (George Ciccariello-Maher)

Revolution: "A wholly different plane [from resistance and rebellion]: When you're talking about revolution, you're talking about the complete and utter transformation of society and the way that it functions. And we haven't witnessed that... I do think it is possible, and we don't have a choice. We don't have forever to try to figure this out" (Keeanga-Yamhatta Taylor)

Resistance, Rebellion, Revolution: What They Are and How They Intersect [Lucy Diavolo/Teen Vogue]

(via Naked Capitalism)



Security updates for Tuesday []

Security updates have been issued by Debian (apt and aria2), Fedora (kernel-headers, kernel-tools, and openssh), openSUSE (webkit2gtk3), Oracle (perl), Red Hat (perl), SUSE (freerdp, python-urllib3, systemd, and wireshark), and Ubuntu (apt, poppler, and tiff).


Michal Čihař: Weblate 3.4 [Planet Debian]

Weblate 3.4 has been released today. The most visible new features are the guided translation component setup and performance improvements, but there are several other improvements as well.

Full list of changes:

  • Added support for XLIFF placeholders.
  • Celery can now utilize multiple task queues.
  • Added support for renaming and moving projects and components.
  • Include character counts in reports.
  • Added guided adding of translation components with automatic detection of translation files.
  • Customizable merge commit messages for Git.
  • Added visual indication of component alerts in navigation.
  • Improved performance of loading translation files.
  • New addon to squash commits prior to push.
  • Improved displaying of translation changes.
  • Changed default merge style to rebase and made that configurable.
  • Better handle private use subtags in language code.
  • Improved performance of fulltext index updates.
  • Extended file upload API to support more parameters.

If you are upgrading from an older version, please follow our upgrading instructions.

You can find more information about Weblate on, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. Weblate is also being used on as official translating service for phpMyAdmin, OsmAnd, Turris, FreedomBox, Weblate itself and many other projects.

Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.

Further development of Weblate would not be possible without people providing donations; thanks to everybody who has helped so far! The roadmap for the next release is just being prepared; you can influence it by expressing support for individual issues, either by comments or by providing a bounty for them.


The Intel 80386, part 2: Memory addressing modes [The Old New Thing]

All of the memory addressing mode demonstrations will be some form of this instruction:

    MOV     somewhere, 0

which stores a zero somewhere.

In practice, the registers used to calculate effective addresses will be 32-bit registers.¹

All the addressing modes look like

    size PTR [something]

where the size specifies the number of bytes being accessed, and the something specifies which memory you want to access.

If you are simply reading disassembly, then you don't need to know the rules about which combinations of registers are legal for which types of addressing modes. You can assume the compiler generated valid code. From a disassembly point of view, you can treat all addressing modes as

    size PTR [expression]

where size is one of the following:

    BYTE PTR [expression]                   ; *(int8_t*)(expression)
    WORD PTR [expression]                   ; *(int16_t*)(expression)
    DWORD PTR [expression]                  ; *(int32_t*)(expression)
    QWORD PTR [expression]                  ; *(int64_t*)(expression)
    TWORD PTR [expression]                  ; *(int80_t*)(expression)

Some examples:

    MOV     BYTE PTR ds:[01234567h], 0       ; *(int8_t*)(0x01234567) = 0
    MOV     WORD PTR [eax], 0                ; *(int16_t*)(eax) = 0
    MOV     DWORD PTR [ecx*2+2Ch], 0         ; *(int32_t*)(ecx*2+0x2c) = 0
    MOV     DWORD PTR [eax+ebx*4-12h], 0     ; *(int32_t*)(eax+ebx*4-0x12) = 0

Note that there is a ds: prefix on the first instruction. For some reason, the Windows disassembler doesn't trust itself when performing access to an absolute memory address and prints a superfluous ds: prefix on the instruction. Don't worry about it. For now.

The 80386 permits unaligned memory access, except where noted. Unaligned access may be slower than aligned access, however.

If all you care about is reading disassembly, then that is all you really need to know for now. The rest of today is digging into the various types of expressions you are allowed to put inside the square brackets.

Absolute: The address is a constant.

    MOV     BYTE PTR ds:[01234567h], 0      ; *(int8_t*)(0x01234567) = 0

Register indirect: The address is the value of a register.

    MOV     WORD PTR [eax], 0               ; *(int16_t*)eax = 0

Register indirect with short displacement: The address is the value of a register plus a signed 8-bit immediate.

    MOV     DWORD PTR [eax-7], 0            ; *(int32_t*)(eax-7) = 0

Register indirect with long displacement: The address is the value of a register plus a 32-bit signed immediate.²

    MOV     BYTE PTR [eax+123h], 0         ; *(int8_t*)(eax+0x123) = 0

The remaining memory addressing modes are more complicated.

Register indexed: The address is the sum of the values of two registers.

    MOV     BYTE PTR [eax+ebx], 0           ; *(int8_t*)(eax+ebx) = 0

Register indexed with short displacement: The address is the sum of the values of two registers plus a signed 8-bit immediate.

    MOV     WORD PTR [eax+ebx+12h], 0       ; *(int16_t*)(eax+ebx+0x12) = 0

Register indexed with long displacement: The address is the sum of the values of two registers plus a signed 32-bit immediate.

    MOV     DWORD PTR [eax+ebx+1234h], 0    ; *(int32_t*)(eax+ebx+0x1234) = 0

Register scaled: The address is the value of a register multiplied by 2, 4, or 8.

    MOV     BYTE PTR [eax*2], 0             ; *(int8_t*)(eax*2) = 0

Register scaled with short displacement: The address is the value of a register multiplied by 2, 4, or 8, plus a signed 8-bit immediate.

    MOV     WORD PTR [eax*4+2], 0           ; *(int16_t*)(eax*4+2) = 0

Register scaled with long displacement: The address is the value of a register multiplied by 2, 4, or 8, plus a signed 32-bit immediate.

    MOV     BYTE PTR [eax*4+01234567h], 0   ; *(int8_t*)(eax*4+0x1234567) = 0

Register scaled indexed: The address is the value of a register plus the value of a register multiplied by 2, 4, or 8.

    MOV     WORD PTR [eax+ebx*2], 0         ; *(int16_t*)(eax+ebx*2) = 0

Register scaled indexed with short displacement: The address is the value of a register, plus the value of a register multiplied by 2, 4, or 8, plus a signed 8-bit immediate.

    MOV     BYTE PTR [eax+ecx*2-8], 0       ; *(int8_t*)(eax+ecx*2-8) = 0

Register scaled indexed with long displacement: The address is the value of a register, plus the value of a register multiplied by 2, 4, or 8, plus a signed 32-bit immediate.

    MOV     DWORD PTR [eax+ecx*2+01234567h], 0 ; *(int32_t*)(eax+ecx*2+0x1234567) = 0

The ebp register cannot be used with register indirect addressing because its encoding pattern is used to indicate that the addressing mode is one of the complicated ones. (These complicated ones use a so-called SIB, or scaled index byte, to help encode the operands.) If you want to perform a register indirect access through ebp, you can get the same effect by using a register indirect with displacement, and specify a displacement of zero.

The Microsoft assembler³ allows you to specify the terms in any order.

    MOV     DWORD PTR [eax+ebx*2+1234h], 0  ; *(int32_t*)(eax+ebx*2+0x1234) = 0
    MOV     DWORD PTR [ebx*2+eax+1234h], 0  ; *(int32_t*)(eax+ebx*2+0x1234) = 0
    MOV     DWORD PTR [1234h+ebx*2+eax], 0  ; *(int32_t*)(eax+ebx*2+0x1234) = 0

It also allows you to move a value out of the brackets, or to have multiple sets of brackets, in which case the values are combined via addition.

    ; assume "array" is a global variable

    MOV     DWORD PTR array[ebx*2], 0       ; *(int32_t*)(array+ebx*2) = 0
    MOV     DWORD PTR array[4], 0           ; *(int32_t*)(array+4) = 0
    MOV     DWORD PTR [ebx*2][eax][4], 0    ; *(int32_t*)(eax+ebx*2+4) = 0
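To make the rules above concrete, here is an added Python example (not code from the original post or from Microsoft): a small parser that takes a MASM-style memory operand as it appears in a disassembly, folds terms outside the brackets and multiple bracket groups into one sum, normalises the term order, classifies the result using the addressing-mode names listed above (an explicit `+0` still counts as a displacement, which is how the ebp case is encoded), folds the displacement into a signed 32-bit value the way the disassembler displays it, and renders the `*(int32_t*)(...)` form used in the comments. The function names, the `EffectiveAddress` type, the `symbols` table and the address chosen for `array` are all assumptions made for this example.

```python
"""Parse MASM-style 80386 memory operands and classify their addressing mode.
Added example; function names, EffectiveAddress and symbol values are invented."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
C_TYPES = {"BYTE": "int8_t", "WORD": "int16_t", "DWORD": "int32_t", "QWORD": "int64_t"}


@dataclass
class EffectiveAddress:
    size: Optional[str] = None   # BYTE/WORD/DWORD/QWORD, or None if it was inferred
    base: Optional[str] = None   # register added with scale 1
    index: Optional[str] = None  # register multiplied by scale
    scale: int = 1
    disp: int = 0                # signed 32-bit, as the disassembler shows it
    has_disp: bool = False       # an explicit constant term appeared, even if it was 0


def parse_number(tok: str) -> Optional[int]:
    """MASM numbers: a trailing h means hex, and a hex number must start with a digit."""
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*[hH]", tok):
        return int(tok[:-1], 16)
    if re.fullmatch(r"[0-9]+", tok):
        return int(tok)
    return None


def parse_memory_operand(operand: str, symbols: Optional[Dict[str, int]] = None) -> EffectiveAddress:
    """Split e.g. 'DWORD PTR [1234h+ebx*2][eax]' into size, base, index, scale and displacement."""
    symbols = {k.lower(): v for k, v in (symbols or {}).items()}   # global variables -> addresses
    ea, s = EffectiveAddress(), operand.strip()
    m = re.match(r"(BYTE|WORD|DWORD|QWORD)\s+PTR\s+", s, re.I)
    if m:
        ea.size, s = m.group(1).upper(), s[m.end():]
    s = re.sub(r"^(cs|ds|es|fs|gs|ss):", "", s, flags=re.I)   # drop a segment prefix such as ds:
    # MASM allows a term outside the brackets and several bracket groups; all terms are added.
    groups = re.findall(r"\[([^\]]*)\]", s)
    outside = re.sub(r"\[[^\]]*\]", "", s)
    expr = "+".join(t for t in [outside] + groups if t.strip())
    if not expr:
        raise ValueError(f"no memory expression in {operand!r}")
    for sign, term in re.findall(r"([+-]?)\s*([^+-]+)", expr):
        term, negative = term.strip().lower(), sign == "-"
        value = parse_number(term)
        if value is None and term in symbols:
            value = symbols[term]
        if value is not None:                      # constant or global-variable term
            ea.disp += -value if negative else value
            ea.has_disp = True
            continue
        parts = [p.strip() for p in term.split("*")]   # "ebx" or "ebx*4"
        reg = parts[0]
        scale = 1 if len(parts) == 1 else parse_number(parts[1])
        if len(parts) > 2 or reg not in REGS32 or negative or scale not in (1, 2, 4, 8):
            raise ValueError(f"bad term {term!r} in {operand!r}")
        if scale == 1 and ea.base is None:
            ea.base = reg
        elif ea.index is None:
            ea.index, ea.scale = reg, scale
        else:
            raise ValueError(f"more than two registers in {operand!r}")
    # Interpret the 32-bit pattern as signed, so 0FFFFFFF8h reads as -8.
    ea.disp = ((ea.disp + 0x80000000) & 0xFFFFFFFF) - 0x80000000
    return ea


def addressing_mode(ea: EffectiveAddress) -> str:
    """Name the mode using the categories listed above."""
    if ea.base is None and ea.index is None:
        return "absolute"
    if ea.index is None:
        name = "register indirect"
    elif ea.base is None:
        name = "register scaled"
    else:
        name = "register indexed" if ea.scale == 1 else "register scaled indexed"
    if ea.has_disp:   # an explicit +0 still counts: that is how [ebp] has to be encoded
        name += " with short displacement" if -128 <= ea.disp <= 127 else " with long displacement"
    return name


def c_equivalent(operand: str, symbols: Optional[Dict[str, int]] = None, default_size: str = "DWORD") -> str:
    """Render the operand the way the comments above do, e.g. *(int32_t*)(eax+ebx*2+0x1234)."""
    ea = parse_memory_operand(operand, symbols)
    terms = [ea.base] if ea.base else []
    if ea.index:
        terms.append(ea.index if ea.scale == 1 else f"{ea.index}*{ea.scale}")
    if not terms:                                  # absolute: show the raw 32-bit address
        expr = f"0x{ea.disp & 0xFFFFFFFF:x}"
    else:
        expr = "+".join(terms)
        if ea.has_disp:
            expr += ("-" if ea.disp < 0 else "+") + f"0x{abs(ea.disp):x}"
    return f"*({C_TYPES[ea.size or default_size]}*)({expr})"


def effective_address(ea: EffectiveAddress, regs: Dict[str, int]) -> int:
    """Compute the address the CPU forms from the given register values (wraps at 32 bits)."""
    addr = ea.disp + (regs[ea.base] if ea.base else 0)
    if ea.index:
        addr += regs[ea.index] * ea.scale
    return addr & 0xFFFFFFFF
```

A call such as `c_equivalent("DWORD PTR [1234h+ebx*2+eax]")` yields `*(int32_t*)(eax+ebx*2+0x1234)` regardless of the order the terms were written in, and `addressing_mode(parse_memory_operand("[ebp+0]"))` reports a short displacement rather than plain register indirect, matching the encoding caveat above. When the size prefix is absent, the renderer assumes DWORD, which is the inference the assembler makes when the other operand is a 32-bit register.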

You can omit the square brackets if the reference is to a global variable. The assembler assumes you want to access the memory at that address and inserts the brackets automatically.

    ; assume "array" is a global variable

    MOV     DWORD PTR [array], 0            ; *(int32_t*)(array) = 0
    MOV     DWORD PTR array, 0              ; *(int32_t*)(array) = 0

You can also omit the size PTR if the size of the operand can be inferred. For example, most instructions have the rule that the source and destination be the same size. If one of the arguments has an ambiguous size, the assembler may be able to infer its size from the other argument. Examples:

    MOV     [eax+ebx*2], ecx                ; *(int32_t*)(eax+ebx*2) = ecx

    ; assume "array" is a global variable of type DWORD

    MOV     array[eax], 0                   ; *(int32_t*)(array+eax) = 0

In the first example, the assembler infers that you meant DWORD PTR because the other operand is a 32-bit register. In the second example, the assembler infers that you meant DWORD PTR because the array variable is of type DWORD.

There are some instructions that have implied memory address operands; we'll discuss those as they arise.

The debugger does not use any of the above shorthands. It always specifies the memory size explicitly, and it always uses square brackets to indicate a memory access. These two instructions are quite different:

    MOV     DWORD PTR [eax], 0              ; *(int32_t*)eax = 0
    MOV     eax, 0                          ; eax = 0
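
A worked illustration of the shorthand rules above, added here and not code from the original article: a small parser that accepts the MASM forms (terms in any order, a symbol outside the brackets, several bracket groups, a bare global name, an optional size PTR), normalises them to the explicit form the debugger prints, and computes the effective address. Register values and the symbol table are constructed inputs supplied by the caller.

```python
import re

# Added example, not code from the original article. It parses the MASM
# operand shorthands described above into the explicit form the debugger shows
# and computes the effective address. Register values and the symbol table are
# constructed by the caller.
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
SIZE_PREFIX = re.compile(r"^\s*(BYTE|WORD|DWORD|QWORD)\s+PTR\s+", re.IGNORECASE)
HEX_LITERAL = re.compile(r"^[0-9][0-9A-F]*h$", re.IGNORECASE)
SCALED = re.compile(r"^(?:(\w+)\*([1248])|([1248])\*(\w+))$")
MASK32 = 0xFFFFFFFF


def parse_number(tok):
    """MASM literal: '1234h' is hex (must start with a digit), otherwise decimal."""
    if HEX_LITERAL.match(tok):
        return int(tok[:-1], 16)
    return int(tok, 10)


def parse_operand(text, symbols):
    """Return {'base', 'index', 'scale', 'disp'} for a MASM-style memory operand.
    `symbols` maps global variable names to addresses (constructed test data)."""
    syms = {k.lower(): v for k, v in symbols.items()}
    body = SIZE_PREFIX.sub("", text).strip()
    groups = re.findall(r"\[([^\]]*)\]", body)
    prefix = body.split("[", 1)[0].strip()
    if not groups and prefix.lower() in REGS32:
        # "MOV eax, 0" writes the register; only brackets (or a symbol) mean memory.
        raise ValueError(f"{prefix} is a register operand, not a memory access")
    terms = [prefix] if prefix else []
    for group in groups:
        # A minus sign only ever precedes a displacement, so split on it too.
        terms += [t for t in group.replace("-", "+-").split("+") if t.strip()]
    base = index = None
    scale, disp = 1, 0
    for term in terms:
        t = term.strip().lower()
        m = SCALED.match(t)
        if m:                                  # reg*n or n*reg -> index register
            reg = m.group(1) or m.group(4)
            if reg not in REGS32 or reg == "esp" or index is not None:
                raise ValueError(f"bad index term: {term}")
            index, scale = reg, int(m.group(2) or m.group(3))
        elif t in REGS32:                      # first plain register is the base,
            if base is None:                   # a second one is an index with scale 1
                base = t
            elif index is None and t != "esp":
                index, scale = t, 1
            else:
                raise ValueError(f"too many registers: {term}")
        else:                                  # number or global symbol -> displacement
            neg = t.startswith("-")
            name = t.lstrip("-")
            value = syms[name] if name in syms else parse_number(name)
            disp += -value if neg else value
    # The encoded displacement is a signed 32-bit immediate (footnote 2):
    # 0FFFFFFFCh and -4 denote the same offset.
    disp &= MASK32
    if disp >= 0x80000000:
        disp -= 1 << 32
    return {"base": base, "index": index, "scale": scale, "disp": disp}


def effective_address(op, regs):
    """base + index*scale + disp, truncated to 32 bits as the CPU does."""
    ea = op["disp"]
    if op["base"]:
        ea += regs[op["base"]]
    if op["index"]:
        ea += regs[op["index"]] * op["scale"]
    return ea & MASK32


def canonical(op, size="DWORD"):
    """Render the way the debugger does: size always stated, brackets always present."""
    parts = []
    if op["base"]:
        parts.append(op["base"])
    if op["index"]:
        parts.append(f"{op['index']}*{op['scale']}")
    s = "+".join(parts)
    d = op["disp"]
    if d or not s:
        lit = f"{abs(d):X}h"
        if lit[0] not in "0123456789":
            lit = "0" + lit                    # MASM hex literals start with a digit
        s += ("-" if d < 0 else "+" if s else "") + lit
    return f"{size} PTR [{s}]"


def needs_explicit_zero_disp(op):
    """A base of ebp with no displacement has no plain encoding (that bit
    pattern selects the SIB/displacement forms), so the assembler must emit
    [ebp+0] with an explicit zero displacement."""
    return op["base"] == "ebp" and op["disp"] == 0
```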

Next time, we'll look at the flags register.

¹ It is technically legal to use 16-bit registers to calculate the effective address, but your options are much more limited. Furthermore, only the least significant 16 bits of the result are used as the effective address, so the exercise is already pointless because the bottom 64KB of address space is left unmapped. You went to all the effort of calculating an address that cannot be used.

² You might wonder why we specify that the immediate is signed, since there is no sign extension from a 32-bit value to a 32-bit value. But the disassembler knows that it's signed, because it displays values greater than 7FFFFFFFh as negative offsets.

³ Note that other assemblers, most notably NASM, follow different rules from the Microsoft assembler (MASM).


English and Welsh Ramblers have seven years left to catalogue the nation's footpaths, or they will be absorbed into private lands [Cory Doctorow – Boing Boing]

There are an estimated 140,000 miles of footpaths in England and Wales, public rights of way that cut across all manner of private land, and due to various quirks of history they have never been fully mapped.

It's been 19 years since an Act in Parliament set a deadline of Jan 1, 2026 to map every footpath, and after that, footpaths that are not mapped can be reabsorbed into the private lands they cross, ending ancient rights of way.

The Ramblers, a hiking society with radical roots that fomented the creation of the nation's national parks, are leading the charge to complete the maps, through the Don't Lose Your Way campaign.

While many of the footpaths they're struggling to save have simply been forgotten, others have been deliberately obscured, often by farmers who want to keep strangers from crossing their fields, and resort to trickery like misleading signs and barbed wire to obfuscate the footpaths.

I've spent many happy hours rambling, mostly in Norfolk, where all the paths we took were well-marked, well-loved and well-maintained. The footpaths are a visible remnant of the ancient compact between private landowners and the common people, embodied in such documents as the Charter of the Forest, a much more important and radical document than the Magna Carta.

Until last year, when Fraser applied for the path to be recorded, the owner of a nearby house had a gate across it, which was now gone. When you attempt to open an old path, you have to inform landowners who might be affected. “He said, ‘You’re just a troublemaker, you are,’ ” Fraser recalled. “And he stanked off.” “Stank” is a Cornish word for walk. Britain’s byways have their own language, too. One of the best sources for lost paths are old maps of the countryside made for tax purposes. Public rights of way show up between parcels of land called “hereditaments.” A valid claim to reinstate a lost path is known as “a reasonable allegation.” Campaigners refer to the 2026 deadline as the Extinguishment.

The Search for England’s Forgotten Footpaths [Sam Knight/New Yorker]


The Big Idea: Django Wexler [Whatever]

Every hero has a journey — or so it would seem — but does that have to be the journey we expect them to take? Django Wexler asks that very question in this Big Idea for his new novel Ship of Smoke and Steel.


There’s a story we like to tell in science fiction and fantasy: call it the “journey to power”.

The parameters of it are so obvious they almost don’t bear repeating. Our protagonist (orphan farmboy, penniless waif, lowly ensign) begins in a position with no power or authority. Over the course of the story, they gradually improve their lot, often as a side effect of pursuing other, more altruistic goals. The farmboy becomes a master swordsman, the waif leads a revolution against the oppressive state, the ensign assumes command of the starship in a crisis. By the conclusion, they can look back from the dizzying heights and reflect on how far they’ve come, and perhaps laugh about how provincial concerns like local bullies seem on the eve of the Final Battle.

I’m being reductive, of course, but this thread or something like it is at the root of many, many SFF narratives, and for good reason. It’s immensely satisfying — the underdog who we identify with almost automatically slowly getting the upper hand. Often there’s a contrast between those in power at the start of the story, who abuse their authority, and the hero, who wields power justly and honestly. It’s a story most of us can identify with, because almost everyone knows what it’s like to begin at the bottom of some field, and we can all enjoy the fantasy of becoming powerful enough to give petty tyrants their comeuppance.

Let me stress that this is a good story, which is part of some of my absolute favorite works. It’s in Harry Potter, The Wheel of Time, and Star Wars. (The journey to power overlaps, but is not identical to, the more familiar Hero’s Journey of Campbellian fame.) I’ve used it in my own works, many times. Winter’s story, in The Shadow Campaigns, follows her journey from lowly ranker through sergeant, regimental officer, and finally commanding general, from the front lines to the heights of power.

In my middle-grade fantasy, The Forbidden Library, the protagonist Alice becomes a powerful Reader over the course of the series, accumulating contracts with magical creatures that increase her repertoire of abilities. In fact, one of my favorite moments in that series comes in the fourth book: having spent nearly all her time since encountering magic in strange alternate worlds battling monsters, Alice finds herself spat out, alone and penniless, on a Florida beach. (The story takes place in the early 1930s, so no cell phones or internet to the rescue …) She makes her way back to her home in Pittsburgh, and in the process discovers just how powerful her abilities make her in the “normal” world — she can go anywhere, do anything, and no one can stop her. I like it as a moment of reflection, that pause just before the summit where we look down at how far we’ve come.

Ship of Smoke and Steel, my new YA fantasy, has a very long history in my archives. It was originally called Soliton (the name of the colossal ghost ship that is the primary setting) and it made good use of the journey to power. Our protagonists (originally there were two of them) were poor orphans, unaware of their magical abilities, who were abducted to be given to Soliton, which collects mage-bloods for mysterious reasons. Once aboard, they had to make their way in the dangerous, lawless society of the monster-haunted ship, gradually uncovering their own power along the way.

That first attempt never quite worked out — it was part of a somewhat ill-conceived Massive Worldbuilding Project, the sort of thing that starts with “Year 0: The World is Created by The Gods” and pages of maps on millimeter graph paper, and it collapsed under its own weight — and the ideas for Soliton lay dormant in my files for many years. (Writer pro tip: never throw anything away.) When I got the chance to return to them, after more than a decade and nine novels, I decided to take a different approach. (n.b. different as in “different from what I had done before” — I certainly have no claim to originality in the genre!)

Isoka, the protagonist of Ship of Smoke and Steel, is a powerhouse from the beginning of the story. She is an adept of Melos, one of the Nine Wells of Sorcery, the Well of combat and war, which grants her energy blades and nearly impenetrable armor. When we first meet her, she’s an enforcer in a criminal organization, laying waste to a gang of rivals. And while she learns a few new tricks over the course of the book, by and large this is not a story about her coming into her power — she’s already done that.

Instead, Isoka’s story is what you might call a journey to empathy. Apart from a younger sister, to whom she’s obsessively devoted, Isoka starts the book with a callous disregard for the feelings or welfare of others, happy to slaughter her way to the solution of any problem. Soliton, when she’s shanghaied on board, presents her with a situation that can’t be solved by cutting it to pieces, both physically (it’s full of giant monsters and other adepts) and emotionally (much to her surprise, she falls in love with a princess). Her struggle with this is the heart of the book.

Why do it this way? Some of it is just how the characters came to me, of course. Some of it, as I said, is just wanting to try something I haven’t done before. And I think some of it comes from the outside world — this book was written in 2017, and with times being what they are, it’s the journey to empathy that really speaks to me right now. I had a lot of fun writing it, and I hope it speaks to all of you, too.


Ship of Smoke and Steel: Amazon|Barnes & Noble|Indiebound|Powell’s

Read an excerpt. Visit the author’s site. Follow him on Twitter.


A list of all the booze in Casablanca (surprisingly long!) [Cory Doctorow – Boing Boing]

Bruce Sterling cataloged all the onscreen booze in Casablanca, producing a surprisingly long list (Sterling: "Granted, they’ve all got plenty to drink about, but gee whiz.")

A French 75 sounds a little sweet for my taste, but I might just have to try one the next time we've opened a bottle of bubbly without managing to finish it.

Wine – English couple in the opening scene are drinking wine at the outside cafe when robbed by a sly pickpocket.
Cocktail – A desperado is waiting, waiting, waiting and drinks while lamenting that he will never get out of Casablanca.
Cocktail – Man tries to negotiate a passage out of Casablanca.
Wine – Man buys passage on a fishing vessel
Wine – Women trying to get more money for her jewels

Cocktail – Englishmen are served by Sascha in Rick’s bar, and toasting cheerio.
Wine – Women gambling at Rick’s while drinking
Champagne glass (already empty) – In front of Rick as he is toying with a chess problem
Wine – Ugarte drinks while bargaining with Rick.

Brandy (Boss’s Private Stock) – Sacha serves the good stuff to the spurned Yvonne, because Yvonne is Rick’s private stock
Brandy – Captain Louis Renault drinks at Rick’s. He’s a steady customer, since the bar also has loose women.
Brandy – the Italian Fascist Captain Tonelli drinks while harassed by Lieutenant Casselle in Rick’s.
Brandy – Rick gives some free brandy to Renault in Rick’s office.
Veuve Cliquot 1926 – The top French champagne that Renault recommends to Strasser as the Nazi crassly gobbles caviar.

Wine – Ugarte has a glass when arrested
Wine – Resistance member Berger drinks wine at the bar as Laszlo and Ilsa walk into Rick’s.
Cointreaux – Laszlo orders two for himself and Ilsa as their first of many drink orders in Rick’s.
Champagne – Captain Renault orders “a bottle of the best” when invited by Laszlo to join him and Ilsa at their table.
Champagne Cocktail – Laszlo orders one as he joins Berger to conspire at the bar.
Champagne Cocktail – Renault orders for himself and Laszlo at the bar as Berger flees.
Champagne – Renault orders some for Rick when Rick joins the Laszlo party.
Bourbon – Rick drinks American bourbon to console himself for former mistress Ilsa somehow walking into his gin-joint, of all the gin-joints in the world

Champagne – Rick opens a bottle of champagne in Ilsa’s flashback room in their happy liaison in Paris.
Wine – Rick and Ilsa drink in Paris at the Cafe Pierre.
Champagne – Rick, Ilsa, and Sam hastily guzzle three bottles of Mumm Cordon Rouge as the Nazis occupy Paris.

“The Bourbon” – Ferrari demands his special bourbon in his own bar, the Blue Parrot, when Rick arrives to negotiate. Somehow, Rick refuses the bourbon, saying he never drinks in the morning.
Wine – The pickpocket toasts another sucker in Rick’s before he robs him.
Brandy – Rick is drinking heavily on the second night in his club and Renault joins him for a brandy.

French 75s – The cocktail Yvonne orders when she comes in as the brand-new floozy of a German officer. A “French 75” is an American drink named after a caliber of French artillery in World War One.

Recipe of the “French 75” cocktail
2 oz French cognac
5 oz of chilled champagne
1.5 oz lemon juice
1 tsp. superfine sugar

Champagne – Strasser and fellow German officers are joined by Renault while living it up for the second night in Rick’s.
Brandy – Carl serves brandy to the Leuctags to salute their escape to America.
Brandy – Rick offers brandy to Annina (Bulgarian refugee girl) as she prepared to prostitute herself to Renault to save herself and her husband.
Cognac – Laszlo orders for himself and Ilsa the second night in Rick’s.
Brandy – Rick continues drinking recklessly at his own bar.

Champagne – After the publicly defiant singing of the Marseillaise, Lazslo and the French officers toast the humiliation of the Germans.
Champagne – Ilsa and Rick drink in Rick’s room the second night.
Whisky – Rick doses Laszlo with medicinal whisky after Laszlo gets roughed-up while escaping a police crackdown on the Resistance.
Vichy Water – Renault pours himself this non-alcoholic drink after Rick has shot Strasser, but in a symbolic act drops the Vichy into the trash.

All the booze in all the gin-joints in this crazy world [Bruce Sterling/Beyond the Beyond]


Reproducible builds folks: Reproducible Builds: Weekly report #195 [Planet Debian]

Here’s what happened in the Reproducible Builds effort between Sunday January 13th and Saturday January 19th 2019:

Packages reviewed and fixed, and bugs filed

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. There were a few updates this week, including contributions from:

Version 108 was then uploaded to Debian unstable by Chris Lamb and was subsequently backported to the stretch-backports distribution by Mattia Rizzolo.

Website development

There were a number of updates to the project website this week, including:

  • Hervé Boutemy:
  • Holger Levsen:
  • Peter Wu:
    • Mention QT_RCC_SOURCE_DATE_OVERRIDE and add some more CMake, RPATH and Qt notes on the deterministic build systems page. [] [] [].
    • Document the use of -fmacro-prefix-map and -ffile-prefix-map on the build path page. []
    • Fix some links and typos on the contribute page, some dead links to Salsa and correct some link formatting issues. [] [] []

Test framework development

We operate a comprehensive Jenkins-based testing framework that powers This week:

  • Arch Linux is the first project being built on nodes dedicated from OSUOSL.

    Interestingly, these new nodes are running 4.19 Linux kernels from the stretch-backports distribution, as Qt in Arch needs a newer kernel than the kernel in Debian stretch to build. As a result of this we are now seeing 1,736 builds of Arch packages in the last 24h, meaning our subset of packages is being fully rebuilt every 5 or 6 days.

  • F-Droid became the second project to be tested on these new nodes after Holger Levsen increased the size of various partitions to accommodate the builds, as well as to provide a Squid proxy for all our OSUOSL nodes.

The following more-specific changes were made:

  • Eli Schwartz:
    • Import Arch Linux GnuPG keys before running makepkg. []
    • Perform a giant cleanup of trailing whitespaces. []
  • Holger Levsen:
    • Arch Linux-specific changes:
      • Adjust the rescheduling of packages which have been tested X days ago. [] [] []
      • Adopt maintenance job to work with the new OSUOSL nodes. []
      • Support OpenSSH running on ports other than 22. []
      • Fix the path to the Arch Linux mirrorlist. []
    • Debian-specific changes:
      • Fix warning message to include the name of broken package sets [] and also show the total number of packages in a package set [].
      • Don’t update pbuilder and Debian schroots on OSUOSL nodes. []
      • Clarify “stalled” status of the LeMaker HiKey960 boards. []
      • Document how to access Codethink’s arm64 nodes. []
    • F-Droid-specific changes:
      • Remove duplicate job definitions. []
    • Misc/generic changes:
      • Update the “job health page”, adding a helpful footer. [] []
      • Use as the NTP server for OSUOSL nodes, for the rest. []
      • Warn if we detect the wrong Maximum Transmission Unit (MTU). []
      • Drop another mention of LEDE. []
    • Node maintenance. ([], [], [], [], [], [], [], [], [], etc.)
  • Mattia Rizzolo:
    • Fix a variable name in the “deploy Jenkins” script. []
    • Fix a non-fatal syntax error in the “health check” script. []
    • Node maintenance. ([], etc.)
  • Vagrant Cascadian:
    • Node maintenance. ([], [], etc.)

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, heinrich5991, Holger Levsen, Mattia Rizzolo, Vagrant Cascadian & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.


Hacking Construction Cranes [Schneier on Security]

Construction cranes are vulnerable to hacking:

In our research and vulnerability discoveries, we found that weaknesses in the controllers can be (easily) taken advantage of to move full-sized machines such as cranes used in construction sites and factories. In the different attack classes that we've outlined, we were able to perform the attacks quickly and even switch on the controlled machine despite an operator's having issued an emergency stop (e-stop).

The core of the problem lies in how, instead of depending on wireless, standard technologies, these industrial remote controllers rely on proprietary RF protocols, which are decades old and are primarily focused on safety at the expense of security. It wasn't until the arrival of Industry 4.0, as well as the continuing adoption of the industrial internet of things (IIoT), that industries began to acknowledge the pressing need for security.

News article. Report.


The trinity of errors in financial models: An introductory analysis using TensorFlow Probability [All - O'Reilly Media]

An exploration of three types of errors inherent in all financial models.

At Hedged Capital, an AI-first financial trading and advisory firm, we use probabilistic models to trade the financial markets. In this blog post, we explore three types of errors inherent in all financial models, with a simple example of a model in TensorFlow Probability (TFP).

Finance is not physics

Adam Smith, generally recognized as the founder of modern economics, was in awe of Newton’s laws of mechanics and gravitation. Ever since then, economists have endeavored to make their discipline into a science like physics. They aspire to formulate theories that accurately explain and predict the economic activities of human beings at the micro and macro levels. This desire gathered momentum in the early 20th century with economists like Irving Fisher and culminated in the Econophysics movement of the late 20th century.

Figure 1. Image by Mike Shwe and Deepak Kanungo. Used with permission.

Despite all the complicated mathematics of modern finance, its theories are woefully inadequate, especially when compared to those of physics. For instance, physics can predict the motion of the moon and the electrons in your computer with jaw-dropping precision. These predictions can be calculated by any physicist, at any time, anywhere on the planet. By contrast, market participants have trouble explaining the causes of daily market movements or predicting the price of a stock at any time, anywhere in the world.

Perhaps finance is harder than physics. Unlike atoms and pendulums, people are complex, emotional beings with free will and latent cognitive biases. They tend to behave inconsistently and continually react to the actions of others. Furthermore, market participants profit by beating or gaming the systems in which they operate.

After losing a fortune on his investment in the South Sea Company, Newton remarked, “I can calculate the movement of the stars, but not the madness of men.” Note that Newton was not “retail dumb money.” He served as the Warden of the Mint in England for almost 31 years, helping put the British pound on the gold standard where it would stay for over two centuries.

All financial models are wrong

Models are used to simplify the complexity of the real world, thus enabling us to focus on the features of a phenomenon that interests us. Clearly, a map will not be able to capture the richness of the terrain it models. George Box, a statistician, famously quipped, “All models are wrong, but some are useful.”

This observation is particularly applicable to finance. Some academics have even argued that financial models are not only wrong, but also dangerous; the veneer of a physical science lulls adherents of economic models into a false sense of certainty about the accuracy of their predictive powers. This blind faith has led to many disastrous consequences for their adherents and for society at large. The most successful hedge fund in history, Renaissance Technologies, has put its critical views of financial theories into practice. Instead of hiring people with a finance or Wall Street background, they prefer to hire physicists, mathematicians, statisticians, and computer scientists. They trade the markets using quantitative models based on non-financial theories such as information theory, data science, and machine learning.

Whether financial models are based on academic theories or empirical data mining strategies, they are all subject to the trinity of modeling errors explained below. All models, therefore, need to quantify the uncertainty inherent in their predictions. Errors in analysis and forecasting may arise from any of the following modeling issues: using an inappropriate functional form, inputting inaccurate parameters, or failing to adapt to structural changes in the market.

The trinity of modeling errors

1. Errors in model specification: Almost all financial theories use the normal distribution in their models. For instance, the normal distribution is the foundation upon which Markowitz’s Modern Portfolio Theory and Black-Scholes-Merton Option Pricing Theory are built. However, it is a well documented fact that stocks, bonds, currencies, and commodities have fat-tailed distributions. In other words, extreme events occur far more frequently than predicted by the normal distribution.

If asset price returns were normally distributed, none of the following financial disasters would occur within the age of the universe: Black Monday, the Mexican Peso Crisis, Asian Currency Crisis, the bankruptcy of Long Term Capital Management (which incidentally was led by two “Nobel-prize” winning economists), or the Flash Crash. “Mini flash crashes” of individual stocks occur with even higher frequency than these macro events.

Yet, finance textbooks, programs, and professionals continue to use the normal distribution in their asset valuation and risk models because of its simplicity and analytical tractability. These reasons are no longer justifiable given today’s advanced algorithms and computational resources. This reluctance in abandoning the normal distribution is a clear example of “the drunkard’s search”: a principle derived from a joke about a drunkard who loses his key in the darkness of a park but frantically searches for it under a lamppost because that’s where the light is.

2. Errors in model parameter estimates: Errors of this type may arise because market participants have access to different levels of information with varying speeds of delivery. They also have different levels of sophistication in processing abilities and different cognitive biases. These factors lead to profound epistemic uncertainty about model parameters.

Let’s consider a specific example of interest rates. Fundamental to the valuation of any financial asset, interest rates are used to discount uncertain future cash flows of the asset and estimate its value in the present. At the consumer level, for example, credit cards have variable interest rates pegged to a benchmark called the prime rate. This rate generally changes in lock-step with the federal funds rate, an interest rate of seminal importance to the U.S. and the world economies.

Let’s imagine that you would like to estimate the interest rate on your credit card one year from now. Suppose the current prime rate is 2% and your credit card company charges you 10% plus prime. Given the strength of the current economy, you believe the Federal Reserve is more likely to raise interest rates than not. The Fed will meet eight times in the next 12 months and will either raise the federal funds rate by 0.25% or leave it at the previous level.

In the following TFP code example (see entire Colab), we use the binomial distribution to model your credit card’s interest rate at the end of the 12-month period. Specifically, we’ll use the TensorFlow Probability Binomial distribution class with the following parameters: total_count = 8 (number of trials or meetings), probs = {0.6, 0.7, 0.8, 0.9}, for our range of estimates about the probability of the Fed raising the federal funds rate by 0.25% at each meeting.

    import tensorflow as tf
    import tensorflow_probability as tfp
    tfd = tfp.distributions

    # First we encode our assumptions.
    num_times_fed_meets_per_year = 8.
    possible_fed_increases = tf.range(
        limit=num_times_fed_meets_per_year + 1)
    possible_cc_interest_rates = 2. + 10. + 0.25 * possible_fed_increases
    prob_fed_raises_rates = tf.constant([0.6, 0.7, 0.8, 0.9])
    # Now we use TFP to compute probabilities in a vectorized manner.
    # Pad a dim so we broadcast fed probs against CC interest rates.
    prob_fed_raises_rates = prob_fed_raises_rates[..., tf.newaxis]
    # Binomial(total_count=8, probs=...) as described in the text; the call was
    # truncated in the excerpt, so the .prob() evaluation over the possible
    # number of increases is completed from that description.
    prob_cc_interest_rate = tfd.Binomial(
        total_count=num_times_fed_meets_per_year,
        probs=prob_fed_raises_rates).prob(possible_fed_increases)

In the graphs below, notice how the probability distribution for your credit card rate in 12 months depends critically on your estimate about the probability of the Fed raising rates at each of the eight meetings. You can see that for every increase of 0.1 in your estimate of the Fed raising rates at each meeting, the expected interest rate for your credit card in 12 months increases by about 0.2%.

Figure 2. Image by Josh Dillon and Deepak Kanungo. Used with permission.

Even if all market participants used the binomial distribution in their models, it’s easy to see how they could disagree about the future prime rate because of the differences in their estimate for probs. Indeed, this parameter is hard to estimate. Many institutions have dedicated analysts, including previous employees of the Fed, analyzing the Fed’s every document, speech, and event to try to estimate this parameter.

Recall that we assumed this parameter probs was constant in our model for each of the next eight Fed meetings. How realistic is that? Members of the Federal Open Market Committee (FOMC), the rate setting body, are not just a set of biased coins. They can and do change their individual biases based on how the economy changes over time. The assumption that the parameter probs will be constant over the next 12 months is not only unrealistic, but also risky.

3. Errors from the failure of a model to adapt to structural changes: The underlying data-generating stochastic process may vary over time—i.e., the process is not stationary ergodic. We live in a dynamic capitalist economy characterized by technological innovations and changing monetary and fiscal policies. Time-variant distributions for asset values and risks are the rule, not the exception. For such distributions, parameter values based on historical data are bound to introduce errors into forecasts.

In our example above, if the economy were to show signs of slowing down, the Fed might decide to adopt a more neutral stance in its fourth meeting, making you change your probs parameter from 70% to 50% going forward. This change in your probs parameter will in turn change the forecast of your credit card interest rate.

Sometimes the time-variant distributions and their parameters change continuously or abruptly, as in the Mexican Peso Crisis. For either continuous or abrupt changes, the models used will need to adapt to evolving market conditions. A new functional form with different parameters might be required to explain and predict asset values and risks in the new regime.

Suppose after the fifth meeting in our example, the U.S. economy is hit by an external shock—say a new populist government in Greece decides to default on its debt obligations. Now the Fed may be more likely to cut interest rates than to raise them. Given this structural change in the Fed’s outlook, we will have to change the binomial probability distribution in our model to a trinomial distribution with appropriate parameters.
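
The credit-card example, carried through all three error types in plain Python as an added illustration (not the article's TFP code and not Hedged Capital's model): the binomial model above, the mid-year change of probs from 0.7 to 0.5 at the fourth meeting, and the switch to a trinomial raise/hold/cut regime after the fifth meeting. The 0.1/0.6 raise/cut split used for the shock regime is a constructed assumption; the other inputs are the article's.

```python
from math import comb

# Added example, not the article's TFP code. Inputs are the article's: prime
# rate 2%, card spread 10%, eight FOMC meetings, +0.25% per raise. The
# per-meeting outcome probabilities used in the scenarios below are constructed
# assumptions that only serve to show how each error type changes the forecast.
PRIME_RATE = 2.0       # current prime rate, percent
CARD_SPREAD = 10.0     # the card charges prime + 10%
STEP = 0.25            # size of one Fed move, percent
MEETINGS = 8


def card_rate(net_raises):
    """Card rate after `net_raises` net 0.25% moves (negative means net cuts)."""
    return PRIME_RATE + CARD_SPREAD + STEP * net_raises


def binomial_rate_pmf(p_raise, meetings=MEETINGS):
    """The article's model: raise/hold is the same coin flip at every meeting,
    so the number of raises is Binomial(meetings, p_raise)."""
    return {card_rate(k): comb(meetings, k) * p_raise ** k * (1 - p_raise) ** (meetings - k)
            for k in range(meetings + 1)}


def meeting_pmf(p_raise, p_cut=0.0):
    """One meeting as a step distribution: +1 raise, 0 hold, -1 cut.
    p_cut=0 is the binomial case; p_cut>0 is the trinomial regime."""
    if not 0.0 <= p_raise + p_cut <= 1.0:
        raise ValueError("probabilities must sum to at most 1")
    return {1: p_raise, 0: 1.0 - p_raise - p_cut, -1: p_cut}


def rate_pmf(meeting_pmfs):
    """General model: convolve one step distribution per meeting. Because each
    meeting carries its own parameters, a mid-year change of probs (error 2)
    or a switch to the trinomial regime (error 3) is just a different list."""
    dist = {0: 1.0}
    for pmf in meeting_pmfs:
        nxt = {}
        for steps, pr in dist.items():
            for delta, q in pmf.items():
                if q > 0.0:
                    nxt[steps + delta] = nxt.get(steps + delta, 0.0) + pr * q
        dist = nxt
    return {card_rate(s): pr for s, pr in sorted(dist.items())}


def expected_rate(pmf):
    return sum(rate * pr for rate, pr in pmf.items())


def prob_rate_at_least(pmf, threshold):
    """Tail probability P(card rate >= threshold), the quantity a risk model
    needs and a normal approximation would misstate for such discrete moves."""
    return sum(pr for rate, pr in pmf.items() if rate >= threshold)


# Scenario from the article: probs 0.7 for three meetings, then the Fed turns
# neutral (0.5) from the fourth meeting on (error 2: parameter drift).
SLOWDOWN = [meeting_pmf(0.7)] * 3 + [meeting_pmf(0.5)] * 5
# Scenario from the article: five meetings at 0.7, then an external shock makes
# cuts more likely than raises (error 3: new functional form). The 0.1 raise /
# 0.6 cut split is a constructed assumption.
SHOCK = [meeting_pmf(0.7)] * 5 + [meeting_pmf(0.1, p_cut=0.6)] * 3
```

With eight identical meetings the convolution reproduces the binomial exactly, and raising probs by 0.1 lifts the expected card rate by 8 × 0.25% × 0.1 = 0.2%, the figure quoted above.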


Finance is not a precise predictive science like physics. Not even close. So, let’s not treat academic theories and models of finance as if they were models of quantum physics.

All financial models, whether based on academic theories or data mining strategies, are at the mercy of the trinity of modeling errors. While this trifecta of errors can be mitigated with appropriate modeling tools, it cannot be eliminated. There will always be asymmetry of information and cognitive biases. Models of asset values and risks will change over time due to the dynamic nature of capitalism, human behavior, and technological innovation.

Financial models need a framework that quantifies the uncertainty inherent in predictions of time-variant stochastic processes. Equally importantly, the framework needs to continually update the model or its parameters—or both—based on materially new data sets. Such models will have to be trained using small data sets, since the underlying environment may have changed too quickly to collect a sizable amount of relevant data.


We thank the TensorFlow Probability team, especially Mike Shwe and Josh Dillon, for their help in earlier drafts of this blog post.



Continue reading The trinity of errors in financial models: An introductory analysis using TensorFlow Probability.

Four short links: 22 January 2019 [All - O'Reilly Media]

Data Science with Puzzles, Formal Methods, Sketching from Photos, and Teaching Machines

  1. Teaching Data Science with Puzzles (Irene Steves) -- genius! The repo has the puzzles in an R project.
  2. Why Don't People Use Formal Methods? -- a really good introduction to the field and current challenges. And entertainingly written: Proofs are hard. Obnoxiously hard. “Quit programming and join the circus” hard. Surprisingly, formal code proofs are often more rigorous than the proofs most mathematicians write! Mathematics is a very creative activity with a definite answer that’s only valid if you show your work. Creativity, formalism, and computers are a bad combination.
  3. Photo Sketching: Inferring Contour Drawings from Images -- the examples in the paper are impressive.
  4. History of Teaching Machines (Audrey Watters) -- a bit of context for the ZOMG APPS WILL SAVE EDUCATION mania.

Continue reading Four short links: 22 January 2019.


CodeSOD: Why Is This Here? [The Daily WTF]

Oma was tracking down a bug where the application complained about the wrong parameters being passed to an API. As she traced through the Java code, she spotted a construct like this: Long s =...


9 trends to watch in systems engineering and operations [All - O'Reilly Media]

From artificial intelligence to serverless to Kubernetes, here’s what's on our radar.

If your job or business relies on systems engineering and operations, be sure to keep an eye on the following trends in the months ahead.


Artificial intelligence for IT operations (AIOps) will allow for improved software delivery pipelines in 2019. This practice incorporates machine learning in order to make sense of data and keep engineers informed about both patterns and problems so they can address them swiftly. Rather than replace current approaches, however, the goal of AIOps is to enhance these processes by consolidating, automating, and updating them. A related innovation, Robotic Process Automation (RPA), presents options for task automation and is expected to see rapid and substantial growth as well.

Knative vs. AWS Lambda vs. Microsoft Azure Functions vs. Google Cloud Functions

The serverless craze is in full swing, and shows no signs of stopping—since December 2017 alone, the technology has grown 22%, and Gartner reports that by 2020, more than 20% of global enterprises will be deploying serverless. This is a huge projected increase from the mere 5% that are currently utilizing it. The advantages of serverless are numerous: it saves money and allows organizations to scale and pivot quickly, and better manage development and testing.

While Knative was introduced in July 2018 at Google Cloud Next—as a joint initiative of Google, Red Hat, Pivotal, SAP, and IBM—the jury’s still out as to whether it will become the industry standard for building serverless applications on top of Kubernetes. It does have a lot going for it, though—namely, that it’s open source and portable between cloud providers. Because it’s not tied to any one cloud platform (unlike its competitors AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions), it may also be more appealing to organizations looking to avoid lock-in to a particular vendor, and in turn has the potential to unify the serverless world.

Cloud-native infrastructure

Another fast-growing trend, cloud-native applications in production have seen a 200% spike in the past year. This development marks a clear shift from merely doing business in the cloud. Instead, it moves the focus to creating cloud-native applications, and puts the spotlight on the advantages of cloud-based infrastructure.


As both security threats and compliance pressures grow, automating security and baking security controls into the software development process is now critical. With the GDPR in force, requiring that a personal data breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it, DevOps and security practices are becoming intertwined not only in process, but in culture as well. Gone are the days of simply responding to issues as they pop up. Instead, a proactive approach that weaves security into the development lifecycle will optimize productivity and efficiency for development teams into next year and beyond.

Service mesh

The movement from monolith to microservices has already started, and service meshes will be a key component in fast-tracking the transition. A service mesh can best be described as a dedicated layer of infrastructure, usually implemented as sidecar proxies, that handles communication between service instances and adds mutual TLS, retries, timeouts, and telemetry without changes to application code. Among the projects to watch are Istio, HashiCorp's Consul, and Linkerd.

DevOps breaks down more silos; rise of the SRE

Teams and departments will continue to merge across organizations, as both data management and security requirements demand cross-functional processes and the lines between traditional role definitions blur. Reliability will be key to ensuring always-on, always-available performance so we’ll see more engineers and administrators adding reliability to their titles. Database reliability engineers (DBREs), for starters, will replace database administrators (DBAs), incorporating site reliability engineering processes into their day-to-day routine, and adopting the same code review and practices as DevOps teams use to create and deploy applications.


The current industry standard for container orchestration, Kubernetes will continue to own the spotlight in 2019 as more organizations start to walk the talk—either by implementing their own Kube-based infrastructure or letting their cloud vendor manage the complexity through a hosted solution like Microsoft’s Azure Kubernetes Service (AKS), Amazon’s EKS, or Google’s Kubernetes Engine. A recent O’Reilly survey found that less than 40% of respondents have actually implemented Kubernetes, suggesting that the hype currently outweighs the reality. There’s still plenty of room for adoption and growth within organizations—despite how oversaturated the landscape may currently seem. If you haven’t worked with Kubernetes yet, you likely will soon.

Distributed tracing

Distributed tracing, a technique for monitoring and debugging microservices applications, is poised to become a critical trend going forward. The prevalence of heterogeneous distributed systems has made it harder to put distributed tracing into practice. However, service meshes—another hot topic—have made communication between services easier to instrument, so the time is right for this method to shine. While there are a variety of distributed tracing tools and standards (Google's Dapper paper inspired most of them, and the OpenTracing API defines vendor-neutral instrumentation), Twitter’s open source Zipkin is currently the most buzzed about, and it will likely rise to the top and set a precedent for the industry.


According to a 2018 survey of 576 IT leaders, 44% were planning to replace at least a portion of their virtual machines with containers. There are a number of reasons for this switch—namely, C-suite executives’ ever-increasing dissatisfaction with VM licensing fees. In addition to a major infrastructure change, the move to containers also necessitates the adoption of both DevOps processes and culture, affecting the makeup of IT departments.

Continue reading 9 trends to watch in systems engineering and operations.


Cheap overseas phone calls [Tales From the Riverbank]

 If you live in the UK and want an affordable way of calling overseas, one good option is Planet Numbers -

Calls are typically one or two pence per minute, and they also have good online help - I hit a problem, and the person on the chat line worked with me until I'd sorted it out and successfully made the call.

I had a chat with Vjezkova in the Czech Republic yesterday and look forward to chatting to her again before long.

This entry was originally posted on Dreamwidth.


Feeds | Sustain Summit 2018 [Planet GridPP]

Sustain Summit 2018 s.aragon 22 January 2019 - 9:21am

By Raniere Silva, Community Officer, Software Sustainability Institute. Sustainer is "the individual or organisation who is concerned with the fragile state and future of highly-used and impactful open source projects." A diverse and fantastic group of sustainers met in London at the end of October for a day of discussion related to the sustainability of open source projects.


The thing about the chickens [Seth's Blog]

Evolution, whether by natural selection or artificial, whether in species or in ideas, is all around us.

It happens slowly. Usually more slowly than we’re aware of, and definitely more slowly than we have the patience for.

The Economist has a short article about how the price of chicken has fallen by almost 50% in real dollars over the course of my lifetime. We didn’t see it happening, didn’t vote on the benefits and the costs, didn’t realize it was transforming a species (and us).

I’m doing a two-part podcast on how creatures (and culture) evolve. You can hear last week’s episode here, and the second part goes to subscribers on Wednesday, January 23.

Drip by drip isn’t a crowd pleaser, but that’s what makes real change happen.


Three Manga Pirates Sentenced to Prison in Japan [TorrentFreak]

With the support of the Japanese government, content creators in Japan are attempting to crack down on the unauthorized reproduction and sharing of copyrighted content.

Due to their effect on local markets, those who offer copyrighted manga and anime works appear to be a priority.

The latest to fall foul of the authorities are three men said to be the operators of once-popular site ‘Haruka Yume no Ato’, a platform that indexed links to manga content without permission from rights holders.

The initial legal action against the site was documented in 2017 when police arrested nine suspects under suspicion of violating the Copyright Act. According to Anime News Network, at the time it was one of the largest so-called ‘leech sites’ (platforms that index content hosted elsewhere) in Japan.

Now, after more than a year, three operators of the site have been sentenced for their crimes.

The Osaka District Court handed down prison sentences of three years and six months for the “mastermind”, three years for the server operator, and two years and four months for another key player.

According to a statement from local publisher Kodansha, which worked on the case with other publishers including Kadokawa and Square Enix, the men are former student graduates in their 20s.

“It is seriously meaningful that all three of the principal offenders have been sentenced to imprisonment,” the company added.

The Association of Copyright for Computer Software (ACCS) also welcomed the sentencing, noting that the three men had conspired with “multiple upload actors” to keep content flowing.

“These heavy prison sentences sound alarm bells for similar cases and we, along with our member companies, will continue to take decisive action against malicious acts of copyright infringement in the future,” the group said.

“We will promote activities towards the realization of a society where copyright is respected through dissemination of information and raising awareness of proper use.”

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Vasectomy [Oh Joy Sex Toy]

A huge thank you to Carlos who was game to share his vasectomy story with me this week!

As mentioned at the end of the comic, there’s still lots of info about vasectomies out there that warrant further research if you’re contemplating it. Take a peek at Planned Parenthood.

Don’t fancy yourself a permanent form of birth control? We’ve covered several other forms here (but not all of them, of course!). Hopefully, soon we’ll have comics on tubal ligation and bilateral salpingectomy for those of you with uteruses.

Since we’re weeks away from Valentine’s Day, it’s worth reminding you all that our best-sex-toys of the year list can be found here, and if you are looking for a store to shop with, well, we love ALL the ones we list on our site: seriously, I’ve not been swapping any of them out these past few years, because they are all wonderful people with ace stores.

ALSO, the day AFTER valentine’s, Erika and I will be in SEATTLE doing a book signing at Babeland!!! Check it out here.


Sune Vuorela: KookBook 0.2.1 – now actually kind of useful [Planet Debian]

There was a snag in the KookBook 0.2.0 release, and 0.2.1 is available.

Get it here: kookbook-0.2.1.tar.xz

Btw, anyone can tell me the purpose of

git archive --prefix=foo

compared to

git archive --prefix=foo/

When would anyone use the former?
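As an added demonstration, not part of Sune's post, the script below builds a throwaway one-file repository and lists what each form of the option produces. git prepends the prefix string verbatim to every path in the archive, so `--prefix=foo` yields `fooREADME` while `--prefix=foo/` yields `foo/README`. The temporary repository, the README file and the demo committer identity are all constructed for the example; it needs only git and tar.

```shell
#!/bin/sh
# Added demonstration (not from the post): what `git archive --prefix=` does
# with and without a trailing slash. Builds a throwaway one-file repository
# in a temporary directory, so it needs only git and tar.
set -eu

# archive_paths PREFIX: print the file entries that
# `git archive --prefix=PREFIX HEAD` produces for a repo holding README.
archive_paths() {
    prefix=$1
    tmp=$(mktemp -d)
    (
        cd "$tmp"
        git init -q . 2>/dev/null
        printf 'hello\n' > README
        git add README
        # identity and signing settings given inline so the demo does not
        # depend on the user's global git config
        git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -qm init
        # tar -t lists entry names; drop directory entries (names ending in /)
        # so only the file paths remain
        git archive --format=tar --prefix="$prefix" HEAD | tar -tf - | grep -v '/$'
    )
    rm -rf "$tmp"
}

if command -v git >/dev/null 2>&1; then
    archive_paths foo     # prints: fooREADME  (prefix glued onto each path)
    archive_paths foo/    # prints: foo/README (files placed under a directory)
fi
```

The trailing slash is what turns the prefix into a directory; without it git simply concatenates the string onto each path.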


I'm Not Sure What This Comic Implies For These Titles [Diesel Sweeties webcomic by rstevens]

this is a diesel sweeties comic strip

Tonight's comic spends too much time in its own head.


Footing The Bill [QC RSS]

r o b o t f e e t


Clint Adams: The kids of today should defend themselves against the '70s [Planet Debian]

This story is not true.

In 1971, Atlantic Records released John Prine's eponymous debut album. The third track (on the first side) was a song called “Hello in There”.

In 1972, Atlantic Records released Bette Midler's debut album, The Divine Miss M. The seventh track (the second track on the second side) was a song called “Hello in There”, written by John Prine.

In 1973, Asylum Records released Tom Waits's debut album, Closing Time. The sixth track on that album was a song called “Martha”.

Later that year, Bette Midler's concert tour took her to Radio City Music Hall in New York City, where she performed from December 3 until December 22. On one of those nights, she sang “Hello in There” while a young John Prine sat in the cheap seats, thinking to himself, “Someday I'll be up on that stage.”

In 1977, both Tom Waits and Bette Midler, who were dating, released albums with a duet by Waits called “I Never Talk to Strangers”.

In 1979, Bette Midler, who was no longer dating Waits, performed on Saturday Night Live a version of “Martha”.

On Friday, April 13, 2018, Sturgill Simpson took the stage at Radio City Music Hall, acoustic and solo. After he finished, John Prine appeared, and for the first time of his life on stage at Radio City, he performed “Hello in There”, nearly 45 years after declaring he would.

For his final encore, he played “When I Get to Heaven” while his niece and nephew played kazoo and Brandi Carlisle yodeled.

If you received this story through a blog aggregator of some kind and are annoyed because this story is not true, you may find that the administrators are more than eager to be complicit in censorship reactions in response to your complaint.

Posted on 2019-01-22
Tags: mintings

Monday, 21 January


News Post: Brightgrave 1 [Penny Arcade]

Gabe: Jerry is a pro when it comes to streaming his D&D games, and I can do it when summoned, but I much prefer to run my games at home and without an audience. That being said, I just started a new campaign and I’d like to share it with you all because making things and showing you is what I do. So in lieu of a streamed game I’ll be doing updates here on the site. I will include art and photos of props when applicable. I’ll post maps and rules that we make up as we go. Basically I’ll do my best to make sure those of you who want to, can follow along at home as we build this world of…


Link [Scripting News]

When someone says you are difficult, I think that means they wanted something from you and you said no.


Page 15 [Flipside]

Page 15 is done.

Link [Scripting News]

A picture from the OPML meetup in NYC in July 2005.

Link [Scripting News]

It is wicked cold out there. Just took a 40-minute walk in the elements, and by the end the cold had gotten through all my layers. My core was getting cold. Can't remember that ever happening. (Actually the first few nights I was in Madison were like that. Then I learned how to dress in sub-zero weather.)


Latvia opens up its KGB files and names 4,000+ "informants," many of whom claim they were framed [Cory Doctorow – Boing Boing]

When Latvia attained independence in 1991, the retreating KGB left behind two sacks and two briefcases containing indexed records of the secret informants who had been paid to turn in their neighbors for offenses including anti-Kremlin activism and watching pornography.

After decades of deliberation, the Latvian Parliament voted to release the contents of the bags, naming 4,141 KGB informants, many of whom are still alive, and vigorously deny any involvement with the KGB; also named in the release is at least one journalist who was killed by Soviet forces while sympathetically covering the pro-independence movement.

The people who say they were falsely accused offer different theories to explain how their names came to be in the files: some say that they were added to KGB operatives' rosters of informants as part of the operatives' campaigns to impress their bosses and/or line their pockets with payouts for informants who were not, in fact, working for them. Others say it was a false flag planted by the KGB as they left Latvia, a way to slowly poison the independent state by sowing internal discord.

“It is impossible that the K.G.B. would leave behind a real list of agents in what it considered enemy territory,” Mr. Tjarve said. The files, he said, must have been doctored and deliberately left as a “special gift” to Latvia, now a member of NATO, as part of a “disinformation operation” by retreating Soviet officers.

Latvians found “in the bags,” the term of art for people who have turned up in the files, include a two-time former prime minister, the chief justice of the Supreme Court, a onetime foreign minister, leaders of the Catholic and Orthodox churches, three post-independence rectors of the University of Latvia, celebrated filmmakers and assorted television stars and writers. Some names leaked years ago or appeared in a Latvian documentary, “Lustrum,” released late last year.

But the publication of the full list has still caused dismay.

4,141 Latvians Were Just Outed as K.G.B. Informants [Andrew Higgins/New York Times]

(via The Grugq)

(Image: The Latvian Institute)


Reddit SoccerStreams Effectively Shuts Down Following Piracy Complaints [TorrentFreak]

Watching most top-tier soccer or football is an expensive option in most regions. Billions are paid out by broadcasters for the rights to matches and this cost has to be passed down to fans.

While millions dig deep to fund what has become a pricey sport to follow, others seek a free fix, often in the shape of an unauthorized online stream. These come in many formats, from websites with embedded players through to IPTV and streaming torrent links.

While these are widely available online, having these sources listed in one place is much more convenient for the end user. Until two days ago, Reddit’s /r/soccerstreams subreddit aimed to fill that gap.

With in excess of 420,000 subscribers, /r/soccerstreams was undoubtedly popular but like similar sections on Reddit offering links to infringing content, the subreddit was also plagued with copyright infringement complaints from upset rightsholders.

According to the moderators of /r/soccerstreams, these recently reached “critical mass”, something which effectively shut down the subreddit.

“I regret to inform you all that a few days ago, the Reddit Admins got in touch with us about an impending ban of this subreddit if changes weren’t made,” moderator ‘notsoyoungpadawan‘ wrote in an announcement.

“The only way to save it, from our perspective, was to cease all user related activity here.”

Since the users of the subreddit were the ones posting the links, the announcement means that while /r/soccerstreams still technically exists, the lack of any streaming soccer links means that the show is effectively over. However, the subreddit will now act as a “home base for the official Soccer Streams mod team.”

With /r/soccerstreams being used for announcements and news moving forward, the mod team has revealed that two new subreddits have been created for Premier League content and content from other leagues. There is also a Discord Server for the former.

“The aforementioned two are, for the moment, temporary solutions. We are working on a more permanent solution, however, due to the short notice we’ve had to work with what we have,” the mod team says.

The indication that these are only temporary solutions is unsurprising.

While it’s unclear which leagues filed copyright infringement complaints with Reddit, it’s more than likely that the Premier League was heavily involved, and it will take a dim view of any new section set up to carry out the same function as /r/soccerstreams.

There seems little doubt that if they gain any traction on Reddit or Discord, these new sharing venues will eventually be shut down too, given that both Reddit and Discord have policies that outlaw copyright infringement and that repeat infringer policies are growing in importance.

This voluntary shutdown is just one in a line of similar subreddits that have been shut down following copyright complaints in recent times. Last year /r/megalinks suffered a similar fate, as did /r/crackedsoftware.


Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.


Shoshana Zuboff discusses her new book, "Surveillance Capitalism" [Cory Doctorow – Boing Boing]

Ever since academic Shoshana Zuboff coined the term "Surveillance Capitalism" in 2015, it's become a touchstone for the debate over commercial surveillance (we've cited it hundreds of times). This week, Zuboff published her (very thick) book on the subject, to excellent early notices; I haven't read it yet, but it's next on my list.

Though I'm familiar with the general shape of Zuboff's argument, I'm really eager to get to grips with the specifics, and to see how it's evolved over the last three-and-some years.

Here's a head-start: in this weekend's Observer, John Naughton (previously) interviewed Zuboff at length about her book, and what she said bodes well for the book.

That said, I want to mark out an area of caution that I have with what I've seen so far of her argument -- a problem that I've had with other critical books about the rise of Big Tech: locating the original sin of Big Tech in advertising and surveillance, rather than concentration and monopoly.

Derek Powazek's memorable phrase, "If you're not paying for the product, you are the product" is true, but incomplete. It's true that companies that use surveillance and data to pay their bills view their "customers" as the advertisers, rather than the users.

"You're the product" is true in advertising models, but it's also true in for-pay models. Whether it's Apple sustaining itself by blocking third-party repairs, extracting rents from app vendors, and sneakily degrading the performance of its products over time; or John Deere ripping off farmers for repairs to six-figure purchases, or GM locking out independent repair and third-party spares.

The kind of capitalism that's the problem isn't "surveillance" capitalism, it's unfettered capitalism, where market concentration and regulatory capture allow companies to monopolize whole sectors and then abuse the customers they control. It's true that some giants moderate their behavior (Apple voluntarily eschewing surveillance), but this is only ever instrumental, about positioning a place in the market, and never about principle (Apple's got a very flexible attitude toward privacy indeed).

The problem with this misdiagnosis is that it implies that if only there were cost barriers to participation in online discourse, we'd dispense with the pathologies of surveillance capitalism. But in our highly unequal times, a cost barrier just means that the rich get to talk and the rest of us have to listen -- or worse yet, we'll only get to participate in forums where the wealthy set the rules on the basis of ideologies much more specific and targeted than profit-at-any-cost.

But as I say, I'm basing this on Zuboff's summary of her position and not the book itself. Watch this space for a full review as soon as I get a chance to read the book.

While it is impossible to imagine surveillance capitalism without the digital, it is easy to imagine the digital without surveillance capitalism. The point cannot be emphasised enough: surveillance capitalism is not technology. Digital technologies can take many forms and have many effects, depending upon the social and economic logics that bring them to life. Surveillance capitalism relies on algorithms and sensors, machine intelligence and platforms, but it is not the same as any of those.

'The goal is to automate us': welcome to the age of surveillance capitalism [John Naughton/The Observer]

(Image: Shoshana Zuboff , CC-BY)


1152: Reunion [Order of the Stick]


News Post: New DM Smell [Penny Arcade]

Tycho: Seeing as the cliffhanger for the last Acquisitions Incorporated game at Unplugged had one Jim Darkmagic standing atop a small elevated stage while no less than six articulated saws tried to make his insides outsides.  Coulda gone a couple ways. Independent of actually watching him and knowing for yourself the level of fucking execution the man is capable of, Jeremy Crawford is Chris Perkins’ DM.  I feel like that is a very succinct way of establishing his credentials.  But!  We also had WWE Superstar Xavier Woods at the table.  I got in trouble with Sony PR…


[$] Persistent memory for transient data []

Arguably, the most notable characteristic of persistent memory is that it is persistent: it retains its contents over power cycles. One other important aspect of these persistent-memory arrays that, we are told, will soon be everywhere, is their sheer size and low cost; persistent memory is a relatively inexpensive way to attach large amounts of memory to a system. Large, cheap memory arrays seem likely to be attractive to users who may not care about persistence and who can live with slower access speeds. Supporting such users is the objective of a pair of patch sets that have been circulating in recent months.


The Humble Book Bundle: Computer Music by MIT Press: Make the... [Humble Bundle Blog]

The Humble Book Bundle: Computer Music by MIT Press: 

Make the music of the byte with this bundle from MIT Press! Score ebooks like VOICE: Vocal Aesthetics in Digital Arts and Media, Digital Signatures: The Impact of Digitization on Popular Music Sound, Machine Musicianship, and more.

Assets for Press and Partners


Kernel prepatch 5.0-rc3 []

The 5.0-rc3 kernel prepatch has been released. "This rc is a bit bigger than usual. Partly because I missed a networking pull request for rc2, and as a result rc3 now contains _two_ networking pull updates. But part of it may also just be that it took a while for people to find and then fix bugs after the holiday season."


The EU's ambitious, fearless antitrust czar is unlikely to win another term [Cory Doctorow – Boing Boing]

Margrethe Vestager (previously) has been the EU antitrust commissioner for five years, and now she is getting ready to step down (her party is unlikely to prevail next year, so she will likely be replaced), having presided over an unprecedented era of antitrust enforcement that has seen billions of euros extracted in penalties from Google, Apple and Facebook, with Amazon now under her microscope.

Vestager formerly served as the Danish deputy PM and economy minister, as part of a centre-left, market-oriented party founded by her great-grandfather. Her record in Danish politics is something of a mixed bag (among other things, she presided over swingeing welfare cuts).

She's got a much better record as antitrust commissioner. Her enforcement hasn't been limited to the tech sector: she's also gone after Starbucks, McDonald's, Nike, Fiat and Gazprom, taking on both anticompetitive behaviour and tax dodging (she's also done much to end competition among EU governments to create tax-havens that lure in multinationals to create headquarters-of-convenience).

That said, her vision for the next steps of antitrust enforcement is a little...weird. For example, she wants to build on the GDPR's requirements to disclose how personal information is used by encouraging the creation of "Independent digital assistants that will make sure that your privacy settings are maintained no matter where you go."

The upcoming EU elections are going to be game-changing in more ways than one. The insurgent parties are ascendant, and some are left wing, and others are far-right xenophobes, suggesting a kind of scaled-up version of the current state of Italian politics, which is to say: a mess.

"When you look at our cases you'd see that what they have in common is not nationality. It's the fact that they're multinationals," she said.

Her aim, she says, is to keep competition fair.

"That was the idea before the world became digital," Vestager said. "And it becomes an even more important idea when the world becomes digital because things are so fast moving."

EU's antitrust cop lays groundwork for more tech scrutiny [Kelvin Chan/]

(Image: Johannes Jansson, CC-BY)

The Boing Boing blog turns 19 today [Cory Doctorow – Boing Boing]

Nineteen years ago today, Mark decided to do some research on the new Blogger service for an article in The Industry Standard, and so he created a blog and started posting to it (the Standard spiked the story, on the basis that blogging was probably a passing fad).

Less than a year later, I started a stint as a guestblogger that is still going, more than 18 years later.

David came on board a couple months after me, and Xeni's guestblogging stint started late the next year and, like mine, never ended; Rob kicked off in 2005, and Jason's first post was in 2010, tho he joined us in 2006.

And now we are 19, and old, and still weird, but the internet is less weird in some important ways ("a group of five websites, each consisting of screenshots of text from the other four").


Today in GPF History for Monday, January 21, 2019 [General Protection Fault: The Comic Strip]

Nick, Ki, and Fooker follow a fire truck down GPF's street and make a shocking discovery...


Comic: New DM Smell [Penny Arcade]

New Comic: New DM Smell


"Capitalism has outlived its usefulness" -Martin Luther King, Jr [Cory Doctorow – Boing Boing]

"I imagine you already know that I am much more socialistic in my economic theory than capitalistic. And yet I am not so opposed to capitalism that I have failed to see its relative merits. It started out with a noble and high motive, viz, to block the trade monopolies of nobles, but like most human systems, it falls victim to the very thing it was revolting against. So today capitalism has outlived its usefulness. It has brought about a system that takes necessities from the masses to give luxuries to the classes."

"As I have walked among the desperate, rejected, and angry young men, I have told them that Molotov cocktails and rifles would not solve their problems. I have tried to offer them my deepest compassion while maintaining my conviction that social change comes most meaningfully through nonviolent action. But they asked, and rightly so, “What about Vietnam?” They asked if our own nation wasn’t using massive doses of violence to solve its problems, to bring about the changes it wanted. Their questions hit home, and I knew that I could never again raise my voice against the violence of the oppressed in the ghettos without having first spoken clearly to the greatest purveyor of violence in the world today: my own government. …"

“I started thinking about the fact that right here in our country we spend millions of dollars every day to store surplus food. And I said to myself: ‘I know where we can store that food free of charge — in the wrinkled stomachs of the millions of God’s children in Asia, Africa, Latin America, and even in our own nation, who go to bed hungry at night.’"

Dr King: "... the greatest purveyor of violence in the world today: my own government" [Jim P/Daily Kos]

Martin Luther King Jr. Celebrations Overlook His Critiques of Capitalism and Militarism [Zaid Jilani/The Intercept]


Security updates for Monday []

Security updates have been issued by Fedora (gitolite3, gvfs, php, radare2, and syslog-ng), Mageia (libssh, php, python-django16, and rdesktop), openSUSE (podofo), and SUSE (libraw, openssh, PackageKit, and wireshark).

“A Model Dog”: A New Short Story, From Me, Over at The Verge [Whatever]

Hey, there! Would you like a short story from me to help you get through your Monday? Of course you would. So here it is: “A Model Dog,” which I wrote for The Verge as part of its “Better Worlds” series of optimistic science fiction. In it, two engineers at a very large tech company are tasked with building a robot dog. Why? And for what purpose? That’s in the story, of course. It’s a short piece (under three thousand words), and I think it’s pretty fun. There’s even an animated version, adapted from the story. It’s pretty cute too.

When you’re done reading/viewing the story, there’s also an interview with me on the site, talking about pets and tech and privacy and other such things. I may make mention of Smudge, who I know is a favorite around here. Check that out, too.

Not an entirely bad way to start the week, I’d say.


Copyright Negotiations Canceled As ‘Article 13’ Opposition Rises [TorrentFreak]

A year ago “Article 13” was only known to a select audience with a particular interest in copyright issues.

Today, EU’s copyright reform proposals and the potential ‘Internet filters’ have gone mainstream.

Last September the European Parliament backed the controversial Article 13 plans. This set in motion a round of trilogue negotiations during which the final text would be drawn up.

Initially, the last negotiation round was scheduled for last December, but that was later postponed to today. However, there are no negotiations today either.

Last Friday, EU members voted on the negotiating mandate for the Council. With 11 countries voting against a compromise position on Article 13 and Article 11, they failed to reach an agreement.

As a result, today’s round of final negotiations was canceled. This doesn’t mean that the controversial proposals will be shelved, but it creates another delay. And as time passes, opposition only seems to grow.

Early on, most protests came from the public at large and activist groups who believe that Article 13 will lead to broad upload filters, possibly censoring fair use content.

However, as lawmakers tried to seek compromises, various rightsholders were no longer happy and retracted their support as well. This includes movie and TV-companies, as well as music groups, which initially backed the proposal.

Copyright holders are still in favor of the original Article 13 text, but they believe that the latest proposals are watered down to a degree where they might be worse off than before.

The original Article 13 opponents, meanwhile, argue that it’s best to remove the article from the broader copyright reform proposals entirely and to do the same with Article 11, also known as the ‘link tax.’

Julia Reda, Member of the European Parliament for the Pirate Party, hopes for the latter.

The outcome of today’s Council vote also shows that public awareness of the copyright reform is having an effect, Reda writes.

“Keeping up the pressure in the coming weeks will be more important than ever to make sure that the most dangerous elements of the new copyright proposal will be rejected,” she adds.

While Article 13 is not off the table, it appears that the compromise strategy of EU lawmakers isn’t helping. And after today’s postponed vote, there will likely be more protests and lobbying efforts from both sides.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Link [Scripting News]

I finished the Flickr archive project. I wrote it up here. It consists of 5815 pages like this. Cross-country drives. Famous NY delis. Tech conferences. Devastation from Hurricane Katrina. Berkeley streets (it really is a beautiful place). Friends. Graphic illustration. A joint-rolling tutorial. Shea Stadium. My old house in Woodside (a few days before it was torn down, sadly). Screen shots. Sights in NYC on foot and on bike. Mr Natural. Seattle's amazing public library. And much more. Use the Random button to find a good place, and then hit Prev to find the beginning of the sequence, and step through them with the Next button. I added a link to the Scripting News page for the day the photo was taken. Often there's a connection between what I posted on Flickr and what I posted on my blog.

The Intel 80386, part 1: Introduction [The Old New Thing]

Windows NT stopped supporting the Intel 80386 processor with Windows NT 4.0, which raised the minimum requirements to an Intel 80486. Therefore, the Intel 80386 technically falls into the category of "processor that Windows once supported but no longer does." This series focuses on the portion of the x86 instruction set available on an 80386, although I will make notes about future extensions in a special chapter.

The Intel 80386 is the next step in the evolution of the processor series that started with the Intel 8086 (which was itself inspired by the Intel 8080, which was in turn inspired by the Intel 8008). Even at this early stage, it had a long history, which helps to explain many of its strange corners.

As with all the processor retrospective series, I'm going to focus on how Windows NT used the Intel 80386 in user mode because the original audience for all of these discussions was user-mode developers trying to get up to speed debugging their programs. Normally, this means that I omit instructions that you are unlikely to see in compiler-generated code. However, I'll set aside a day to cover some of the legacy instructions that are functional but not used in practice.

The Intel 80386 has eight integer registers, each 32 bits wide.

Register  Meaning            Preserved?
eax       accumulator        No
ebx       base register      Yes
ecx       count register     No
edx       data register      No
esi       source index       Yes
edi       destination index  Yes
ebp       base pointer       Yes
esp       stack pointer      Sort of

The register names are rather unusual due to the history of the processor line. That history also explains why the instruction encoding uses the non-alphabetical-order eax, ecx, edx, ebx.

Also for historical reasons, there are also names for selected partial registers.

Register  Meaning
ax        Lower 16 bits of eax
bx        Lower 16 bits of ebx
cx        Lower 16 bits of ecx
dx        Lower 16 bits of edx
si        Lower 16 bits of esi
di        Lower 16 bits of edi
bp        Lower 16 bits of ebp
sp        Lower 16 bits of esp
ah        Upper 8 bits of ax
al        Lower 8 bits of ax
bh        Upper 8 bits of bx
bl        Lower 8 bits of bx
ch        Upper 8 bits of cx
cl        Lower 8 bits of cx
dh        Upper 8 bits of dx
dl        Lower 8 bits of dx

Operations on these register fragments affect only the indicated bits; the other bits of the 32-bit register remain unaffected. For example, storing a value into the ax register leaves the most-significant 16 bits of the eax register unchanged.¹

Windows NT requires that the stack be kept on a 4-byte boundary. There is no red zone.

The 80386 also has eight 80-bit extended precision floating point registers named st0 through st7. The floating point system is rather unusual: In addition to the fact that the registers are extended precision, the programming model for the floating point registers is as a stack. Values are pushed onto the floating point stack, operations are performed on the stack, and results are popped off.

Floating point support is optional and is provided by the 80387 coprocessor chip, which runs concurrently with the main CPU. If a floating point instruction is executed on a system that lacks a floating point coprocessor, the floating point instruction traps, and the kernel emulates the instruction.

There are also some non-integer registers which are difficult/impossible to get to, but which still participate in user-mode instructions.

Register  Meaning              Notes
eip       instruction pointer  program counter
eflags    flags
cs        code segment         Don't worry about it
ds        data segment         Don't worry about it
es        extra segment        Don't worry about it
fs        F segment            For TEB access
gs        G segment            Not used

Windows NT uses the 80386 in flat mode, which means that applications see a contiguous 32-bit address space. The segment registers largely don't come into play when in flat mode, with the exception of the fs register, which we'll learn about more when we get to the TEB.

The flags register is updated by many instructions. We'll learn more about flags when we study conditionals.

The 80386 is unusual in that it supports multiple calling conventions. Common to all the calling conventions are the register preservation rules and the return value rules: The function return value is placed in eax. If the return value is a 64-bit value, then the most significant 32 bits are returned in edx. If the return value is a floating point value, it is returned in st0, and possibly st1 (for complex numbers).

Furthermore, link-time code generation is permitted to manufacture ad hoc calling conventions which may not even follow the register preservation rules. It's crazy free-for-all time.

The architectural names for data sizes are as follows:

  • byte: 8-bit value
  • word: 16-bit value
  • dword (doubleword): 32-bit value
  • qword (quadword): 64-bit value
  • tword (ten-byte word): 80-bit value

Instruction encoding is highly irregular. Instructions are variable-length, and instructions can begin at any byte boundary.

The general pattern for multi-operand opcodes is

    opcode  destination, source

Note that the destination is on the left. Note also that three-operand instructions are rare. This will become interesting when we get to arithmetic.

Here's the notation I will use when introducing instructions:

Notation  Meaning
rn        n-bit register
mn        n-bit memory
in        n-bit immediate
r/mn      n-bit register or n-bit memory
r/m/in    n-bit register, n-bit memory, n-bit immediate, or 8-bit immediate sign-extended to n bits

  • If n is omitted, then 8, 16, and 32 are permitted. For example, "r/m" means "r/m8, r/m16, or r/m32".
  • Immediates are sign-extended as necessary.
  • The first operand is called "d" (destination).
  • The second operand (if any) is called "s" (source).
  • The third operand (if any) is called "t" (second source).
  • At most one of the operands can be a memory operand.
  • All operands must have the same size.

Exceptions to the above rules will be called out as necessary.

For example:

    ADD     r/m, r/m/i          ; d += s,      set flags

The ADD instruction takes two operands. The first is a register or memory, and the second is a register or memory or immediate or single-byte immediate. They cannot both be memory operands. They must be the same size.

Many instructions have a more compact encoding if the destination register is al, ax, or eax.

The assembly language overloads multiple variations of instructions into a single opcode. This is different from most other processors, where each opcode maps to an instruction template, where all that's left to fill in are the registers and immediates. For example, the MIPS R4000 has two different shift opcodes depending on whether the shift amount is specified by an immediate or a register. But the 80386 assembly language uses the same opcode for both, and it's the assembler's job to figure out which variant you intended.

The 80386 does not perform speculation, does not have an on-chip cache, does not have a branch predictor, and does not reorder memory accesses. Life was simpler then.

Okay, that's enough background. We'll dig in next time by looking at memory addressing modes.

¹ This partial register behavior wasn't a big deal at the time, but it ended up creating register dependencies that made it much harder to add out-of-order execution to later versions of the processor. It even created a register version of the store-to-load forwarding problem.

The x86-64 architecture took a different approach when it extended the 32-bit registers to 64-bit registers: If the destination register is encoded as a 32-bit subset of a 64-bit register, the upper 32 bits of the destination register are zeroed.
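The partial-register rule from the tables above, the flag-setting ADD in the notation section, and the x86-64 zeroing rule from the footnote, modelled as an added example (not code from the original article). The RegisterFile class, its "mode" switch and the rax-style 64-bit names are this example's own; memory operands are not modelled.

```python
"""80386 partial-register writes and flag-setting ADD, modelled in Python.

Added example, not code from the original article. It implements the
aliasing rules described above (writing ax leaves the upper 16 bits of eax
unchanged; ah and al are the halves of ax) and, for contrast, the x86-64
rule from the footnote (a 32-bit destination zeroes the upper 32 bits).
"""

MASK = {8: 0xFF, 16: 0xFFFF, 32: 0xFFFF_FFFF, 64: 0xFFFF_FFFF_FFFF_FFFF}

# Every name from the article's register tables -> (container, bit offset, width).
ALIASES = {}
for _base in ("eax", "ebx", "ecx", "edx"):
    _l = _base[1]                       # 'a', 'b', 'c', 'd'
    ALIASES[_base] = (_base, 0, 32)
    ALIASES[_l + "x"] = (_base, 0, 16)  # lower 16 bits of the 32-bit register
    ALIASES[_l + "l"] = (_base, 0, 8)   # lower 8 bits of the 16-bit register
    ALIASES[_l + "h"] = (_base, 8, 8)   # upper 8 bits of the 16-bit register
for _base in ("esi", "edi", "ebp", "esp"):
    ALIASES[_base] = (_base, 0, 32)
    ALIASES[_base[1:]] = (_base, 0, 16)


class RegisterFile:
    """Eight integer registers. mode="i386" (32-bit) or "x64" (64-bit containers)."""

    def __init__(self, mode="i386"):
        if mode not in ("i386", "x64"):
            raise ValueError("mode must be 'i386' or 'x64'")
        self.mode = mode
        self.regs = {base: 0 for base in ("eax", "ebx", "ecx", "edx",
                                          "esi", "edi", "ebp", "esp")}
        self.aliases = dict(ALIASES)
        if mode == "x64":
            # Hypothetical 64-bit names (rax, rbx, ...) for the full container.
            for base in self.regs:
                self.aliases["r" + base[1:]] = (base, 0, 64)
        # The flags ADD sets in this model: carry, zero, sign, overflow.
        self.flags = {"cf": 0, "zf": 0, "sf": 0, "of": 0}

    def read(self, name):
        base, shift, width = self.aliases[name]
        return (self.regs[base] >> shift) & MASK[width]

    def write(self, name, value):
        """Store value into the named (partial) register; return the container."""
        base, shift, width = self.aliases[name]
        value &= MASK[width]
        if self.mode == "x64" and width == 32:
            # x86-64 rule: a 32-bit destination clears the upper 32 bits.
            self.regs[base] = value
        else:
            # 80386 rule (kept by x86-64 for 8- and 16-bit writes): merge into
            # the container, leaving every bit outside the addressed range alone.
            keep = self.regs[base] & ~(MASK[width] << shift)
            self.regs[base] = keep | (value << shift)
        return self.regs[base]

    def add(self, dest, src):
        """ADD d, s in the article's notation: d += s and set flags.

        dest is a register name; src is a register name or an immediate.
        Operands must have the same size (no memory operands in this model).
        """
        width = self.aliases[dest][2]
        if isinstance(src, str):
            if self.aliases[src][2] != width:
                raise ValueError("operands must have the same size")
            s = self.read(src)
        else:
            s = src & MASK[width]       # immediate, sign-extended to the operand size
        d = self.read(dest)
        full = d + s
        result = full & MASK[width]
        top = 1 << (width - 1)
        self.flags["cf"] = int(full > MASK[width])
        self.flags["zf"] = int(result == 0)
        self.flags["sf"] = int(bool(result & top))
        # Signed overflow: both operands share a sign and the result does not.
        self.flags["of"] = int((d & top) == (s & top) and (result & top) != (d & top))
        self.write(dest, result)
        return result


if __name__ == "__main__":
    rf = RegisterFile()
    rf.write("eax", 0x12345678)
    rf.write("ax", 0xABCD)        # only the low 16 bits change
    print(hex(rf.read("eax")))    # 0x1234abcd
    rf.write("al", 0x7F)
    rf.add("al", 1)               # 0x7F + 1 leaves the signed 8-bit range
    print(hex(rf.read("eax")), rf.flags)
```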


My Contribution to the Pile of Lunar Eclipse Photos From Last Night [Whatever]

Lunar eclipse, 1/20/19

This one taken around 11:45pm with my Nikon, and for which I did no prep; this is basically me taking a couple dozen shots freehand and picking the least blurry one. This is the one that turned out the best. It’s not too bad, all things considered. And of course it was beautiful in the sky.

It was in fact a just about perfect night for a lunar eclipse: cold as hell and no wind, so the atmosphere was not jumping all around the place, and cloudless so there was no chance the eclipse would be obscured. Athena and I watched it outside for a few minutes and then went back into the house before frostbite set in. It was worth it.

Did you see the eclipse where you were?


Four short links: 21 January 2019 [All - O'Reilly Media]

Programming Spreadsheets, Star Emulator, AI for Social Good, Participatory Democracy

  1. Applying Programming Language Research Ideas to Transform Spreadsheets (Microsoft) -- an Excel cell can now contain a first-class record, linked to external data sources. And ordinary Excel formulas can now compute array values, that “spill” into adjacent cells (dynamic arrays). There is more to come: we have a working version of full, higher-order, lexically scoped lambdas (and let-expressions) in Excel’s formula language and we are prototyping sheet-defined functions and full nesting of array values.
  2. Darkstar: A Xerox Star Emulator -- this blog post describes the journey of building the emulator for this historic system. From the good folks at the Living Computer Museum in Seattle.
  3. AI for Social Good Impact Challenge -- $25M pool, $500K-$2M for 1-3 years. If you are selected to receive a grant, the standard grant agreement will require any intellectual property created with grant funding from Google be made available for free to the public under a permissive open source license.
  4. Decidim -- free open source participatory democracy for cities and organizations.

Continue reading Four short links: 21 January 2019.


Clever Smartphone Malware Concealment Technique [Schneier on Security]

This is clever:

Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection -- they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn't load on emulators researchers use to detect attacks.

The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers­ -- and possibly Google employees screening apps submitted to Play­ -- are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.


Relative Versioning [The Daily WTF]

Today's submission comes from someone going by Albert Einstein. Before we look at what they sent us, let's talk a little bit about version numbers. Version numbers, if you think about it,...


1263 [LFG Comics]

The post 1263 appeared first on Looking For Group.

1261 [LFG Comics]

The post 1261 appeared first on Looking For Group.

1259 [LFG Comics]

The post 1259 appeared first on Looking For Group.

1258 [LFG Comics]

The post 1258 appeared first on Looking For Group.

1256 [LFG Comics]

The post 1256 appeared first on Looking For Group.


Justice is scarce [Seth's Blog]

It always is. That’s its natural state.

Never enough opportunity, fairness and connection. Never enough time for a student who needs it, or dignity for a person who deserves it. A chance to be seen and understood.

But just because we’re always running short doesn’t mean we can’t try.

There’s always a chance to contribute and the opportunity to speak up. And if we don’t, who will?

Happy birthday.


Voluntary Live Sports Piracy Blocking Implemented in Portugal [TorrentFreak]

In July 2015, Portugal’s Ministry of Culture announced the signing of an anti-piracy memorandum between the General Inspection of Cultural Activities (IGAC), the Portuguese Association of Telecommunication Operators (APRITEL), various rightsholder groups, the body responsible for administering Portugal’s .PT domain, and representatives from the advertising industry.

The aim of the memorandum was the creation of a super-streamlined anti-piracy mechanism which could be triggered following complaints from rightsholders. As a result, local anti-piracy outfit MAPINET regularly collates evidence on pirate site activities and ISPs block the platforms, with no court intervention required.

Since then, a huge number of sites have been blocked, with new domains added to the country’s unofficial blacklist every month. At the time of writing there are more than 1,900 sites blocked in the country, many on copyright grounds. Now, however, there appears to be a significant new addition to this controversial scheme.

With what appears to have been little if any public scrutiny, back in December a new agreement was signed between IGAC, APRITEL, and rightsholder groups including FEVIP and GEDIPE. The aim was the protection of live sports with the introduction of a regime to block ‘pirate’ streams of live sports broadcasts.

Discussions online indicate that those accessing recent live matches were interrupted by ISP blockades which prevented them from accessing unauthorized platforms. After being questioned by local publication Exame Informática, IGAC confirmed that the practice is indeed going ahead as per the December agreement.

“Live events, by their very nature and under penalty of futility, require a faster action of the entities involved in the course of unauthorized transmissions,” said IGAC Inspector General Silveira Botelho.

Botelho told the publication that the original memorandum wasn’t designed to combat illicit streams of live sports. The new agreement, however, operates on information obtained shortly before live events get underway, in order to block illicit transmissions more effectively.

As usual, rightsholders provide the initial notification to IGAC which then makes the decision whether or not to block the resource. Instructions are then handed to ISPs to block the online locations associated with the illegal streaming activities.

Unlike the regular blocking process, bans aren’t permanent but are lifted as soon as the events the rightsholders wish to protect have been concluded.

This appears to be similar to the blocking activities carried out in the UK by the Premier League and a pair of boxing promotions (1,2). The difference is that these are fully authorized by High Court injunction whereas the Portugal efforts are entirely voluntary.

“The agreement applies to all live events and is open to the inclusion of other entities that wish to contribute to the achievement of the objectives therein and to accept the respective terms and conditions,” says IGAC’s Botelho.

While all live events are covered by the memorandum, reports online suggest that only soccer matches have been affected thus far. The blocking was confirmed by Revolução dos Bytes (Bytes’ Revolution), the group behind and site unblocking service Ahoy!, who told TorrentFreak that there has been a ‘huge’ increase in new detected blocked sites.

“I’m worried about this new easy and expedited way of blocking sites, it probably means that they have developed a new tool for this particular purpose, making the process of censoring sites less tedious and with even less red tape,” team member Henrique Mouta says.

“I don’t know how their system works behind the scenes, but I highly doubt that anyone is double checking if the site actually meets the criteria defined in the memorandum.”

In any event, the Ahoy! tool is still being updated to unblock affected sites, although Henrique says the team are having to do “a lot more work” to keep up with the increased volume.


Top 10 Most Pirated Movies of The Week on BitTorrent – 01/21/19 [TorrentFreak]

Photo: Warner Bros.

This week we have six newcomers in our chart.

A Star is Born is the most downloaded movie.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are Web-DL/Webrip/HDRip/BDrip/DVDrip unless stated otherwise.

RSS feed for the articles of the recent weekly movie download charts.

This week’s most downloaded movies are:

Most downloaded movies via torrents

Rank  Rank last week  Movie name                          IMDb rating / trailer
1     (…)             A Star is Born                      8.0 / trailer
2     (…)             Hunter Killer                       6.7 / trailer
3     (1)             First Man                           7.5 / trailer
4     (…)             The Girl in The Spider’s Web        6.1 / trailer
5     (2)             Aquaman (HDTC)                      7.7 / trailer
6     (3)             Venom                               7.0 / trailer
7     (…)             The Nutcracker and the Four Realms  5.6 / trailer
8     (…)             Bumblebee (Subbed HDRip)            7.2 / trailer
9     (4)             The Vanishing                       6.0 / trailer
10    (…)             Bohemian Rhapsody (DVDScr)          8.3 / trailer


Kai-Chung Yan: My Open-Source Activities from November to December 2018 [Planet Debian]

Welcome, reader! This is an infrequently updated post series that logs my activities within open-source communities. I want my work to be as transparent as possible in order to promote open governance, a policy feared even by some “mighty” nations.

I do not work on open-source full-time, although I sincerely would love to. Therefore the posts may cover a ridiculously long period (even a whole year).


Debian is a general-purpose Linux distribution that is widely used on the planet. I am a Debian Developer who works on packages related to Android SDK and the Java ecosystem.

After a month of hard work, I finally finished the packaging of android-platform-art. The tricky part was that this package is the first of our Android SDK packages that fails to build using GCC, which was realized only after I had patched an awful lot of code.

Other activities include:

Voidbuilder Release 0.3.0

Voidbuilder is a simple program that mimics pbuilder but uses Docker as the container engine. I have been using it privately and am quite satisfied.

I released 0.3.0 in December. A notable change is that it now prints the build result in details, just like sbuild does.

Other Activities

Pushed a patch to AOSP that removes a SUN API usage for Base64. Now let’s see if it will get accepted in 10 years… 😪


Winter-een-mas 2019, p11 [Ctrl+Alt+Del Comic]

Get your Winter-een-mas Pin yet?!

The post Winter-een-mas 2019, p11 appeared first on Ctrl+Alt+Del Comic.


Kurt Kremitzki: Free Software Activities in December 2018 [Planet Debian]

Hello again for another of my monthly updates on my work on Debian Science and the FreeCAD ecosystem.

There's only a few announcement items since I was mostly enjoying my holidays, but several important things were accomplished this month. Also, since there's not much time left before the release of Debian 10, there's some consideration to be done towards what I'll be working on in the next few months.

gmsh bugfix; no gmsh 4 yet


At the beginning of the month, I uploaded gmsh 3.0.6+dfsg1-4. This had a patch submitted by Joost van Zwieten (thanks!) to fix Debian bug #904946 which was preventing gmsh usage in FreeCAD, as well as adding an autopkgtest to make sure that behavior remains.

New Coin3D transition; Pivy uploaded!


Near the middle of the month, Leo Palomo-Avellaneda, Anton Gladky, and I finished the transition for the coin3 package, which is a scene graph library and high-level wrapper of OpenGL. The new version is a pre-release coin3 4.0.0 which adds CMake support. It also fixes Debian bug #874727 which caused FreeCAD to segfault when importing an SVG. FreeCAD also uses pivy, a Python wrapper for coin, as a runtime dependency, and completing this transition has finished the last blocker for a Python 3 FreeCAD package, so thanks to Leo and Anton!

New release for med-fichier (not by me)


Another FreeCAD dependency had a new release this month, med-fichier 4.0.0. This software is developed by Électricité de France and built on the HDF5 library and file format but is specialized for mesh data. It is also a dependency of gmsh which introduced some difficulty for the gmsh package.

OpenFOAM upstream switch; from to


The final noteworthy item for this month was an interesting bit of correspondence I received concerning the OpenFOAM package. As I had mentioned in previous posts, the current OpenFOAM version in Debian is 4.x, and I had worked on updating the package for OpenFOAM 6.x. My packaging was working and complete last summer, but for an inexplicable reason it stopped building late summer, started building again for about a week in September, and then stopped again. I would really like an up-to-date OpenFOAM in Debian 10, and so when I received an email from the people at about packaging their version, I was very intrigued. You see, the version in Debian is currently from Besides the TLD difference, there is a bit of history between the two versions, but for end users there should be no major difference. If you're interested in more background, you can consult this video by József Nagy.

Similarly, it seems likely that the OpenFOAM package will be changing over to the version soon. I've already successfully built the latest OpenFOAM from this source, version 1812, and plan to submit it soon.

Thanks to my sponsors

This work is made possible in part by contributions from readers like you! You can send moral support my way via Twitter @thekurtwk. Financial support is also appreciated at any level and possible on several platforms: Patreon, Liberapay, and PayPal.


Girl Genius for Monday, January 21, 2019 [Girl Genius]

The Girl Genius comic for Monday, January 21, 2019 has been posted.


Link [Scripting News]

The AWS CLI is much faster than the web interface.

Link [Scripting News]

It took a while but I got the static Flickr site uploaded. I'll write more about it tomorrow. Meanwhile the Random button is fun.

Survivor's Guilt [Diesel Sweeties webcomic by rstevens]

this is a diesel sweeties comic strip

Tonight's comic is about the one thing worse than surviving the robot apocalypse.


Russ Allbery: Review: New York 2140 [Planet Debian]

Review: New York 2140, by Kim Stanley Robinson

Publisher: Orbit
Copyright: March 2017
Printing: March 2018
ISBN: 0-316-26233-1
Format: Kindle
Pages: 624

About forty years in our future, world-wide sea levels suddenly rose ten feet over the course of a decade due to collapse of polar ice, creating one of the largest disasters in history. It was enough to get people to finally take greenhouse effects and the risks of fossil fuels seriously, but too late to prevent the Second Pulse: a collapse of Antarctic ice shelves that raised global ocean levels another forty feet. Now, about fifty years after the Second Pulse, New York is still standing but half-drowned. The northern half of Manhattan Island is covered with newly-constructed superscrapers. The skyscrapers in the southern half, anchored in bedrock, survive in a precarious new world of canals, underwater floors, commuter boats, high-tech sealants, and murky legal structures.

The Met Life Tower is one of those surviving buildings and is home to the cast of this novel: two quants (programmers and mathematicians who work on financial algorithms) living in temporary housing on the farm floor, the morose building super, the social worker who has headed the building co-op board for decades, a chief inspector for the NYPD, a derivatives trader who runs a housing index for the half-drowned intertidal areas, a streaming video star who takes on wildlife preservation projects in her dirigible Assisted Migration, and a couple of orphan street kids (in this world, water rats) endlessly looking for their next adventure. The characters start the book engrossed in their day-to-day lives, which have settled into a workable equilibrium. But they're each about to play a role in another great disruption in economic life.

This is my sixth try for Kim Stanley Robinson novels, and I've yet to find a book I really liked. It may be time to give up.

I really want to like Robinson's writing. He's writing novels about an intersection of ecology and politics that I find inherently interesting, particularly since he emphasizes people's ability to adapt without understating the magnitude of future challenges. I think he's getting better at characterization (more on that in a moment). But this sort of book, particularly the way Robinson writes it, elevates the shape of the future world to the role of protagonist, which means it has to hold up to close scrutiny. And for me this didn't.

As is typical in Robinson novels, New York 2140 opens with an extended meander through the everyday lives of multiple protagonists. This is laying the groundwork for pieces of later plot, but only slowly. It's primarily a showcase for Robinson's future extrapolation, here made more obvious by a viewpoint "character" whose chapters are straight infodumps about future history. And that extrapolated world is odd and unconvincing in ways that kept throwing me out of the story. The details of environmental catastrophe and adaptation aren't the problem; I suspect those are the best-researched parts of the book, and they seemed at least plausible to me. It's politics and economics that get Robinson into trouble.

For example, racism is apparently not a thing that exists in 2140 New York on any systematic scale. We're at most fifty years past what would be the greatest refugee crisis in the history of humanity, one that would have caused vast internal dislocation in the United States let alone in the rest of the world. Migrant and refugee crises in Syria and Central America in the current day that are orders of magnitude less severe set off paroxysms of racist xenophobia. And yet, this plays no role whatsoever in the politics of this book.

It's not that the main characters wouldn't have noticed. One is a social worker who works specifically with refugees on housing, and whose other job is running a housing co-op. In our world, racism is very near the center of US housing policy. Another, the police inspector, is a tall black woman from a poor background, but the only interaction she has with racism in the whole book is a brief and odd mention of how she might appear to a private security mercenary that she faces down. It seriously tries my suspension of disbelief that racism would not be a constant irritant, or worse, through her entire career.

Racism doesn't need to be a central topic of every book, and sometimes there's a place for science fiction novels that intentionally write racism out as an optimistic statement or as momentary relief. But the rest of this book seems focused on a realistic forward projection, not on that sort of deep social divergence. Robinson does not provide even a hint of the sort of social change that would be required for racism to disappear in a country founded on a racial caste system, particularly given 100 years of disruptive emigration crises of the type that have, in every past era of US history, substantially increased systematic racism.

In a similar omission, the political organization of this world is decidedly strange. For most of the book, politics are hyperlocal, tightly focused on organizations and communities in a tiny portion of New York City. The federal government is passive, distant, ignored, and nearly powerless. This is something that could happen in some future worlds, but this sort of government passivity is an uneven fit with the kind of catastrophe that Robinson is projecting. Similar catastrophes in human history, particularly in the middle of a crisis of mass migration, are far more likely to strengthen aggressive nationalists who will give voice to fear and xenophobia and provide a rallying point.

Every future science fiction novel is, of course, really about the present or the past in some way. It becomes clear during New York 2140 that, despite the ecological frame, this book is primarily concerned with the 2008 financial crisis. That makes some sense of the federal government in this book: Robinson is importing the domestic economic policy of Bush and Obama to make a point about the crisis they bungled. Based on publication date, he probably also wrote this book before Trump's election. But given the past two years, not to mention world history, these apathetic libertarian politics seem weirdly mismatched with the future history Robinson postulates.

There are other problems, such as Robinson's narrative voice convincing me that he doesn't understand how sovereign debt works, and as a result I kept arguing with the book instead of being drawn into the plot. That's a shame, since this is some of the best character work Robinson has done. It's still painfully slow; about halfway through the book, I wasn't sure I liked anyone except Vlade, the building super, and I was quite certain I hated Franklin, the derivative trader obsessed with seducing a woman. But Robinson pulls off a fairly impressive pivot by the end of the book. Charlotte, the social worker and co-op president who determinedly likes all of the characters, turns out to be a better judge of character than I was. I never exactly liked Franklin, but Robinson made me believe in his change, which takes some doing.

Amelia, the streaming video star, deserves a special mention due to some subtle but perceptive bits of characterization. She starts out as a stereotype whose popularity has a lot to do with her tendency to lose her clothes, and I wish Robinson hadn't reinforced that idea. (I suspect he was thinking of the (in)famous PETA commercials, but this stereotype is a serious problem for real-world female streamers.) But throughout the story Amelia is so determinedly herself that she transcends that unfortunate start. The moment I started really liking her was her advertisement for Charlotte, which is both perfectly in character and more sophisticated than it looks. And her character interactions and personal revelations at the very end of the book made me want to read more about her.

There were moments when I really liked this book. The plot finally kicks in about 70% of the way through, much too late but still with considerable effectiveness. This is about the time when I started to warm to more of the characters, and I thought I'd finally found a Robinson book I could recommend. But then Robinson undermined his own ending: he seemed so focused on telling the reader that life goes on and that any segment of history is partial and incomplete that he didn't give me the catharsis I wanted after a harrowing event and the clear villainy of some of the players. For a book that's largely about confronting the downsides of capitalism, it's weirdly non-confrontational. What triumph the characters do gain is mostly told, narrated away in yet another infodump, rather than shown. It left me feeling profoundly unsatisfied.

There's always enough meat to a Kim Stanley Robinson novel that I understand why people keep nominating them for awards, but I come away vaguely dissatisfied with the experience. I think some people will enjoy this, particularly if you don't get as snarled as I was in the gaps left in Robinson's political tale. He is clearly getting better on characterization, despite the exceptionally slow start. But the story still doesn't have enough power, or enough catharsis, or enough thoughtful accuracy for me to recommend it.

Rating: 6 out of 10


Introducing Darkstar: a Xerox Star emulator [OSnews]

Given its history and relationship to the Alto, the Star seemed appropriate for my next emulation project. (You can find the Alto emulator, ContrAlto, here). As with the Alto a substantial amount of detailed hardware documentation had been preserved and archived, making it possible to learn about the machine’s inner workings… Except in a few rather important places. Fortunately, Al Kossow at Bitsavers was able to provide extra documentation that filled in most of the holes. Cross-referencing all of this with the available schematics, it looked like there was enough information to make the project possible.

This is an amazing project, and the article provides a lot of details about the process of writing the emulator. I’m definitely going to try this out this week to see if I can get it running. I’ve never used the Star, and that’s likely never going to change – they’re rare, expensive, and in museums – so this is the next best thing. I think most of us owe it to ourselves to try this out.


zkeme80: a Forth-based OS for the TI-84+ calculator [OSnews]

If you’ve been looking at operating systems for the TI-84+, chances are you’ve come across KnightOS. It’s well developed and has plenty of Unix-like features such as filesystems and tasks, and even a C compiler. But maybe that’s not what you want. You want a minimal operating system that allows you to extend it in any way you wish, bonus points if you don’t need to know Z80 assembly to do so. zkeme80 is that operating system, a minimal core with a mostly ANS standard conforming Forth interpreter/compiler. From words covering sprites and graphics, to text and memory access, everything you need to make the next hit Snake clone or RPN-based layer is already there. zkeme80 lowers the barrier of entry for customizing an operating system and enables rapid development cycles. Below the Forth layer, you’ll find two lowest level and highest level languages, Z80 assembly and Scheme. The best assembler is an extensible one, where writing macros should be a joy, not a pain, and Scheme has that macro system.

I wish I still had the TI-83 I used back in high school. A friend and I bought a communication cable for our TI-83s so that we could play multiplayer Bomberman during classes. Fun times.

Windows 98 icons are great [OSnews]

Rather than some designer’s flashy vision of the future, Windows 98 icons made the operating system feel like a place to get real work done. They had hard edges, soft colors and easy-to-recognize symbols. It’s obvious that the icons were meticulously crafted. Each 256-color .ico file includes a pixel-perfect 16×16, 32×32 and 48×48 version that looks equally good on the taskbar and desktop.

They are, indeed, quite good. Most platforms from that era had exquisite icon design – think Mac OS 9 or BeOS – and we really seem to have lost some of that usability. I feel like Haiku’s current icon set best captures that same aesthetic, but in a modern coat (and a unique, custom-designed vector icon format).


CES-goer says his camera was killed by a self-driving car's LIDAR [Cory Doctorow – Boing Boing]

Jit Ray Chowdhury attended CES in his capacity as an autonomous vehicle engineer, and while there, snapped a picture of a self-driving car equipped with a LIDAR system from Aeye; he says the LIDAR's laser lanced through his camera's aperture and zapped its optical sensor, burning a permanent spot into it and ruining the camera (Aeye has offered to replace it).

LIDAR systems need to comply with rigorous safety rules to ensure that they don't blind human eyes, but camera eyes are much more sensitive (this is the basis for IR-reflective materials that confuse CCTVs).

Self-driving cars use both conventional cameras and LIDAR to guide themselves so any camera-blinding potential in LIDAR systems on autonomous vehicles could wreak havoc with other nearby cars.

AEye uses 1550nm lasers. And unfortunately for Chowdhury, cameras are not filled with fluid like human eyes are. That means that high-power 1550nm lasers can easily cause damage to camera sensors even if they don't pose a threat to human eyes.

AEye is known for claiming that its lidar units have much longer range than those of competitors. While most lidar makers say their high-end lidars can see 200 or 300 meters, AEye says that its lidar has a range of 1,000 meters. When I talked to AEye CEO Luis Dussan about this claim last month, he said that one factor in AEye's long range is the use of a powerful fiber laser.

"One of the most important things about fiber lasers is that they can be amplified," Dussan said. "Very short pulse, huge amount of signal."

Man says CES lidar’s laser was so powerful it wrecked his $1,998 camera [Timothy B Lee/Ars Technica]

(via Hackaday)


Even with the Google/Fossil deal, Wear OS is doomed [OSnews]

It’s all being blown way out of proportion. The Fossil deal is not going to fix Wear OS. This is not the acquisition that will lead to a Pixel Watch. In reality, the deal was probably too small to really matter. Let’s pour some cold water on all this optimism. Wear OS is still doomed.

I wouldn’t call Wear OS “doomed” per se, but to say it’s not doing particularly well is a massive understatement.


Carl Chenet: How I Switched Working From Office Full Time to Remote 3 Days A Week [Planet Debian]

Remote work is not for everyone. It depends a lot on each person’s taste. But it’s definitely for me. Here is why and how I switched from working full time in an office to 3 days of remote work.

TL;DR: After working from home for a few months, I was convinced remote work was my thing. I had to look for a new freelance contract including remote work and I had to refuse a lot of good offers banning remote work. At least in my country (France), finding remote work, even part time, is still difficult. It greatly depends on the company culture. I’m lucky enough, my current client promotes remote work.


If you follow my blog on a regular basis (RSS feed if you like it), you know I’ve been working remotely for a while, starting with one day a week when I was working part time in order to be more productive for my side projects.

But this article will explain why and how I decided to start working remotely and what kind of choice – professional and personal – I had to do in order to achieve this goal.

Why working remotely suits me

I’ve been a freelancer since 2012 and usually work at the office of my clients. I had 2 intense years some time ago and it was so intense I needed a break. That’s not optimal because, as you know, a freelancer does not earn money when he does not work. No paid vacation. Moreover the freelancer can not count on any unemployment compensation (at least in France). I have worked on side projects since 2015 but I’m far from being self-sufficient. After my previous mission, I took a 6 month break and had important personal finance issues after that. You can guess. So it’s obvious that if I want to remain freelance, I need to work on a regular basis.


Paris is a quite crowded city. Public transportation is overcrowded and some subway lines are too old. It generates a lot of stress for everyone, public transportation workers and users. When you go to work and especially if you live in the Paris suburbs, after a chaotic ride from home, it usually means you haven’t started to work but you’re already stressed out. You also waste between 45 minutes and 1h30 for each ride, between 1h30 and 3 hours each day!

Given the fact I work on several side projects, helping communities to grow and developing online services, I need time. Even the lunch break time. I’m not a workaholic, I love playing squash, watching movies, reading, playing poker so I’m not going to work everyday until 2 or 3am.

Playing Squash during lunch break on remote days (Paris, Charléty stadium)

Once my daily job is finished, I need my free time. And don’t talk to me about waking up at 5am. Tried that. Once. Never again.

My main job is system architect. I mostly work on complex issues, like scalability of high-traffic websites or migrating old platforms to the cloud. I need peace and long periods of time without interruptions in order to think.

Open space is a waste of both my time and resources, given the fact I cannot manage useless interruptions when I’m at the office as efficiently as while I work remotely (I just don’t reply). Some jobs need a lot of interactions with others (managers), others need silence and peace. It’s a fact. Meetings are sometimes useful, but I don’t need to be at the office 5 days a week for these. And online tools are now quite efficient for short meetings.

How I switched

During my 6-month break, I have been working on my side projects from home. I knew I was ready.

When I started to search for a new contract, I was looking for companies allowing remote work. In France it’s not so common and sometimes remote workers are seen as slackers. Given this reputation, I had to stand firm about it while applying.

Another issue comes from the recruiters. Some of them are overoptimistic about remote work and tell candidates that remote work will be allowed soon in their company. That is not often the case and even if it is, it could take months or years. Moreover remote work is a culture, it’s not so simple to set up. If the company culture is not ready, it’s only a matter of time before cancellation. Yahoo! famously did exactly this, banning work from home.

I finally chose the company that was the best fit for me. Given the price of office space in Paris and the fact that the company is still growing, they had to encourage working from home. A really good point for me. During the interview, my boss told me members of the team were working remotely on a regular basis, 1 or 2 times a week.

Of course I started slow and for some months worked full time in the office. Then I started with only one day a week. I was not bored to death working at home. I was still efficient. Even more efficient on complex tasks. Less interruption, less noise and I was not forced to use headphones any more.

At home, drinking tea all day long

I soon started to work 2 times a week from home. Working remotely is written in the DNA of this company and anybody is easily reachable. Being quite self-sufficient on my projects, I mostly need to go to the office to enjoy the team and for meetings. From a technical point of view, being at home or at the office is exactly the same thing. We use a laptop and a VPN. Most of the company tools are Software As A Service (SAAS), reachable from anywhere around the world.

These days, depending on business or team meetings, I work up to 3 days from home, and I enjoy doing so.

To be continued

Working remotely is a great asset some positions can offer. Definitely not for all kinds of jobs, but it addresses some real issues like commuting and allows better personal time management. I guess the taste for working remotely is different for everyone, but in my case it suits my lifestyle and I’ll make it a requirement for my next jobs.

About The Author

Carl Chenet, Free Software Indie Hacker, Founder of, a Job board dedicated to Free and Open Source Software Jobs in the US (soon to be released).

Follow Me On Social Networks


Sunday, 20 January


Link [Scripting News]

New header image, MLK at a rally. Previous, almost-frozen pond in upstate NY.

Link [Scripting News]

Clear-thinking and goal-oriented users are a blessing for software developers.


Link [Scripting News]

Icy light this afternoon in the park.


Torrent Paradise Creates Decentralized ‘Pirate Bay’ With IPFS [TorrentFreak]

IPFS, short for InterPlanetary File System, has been around for a few years now.

While the name sounds alien to most people, it has a growing userbase among the tech-savvy.

In short, IPFS is a decentralized network where users make files available among each other. If a website uses IPFS, it is served by a “swarm” of people, much like BitTorrent users do when a file is shared.

The advantage of this system is that websites can become completely decentralized. If a website or other resource is hosted with IPFS, it remains accessible as long as the computer of one user who “pinned” it remains online.

The advantages of IPFS are clear. It allows archivists, content creators, researchers, and many others to distribute large volumes of data over the Internet. It’s censorship resistant and not vulnerable to regular hosting outages.

It’s also a perfect match for ‘pirate’ sites. The decentralized nature makes IPFS sites virtually impossible to shut down. This aspect was already highlighted by Pirate Bay co-founder Peter Sunde, back in 2016.

“IPFS is really good and if everyone started using that instead it would be great. It would be working perfectly with less centralization. The problem is that the big sites like TPB and KAT are not really good at using new technology,” Sunde said.

KAT was shut down shortly after Sunde commented and while The Pirate Bay remains online, it now suffers more downtime than ever. Still, none of the major pirate sites have shown an interest in IPFS thus far.

There are others who’ve taken up this challenge though. A developer going by the handle ‘Urban Guacamole’ recently launched Torrent-Paradise, a torrent index which is powered with IPFS.

“I feel like decentralizing search is the natural next step in the evolution of the torrent ecosystem. File sharing keeps moving in the direction of more and more decentralization, eliminating one single point of failure after another,” he informs TF.

To start the site Torrent-Paradise used a copy of The Pirate Bay database. This was transformed into a searchable index with help from and the site’s operator has a DHT crawler which, at the moment, adds approximately 20,000 new torrents per day.

This all sounds positive but there are also some drawbacks.

One of the main hurdles is that IPFS has to be installed and configured if you want to become a node. This is a relatively easy process, but the average web user may not be familiar with using a command line to set it up, which is a requirement.

However, there are also IPFS gateways available. Cloudflare, for example, introduced one recently. This allows anyone to access sites such as Torrent-Paradise through a custom URL, but these people don’t help to share the site.

Another downside is that the static index which the site relies on is only updated once a day. This isn’t a technical restriction, but more a practical one. In theory, it could be updated in near real-time.

At the moment there’s both a regular Torrent-Paradise website, accessible to all, as well as an IPFS version which will remain ad-free. The site itself is fairly basic, but the real point of it is to showcase the power of decentralization.

The decentralization of file-sharing has been ongoing for decades. The BitTorrent protocol is decentralized, for example. And The Pirate Bay moved this further by removing its tracker and torrents, relying on DHT and magnet links instead.

“Decentralizing torrent search is next,” Urban Guacamole says, who believes that IPFS could become more common among torrent sites in the future.

Torrent-Paradise’s operator sees ‘availability’ as one of the main advantages. In this case, that goes hand in hand with being censorship resistant.

“Because each update of Torrent Paradise is an IPFS hash, it is impossible for anyone, including me, to take down the site. As long as there’s someone pinning it (the IPFS equivalent of seeding), the site will be available.”

Since the site started out as a Pirate Bay copy, rightsholders may eventually come in with complaints. While the site will comply with DMCA notices, it can’t control the hashes that are already shared in the network.
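The two properties the article leans on, that a site is identified by a hash so nobody can alter it once published, and that it survives as long as one peer pins it, follow from content addressing. The flip side, hinted at in the gateway paragraph above, is that someone who reads the site through a gateway rather than a local node is trusting the gateway to return the right bytes unless they check the hash themselves. The following is an added example, not code from Torrent-Paradise or from IPFS: a toy content-addressed swarm in Python. It uses plain hex SHA-256 digests as addresses (a stand-in for real IPFS CIDs, which wrap a multihash in a multibase encoding), models pinning and garbage collection, publishes a small constructed "site" as a manifest of per-file addresses, mirrors it to a second peer, and shows that a tampering gateway is caught by verifying fetched bytes against the address they were requested under. The file names, the sample index entries and the gateway are all constructed for the example.

```python
import hashlib
import json


def address_of(data: bytes) -> str:
    # Hex SHA-256 stands in for a real CID; what matters is that the
    # address commits to the exact bytes.
    return hashlib.sha256(data).hexdigest()


class Node:
    """One peer: a block store plus the set of addresses it has pinned."""

    def __init__(self):
        self.blocks = {}
        self.pins = set()

    def put(self, data: bytes, pin: bool = False) -> str:
        addr = address_of(data)
        self.blocks[addr] = data
        if pin:
            self.pins.add(addr)
        return addr

    def gc(self):
        # Unpinned blocks are garbage-collected; pinned ones survive.
        self.blocks = {a: d for a, d in self.blocks.items() if a in self.pins}


def swarm_fetch(nodes):
    """Return a fetch function that asks each online node in turn."""
    def fetch(addr):
        for node in nodes:
            if addr in node.blocks:
                return node.blocks[addr]
        raise KeyError(f"no online node holds {addr[:12]}")
    return fetch


def verified_get(fetch, addr: str) -> bytes:
    """Fetch bytes from an untrusted source and check they match the address."""
    data = fetch(addr)
    if address_of(data) != addr:
        raise ValueError(f"content for {addr[:12]} does not match its address")
    return data


def publish_site(node: Node, files: dict) -> str:
    """Store each file, then a manifest naming them; the manifest's address is the site root."""
    manifest = {name: node.put(body, pin=True) for name, body in files.items()}
    return node.put(json.dumps(manifest, sort_keys=True).encode(), pin=True)


def pin_site(node: Node, fetch, root: str):
    """Mirror a site: fetch, verify and pin the manifest and every block it references."""
    manifest_bytes = verified_get(fetch, root)
    node.put(manifest_bytes, pin=True)
    for addr in json.loads(manifest_bytes).values():
        node.put(verified_get(fetch, addr), pin=True)


def load_site(fetch, root: str) -> dict:
    """Resolve a root address to {file name: bytes}, verifying every block."""
    manifest = json.loads(verified_get(fetch, root))
    return {name: verified_get(fetch, addr) for name, addr in manifest.items()}


def tampering_gateway(fetch, substitutions: dict):
    """A gateway that answers some addresses with altered bytes (constructed attacker)."""
    def gw(addr):
        return substitutions.get(addr, fetch(addr))
    return gw


def demo() -> dict:
    publisher, mirror = Node(), Node()
    # Constructed sample site; the real index is a large static torrent list.
    site_v1 = {"index.html": b"<h1>torrent index</h1>",
               "index.json": b'[{"name": "example.iso", "infohash": "0000"}]'}
    root_v1 = publish_site(publisher, site_v1)
    # A second peer pins the whole site, the "seeding" equivalent from the article.
    pin_site(mirror, swarm_fetch([publisher]), root_v1)
    # With the publisher offline, the mirror alone still serves v1 intact.
    mirror_serves_v1 = load_site(swarm_fetch([mirror]), root_v1) == site_v1
    # A daily update is a new root; the old root still names the old content.
    site_v2 = dict(site_v1, **{"index.json": b'[{"name": "example.iso", "infohash": "0000"},'
                                             b' {"name": "new.iso", "infohash": "1111"}]'})
    root_v2 = publish_site(publisher, site_v2)
    # A gateway swaps the HTML for a credential-stealing page; the hash check catches it.
    bad = tampering_gateway(swarm_fetch([publisher, mirror]),
                            {address_of(site_v1["index.html"]): b"<h1>enter your password</h1>"})
    try:
        load_site(bad, root_v1)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # An unpinned scratch block does not survive garbage collection; pinned ones do.
    scratch = publisher.put(b"draft", pin=False)
    publisher.gc()
    unpinned_gone = scratch not in publisher.blocks and root_v1 in publisher.blocks
    return {"root_v1": root_v1, "root_v2": root_v2,
            "mirror_serves_v1": mirror_serves_v1,
            "tamper_detected": tamper_detected,
            "unpinned_gone": unpinned_gone}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `verified_get` is that a local IPFS node performs this check for you, while a browser hitting a public HTTP gateway gets whatever the gateway returns; the root hash published by the operator is only a guarantee for readers who verify against it.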

For the time being, Urban Guacamole plans to continue his work on the site. With a free domain name and Cloudflare support, it only costs roughly $4 a month, so the cost is not a factor.

Perhaps something for The Pirate Bay to consider?

“It most definitely would help them keep their site available when their servers are down,” Urban Guacamole says.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Link [Scripting News]

I'm even older than Aaron Sorkin, and I can't believe he said that. The "young people" he's talking about is of course AOC who should keep doing exactly what she's doing. So brilliant and clear-thinking and joyful. Exactly what we need now. And of course she has the answer.


Sune Vuorela: KookBook 0.2.0 available – now manage your cooking recipes better [Planet Debian]

I got a bit traction on KookBook and decided to fix a few bugs, mostly in the touch client, and add some features.

Get it here: kookbook-0.2.0.tar.xz

KookBook is now also available in Debian, thanks to Stuart Prescott

KRecipe converter
Some people have a large recipe collection in KRecipe and would like to try out KookBook. I wrote a conversion python script, now available. It works in the “current directory”: it reads the krecipe database from there and outputs KookBook markdown files in the same directory. It has so far been tried on 1 database.

Bug fixes

  • Fix install of touch client
  • Fixes in desktop files
  • Fixes in touch client’s file open dialog
  • Touch client now shows images in recipes
  • You could end up with no dock widgets and no toolbar and no way to recover in the desktop client. This is now fixed
  • Build fixes

Some people have started talking about maybe translation of the interface. I might look into that in the future.

And I wouldn’t be sad if some icon artists provided me with an icon slightly better than the knife I drew. Feel free to contact me if that’s the case.

Happy kooking!


My Flickr photos on [Scripting News]

If you recall, I asked Flickr for the archive of my photos. I got most of them. Spent some time trying to understand the connection between the JSON bits and the JPEG bits. Finally found the correlation. Then I spent a day building a static site from all that info, and uploaded it to a folder on, which is a bucket on Amazon S3.

The result is 5815 pages like this.

I like to hit the Random button and when I find something interesting, hit the prev button until I find the beginning of the sequence, and then hit the next button to go through them.

I also included a link to the Scripting News blog page for the day the photo was taken. Often you'll get an idea of the context, where I was, what I was doing, maybe even some comments on the picture itself. I tended to upload pictures to Flickr when I was traveling somewhere. To Amsterdam, New Orleans, driving cross country, going to a political convention, or a tech conference.


Link [Scripting News]

It's not a project I could undertake personally, but I would love a version of Frontier that runs on Ubuntu. Then I could move my whole act there. It's the only reason I have to use a Mac for my dev work.


Essay: Religion is Like a Fungus [Nina Paley's Blog]

Some of the most maladaptive social behaviors I see seem to indicate deep human longings for religion and/or magic. Here’s something I wrote about religion in December. It’s weird. You don’t have to agree.


Religion is like a fungus: seemingly toxic, but an essential part of an ecosystem we don’t understand.

Culture is alive. Just as physical living organisms are interconnected in complex ways, so are cultural organisms.

Our usual approach to Life is to think of organisms as discrete individuals. The plant is one thing, the soil is another, the insects another, and the fungus is some pathogen or pest. The animal is an individual, whose life processes are carried out by its individual organs. A human is one thing, culture is another; an intestine is one thing, gut flora are another.

Only recently have we acknowledged that animal digestion relies on bacteria. Without internal bacteria, animals cannot live. That bacteria is communicated through a complex living environment we remain mostly stupid about.

Religion is like a fungus. Consider Penicillium: a mold that spoils bread. No one wants moldy bread. If our bread is moldy, we curse the mold, and perhaps dream of a world in which mold is eliminated.

Suppose we succeed in wiping out the nasty bread mold. Do we end up with clean, pure bread? No, we open the door to far more toxic organisms.

I am highly critical of established religions. Terrible things are done in their names. They do seem toxic.

But a human mind without religion does not become some pure, rational ideal. The human mind never was and never will be pure or discrete. The human mind exists in a cultural ecosystem we do not fully (or even begin to) understand.

Because cultural ecosystems are barely acknowledged, let alone studied, there aren’t well-developed ways to talk about them. I use the metaphor of soil: human minds are the soil in which culture lives. Culture itself may be “airborne,” like spores. A human mind with permeable ears and eyes will be colonized by music, images, language, gestures, sounds, patterns, and much more we can’t even name. Trying to stop culture from entering a mind by enclosing it just makes the system unhealthy – like wrapping food in plastic. It works for a short time, but eventually traps colonies of microbes, and not the ones you want.

Better to keep the mind nicely aired out, with an open flow of culture around it, so it can stay healthy.

Established religions may protect minds against even more toxic cultural organisms, just as Penicillium makes bread inhospitable for pathological bacteria. For all its faults, Abrahamism may protect minds from even worse ideologies.

Atheism has become very popular in the West over the last few decades. I’m all for it. Except…it has coincided with the rise of some pretty toxic new religions. Foremost is genderism, the belief in an unprovable, indefinable gendered essence (soul) that can be born in the wrong body. Genderism is remarkably popular among professed atheists.  Danielle Muscato is a prime example.

This is anecdotal, and I am only one data point, BUT: I’ve noticed that the most toxic, extreme genderists tend to identify as atheists, while many of the most benign and rational genderists I’ve encountered practice a traditional religion (Christianity). They may not even be genderists per se, but they are transsexuals. I speculate their established religion protects them from the worst cultural toxins – misogyny, dishonesty, entitlement, violence – attendant to gender extremism.

For all my criticism of religion, I conclude that humans may need it. Killing off religion may be like killing off “pests”: seemingly beneficial in the short term, but having complex effects on the larger ecosystem that can be catastrophic. Healthy soil needs – largely is – fungi and bacteria. Healthy minds – the soil of culture – may require similarly unsympathetic cultural organisms. Like physical Life on Earth, most mental life is “below ground,” and staggeringly complex. The writhing colonies of organisms that live in dark places may disgust us, but our life and health depend on them.


Today in GPF History for Sunday, January 20, 2019 [General Protection Fault: The Comic Strip]

Fooker quickly finds that a "pay as you go" mobile data plan has its caveats...


Link [Scripting News]

At DLD, an annual tech conference in Munich, the week before Davos, Sheryl Sandberg asks What Kind of Internet Do We Want? Her company is suffocating the open web, so it’s really not her question to ask. Imho, ultimately we'll think of the big tech companies the way we think of any powerful dominant industry. Imagine the CEO of Exxon on stage asking What Kind of Environment Do We Want? The pundits would say "see there's nothing to worry about, Exxon wants the best for us." And of course they don't. Not their job.

Link [Scripting News]

Also I see what she did there. Sandberg asks what kind of internet do we want. Hah. As if what we want has anything to do with it. They hire good PR consultants and speech writers at Facebook. The best. Remember, never automatically accept the premise of a question.

Link [Scripting News]

James Ball writing in the Columbia Journalism Review says tech companies should not fund journalism, for the same reasons I've been giving for decades. But he misses one. Tech has created a level playing field where you and I have equal chance to write the news as any comfortable Church of The Savvy pundit. Journalism wants money from tech so they can keep pretending they are the source of truth for the masses, when their lazyness and corruption have made our lives worse. We need an Indivisible for journalism. Journalism should compete with tech, as distasteful as it may be for them to create a level playing field where all of us can report the news. Tech had the guts to give all of us an equal voice. Journalism must match that.


Popular BitTorrent tracker Linkomanija Must Be Blocked, Appeal Court Rules [TorrentFreak]

It’s certainly not difficult to see why Linkomanija is a major irritant to copyright holders in Lithuania and further afield.

For well over a decade the site has been a major force involved in the sharing of unlicensed content. Even today, despite years of conflict and attacks against the site, Linkomanija is not only Lithuania’s most popular torrent index but also the 18th most popular site in the country, period.

Now, however, copyright holders hope that traffic to the site can be brought under control with the introduction of a court-ordered ISP blockade.

The Lithuanian Copyright Protection Association (LATGA) began its blocking efforts against Linkomanija back in 2016 when it filed a lawsuit at the Regional Court of Vilnius demanding that several local ISPs prevent their subscribers from accessing the site.

In November 2017, the Court issued an order which required the country’s largest Internet providers including Telia, Bitė, LRTC, Cgates, Init, and Balticum TV, to start blocking access to the popular torrent tracker.

However, the Court ordered the costs associated with blocking to be borne by the plaintiff and with ISP Telia complaining that blocking the entire site (which has been used by rightsholders to distribute legal content) could amount to a restriction on free speech, an appeal was quickly on the cards.

After more than a year, the case has now been decided. ISPs will have to begin blocking Linkomanija with immediate effect.

“For two years, we have been in court with this Linkomanija case,” LATGA lawyer Andrius Iškauskas told Delfi.

“The court of first instance made a favorable decision for us, then it was appealed, and the Court of Appeal dismissed the appeal and essentially confirmed all our arguments that blocking Linkomanija is an appropriate and effective measure.

“This decision can still be appealed to the Supreme Court, but it is already valid and operators will have to execute it and block access to Linkomanija. I think that this decision will help to protect the rights of creators,” Iškauskas added.

LATGA director Jonas Liniauskas says that he’s pleased the Court listened to the concerns of rights holders and notes that legislative changes helped the case along.

“We are very pleased that the Lithuanian courts have finally heard authors who lose a large part of their income due to pirate activity,” he said.

“I have no doubt that such decisions have been greatly influenced by the amendments to the Lithuanian Law on Copyright and Related Rights, as well as European case law, which will make it possible to protect authors more effectively from pirates on the Internet.”

In common with all regions where the blocking of one site is ordered, further blocks against more sites are now expected in Lithuania.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.


Take your seats for a fight at the opera | David Mitchell [David Mitchell | The Guardian]

Nothing enhances our lives quite like a good spat between cultural purists and the supposed riff-raff

Sometimes I think I’m the perfect person to analyse the cultural impact of music. I’m pretty sure no one else has ever thought that about me, though. And actually, even I don’t think it very often.

My weakness in the role would undoubtedly be my ignorance of music. Not complete ignorance: it’s impossible, it turns out, no matter how little interest you show, to remain alive for 44 years in modern Britain without having heard of Mozart and Rihanna – though I had to check the spelling of the latter. And, come to think of it, I’m quite partial to Magic FM on a car journey and also I watched that Bros documentary everyone’s going on about.

It’s not about music, it’s about a group defining itself around something from which it derives a sense of superiority



The fourth cycle of the hive mind (and what to do about it) [Seth's Blog]

The first cycle of computers was good at:

  • arithmetic
  • and storing data

This meant that if you wanted to know how strong a bridge was going to be, or how to schedule a complicated series of truck deliveries, a computer was the very best way to do it. The 1960s and 70s were transformed by these two simple tasks. We were able to send a rocket to the moon, design more efficient engines and compute weighted class rank using centralized, expensive computers.

The second cycle, though, was the dawn of the connection economy. These computers permitted us to bring distant events next to each other. This was the telephone plus the fax machine equals remote coordination.

And so you could use a credit card anywhere in the world, call an 800 number to place an order, and have your insurance updated immediately. It meant that workers and productivity were even more measured, and so were students.

Email and the internet populated large databases. It gave us Wikipedia, a web page for every business, eBay, LinkedIn and Paypal.

We used the powers of the first cycle, sure, but the second cycle added connection.

The third cycle combines the first two and it permits us to shift place and time.

You can watch a twenty-year-old movie or participate in a video call with someone halfway around the world. Someone in Bulgaria can retouch your photos. Your phone knows where you are and who has been there before. Each cycle builds on the one before. Google Maps is arithmetic plus data plus remote data entry plus location.

And the fourth cycle, which is now arriving, shifts direction from the previous two (which were about connection more than processors) and brings prediction to the table. Call it AI if you want to, but to be specific, it’s a combination of analyzing information and then predicting what we would do if we knew what the computer knew.

The prediction of the fourth cycle isn’t simply done in a centralized location, because the previous cycle put the computer everywhere. So now, we’re connecting all the computers the way we previously connected all the people. Now, we’re giving those computers the ability to make predictions based on what thousands of people before us have done.

If you’re a mediocre lawyer or doctor, your job is now in serious jeopardy. The combination of all four of these cycles means that the hive computer is going to do your job better than you can, soon.

With each cycle, the old cycles continue to increase. Better databases, better arithmetic. Better connectivity, more people submitting more data, less emphasis on where you are and more on what you’re connected to and what you’re doing.

We’d like to think that this is it, that Facebook plus Apple plus Amazon plus Google is the status quo going forward.

But just as we made a massive leap in just fifteen years, the next leap will take less than ten. Because each cycle supports the next one.

Welcome to the fourth cycle. The hive will see you now.


Unity by Tintin Pantoja [Skin Horse]

Shaenon: Oh my gosh, look at this!  The wonderful graphic novel artist Tintin Pantoja drew a portrait of Unity.  Thank you so much!  I really want to work with Tintin on a comic, but I haven’t managed to write a good script.  Sorry, Tintin!  It will happen!

Channing: Ee! That’s amazifying! I love the expression. Thanks so much!

Saturday, 19 January


Fundraising to save Burbank's horror bookstore Dark Delicacies [Cory Doctorow – Boing Boing]

Burbank's amazing quarter-century institution Dark Delicacies is a horror book-, memorabilia- and clothing-store that is a community hub for genre creators, hosting a wonderful stream of events, signings, and even an annual chance to get your photo taken with Krampus at a Christmas open-house.

It's also a potential casualty of the skyrocketing rents in Magnolia Park, where greedy landlords are throwing out the neighborhood's unique indie tenants as fast as they can in the hopes of luring in multinational corporations to open stores that can already be found in every mall and that will destroy any reason for people to come to the neighborhood in the first place.

I live a five-minute walk from Dark Delicacies and they've hosted events and fulfilled signed-book orders for me in the past. They're great, community-minded people, and due to a rent-hike, they're moving to a space around the corner (it could be worse -- until they found the new space, they were going to shut down altogether).

But having run a shoestring, passion business for so many years, they lack the funds to pay for the move, so they're hoping their supporters in the neighborhood will kick in for a GoFundMe where they're hoping to raise $20,000. They're at $3,400 right now and I just kicked in $100.

One of our greatest joys has been giving back, by sponsoring and hosting numerous charity events for both our two and four-legged friends. We are very proud of the “people of horror,” whose support and generosity have helped so many.

We knew we would never become rich running the store, and that was okay. We just wanted to be able to do something we loved and be a part of the community we cherished.

Unfortunately, like so many other places, the landscape in Burbank is changing. Rents have skyrocketed, and many of the unique stores that put the area on the map have been forced to move or close their doors altogether. This little neck of the woods is so beloved, a Save Magnolia Park campaign and video were created.

With our lease up in May, Sue and I thought it was the end of our brick and mortar store. We resigned ourselves to the fact that we would be forced to close, just shy of our 25th anniversary. We were heartbroken.

Then, a store front around the corner became available. A possible new location, coupled with all the people who wrote and stopped by asking us to stay in business, made Sue and me realize we weren’t ready to go quietly into the night.

Dark Delicacies Relocation Fundraiser [Del Howison/GoFundMe]


TVZion ‘Pirate’ App Dev Threatens Anti-Piracy Measures to Screw Pirates [TorrentFreak]

Put on your protective irony suits folks, you’re definitely going to need them. Facepalming is also allowed, especially if accompanied by a slow head-shake.

With the downfall of Android-based apps like TerrariumTV, pirates everywhere are looking for the next big thing. Lots of content in a Netflix-style interface is the order of the day, and there is no shortage of contenders.

One player gaining traction with pirates is TVZion. The Android-based software looks good, performs well, and is a perfect fit for those looking to access all the latest movies and TV shows.

TVZion – Pretty and functional

The standard version of TVZion is free and supported by ads. There is a ‘pro’ version too which is advertised as “100% Ad free, premium features, priority requests and more.” Being in the ‘club’, however, comes at a price.

While some pirates are indeed happy to purchase the type of service detailed below (and indeed subscribe to the likes of Netflix and Spotify), the operator of TVZion appears exasperated by a growing number of users who want pro features at zero cost.

It’s cheap – but some people want cheaper

Such a thing is indeed an option, via modded TVZion APK files that are widely available and being promoted heavily by YouTubers. Trouble is, this apparent freeloading is grinding the dev’s gears while simultaneously undermining his product.

“So yesterday I had to take down the server momentarily to deploy yet another optimization. Upon checking logs now it’s safe to say about 35% users are mod users. Thanks to mindless youtubers, they are only linking to the modded versions,” he wrote on Reddit this week.

“Needless to say a server based app will not sustain this way because eventually I will run out of optimizations and server rent. So I am thinking of a countermeasure to deter users from wanting to use the modded version and also deter youtubers to linking to one.”

Presuming these freeloaders can be identified, the simplest method to end their fun would be to ban them from the service but according to the developer, he’s “looking for something more than that”, something that will act as a deterrent to prevent people using modded APKs altogether.

If this sounds like the start of an anti-piracy brainstorming session, hold onto your hats folks – this one is something special. Here are the options for punishing ‘illegal’ pro version users, as suggested by the developer:

  1. Log mod users for Ip addresses, timestamps and contents accessed and keep this information to be used as I see fit if it ever comes to that
  2. Crypto mining – Mine crypto currency in the background. From my experience this’ll only overwork the device for very little money
  3. Use device as proxy – This will essentially turn their device into a proxy server which will be rented to others (NOT A FAN OF THIS)

“Everything else that comes in my mind is rather more malicious so no point exploring that. The most graceful way to deal with this [in my opinion] is to simply let the user know that this is a mod app and now they are being logged. Let me know what do you think?” he added.

Even the most hardcore pirates in the world can’t fail to appreciate the irony here.

TVZion is an application that is designed to offer content that otherwise would cost a fee to access. Movie and TV studios all over the world are complaining that their stuff costs billions to make and pirates are undermining their business models. In some cases, these companies employ copyright trolls to log IP addresses with the aim of later punishing them.

And what we have here is a developer of a pirate application, complaining that his business model is being undermined by pirates, so the solutions should perhaps include logging their IP addresses with the aim of punishing them at a later point.

There can be no doubt that this developer has invested plenty of time and energy into what seems to be a very competent application that achieves its stated goals. That classic anti-piracy tactics are being discussed as a solution to protect revenues is ironic at best and mind-boggling at worst.

If we want to argue that the guy is justified in protecting his investment, we can do that. If we want to state he has every right to log the IP addresses of freeloaders taking his service for free, we can do that as well.

What we can’t do in parallel is criticize entertainment and anti-piracy companies for making the same case for logging infringers and taking subsequent action against them. Either taking other people’s content and monetizing it is fair game for all, or the entire house of cards comes tumbling down.

Although it’s impossible to say what is going on behind the scenes of the TVZion app, at least for now it appears that these suggestions haven’t been put into practice. Trouble is, once you talk about doing this kind of thing voluntarily to save a business model, what happens when the authorities come calling and action is required to save a skin?



[1053] What Would An Adelaide Do [Twokinds]

Comic for January 19, 2019


Two podcasts [Scripting News]

I took a longish walk this morning up to Zabar's and back, and listened to two podcasts on the way, Friday's Daily and last week's Radio Open Source. The Daily was about the splintering of the Women's March along racial lines. They discussed the issues that the march stood for, all of them women's issues, but they didn't get my perspective, and I marched, so I feel I'm entitled to an opinion. I didn't mind that they called it the Women's March, but I felt it was a march by everyone who was opposed to Trump. I was unhappy when they didn't let people who are anti-abortion speak (I am pro-choice btw). And it was totally predictable, based on experience in the antiwar movement of the 60s and 70s, that they would splinter and drift into irrelevance, taking our hopes of organizing against Trump with them.

The Radio Open Source episode was about the Green New Deal and our hero AOC. I am a huge fan of the podcast, and I have the same comment about this episode as I do about every one. What people want is meaning in their lives. That's why it's brilliant that AOC included the idea that any American can get a public service job helping America transition to the new energy system. Why is it so exciting? Because people want to make a difference, we all want our lives to mean something. Otherwise everything in the show was illuminating, as always, lots of new facts about solar and wind energy, and a general optimism which is what I enjoy most about the show.


Happy Birthday, Edgar Allan Poe! [Cory Doctorow – Boing Boing]

Neil Gaiman says Edgar Allan Poe should be read aloud, and he's right: he recorded this video of him reading "The Raven" in 2016 as part of Pat Rothfuss's Worldbuilders charity drive. It's Poe's birthday today, and I can think of no better way to celebrate it than to listen to it again.

Other ways to celebrate this magnificent torch:

* The spectacular pop-up edition

* The 50s hipster argot edition

* The 1969 rock-and-roll version

* Vincent Price and Boris Karloff's Raven-inspired magic duel

(Reposted from last year)

The EU's plan to impose mandatory copyright filters is on life-support and may die [Cory Doctorow – Boing Boing]

This Monday, the final "trilogue" (a meeting between the European Parliament, the European Presidency, and the EU member-states) was supposed to convene to wrap up the negotiations on the first update to the Copyright Directive since 2001, including the controversial Article 13 (mandatory copyright filters for online services) and Article 11 (letting news sites decide who can link to them and charging for the privilege).

But that meeting has been cancelled and now the whole thing is on life-support. If the Trilogue can be reconvened in a matter of days, then it's just possible that it could finish its work and send a final draft to the Parliament to be voted on, but that's getting less likely by the second, and a delay of more than a day or two will mean that this is off the table until after the next EU Parliamentary elections in the spring -- which is also after Brexit -- and which will likely result in a very different landscape for this kind of legislative gift to corporate lobbyists (between the rise of insurgent parties in the EU, and Brexit eliminating the UK MEPs most likely to carry water for companies like EMI and Sky).

Here's a very short version of how the Trilogue got cancelled and the Directive got put on life-support: back in the spring, Axel Voss, a German MEP, took over the drafting of the Directive, and revived the no-compromise versions of Articles 11 and 13, throwing out years of negotiations in order to give the record industry and aristocratic German newspaper families a huge legislative favour.

This kicked off massive public anger, with more than four million Europeans writing to the Parliament to ask for this to be reversed; it also mobilized some of the top technical experts, copyright scholars, investigative journalists, and many others speaking out against it.

After just barely surviving an unprecedented vote in the Parliament, Voss and his backers scrambled to rescue Articles 11 and 13. The corporations behind the law poured an ocean of dark money into it, while Voss draped a series of tiny, largely ornamental changes over the Directive in order to obfuscate its true objectives.

But the backers of Articles 11 and 13 were hardline, no-compromise copyright ultras who rejected any compromise language. The movie studio and TV divisions of the corporations that had backed Article 13 (through their music-label divisions) denounced Article 13 and called for it to be deleted from the Directive. They had won a ridiculous court victory in Germany and hoped to leverage that into effectively forcing all the internet companies out of business, so they could be turned into subsidiary arms of the entertainment conglomerates, much in the same way that Napster was just absorbed into BMG. Creating a rule that Big Tech could follow, even one as onerous as Article 13, scuttled that plan.

Then, the music industry also denounced the "compromise version" of Article 13, because it had been amended so that it was just barely possible for Google and the other Big Tech companies to actually comply with -- the record industry had been hoping to stick Big Tech with an impossible-to-follow rule, and then to use that rule as negotiating leverage to get them to pay more for music licenses ("Now you have to license from us, on our terms, because it is impossible for you to comply with Article 13, and only we can relieve you of the obligation to abide by it"). There are lots of problems with this, but the biggest one is that even after securing permission from the record labels, Big Tech would still be liable to enforcement from millions of other rightsholders.

Big Content's intransigence was the anvil, but the hammer was ordinary Europeans, leaning on their national governments. A campaign to get citizens of key nations to contact their governments was hugely successful, and the targeted countries let the EU Presidency know that they, too, would not stand for the Directive with Articles 11 and 13 intact.

Faced with both popular anger and corporate backers who had massively overplayed their hands, the EU Presidency threw in the towel, announced that there was no basis for negotiations, and canceled Monday's trilogue.

This stands a very high likelihood of killing off Articles 11 and 13 for good. As noted above, without a miraculous last-minute reprieve, the trilogue will almost certainly not reconvene until after the elections, and after Brexit, and that's going to be a very different world.

But the bad news is that as a result of Voss taking the Copyright Directive hostage to serve the parochial interests of German newspaper families and the vice-presidents of the entertainment companies' music divisions, the EU might not get all the other, noncontroversial, overdue technical updates to its copyright rules, long negotiated and badly needed. This should be remembered come the elections this spring: Voss's kack-handed attempt to sacrifice free speech, competition, the EU tech sector, and privacy to eke out some marginal gains for special interest groups has been a catastrophe, and it's all on him.

MEP Julia Reda now has the full breakdown of the votes, noting that 11 countries voted against the "compromise" text: Germany, Belgium, the Netherlands, Finland, Slovenia, Italy, Poland, Sweden, Croatia, Luxembourg and Portugal. That's... a pretty big list. Reda points out that most of those countries were concerned about the impact on users' rights (Portugal and Croatia appear to be outliers). That's pretty big -- as it means that any new text (if there is one) should move in a better direction, not worse.

As Reda notes, this does not mean that the Copyright Directive or Article 13 are dead. They could certainly be revived with new negotiations (and that could happen soon). But, it certainly makes the path forward a lot more difficult. Throughout all of this, as we've seen in the past, the legacy copyright players plowed forward, accepting no compromise and basically going for broke as fast as they could, in the hopes that no one would stop them. They've hit something of a stumbling block here. It won't stop them from still trying, but for now this is good news. The next step is making sure Article 13 is truly dead and cannot come back. The EU has done a big thing badly in even letting things get this far. Now let's hope they fix this mess by dumping Articles 11 and 13.

EU Cancels 'Final' Negotiations On EU Copyright Directive As It Becomes Clear There Isn't Enough Support [Mike Masnick/Techdirt]


Today in GPF History for Saturday, January 19, 2019 [General Protection Fault: The Comic Strip]

Fooker has a plan to break up Trudy and her new boyfriend (and his old bully), Butch...


AOC's debut speech as Congresswoman is the most popular Congressional video in C-SPAN history [Cory Doctorow – Boing Boing]

It's been three days since C-SPAN posted Alexandria Ocasio-Cortez's amazing, stirring freshman speech from the floor of Congress, and it has smashed all Congressional C-SPAN records with 3.1m views (as of the time of writing); at this rate, it may catch up with C-SPAN's most popular Senate video, the Kamala Harris/Brett Kavanaugh video, with 7.14m views.


Clint Adams: Using hkt findpaths in a more boring way [Planet Debian]

Did dkg certify his new key with something I've certified?

hkt findpaths --keyring ~/.gnupg/pubring.gpg '' \
        2100A32C46F895AF3A08783AF6D3495BB0AE9A02 \
        C4BC2DDB38CCE96485EBE9C2F20691179038E5C6 2>/dev/null


I (№ 46) have certified № 31 (0EE5BE979282D80B9F7540F1CCD2ED94D21739E9) which has certified № 257 (C4BC2DDB38CCE96485EBE9C2F20691179038E5C6).

Posted on 2019-01-19
Tags: quanks
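
As an added illustration of what a certification-path search does, here is a small breadth-first search over a web-of-trust graph. This is example code written for this page, not hkt's implementation, and the graph is constructed: the start key is assumed to be the post author's own certificate and the target dkg's new one, the edge through 0EE5... reproduces the path the post reports, and the remaining fingerprints and edges are invented filler.

```python
from collections import deque

# Constructed certification graph: certifier fingerprint -> set of fingerprints
# it has certified. Only the AUTHOR -> MIDDLE -> TARGET spine mirrors the post's
# output; every other node and edge is filler invented for this example.
AUTHOR = "2100A32C46F895AF3A08783AF6D3495BB0AE9A02"   # assumed: the searcher's own key
MIDDLE = "0EE5BE979282D80B9F7540F1CCD2ED94D21739E9"   # the intermediate key in the post
TARGET = "C4BC2DDB38CCE96485EBE9C2F20691179038E5C6"   # dkg's new certificate
FILLER_A = "1111111111111111111111111111111111111111"  # constructed
FILLER_B = "2222222222222222222222222222222222222222"  # constructed

CERTIFICATIONS = {
    AUTHOR: {MIDDLE, FILLER_A},
    MIDDLE: {TARGET, FILLER_B},
    FILLER_A: {FILLER_B},
    FILLER_B: {AUTHOR},   # a cycle back to the start, to show why revisits are refused
    TARGET: set(),
}


def find_paths(graph, start, target, max_hops=3):
    """Return every simple certification path from start to target that uses
    at most max_hops certifications, shortest paths first (breadth-first)."""
    if start == target:
        return [[start]]
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:      # hop budget exhausted on this branch
            continue
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in path:                # never revisit a key: keeps paths simple, ends cycles
                continue
            new_path = path + [nxt]
            if nxt == target:
                paths.append(new_path)
            else:
                queue.append(new_path)
    return paths


def shortest_path(graph, start, target, max_hops=3):
    """The first path BFS finds is a shortest one; None when no path exists."""
    paths = find_paths(graph, start, target, max_hops)
    return paths[0] if paths else None


if __name__ == "__main__":
    for p in find_paths(CERTIFICATIONS, AUTHOR, TARGET):
        print(" -> ".join(fpr[-8:] for fpr in p))
```

A tool like this only reports that a path exists; whether each certifier on it deserves to be trusted as an introducer is a separate judgement, which is why the post stops at "I have certified a key which has certified the new key" rather than treating the result as verification.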

Regular says she was banned from eating at the bar at Manhattan's scammy Nello restaurant because she might be a sex-worker [Cory Doctorow – Boing Boing]

After marketing executive Clementine Crawford published an essay about being banned from eating at the bar at her favorite New York restaurant, Nello (a notorious ripoff joint), because the owner, Nello Balan (already notorious for labor abuses), was "cracking down on escorts" and had decreed that only men would be permitted to dine at the bar, The Cut tried to get a comment on it from Balan, whose employees repeatedly hung up on them.

According to Crawford, when she told the owner that his policy was unfair and discriminatory and reminded him that she was a regular who'd spent a small fortune eating at his bar, the owner said "he could run his business as he pleased, and that I was no longer welcome to eat at the bar, only at a table."

I travel a lot and one of my favorite things to do when I'm out of town is "take myself out on a date." Often I've been in intensely social situations all day, speaking to a crowd, or being in close company with a group of colleagues, and -- hermit that I am -- I'm ready for some solo time.

So I'll go to a nice restaurant, the kind of place you usually need a reservation for, and just get a seat at the bar, where I can eyeball the whisky selection and find a really nice one to sample, and then I order stinky things that I normally avoid because my wife won't kiss me after I've eaten them (she's allergic to shellfish, so this is my chance to eat a lot of oysters).

Refusing to seat women at the bar is all kinds of wrong, and as a fellow hardcore traveller, my heart goes out to Crawford. As to Balan, between his disrespect for all women, his disrespect for his workers, and his disrespect for sex workers, well, New York has a lot of great restaurants to choose from, and Eater's description of Nello ("known for its luxe scene, mediocre food, and ridiculous prices") makes it clear that even without the gender discrimination and labor issues, there's no reason to try the place.

Angry at an apparent double standard, Crawford reportedly flagged down a waiter she “knew best,” who, she says, quietly advised that she “shouldn’t cause a scene and that there was nothing to be done.” Crawford, however, didn’t let it drop: She pressed the matter, and says that she eventually found out the owner, Nello Balan, intended to “crack down” on escorts. Apparently, he had made some assumptions about her job, which — while not offensive to Crawford — smacked of discrimination. Crawford says she asked to speak to Balan (who, incidentally, has been sued by his workforce for allegedly withholding pay and allegedly breaking other labor laws): “He told me that he could run his business as he pleased, and that I was no longer welcome to eat at the bar, only at a table,” she writes.

When I called Nello for comment, the maitre d’ hung up on me twice, the second time saying that the owner was not available, and to call back later. (The staffer ended the call as I asked when the owner would return.) An emailed request for comment had not been answered at time of publication.

Fancy Manhattan Restaurant Allegedly Won’t Let Women Sit Alone at the Bar [Claire Lampen/The Cut]

The night I was mistaken for a call girl [Clementine Crawford/Drug Store Culture]

(via Naked Capitalism)

(Image: Nello)

Firefox is finally fixing its broken screenshot tool [Cory Doctorow – Boing Boing]

Firefox's screenshot tool has a lot going for it, but after two days of trying to use it I gave up and went back to using Ksnapshot (now Spectacle) for the near-constant screenshotting I do, all day long: that's because when you hit "save" in Firefox's screenshot UI, it didn't save it to your hard-drive, rather, it uploaded it to a Mozilla server, which, in addition to being time-consuming and stupid, was also a potential huge privacy risk (if, for example, you were screenshotting a sensitive document to retain for later).

Thankfully, this will be fixed, after months of user complaints, as part of the shut-down of the Test Pilot program, which runs the servers that the screenshots were uploaded to.

On Zdnet, Catalin Cimpanu calls this a "dark pattern," and it's easy to understand why: so many online services try to trick you into using the cloud, storing data remotely even when there's no good reason for it, to train us to use other peoples' computers rather than our own.

I don't know that Mozilla has that same motivation, but this really was a terrible piece of UI with real risks to users, and it's so good to see it finally dying in a fire.

You can turn off the antifeature right now by going to about:config and setting the extensions.screenshots.upload-disabled preference to true.

Firefox to remove misleading button after months of complaints [Catalin Cimpanu/Zdnet]


Do you have a chocolate problem or an oxygen problem? [Seth's Blog]

Run out of chocolate, and that’s a shame. Run out of oxygen and you’re doomed.

Sometimes, we overdo our reliance on chocolate. It’s better in small doses–too much and it loses its magic. And sometimes we confuse the thing we want with the thing we need…

If your day or your project or your organization focuses too much on finding the next piece of chocolate, you might forget to focus on the oxygen you actually need.


Anti-Piracy Group BREIN ‘Dealt With’ 339 Pirate Sites Last Year [TorrentFreak]

When it comes to civil anti-piracy enforcement, BREIN is without a doubt one of the best-known players in the industry.

The group, which receives support from Hollywood and other content industries, has shuttered hundreds of smaller sites in recent history and even took on the likes of Mininova and The Pirate Bay.

In 2018 BREIN continued these enforcement actions. Besides targeting pirate sites throughout the world, it also increased its focus on vendors that offer illegal IPTV subscriptions.

The group has just published a detailed overview of its accomplishments over the past 12 months. This provides clear insight into the group’s anti-piracy priorities and offers a glimpse of what to expect in the near future.

BREIN’s copyright enforcement actions cover a broad range of pirate avenues. Streaming may be the prime focus for Hollywood at the moment, but the anti-piracy group isn’t letting other outlets out of its sight.

“BREIN’s approach focuses on all forms of illegal supply, regardless of the technology used for it, such as bittorrent, cyberlockers and Usenet and websites or social media linking to it,” BREIN notes.

Looking at the numbers we see that the anti-piracy group is closing the books on a productive 12 months.

Over the past year, BREIN received hundreds of notices from rightsholders about problematic activity. It concluded a total of 511 investigations and 97 remain ongoing at the start of the new year.

Shutting down pirate sites is high on the agenda. BREIN says that it ‘dealt with’ 339 illegal websites and services. These include torrent sites, Usenet linking services, and cyberlockers. Some of the sites shut down completely and others were forced to leave their hosting providers.

BREIN’s results
Speaking with TorrentFreak, BREIN director Tim Kuik says a close eye will be kept on sites that continue to operate despite its efforts. These are candidates for further ISP blocking processes, which remain on the agenda for the coming years.

Last year the group achieved some additional results in its Pirate Bay blocking case. Following a ruling at Europe’s highest court, the local Pirate Bay blockade was expanded to several other Dutch ISPs. There are still some issues to resolve, but BREIN expects that the blockade will stand.

As mentioned in the past, BREIN also has vendors of pirate streaming boxes on its radar. Last year, it convinced 79 vendors of copyright-infringing IPTV and VOD services to halt their sales.

In addition, BREIN also caught 17 prolific uploaders, removed 20 Facebook groups where infringing content was being shared, removed 1,291,384 search results, 12,470 files from cyberlockers, and took down 46,203 ads for illegal content.

In some cases, settlements were reached with the infringers. Last year, BREIN signed 31 agreements amounting to hundreds of thousands of euros in damages.

Looking ahead, BREIN plans to continue its enforcement efforts in the new year. Several years ago it announced plans to go after frequent seeders of pirated material. The group is still collecting IP-address data and hopes to launch the campaign in 2019.

2018 has been a special year for the anti-piracy group, which also celebrated its 20th anniversary. For this special occasion it released some additional statistics boasting of its efforts.

Since its inception, BREIN has dealt with more than 41,000 websites, removed over 17 million search engine results, and targeted more than 6,000 online sellers of copyright infringing content, the group notes.


Microsoft to end Windows 10 Mobile updates and support in December [OSnews]

Microsoft is planning to end support for Windows 10 Mobile devices in December. While Microsoft revealed back in 2017 that the company was no longer developing new features or hardware for Windows 10 Mobile, security and software updates have continued. These security updates will now cease on December 10th 2019, and devices will be unsupported after this date. “Windows 10 Mobile, version 1709 (released October 2017) is the last release of Windows 10 Mobile and Microsoft will end support on December 10, 2019,” reads a Microsoft support note that was updated this week. Microsoft is now recommending that Windows 10 Mobile users move to iOS or Android devices. “With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device,” explains a FAQ on Windows 10 Mobile end of life. After Microsoft pulls support in December, device backups for settings and some apps will continue for three months until March 10th, 2020. Microsoft notes “some services including photo uploads and restoring a device from an existing device backup may continue to work for up to another 12 months from end of support.”

It’s yet another one of those moments where Windows Phone dies a little more, and every time, it makes me sad. I was a first-day adopter of both Windows Phone 7.x and 8.x, and to this day I maintain it was the most pleasant to use modern mobile operating system. I’m still sad Microsoft was unable to attract the third party developers required to keep a smartphone platform afloat.


Daniel Kahn Gillmor: New OpenPGP certificate for dkg, 2019 [Planet Debian]


I've scrapped my first try at a new OpenPGP certificate for 2019 (the one i published yesterday). See the history discussion at the bottom of this post for details. This blogpost has been updated to reflect my revised attempt.

2019 OpenPGP transition (try 2)

My old OpenPGP certificate will be 12 years old later this year. I'm transitioning to a new OpenPGP certificate.

You might know my old OpenPGP certificate as:

pub   rsa4096 2007-06-02 [SC] [expires: 2019-06-29]
uid          Daniel Kahn Gillmor <>
uid          Daniel Kahn Gillmor <>

My new OpenPGP certificate is:

pub   ed25519 2019-01-19 [C] [expires: 2021-01-18]
uid          Daniel Kahn Gillmor <>
uid          Daniel Kahn Gillmor <>

If you've certified my old certificate, I'd appreciate your certifying my new one. Please do confirm by contacting me via whatever channels you think are most appropriate (including in-person if you want to share food or drink with me!) before you re-certify, of course.

I've published the new certificate to the SKS keyserver network, as well as to my personal website -- you can fetch it like this:

wget -O- | gpg --import

A copy of this transition statement signed by both the old and new certificates is available on my website, and you can also find further explanation about technical details, choices, and rationale on my blog.

Technical details

I've made a few decisions differently about this certificate:

Ed25519 and Curve25519 for Public Key Material

I've moved from 4096-bit RSA public keys to the Bernstein elliptic curve 25519 for all my public key material (EdDSA for signing, certification, and authentication, and Curve25519 for encryption). While 4096-bit RSA is likely to be marginally stronger cryptographically than curve 25519, 25519 still appears to be significantly stronger than any cryptanalytic attack known to the public.

Additionally, elliptic curve keys and the signatures associated with them are tiny compared to 4096-bit RSA. I certified my new cert with my old one, and well over half of the new certificate is just certifications from the old key because they are so large.

This size advantage makes it easier for me to ship the public key material (and signatures from it) in places that would be more awkward otherwise. See the discussion about Autocrypt below.

Split out ACLU identity

Note that my old certificate included some additional identities, including job-specific e-mail addresses. I've split out my job-specific cryptographic credentials to a different OpenPGP certificate entirely. If you want to mail me at, you can use the certificate with fingerprint 888E6BEAC41959269EAA177F138F5AB68615C560 (which is also published on my work bio page).

This is in part because the folks who communicate with me at my ACLU address are more likely to have old or poorly-maintained e-mail systems than other people i communicate with, and they might not be able to handle curve 25519. So the ACLU keys use 3072-bit RSA, which is universally supported by any plausible OpenPGP implementation.

This way i can experiment with being more forward-looking in my free software and engineering community work, and shake out any bugs that i might find there, before cutting over the e-mails that come in from more legal- and policy-focused colleagues.

Isolated Subkey Capabilities

In my new certificate, the primary key is designated certification-only. There are three subkeys, one each for authentication, encryption, and signing. The primary key also has a longer expiration time (2 years as of this writing), while the subkeys have 1 year expiration dates.

Isolating this functionality helps a little bit with security (i can take the certification key entirely offline while still being able to sign non-identity data), and it also offers a pathway toward having a more robust subkey rotation schedule. As i build out my tooling for subkey rotation, i'll probably make a few more blog posts about that.


Finally, several of these changes are related to the Autocrypt project, a really great collaboration of a group of mail user agent developers, designers, UX experts, trainers, and users, who are providing guidance to make encrypted e-mail something that normal humans can use without having to think too much about it.

Autocrypt treats the OpenPGP certificate User IDs as merely decorative, but its recommended form of the User ID for an OpenPGP certificate is just the e-mail address wrapped in angle brackets. Unfortunately, i didn't manage to get that particular form of User ID into this certificate at this time (see discussion of split User IDs below).

Autocrypt is also moving toward 25519 elliptic curve keys, so this gives me a chance to exercise that choice.

I'm proud to be associated with the Autocrypt project, and have been helping to shepherd some of the Autocrypt functionality into different clients (my work on my own MUA of choice, notmuch is currently stalled, but i hope to pick it back up again soon). Having an OpenPGP certificate that works well with Autocrypt, and that i can stuff into messages even from clients that aren't fully-Autocrypt compliant yet is useful to me for getting things tested.

Documenting workflow vs. tooling

Some people may want to know "how did you make your OpenPGP cert like this?" For those folks, i'm sorry but this is not a step-by-step technical howto. I've read far too many "One True Way To Set Up Your OpenPGP Certificate" blog posts that haven't aged well, and i'm not confident enough to tell people to run the weird arbitrary commands that i ran to get things working this way.

Furthermore, i don't want people to have to run those commands.

If i think there are sensible ways to set up OpenPGP certificates, i want those patterns built into standard tooling for normal people to use, without a lot of command-line hackery.

So if i'm going to publish a "how to", it would be in the form of software that i think can be sensibly maintained and provides a sane user interface for normal humans. I haven't written that tooling yet, but i need to change certs first, so for now you just get this blog post in English. But feel free to tell me what you think i could do better!


This is my second attempt at an OpenPGP certificate transition in 2019. My earlier attempt uncovered a bunch of tooling issues with split-out User IDs. The original rationale for trying the split, and the problems i found are detailed below.

What were Separated User IDs?

My earlier attempt at a new OpenPGP certificate for 2019 tried to do an unusual thing with the certificate User IDs. Rather than two User IDs:

  • Daniel Kahn Gillmor <>
  • Daniel Kahn Gillmor <>

the (now revoked) earlier certificate had the name separate from the e-mail addresses, making three User IDs:

  • Daniel Kahn Gillmor

There are a couple reasons i tried this.

One reason is to simplify the certification process. Traditional OpenPGP User ID certification is an all-or-nothing process: the certifier is asserting that both the name and e-mail address belong to the identified party. But this can be tough to reason about. Maybe you know my name, but not my e-mail address. Or maybe you know me over e-mail, but aren't really sure what my "real" name is (i'll leave questions about what counts as a real name to a more philosophical blog post). You ought to be able to certify them independently. Now you can, since it's possible to certify one User ID independently of another.

Another reason is because i planned to use this certificate for e-mail, among other purposes. In e-mail systems, the human name is a confusing distraction, as the real underlying correspondent is the e-mail address. E-mail programs should definitely allow their users to couple a memorable name with an e-mail address, but it should be more like a petname. The bundling of a human "real" name with the e-mail address by the User ID itself just provides more points of confusion for the mail client.

If the user communicates with a certain person by e-mail address, the certificate should be bound to the e-mail protocol address on its own. Then the user themselves can decide what other monikers they want to use for the person; the User ID shouldn't force them to look at a "real" name just because it's been bundled together.

Alas, putting this attempt into public practice uncovered several gaps in the OpenPGP ecosystem.

User IDs without an e-mail address are often ignored, mishandled, or induce crashes:

And User IDs that are a raw e-mail address (without enclosing angle-brackets) tickle additional problems.

Finally, Monkeysphere's ssh user authentication mechanism typically works on a single User ID at a time. There's no way in Monkeysphere to say "authorize access to account foo by any OpenPGP certificate that has a valid User ID Alice Jones and a valid User ID <>". I'd like to keep the ~/.monkeysphere/authorized_user_ids that i already have in place working OK. I have enough technical debt to deal with for Monkeysphere (including that it only handles RSA currently) that i don't need the additional headache of reasoning about split/joint User IDs too.

Because of all of these issues, in particular the schleuder bugs, i'm not ready to use a split User ID OpenPGP certificate on today's Internet, alas. I have revoked the OpenPGP certificate that had split User IDs and started over with a new certificate with a more standard User ID layout, as described above. Better to rip off the band-aid quickly!
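As an added illustration of the subkey layout described under "Isolated Subkey Capabilities" and of the User ID forms discussed in this history section (example code, not dkg's tooling): the script below parses a `gpg --with-colons --list-keys` listing and reports where a certificate departs from that layout. The listings embedded in it are constructed, with placeholder key ids, fingerprints and addresses.

```python
"""Check an OpenPGP certificate layout: certification-only primary, one
subkey each for A/E/S, subkeys expiring no later than the primary, Curve
25519 throughout, and conventional "Name <email>" User IDs.
Added example, not dkg's tooling. Input is `gpg --with-colons --list-keys`
output produced separately; the listings below are constructed placeholders."""
from dataclasses import dataclass, field
import re

RSA, ECDH, EDDSA = 1, 18, 22            # OpenPGP public-key algorithm ids

@dataclass
class Key:
    algo: int      # colon field 4
    curve: str     # colon field 17 ("ed25519", "cv25519"); empty for RSA
    caps: str      # lowercase letters of field 12: a/c/e/s of this key alone
    created: int   # field 6, seconds since the epoch
    expires: int   # field 7, seconds since the epoch; 0 means never

@dataclass
class Cert:
    primary: Key
    subkeys: list = field(default_factory=list)
    uids: list = field(default_factory=list)

def parse_colons(listing):
    """Parse the pub/sub/uid records of `gpg --with-colons` output."""
    cert = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            key = Key(algo=int(f[3]),
                      curve=f[16] if len(f) > 16 else "",
                      caps="".join(c for c in f[11] if c.islower()),
                      created=int(f[5] or 0), expires=int(f[6] or 0))
            if f[0] == "pub":
                cert = Cert(primary=key)
            else:
                cert.subkeys.append(key)
        elif f[0] == "uid" and cert is not None:
            cert.uids.append(f[9])
    return cert

EMAIL = r"[^<>@\s]+@[^<>@\s]+"

def uid_form(uid):
    """Classify a User ID: 'name+email' is the conventional layout the post
    returned to; 'name-only' and 'bare-email' are the split forms it found
    tooling mishandles; 'bracketed-email' is the Autocrypt-recommended form."""
    if re.fullmatch(rf".+ <{EMAIL}>", uid):
        return "name+email"
    if re.fullmatch(rf"<{EMAIL}>", uid):
        return "bracketed-email"
    if re.fullmatch(EMAIL, uid):
        return "bare-email"
    return "name-only"

# Algorithm and curve each capability is expected to use under this scheme.
EXPECTED = {"c": (EDDSA, "ed25519"), "s": (EDDSA, "ed25519"),
            "a": (EDDSA, "ed25519"), "e": (ECDH, "cv25519")}

def check_layout(cert):
    """Return the list of departures from the layout; empty means it matches."""
    problems, p, by_cap = [], cert.primary, {}
    if p.caps != "c":
        problems.append(f"primary key has capabilities {p.caps!r}, expected 'c' only")
    if (p.algo, p.curve) != EXPECTED["c"]:
        problems.append(f"primary key is algo {p.algo}/{p.curve or 'n/a'}, "
                        "expected EdDSA on ed25519")
    if p.expires == 0:
        problems.append("primary key never expires")
    for sk in cert.subkeys:
        if len(sk.caps) != 1:
            problems.append(f"subkey combines capabilities {sk.caps!r}")
        for c in sk.caps:
            by_cap.setdefault(c, []).append(sk)
            if c in EXPECTED and (sk.algo, sk.curve) != EXPECTED[c]:
                problems.append(f"{c!r} subkey is algo {sk.algo}/{sk.curve or 'n/a'}")
        if sk.expires == 0:
            problems.append("subkey never expires")
        elif p.expires and sk.expires > p.expires:
            problems.append("subkey expires after the primary key")
    for c in "aes":
        n = len(by_cap.get(c, []))
        if n != 1:
            problems.append(f"expected exactly one {c!r} subkey, found {n}")
    for uid in cert.uids:
        if uid_form(uid) != "name+email":
            problems.append(f"User ID {uid!r} is not in Name <email> form")
    return problems

NEW_CERT = """\
pub:u:256:22:0000000000000001:1547856000:1610928000::u:::cESCA:::::ed25519:::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1547856000::UIDHASH0::Daniel Kahn Gillmor <dkg@example.org>::::::::::0:
sub:u:256:22:0000000000000002:1547856000:1579392000:::::s:::::ed25519::
sub:u:256:18:0000000000000003:1547856000:1579392000:::::e:::::cv25519::
sub:u:256:22:0000000000000004:1547856000:1579392000:::::a:::::ed25519::
"""
OLD_CERT = """\
pub:u:4096:1:0000000000000011:1180742400:1561766400::u:::scESC::::::23::0:
uid:u::::1180742400::UIDHASH1::Daniel Kahn Gillmor <dkg@example.org>::::::::::0:
sub:u:4096:1:0000000000000012:1180742400:1561766400:::::e::::::23::
"""
```

Running `check_layout(parse_colons(NEW_CERT))` returns an empty list, while the old-style RSA listing yields one entry per departure (signing-capable primary, RSA instead of Curve 25519, missing authentication and signing subkeys).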


27-13 [LFG Comics]

The post 27-13 appeared first on Non-Playable Character.

27-12 [LFG Comics]

The post 27-12 appeared first on Non-Playable Character.

27-11 [LFG Comics]

The post 27-11 appeared first on Non-Playable Character.

27-10 [LFG Comics]

The post 27-10 appeared first on Non-Playable Character.

27-9 [LFG Comics]

The post 27-9 appeared first on Non-Playable Character.


Sailfish OS 3.0.1 released [OSnews]

Sailfish OS 3.0.1 has been released. From the release notes: Sipoonkorpi is mainly a bug fixing update, bringing in just a few new features. We’ve added Bulgarian language support and improved the handling of email folders. You can now create light ambiences, and respond to meeting invitations through Exchange and Google. We’ve also tuned up SD card encryption and protected critical Top Menu toggles with the security code. It’s available for Jolla devices and the Xperia X and XA2.


Is C++ fast? [OSnews]

A library that I work on often these days, meshoptimizer, has changed over time to use fewer and fewer C++ library features, up until the current state where the code closely resembles C even though it uses some C++ features. There have been many reasons behind the changes – dropping C++11 requirement allowed me to make sure anybody can compile the library on any platform, removing std::vector substantially improved performance of unoptimized builds, removing algorithm includes sped up compilation. However, I’ve never quite taken the leap all the way to C with this codebase. Today we’ll explore the gamut of possible C++ implementations for one specific algorithm, mesh simplifier, henceforth known as simplifier.cpp, and see if going all the way to C is worthwhile.

Friday, 18 January



Friday Squid Blogging: Squid Lollipops [Schneier on Security]

Two squid lollipops, handmade by Shinri Tezuka.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.


Link [Scripting News]

A bunch of people are using Electric Pork these days. Somehow it caught on??


Facebook Sued For Refusing to Remove Copyrighted Photo [TorrentFreak]

Every day millions of people post photos online, without approval from the rightsholder. This is particularly prevalent on social media platforms such as Facebook.

Many photographers don’t have the time or resources to go after these types of infringements, but some are clearly drawing a line in the sand.

This week, photographer Kristen Pierson filed a complaint against Facebook at a New York District Court. Pierson accuses the social media platform of hosting and displaying one of her works without permission.

Normally these issues are resolved with a DMCA takedown notice but in this case that didn’t work.

Last year, Pierson noticed that the Facebook account “Trusted Tech Tips” had used one of her works, a photo of Rhode Island politician Robert Nardolillo, without permission. When she requested Facebook to remove it, the company chose to leave it up instead.

“Hi-, Thanks for your report. Based on the information you’ve provided, it is not clear that the content you’ve reported infringes your copyright,” the Facebook representative wrote in reply.

“It appears that the content you reported is being used for the purposes of commentary or criticism. For this reason, we are unable to act on your report at this time.”

Facebook’s reply
The takedown notice was sent March last year and the post in question remains online at the time of writing, with the photo included. This prompted Pierson to file a complaint at a New York Federal Court this week accusing Facebook of copyright infringement.

According to the Rhode Island-based photographer, Facebook failed to comply with the takedown request and can’t rely on its safe harbor protection.

“Facebook did not comply with the DMCA procedure on taking the Photograph down. As a result, Facebook is not protected under the DMCA safe harbor as it failed to take down the Photograph from the Website,” the complaint reads.

The ‘infringing’ post (exhibit d)
The short five-page complaint accuses Facebook of copyright infringement and Pierson requests compensation for the damages she suffered.

“Facebook infringed Plaintiff’s copyright in the Photograph by reproducing and publicly displaying the Photograph on the Website. Facebook is not, and has never been, licensed or otherwise authorized to reproduce, publically display, distribute and/or use the Photograph,” it reads.

The photographer is not new to these types of lawsuits. She has filed similar cases against other outlets such as Twitter. The latter case was eventually dismissed, likely after both parties reached an agreement.

In the present case, Pierson requests a trial by jury but it wouldn’t be a surprise if this matter is settled behind closed doors, away from the public eye.

A copy of the complaint against Facebook is available here (pdf).



Android malware uses accelerometer readings to figure out if it was running on a real phone or in emulation [Cory Doctorow – Boing Boing]

Malware authors have a problem: they want their software to run aggressively when no one is looking at it, but to shut down entirely if the device it's running on is actually in some malware researcher's lab.

So malware authors have a whole host of tricks they use to determine whether they're running on a device in the field, or inside a researcher's emulator where all of their secrets are laid bare. For example, the creator(s) of the Wannacry malware had the program try to reach a nonexistent website (

Malware researchers' emulators usually answer any attempt to reach an outside website in the hopes of gaining insight about how the software interacts with its command and control server, so by checking whether the nonexistent website existed, each copy of Wannacry was able to decide whether it was living in reality or trapped in the Matrix. That's why when a security researcher registered Wannacry's nonexistent domain and stood a webserver up at that address, every copy of Wannacry in the world shut down.

A new Matrix-detecting tool in malware has been discovered: strains of Android malware distributed through the Google Play store were found to be using calls to the phone's motion-detector to determine whether it was running on a real phone or inside an emulator. Mobile emulators don't bother to fake data from emulated motion-sensors, so from the malware's perspective, emulators have an unnatural stillness that tips it off to stay hidden.

As with the Wannacry killswitch, this technique won't be hard to overcome, since spoofing plausible data from an emulated motion-sensor is pretty basic stuff. But for now, the technique is very effective (and very clever).

Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.

The motion detection wasn’t the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request,” Trend Micro researcher Kevin Sun wrote. “If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” The dropper then tried to trick users into installing the app using the fake system update shown below:

Google Play malware used phones’ motion sensors to conceal itself [Dan Goodin/Ars Technica]

(Image: Blogtrepreneur, CC-BY)


View From a Hotel Window, 1/18/19: Detroit [Whatever]

Actually the picture is from yesterday, but since the view is essentially unchanged (including the sky), I figure it’s probably fine to post. We’re in Detroit for the annual ConFusion convention, which I have been attending since 2005 and which I consider my “home” convention. It’s a lot of fun and I wouldn’t miss it for much. I’ll be hosting a dance tonight, even, which should be fun. Don’t expect to see me here much this weekend. But I hope your weekend will be a fabulous one. If you like, you can share your plans in the comments.


Page 14 [Flipside]

Page 14 is done.


An archive of Freedom, Paul Robeson and Louis Burnham's radical Harlem newspaper [Cory Doctorow – Boing Boing]

Freedom, published in Harlem during the Cold War and McCarthy years, was Paul Robeson and Louis Burnham's radical black paper that "openly challenged racism, imperialism, colonialism, and political repression and advocated for civil rights, labor rights and world peace"; NYU's Freedom archive holds browsable (but not searchable, alas!) scans of issues with contributions from "W.E.B. Du Bois, Alice Childress and Lorraine Hansberry" and many others. (Thanks, Fipi Lele!)

Unsealed court documents reveal that Facebook knew kids were being tricked into spending thousands of dollars on their parents' credit cards [Cory Doctorow – Boing Boing]

In 2012, Facebook settled a class-action suit with parents who claimed that their kids were being tricked into spending real money on game items, thinking they were spending virtual in-game currency; the parents said that Facebook had structured its system to allow kids to use their parents' credit cards without the parents' intervention, unlike competitors like Google and Apple, who required password re-entries when a card was re-charged for in-game purchases.

When the case was settled, the court records were sealed, but thanks to legal action from Reveal, they are now in the public domain, and they paint a picture of a company whose internal staff raised multiple red flags about kids using their parents' cards in this way, and whose concerns were brushed off in the name of profits.

One very disturbing exchange has a Facebook employee referring to a child who had charged thousands of dollars on their parents' credit card as a "whale," a term the casino uses to refer to high-rollers who lose fortunes while gambling.

Gillian: Would you refund this whale ticket? User is disputing ALL charges…

Michael: What’s the users total lifetime spend?

Gillian: It’s $6,545 – but card was just added on Sept. 2. They are disputing all of it I believe. That user looks underage as well. Well, maybe not under 13.

Michael: Is the user writing in a parent, or is this user a 13ish year old

Gillian: It’s a 13ish yr old. says its 15. looks a bit younger. she* not its. Lol.

Michael: … I wouldn’t refund

Gillian: Oh that’s fine. cool. agreed. just double checking

Judge unseals trove of internal Facebook documents following our legal action [Nathan Halverson/Reveal]

(via Dan Hon)

(Image: Jeff Kubina, CC-BY-SA)

Why charter schools are the flashpoint for the LA teachers' strike [Cory Doctorow – Boing Boing]

When teachers from the largest school district in America walked off the job this week, they were not campaigning for wages: rather, they were demanding smaller classes; more librarians, counselors, aides and special-ed teachers; and to rein in the Charter school movement, and that last demand is the key to understanding the whole thing.

Charter schools were developed in the wake of the Brown v Board of Ed decision, which found that racially segregated public schools were illegal; charter schools let white supremacists skirt the decision by diverting public funds into private schools that could exclude Black children.

Today, the charter school movement has evolved into a darling of billionaires and vast, illegal dark-money pools, working in alliance with racists and Christian Dominionists who want Biblical doctrine taught at public expense. Like the Reagan coalition, the fundamentalists supply the warm bodies, the billionaires supply the seed capital, and then the billionaires make out like bandits while the poor evangelical rank-and-file get screwed.

But even if you want to send your kid to a public school, charter schools can make it impossible to make such a choice. Charter schools can cream off the kids with wealthy parents, high test scores and no special needs, sucking money out of the public system, which still has the same per-pupil funding that has to stretch farther to cover fixed costs (just because your students leave, it doesn't make your school cheaper to heat or maintain).

The result is that schools end up raiding the per-pupil educational budget to cover fixed costs, leaving the public system with a disproportionate fraction of kids who need extra support, and less money per pupil to pay for it. So many parents who want to support the public system still put their kids in charters to avoid this mess, making it even worse.

That's why the LA teachers are on strike: to stop the stealth privatization of our public schools and ensure that every kid gets the education they're entitled to.

Charter schools in Los Angeles have become integral features of what’s wrong. There are 277 charter schools operating in L.A. Unified, the largest number of charter schools of any school district in the nation. Charters serve nearly 119,000 students, nearly one-fifth of the students in the district. About 50 charters are operated by the district, which gives them some degree of greater autonomy, but the rest are completely independent of district rules and regulations. And many of the independent charters are also co-located on existing public school campuses.

When charter schools pull funding from a public school, it damages the school’s ability to educate the students who remain because a lot of the school’s costs are “fixed” and can’t be reduced on a per-pupil basis. Schools that find they have to cover the same costs, with reduced revenues due to student attrition to charters, frequently resort to cutting non-teacher personnel such as counselors and librarians—exactly the additional staff LA teachers are saying their schools lack.

In the situation where a charter co-locates on an existing public school campus, space on the campus is divided up between the two schools, which increases class sizes as students remaining in the public campus have to jam into smaller spaces and limit their access to common spaces—again, grievances the teachers are bringing to the table.

“It’s a vicious cycle,” writes Miriam Pawel in the New York Times. “The more overcrowded and burdened the regular schools, the easier for charters to recruit students. The more students the district loses, the less money, and the worse its finances. The more the district gives charters space in traditional schools, the more overcrowded the regular classrooms.”

How Teacher Strikes Are Exposing the Corrupt Charter School Agenda [Jeff Bryant/Naked Capitalism]

(Image: UTLA)


A megathread of dirty industry secrets that you'll be glad you know even as you wish you didn't [Cory Doctorow – Boing Boing]

Holly, a Harvard seminarian and activist, invited Twitter users to DM her the dirty secrets of their industries, which she then anonymized and posted in a megathread with more than 600 parts (as of this writing); while many of them are mild or self-evident, many of them are the kind of sphincter-tightening or blood-boiling confessions that you always suspected might be true but hoped like hell were not.

Some of them are also a little uplifting (library workers are reliably helpers with immigration paperwork, say, but also increasingly wracked by violence and the effects of unchecked poverty and the erosion of social services), and others are, well, just terrible:

* Arkansas teachers beat the shit out of their students, especially disabled kids, kids with developmental delays, etc

* Whether you get arrested in NYC is largely a function of whether the cop is eligible for overtime

* Your always-on smart speaker is sending your private conversations to random, badly paid contractors

* "Celibate" priests are getting laid like crazy

* Starbucks' rulebook is full of gotchas that let managers discriminate against troublemakers, racialized people, and anyone else they dislike

* Billion dollar battleships are built by stoned meth-freaks

* Remote disconnect meters are crapgadgets built by low-bidders and they are prone to bursting into flames

* Southern universities have a quiet understanding with racist old white alums that their donations will only go to scholarships for white kids

* Environmentally sound plastics are ignored so that big companies can shave pennies off their costs

Lots more, too.

(via Naked Capitalism)

Now EVERYBODY hates the new EU Copyright Directive [Cory Doctorow – Boing Boing]

Until last spring, everyone wanted to see the new European Copyright Directive pass; then German MEP Axel Voss took over as rapporteur and revived the most extreme, controversial versions of two proposals that had been sidelined long before as the Directive had progressed towards completion.

After all, this is the first refresh on EU copyright since 2001, and so the Directive is mostly a laundry list of overdue, uncontroversial technical tweaks with many stakeholders; the last thing anyone wanted was a spoiler in the midst.

Anyone, that is, except for German newspaper families (who loved Article 11, who could charge Big Tech for the privilege of sending readers to their sites) and the largest record labels (who had long dreamed of Article 13, which would force the platforms to implement filters to check everything users posted, and block anything that resembled a known copyrighted work, or anything someone claimed was a known copyrighted work).

These were the clauses that Voss reinserted, and in so doing, triggered a firestorm of opposition to the Directive from all sides: more than four million Europeans publicly opposed it, along with leading copyright and technical experts—and also the notional beneficiaries of the rules, from journalists to the largest movie studios, TV channels and sports leagues in Europe.

Voss has found himself increasingly isolated in his defense of the Directive, just him and the record labels against the rest of the world.

And now it's just Voss.

The record labels have joined the movie studios in denouncing the working version of Article 13, and calling for the impossible: a rollback of the tiny, largely ornamental changes made in order to give the Directive a hope of passing (they were complaining about Monday's version of the Directive, but the version that leaked yesterday doesn't fix any of their problems).

The record labels are willing to risk the whole thing going down in flames rather than tolerate the symbolic gestures to compromise that have been gently draped over the spiderwebbing of cracks in the Directive.

Now that Article 13 has not a single friend in the world, save for a single, lonely German MEP, maybe it's time we stopped holding the future of European copyright to ransom for the sake of a few recording companies who are willing to sacrifice the free expression of 500,000,000 Europeans to eke out a few more points of profit.

With the national governments and EU going into what is meant to be their final meeting on Monday, now is the time for Europeans to contact their national governments and tell them to stand firm and reject Article 13, lest it bring down the whole Copyright Directive.

(Crossposted from EFF Deeplinks)

Regardless of whether it ends his term, impeaching Trump has five likely benefits [Cory Doctorow – Boing Boing]

Yoni Appelbaum's longread in The Atlantic on the case for impeaching Trump draws on heterodox interpretations of the Clinton and Johnson impeachments, as well as the Nixon impeachment, to argue that despite (or even because of) the Senate's near-certain inaction on impeachment, there are real benefits to impeaching Trump, which is looking very likely if accusations of suborning perjury before Congress are true.

Appelbaum argues that history's verdict on the Clinton and Johnson impeachments -- that they were divisive, partisan exercises that did more harm than good -- is misguided. Rather than viewing impeachment as a dangerous constitution-undermining exercise that weakens the institution of the presidency, Appelbaum says that the framers wouldn't have put impeachment into the Constitution if it wasn't part of the normal functioning of a Constitutional democracy, a check on an otherwise imperial presidency (and incidentally, he argues that the presidency has grown increasingly imperial and is overdue for a good trimming).

In addition to making a case that impeachment is itself a reasonable action under some circumstances, Appelbaum makes the fairly easy case that we are living through those circumstances right now, reciting a greatest hits of Trump's many qualifying sins.

Then he gets to the interesting part: we know that the Senate isn't going to do anything about a successful impeachment of Trump by the Democrats in Congress, so what's the point?

According to Appelbaum, history teaches us that impeaching a president has five major benefits even if they are not removed from office: it changes the way that the press covers the issue, switching from letting the president set a fearmongering agenda to piecing together a coherent narrative of the president's unfitness; it sidelines the president's agenda and forces them to focus on the impeachment; it moves away from the piecemeal Congressional committee investigations of individual scandals and puts the focus on the big picture of how they all fit together; it channels public and governmental anger with the government into a peaceful and lawful system of redressing grievances, forestalling potential political violence; and it permanently damages the impeached president's political prospects, putting them under a cloud for the rest of their political lives.

And what if the Senate does not convict Trump? The fifth benefit of impeachment is that, even when it fails to remove a president, it severely damages his political prospects. Johnson, abandoned by Republicans and rejected by Democrats, did not run for a second term. Nixon resigned, and Gerald Ford, his successor, lost his bid for reelection. Clinton weathered the process and finished out his second term, but despite his personal popularity, he left an electorate hungering for change. “Many, including Al Gore, think that the impeachment cost Gore the election,” Paul Rosenzweig, a former senior member of Independent Counsel Kenneth Starr’s team, told me. “So it has consequences and resonates outside the narrow four corners of impeachment.” If Congress were to impeach Trump, whatever short-term surge he might enjoy as supporters rallied to his defense, his long-term political fate would likely be sealed.

In these five ways—shifting the public’s attention to the president’s debilities, tipping the balance of power away from him, skimming off the froth of conspiratorial thinking, moving the fight to a rule-bound forum, and dealing lasting damage to his political prospects—the impeachment process has succeeded in the past. In fact, it’s the very efficacy of these past efforts that should give Congress pause; it’s a process that should be triggered only when a president’s betrayal of his basic duties requires it. But Trump’s conduct clearly meets that threshold. The only question is whether Congress will act.

Impeach Donald Trump [Yoni Appelbaum/The Atlantic]

(via Kottke)




Today in GPF History for Friday, January 18, 2019 [General Protection Fault: The Comic Strip]

Fred doesn't take kindly to Pi's unilateral anti-Physaric bigotry...


[$] A proposed API for full-memory encryption []

Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.

Rhonda D'Vine: Enigma [Planet Debian]

Just the other day a working colleague asked me what kind of music I listen to, especially when working. It's true, music helps me to focus better and work more concentrated. But it obviously depends on what kind of music it is. And there is one project I come to every now and then. The name is Enigma. It's not disturbing, good for background, with soothing and non-intrusive vocals. Here are the songs:

  • Return To Innocence: This is quite likely the song you know from them, which also got me hooked up originally.
  • Push The Limits: A powerful song. The album version is even a few minutes longer.
  • Voyageur: Love the rhythm and theme in this song.

Like always, enjoy.



Security updates for Friday []

Security updates have been issued by Debian (drupal7), Fedora (electrum and perl-Email-Address), Mageia (gthumb), openSUSE (gitolite, kernel, krb5, libunwind, LibVNCServer, live555, mutt, wget, and zeromq), SUSE (krb5, mariadb, nodejs4, nodejs8, soundtouch, and zeromq), and Ubuntu (irssi).


Link [Scripting News]

Good morning sports fans!

Link [Scripting News]

Thanks to all the people who Like my posts here. I always look to see who's checking in. True story. A friend was talking, face-to-face, about one of my podcasts. I asked why he didn't Like it. He said he did. I checked later, and sure enough he had Liked it. Ever since I've been checking them every day, sometimes more than once. 🚀


How do I get the effect of C#’s async void in a C++ coroutine? Part 3: Simplifying the boilerplate [The Old New Thing]

Last time, we figured out how to use a coroutine in a place where the caller expects a function returning void. It required some wrapping, and our research led to this pattern:

void MyClass::MyEventHandler(int a, int b)
{
  [](auto lambda1)
   -> Concurrency::task<void>
  {
   co_await lambda1();
  }([=, lifetime = shared_from_this()]() // MyClass derives from std::enable_shared_from_this
   -> Concurrency::task<void>
  {
   // actual work goes here
   co_await GetSetAsync(b);
   Go(a, b);
  });
}

You might think "Maybe I can macro-ize this thing so I don't have to repeat the boilerplate all the time."

#define INVOKE_ASYNC_LAMBDA(lambda) \
  [](auto lambda1) \
   -> Concurrency::task<void> \
  { \
   co_await lambda1(); \
  }(lambda)

void MyClass::MyEventHandler(int a, int b)
{
  INVOKE_ASYNC_LAMBDA(
   [=, lifetime = shared_from_this()]()
   -> Concurrency::task<void>
  {
   co_await GetSetAsync(b);
   Go(a, b);
  });
}

But then you realize that you've gone too far, because you've created a macro that requires people to pass a lambda as a macro parameter, and that road leads to sadness.

So you might wrack your brains for a while to see if there's a way to get the boilerplate code generated without requiring the lambda as a macro parameter. Maybe something like this:

#define INVOKE_ASYNC_LAMBDA \
  [](auto lambda1) \
   -> Concurrency::task<void> \
  { \
   co_await lambda1(); \
  }

Since all we do with the lambda is spit it back out, including parentheses, and the regurgitation comes as the very last tokens of the macro expansion, we can cheat and avoid capturing the parameter at all. The macro spits out the boilerplate, and then what looks like the argument to the macro is actually just text that comes after the macro, and a parenthesized lambda happens to be exactly what we want to come next, so jackpot.

But then you remember the C++ Core Guidelines, which say,

Scream when you see a macro that isn't just used for source control (e.g., #ifdef)

Is there a way to do this that avoids macros entirely?

Indeed there is, but you have to back up a step. The step prior to our "final" version went like this:

void MyClass::MyEventHandler(int a, int b)
{
  auto lambda2 = [](auto lambda1)
   -> Concurrency::task<void>
  {
   co_await lambda1();
  };

  lambda2([=, lifetime = shared_from_this()]()
   -> Concurrency::task<void>
  {
   co_await GetSetAsync(b);
   Go(a, b);
  });
}

The captureless lambda can be factored out into a templated free function.

template<typename TLambda>
Concurrency::task<void> invoke_async_lambda(TLambda lambda)
{
  co_await lambda();
}

void MyClass::MyEventHandler(int a, int b)
{
  invoke_async_lambda([=, lifetime = shared_from_this()]()
   -> Concurrency::task<void>
  {
   co_await GetSetAsync(b);
   Go(a, b);
  });
}

And then we can generalize the function further by having it return the same type of task that the lambda does.¹

template<typename TLambda>
auto invoke_async_lambda(TLambda lambda)
 -> decltype(lambda())
{
  // a coroutine must use co_return, not return
  co_return co_await lambda();
}

Now you can use it for async lambdas that return any kind of awaitable object, like a Concurrency::task<int>, or a winrt::Windows::Foundation::IAsyncAction, or a std::experimental::future<std::string>. And since it returns the resulting coroutine, you can continue operating with it.

 std::array<Concurrency::task<void>, 3> tasks =
 {
  invoke_async_lambda([=]() -> Concurrency::task<void>
  {
   ... first task ...
  }),
  invoke_async_lambda([=]() -> Concurrency::task<void>
  {
   ... second task ...
  }),
  invoke_async_lambda([=]() -> Concurrency::task<void>
  {
   ... third task ...
  }),
 };

 return Concurrency::when_all(begin(tasks), end(tasks));

¹ The result is one of those cryptic functions that doesn't seem to do anything, but in fact does quite a bit, but in a very subtle way. The C++ standard library has a lot of functions like that, such as std::move, std::forward, and std::launder.


News Post: ‘Tis Better [Penny Arcade]

Tycho: Of course, the latest version of the story dutifully presented to us is that - let me see if I have this correctly - all games exist in a kind of superposition in a silvery twilight realm, at once real and not real, so the open world game they used to distract us from the previous, higher profile cancellation served its purpose…?  We posit a quantum conundrum in today’s incomparable strip. For me, Electronic Arts is now the company that pays Respawn to make games and honestly that’s fine.  I guess they also make the sports games that Gabriel plays for two…


Satya Nadella teases Microsoft 365 subscription for consumers [OSnews]

Microsoft first unveiled its Microsoft 365 bundle of Windows 10 and Office for businesses and schools back in 2017. While a bundle of buying Office and Windows licenses makes sense for commercial customers, Microsoft is also looking to launch a similar bundle for consumers. Speaking to journalists at a media event earlier this week, attended by The Verge, CEO Satya Nadella gave some hints that Microsoft 365 will appear for consumers. I already have an Office 365 subscription, and the idea of adding Windows to that certainly seems appealing to me. It’s easy, straightforward, and doesn’t require any periodic large purchases either.


Evaluating the GCHQ Exceptional Access Proposal [Schneier on Security]

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI -- and some of their peer agencies in the UK, Australia, and elsewhere -- argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make their systems susceptible to government eavesdropping. Sometimes their complaint is about communications systems, like voice or messaging apps. Sometimes it's about end-user devices. On the other side of this debate is pretty much all technologists working in computer security and cryptography, who argue that adding eavesdropping features fundamentally makes those systems less secure.

A recent entry in this debate is a proposal by Ian Levy and Crispin Robinson, both from the UK's GCHQ (the British signals-intelligence agency -- basically, its NSA). It's actually a positive contribution to the discourse around backdoors; most of the time government officials broadly demand that the tech companies figure out a way to meet their requirements, without providing any details. Levy and Robinson write:

In a world of encrypted services, a potential solution could be to go back a few decades. It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who's who and which devices are involved -- they're usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there's an extra 'end' on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn't give any government power they shouldn't have.

On the surface, this isn't a big ask. It doesn't affect the encryption that protects the communications. It only affects the authentication that assures people of whom they are talking to. But it's no less dangerous a backdoor than any others that have been proposed: It exploits a security vulnerability rather than fixing it, and it opens all users of the system to exploitation of that same vulnerability by others.

In a blog post, cryptographer Matthew Green summarized the technical problems with this GCHQ proposal. Basically, making this backdoor work requires not only changing the cloud computers that oversee communications, but it also means changing the client program on everyone's phone and computer. And that change makes all of those systems less secure. Levy and Robinson make a big deal of the fact that their backdoor would only be targeted against specific individuals and their communications, but it's still a general backdoor that could be used against anybody.

The basic problem is that a backdoor is a technical capability -- a vulnerability -- that is available to anyone who knows about it and has access to it. Surrounding that vulnerability is a procedural system that tries to limit access to that capability. Computers, especially internet-connected computers, are inherently hackable, limiting the effectiveness of any procedures. The best defense is to not have the vulnerability at all.

That old physical eavesdropping system Levy and Robinson allude to also exploits a security vulnerability. Because telephone conversations were unencrypted as they passed through the physical wires of the phone system, the police were able to go to a switch in a phone company facility or a junction box on the street and manually attach alligator clips to a specific pair and listen in to what that phone transmitted and received. It was a vulnerability that anyone could exploit -- not just the police -- but was mitigated by the fact that the phone company was a monolithic monopoly, and physical access to the wires was either difficult (inside a phone company building) or obvious (on the street at a junction box).

The functional equivalent of physical eavesdropping for modern computer phone switches is a requirement of a 1994 U.S. law called CALEA -- and similar laws in other countries. By law, telephone companies must engineer phone switches that the government can eavesdrop, mirroring that old physical system with computers. It is not the same thing, though. It doesn't have those same physical limitations that make it more secure. It can be administered remotely. And it's implemented by a computer, which makes it vulnerable to the same hacking that every other computer is vulnerable to.

This isn't a theoretical problem; these systems have been subverted. The most public incident dates from 2004 in Greece. Vodafone Greece had phone switches with the eavesdropping feature mandated by CALEA. It was turned off by default in the Greek phone system, but the NSA managed to surreptitiously turn it on and use it to eavesdrop on the Greek prime minister and over 100 other high-ranking dignitaries.

There's nothing distinct about a phone switch that makes it any different from other modern encrypted voice or chat systems; any remotely administered backdoor system will be just as vulnerable. Imagine a chat program added this GCHQ backdoor. It would have to add a feature that added additional parties to a chat from somewhere in the system -- and not by the people at the endpoints. It would have to suppress any messages alerting users to another party being added to that chat. Since some chat programs, like iMessage and Signal, automatically send such messages, it would force those systems to lie to their users. Other systems would simply never implement the "tell me who is in this chat conversation" feature, which amounts to the same thing.

And once that's in place, every government will try to hack it for its own purposes -- just as the NSA hacked Vodafone Greece. Again, this is nothing new. In 2010, China successfully hacked the back-door mechanism Google put in place to meet law-enforcement requests. In 2015, someone -- we don't know who -- hacked an NSA backdoor in a random-number generator used to create encryption keys, changing the parameters so they could also eavesdrop on the communications. There are certainly other stories that haven't been made public.

Simply adding the feature erodes public trust. If you were a dissident in a totalitarian country trying to communicate securely, would you want to use a voice or messaging system that is known to have this sort of backdoor? Who would you bet on, especially when the cost of losing the bet might be imprisonment or worse: the company that runs the system, or your country's government intelligence agency? If you were a senior government official, or the head of a large multinational corporation, or the security manager or a critical technician at a power plant, would you want to use this system?

Of course not.

Two years ago, there was a rumor of a WhatsApp backdoor. The details are complicated, and calling it a backdoor or a vulnerability is largely inaccurate -- but the resultant confusion caused some people to abandon the encrypted messaging service.

Trust is fragile, and transparency is essential to trust. And while Levy and Robinson state that "any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users," this proposal does exactly that. Communications companies could no longer be honest about what their systems were doing, and we would have no reason to trust them if they tried.

In the end, all of these exceptional access mechanisms, whether they exploit existing vulnerabilities that should be closed or force vendors to open new ones, reduce the security of the underlying system. They reduce our reliance on security technologies we know how to do well -- cryptography -- to computer security technologies we are much less good at. Even worse, they replace technical security measures with organizational procedures. Whether it's a database of master keys that could decrypt an iPhone or a communications switch that orchestrates who is securely chatting with whom, it is vulnerable to attack. And it will be attacked.

The foregoing discussion is a specific example of a broader discussion that we need to have, and it's about the attack/defense balance. Which should we prioritize? Should we design our systems to be open to attack, in which case they can be exploited by law enforcement -- and others? Or should we design our systems to be as secure as possible, which means they will be better protected from hackers, criminals, foreign governments and -- unavoidably -- law enforcement as well?

This discussion is larger than the FBI's ability to solve crimes or the NSA's ability to spy. We know that foreign intelligence services are targeting the communications of our elected officials, our power infrastructure, and our voting systems. Do we really want some foreign country penetrating our lawful-access backdoor in the same way the NSA penetrated Greece's?

I have long maintained that we need to adopt a defense-dominant strategy: We should prioritize our need for security over our need for surveillance. This is especially true in the new world of physically capable computers. Yes, it will mean that law enforcement will have a harder time eavesdropping on communications and unlocking computing devices. But law enforcement has other forensic techniques to collect surveillance data in our highly networked world. We'd be much better off increasing law enforcement's technical ability to investigate crimes in the modern digital world than we would be to weaken security for everyone. The ability to surreptitiously add ghost users to a conversation is a vulnerability, and it's one that we would be better served by closing than exploiting.

This essay originally appeared on


Four short links: 18 January 2019 [All - O'Reilly Media]

Remove Filters, Quantum Cables, Embedded Vision, and Citizen Developers

  1. Desnapify -- deep convolutional generative adversarial network (DCGAN) trained to remove Snapchat filters from selfie images.
  2. Quantum Computer Component Shortage (MIT TR) -- cables for superconducting quantum computing experiments turn out to be hard to find at Radio Shack. Reminder: QC is in its infancy.
  3. SOD -- an embedded computer vision and machine learning library (CPU optimized and IoT capable).
  4. Devsumer -- interesting argument: lots of people with exposure to programming via Hour of Code type things, as IT departments are too busy to build all the apps people want, so [a] number of products have emerged that allow people to build simple software applications, or to use templated applications for their own work flow or productivity. You can think of this as taking a SQL database or excel spreadsheet and turning it into an app platform.



Error'd: An Internet of Crap [The Daily WTF]

"One can only assume the CEO of Fecebook is named Mark Zuckerturd," writes Eric G..   "Crucial's website is all about consumer choice and I just can't decide!" writes...


cheerfully pointless post about squeezeboxes. [Judith Proctor's Journal]

 Because everyone gets them confused...

An accordion is a large instrument where all the keys play the same note whether the bellows are being pushed or pulled.  One hand plays the melody, the other has buttons to push for chords.

A melodeon is smaller than an accordion.  It has different notes on the push and pull, i.e. each key plays two notes, which is why it's a smaller, lighter instrument.  The left hand has buttons for chords.  The keys for melody are buttons rather than piano keys, as the arrangement of notes is different from a piano.  Melodeons play in only one or two keys, one per row of buttons.

An 'English' concertina has hexagonal ends and straps for the little finger and a rest for the thumb.  It plays one note per key (same note on push and pull) and is fully chromatic. (plays in any key)

An Anglo (Anglo/German) concertina has hexagonal ends, a strap that goes over the wrist, and a totally different layout of buttons.  It has (like a melodeon) two notes per button.  It plays in one or two keys, but may have buttons for accidentals to allow extra keys.  Great instruments for morris - I have one.




Austrian Telecoms Regulator Rejects “Informal” Pirate Site Blocks [TorrentFreak]

Since the turn of the decade, Austria has been grappling with the controversial issue of pirate site blocking.

While rights holders have long insisted that blocking is an appropriate and proportionate response to large-scale infringement, local Internet service providers have remained unconvinced, despite many legal processes.

Last November, the Supreme Court finally ruled that The Pirate Bay and other “structurally-infringing” sites including can indeed be blocked, if rights holders have exhausted all other options. However, the decision wasn’t without complications.

The Telecom Single Market (TSM) Regulation established the principle of non-discriminatory traffic management in the EU. It does allow for the blocking of copyright-infringing websites but only when supported by a clear administrative or judicial decision.

However, rights holders have also written to ISPs in Austria demanding that they block sites that are potentially related to a blocked platform (such as a mirror or proxy) but aren’t specifically detailed in an official order.

Last January, this problem finally came to a head when, after ‘voluntarily’ blocking several Pirate Bay clones, ISP T-Mobile reported itself to the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) for a potential net neutrality breach. As reported by Tarnkappe, other providers including A1, Drei, Kabelplus, Liwest, and UPC later followed suit.

“The decision of the providers to self-disclose may seem surprising at first glance,” says Maximilian Schubert, Secretary General of Internet Service Providers Austria (ISPA).

“However, this self-disclosure will hopefully open the eyes of many people entrusted with the topic of how unclear and almost worrying the situation is in this country.”

At issue is whether local ISPs are obliged to block ‘pirate’ sites following an informal request from rights holders and in the absence of an official order. It now transpires, thanks to pressure from the ISPs, that they do not have to block following such requests.

Telecoms regulator Telecom Control Commission will now get involved when a block is requested which will lead to a supervisory process and a full review by the agency. Informal blocking of domains following a simple request from rights holders is therefore ruled out.

“From ISPA’s point of view, this has sent another clear signal that network blocking constitutes a serious infringement of fundamental rights,” Schubert says.

“To rely on an informal system of ‘bartering’ in such a sensitive matter, as the rights holders have requested, is simply incompatible with the principles of a modern constitutional state. It is now up to the legislator, while respecting the fundamental rights concerned, to find a solution that takes account of the different interests.”

Moving forward, ISPA says that ISPs want an “independent judicial body” to confirm in advance the legality of any blocking while ensuring that a minimum of time and resources are expended on the blocking process.

“In addition, users need to be able to clearly understand why they are being blocked and thus have the opportunity to fight the block directly at the crucial point. Furthermore, the providers must be compensated for their costs and protected against any claims of third parties,” ISPA concludes.



Feeds | Highlights of the Fellowship Programme 2019 Launch Webinar [Planet GridPP]

Highlights of the Fellowship Programme 2019 Launch Webinar s.aragon 17 January 2019 - 4:10pm

By Raniere Silva, Community Officer, Software Sustainability Institute. On Friday 11th January 2019 we hosted the Fellowship Programme 2019 Launch Webinar with the participation of Fellows Becky Arnold, Martin Donnelly, Vincent Knight, Danny Wong and Yo Yehudi. Applications to the Fellowship Programme are open until 3rd February 2019.


Problems and boundaries [Seth's Blog]

All problems have solutions.

That’s what makes them problems.

The solution might involve trade-offs or expenses that you don’t want to incur. You might choose not to solve the problem. But there is a solution. Perhaps you haven’t found it yet. Perhaps you need to do more research or make some tradeoffs in what you’re hoping for.

If there is no solution, then it’s not a problem.

It’s a regrettable situation. It’s a boundary condition. It’s something you’ll need to live with.

Which might be no fun, but there’s no sense in worrying about it or spending time or money on it, because it’s not a problem.

“I want to go to the wedding, but it’s a thousand miles away.” That’s a problem. You can solve it with a plane ticket and some cancelled plans.

“I want to go to the wedding, but I’m not willing to cancel my meeting.” That’s not a problem. That’s an unavoidable conflict. If you need to violate a law of physics to get out of a situation, it’s not a problem. But you’ve already given up turning it into a problem, so it doesn’t pay to pretend it’s solvable.

Once we can walk away from unsolvable situations that pretend to be problems, we can focus our energy on the real problems in front of us.

HT David Deutsch


FeedRSSLast fetchedNext fetched after
XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
a bag of four grapes XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
A Smart Bear: Startups and Marketing for Geeks XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
All - O'Reilly Media XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Anarcho's blog XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Ansible XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
Bad Science XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Black Doggerel XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Blog – Official site of Stephen Fry XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Broodhollow XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Charlie Brooker | The Guardian XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Charlie's Diary XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Chasing the Sunset - Comics Only XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Clay Shirky XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Coding Horror XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
Cory Doctorow – Boing Boing XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Cory Doctorow's XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Ctrl+Alt+Del Comic XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Cyberunions XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
David Mitchell | The Guardian XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Debian GNU/Linux System Administration Resources XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Deeplinks XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Diesel Sweeties webcomic by rstevens XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Dork Tower XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Edmund Finney's Quest to Find the Meaning of Life XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Eerie Cuties XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
EFF Action Center XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Enspiral Tales - Medium XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Erin Dies Alone XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
Events XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Falkvinge on Liberty XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Flipside XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Free software jobs XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
Full Frontal Nerdity by Aaron Williams XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
General Protection Fault: The Comic Strip XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
George Monbiot XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Girl Genius XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
God Hates Astronauts XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Graeme Smith XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Groklaw XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Hackney Anarchist Group XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Humble Bundle Blog XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
I, Cringely XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Irregular Webcomic! XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Joel on Software XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
Judith Proctor's Journal XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
Krebs on Security XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Lambda the Ultimate - Programming Languages Weblog XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
LFG Comics XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
LLVM Project Blog XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Loomio Blog XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
Menage a 3 XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Mimi and Eunice XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Neil Gaiman's Journal XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
Nina Paley's Blog XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
O Abnormal – Scifi/Fantasy Artist XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Oglaf! -- Comics. Often dirty. XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Oh Joy Sex Toy XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Order of the Stick XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Original Fiction – XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
OSnews XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Paul Graham: Unofficial RSS Feed XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Penny Arcade XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Penny Red XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
PHD Comics XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Phil's blog XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
Planet Debian XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
Planet GridPP XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
Planet Lisp XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Property is Theft! XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
QC RSS XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
Scenes From A Multiverse XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
Schneier on Security XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
SCHNEWS.ORG.UK XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
Scripting News XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Seth's Blog XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
Skin Horse XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Starslip by Kris Straub XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Tales From the Riverbank XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
The Adventures of Dr. McNinja XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
The Bumpycat sat on the mat XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
The Command Line XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
The Daily WTF XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
The Monochrome Mob XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
The Non-Adventures of Wonderella XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
The Old New Thing XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
The Open Source Grid Engine Blog XML 12:07, Wednesday, 23 January 12:54, Wednesday, 23 January
The Phoenix Requiem XML 12:21, Wednesday, 23 January 13:01, Wednesday, 23 January
The Rogues Gallery XML 12:07, Wednesday, 23 January 12:55, Wednesday, 23 January
The Stranger, Seattle's Only Newspaper: Savage Love XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January
TorrentFreak XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
towerhamletsalarm XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
Twokinds XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
UK Indymedia Features XML 11:49, Wednesday, 23 January 12:31, Wednesday, 23 January
Uploads from ne11y XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
Uploads from piasladic XML 11:56, Wednesday, 23 January 12:39, Wednesday, 23 January
Wayward Sons: Legends - Sci-Fi Full Page Webcomic - Updates Daily XML 11:56, Wednesday, 23 January 12:42, Wednesday, 23 January
What If? XML 12:21, Wednesday, 23 January 13:02, Wednesday, 23 January
Whatever XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
Whitechapel Anarchist Group XML 12:14, Wednesday, 23 January 13:03, Wednesday, 23 January
WIL WHEATON dot NET XML 11:56, Wednesday, 23 January 12:40, Wednesday, 23 January
wish XML 11:56, Wednesday, 23 January 12:41, Wednesday, 23 January