Tuesday, 16 April

23:14

Tell the U.S. Senate: STOP RISAA, the FISA Mass Surveillance Expansion [EFF Action Center]

Section 702 allows the government to conduct surveillance of foreigners abroad from inside the United States. While Section 702 prohibits the NSA and FBI from intentionally targeting Americans, these agencies routinely acquire innocent Americans’ communications “incidentally”. The government can then search Americans’ “incidentally collected” communications, all without a probable cause warrant.

The government has repeatedly abused Section 702 by searching its databases for Americans’ communications. In 2021 alone, the FBI reported conducting up to 3.4 million warrantless searches of Section 702 data using Americans’ identifiers.

This loophole, and many other things, need to change before Congress acts to renew Section 702.

Ubuntu 24.04 supports easy installation of OpenZFS root file-system with encryption [OSnews]

So with Ubuntu 24.04 LTS there is the ability to continue with a standard EXT4 file-system install, an encrypted file-system using LVM, or using OpenZFS with/without encryption. Ubuntu 24.04 LTS also has the ability to enjoy hardware-backed full-disk encryption with TPM as another new experimental option. Or, of course, the Ubuntu desktop installer continues supporting manual (custom) partitioning as well.

↫ Michael Larabel

I just use whatever Btrfs setup Fedora automatically recommends when I let it take over a disk – file systems for desktops seem a bit like a solved problem to me personally – but I’m still curious what benefits, for instance, an OpenZFS setup could bring to a desktop user compared to Btrfs or a basic Ext4 setup. Why should a desktop user use OpenZFS?

21:21

[$] Identifying dependencies used via dlopen() [LWN.net]

The recent XZ backdoor has sparked a lot of discussion about how the open-source community links and packages software. One possible security improvement being discussed is changing how projects like systemd link to dynamic libraries that are only used for optional functionality: using dlopen() to load those libraries only when required. This could shrink the attack surface exposed by dependencies, but the approach is not without downsides — most prominently, it makes discovering which dynamic libraries a program depends on harder. On April 11, Lennart Poettering proposed one way to eliminate that problem in a systemd RFC on GitHub.
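The pattern under discussion, as an added example that is not systemd’s code and not from the LWN article: an optional feature whose library is resolved with dlopen() at the point of use, with a built-in fallback when the library or symbol is absent. The library name and symbol are parameters (here libm’s cbrt on a glibc system, an assumption for the demo), so the same helper serves any optional dependency.

```c
/* Added example, not systemd's code: load an optional dependency with
 * dlopen() only when the feature is needed, and fall back if it is absent. */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

typedef double (*unary_fn)(double);

/* Resolve `sym` from the optional library `soname`.  Returns 1 and fills
 * *out on success, 0 if the library or the symbol is missing.  Absence is
 * not an error: the optional feature is simply unavailable on this host. */
static int load_optional_fn(const char *soname, const char *sym, unary_fn *out)
{
    void *handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (handle == NULL)
        return 0;                        /* dlerror() has the reason if wanted */

    dlerror();                           /* clear any stale error state */
    void *addr = dlsym(handle, sym);
    if (addr == NULL || dlerror() != NULL) {
        dlclose(handle);
        return 0;
    }
    /* POSIX idiom for data pointer -> function pointer without a -pedantic
     * warning from a direct cast. The handle stays open for the process. */
    *(void **)out = addr;
    return 1;
}

/* Pure-C fallback for cbrt(): Newton's method, adequate for a demo. */
static double cbrt_fallback(double x)
{
    if (x == 0.0)
        return 0.0;
    double y = x > 1.0 ? x / 3.0 : x;    /* any same-sign starting point works */
    for (int i = 0; i < 100; i++) {
        double next = y - (y * y * y - x) / (3.0 * y * y);
        if (next == y)
            break;
        y = next;
    }
    return y;
}

/* cbrt(x) via the optional library when present, else the fallback.
 * *used_library reports which path ran so callers (and tests) can tell. */
double cbrt_optional(const char *soname, double x, int *used_library)
{
    unary_fn fn = NULL;
    if (load_optional_fn(soname, "cbrt", &fn)) {
        *used_library = 1;
        return fn(x);
    }
    *used_library = 0;
    return cbrt_fallback(x);
}

int main(void)
{
    int used;
    /* "libm.so.6" is an assumption (glibc); other libcs name it differently. */
    double r = cbrt_optional("libm.so.6", 27.0, &used);
    printf("cbrt(27) = %.12g via %s\n", r, used ? "libm.so.6 (dlopen)" : "built-in fallback");
    r = cbrt_optional("libdoesnotexist-example.so.0", 27.0, &used);
    printf("cbrt(27) = %.12g via %s\n", r, used ? "library" : "built-in fallback");
    return 0;
}
```

Build it without -lm (on glibc older than 2.34 add -ldl) and run `readelf -d ./a.out | grep NEEDED`: libm does not appear, because nothing in the ELF dynamic section records a dlopen()ed library. That is exactly the discoverability gap the systemd RFC is about; packagers and tools like ldd see only the DT_NEEDED entries.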

20:56

Link [Scripting News]

If Tesla went out of business, would my Model Y stop working??

They’re looting the internet [OSnews]

This is the state of the modern internet — ultra-profitable platforms outright abdicating any responsibility toward the customer, offering not a “service” or a “portal,” but cramming as many ways to interrupt the user and push them into doing things that make the company money. The greatest lie in tech is that Facebook and Instagram are for “catching up with your friends,” because that’s no longer what they do. These platforms are now pathways for the nebulous concept of “content discovery,” a barely-personalized entertainment network that occasionally drizzles people or things you choose to see on top of sponsored content and groups that a relational database has decided are “good for you.”

↫ Edward Zitron

Corporate social media has gotten so bad, they’re basically unusable. The rare times I open Facebook to like a picture my mother posted or whatever, I’m just gobsmacked by how utterly unusable it has become. I’ve never used Instagram, but whenever I accidentally end up there, I have no idea how to navigate that place. YouTube is more ads than video if you don’t pay for Premium (which I do, because I use YouTube a lot so I get enough value out of it). Twitter is barely worth a mention – it’s no surprise that a social network bought and run by a nazi is now even fuller of nazis than it already was.

It’s not just social networks, either. The web as a whole feels like it’s been looted and plundered, and turned into a flyover state strip mall. Browsing the web is, for me at least, virtually impossible without autoplay blockers, my Pi-Hole, Consent-O-Matic, and settings to permanently block requests for location and notification access. The rise of “AI” has only made everything even worse, especially now that the big, wealthy content networks that, yes, own all your favourite technology news websites are also looking into it.

Luckily, there’s also a countermovement brewing. I’ve focused OSNews’ entire “social” strategy on Mastodon (and the various other ActivityPub tools), as it’s the only social medium that’s usable and enjoyable. With the nazis remaining on Twitter, and all the brands and influencers on Facebook (or Threads or whatever), everyone else interested in technology coalesced around the Fediverse, and it’s been a massive boon for a small website like OSNews trying to steer clear of all the SEO enshittification. There’s no spam, only relatively small, approachable brands, no influencers, no algorithms – just real, ordinary people, who also care about a usable, fair, and equitable web.

I hope that OSNews can eventually be run without any ads at all, but that’s going to take a lot more consistent work from me to convince more and more people to support us through Patreon or Ko-Fi, or for companies to become sponsors. However, I am convinced it’s a better route to take than trying to chase the SEO dragon, because we all know where that leads to.

19:21

Person of Interest: Taha Ebrahimi [The Stranger]

She knows all the secret spots to see the cherry blossom trees this season. by Megan Seling

It was kind of by accident that Taha Ebrahimi wrote a book. Especially an illustrated one about trees.

“This is a kismet, happenstance COVID project,” she told me. “Basically, during COVID, I had all this extra time, and I was always interested in trees, but I don’t have any background in illustration or horticulture. I always thought people who knew stuff about plants and trees, those were the people who had authority. I don’t know why! Those Latin names, they just give you this impostorism.”

She started taking walks to get out of the house during lockdown, and it was on those walks that a deeper love for trees began to, ahem, blossom. She picked up a copy of The Sibley Guide to Trees, which is mostly pictures, and Arthur Jacobson’s Trees of Seattle, which has tons of data and specific locations of specific species but is mostly text, and she slowly began to piece together her own map of notable specimens while wandering from neighborhood to neighborhood.

The result is Street Trees of Seattle: An Illustrated Walking Guide, a charming book full of hand-drawn maps, detailed sketches of leaf and petal shapes and bark patterns, and tons of very nerdy, very fascinating history about how certain species of trees got to Seattle in the first place.

For instance, the giant sequoia at Fourth Avenue and Stewart Street, the one a man climbed and lived in for 24 hours in 2016? It was “originally on Aurora,” says Ebrahimi. Or, have you ever wondered why there’s so much holly in Beacon Hill? In the book, Ebrahimi explains, “...the story of holly in Seattle truly begins in 1927, when Lillian McEwan (wife of the owner of Ballard’s Seattle Cedar Lumber Manufacturing Company) founded the Washington State Society for the Conservation of Wild Flowers and Tree Planting and began her inexplicable personal mission to plant so much English holly that Washington could one day become ‘the Holly State.’”

Today, Ebrahimi adds, “The King County Noxious Weed Board classifies holly as a ‘weed of concern.’” Thanks for nothing, McEwan!

On a chilly February afternoon, when it was too cold to go tree spotting, I hopped on a call with Ebrahimi to learn more about her favorite Seattle trees and, of course, to inquire about a few secret spots to see those dopamine-triggering cherry blossoms.

You mention in the book that the average lifespan for a street tree is something like 13 years. I didn’t realize it was so short! Do you know, is it because that dataset includes trees that were maybe moved or cut down to make room for development? 

People would be very surprised to know that many new trees that we plant don’t make it to maturity. There are always tree-planting events, then people will forget about the tree. It’s a grand idea to say we’re going to plant trees, but the resources have to go into also taking care of them. A mature tree provides 10 times the human health benefits as small trees. They’re still trying to do a lot of research to find out how these health benefits tend to come to us, but I felt it on my walks. Just being outside in nature, doing nothing else but walking, and having a destination, it forced my brain to process things in a different way and to go slower. I was born and raised in Seattle, but I found myself seeing the city in this completely different way. 

Since you grew up here, you know, then, about all of the hikes and mountains that are just outside of the city—or even wooded areas in the city, like Discovery Park—and we’re encouraged to go enjoy those places, but what people don’t realize is that nature is also right there, right outside your door. 

One hundred percent. When I started doing this project, it was largely out of wanting to share this experience with those who might have been in the same situation as I was. I didn’t have a car, and Seattle isn’t a great city to get around if you don’t have a car, and it was during COVID. I wanted to see some trees, and the only ones that were available were the ones that were right outside my door, which more people have access to. Although we do know that there are fewer street trees in areas of low income, more people do have access to the street trees, and it’s this overlooked forest that is literally right there. You forget that they’re there, but they’re doing us good.

London plane (Platanus acerifolia) 600 1st Ave. COURTESY OF SASQUATCH BOOKS

Was there one tree that kind of sparked this love affair with trees, or was it just the experience overall?

I think it was the experience overall, but there have been a couple of really cool trees that stick out in my memory. One is the giant sequoia on Capitol Hill. It’s near Volunteer Park. It’s this massive tree and it’s leaning a little bit like the Tower of Pisa, and it is just so grand and majestic. And there’s this really cool—it’s the second-widest-diameter pine in Seattle, I believe. It’s up in Wedgwood, and it blocks somebody’s stairway, their entryway to their door. And they haven’t cut it down. I ran into the owners when I was looking at it and they told me that the previous homeowners remembered having like a Tarzan swing or something that they hung on the branch so that they could swoop down to the sidewalk from their home. I love that no one cut that tree.

Do you have any secret tips for people who want to enjoy the spring flowers but in a less obvious place than, say, the University of Washington? People climb on the cherry blossom trees at the UW for Instagram! How do you stay out of that mess while still getting out there and loving some of the spring trees? 

Street trees are really the secret spot where you can go visit these beautiful cherry blossom trees without those massive crowds. There’s actually two streets I would recommend in Seattle—there are so many! To narrow it down is really difficult, but 33rd Avenue Northwest in Ballard, kind of above Northwest 75th Street, that street is lined with beautiful Yoshino cherries that bloom at the same time as the UW cherries. Kind of late March, early April-ish. Also, around the same time—these are also a variation of the Yoshino cherry—on Capitol Hill at 21st Avenue East, above East Aloha Street. That is a little-known secret. [Laughs] Maybe not so much anymore. 

Taha Ebrahimi will read from Street Trees of Seattle at Elliott Bay Book Company Wednesday, April 17, at 7 pm, free, all ages.

18:35

In search of the Ballmer Peak, and other results from SIGBOVIK 2024 [The Old New Thing]

The Special Interest Group on Harry Q. Bovik (SIGBOVIK) is an annual event at the Carnegie Mellon School of Computer Science’s Association for Computational Heresy, featuring research papers which try to make up for lack of merit with excess of entertainment.

The Proceedings of the 2024 SIGBOVIK were published a few weeks ago, and I’d like to call out a few papers for your attention.

All page numbers are nominal. Add four to get physical page numbers.

The one that perhaps has the greatest industry application is The Ballmer Peak: An Empirical Search by Twm Stone and Jaz Stoddart (page 48), which takes a phenomenon originally isolated by researcher Randall Munroe in 2007 and seeks to refine its estimated value through experiments designed to identify the optimal blood alcohol content for computer coding. And they found it.

A paper that may help you with your software architecture decisions is An empirical performence [sic] evaluation between Python and Scratch by Morgan Nordberg (page 174), which undertakes a detailed performance comparison between two popular programming languages.

One of the great joys of research is discovering an entire new field of study which serves as a wellspring for future research. We were able to observe the birth of one such field with the paper An Empirically Verified Lower Bound for The Number Of Empty Pages Allowed In a SIGBOVIK Paper by Frans Skarman (page 249). The initial paper merely sets the groundwork, and I look forward to future papers that expand our understanding.

The paper Are Centaurs Actually Half Human and Half Horse? by Kyle Batucal (page 367) employs image classification theory to determine whether wisdom from the ancient Greeks holds up. And the paper A computer-assisted proof that e is rational by Rémi Garcia and Alexandre Goldsztejn (page 375) produces a surprising result that may revolutionize our understanding of numbers.

And hidden among all the silly papers is a real research paper: A Genius Solution: Applications of the Sprague-Grundy Theorem to Korean Reality TV by Jed Grabman (page 438), which takes the combinatorial game theory of impartial games and applies it to an elimination game used in the Korean reality television program The Genius.

I’m sentimentally partial to that last paper because my advisors during my brief academic career include John H. Conway and Elwyn Berlekamp, two of the three authors of Winning Ways for Your Mathematical Plays, one of the foundational texts for combinatorial game theory. The work in the Genius Solution paper is exactly the sort of thing we would work out as a goofy exercise.

The post In search of the Ballmer Peak, and other results from SIGBOVIK 2024 appeared first on The Old New Thing.

Dubious security vulnerability: Program allows its output to be exfiltrated [The Old New Thing]

A security vulnerability report came in for the reg.exe program.

There is an information disclosure vulnerability in the reg.exe program. It is possible to use this program to exfiltrate data, as demonstrated by the following proof of concept.

The proof of concept was a program that ran reg.exe, captured the program output, and then uploaded the results to a presumed malicious web server.

The finder explained that the system should not have allowed this to happen. The reg.exe program should not have allowed its presumed sensitive output to be captured and sent to another system, and the system should not have allowed the malicious proof of concept program to run.

The first thing to note is that reg.exe did nothing wrong. It had one job: reading the data from the registry and printing it to its standard output, and it did it. There was no security boundary crossed: The reg.exe program doesn’t grant the user access to data that the user doesn’t already have access to. And reg.exe cannot control what happens to the output it generated. Not only is this not reg.exe’s responsibility, it would require the power of clairvoyance!

var secret_data = read_output("reg.exe HKLM\Something\Valuable")
if (prompt("Should I send this to somebody?")) {
    send(secret_data);
}

Does this program disclose sensitive data? Well, it depends on how the user answers the question.

“Well, then reg.exe should refuse to generate the data if it could potentially be disclosed for any input.”

Great, let’s try this program:

var secret_data = read_output("reg.exe HKLM\Something\Valuable")
if (find_counterexample_to_collatz_conjecture()) {
    send(secret_data);
}

To determine whether this discloses information, we would have to solve a famous unsolved problem in mathematics.

“Well, then, reg.exe should play it safe and refuse to generate the data if it’s not sure.”

If you put it that way, then you’re basically saying that reg.exe should never produce any data.

From a security standpoint, what happened here is that the user ran a malicious program. The user did so voluntarily. There was nothing that forced the user to run the program, there was nothing that tricked the user into running the program, there was nothing that ran the program automatically. It was just assumed that the user ran the program.¹

If the program were downloaded, then tools like SmartScreen could warn the user “Hey, you’re downloading a program that has a low reputation. Do you really want to download it?” Running reg.exe is not inherently suspicious, and sending data to a Web server is something that users probably want to happen when they do things like, oh I dunno, visit a Web site. Even if the program manages to get onto the system, anti-malware tools like Windows Defender will also do their best to block malicious programs. But what this program does is not obviously malicious. It gathered information from the registry and sent it to a Web server. This sounds like just the sort of thing that a product support troubleshooting tool would do: Read some registry keys and send them to a Web site for product support purposes.

The finder suggested that the system should outright refuse to run untrusted programs. Well, you can do that if you want. There are a multitude of policies for locking down systems to different degrees. For example, you could use Windows S-Mode to block any programs that did not come through the Microsoft Store.

But requiring a program to refuse to allow its output to be used in undesirable ways is asking for the impossible. It’s like instructing someone, “You are not allowed to say anything that could possibly be used in a way I don’t like.” The only way to comply is simply never to say anything. A program that refuses to generate any output is certainly secure, but it’s also not very useful.
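The “no security boundary crossed” test above is the one that settles reports like this, and it can be checked directly rather than argued. The following is an added example, not part of the original post: it runs reg.exe against a key every user can read and against HKLM\SECURITY, whose ACL grants read access to SYSTEM only, and records the exit code. The helper name Test-RegReadable is mine.

```powershell
# Added example (not from the original post). reg.exe returns only what the
# calling token's ACL check allows; the key's ACL, not reg.exe, decides.
function Test-RegReadable {
    param([Parameter(Mandatory)][string]$KeyPath)

    # Capture stdout and stderr together; reg.exe exits 1 on any error.
    $output = & reg.exe query $KeyPath 2>&1
    [pscustomobject]@{
        Key      = $KeyPath
        ExitCode = $LASTEXITCODE
        Readable = ($LASTEXITCODE -eq 0)
        Detail   = ($output | Select-Object -First 1 | ForEach-Object { "$_".Trim() })
    }
}

# Readable by every interactive user: the same data the user could browse in regedit.
Test-RegReadable 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# SYSTEM-only key: reg.exe reports "ERROR: Access is denied." even when run
# elevated, because the caller's token lacks read access on that key.
Test-RegReadable 'HKLM\SECURITY'
```

If the second call ever came back Readable for a non-SYSTEM caller, that would be a real finding, because reg.exe would then be handing out data the caller could not otherwise read. The report in the post shows the opposite: the data flowed from a key the user already had access to, and capturing stdout is what every pipeline on the system does.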

Bonus chatter: You might say, “Well, the program should produce encrypted output, so that even if it gets exfiltrated, only someone with the correct key can decode it.” I’m sure everybody that runs reg.exe will be thrilled that the output of the program is unreadable by humans. And besides, it won’t help you, because the malicious program would just decrypt the output before uploading!

¹ If you can find a way to force the user to run a malicious program, or trick the user into running a malicious program, or cause the malicious program to run automatically, then you may be onto something, but this report never made such a claim. It assumed that code execution had already been achieved. This is just another case of if I can run an arbitrary program, then I can do arbitrary things, or what we sometimes jokingly call MS07-052: Code execution results in code execution.

The post Dubious security vulnerability: Program allows its output to be exfiltrated appeared first on The Old New Thing.

18:21

Top Cozy Games by State (2024) [Humble Bundle Blog]

Now that we’ve officially entered Spring, there is no better time to investigate the cozy gaming genre, which usually features thematic elements of fresh starts, natural beauty, and bursts of color.  Cozy games are known for their calming and relaxing gameplay coupled with beautiful graphics and soothing soundtracks. These games are perfect for unwinding after a long day or spending a lazy weekend afternoon. If …

The post Top Cozy Games by State (2024) appeared first on Humble Bundle Blog.

17:49

Slog AM: Dozens of Pro-Palestine Protesters Arrested for Blocking Sea-Tac Airport, SCOTUS Allows Idaho's Gender-Affirming Care Ban to Take Effect, Trump Nods Off at Trial [The Stranger]

The Stranger's morning news roundup. by Rich Smith

Pro-Palestine protesters block Sea-Tac airport: At around 3 pm Monday, a group protesting the US-funded genocide in Gaza parked cars along the airport's expressway. Some locked their arms together and sat on the pavement. In response, the airport closed the road, cops hopped on bikes to confront the protesters, and trucks towed away the vehicle blockade as some travelers exited their conveyances to approach the airport on foot, according to footage from KOMO. The road to the airport reopened about three hours later, and police arrested 46 people at the peaceful protest. 

The airport protest happened in concert with demonstrations across the country, including in San Francisco (where they shut down the Golden Gate Bridge) and Chicago (where they blocked a terminal at O'Hare). In a statement, the Seattle group called out politicians for ignoring calls for a "permanent ceasefire" and approving weapons sales to Israel. The Seattle action aimed to hit companies such as Boeing (which builds weapons) and Alaska Airlines (which works with Boeing) in their pocketbooks. "While the full economic important of today's action is yet to be quantified, the blockade will cost the airport money in delayed flights as well as reduced commerce inside the airport," they wrote. An airport spokesperson described flight disruptions as "pretty minimal," according to the Seattle Times, thanks to the slow time of day and to Sea-Tac's rapid response plan. 

Tow are moving quickly to take away the vehicles used to block the road. 3 cars towed so far. pic.twitter.com/VGZuMEGbJD

— Jeremy Harris (@JeremyHarrisTV) April 15, 2024

A transit strategy? According to KING 5, travelers en route to the airport yesterday filled the light rail when news of the protest broke. The outlet quoted an airport employee saying, "I've never seen that many crowded people ever in my life coming out of the airport going to the train." 

Washington gubernatorial candidates weigh in: On x.com, Democratic frontrunner and WA Attorney General Bob Ferguson called the demonstration "unacceptable" and congratulated the cops for clearing the blockade. On the other side, establishment Republican Dave Reichert said he did not take freedom of speech "lightly," but, he argued, "When a protest is imposed on everyone else's freedom, it's neither lawful or justified." With these statements, both candidates clearly want to accomplish the same goal but from different sides. Ferguson wants to come off like a fascist to appeal to so-called independent voters who are open to voting blue this year because Trump man bad, and Reichert wants to come off like a thoughtful gentleman cop to appeal to people whose only politics are civility politics. 

Protest while you can, everybody: On Monday, the Supreme Court declined to hear the case against Black Lives Matter organizer DeRay Mckesson, which leaves a decision from the batshit Fifth Circuit Court of Appeals in place. That decision renders protest leaders financially liable for the behavior of anyone who shows up to protests and breaks something or someone, which means that staging a mass protest in Texas, Mississippi, and Louisiana just got a whole lot riskier, reports Vox.

Speaking of bad Supreme Court rulings: Yesterday, SCOTUS ruled that Idaho can enforce its gender-affirming health care ban, which threatens doctors with 10 years in prison if they prescribe care backed by "every major medical organization, including the American Medical Association, the American Academy of Pediatrics and the American Psychiatric Association," according to the Associated Press. Expect more refugees from Idaho and other states to visit Washington for care, stressing a health care system that's already stressed by the nationwide legislative assault against trans people. Moreover, analysts say the procedural arguments underlying this decision restrict judicial power to temporarily block laws that violate civil liberties as they move through the courts, which leaves us all more vulnerable to right-wing lunacy. 

The SCOTUS decision today on the Idaho gender affirming care ban wasn't about the care. It was a wholesale attack on civil rights jurisprudence that will allow states to wantonly violate constitutional rights while judicial relief is severely restricted.

— Alejandra Caraballo (@Esqueer_) April 16, 2024

Good news break: 

BREAKING: An appeals court blocked a West Virginia law banning transgender girls from playing on teams consistent with their gender identity, finding the law violates Title IX and the U.S. Constitution.

— ACLU (@ACLU) April 16, 2024

It's time for Supreme Court Justice Sonia Sotomayor to hang up the keys. Jay Willis over at Balls and Strikes makes the case, and he's right: "The case for Sotomayor’s retirement, in other words, is not about her precise position on an actuarial table. It is certainly not about the clarity of her voice, or the quality of her jurisprudence. It is about the urgent need for Democrats to reconceptualize what it means to serve responsibly on the Supreme Court, where a single bad break can disappear a cherished fundamental right in two years flat." 

Local democracies aren't very democratic: New research from Professor Katherine Levine Einstein at Boston University proves what we've been screaming about for years: Seattle's decision to hold local elections on odd years leads to a vast overrepresentation of old homeowners who do not reflect the city's demographics.

Important new paper. State & local candidates are like "unlike those fatcats in DC, I'm close to the people" but lower level elections have the most unrepresentative electorates & donors, lowest info, and are most influenced by money.

ungated: https://t.co/4nFC4vYmFB pic.twitter.com/iYsNPj41ar

— Jake M. Grumbach (@JakeMGrumbach) April 14, 2024

The Stranger's Pizza Week hath begun: More than a dozen pizza places all over town are offering FRESH and FANCY-LOOKING pizzas for $4 per slice or $25 for the whole pie. I have not eaten any of these pizzas, but judging by the promo photos, Stevie's Famous "CHEESE!" pie looks right up my alley for crust reasons, as does Palermo's "chicken, bacon, ranch swirl." I attribute my deep appreciation of that flavor trio to my Missouri roots, one of the few graces of growing up in the Midwest.

Fremont Brewing sold: The Seattle Hospitality Group, "which holds stakes in Ethan Stowell Restaurants, Pike Brewing and more," will own the brewery started by Matt Lincecum and Seattle City Council President Sara Nelson, the Puget Sound Business Journal reports. They didn't reveal the price tag, but I wonder if the sale includes the anti-homeless eco blocks surrounding the Ballard facility. 

One-hundred more affordable homes coming to Capitol Hill: St. Mark's plans to turn that big building next to the cathedral into apartments that people can sort of afford! Capitol Hill Seattle blog has the details.

Gaza updates: Images from a UN satellite show that Israel has destroyed at least one-third of Gaza's farmland as famine grips the country, Al Jazeera reports. The outlet also flagged an increase in violent acts from settlers in the West Bank. And the US keeps talking out of both sides of its mouth with regard to Iran. Even as US officials allegedly urge Israeli leaders not to continue the retaliation cycle, State Department weasel Matthew Miller called our commitment to defending Israel "sacrosanct." This whole thing is and has been getting way too holy war-ish for me. 

Speaking of weapons: After weeks of failure, US House Speaker Mike Johnson plans to separate military aid for Ukraine, Israel, and Taiwan into three different bills, and then propose a grab-bag bill that would tie the military aid to a TikTok ban and sanctions on Russian billionaires. According to Politico, some hard-right freaks still seem prohibitively skeptical, but Dems could decide to help out if they join Republicans on certain procedural votes that would force floor votes on the bills, which they rarely do.  

First president to fall asleep at his own criminal trial: The Trump Trial Show is off to an amazing start, as one might suspect. As a judge considered a bunch of pretrial motions that could determine his fate as a free man, "Mr. Trump appeared to nod off a few times, his mouth going slack and his head drooping onto his chest," the New York Times reports. Trump later asked the judge to skip next week's hearing so he could root for / bully the Supreme Court Justices, who are slated to hear arguments on his presidential immunity case, but the judge rebuffed him. The jury selection process continues today, and analysts think it could take two weeks to find an impartial group in NYC. 

ALERT: NY judge Juan Merchan rejects Trump's request to skip attending trial next Thursday to attend Supreme Court hearing on his "presidential immunity" argument

Judge: "Your client is a criminal defendant in New York. He is required to be here. He is not required to be in…

— Scott MacFarlane (@MacFarlaneNews) April 15, 2024

I leave you with this: Over the weekend, I saw a video of Olivia Rodrigo joining No Doubt onstage at Coachella to sing "Bathwater," and it made me ache for ska Gwen Stefani. 

17:35

[$] Fedora 40 firms up for release [LWN.net]

Fedora 40 Beta was released on March 26, and the final release is nearing completion. So far, the release is coming together nicely with major updates for GNOME, KDE Plasma, and the usual cavalcade of smaller updates and enhancements. As part of the release, the project also scuttled Delta RPMs and OpenSSL 1.1.

16:49

PuTTY 0.81 security release [LWN.net]

Version 0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497; some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys (ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.

However, this only affects that one algorithm and key size. No other size of ECDSA key is affected, and no other key type is affected.

(Thanks to Joe Nahmias).
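The advisory’s remediation step is “remove the public key from authorized_keys files”, which on a fleet means finding every nistp521 key first. The script below is an added example, not PuTTY’s or OpenSSH’s code: it parses each authorized_keys line, decodes the base64 blob and reads the key type and curve name from the SSH wire format (rather than trusting the first word of the line), reports every ecdsa-sha2-nistp521 entry, and writes back a copy with those lines commented out so the revocation leaves an audit trail. The sample authorized_keys content is constructed with zero-filled key material and is not real.

```python
"""Find and revoke ecdsa-sha2-nistp521 keys in authorized_keys content.

Added example for the PuTTY CVE-2024-31497 advisory; not PuTTY's or
OpenSSH's code. Parses the public-key wire format so a mislabelled blob
is still caught.
"""
import base64
import re
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"
AFFECTED_CURVE = "nistp521"
REVOKE_MARK = "# REVOKED CVE-2024-31497 (nistp521 key used with PuTTY < 0.81): "

# key-type token followed by the base64 blob; options such as from="..." may precede it
_KEY_RE = re.compile(r"(ecdsa-sha2-nistp\d+|ssh-[\w-]+|sk-[\w@.-]+)\s+([A-Za-z0-9+/=]+)")


def _read_string(blob: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length prefix + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated blob")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated blob")
    return blob[off:off + n], off + n


def key_blob_type(blob: bytes):
    """Return (key_type, curve) from a public-key blob; curve is None unless ECDSA."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    curve = None
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)      # second field is the curve name
        curve = curve.decode("ascii")
    return ktype, curve


def parse_line(line: str):
    """Return (declared_type, blob_type, curve, comment), or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _KEY_RE.search(stripped)
    if not m:
        return None
    declared, b64 = m.group(1), m.group(2)
    try:
        ktype, curve = key_blob_type(base64.b64decode(b64, validate=True))
    except (ValueError, UnicodeDecodeError):
        ktype, curve = declared, None           # undecodable blob: trust the label only
    comment = stripped[m.end():].strip() or None
    return declared, ktype, curve, comment


def find_affected_keys(text: str):
    """Return [(line_number, blob_type, comment)] for every nistp521 key in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        declared, ktype, curve, comment = parsed
        if AFFECTED_TYPE in (declared, ktype) or curve == AFFECTED_CURVE:
            hits.append((lineno, ktype, comment))
    return hits


def revoke_affected_keys(text: str) -> str:
    """Return `text` with every affected line commented out, so sshd ignores it."""
    affected = {lineno for lineno, _, _ in find_affected_keys(text)}
    out = [REVOKE_MARK + line if lineno in affected else line
           for lineno, line in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# --- constructed sample data (synthetic blobs, not real keys) -------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _blob(ktype: str, *fields: bytes) -> str:
    return base64.b64encode(b"".join(_ssh_string(f) for f in (ktype.encode(), *fields))).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: key material below is zero-filled, not real",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + _blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)) + " bob@build",
    'from="10.0.0.5",no-pty ecdsa-sha2-nistp521 '
    + _blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)) + " carol@putty-win",
    "ecdsa-sha2-nistp521 " + _blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)),
]) + "\n"


if __name__ == "__main__":
    for lineno, ktype, comment in find_affected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {ktype} {comment or '(no comment)'} -> revoke")
    print(revoke_affected_keys(SAMPLE_AUTHORIZED_KEYS), end="")
```

Run it over each user’s ~/.ssh/authorized_keys (and any AuthorizedKeysFile or AuthorizedKeysCommand source you use) and treat every hit as a key to rotate, not merely to remove: the advisory says to consider the private key compromised, so the same key must also go from Git hosting services, bastion inventories and anywhere else it was pasted.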

15:42

Link [Scripting News]

Good morning NBA fans. Today is the official beginning of the post-season, and this Knicks fan is one freaking happy camper. Just thought I'd get that outta the way before getting down to business.

Working together [Scripting News]

Each form of online discussion has a grain to it. Doc and I used to talk about how something "follows the grain of the web." Twitter has its own grain, formed by its character limit, what information is shared (i.e., the number of followers in both directions).

I made a list of some of the social networks I've been on starting in the mid-70s. The list is very long. And each of them had their own limits, rules and features, and each led to certain kinds of relationships between the participants. Mail lists that gain traction always flame out. It's hard to get people to read your blog. If you make it easier it changes into something else. Instagram, Youtube, TikTok form hierarchies of influencers. I think of those as the networks Taylor Lorenz covers.

But there isn't a structure that I'm aware of that leads to people working together. It's a puzzle I keep trying to figure out.

We need "working together" to survive climate change and fascism. It would be good to crack this nut.

One of the nicest things about ChatGPT is that it's always up for working together with you. The critics of AI don't begin to understand this. As an example, I'm going to ask ChatGPT to draw a picture of people working together. Here it is.

What got me thinking this way this morning is a bit of collaboration I did with palafo on Threads. It's remarkable. We actually did some work together. It may be hard to read the thread but if you're curious about collaborative systems, here's a real example. Serendipitous, unplanned, but we figured something out by combining our experiences. Fantastic.

Later, Ben Werdmuller, a person who I've gotten to know a little recently, is intelligent and asks good questions. He asked one today, how do they get the live audience on SNL to laugh when they want them to laugh. I had an idea and shared it.

If you take away one thing from this post it's that we can collaborate with the machines, and maybe that will unlock collaboration between humans. In fact, in a way they are facilitating the collaboration. If you want to be part of the collective human intelligence, you may be thinking about the machines in the wrong way. Maybe they're the most human thing we have, because AI is made up of humans, like Soylent Green. 😄

PS: I asked ChatGPT to draw a picture of humans working together to clean up a mess.

PPS: Yesterday I gave John O'Nolan what I think is a good idea for getting his Ghost blogs federating with Threads, Mastodon et al. I didn't expect thanks or even a response, but I wonder if he even heard it. Most of the time, trying to help other people results in not even an acknowledgment that they saw it. If I were him I'd look for a painless, quick way to get maximum interop. Something like ghost.social. I'd give the same advice to Matt at Automattic (in fact I think I did).

PPPS: I think acknowledgment is a key part of "working together" on the web. Nothing more than "I wanted you to know I saw it" is often all that's needed to grease the skids of discourse. I've had a friendly disagreement with Manton at micro.blog about this.

15:21

Security updates for Tuesday [LWN.net]

Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).

15:00

Link [Scripting News]

I've never been to TED or SXSW.

14:42

Reproducing the printer hack of Windows 95 [OSnews]

During my daily web crawl I encountered a very interesting gif that I haven’t seen in a long time. It was a hack of an unspecified version of Windows 95, which showed how to bypass the login screen with the help of the menu and printing dialog. However, after a brief check, I found a fair amount of people stating that “just hitting the cancel” button would do the same. Sharp-eyed viewers would notice that it was the very first action taken in the picture. In order to find out if the hack is real at all, I decided to reproduce it and document it for the good of the internet.

↫ David Polakovic

So this hack is actually a lot more involved than I thought it was going to be, and yet, it still feels utterly insane that operating systems were this easy to get into, passwords were this easy to decrypt, and security settings were this trivial to disable. Anyway, the gif is sort-of real, in that yes, you can ‘hack’ Windows 95’s login security through the printing and help subsystems.

Things were different back then, man. I vaguely remember that my high school used to lock us out of the desktop, File Explorer, the Control Panel, and so on, making it impossible for us to access DOS or the games built into Windows 9x. I don’t remember the exact things we used to do, but most of us were aware and used several different methods of bypassing the school lockdowns just to mess around. We never did anything malicious – this is pre-internet, and we just wanted to play some Solitaire or Pinball – but anybody with malicious intent surely could’ve.

14:35

The Big Idea: Christine Ma-Kellams [Whatever]

History doesn’t always repeat, but echoes of what has happened before turn up in new variations in the present. Christine Ma-Kellams uses one of those echoes for dramatic effect in The Band, in a way that involves… kitchen appliances.

CHRISTINE MA-KELLAMS:

The most terrifying part about evil is not so much its magnitude but its proximity—how ordinary it is, how close to home.

Exactly one decade and a day ago, I woke up from nap-time with my then-toddler in our one-bedroom Cambridge apartment with my man hovering over me.

“Did you hear what happened?” he whispered.

I didn’t at the time, but soon found out about the pressure cooker bomb that went off at the Boston Marathon—an event we almost went to that fateful morning but decided against at the last minute—when two brothers who lived down the street from us in Inman Square did the unthinkable. We spent the rest of the afternoon sheltering in place after the governor shut down the entire city to look for the perpetrators.

Seven years later, when I (along with the rest of the country) underwent another shelter in place—a much longer one this time, because of a totally different kind of disaster—a strange deja vu set in. I invariably thought of how the Tsarnaev brothers used a household kitchen appliance to wreak deadly havoc on innocent Bostonians on an otherwise ordinary April day.

The last lockdown was also when I started writing The Band, so it probably comes as no surprise that a pressure cooker bomb makes a cameo in the climax of my own novel as well. I didn’t want to just recycle history though; I wanted to rewrite the future in a never-before-seen configuration. Stuck at home, I looked around my kitchen. At that point, a 7-in-one electronic device changed my life twice over: first, when it made me into a domestic goddess who no longer had to plan ahead for dinners, and second, when it became a turning point in my novel.

Because in the seven years between the two lockdowns, something else notable happened: the Instant Pot became a national sensation. Somewhere around 2016, it became the “It” thing to have in every kitchen in America. I, being prone to suggestibility, could not resist. Technically, the Instant Pot is a pressure cooker. But crucial to the unexpected turn of events that unfold in The Band, it’s not your usual pressurized device. All the ingenious bells and whistles that made the Instant Pot inventor—a software engineer named Robert Wang—rich and famous also account for the critical twist that comes about in my own novel when one villainess’ plot doesn’t go as expected. Evil—like everything else—doesn’t always go according to plan, and that makes it all the more interesting.

Household appliance-turned bombs aside, there is another layer of evil that ends up being the sub-flooring for The Band. It’s the kind of wrong we commit not out of hate, but indifference, which strikes me as the true opposite of goodness and love. When terrible things happen because well-intentioned people trying to do the “right” thing are not paying sufficient attention to what is really going on—that just might be the real mystery of the universe, one we have yet to solve.


The Band: Amazon|Barnes & Noble|Bookshop|Powell’s

Author Socials: Web site|Instagram|TikTok|Twitter

13:56

Moo Woo [George Monbiot]

What we want to believe and what is true are seldom the same thing.

By George Monbiot, published in the Guardian 15th April 2024

We draw our moral lines in arbitrary places. We might believe we’re guided only by universal values and proven facts, but often we’re swayed by deep themes of which we might be unaware. In particular, we tend to associate the imagery and sensations of our earliest childhood with what is good and right. When we see something that chimes with them, we are powerfully drawn to it and attach moral value to it.

This results from a combination of two factors: finding safety and comfort in the familiar, and what psychologists call “the primacy effect” – the first thing we hear about a topic is the one we tend to recall and accept. These tendencies contribute to the illusory truth effect: what is familiar is judged to be true. We go to war for such illusory truths, and sacrifice our lives to them.

Few illusions reach us earlier than the story of the benign livestock farm. Pre-literate children are repeatedly exposed to farmyard tales. The impression these books and animations create – the animal farm as a place of kindness and harmony – seems extremely hard to shake, regardless of people’s later exposure to the realities of the industry. When we see imagery that reminds us of farmyard storybooks, we feel a glow of recognition. When we hear arguments that chime with these stories, we want to believe them.

This, I think, explains the popularity of films that provide a rosy view of livestock farming, such as Kiss The Ground and The Biggest Little Farm. The latest contribution to the genre is a British film called Six Inches of Soil, now enjoying considerable success in independent cinemas. It follows the travails of three young farmers, “during the first year of their regenerative journey”. It’s well produced, makes some good points and tells some good stories. But it is also, in recounting the story we want to hear, fatally one-sided and, in crucial respects, wrong.

Livestock farming ranks with the fossil fuel industry as one of the two most destructive industries on Earth. But because of those farmyard tales, reinforced by stories we’re told as adults in endless books and films celebrating the pastoral, we apply entirely different standards to it. Parts of this film could be clipped and used as advertisements for the most damaging of all livestock products: beef. Astonishingly, it was made not by meat companies but by environmentalists.

It purports to show a cattle farm in Cornwall helping to prevent climate breakdown. Hannah Jones, from an organisation called Farm Carbon Toolkit, tells the farmer that, through the growth of his hedges and woodland, “you are removing more greenhouse gases from the atmosphere than you’re actually emitting”. The farmer, Ben Thomas, responds: “It’s such a great marketing tool for us.”

I see this sequence as highly misleading. Before long the farmer will need to cut the hedges, releasing much of the carbon they’ve captured. Even in the film, we see him coppicing trees in his woods to make way for his cattle, which will oxidise most of the carbon they’d accumulated over 20 years. More importantly, the counterfactual scenario went unmentioned: if his cattle were removed from the land and it was allowed to rewild, far more carbon would accumulate, both above and below ground, and this would not be counteracted by the farm’s emissions. The government’s Climate Change Committee estimates that switching from grassland to woodland in England would eventually “increase the soil carbon stock by 25 tonnes of carbon per hectare” on average. Given that we reduce our land use by an average of 76% when we switch to a plant-based diet, the opportunity cost of using land for a cattle farm should feature in any discussion of whether or not it is saving carbon.

The conversation moved on to soil. The film created the clear impression that Thomas had made even bigger savings across the year by increasing the carbon content of his soil. Pointing to a massive rise in soil carbon in Jones’s “table of emissions and sequestration”, he remarks, “So the hedgerows are amazing anyway, and the woods are pretty good. But the soil has absolutely smashed it.”

This seemed extremely unlikely. First, there’s no academic study anywhere, meeting the necessary criteria, that shows sustained net greenhouse gas removal through soil carbon storage by a cattle farm. Recent research explains why such efforts have failed, and always will: partly because soil carbon soon saturates, while farm emissions continue. Second, the technologies required to demonstrate such an annual shift do not exist. Moreover, to establish that carbon has stayed in the soil, rather than simply cycling through it, you would need to show that the shift had been sustained for at least 20 to 30 years.

When I asked Farm Carbon Toolkit how such a claim could be justified, it dropped a bombshell: the sequence, after being “edited down by the film-makers”, failed to make clear that they were discussing not the actual figures on the farm but “a modelled scenario”. In other words, though viewers were not told, the numbers weren’t real. When I challenged the film-makers, they accepted this, and told me “it’s possible” that they might change the editing for the video-on-demand release of the film. I hope they do. In the meantime, cinema audiences should be warned that it creates a misleading impression.

These sequences look to me like moo-woo: the oft-repeated and oft-debunked story that cows can protect the atmosphere. It’s as if environmentalists had made a film about artisanal coal mining, told heroic stories about the workers, and allowed their viewers to believe that coal mined this way is good for the planet.

This story is perfectly aligned with the livestock industry’s greenwashing. Like the film, it liberally uses the term “regenerative”, which means whatever you want it to. It wrongly claims that cattle can be carbon neutral or carbon negative and that beef-eating can be eco-friendly.

Such persuasion narratives have real and massive impacts. The European Union is currently deleting its nature restoration proposals in response to farm lobbying. In the UK, a culture war against Natural England, whipped up by livestock farmers on Dartmoor and their supporters in parliament, threatens the protection of our nature sites. No other industry has benefited as much from unpaid propagandists: well-meaning people unwittingly acting on its behalf.

A magnificent aspect of our humanity is that we can change our beliefs in response to evidence. It’s time to exercise this faculty, and put away childish things.

www.monbiot.com

Google’s Generic Kernel Image now required on all Android form factors [OSnews]

New TVs that launch with Android TV 14 or later on Linux kernel 5.15 or higher will be required to meet Google’s Generic Kernel Image (GKI) requirements in order to pass certification!

This means that GKI is now enforced on all major Android form factors with AArch64 chipsets: handhelds, watches, automotive, & televisions.

↫ Mishaal Rahman

What this means is that all the major Android form factors will be running kernels that adhere to the GKI requirements, which means SoC and board support are not part of the core kernel but are instead provided by loadable modules. This should, in theory, make it easier to provide long-term support.

13:49

Pluralistic: Rebecca Roque's "Till Human Voices Wake Us" (16 Apr 2024) [Pluralistic: Daily links from Cory Doctorow]


Today's links




Rebecca Roque's "Till Human Voices Wake Us" (permalink)

"Till Human Voices Wake Us" is Rebecca Roque's debut novel: it's a superb teen thriller, intricately plotted and brilliantly executed, packed with imaginative technological turns that amp up the tension and suspense:

https://www.blackstonepublishing.com/till-human-voices-wake-us-gn3a.html#541=2790108

Modern technology presents a serious problem for a thriller writer. Once characters can call or text one another, a whole portfolio of suspense-building gimmicks – like the high-speed race across town – just stop working. For years, thriller writers contrived implausible – but narratively convenient – ways to go on using these tropes. Think of the shopworn "damn, my phone is out of battery/range just when I need it the most":

https://www.youtube.com/watch?v=XIZVcRccCx0

When that fails, often writers just lean into the "idiot plot" – a plot that only works because the characters are acting like idiots:

https://en.wikipedia.org/wiki/Idiot_plot

But even as technology was sawing a hole in the suspense writer's bag of tricks, shrewd suspense writers were cooking up a whole new menu of clever ways to build suspense in ways that turn on the limitations and capabilities of technology. One pioneer of this was Iain M Banks (RIP), whose 2003 novel Dead Air was jammed with wildly ingenious ways to use cellphones to raise the stakes and heighten the tension:

https://web.archive.org/web/20030302073539/http://www.wired.com/wired/archive/11.03/play.html?pg=8

This is "techno-realism" at its best. It's my favorite mode of storytelling, the thing I lean into with my Little Brother and Martin Hench books – stories that treat the things that technology can and can't do as features, not bugs. Rather than having the hacker "crack the mainframe's cryptography in 20 minutes when everyone swears it can't be done in less than 25," the techno-realist introduces something gnarlier, like a supply-chain attack that inserts a back-door, or a hardware keylogger, or a Remote Access Trojan.

Back to Roque's debut novel: it's a teen murder mystery told in the most technorealist way. Cia's best friend Alice has been trying to find her missing boyfriend for months, and in her investigation, she's discovered their small town's dark secret – a string of disappearances, deaths and fires that are the hidden backdrop to the town's out-of-control addiction problem.

Alice has something to tell Cia, something about the fire that orphaned her and cost her one leg when she was only five years old, but Cia refuses to hear it. Instead, they have a blazing fight, and part ways. It's the last time Cia and Alice ever see each other: that night, Alice kills herself.

Or does she? Cia is convinced that Alice has been murdered, and that her murder is connected to the drug- and death-epidemic that's ravaging their town. As Cia and her friends seek to discover the town's secret – and the identity of Alice's killer – we're dragged into an intense, gripping murder mystery/conspiracy story that is full of surprises and reversals, each more fiendishly clever than the last.

But as good as the storytelling, the characterization and the mystery are, Roque's clever technological gambits are even better. This book is a master-class in how a murder mystery can work in the age of social media and ubiquitous mobile devices. It's the first volume in a trilogy and it ends on a hell of a cliff-hanger, too.


Hey look at this (permalink)




This day in history (permalink)

#20yrsago Canadian government spending public funds to develop DRM https://web.archive.org/web/20040508011338/www.pch.gc.ca/pc-ch/pubs/2004/4_e.cfm#5

#15yrsago Pirate Bay defendants found guilty, sentenced to jail https://www.theguardian.com/technology/2009/apr/17/the-pirate-bay-trial-guilty-verdict

#15yrsago London cops mug tourist for his bus-station photos https://www.theguardian.com/uk/2009/apr/16/police-delete-tourist-photos

#5yrsago On the eve of a contentious election, Twitter suspends the accounts of progressive activists https://www.sprawlcalgary.com/twitter-suspends-left-leaning-albertans-before-election

#5yrsago Your kid’s “smart watch” lets anyone in the world trace their location. Again. https://www.pentestpartners.com/security-blog/tic-toc-pwned/

#1yrago How To Make the Least-Worst Mastodon Threads https://pluralistic.net/2023/04/16/how-to-make-the-least-worst-mastodon-threads/


Upcoming appearances (permalink)





Recent appearances (permalink)




Latest books (permalink)




Upcoming books (permalink)

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025
  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon (permalink)

Today's top sources:

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING
  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025
  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM
  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Capitalists Hate Capitalism https://craphound.com/news/2024/04/14/capitalists-hate-capitalism/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

13:28

Attacking Supply Chains at the Source [Radar]

We’ve been very lucky. A couple of weeks ago, a supply-chain attack against the Linux xz Utils package, which includes the liblzma compression library, was discovered just weeks before the compromised version of the library would have reached the stable releases of the most widely used Linux distributions. The attack inserted a backdoor into liblzma that hooked into sshd on distributions whose sshd links against libsystemd (and so loads liblzma), giving the threat actors remote code execution on any affected system.

The details of the attack have been thoroughly discussed online. If you want a blow-by-blow exposition, here are two chronologies. Ars Technica, Bruce Schneier, and other sources have good discussions of the attack and its implications. For the purposes of this article, here’s a brief summary.

The malware was introduced into xz Utils by one of its maintainers, an account named Jia Tan. That’s almost certainly not a person’s name; the actual perpetrator is unknown. It’s likely that the attacker is a collective operating under a single name. Jia Tan began several years ago by submitting a number of changes and fixes to xz, which were included in the distribution, establishing a reputation for doing useful work. A coordinated pressure campaign against xz’s creator and maintainer, Lasse Collin, complained that Collin wasn’t approving patches quickly enough. This pressure eventually convinced him to add Jia Tan as a maintainer.

Over two years, Jia Tan gradually added compromised source files to xz Utils. There’s nothing really obvious or actionable; the attackers were slow, methodical, and patient, gradually introducing components of the malware and disabling tests that might have detected the malware. There were no changes significant enough to attract attention, and the compromises were carefully concealed. For example, one test was disabled by the introduction of an innocuous single-character typo.

Only weeks before the compromised xz Utils would have become part of the general release of Red Hat, Debian, and several other distributions, Andres Freund noticed some performance anomalies with the beta distribution he was using. He investigated further, discovered the attack, and notified the security community. Freund made it clear that he is not a security researcher, and that there may be other problems with the code that he did not detect.

Is that the end of the story? The compromised xz Utils never reached stable releases, and no damage from it has been reported. However, many people remain on edge, with good reason. Although the attack was discovered in time, it raises a number of important issues that we can’t sweep under the rug:

  • We’re looking at a social engineering attack that achieves its aims by bullying—something that’s all too common in the Open Source world.
  • Unlike most supply chain attacks, which insert malware covertly by slipping it by a maintainer, this attack succeeded in inserting a corrupt maintainer, corrupting the release itself. You can’t go further upstream than that. And it’s possible that other packages have been compromised in the same way.
  • Many in the security community believe that the quality of the malware and the patience of the actors is a sign that they’re working for a government agency.
  • The attack was discovered by someone who wasn’t a security expert. The security community is understandably disturbed that they missed this.

What can we learn from this?

Everyone is responsible for security. I’m not concerned that the attack wasn’t discovered by a security expert, though that may be somewhat embarrassing. It really means that everyone is in the security community. It’s often said “Given enough eyeballs, all bugs are shallow.” You really only need one set of eyeballs, and in this case, those eyeballs belonged to Andres Freund. But that only raises the question: how many eyeballs were watching? For most projects, not enough—possibly none. If you notice something that seems funny, look at it more deeply (getting a security expert’s help if necessary); don’t just assume that everything is OK. “If you see something, say something.” That applies to corporations as well as individuals: don’t take the benefits of open source software without committing to its maintenance. Invest in ensuring that the software we share is secure. The Open Source Security Foundation (OpenSSF) lists some suspicious patterns, along with best practices to secure a project.
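"Look at it more deeply" has a concrete first step on any host that was tracking a rolling or beta distribution at the time: confirm whether the installed liblzma is one of the two backdoored releases (5.6.0 and 5.6.1, tracked as CVE-2024-3094) and whether the local sshd actually loads liblzma through libsystemd, since that is the path the backdoor used. The script below is an added example, not from the Radar article or the xz project. The two checks are pure functions over command output so they can be exercised on the constructed samples included here; run as a script it queries the live system with `ldd` and `xz --version`. The sample `ldd` and `xz --version` text is constructed, not captured from a real host.

```python
"""Host check for the xz Utils backdoor: is the installed xz one of the
compromised releases, and does this system's sshd load liblzma at all?

Added example, not the article's or the xz project's code. Version numbers
and the libsystemd -> liblzma loading path are the publicly documented facts
of CVE-2024-3094; everything else here is an assumption of this example.
"""
import re
import shutil
import subprocess

# The two releases whose tarballs carried the backdoored liblzma.
COMPROMISED_VERSIONS = {(5, 6, 0), (5, 6, 1)}


def xz_version_tuple(version_output: str):
    """Parse the first line of `xz --version`, e.g. 'xz (XZ Utils) 5.6.1'."""
    first = version_output.splitlines()[0] if version_output.strip() else ""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", first)
    if not m:
        raise ValueError("unrecognised xz --version output: %r" % first)
    return tuple(int(x) for x in m.groups())


def is_compromised_version(version_output: str) -> bool:
    """True if the reported xz version is one of the known-bad releases."""
    return xz_version_tuple(version_output) in COMPROMISED_VERSIONS


def libs_loaded_by(ldd_output: str, needle: str = "liblzma"):
    """Return resolved paths of libraries whose soname contains `needle`,
    from `ldd` output lines of the form '\tsoname => /path (0xaddr)'."""
    paths = []
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(\S+)\s*=>\s*(\S+)", line)
        if m and needle in m.group(1):
            paths.append(m.group(2))
    return paths


def sshd_exposure(ldd_output: str, version_output: str) -> str:
    """Combine both signals into a verdict for an sshd binary."""
    lzma_paths = libs_loaded_by(ldd_output)
    bad = is_compromised_version(version_output)
    if bad and lzma_paths:
        return "EXPOSED: sshd loads a compromised liblzma (%s)" % lzma_paths[0]
    if bad:
        return "COMPROMISED liblzma installed, but this sshd does not load it"
    if lzma_paths:
        return "sshd loads liblzma (%s); version not in the known-bad set" % lzma_paths[0]
    return "clean: sshd does not load liblzma and version is not known-bad"


# --- constructed sample command output (not from a real host) ---
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3c7f0000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2a000000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29fc0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29d00000)
"""
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def _run(argv):
    """Run a command and return its stdout (empty string on failure)."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    xz = shutil.which("xz")
    if xz and shutil.which("ldd"):
        print(sshd_exposure(_run(["ldd", sshd]), _run([xz, "--version"])))
    else:
        print("xz or ldd not found; showing the verdict on the constructed sample:")
        print(sshd_exposure(SAMPLE_LDD, SAMPLE_XZ_VERSION))
```

A version match alone is the weaker signal: the backdoor only became reachable where sshd pulled liblzma in via libsystemd, which is why the `ldd` check matters, and conversely a patched distribution package may still report a 5.6.x string from a rebuilt source, so treat the verdict as a prompt to confirm against your distribution's advisory rather than a final answer.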

It’s more concerning that a particularly abusive flavor of social engineering allowed threat actors to compromise the project. As far as I can tell, this is a new element: social engineering usually takes a form like “Can you help me?” or “I’m trying to help you.” However, many open source projects tolerate abusive behavior. In this case, that tolerance opened a new attack vector: badgering a maintainer into accepting a corrupted second maintainer. Has this happened before? No one knows (yet). Will it happen again? Given that it came so close to working once, almost certainly. Solutions like screening potential maintainers don’t address the real issue. The kind of pressure that the attackers applied was only possible because that kind of abuse is accepted. That has to change.

We’ve learned that we know much less about the integrity of our software systems than we thought. We’ve learned that supply chain attacks on open source software can start very far upstream—indeed, at the stream’s source. What we need now is to make that fear useful by looking carefully at our software supply chains and ensuring their safety—and that includes social safety. If we don’t, next time we may not be so lucky.

13:07

Who Stole 3.6M Tax Records from South Carolina? [Krebs on Security]

For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state’s revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole millions of payment card records from big box retailers like Home Depot and Target in the years that followed.

Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the state’s law enforcement division. If approved, this would be Keel’s third six-year term in that role.

The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasn’t ready to name anyone.

“I think the fact that we didn’t come up with a whole lot of people’s information that got breached is a testament to the work that people have done on this case,” Keel asserted.

A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.

KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.

On Oct. 7, 2012 — three days before South Carolina officials say they first learned of the intrusion — a notorious cybercriminal who goes by the handle “Rescator” advertised the sale of “a database of the tax department of one of the states.”

“Bank account information, SSN and all other information,” Rescator’s sales thread on the Russian-language crime forum Embargo read. “If you purchase the entire database, I will give you access to it.”

A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.

“There is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,” Rescator told Mazafaka members. “There is also information on corporate taxpayers.”

On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keel’s office. This story will be updated if any of them respond.

On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescator’s sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.

Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.

The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.

“At the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,” the AP’s Jeffrey Collins wrote.

As it happens, Rescator’s criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescator’s cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.

Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.

Mr. Keel’s assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian underground’s most aggressive and successful hacking crews.

While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.

Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that person’s name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).

According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.

But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.

A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

12:42

CodeSOD: A Small Partition [The Daily WTF]

Once upon a time, I was tuning a database performance issue. The backing database was an Oracle database, and the key problem was simply that the data needed to be partitioned. Great, easy, I wrote up a change script, applied it to a test environment, gathered some metrics to prove that it had the effects we expected, and submitted a request to apply it to production.

And the DBAs came down on me like a sledgehammer. Why? Well, according to our DBAs, the license we had with Oracle didn't let us use partitioning. The feature wasn't disabled in any way, but when an Oracle compliance check was performed, we'd get dinged and they'd charge us big bucks for having used the feature, and if we wanted to enable it properly, it'd cost us $10,000 a year, and no one was willing to pay that.

Now, I have no idea how true this actually was. I have no reason to disbelieve the DBAs I was working with, but perhaps they were being overly cautious. But the result is that I had to manually partition the data into different tables. The good news was all the writes always went into the most recent table, almost all of the reads went to either the current table or last month's table, and everything else was basically legacy and while it might be used in a report, if it was slower than the pitch drop experiment, that was fine.

It was stupid, and it sucked, but it wasn't the worst sin I'd ever committed.

Which is why I have at least some sympathy for this stored procedure, found by Ayende.

ALTER PROCEDURE GetDataForDate
   @date DATETIME
AS
   DECLARE @sql nvarchar(max)
   SET @sql = 'select * from data_' + convert(nvarchar(30),getdate(),112)
   EXEC sp_executesql @sql

Now, this is for an MS SQL database, which does not have any weird licensing around using partitions. But we can see here the manual partitioning in use.

There is a set of data_yyyymmdd tables, one per day. The intent is that a call takes the supplied date and builds a query against that day's table. As written, though, the procedure never reads @date at all: it formats getdate() instead, so it can only ever hit today's table.

Ayende got called in for this because one of the reports was running slowly. This report simply… used all of the tables. It just UNIONed them together. This, of course, removed any benefit of partitioning, and didn't exactly make the query planning engine's job easy, either. The execution paths it generated were not terribly efficient.

At the time Ayende first found it, there were 750 tables. And obviously, as each day ticked past, a new table was created. And yes, someone manually updated the view, every day.

Ayende sent this to us many tables ago, and I dread to think how many tables are yet to be created.


12:21

X.com Automatically Changing Link Text but Not URLs [Schneier on Security]

Brian Krebs reported that X (formerly known as Twitter) started automatically changing twitter.com links to x.com links. The problem is: (1) it changed any domain name that ended with “twitter.com,” and (2) it only changed the link’s appearance (the anchor text), not the underlying URL. So if you were a clever phisher and registered fedetwitter.com, people would see the link as fedex.com, but it would send them to fedetwitter.com.

Thankfully, the problem has been fixed.

11:00

Refusing the salon of the refused [Seth's Blog]

This week is the 150th anniversary of the most important failed art exhibit of all time.

It was organized by and featured artists who weren’t even among those that had a slot at the runner’s up exhibit for artists who weren’t featured in the real Salon in Paris. Manet didn’t have the guts to join them, so he participated in the ‘Refused’ exhibit. The others understood that a real change was possible.

Monet, Renoir, Sisley, Degas, Berthe Morisot, Pissarro, Béliard, Guillaumin, Lepic, Levert, and Rouart all participated. They not only put their art in the show, they organized and paid for it.

A few lessons worth taking away:

The first exhibit was a financial and critical failure. The show received fewer than 1% of the number of visitors that the mainstream salon benefitted from, and there were few reviews, most of them negative.

They knew someone who had a building, and the empty space he offered them was enough of an instigator that it turned some maybes into yesses. Use it or lose it.

One of the most positive things to come from the exhibit was a scathing satirical piece, the one that gave the impressionists their name. The insecure critics came to regret their inability to see what was possible.

And yet, the artists persisted. Year after year, eight times, gaining momentum each time, they returned, working their way from outsiders to become the dominant form of artistic expression of their time.

But most of all, so much easier today than in Paris 150 years ago, these individual painters did two things: They picked themselves and they did it together.

Everyone wants to be picked, but no one wants to organize the collective ‘we’.

It’s the ‘we’ that creates a school of thought, a movement, a network, a culture.

Curate, connect, organize and lead. Who better than you?


PS launched yesterday, a GOODBIDS auction for a very rare signed first edition of a nationwide bestseller.

A rare signed first edition of Remarkably Bright Creatures. A beloved bestseller, this one is signed by the author with a doodle of the novel’s star.

And new auctions coming later today.

08:28

Passion Pole Dance by Juliette Taka [Oh Joy Sex Toy]

Passion Pole Dance by Juliette Taka

Pole dance is no joke, as you can see in this comic by Juliette Taka! This comic is perfect to share on OJST’s birthday month, since pole dancing is near and dear to my heart. I danced the poles for almost ten years, until health-stuff got in the way- and I miss it every day. […]

02:35

Grooming As An Act Of Submission [QC RSS]

I have TWO NEW T SHIRT DESIGNS up for pre-order! Click that graphic below if you agree that A) shit is fucked or B) people should be nice to you or C) all of the above. Thank you.

01:28

Iran strikes, ISR [Richard Stallman's Political Notes]

Iran launched many missiles and drones against Israel.

Israel's attack on the Iranian consulate was not, in and of itself, a war crime. It was an attack on military personnel of a country which was already at war with Israel.

I don't know what specific targets Iran's missiles and drones were aimed at, but I don't see a reason why that attack would be a war crime. It seems that this is simply not war.

Judged in terms of its effects in the current context, Israel's attack was a manipulative provocation. Netanyahu must have figured that Iran would retaliate, and that this would give Israel an opportunity to attack Iran in a much bigger way and justify it as "retaliation". He may have hoped that western countries would talk western countries into "standing by Israel" in war against Iran.

I am not the only one to suspect that.

I hope those countries' governments are wise enough to refuse to fall for Netanyahu's efforts to lure them into war, or lure them into disregarding the urgency of ending the siege of Gaza.

This could be an opportunity to squeeze Netanyahu out of the Israeli government. They could tell Israel, "We will support Israel against Iranian attack, provided it adopts a defensive posture and provided Netanyahu is not its prime minister."

(Satire) gated community [Richard Stallman's Political Notes]

(satire) *Residents [of a Gated Community] Establish More Exclusive Gated [Nested] Community Within First.*

Carbon-offsetting revolt [Richard Stallman's Political Notes]

*The UN-backed Science Based Targets initiative (SBTi), which certifies whether a company is on track to help limit global heating to under 1.5°C,* has bought into the idea that "carbon offsets" are valid methods for curbing global heating.

The organization's staff condemn the plan and say it is not in fact based on science.

I've said for many years that we cannot trust a company to achieve the goal, because it is easy to set up bogus offsets that won't really reduce emissions but only pretend to.

For similar reasons, a "carbon market" would be easy to game and therefore to render ineffective. It appeals to the worshipers of the Invisible Hand.

By contrast, a carbon tax really would pressure companies to emit less greenhouse gas.

Prescription concerns [Richard Stallman's Political Notes]

*"What we’re seeing is not tele[medicine]": alarm over doctors using AI and prescribing without seeing patients.*

Medicine is intended to result in better health (better than it would otherwise have been), but it is misleading to refer to medicine as "health", and likewise to refer to telemedicine as "telehealth".

Heat stress [Richard Stallman's Political Notes]

Ocean temperatures of 25°C lead to the premature death of octopus mothers, from heat stress, before their eggs have hatched.

The article is confused when it talks about "unborn offspring". Octopus eggs are not "born", any more than birds' chicks are "born" when they hatch. Baby octopuses do not develop inside their mother. However, the mother must circulate water for them constantly until they are ready to swim away.

It is too bad that the experiment did not report on the visual capabilities of octopuses that did hatch at 25°C. That is the only way to tell for certain whether that high water temperature will damage their vision.

It is possible that octopuses can evolve to adapt to warmer conditions, if the change is not terribly fast. Or they can survive farther from the equator.

Cashier-free shops [Richard Stallman's Political Notes]

Amazon's notorious checkout-less stores supposedly used secret scanning and AI systems to figure out what each shopper bought. Actually they used remote workers in low-wage countries to watch the shoppers.

What Amazon had invented was a new method of replacing workers in the US with outsourcing to low-wage workers. But if they ever succeed in really automating this, workers will lose even more.

00:35

Mount Zero’s closure [Richard Stallman's Political Notes]

Hong Kong's people have been silenced by China, which is using many different laws to disguise the extent of repression.

This repression is what China today means. This is why we must defend whatever targets China aims to conquer in the future.

Labour and the Sun [Richard Stallman's Political Notes]

*Starmer is courting Tory voters so hard it’s almost as though he wants to lose his own.*

I think he wants to convert the Labour Party into a competent but mainly plutocratist party, which would make policies mainly to benefit the wealthy, and carry them out competently. This would occupy the space that the Tory Party has abandoned to become the party of cruel rigidity.

Labour would then try to win elections by preventing any non-plutocratist opposition party from becoming a real alternative.

It is true that victory for a political cause usually requires compromises. The crucial thing is to distinguish the compromises that you can safely make from the compromises that would undermine your values.

Trump case [Richard Stallman's Political Notes]

The cheater is about to be tried for violating campaign finance laws to hush up a scandal that could have interfered with his chances of getting elected. Describing it as a matter of a "sex scandal" covers up what is really at stake.

Negative experiences [Richard Stallman's Political Notes]

*Negative experiences during military service are the main drivers of extremist beliefs amongst veterans, [suggests a small survey].*

These "negative experiences" are likely to involve hatred, bullying and war crimes. How ironic that their reaction to such violence leads them to commit or advocate similar violence themselves.

It is a mistake to classify "Antifa" as "extremist", since it means only participation in organized activity against a form of violence (fascism). That sometimes takes the form of fighting violent fascists, but basically it is nonviolent resistance against fascists.

Right-wing disinformation in the US portrayed Antifa a few years ago as a violent movement, which it was not.

Bogotá water supply [Richard Stallman's Political Notes]

Due to El Niño plus Global heating, much of South America is suffering from record droughts, and Bogotá is facing exhaustion of water in two months.

Monday, 15 April

23:56

Page 3 [Flipside]

Page 3 is done.

23:42

Food production crisis building, UK [Richard Stallman's Political Notes]

Britain has had a year of heavy rain, which has damaged wheat production.

This is surely related somehow to global heating. Whether it will continue, get better, or get worse, I have no basis to predict. But it is a dangerous situation.

Global coal-power up 2% [Richard Stallman's Political Notes]

China is building new coal-fired generators faster than the US and Europe are closing them.

Corp. rename butt of media jokes, UK [Richard Stallman's Political Notes]

A corporation that changed its name to "abrdn" claims to be entitled to certain kinds of human kindness that we think humans deserve. Corporations are not in fact persons, and they are not entitled to human rights or even human kindness.

I conjecture that the name "abrdn" was meant to acknowledge that large corporations are often a brdn on society, and to encourage regulating them more strictly ;-}.

Where the article comments on a matter of trademark law, it injects gratuitous confusion by using the propaganda overgeneralization of "the intellectual property" instead of the objective and concrete term, "the trademark".

Trademarks are nothing whatsoever like copyrights or patents or trade secrets — be careful never to generalize about all those laws.

22:28

Link [Scripting News]

Anton Zuiker is the first Drummer user with a FeedLand blogroll.

22:21

Fedora intends to fully embrace “AI”, but doesn’t address sourcing or its environmental impact [OSnews]

All weekend, I’ve been mulling over a recent blog post by Fedora Project Leader Matthew Miller, which he wrote and published on behalf of the Fedora Council. Fedora (the KDE version) is my distribution of choice, I love using it, and I consider it the best distribution for desktop use, and not by a close margin either. As such, reading a blog post in which Fedora is announcing plans to make extensive use of “AI” was bound to make me feel a little uneasy.

Miller states – correctly – that the “AI” space as it stands right now is dominated so much by hyperbole and over-the-top nonsense that it’s hard to judge the various technologies underpinning “AI” on merit alone. He continues that he believes that stripped of all the hyperbole and techbro bullshit, there’s “something significant, powerful”, and he wants to make “Fedora Linux the best community platform for AI”.

So, what exactly does that look like?

In addition to the big showy LLM-based tools for chat and code generation, these advances have brought big jumps for more tailored tasks: for translation, file search, home automation, and especially for accessibility (already a key part of our strategy). For example, open source speech synthesis has long lagged behind proprietary options. Now, what we have in Fedora is not even close to the realism, nuance, and flexibility of AI-generated speech.

↫ Matthew Miller

Some of these are things we can all agree are important and worthwhile, but lacking on the Linux desktop. If we can make use of technologies labelled as “AI” to improve, say, text-to-speech on Linux for those who require it for accessibility reasons, that’s universally a great thing. Translation, too, is, at its core, a form of accessibility, and if we can improve machine translations so that people who, for instance, don’t speak English gain more access to English content, or if we can make the vast libraries of knowledge locked into foreign languages accessible to more people, that’s all good news.

However, Fedora aims to take its use of “AI” even further, and wants to start using it in the process of developing, making, and distributing Fedora. This is where more and more red flags are starting to pop up for me, because I don’t feel like the processes and tasks they want to inject “AI” into are the kinds of processes and tasks where you want humans taken out of the equation.

We can use AI/ML as part of making the Fedora Linux OS. New tools could help with package automation and bug triage. They could note anomalies in test results and logs, maybe even help identify potential security issues. We can also create infrastructure-level features for our users. For example, package update descriptions aren’t usually very meaningful. We could automatically generate concise summaries of what’s new in each system update — not just for each package, but highlighting what’s important in the whole set, including upstream change information as well.

↫ Matthew Miller

Even the tools built atop billions and billions of euros of investments by Microsoft, Google, OpenAI, Facebook, and similar juggernauts are not exactly good at what they’re supposed to do, and suck at even the most basic of tasks of providing answers to simple questions. They lie, they make stuff up, they bug out and produce nonsense, they’re racist, and so on. I don’t want any of that garbage near the process of making and updating the operating system I rely on every day.

Miller laments how “AI” is currently a closed-source, black box affair, which obviously doesn’t align with Fedora’s values and goals. He doesn’t actually explain how Fedora’s use of “AI” is going to address this. They’re going to have to find ethical, open source models that are also of high quality, and that’s a lot easier said than done. Sourcing doesn’t even get a single mention in this blog post, even though I’m fairly sure that’s one of the two major issues many of us have with the current crop of “AI” tools.

The blog post also completely neglects to mention the environmental cost of training these “AI” tools. It costs an insane amount of electricity to train these new tools, and with climate change ever accelerating and the destruction of our environment visible all around us, not mentioning this problem when you’re leading a project like Fedora seems disingenuous at best, and malicious at worst.

While using “AI” to improve accessibility tools in Fedora and the wider Linux world is laudable, some of the other intended targets seem more worrisome, especially when you take into account that the blog post makes no mention of the two single biggest problems with “AI”: sourcing, and its environmental impact. If Fedora truly intends to fully embrace “AI”, it’s going to have to address these two problems first, because otherwise they’re just trying to latch onto the hype without really understanding the cost.

And that’s not something I want to hear from the leaders of my Linux distribution.

Framework’s software and firmware have been a mess, but it’s working on them [OSnews]

Framework puts a lot of effort into making its hardware easy to fix and upgrade and into making sure that hardware can stay useful down the line when it’s been replaced by something newer. But supporting that kind of reuse and recycling works best when paired with long-term software and firmware support, and on that front, Framework has been falling short.

Framework will need to step up its game, especially if it wants to sell more laptops to businesses—a lucrative slice of the PC industry that Framework is actively courting. By this summer or fall, we’ll have some idea of whether its efforts are succeeding.

↫ Andrew Cunningham at Ars Technica

A very painful read, and I’m disappointed to learn that the software support from Framework has been so lacklustre – or non-existent, to be more accurate. Leaving several security vulnerabilities in firmware unpatched is a disgrace, and puts users at risk, while promising but not delivering updates that will unlock faster Thunderbolt speeds is just shitty. They have to do better, especially since their pitch is all about repairability and longevity.

This article has made me more wary of spending any money on Framework – not that I have the money for a new laptop, because reasons – and I feel more people will feel this way after reading this.

Radxa ROCK 5 ITX: a first look [OSnews]

A couple of weeks ago I wrote about the ROCK 5 ITX coming soon and since then, samples of the Rockchip RK3588-based Radxa ROCK 5 ITX have been landing on doorsteps (or service points, screw you, UPS) of a lucky group of people and somehow I was one of those, so here’s a first look at Radxa’s latest Single Board Computer in a Mini ITX form-factor!

It’s going to be a photo-heavy post and I make no apologies for that, it’s a very nice-looking PCB, with the black and gold colour scheme looking very stylish. I imagine that was a very conscious decision seeing as, as expected, they’re marketing this as a low-power desktop option and you probably don’t want a plain Jane motherboard taking pride of place in your new system, right?

↫ Bret Weber

Now this – this, my friends, is exactly what the doctor ordered. I can’t wait for standard ATX motherboards sporting ARM processors to become more common and readily available, hopefully standardised better than what we’re used to from the ARM world. I want my next (non-gaming) machines to be ARM-powered, and that means we’re going to need more of these ATX ARM boards, spanning wider performance levels.

22:07

GNU Taler v0.10 released [Planet GNU]

We are happy to announce the release of GNU Taler v0.10.

21:00

The Pittsburgh Stealers [Penny Arcade]

In the modern era of course, Gabe is a petrol-huffing speed demon. In Wheel Saint, he made me anodize his filthy carnography with a Catholoid sheen. But even if we weren't obsessives in the past, we usually kept up with the big franchises because there was a lot of fun metaphors they could bang into unique gameplay. Burnout is the, I don't know… racing platformer, I guess? Need for Speed: Hot Pursuit was a really fun version of tag. We grabbed The Crew back in the day, sometimes called a "CaRPG," and Ubisoft allowed it to live and breathe and develop a unique audience. An audience they would scourge at the beginning of the month by seizing access to the game they bought.

20:14

CJPA news link tax [Richard Stallman's Political Notes]

Google is testing a response to California's "news link tax", which is to remove all news links from what users post on Google platforms.

I see this as a counterattack rather than as a compelled reaction. But it is a fact that nothing can stop Google from retaliating this way. Whether Google's claims are right that the tax encourages further concentration and hollowing out of the newspaper business, I don't know.

The article talks about possible "better alternative" in a vague way, and I have no idea what Google means to suggest. But I do have a suggestion.

Adopt a tax on web sites that display advertising and allow users to post their own messages. The tax should be based on the amount of usage and/or the amount of advertising. The money should be distributed to news organizations in a way that does not depend on who does or does not post links to them. This way, Google and other platforms could not evade the tax by counterattacking.

US military drones [Richard Stallman's Political Notes]

Reportedly US military drones have proved unreliable in Ukraine, so Ukraine is buying commercial Chinese drones (and spare parts), which work better.

Peer review corruption [Richard Stallman's Political Notes]

There is evidence that peer reviewers are using bullshit generators (chatbots) to generate evaluations of submitted papers.

Since those programs don't really understand the articles that are being reviewed, or the subject that those are about, this is asking for error.

Please don't call those programs "AI"!

Pro-Putin far right [Richard Stallman's Political Notes]

*The pro-Putin far right is on the march across Europe — and it could spell tragedy for Ukraine.*

Aid not reaching Gaza [Richard Stallman's Political Notes]

Israel promised to allow more aid into Gaza, but it has not really done that. Famine has started.

Israel said it would allow aid into Gaza from the north, but instead of doing this using the existing crossing, it has decided to build a new crossing first. That's as absurd as extinguishing a life-threatening urban fire by ordering a new fire engine and waiting for it to arrive.

However, there seem to be other impediments to distributing aid inside Gaza once it gets across the border.

Perhaps these are not directly Israel's doing, but they are consequences of Israel's actions. I can imagine that truck owners don't want to risk that their trucks be destroyed by Israeli drones, and drivers don't want to risk getting killed that way.

20:00

GestureX: control your Linux machine with hand gestures [OSnews]

GestureX enables you to control your Linux PC using hand gestures. You can assign specific commands or functionalities to different hand gestures, allowing for hands-free interaction with your computer.

↫ GestureX GitHub page

I personally see no use for any of this, but I’m sure there are some interesting accessibility uses for technology like this, which in and of itself make it a worthwhile endeavour to work on. Do note, though, that this is all beta, so there’s bound to be issues.

Apple’s mysterious fisheye projection [OSnews]

If you’ve read my first post about Spatial Video, the second about Encoding Spatial Video, or if you’ve used my command-line tool, you may recall a mention of Apple’s mysterious “fisheye” projection format. Mysterious because they’ve documented a CMProjectionType.fisheye enumeration with no elaboration, they stream their immersive Apple TV+ videos in this format, yet they’ve provided no method to produce or playback third-party content using this projection type.

Additionally, the format is undocumented, they haven’t responded to an open question on the Apple Discussion Forums asking for more detail, and they didn’t cover it in their WWDC23 sessions. As someone who has experience in this area – and a relentless curiosity – I’ve spent time digging-in to Apple’s fisheye projection format, and this post shares what I’ve learned.

↫ Mike Swanson

There is just so much cool technology crammed into the Vision Pro, from the crazy displays down to, apparently, the encoding format for spatial video. Too bad Apple seems to have forgotten that a technology is not a product, as even the most ardent Apple supporters – like John Gruber, or the hosts of ATP – have stated their Vision Pro devices are lying unused, collecting dust, just months after launch.

The Top 36 Events in Seattle This Week: Apr 15-21 2024 [The Stranger]

Chastity Belt, Record Store Day, and More Top Picks
by EverOut Staff

Clear your calendar: With events like Record Store Day 2024 and 4/20 festivities like 4/20's Eve Eve Comedy Show feat. Stoner Chicks Improv and Reefer Madness (1936) and Stoned Shorts on 16mm around the corner, this week is sure to be packed. We've gathered those, plus more of the best things to do, from Sasha taqʷšəblu LaPointe with Tayi Tibble — 'Thunder Song: Essays' to Chastity Belt.

TUESDAY READINGS & TALKS

Sasha taqʷšəblu LaPointe with Tayi Tibble — 'Thunder Song: Essays'
With just a handful of pages to go in Thunder Song, a series of essays from award-winning Coast Salish author Sasha taqwšəblu LaPointe, LaPointe asks her reader, “Are you listening yet?” She breaks the fourth wall, but she isn’t speaking for just herself. With poignant essays that center her own experiences, the Coast Salish landscapes, livelihoods, and people who were lost to colonialism—while unapologetically celebrating those who survive—LaPointe sees herself preventing Indigenous erasure in multigenerational company. She traces the ongoing struggle from Chief Seattle, to her great-grandmother and namesake, Upper Skagit elder Vi taqwšəblu Hilbert, to herself. Read more in our interview with LaPointe here and then see her Tuesday night at Third Place Books Lake Forest Park in conversation with poet Tayi Tibble. STRANGER CONTRIBUTOR ADAM WILLEMS
(Third Place Books Lake Forest Park, free)

19:14

Better, Stronger, Faster [The Stranger]

The Seattle Repertory Jazz Orchestra will perform “SRJO Plays Blues and the Abstract Truth” at Benaroya Hall Saturday, April 20, at 7:30 pm. by Charles Mudede

Let’s begin with The Six Million Dollar Man. The TV show ran from 1973 to 1978. The star, Lee Majors, played an astronaut who, after his body is damaged in the crash of a test plane/spaceship, is transformed, with the top technology of the day, into a cyborg: part human but mostly wires, circuits, metal gears, and synthetic skin. The operation cost $6 million (roughly equal to $40 million in today’s money). The opening for the show is just mesmerizing.

After the test craft hits the ground and explodes, an off-camera narrator, Oscar Goldman, speaks to the members of a secret government agency with the deepest pockets. He says: “Gentlemen, we can rebuild him. We have the technology. We have the capability to make the world’s first bionic man. Steve Austin will be that man. Better than he was before. Better… stronger… faster.” At the last word, the show’s theme erupts into accelerating bongos, whirling and blasting horns, and a hard-funk bass line. By the end of the sequence, you are sold. Indeed, the show could never be as good as that opening: Lee Majors’s fast-motion running to a funky beat. It has to be downhill from there. But no matter. All of the garbage in the show had nothing on the music, which was written and produced by one of jazz’s greatest intellectuals, Oliver Nelson.

This arranger, composer, conductor, and saxophonist also made, in 1961, the jazz classic The Blues and the Abstract Truth, a work that is everything that The Six Million Dollar Man theme is not. It is not the kind of music that can capture the incredible speed of a human/machine. Its structure, pace switches, and harmonic innovations are too heady for that sort of entertainment. Here we are presented with the art of a highly educated musician.

In the late ‘50s, Nelson studied composition and music theory at universities in his hometown, St. Louis, Missouri. (He also studied, according to an article on JazzProfiles, “taxidermy and embalming” because his family was “in the funeral home business.”) A few years after obtaining a master’s degree in music, Nelson released his first masterpiece, The Blues and the Abstract Truth, which featured some of the best jazz musicians of the time—Freddie Hubbard, Eric Dolphy, Bill Evans, and Paul Chambers—and contained the definitive version of Nelson’s most famous piece of music, “Stolen Moments.” After that work, his future in the funeral business closed permanently. The rest of his life, which was tragically short (a heart attack killed him at the age of 43), was devoted to writing, conducting, and arranging music during jazz’s modern period (the 1960s) and composing scores for movies and TV shows. Had he lived a long life, there is no doubt that his name would be as recognizable, as mainstream as Quincy Jones.

“You know, I just love Blues and the Abstract Truth, I just love the way it bounces around to different meters and the angularity of the melody, and the sound of the ensemble—all of these things appeal to me greatly,” says Michael Brockman, the artistic director of Seattle Repertory Jazz Orchestra (SRJO). We are on the phone. We are talking about the orchestra’s upcoming tribute to Oliver Nelson, “SRJO Plays Blues and the Abstract Truth.” A few moments before, Brockman, who founded SRJO with Clarence Acox in 1995, said Nelson is one of “the leading icons in the history of jazz. And, in the jazz industry, he’s recognized as one of the people who established the art form into something composers could take part in.” SRJO is primarily devoted to the work of composers—”Charles Mingus, Gil Evans, Thelonious Monk... and of course, Count Basie and Duke Ellington.”

Indeed, one of the best musical shows I experienced last year was “SRJO Plays Charles Mingus.” It happened on February 11 at Benaroya Hall. The players, many of whom will be on the stage for “SRJO Plays Blues and the Abstract Truth,” were just in top form. Mingus had a spirit that was as huge as it was singular. For musicians, even our city’s best ones (Randy Halberstadt, D’Vonne Lewis, Kate Olson, Jay Thomas), to successfully capture that singularity and even revisit the extraordinary expansiveness of the composer was nothing less than remarkable. The performance made it very clear to me that SRJO is not just one of our city’s core jazz institutions but one of its most vital art institutions. 

“For the [“SRJO Plays Blues and the Abstract Truth”] show, we’re going to do most of the pieces from the original album [The Blues and the Abstract Truth] and the second album [More Blues and the Abstract Truth],” says Brockman near the end of the interview. “So we’ll do ‘Stolen Moments,’ ‘Hoe-Down,’ and ‘Cascades.’ I’m still considering whether to do the entire [first] album or draw from music from his other records, but we will definitely play Blues and the Abstract Truth.”

But what about the theme for The Six Million Dollar Man? He does not answer the question because he never heard it; it never left my mind. The Blues and the Abstract Truth is for this great orchestra; the theme for the battery-charged android is for me and my American childhood.

The Seattle Repertory Jazz Orchestra will perform “SRJO Plays Blues and the Abstract Truth” at Benaroya Hall Saturday, April 20, at 7:30 pm. Tickets are available at srjo.org.


18:42

Ubisoft Is On Drugs [Penny Arcade]

There is no universe in which I purchase the new Ubisoft Star Wars game for $70 much less $200 now that they just delete games you bought from your library. This is especially frustrating considering I’ve been playing a lot of old games recently, specifically racing ones. Going back and playing these decade old games made me realize how much I dislike the new “festival” design for these sorts of racers. The Crew Motorfest and Horizon both want me to believe that I’m participating in some kind of sanctioned event and compared to games like NFS or even the original Crew it’s just super boring. I’m having a blast with NFS Payback and NFS 2015 right now which sadly is another of these Always Online games meaning that EA could pull the plug on it at anypoint. It’s wild because they still look and play better than many modern racing games. Just because a game is 10 years old doesn’t mean it’s no good anymore especially when you look at the current state of triple A games. 


18:21

OpenSSF and OpenJS warn about social-engineering attacks [LWN.net]

The Open Source Security Foundation and the OpenJS Foundation have jointly posted a warning about XZ-like social-engineering attacks after OpenJS was seemingly targeted.

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to "address any critical vulnerabilities," yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement.

17:42

What were the tax consequences of letting Windows 95 team members keep a piece of software as long as they tested it? [The Old New Thing]

Every so often, somebody rediscovers my story of buying an entire Egghead Software store. One question that comes up is the issue of taxes. (You can never avoid taxes. Taxes are due today for most people in the United States.)

If the employees were allowed to keep the software provided they tested the program and filed bugs against it, did that count as work compensation that became taxable income?

The thing is, nobody ever checked whether you tested the program you took, and it was obvious to everybody participating in the activity, seeing as you just picked up the software and walked out of the room without filling out any paperwork. You were assumed to be a well-meaning member of the team who wouldn’t show up for an activity without any intention of doing it. The expectation that you test the program was just that: An expectation. It wasn’t a condition.

My understanding is that this makes the software count as a gift that falls under the de minimis rule of the United States tax code. This was a one-time thing, so the frequency criterion is met. The value of the software was well under $100, so that requirement was met. And since nobody actually kept track of who took which software, the administrative impracticality requirement was also satisfied.

But really, this was just a development manager taking it upon himself to do some unconventional application compatibility test coverage and to instill camaraderie at the same time.

Bonus chatter: During one of the many iterations of this story being retold, someone remarked that they got a copy of the video game Wing Commander III through this exercise. I immediately remembered that they fulfilled their expectation by filing a bug against Windows 95: When you earned the cloaking device on level 58 or something, you couldn’t activate it.

Fortunately, they provided a save-game at level 58, so I didn’t have to play all the way to level 58 by myself.

The problem was that the hotkey for activating the cloaking device was Ctrl+C, and that conflicted with the use of Ctrl+C to cancel an active clipboard paste operation into an MS-DOS session. Normally, Windows 95 realized that there was no paste operation active and replayed the hotkey into the MS-DOS session. However, the replay of the hotkey was apparently too fast for this game to recognize, so it never activated the cloaking device.

I fixed it by changing Windows 95 so that it installed the Ctrl+C hotkey handler only when a clipboard paste operation was active, and removed it when the paste operation completed. That way, when you hit it outside of a paste operation, the keys were visible to the game at human speeds, and this allowed it to engage the cloaking device.

The post What were the tax consequences of letting Windows 95 team members keep a piece of software as long as they tested it? appeared first on The Old New Thing.

Andreas Rönnquist: Status update for Allegro packaging in Debian [Planet Debian]

I have mailed to a Debian bug on allegro4.4 describing my reasoning
regarding the allegro libraries – in short, allegro4.4 is pretty much
dead upstream, and my interest was basically to keep alex4 (which is
cool) in Debian, but since it migrated to non-free, my interest in
allegro4.4 has waned. So, if anybody would like to still see allegro4.4
in Debian, please step up now and help out. Since it is dead upstream,
my reasoning is that it is better to remove it from Debian if no
maintainer who wants to help steps up.

Previously Tobias Hansen has helped out, but now it is 8 (!) years
since his last upload of either package. (Please don’t interpret this as
judgement, I am very happy for the help he has provided and all the
work he has done on the packages).

Allegro5 is another deal – still active upstream, and I have kept it up
to date in Debian, and while I have held the latest upload a short while
because of the time_t transition, it will come sooner or later – there
I am also waiting on a final decision on this bug from upstream. Other than
that allegro 5 is in a very good state, and I will keep maintaining it
as long as I can. But help would of course be appreciated on allegro5
too.

Slog AM: SPD Cop Who Killed Pedestrian Had "Checkered Past," Trump Arrives at Criminal Trial, Iran Launches Missiles at Israel [The Stranger]

The Stranger's morning news roundup. by Nathalie Graham

SPD hired cop knowing his "checkered past:" The cop, Kevin Dave, who struck and killed 23-year-old pedestrian Jaahnavi Kandula last year while going 74 miles per hour, had a history of bad behavior and reckless driving when he worked at the Tucson Police Department. The agency fired Dave in 2013. According to PubliCola, Dave was the subject of six investigations while at TPD, including two collisions (one deemed "preventable"), two regarding firearm use, one about filing a police report incorrectly, and one for violating code of conduct standards.

Even more disturbing: Eight months after TPD fired him, officers had a run-in with a likely intoxicated Dave. When he encountered the officers, he sped away in his truck and then stashed it away in an alley. When cops confronted him, he said he hadn't been driving the truck. TPD officers described Dave as "belligerent" during their interaction, and "Dave blamed TPD for his inability to get a job at other police departments," PubliCola reports. The Seattle Police Department later hired Dave with a $15,000 signing bonus contingent upon him staying with the department for three years. Dave killed Kandula "less than two and a half years" into his role. He is still employed with SPD. 

Huge news: The sun will set at 8 pm tonight. We haven't had 8 pm sunsets since last August. Make sure you use the extra daylight for good, not evil. 

Today's weather will not be like Sunday's weather. It will be gray and 10 degrees colder. Hope is on the horizon, though. Sun will return and stick around for a big chunk of the week once we make it through today. 

While we saw phenomenal weather today, temperatures will tumble in the wake of a cold front tonight, dropping 10 degrees or so cooler Monday. Scattered showers will persist through much of the day across the Puget Sound region bringing light rainfall. 📉#WAwx pic.twitter.com/yzzKDQEgq8

— NWS Seattle (@NWSSeattle) April 15, 2024

Fire destroys historic Snoqualmie building: A fire in downtown Snoqualmie early Sunday morning decimated a historic building and the businesses it housed. The impacted businesses were Snoqualmie Ice Cream, Chickadee Bakery, Snoqualmie Pie Company, and Littlest Wishes Photography. 

Dog hell: Mason County authorities found way too many animals inside a Grapeview, Washington home. They found 67 dogs ("Shepherds, Pyrenees, Poodles, Chihuahuas, Dachshunds, lots of Huskies," according to KING 5), one horse, and a dead horse. Eight of the dogs were in critical condition. "I can't understand how someone accumulates so many dogs," the executive director of the Humane Society of Mason County said. That is simply too many dogs for my taste, and too many dead horses. 

Amazon sued for selling deadly chemical: Fifteen people died by suicide between 2020 and 2022 after consuming a chemical used as a food preservative or in medical lab settings. They all purchased the chemical on Amazon. The families of the deceased are now suing the e-commerce giant, claiming the product was mislabeled, that bad reviews warning of the product's lethal potential were deleted, and that the site reminded shoppers that the product was in the cart. According to the Seattle Times, "Amazon has argued in court documents that it can’t be held responsible for how its customers use its products." The company claims a ruling against it in this case would have "far-reaching and untenable consequences" for all online retailers.

Trump's hush money trial starts today: Donald Trump arrived in court in Manhattan for jury selection in the Stormy Daniels hush-money case. Prosecutors will argue the payment was a form of election interference. He is the first former president to stand trial for criminal charges. Isn't history fun?

Trump played the politically persecuted victim in comments he made upon his arrival:

"This is political persecution" Trump speaks ahead of historical criminal trial. pic.twitter.com/2UnuwSeIYL

— Morning Joe (@Morning_Joe) April 15, 2024

A look at outside the courtroom: Now this is the wacky shit I want to see. 

Let the circus begin#TrumpTrial pic.twitter.com/a1polqpkjg

— marco congiu (@marcocongiu) April 15, 2024

Iran launched missiles at Israel: On Saturday, Iran launched "hundreds of drones, ballistic missiles, and cruise missiles" at Israel two weeks after a suspected Israeli attack in Syria killed two Iranian generals. Israel said 99% of the missiles were intercepted. This is Iran's first direct military assault on Israel despite decades of tension between the two countries. The United Nations is urging Israel not to retaliate.

Don't worry, SPD is on the case: In a blog post, the Seattle Police Department announced it was "closely monitoring [the] conflict between Israel and Iran."

Criminal investigation launched in bridge collapse case: The FBI and the US Coast Guard are launching a federal criminal investigation into the collapse of Baltimore's Francis Scott Key Bridge last month. The probe will center on the cargo ship that crashed into the bridge and sent it tumbling down. Specifically, authorities are looking into whether the vessel's crew failed to report earlier issues with the ship.

Layoffs at Tesla: Tesla is laying off 10% of its global workforce. CEO Elon Musk stated in a memo that the cuts were a needed step before the company's "next phase of growth." However, Tesla sales are down. For the first time since 2020, the electric car company reported an annual decline in vehicle deliveries.

Stabbing at Sydney mall: A 40-year-old man went on a stabbing rampage in Australia on Saturday. He killed five women and one male security guard before he was shot dead. Authorities say he "clearly" targeted women in his attack. The perpetrator's father said his son, who he described as mentally ill and very sick, targeted women because "he wanted a girlfriend and he's got no social skills and he was frustrated out of his brain." For all the sad, angry men out there: Women are not responsible for your loneliness, we do not owe you anything, please stop murdering us.

A little duet for your Monday: Lana Del Rey and Billie Eilish crooned Del Rey's song, "Video Games" at Coachella this weekend. 

Billie Eilish joins Lana Del Rey at #Coachella to perform “Video Games.” pic.twitter.com/GwqYGhkQLt

— IndieWire (@IndieWire) April 13, 2024

17:07

Wakey Wakey – DORK TOWER 15.04.245 [Dork Tower]

This or any DORK TOWER strip is now available as a signed, high-quality print!  JUST CLICK HERE!

Help keep DORK TOWER going  – join the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have cookies!)

16:49

Crickets from Chirp Systems in Smart Lock Key Leak [Krebs on Security]

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.

“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”

Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
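The weakness Brown describes, credentials and private key strings left in shipped app files, is the kind of thing a developer or reviewer can catch before release by scanning decompiled or pre-build resources. The following is an added example written for this page, not Brown's tooling and not anything from Chirp's or August's code; the file contents it scans are constructed placeholders.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample of what decompiled Android app files can look like.
# Every value here is a made-up placeholder, not a real credential.
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">ExampleLockApp</string>
    <string name="lock_api_password">hunter2-example-not-real</string>
</resources>""",
    "com/example/lock/ApiClient.java": """public class ApiClient {
    private static final String API_KEY = "EXAMPLE_PLACEHOLDER_KEY_0123456789abcdef";
    private static final String PRIVATE_KEY =
        "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA...\\n-----END RSA PRIVATE KEY-----";
    private static final String ENDPOINT = "https://api.example.invalid/v1/locks";
}""",
}

# Identifier fragments that suggest a secret. Deliberately no word boundaries,
# so names like lock_api_password or API_KEY match; expect some false positives
# (e.g. "tokenizer"), which a human review then discards.
SECRET_NAME = re.compile(r"password|passwd|secret|api[_-]?key|private[_-]?key|token", re.I)
# A PEM private key block embedded anywhere is a finding regardless of its name.
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Android resource strings: <string name="...">value</string>
STRING_XML = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]+)</string>')
# Java/Kotlin/Smali-style assignments of a string literal: NAME = "value"
ASSIGN = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

SCAN_SUFFIXES = (".xml", ".java", ".kt", ".smali", ".json", ".properties")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    name: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that carries a hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_BLOCK.search(line):
            findings.append(Finding(path, lineno, "pem-private-key", "<inline>"))
            continue
        for m in STRING_XML.finditer(line):
            name, value = m.group(1), m.group(2)
            if SECRET_NAME.search(name) and value.strip():
                findings.append(Finding(path, lineno, "resource-string", name))
        for m in ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            if SECRET_NAME.search(name) and value.strip():
                findings.append(Finding(path, lineno, "string-literal", name))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, e.g. the SAMPLE_FILES above."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Walk a directory of decompiled output (e.g. apktool/jadx output) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(SCAN_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    # Run against the constructed sample; pass a directory path to scan real output.
    import sys
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} ({f.name})")
```

The same scan belongs in CI on the app's own source tree, so a key never reaches a build in the first place; a finding in the decompiled APK means it already shipped.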

Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.

A smart lock enabled with Chirp. Image: Camdenliving.com

Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.

Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.

Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.

Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”

“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”

In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market and found that it “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”

“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”

Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.

In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.

16:21

A blogroll on a Drummer blog [Scripting News]

How to add a FeedLand blogroll to a Drummer blog.

  • You must have a Drummer blog and a FeedLand account.
  • You can specify that all the feeds you're subscribed to are in your blogroll or use a category and only feeds in that category will be in the blogroll.
  • The blogroll updates automatically, when one of the feeds has a new post, it goes to the top of the list.
  • You can expand a feed to see the five most recent items. Click on the pubdate to go to the full item on the web.
  • It supports keyboard navigation. Up and down arrows move through the list, Return to expand/collapse.
  • We're working on a WordPress plugin.

Four head-level attributes in your blog.opml file. Only one required.

  • blogrollUsername -- required
  • blogrollServer -- optional, if not specified it's feedland.com
  • blogrollCategory -- optional
  • blogrollTitle -- optional, but you really should provide a title, otherwise we invent a silly one for you. 😄

Screen shot of how the head-level attributes are set on Bull Mancuso's blog.

Screen shot of the blog itself with the blogroll.

A link to Bull's blogroll category on feedland.com.

A place to ask questions, offer kudos, etc. 😄

PS: I'm not trying to sell you on using Drummer to run a blog. Rather I needed a place to figure out how this works, so we know how to set up and document the WordPress plugin.

16:07

[$] Cleaning up after BPF exceptions [LWN.net]

Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF since mid-2023. In July, Dwivedi posted the first patch set in this effort, which adds support for basic stack unwinding. In February 2024, he posted the second patch set aimed at letting the kernel release resources held by the BPF program when an exception occurs. This makes exceptions usable in many more contexts.

15:21

Security updates for Monday [LWN.net]

Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).

Why good external SSDs are faster with Apple silicon [OSnews]

After several days testing the latest Express 1M2 enclosure from OWC, I have changed my recommendations for the best external SSDs. Previously I had chosen the relatively reliable Thunderbolt 3 up to 3 GB/s, even though few drives ever seemed capable of achieving that up to. If you’re still needing good performance with an Intel Mac, that makes sense.

But if you need best performance with an Apple silicon Mac, you’re far better off with a high-quality USB 40Gbps enclosure such as OWC’s Express 1M2, which should reliably return over 3 GB/s even through a compatible hub. I much prefer the word over to up to.

↫ Howard Oakley

If you have an Apple Silicon Mac, and you’re looking for an external drive – this is some good advice to follow.

14:35

Pluralistic: How to screw up a whistleblower law (15 Apr 2024) [Pluralistic: Daily links from Cory Doctorow]


Today's links



A proletarian-looking figure glowering from between rusty bars. In front of the bars is a capitalist-type guy in a top hat holding a huge money-sack emblazoned with a dollar-sign. He's shouting over his shoulder at the imprisoned prole. A whistle sits on the ledge of the cell bars.

How to screw up a whistleblower law (permalink)

Corporate crime is notoriously underpoliced and underprosecuted. Mostly, that's because we just choose not to do anything about it. American corporations commit crimes at 20X the rate of real humans, and their crimes are far worse than any crime committed by a human, but they are almost never prosecuted:

https://pluralistic.net/2021/10/12/no-criminals-no-crimes/#get-out-of-jail-free-card

We can't even bear to utter the words "corporate crime": instead, we deploy a whole raft of euphemisms like "risk and compliance," and that ole fave, the trusty "white-collar crime":

https://pluralistic.net/2021/12/07/solar-panel-for-a-sex-machine/#a-single-proposition

The Biden DOJ promised it would be different, and they weren't kidding. The DOJ's antitrust division is kicking ass, doing more than the division has done in generations, really swinging for the fences:

https://pluralistic.net/2024/03/22/reality-distortion-field/#three-trillion-here-three-trillion-there-pretty-soon-youre-talking-real-money

Main Justice – the rest of the DOJ – promised that it would do the same. Deputy AG Lisa Monaco promised an end to those bullshit "deferred prosecution agreements" that let corporate America literally get away with murder. She promised to prosecute companies and individual executives. She promised a lot:

https://pluralistic.net/2024/03/22/reality-distortion-field/#three-trillion-here-three-trillion-there-pretty-soon-youre-talking-real-money

Was she serious? Well, it's not looking good. Monaco's number two guy, Benjamin Mizer, has a storied career – working for giant corporations, getting them off the hook when they commit eye-watering crimes:

https://prospect.org/justice/2024-04-09-reform-groups-lack-of-corporate-prosecutions-doj/

Biden's DOJ is arguably more tolerant of corporate crime than even Trump's Main Justice. In 2021, the DOJ brought just 90 cases – the worst year in a quarter-century. 2022's number was 99, and 2023 saw 119. Trump's DOJ did better than any of those numbers in two out of four years. And back in 2000, Justice was bringing more than 300 corporate criminal prosecutions.

Deputy AG Monaco just announced a new whistleblower bounty program: cash money for ratting out your crooked asshole co-worker or boss. Whistleblower bounties are among the most effective and cheapest way to bring criminal prosecutions against corporations. If you're a terrified underling who can't afford to lose your job after narcing out your boss, the bounty can outweigh the risk of industry-wide blacklisting. And if you're a crooked co-conspirator thinking about turning rat on your fellow criminal, the bounty can tempt you into solving the Prisoner's Dilemma in a way that sees the crime prosecuted.

So a new whistleblower bounty program is good. We like 'em. What's not to like?

Sorry, folks, I've got some bad news:

https://www.corporatecrimereporter.com/news/200/stephen-kohn-on-the-justice-department-plan-to-offer-whistleblower-awards/

As the whistleblower lawyer Stephen Kohn points out to Russell Mokhiber of Corporate Crime Reporter, Monaco's whistleblower bounty program has a glaring defect: it excludes "individuals who were involved with the crime." That means that the long-suffering secretary who printed the boss's crime memo and put it in the mail is shit out of luck – as is the CFO who's finally had enough of the CEO's dirty poker.

This is not how other whistleblower reward programs work: the SEC and CFTC whistleblower programs do not exclude people involved with the crime, and for good reason. They want to catch kingpins, not footsoldiers – and the best way to do that is to reward the whistleblower who turns on the boss.

This isn't a new idea! It's in the venerable False Claims Act, an act that was signed into law by President Abraham Lincoln. As Kohn says, making "accomplices" eligible to participate in whistleblower rewards is how you get people like his client, who relayed a bribe on behalf of his boss, to come forward. As Lincoln said in 1863, the purpose of a whistleblower law is to entice conspirators to turn on one another. Like Honest Abe said, "it takes a rogue to catch a rogue."

And – as Kohn says – we've designed these programs so that masterminds can't throw their minor lickspittles under the bus and collect a reward: "I know of no case where the person who planned or initiated the fraud under any of the reward laws ever got a dime."

Kohn points out that under Monaco, the DOJ just ignores the rule that affords anonymity to whistleblowers. That's a big omission – the SEC got 18,000 confidential claims in 2023. Those are claims that the DOJ can't afford to miss, given their abysmal, sub-Trump track record on corporate crime prosecutions.

(Image: Karen Neoh, CC BY 2.0; Robert Thivierge, CC BY-SA 2.0. modified)


Hey look at this (permalink)



A Wayback Machine banner.

This day in history (permalink)

#20yrsago Why national ID cards make us less safe https://www.schneier.com/essays/archives/2004/04/a_national_id_card_w.html

#20yrsago EFF guide to Gmail privacy https://web.archive.org/web/20040516090804/https://blogs.eff.org/deeplinks/archives/001425.php#001425

#20yrsago Stephenson’s money-centric interview on Wired News https://web.archive.org/web/20040510183726/http://www.wired.com/news/culture/0,1284,63050,00.html?tw=wn_tophead_1

#15yrsago Somali pirates versus European toxic-waste dumpers https://www.independent.co.uk/voices/commentators/johann-hari/johann-hari-you-are-being-lied-to-about-pirates-1225817.html

#15yrsago If you lose your Amazon account, your Kindle loses functionality https://www.mobileread.com/forums/showthread.php?t=44350&highlight=amazon+banning

#15yrsago Secretive US prisons hold “terrorists” including animal rights activists and people who gave to the wrong charity http://www.greenisthenewred.com/blog/communication-management-units-mcgowan/1747/

#15yrsago Amazon explains cataloging error that banished queer books to “adult” purgatory https://www.latimes.com/archives/blogs/technology-blog/story/2009-04-13/amazon-begins-to-re-rank-affected-adult-books-theories-swirl

#15yrsago Texas lawmaker: Chinese Americans should change names so “Americans” can handle them https://web.archive.org/web/20090410142836/https://thinkprogress.org/2009/04/09/brown-asian-names/

#15yrsago John McDaid’s “(Nothing But) Flowers”, sweet and haunting sf story https://web.archive.org/web/20090414052546/http://www.torvex.com/jmcdaid/node/984

#15yrsago Terrible anti-piracy ads from the past 15 years https://www.theguardian.com/media/pda/2009/apr/08/piracy-piracy

#10yrsago Study: American policy exclusively reflects desires of the rich; citizens’ groups largely irrelevant https://www.cambridge.org/core/journals/perspectives-on-politics/article/testing-theories-of-american-politics-elites-interest-groups-and-average-citizens/62327F513959D0A304D4893B382B992B

#10yrsago HOWTO buy your way out of a California speeding ticket https://priceonomics.com/can-you-buy-a-license-to-speed/

#10yrsago Japanese game-show asks celebs to eat household objects that may or may not be chocolates https://kotaku.com/can-you-tell-whats-chocolate-and-what-isnt-asks-japa-1496174116

#5yrsago The #ShellPapers: crowdsourcing analysis of all correspondence between Shell and the Dutch government https://www.ftm.nl/dossier/shell-papers

#5yrsago Air tanker drops are often useless for fighting wildfires, but politicians order them because they make good TV https://www.latimes.com/local/la-me-wildfires29-2008jul29-story.html

#5yrsago America today feels like the last days of the Soviet Union https://eand.co/how-american-collapse-resembles-soviet-collapse-94773b44fe17

#5yrsago EFF to Facebook: enforce your rules banning cops from creating sockpuppet accounts and be transparent when you catch cops doing it https://www.eff.org/deeplinks/2019/04/facebook-must-take-these-four-steps-counter-police-sock-puppets

#5yrsago Not just Apple: Microsoft has been quietly lobbying to kill Right to Repair bills https://medium.com/u-s-pirg/microsoft-named-as-stopping-right-to-repair-in-washington-b880bf4ad052

#5yrsago Silicon Valley’s techie uprisings reveal growing support for socialism in tech https://www.salon.com/2019/04/11/silicon-valley-once-a-bastion-of-libertarianism-sees-a-budding-socialist-movement/

#5yrsago Investors controlling $3B in Facebook stock demand Zuckerberg’s ouster, and they will lose https://www.businessinsider.com/facebook-investors-will-vote-to-oust-mark-zuckerberg-as-chairman-2019-4

#5yrsago Starz abuses the DMCA to remove EFF’s tweet about Starz abusing the DMCA https://www.eff.org/deeplinks/2019/04/effs-tweet-about-overzealous-dmca-takedown-now-subject-overzealous-takedown

#5yrsago RIP, science fiction and fantasy Grand Master Gene Wolfe, 1931-2019 https://reactormag.com/gene-wolfe-in-memoriam-1931-2019/

#5yrsago Leaked, “highly classified” French report shows that the slaughter in Yemen depends on US support https://theintercept.com/2019/04/15/saudi-weapons-yemen-us-france/

#1yrago SVB bailouts for everyone – except affordable housing projects https://pluralistic.net/2023/04/15/socialism-for-the-rich/#rugged-individualism-for-the-poor


Upcoming appearances (permalink)





Recent appearances (permalink)




Latest books (permalink)




Upcoming books (permalink)

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025
  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon (permalink)

Today's top sources:

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING
  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Capitalists Hate Capitalism https://craphound.com/news/2024/04/14/capitalists-hate-capitalism/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

13:42

CodeSOD: A Top Level Validator [The Daily WTF]

As oft stated, the specification governing email addresses is complicated, and isn't really well suited to regular expressions. You can get there, but honestly, most applications can get away with checking for something that looks vaguely email-like and calling it a day.

Now, as complicated as the "accurate" regex can get, we can certainly find worse regexes for validating emails. Morgan did, while on a contract.

The client side had this lovely regex for validating emails:

/*
Check if a string is in valid email format.
Returns true if valid, false otherwise.
*/
function isEmail(str)
{
        var regex = /^[-_.a-z0-9]+@(([-_a-z0-9]+\.)+(ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|com|coop|cr|cs|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg|eh|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gh|gi|gl|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|in|info|int|io|iq|ir|is|it|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mil|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no|np|nr|nt|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)|(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5]))$/i;
        return regex.test(str);
}

They check a long list of TLDs to ensure that the email address is potentially valid, or else accept a dotted-quad IP address in place of the domain. Is the list exhaustive? Of course not. There are loads of TLDs not on this list: perhaps not widely used ones, but it's incomplete. And also, unnecessary.

But not so unnecessary that they didn't do it twice: they mirrored this code on the server side, in PHP:

function isEmail($email)
{
        return(preg_match("/^[-_.[:alnum:]]+@((([[:alnum:]]|[[:alnum:]][[:alnum:]-]*[[:alnum:]])\.)+(ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|com|coop|cr|cs|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg|eh|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gh|gi|gl|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|in|info|int|io|iq|ir|is|it|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mil|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no|np|nr|nt|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)$|(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5]))$/i"
                        ,$email));
}

Bad code is even better when you have to maintain it in two places and in two languages. I suppose I should just be happy that they're doing some kind of server-side validation.
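As an added example (not code from the article, nor from Morgan's client), the JavaScript below puts a parameterised allowlist check, mirroring the shape of the regex above but with a small constructed TLD subset, next to a loose syntactic check with the RFC 5321 length limits. It shows the practical problem with a hardcoded list: an address under a TLD that did not exist when the list was written is rejected outright, while the loose check accepts it and, unlike the allowlist regex, also rejects an over-long local part. The sample addresses and the allowlist contents are constructed for the demonstration.

```javascript
// Added example, not code from the Daily WTF article or Morgan's client.
// Contrast the article's TLD-allowlist approach with a loose syntactic check.

// Constructed subset of TLDs, standing in for the article's long list. Any
// hardcoded list ages the same way: TLDs added later are simply rejected.
const SAMPLE_TLD_ALLOWLIST = new Set(["com", "net", "org", "edu", "gov", "io", "uk", "de"]);

// Mirrors the shape of the article's regex (local@labels.tld with the TLD
// checked against a fixed list). The article's version additionally accepts
// a dotted-quad IP in place of the domain; that branch is omitted here.
function isEmailWithTldAllowlist(str, allowlist = SAMPLE_TLD_ALLOWLIST) {
  if (typeof str !== "string") return false;
  const m = /^[-_.a-z0-9]+@((?:[-_a-z0-9]+\.)+)([a-z]+)$/i.exec(str);
  if (!m) return false;
  return allowlist.has(m[2].toLowerCase());
}

// Loose check: exactly one '@', no whitespace, a dot somewhere in the domain,
// every DNS label 1..63 characters, and the RFC 5321 limits of 64 characters
// for the local part and 254 for the whole address.
function isEmailLoose(str) {
  if (typeof str !== "string" || str.length > 254) return false;
  const m = /^([^\s@]+)@([^\s@]+\.[^\s@]+)$/.exec(str);
  if (!m) return false;
  const [, local, domain] = m;
  if (local.length > 64) return false;
  return domain.split(".").every((label) => label.length >= 1 && label.length <= 63);
}

// Run both validators over a list of addresses and report where they disagree.
function compareValidators(addresses) {
  return addresses.map((address) => ({
    address,
    allowlist: isEmailWithTldAllowlist(address),
    loose: isEmailLoose(address),
  }));
}

// Constructed sample input for the demonstration.
const SAMPLE_ADDRESSES = [
  "alice@example.com",          // both accept
  "bob@example.dev",            // valid today, rejected by the allowlist
  "carol@sub.example.co.uk",    // multi-label domain, both accept
  "x".repeat(65) + "@example.com", // over-long local part: allowlist accepts, loose rejects
  "a@@b.com",                   // both reject
  "not an email",               // both reject
];

for (const row of compareValidators(SAMPLE_ADDRESSES)) {
  const verdict = row.allowlist === row.loose ? "agree" : "DISAGREE";
  console.log(`${verdict.padEnd(8)} allowlist=${row.allowlist} loose=${row.loose}  ${row.address}`);
}
```

Either way, the only check that proves an address is real is sending a confirmation message to it; the syntactic check exists to catch typos and junk input before a round trip, not to guarantee deliverability, so it should be loose enough not to turn away legitimate users.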


12:21

New Lattice Cryptanalytic Technique [Schneier on Security]

A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems.

A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms for lattice problems were discovered, but they turned out not being correct or only worked for simple special cases.”

Two, this is a quantum algorithm, which means that it has not been tested. There is a wide gulf between quantum algorithms in theory and in practice. And until we can actually code and test these algorithms, we should be suspicious of their speed and complexity claims.

And three, I am not surprised at all. We don’t have nearly enough analysis of lattice-based cryptosystems to be confident in their security.

11:42

Grrl Power #1249 – Meet the boyfriends [Grrl Power]

Hey babe, you didn’t say you were bringing the guy I’ve been having disjointed yet vivid sex dreams about. A little heads up would have helped avoid this awkward situation. But then, that’s what dating is about, isn’t it? A bunch of awkward stuff potentially followed by an entirely different kind of awkward stuff. Assuming the first set of awkwardness wasn’t too awkward and the threshold for proceeding to, let’s call it, advanced awkwardness, was met by both parties.

You might be tempted to assume from the above that my own personal dating history won’t become the inspiration for the next great romance novel.

. . .

Anyway, Frix is a pretty open minded guy and understands what Sydney went through, vis a vis borrowed memories. He’s just fronting for her benefit, which is scoring well if the gigglometer is registering correctly.


The new one is coming soon!

The new vote incentive is up! This is a bit of a weird one as it’s a character that hasn’t appeared in the comic.

It’s my Ifrit Pathfinder 1e monk, Fray! Ifrits don’t really make great monks in Pathfinder; as player characters they get a +2 to Dex and Cha, but -2 to Wis. For monks, Dex is good, Cha is largely irrelevant, but Wis is important as it can add to your AC and also has something to do with Ki points I think. But I didn’t care. I wanted a character with dark blue/gray skin and glowing orange hair, so that’s what I picked. (I don’t think Ifrit even really have dark skin, so maybe she’s 1/4 Drow? Don’t care. I think she looks cool.) Will she show up in the comic? I mean… maybe? Probably in a Dabbler flashback, but who knows?

As usual, Patreon has her in flagrante delicto.


Double res version will be posted over at Patreon. Feel free to contribute as much as you like.

10:28

Market pressure [Seth's Blog]

Every competitor faces pressure, and it varies by industry, consumer/investor segment and geography. This applies to services, products, ideas, organizations, jobs… whenever there’s a choice and a market. The pressure might push you to be:

  • Cheaper
  • Simpler
  • Dumber
  • More short term
  • Easier
  • Coarse
  • More convenient
  • Hyped

But it’s also possible to choose a marketplace that rewards:

  • Durability
  • Difficulty
  • Elegant design
  • Resilience
  • Thoughtfulness
  • Higher performance and efficiency
  • Patience

A real challenge is in trying to bring the desires of one segment to the other. That’s difficult indeed.

Choose your customers, choose your future.

08:42

The Pittsburgh Stealers [Penny Arcade]

New Comic: The Pittsburgh Stealers

06:49

Girl Genius for Monday, April 15, 2024 [Girl Genius]

The Girl Genius comic for Monday, April 15, 2024 has been posted.

04:07

Capitalists Hate Capitalism [Cory Doctorow's craphound.com]

A scene out of an 11th century tome on demon-summoning called 'Compendium rarissimum totius Artis Magicae sistematisatae per celeberrimos Artis hujus Magistros. Anno 1057. Noli me tangere.' It depicts a demon tormenting two unlucky would-be demon-summoners who have dug up a grave in a graveyard. One summoner is held aloft by his hair, screaming; the other screams from inside the grave he is digging up. The scene has been altered to remove the demon's prominent, urinating penis, to add in a Tesla supercharger, and a red Tesla Model S nosing into the scene.

Today for my podcast, I read Capitalists Hate Capitalism, my latest column from Locus Magazine. It’s a meditation on the difference between feudalism and capitalism, and how to know which one you’re living under.

I recorded this on a day when I was home between book-tour stops (I’m out with my new techno crime-thriller, The Bezzle). Catch me this Wednesday (Apr 17) in Chicago at Anderson’s Books, then in Torino for the Biennale keynote on Apr 21, then in Marin County at Book Passage Corte Madera on Apr 27, then in Winnipeg, Calgary, Vancouver, and beyond! The canonical link for the schedule is here.


Varoufakis’s argument turns on an important distinction between two types of income: profits and rents. These terms have colloquial meanings that are widely understood, but Varoufakis is interested in the precise technical definitions used by economists.

For an economist, ‘‘profit’’ is income obtained by mixing capital – tools, machines, systems – with your employees’ labor. The value created by that labor is then divided between the worker, who draws a wage, and the capitalist, who takes the rest as profit.

‘‘Rent,’’ meanwhile, was income derived from owning something that the capitalist needs in order to realize a profit. In feudal times, hereditary lords owned plots of land that serfs were bound to, and those serfs owed an annual rent to their lords. This wasn’t a great deal for the serfs, but it also needled the nascent capitalist class, who would have very much preferred to have those lands enclosed for sheep grazing. The sheep would produce wool, which could be woven into cloth in the ‘‘dark, Satanic mills’’ of the industrial revolution. The former serfs, turned off their land, could be set to work in those factories.


MP3


Here’s that tour schedule!

17 Apr: Anderson’s Books, Chicago, 19h:
https://www.andersonsbookshop.com/event/cory-doctorow-1

19-21 Apr: Torino Biennale Tecnologia
https://www.turismotorino.org/en/experiences/events/biennale-tecnologia

2 May, Canadian Centre for Policy Alternatives, Winnipeg
https://www.eventbrite.ca/e/cory-doctorow-tickets-798820071337

3 May, Wordfest, Calgary
https://wordfest.com/2024/event/wordfest-presents-cory-doctorow-2/

4 May, Massy Arts, Vancouver
https://www.eventbrite.ca/e/solo-reading-cory-doctorow-the-bezzle-tickets-876989167207

5-11 May: Tartu Prima Vista Literary Festival
https://tartu2024.ee/en/kirjandusfestival/

6-9 Jun: Media Ecology Association keynote, Amherst, NY
https://media-ecology.org/convention

(Image: Steve Jurvetson, CC BY 2.0, modified)

02:56

Loup Garou [QC RSS]

If you want to see the Werewolf Mode Incident in all its NSFW glory, you can subscribe to my Patreon. You also get comics 24 hours early, access to comic drawing streams for even SNEAKIER sneak peeks, and more!

ALSO, I have TWO NEW T SHIRT DESIGNS up for pre-order! Click that graphic below if you agree that A) shit is fucked or B) people should be nice to you or C) all of the above. Thank you.

02:42

Network of ghost roads [Richard Stallman's Political Notes]

*Network of "ghost roads" paves the way for leveling Asia-Pacific rain forests.*

Layan Nasir [Richard Stallman's Political Notes]

Not all Palestinians are Muslims. Israeli soldiers came to arrest an unarmed Christian Palestinian at home, at night, in the West Bank.

They are planning to hold her in prison indefinitely, with no official charges and therefore no trial. However, there is suspicion that she is in prison for political organizing.

Iran drone strikes [Richard Stallman's Political Notes]

Iran launched 100 drones, or more, in attacks on Israel. This was a response to an Israeli attack on an Iranian consulate in Syria.

Israel and Iran have been, formally, at war for decades. Can anyone point me at info on how and when that state of war started?

Here is more background.

Shoplifting crackdown [Richard Stallman's Political Notes]

The UK proposes to use facial recognition systems on important streets, including mobile vans, to find people wanted for arrest. And not only for heinous crimes — even shoplifters would be sought this way.

02:35

Link [Scripting News]

Next up, let's connect Drummer blogging to FeedLand blogrolls. 😄

Link [Scripting News]

I want to work with the best developers, I don't care where they work. It occurred to me, watching a Martin Scorsese documentary about the life of George Harrison, how much people in music seek out opportunities to create with other musicians. In technology, it doesn't happen; we don't even look at each other's software. After waiting a whole lifetime for a culture of collaboration, we have had it for short periods, but most of the time it's been people trying to deconstruct and reinvent other people's work, not build on it. I'm still open to this changing. I hope to be a catalyst for it, one more time.

Link [Scripting News]

I don’t like how betting has invaded sports broadcasting. I don't like that it breaks the bond among people who root for one team their whole lives, as I have with the Knicks and the Mets. I think of people who love the same teams as I do as family. I like that there are Knicks fans who also like the Yankees even though I totally despise the Yankees and everything they (don't) stand for, but we all love the freaking Knicks (and ignore the Nets, btw). Before long there won't be any of us left; everyone will see sports as a business, an obsession, or their downfall, because you can't win at gambling, we all know that. The whole tribal thing about sports is broken by integrated gambling. It suggests many of us, maybe eventually most of us, are here not for love of team, but rather to feed an addiction.

01:49

RMS will give a talk in Braga [Richard Stallman's Political Notes]

In Braga, Portugal, April 17th, Richard Stallman will give a talk, Free Software and Freedom in a Digital Society.

00:56

More Midwest fires earlier, USA [Richard Stallman's Political Notes]

It is early spring, and the US Midwest is already suffering from wildfires.

Sunday, 14 April

22:49

Kernel prepatch 6.9-rc4 [LWN.net]

The 6.9-rc4 kernel prepatch is out for testing. "Nothing particularly unusual going on this week - some new hw mitigations may stand out, but after a decade of this I can't really call it 'unusual' any more, can I?"

22:14

Linux 6.10 to merge NTSYNC driver for emulating Windows NT synchronization primitives [OSnews]

Going through my usual scanning of all the “-next” Git subsystem branches of new code set to be introduced for the next Linux kernel merge window, a very notable addition was just queued up… Linux 6.10 is set to merge the NTSYNC driver for emulating the Microsoft Windows NT synchronization primitives within the kernel for allowing better performance with Valve’s Steam Play (Proton) and Wine of Windows games and other apps on Linux.

↫ Michael Larabel

The improvements to performance of games running under Proton this new driver will bring are legitimately insane. We’re looking at a game-changing addition to the Linux kernel here, and it’s no surprise, then, to see this effort being spearheaded by companies like Valve and CodeWeavers.

KDE’s Kate on all platforms [OSnews]

Kate, KDE’s programming-focused text editor, is, of course, a Qt application, and is also available on a variety of other platforms. Christoph Cullmann, one of the developers of Kate, published a short blog post with screenshots of Kate running on the three biggest platforms – Linux/BSD, Windows, and macOS. Sadly, while Haiku gets a mention, there’s no screenshot of the Haiku version of Kate.

Still, it’s interesting to see the family resemblance.

21:56

Link [Scripting News]

Final Eastern Division standings. Knicks finish second. Best Knicks team in a long time. Ended the season with a five-game winning streak.

17:35

Upcoming Speaking Engagements [Schneier on Security]

This is a current list of where and when I am scheduled to speak:

  • I’m speaking twice at RSA Conference 2024 in San Francisco. I’ll be on a panel on software liability on May 6, 2024 at 8:30 AM, and I’m giving a keynote on AI and democracy on May 7, 2024 at 2:25 PM.

The list is maintained on this page.

17:14

Getting the word out [Seth's Blog]

“How do you get the word out?”

I’ve heard this from presidential candidates, from small business leaders and nonprofits as well. It’s easy to believe that the goal of marketing is to shout, hype, hustle and otherwise promote.

It’s tempting to focus on your story as the top of the pyramid, and decide that your work is to share that story to everyone downstream, downwind or near you.

Hire a PR firm, run some ads, post more on social media and hype and hustle. After all, it’s important.

But that’s not how the world works, and it hasn’t worked that way since network TV started to fade a few decades ago.

Ideas that spread win. Horizontally, not from the rooftops.

When we build something that our users want to talk about, remarkable happens. Remarkable means worth making a remark about.

This is the engine that GOODBIDS is built for. A nonprofit uses the permission asset they’ve built with their existing donors to let them know about an auction. That’s anticipated, personal and relevant, and backers are delighted to hear about it.

And then what happens?

If the auction is interesting to friends or colleagues, the supporters happily tell the others about it. They do it to earn free bids, or they do it to help a cause they care about, or they do it because spreading the word about something interesting, worthwhile or fun feels good.

In the last four days, GOODBIDS users have shared our initial auctions with tens of thousands of people… not because someone made them do it, but because they wanted to.

Today’s auctions:

An official NASA Apollo 11 shoulder patch, identical to the one that Armstrong wore on the moon. It comes with a signed, limited edition of David Meerman Scott‘s brilliant book on the marketing of the race to the moon.

It also comes with a letter of authenticity. The patch is untouched, unflown and uncut. It will make your heart race and remind you of just how much we’re capable of when we work together with focus. Meeting Neil years ago made me cry, and I hope you’ll check this one out.

A chance to have Simon Sinek and me on your podcast. We might not set any records, but we keep the crowd alert.

And a hand-signed New York Giants helmet. It is difficult to ignore and something a fan would love to own.

13:28

Paolo Amoroso: Testing the Practical Common Lisp code on Medley [Planet Lisp]

When the Medley Interlisp Project began reviving the system around 2020, its Common Lisp implementation was in the state it had when commercial development petered out in the 1990s, mostly prior to the ANSI standard.

Back then Medley Common Lisp mostly supported CLtL1 plus CLOS and the condition system. Some patches submitted several years later to bring the language closer to CLtL2 needed review and integration.

Aside from these general areas there was no detailed information on what Medley missed or where it differed from ANSI Common Lisp.

In late 2021 Larry Masinter proposed to evaluate the ANSI compatibility of Medley Common Lisp by running the code of popular Common Lisp books and documenting any divergences. In March of 2024 I set to work to test the code of the book Practical Common Lisp by Peter Seibel.

I went over the book chapter by chapter and completed a first pass, documenting the effort in a GitHub issue and a series of discussion posts. In addition I updated a running list of divergences from ANSI Common Lisp.

Methodology

Part of the code of the book is contained in the examples in the text and the rest in the downloadable source files, which constitute some more substantial projects.

To test the code on Medley I evaluated the definitions and expressions at a Xerox Common Lisp Exec, noting any errors or differences from the expected outcomes. When relevant source files were available I loaded them prior to evaluating the test expressions so that any required definitions and dependencies were present. ASDF hasn't been ported to Medley, so I loaded the files manually.

Adapting the code

Before running the code I had to apply a number of changes. I filled in any missing function and class definitions the book leaves out as incidental to the exposition. This also involved adding appropriate function calls and object instantiations to exercise the definitions or produce the expected output.

The source files of the book needed adaptation too due to the way Medley handles pure Common Lisp files.

Skipped code

The text and source files also contain code I couldn't run because some features are known to be missing from Medley, or key dependencies can't be fulfilled. For example, a few chapters rely on the AllegroServe HTTP server, which doesn't run on Medley. Although Medley does have an XNS network stack, providing the TCP/IP network functions AllegroServe assumes would be a major project.

Some chapters depend on code in earlier chapters that uses features not available in Medley Common Lisp, so I had to skip those too.

Findings

Having completed the first pass over Practical Common Lisp, my initial impression is that Medley's implementation of Common Lisp is capable and extensive. It can run, with minor or no changes, code that uses most basic and intermediate Common Lisp features.

The majority of the code I tried ran as expected. However, this work did reveal significant gaps and divergences from ANSI.

To account for the residential environment and other peculiarities of Medley, packages need to be defined in a specific way. For example, some common defpackage keyword arguments differ from ANSI. Also, uppercase strings seem to work better than keywords as package designators.

As for the gaps, the loop iteration macro, symbol-macrolet, the #p reader macro, and other features turned out to be missing or not to work.

While the incompatibilities with ANSI Common Lisp are relatively easy to address or work around, what new users may find more difficult is understanding and using the residential environment of Medley.

Bringing Medley closer to ANSI Common Lisp

To plug the gaps this project uncovered Larry ported or implemented some of the missing features and fixed a few issues.

He ported a loop implementation which he's enhancing to add missing functionality like iterating over hash tables. Iterating over packages, which loop lacks at this time, is trickier. More work went into adding #p and an experimental symbol-macrolet.

Reviewing and merging the CLtL2 patches is still an open issue, a major project that involves substantial effort.

Future work and conclusion

When the new features are ready I'll do a second pass to check if more of the skipped code runs. Another outcome of the work may be the beginning of a test suite for Medley Common Lisp.

Regardless of the limitations, what the project highlighted is Medley is ready as a development environment for writing new Common Lisp code, or porting libraries and applications of small to medium complexity.

#CommonLisp #Interlisp #Lisp


10:35

The digital barback [Seth's Blog]

A barback supports the bartending staff. There are always clean glasses and fresh ingredients, ready to go.

Having someone else do your mise en place can dramatically improve your productivity.

And now, with a bit of effort, you can train an AI and a few systems to do it for you. If you won’t, your competition will.

09:00

Petter Reinholdtsen: Time to move orphaned Debian packages to git [Planet Debian]

There are several packages in Debian without an associated git repository with the packaging history. This is unfortunate and it would be nice if more of these would do so. Quite a lot of these are without a maintainer, i.e., listed as maintained by the 'Debian QA Group' placeholder. In fact, 438 packages have this property according to UDD (SELECT source FROM sources WHERE release = 'sid' AND (vcs_url ilike '%anonscm.debian.org%' OR vcs_browser ilike '%anonscm.debian.org%' or vcs_url IS NULL OR vcs_browser IS NULL) AND maintainer ilike '%packages@qa.debian.org%';). Such packages can be updated without much coordination by any Debian developer, as they are considered orphaned.

To try to improve the situation and reduce the number of packages without an associated git repository, I started a few days ago to search out candidates and provide them with a git repository under the 'debian' collaborative Salsa project. I started with the packages pointing to obsolete Alioth git repositories, and am now working my way across the ones completely without git references. In addition to updating the Vcs-* debian/control fields, I try to update Standards-Version, debhelper compat level, simplify d/rules, switch to Rules-Requires-Root: no and fix lintian issues reported. I only implement those that are trivial to fix, to avoid spending too much time on each orphaned package. So far my experience is that it takes approximately 20 minutes to convert a package without any git references, and a lot more for packages with existing git repositories incompatible with git-buildpackage.

So far I have converted 10 packages, and I will keep going until I run out of steam. As should be clear from the numbers, there are enough packages remaining for more people to do the same without stepping on each other's toes. I find it useful to start by searching for a git repo already on salsa, as I find that sometimes a git repo has already been created, but no new version is uploaded to Debian yet. In those cases I start with the existing git repository. I convert to the git-buildpackage+pristine-tar workflow, and ensure a debian/gbp.conf file with "pristine-tar=True" is added early, to avoid uploading an orig.tar.gz with the wrong checksum by mistake. I did that three times in the beginning before I remembered my mistake.

So, if you are a Debian Developer and have some spare time, perhaps consider migrating some orphaned packages to git?

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

08:14

Ecuadorian, diplomatic faux pas, MEX [Richard Stallman's Political Notes]

*Mexico calls on UN to expel Ecuador over embassy raid as tensions soar.*

To legitimize the practice of invading other countries' embassies would further destabilize what remains of the conventions and rules of international relations.

That may have helped arrest a crook this time. In London, 10 years ago, it would have enabled the UK to grab Julian Assange sooner. But overall, these specific effects will average out to zero; what will remain is less stability.

More PFAS regulations, lawsuits [Richard Stallman's Political Notes]

*US imposes first-ever limits on levels of [four specific] toxic PFA substances in drinking water.*

No level of these substances is absolutely safe, but a smaller concentration causes a smaller danger. Even though no nonzero level leads to zero danger, a small enough level makes for a danger that is insignificant, practically speaking, compared with the other dangers of life. The effort to reduce PFA substance levels beyond that is not efficient reduction of the danger.

Satire: Finger exercises [Richard Stallman's Political Notes]

(satire) *CDC Recommends 6 Hours Of Clicking Per Day For Healthy Fingers.*

Amazon rainforest as bargaining chip, COL [Richard Stallman's Political Notes]

*Colombian Amazon deforestation surges as armed groups tighten grip.* The groups started as rebels fighting a repressive government, but now they use the forest as a hostage. Meanwhile, the erstwhile provincial rebel group made peace and disarmed, so it is no longer there to keep the others down.

Palestinian village raided, brutalized [Richard Stallman's Political Notes]

Violent Israeli colonists in Palestinian territory attacked a Palestinian village, killing one Palestinian and injuring many. They were searching for a missing teenager who seems not to have been there at all. However, people who hate some others are often in a rush to declare them guilty of crimes, which may not even have happened at all.

Let's not lose sight of where we want to end up.

Buying EU govt influence, RUS [Richard Stallman's Political Notes]

*Belgium investigates alleged Russian payments to MEPs.*

*Belgian [prime minister] says Russia is trying to influence forthcoming elections to weaken European support for Ukraine.*

Sargassum belt polycrisis, CARICOM [Richard Stallman's Political Notes]

Enormous excesses of sargassum seaweed are choking coasts in the Caribbean, and emitting hydrogen sulfide gas, which is foul-smelling and even toxic in large enough amounts.

The dangerous excess is partly caused by the large amounts of fertilizer runoff that humans' farms now release to the Atlantic Ocean.

05:35

I Was Absolutely NOT Procrastinating Today, Nevertheless, Here is a Cover of “Brandy (You’re a Fine Girl)” [Whatever]

This is the fault of my friend Greg van Eekhout, who today on Facebook opined that “If you’re over 45 and play guitar you have a moral duty to learn at least one yacht rock song.” To which I commented that I called dibs on “Brandy” by Looking Glass. And since I called dibs on it, I felt beholden to, you know, actually whomp it up. It is the weekend, so I felt like I could take a couple of hours to play with it. And here we are.

Two things: I did not do the background vocals on the song, because I am lazy, and I used MIDI guitar, because I’m having some difficulty getting my audio interface to play nice with my guitar right now. The problem here is almost certainly me rather than the audio interface. Nevertheless, if you were going to comment that my guitar playing seems to be coming along, all I can say is, thanks, I cheated.

Also, if you want to compare and contrast with the original, here it is:

Enjoy the rest of your weekend!

— JS

Saturday, 13 April

23:42

It's bigger than a tiny little textbox [Scripting News]

Question: What's between a tiny little text box and a full-blown content management system?

Answer: A full-featured text editor with a social media feel to it without the limits of twitter-like systems.

That's what textcasting is for: to identify the essential features. This editor supports them.

100% built on WordPress. Why reinvent all the good stuff that's been debugged and scaled and has all that support in the world? As I like to say, one way of doing something is better than two, no matter how much better the second way is.

PS: A seven-minute podcast that explains. 😄

PPS: And don't forget about the blogroll. It's part of the puzzle too.

PPPS: The house was really cold when I did this recording so I walked around to try to stay warm. By the end I was pretty close to shivering out loud. I turned the heat up after I finished.

The question we intend to answer.

22:49

Saturday's stable kernel updates [LWN.net]

The 6.8.6, 6.6.27, 6.1.86, 5.15.155, 5.10.215, 5.4.274, and 4.19.312 stable kernel updates have all been released; each contains a relatively large number of important fixes.

22:07

VMS Software guts its community licensing program [OSnews]

VMS Software, the company developing OpenVMS, has announced some considerable changes to its licensing program for hobbyists, and the news is, well, bad. The company claims that demand for hobbyist licenses has been so high that they were unable to process requests fast enough, and as such, that the program is not delivering the “intended benefits”. Despite this apparent high demand, contributions from the community, such as writing and porting open-source software, creating wiki articles, and providing assistance on their forums, “has not matched the scale of the program”.

Now, I want to stop them right here. The OpenVMS hobbyist program was riddled with roadblocks, restrictions, unclear instructions, restrictive licensing, and similar barriers to entry. As such, it’s entirely unsurprising that the community around what is largely a relic of an operating system – with all due respect – simply hasn’t grown enough to become self-sustaining. The blame here lies entirely with VMS Software itself, and not at all with whatever community managed to form around OpenVMS, despite the countless restrictions.

So, you’d expect them to expand the program, right? Perhaps embrace open source, or make the various versions and releases more freely and easily available?

No, they’re going to do the exact opposite. To address not getting enough out of their community, they’re going to limit that community’s options even more. First, they’re ending the community program for the Alpha and Itanium (which they call Integrity, since it covers HP’s Integrity machines), effective immediately, so they won’t be granting any new licenses for these architectures. Existing licenses will continue to work until 2025.

Effective immediately, we will discontinue offering new community licenses for non-commercial use for Alpha and Integrity. Existing holders of community licenses for these architectures will get updates for those licenses and retain their access to the Service Portal until March 2025 for Alpha and December 2025 for Integrity. All outstanding requests for Alpha and Integrity community licenses will be declined.

↫ VMS Software announcement

This sucks, but with both Alpha and Itanium being end-of-life, there are at least some arguments that can be made for ending the program for these architectures. Much less defensible are the changes to x86-64 community licensing, which basically just come down to more bureaucracy for both users and VMS Software.

For x86 community licenses, we will be transitioning to a package-based distribution model (which will also replace the student license that used to be distributed as a FreeAXP emulator package). A vmdk of a system disk with OpenVMS V9.2-2 and compilers installed and licensed will be provided, along with instructions to create a virtual machine and the SYSTEM password. The license installed on that system will be valid for one year, at which point we will provide a new package. While this may entail some inconvenience for users, it enables us to continue offering licenses at no cost, ensuring accessibility without compromising our sustainability.

↫ VMS Software announcement

The vibe I’m getting from this announcement is that by offering some rudimentary and complicated form of community licensing, OpenVMS hoped to gain the advantages of a vibrant open source community, without all the downsides. They must’ve hoped that by throwing the community a bone, they’d get them to do a bunch of work for them, and now that this is not panning out, they’re taking their ball and going home. That’s entirely within their right, of course, but I doubt these changes are going to make anyone more excited to dig into OpenVMS.

All of this feels eerily similar to the attempts by QNX – before being acquired by BlackBerry – to do pretty much the same thing. QNX also tried a similar model where you needed to sign up and jump through a bunch of hoops to get QNX releases, and the company steeped it in talks of building a community, but of course it didn’t pan out because people are simply not interested in a one-way relationship where you’re working for free for a corporation who then takes your stuff and uses it to sell their, in this case, operating system.

This particular mistake is made time and time again, and it seems VMS Software simply did not learn this lesson.

20:49

Hey, I’m Not Going to Try to Scam You on Facebook (Or, You Know, Elsewhere) [Whatever]

Briefly: Some dimwit scamster is pretending to be me on Facebook and then is sliding into people’s messages there, trying to get them to use “my” marketing expert, what looks to be an equally scamalicious Facebook account. So for the avoidance of doubt:

This is the only public Facebook account I have (note the URL); you’ll notice the “verified” blue check on it (likewise, I note it’s mine here). Any other public-facing account purporting to be me is fake, and if it tries to get you to do anything, you should probably report it as a scam.

(Note: I have a private Facebook account for friends and family, and also a Scalzi Enterprises account. Neither of them are going to slide into your private messages to try to sell you anything, either.)

Here is that fake account purporting to be me; if you have a Facebook account and would like to report it for impersonation, please feel free (don’t be a jerk about it, just report it). Here is the account of the “marketer” it wants to suggest I am using. I do not use her, nor, obviously, do I suggest you use the services of that account, either. It’s almost certainly a scam. FYI, the picture of the woman there is stock art.

Also, in a general sense, any account purporting to be a well-known person who tries to get you to give money directly to them, or someone else associated with them, is probably really bad news, and you should not have anything to do with them.

Also also: I am not going to try to upsell you on any marketing mavens. All my marketing and publicity is handled by my publishers. I don’t work with outside marketing people at this time, and even if I did I would not slide into your messages about it.

At this moment in time, the only thing I’m trying to sell you is books. I’m not going to slide into your personal messages about those, either. You can get them from any bookstore. Support your local one!

— JS

19:07

Reproducible and minimal source-only tarballs [Planet GNU]

With the release of Libntlm version 1.8 the release tarball can be reproduced on several distributions. We also publish a signed minimal source-only tarball, produced by git-archive, which is the same format used by Savannah, Codeberg, GitLab, GitHub and others. Reproducibility of both tarballs is tested continuously for regressions on GitLab through a CI/CD pipeline. If that wasn’t enough to excite you, the Debian packages of Libntlm are now built from the reproducible minimal source-only tarball. The resulting binaries are hopefully reproducible on several architectures.

What does that even mean? Why should you care? How can you do the same for your project? What are the open issues? Read on, dear reader…

This article describes my practical experiments with reproducible release artifacts, following up on my earlier thoughts that led to discussion on Fosstodon and a patch by Janneke Nieuwenhuizen to make Guix tarballs reproducible, which inspired me to do some practical work.

Let’s look at how a maintainer releases some software, and how a user can reproduce the released artifacts from the source code. Libntlm provides a shared library written in C and uses GNU Make, GNU Autoconf, GNU Automake, GNU Libtool and gnulib for build management, but these ideas should apply to most projects and build systems. The following illustrates the steps a maintainer would take to prepare a release:

git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
./bootstrap
./configure
make distcheck
gpg -b libntlm-1.8.tar.gz

The generated files libntlm-1.8.tar.gz and libntlm-1.8.tar.gz.sig are published, and users download and use them. This is how the GNU project has been doing releases since the late 1980s. That is a testament to how successful this pattern has been! These tarballs contain source code and some generated files, typically shell scripts generated by autoconf, makefile templates generated by automake, and documentation in formats like Info, HTML, or PDF. Rarely do they contain binary object code, but historically that happened.

The XZUtils incident illustrates that tarballs with files that are not included in the git archive offer an opportunity to disguise malicious backdoors. I blogged earlier about how to mitigate this risk by using signed minimal source-only tarballs.

The risk of hiding malware is not the only motivation to publish signed minimal source-only tarballs. With pre-generated content in tarballs, there is a risk that GNU/Linux distributions such as Trisquel, Guix, Debian/Ubuntu or Fedora ship generated files coming from the tarball into the binary *.deb or *.rpm package file. Typically the person packaging the upstream project never realized that some installed artifacts were not rebuilt through a typical autoreconf -fi && ./configure && make install sequence, and never wrote the code to rebuild everything. This can also happen if the build rules are written but are buggy, shipping the old artifact. When a security problem is found, this can lead to time-consuming situations, as it may be that patching the relevant source code and rebuilding the package is not sufficient: the vulnerable generated object from the tarball would be shipped into the binary package instead of a rebuilt artifact. For architecture-specific binaries this rarely happens, since object code is usually not included in tarballs — although for 10+ years I shipped the binary Java JAR file in the GNU Libidn release tarball, until I stopped shipping it. For interpreted languages, and especially for generated content such as HTML, PDF and shell scripts, this happens more than you would like.

Publishing minimal source-only tarballs enables easier auditing of a project’s code, avoiding the need to read through all generated files looking for malicious content. I have taken care to generate the source-only minimal tarball using git-archive. This is the same format that GitLab, GitHub, etc. offer for the automated download links on git tags. The minimal source-only tarballs can thus serve as a way to audit GitLab and GitHub download material! Consider if/when hosting sites like GitLab or GitHub have a security incident that causes generated tarballs to include a backdoor that is not present in the git repository. If people rely on the tag download artifact without verifying the maintainer PGP signature using GnuPG, this can lead to backdoor scenarios similar to the one we had for XZUtils, but originating with the hosting provider instead of the release manager. This is even more concerning, since such an attack can be mounted against selected IP addresses that the attacker wants to target rather than against everyone, making it harder to discover.

With all that discussion and rationale out of the way, let’s return to the release process. I have added another step here:

make srcdist
gpg -b libntlm-1.8-src.tar.gz

Now the release is ready. I publish these four files in Libntlm’s Savannah Download area, but they can be uploaded to a GitLab/GitHub release area as well. These are the SHA256 checksums I got after building the tarballs on my Trisquel 11 aramo laptop:

91de864224913b9493c7a6cec2890e6eded3610d34c3d983132823de348ec2ca  libntlm-1.8-src.tar.gz
ce6569a47a21173ba69c990965f73eb82d9a093eb871f935ab64ee13df47fda1  libntlm-1.8.tar.gz

So how can you reproduce my artifacts? Here is how to reproduce them in an Ubuntu 22.04 container:

podman run -it --rm ubuntu:22.04
apt-get update
apt-get install -y --no-install-recommends autoconf automake libtool make git ca-certificates
git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
./bootstrap
./configure
make dist srcdist
sha256sum libntlm-*.tar.gz

You should see the exact same SHA256 checksum values. Hooray!

This works because Trisquel 11 and Ubuntu 22.04 use the same versions of git, autoconf, automake, and libtool. These tools do not guarantee the same output content across versions, similar to how GNU GCC does not generate the same binary output across versions. So there is still some delicate version pairing needed.

Ideally, the artifacts should be possible to reproduce from the release artifacts themselves, and not only directly from git. It is possible to reproduce the full tarball in an AlmaLinux 8 container – replace almalinux:8 with rockylinux:8 if you prefer RockyLinux:

podman run -it --rm almalinux:8
dnf update -y
dnf install -y make wget gcc
wget https://download.savannah.nongnu.org/releases/libntlm/libntlm-1.8.tar.gz
tar xfa libntlm-1.8.tar.gz
cd libntlm-1.8
./configure
make dist
sha256sum libntlm-1.8.tar.gz

The source-only minimal tarball can be regenerated on Debian 11:

podman run -it --rm debian:11
apt-get update
apt-get install -y --no-install-recommends make git ca-certificates
git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
make -f cfg.mk srcdist
sha256sum libntlm-1.8-src.tar.gz 

As the magnum opus or chef-d’œuvre, let’s recreate the full tarball directly from the minimal source-only tarball on Trisquel 11 – replace docker.io/kpengboy/trisquel:11.0 with ubuntu:22.04 if you prefer.

podman run -it --rm docker.io/kpengboy/trisquel:11.0
apt-get update
apt-get install -y --no-install-recommends autoconf automake libtool make wget git ca-certificates
wget https://download.savannah.nongnu.org/releases/libntlm/libntlm-1.8-src.tar.gz
tar xfa libntlm-1.8-src.tar.gz
cd libntlm-v1.8
./bootstrap
./configure
make dist
sha256sum libntlm-1.8.tar.gz

Yay! You should now have great confidence that the release artifacts correspond to what’s in version control and also to what the maintainer intended to release. Your remaining job is to audit the source code for vulnerabilities, including the source code of the dependencies used in the build. You no longer have to worry about auditing the release artifacts.

I find it somewhat amusing that the build infrastructure for Libntlm is now in a significantly better place than the code itself. Libntlm is written in old C style with plenty of string manipulation and uses broken cryptographic algorithms such as MD4 and single-DES. Remember folks: solving supply chain security issues has no bearing on what kind of code you eventually run. A clean gun can still shoot you in the foot.

Side note on naming: GitLab exports tarballs with pathnames libntlm-v1.8/ (i.e., PROJECT-TAG/) and I’ve adopted the same pathnames, which means my libntlm-1.8-src.tar.gz tarballs are bit-by-bit identical to GitLab’s exports and you can verify this with tools like diffoscope. GitLab names the tarball libntlm-v1.8.tar.gz (i.e., PROJECT-TAG.ARCHIVE), which I find too similar to the libntlm-1.8.tar.gz that we also publish. GitHub uses the same git archive style, but unfortunately they have logic that removes the ‘v’ in the pathname, so you will get a tarball with pathname libntlm-1.8/ instead of the libntlm-v1.8/ that GitLab and I use. The content of the tarball is bit-by-bit identical, but the pathname and archive differ. Codeberg (running Forgejo) uses another approach: the tarball is called libntlm-v1.8.tar.gz (after the tag) just like GitLab, but the pathname inside the archive is libntlm/; otherwise the produced archive is bit-by-bit identical, including timestamps. Savannah’s CGIT interface uses the archive name libntlm-1.8.tar.gz with pathname libntlm-1.8/, but otherwise the file content is identical. Savannah’s GitWeb interface provides snapshot links that are named after the git commit (e.g., libntlm-a812c2ca.tar.gz with libntlm-a812c2ca/) and I cannot find any tag-based download links at all. Overall, we are so close to getting the SHA256 checksums to match, but fail on the pathname within the archive. I’ve chosen to be compatible with GitLab regarding the content of tarballs but not on archive naming. From a simplicity point of view, it would be nice if everyone used PROJECT-TAG.ARCHIVE for the archive filename and PROJECT-TAG/ for the pathname within the archive. This aspect will probably need more discussion.
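As an added example (not code from Libntlm or this post), the following POSIX shell script checks a tag download tarball against the git tag it claims to come from while ignoring the top-level prefix, so the GitLab-style libntlm-v1.8/, GitHub-style libntlm-1.8/ and Codeberg-style libntlm/ archives described above all compare equal to each other and to the maintainer's git archive output. The sample repository, tag, prefixes and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Libntlm's own tooling: compare a tarball's *content*
# with a git tag, independent of the hosting site's top-level prefix.
set -eu

# SHA256 of the archive file itself: this is the value that differs
# between hosting sites even when the tree inside is identical.
archive_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# SHA256 over the sorted (path, content hash) list of a tarball with the
# top-level directory stripped. Archives that differ only in prefix (or in
# gzip framing) compare equal. Modes and mtimes are deliberately ignored.
content_digest() {
    cd_tmp=$(mktemp -d)
    tar -xzf "$1" -C "$cd_tmp" --strip-components=1
    (cd "$cd_tmp" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done) | sha256sum | cut -d' ' -f1
    rm -rf "$cd_tmp"
}

# git archive, the same command shape as a srcdist rule:
# $1 repo, $2 tag, $3 prefix (PROJECT-TAG/), $4 output file.
make_src_tarball() {
    git -C "$1" archive --format=tar.gz --prefix="$3" -o "$4" "$2"
}

# Does the downloaded tarball ($3) carry exactly the tree of tag $2 in
# repo $1? Returns 0 on match, 1 on any extra, missing or changed file.
verify_against_tag() {
    vt_tmp=$(mktemp -d)
    make_src_tarball "$1" "$2" check/ "$vt_tmp/check.tar.gz"
    vt_want=$(content_digest "$vt_tmp/check.tar.gz")
    vt_got=$(content_digest "$3")
    rm -rf "$vt_tmp"
    [ "$vt_want" = "$vt_got" ]
}

# Constructed sample repository with a fixed identity and commit timestamp,
# so git archive produces the same bytes on every run.
WORK=$(mktemp -d)
REPO="$WORK/demo"
export GIT_AUTHOR_NAME=Example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=Example GIT_COMMITTER_EMAIL=example@example.invalid
export GIT_AUTHOR_DATE='2024-04-13T19:07:00+00:00'
export GIT_COMMITTER_DATE='2024-04-13T19:07:00+00:00'
git init -q "$REPO"
mkdir -p "$REPO/src"
printf 'demo project\n' > "$REPO/README"
printf 'int main(void) { return 0; }\n' > "$REPO/src/main.c"
git -C "$REPO" add -A
git -C "$REPO" commit -q -m 'constructed sample commit'
git -C "$REPO" tag v1.8

# Three exports of the same tag: PROJECT-TAG/ prefix (GitLab style), the
# same prefix again, and a prefix with the 'v' removed (GitHub style).
make_src_tarball "$REPO" v1.8 demo-v1.8/ "$WORK/gitlab-style.tar.gz"
make_src_tarball "$REPO" v1.8 demo-v1.8/ "$WORK/gitlab-style-again.tar.gz"
make_src_tarball "$REPO" v1.8 demo-1.8/  "$WORK/github-style.tar.gz"

# Constructed "tampered" download: the same tree plus one generated file
# that is not in git, which a content comparison against the tag must catch.
mkdir "$WORK/tampered"
tar -xzf "$WORK/github-style.tar.gz" -C "$WORK/tampered"
printf 'not in git\n' > "$WORK/tampered/demo-1.8/configure"
tar -czf "$WORK/tampered.tar.gz" -C "$WORK/tampered" demo-1.8

echo "archive sha256 (prefix demo-v1.8/): $(archive_sha256 "$WORK/gitlab-style.tar.gz")"
echo "archive sha256 (prefix demo-1.8/):  $(archive_sha256 "$WORK/github-style.tar.gz")"
echo "content digest (either prefix):     $(content_digest "$WORK/github-style.tar.gz")"
verify_against_tag "$REPO" v1.8 "$WORK/github-style.tar.gz" && echo "github-style tarball matches tag v1.8"
verify_against_tag "$REPO" v1.8 "$WORK/tampered.tar.gz" || echo "tampered tarball does NOT match tag v1.8"
```

The two differently prefixed exports have different archive checksums but the same content digest, and only the tarball with the extra generated file fails verify_against_tag.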

Side note on git archive output: It seems different versions of git archive produce different results for the same repository. The version of git in Debian 11, Trisquel 11 and Ubuntu 22.04 behaves the same. The version of git in Debian 12, AlmaLinux/RockyLinux 8/9, Alpine, ArchLinux, macOS homebrew, and the upcoming Ubuntu 24.04 behaves in another way. Hopefully this will not change that often, but such a change would invalidate reproducibility of these tarballs in the future, forcing you to use an old git release to reproduce the source-only tarball. Alas, GitLab and most other sites appear to be using modern git, so the download tarballs from them would not match my tarballs – even though the content would.

Side note on ChangeLog: ChangeLog files were traditionally manually curated files with version history for a package. In recent years, several projects moved to dynamically generating them from git history (using tools like git2cl or gitlog-to-changelog). This has consequences for reproducibility of tarballs: you need to have the entire git history available! The gitlog-to-changelog tool also produces different output depending on the time zone of the person using it, which is arguably a simple bug that can be fixed. However, this entire approach is incompatible with rebuilding the full tarball from the minimal source-only tarball. It seems Libntlm’s ChangeLog file died on the surgery table here.

So how would a distribution build these minimal source-only tarballs? I happen to help on the libntlm package in Debian. It has historically used the generated tarballs as the source code to build from. This means that code coming from gnulib is vendored in the tarball. When a security problem is discovered in gnulib code, the security team needs to patch all packages that include that vendored code and rebuild them, instead of merely patching the gnulib package and rebuilding all packages that rely on that particular code. To change this, the Debian libntlm package needs to Build-Depends on Debian’s gnulib package. But there was one problem: similar to most projects that use gnulib, Libntlm depends on a particular git commit of gnulib, and Debian only ships one commit. There is no coordination about which commit to use. I have adopted gnulib in Debian, and added a git bundle to the *_all.deb binary package so that projects that rely on gnulib can pick whatever commit they need. This allows a no-network GNULIB_URL and GNULIB_REVISION approach when running Libntlm’s ./bootstrap with the Debian gnulib package installed. Otherwise libntlm would pick up whatever latest version of gnulib Debian happened to have in the gnulib package, which is not what the Libntlm maintainer intended to be used, and can lead to all sorts of version mismatches (and consequently security problems) over time. Libntlm in Debian is developed and tested on Salsa and there is continuous integration testing of it as well, thanks to the Salsa CI team.

Side note on git bundles: unfortunately there appears to be no reproducible way to export a git repository into one or more files. So one unfortunate consequence of all this work is that the gnulib *.orig.tar.gz tarball in Debian is not reproducible any more. I have tried to get Git bundles to be reproducible but I never got it to work — see my notes in gnulib’s debian/README.source on this aspect. Of course, source tarball reproducibility has nothing to do with binary reproducibility of gnulib in Debian itself, fortunately.

One open question is how to deal with the increased build dependencies that are triggered by this approach. Some people are surprised by this but I don’t see how to get around it: if you depend on source code for tools in another package to build your package, it is a bad idea to hide that dependency. We’ve done it for a long time through vendored code in non-minimal tarballs. Libntlm isn’t the most critical project from a bootstrapping perspective, so adding git and gnulib as Build-Depends to it will probably be fine. However, consider if this pattern was used for other packages that use gnulib such as coreutils, gzip, tar, bison etc. (all are using gnulib): then they would all Build-Depends on git and gnulib. Cross-building those packages for a new architecture will therefore require git on that architecture first, which gets circular quickly. The dependency on gnulib is real so I don’t see that going away, and gnulib is an Architecture: all package. However, the dependency on git is merely a consequence of how the Debian gnulib package chose to make all gnulib git commits available to projects: through a git bundle. There are other ways to do this that don’t require the git tool to extract the necessary files, but none that I found practical — ideas welcome!

Finally some brief notes on how this was implemented. Enabling bootstrappable source-only minimal tarballs via gnulib’s ./bootstrap is achieved by using the GNULIB_REVISION mechanism, locking down the gnulib commit used. I have always disliked git submodules because they add extra steps and have complicated interactions with CI/CD. The reason why I gave up git submodules now is that the particular commit to use is not recorded in the git archive output when git submodules are used. So the particular gnulib commit has to be mentioned explicitly in some source code that goes into the git archive tarball. Colin Watson added the GNULIB_REVISION approach to ./bootstrap back in 2018, and now it no longer made sense to continue to use a gnulib git submodule. One alternative is to use ./bootstrap with --gnulib-srcdir or --gnulib-refdir if there is some practical problem with pointing GNULIB_URL at a git bundle and setting GNULIB_REVISION in bootstrap.conf.

The srcdist make rule is simple:

git archive --prefix=libntlm-v1.8/ -o libntlm-v1.8.tar.gz HEAD

Making the make dist generated tarball reproducible can be more complicated; however, for Libntlm it was sufficient to make sure the modification times of all files were set deterministically to the timestamp of the last commit in the git repository. Interestingly, there seem to be a couple of different ways to accomplish this: Guix doesn’t support minimal source-only tarballs but relies on a .tarball-timestamp file inside the tarball. Paul Eggert explained what TZDB is using some time ago. The approach I’m using now is fairly similar to the one I suggested over a year ago. If there are problems because all files in the tarball now use the same modification time, there is a solution by Bruno Haible that could be implemented.

Doing continuous testing of all this is critical to make sure things don’t regress. Libntlm’s pipeline definition now produces the generated libntlm-*.tar.gz tarballs and a checksum as a build artifact. Then I added the 000-reproducability job which compares the checksums and fails on mismatches. You can read its delicate output in the job for the v1.8 release. Right now we insist that builds on Trisquel 11 match Ubuntu 22.04, that PureOS 10 builds match Debian 11 builds, that AlmaLinux 8 builds match RockyLinux 8 builds, and that AlmaLinux 9 builds match RockyLinux 9 builds. As you can see in the pipeline job output, not all platforms lead to the same tarballs, but hopefully this state can be improved over time. There is also partial reproducibility, where the full tarball is reproducible across two distributions but not the minimal tarball, or vice versa.

If this way of working plays out well, I hope to implement it in other projects too.

What do you think? Happy Hacking!

19:00

Freexian Collaborators: Monthly report about Debian Long Term Support, March 2024 (by Roberto C. Sánchez) [Planet Debian]

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In March, 19 contributors have been paid to work on Debian LTS; their reports are available:

  • Abhijith PA did 0.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 14.0h to the next month.
  • Adrian Bunk did 59.5h (out of 47.5h assigned and 52.5h from previous period), thus carrying over 40.5h to the next month.
  • Bastien Roucariès did 22.0h (out of 20.0h assigned and 2.0h from previous period).
  • Ben Hutchings did 9.0h (out of 2.0h assigned and 22.0h from previous period), thus carrying over 15.0h to the next month.
  • Chris Lamb did 18.0h (out of 18.0h assigned).
  • Daniel Leidert did 12.0h (out of 12.0h assigned).
  • Emilio Pozuelo Monfort did 0.0h (out of 3.0h assigned and 57.0h from previous period), thus carrying over 60.0h to the next month.
  • Guilhem Moulin did 22.5h (out of 7.25h assigned and 15.25h from previous period).
  • Holger Levsen did 0.0h (out of 0.5h assigned and 11.5h from previous period), thus carrying over 12.0h to the next month.
  • Lee Garrett did 0.0h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 60.0h to the next month.
  • Markus Koschany did 40.0h (out of 40.0h assigned).
  • Ola Lundqvist did 19.5h (out of 24.0h assigned), thus carrying over 4.5h to the next month.
  • Roberto C. Sánchez did 9.25h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 2.75h to the next month.
  • Santiago Ruano Rincón did 19.0h (out of 16.5h assigned and 2.5h from previous period).
  • Sean Whitton did 4.5h (out of 4.5h assigned and 1.5h from previous period), thus carrying over 1.5h to the next month.
  • Sylvain Beucler did 25.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 35.0h to the next month.
  • Thorsten Alteholz did 14.0h (out of 14.0h assigned).
  • Tobias Frost did 12.0h (out of 12.0h assigned).
  • Utkarsh Gupta did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.

Evolution of the situation

In March, we have released 31 DLAs.

Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable as well. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared an update of libvirt which was particularly notable, as it fixed multiple vulnerabilities which would lead to denial of service or information disclosure.

In addition to the normal security updates, multiple LTS contributors worked at getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rincón), cacti for bullseye/bookworm (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.

Thanks to our sponsors

Sponsors that joined recently are in bold.

18:42

Breaking my heart [RevK®'s ramblings]

One of the things I suffer from is tachycardia.

My first memory of this was in secondary school, when I got a flat tyre cycling to school and ran the rest of the way as the "form teacher", with whom we had registration at the start of the day, was "evil" (well, I was a school kid), so I did not dare be late.

When I got to school my heart rate was stupidly high, and I ended up passing out. My "evil" form teacher was suddenly panicking that one of her kids might have dropped dead! In some ways that was amusing.

I found much later this was congenital, and not worth surgery to fix. It is rare that it happens, and oddly enough made a lot more likely by "heart burn". It lasts a lot longer if I have just had exercise, which is what got me in an ER department and ended up with it being investigated many years later.

It is basically my heart doing "double time", so if I would have been 100bpm from exercise it is 200bpm! If I have a lie down and wait a few minutes it is fine. On rare occasions after a lot of exercise, it can take a lot longer, and that is scary. I look like shit and am soaking wet from sweat. I managed it once in costa coffee, and the manager there (that we know quite well) was really panicked, sorry. 

What is weird is when it sorts itself out. I am instantly "absolutely fine". That confuses people. Yes, other customers in costa were really worried about me!

On a few occasions I have been able to capture this on an ECG, using a Kardia thing, and now my new Apple Watch.

The rate drops a bit while I rest, but as you see, suddenly, my heart rate drops back to normal.

One of the scariest things I ever had was when I was in ER and they administered drugs to fix it, and that makes your heart stop! I mean it may have been a second or two before starting up again, but it feels like it has stopped, and that is scary as hell.

I don't know if any of my followers have this. It was explained to me that it was not worth the side effects and risks of surgery to fix it, and was mostly a nuisance. It pretty much has been, with maybe a couple of times a year. Something I have had all my life.

17:49

The perils of doing it live [Seth's Blog]

[Relevant aside: If you get this blog by email, apologies for the glitches of the last few days caused by my provider. If you ever see a broken link or something that doesn’t render, you can visit the blog. It always has the latest version, typos fixed. It’s much easier to fix the blog over time than it is to re-send an email due to an error. The irony of ‘live’ in this post is not lost on me. Thanks for your patience.]

Charity auctions are an odd hybrid. They take a lot of focus, and when done live, a lot of logistical support.

It’s all of the charity’s best “customers” in a room, at the same time.

Not just in a room, but at something that’s supposed to be a party, an event that’s not only supposed to be fun and demonstrate hospitality, but one that might involve our feelings around status, insufficiency and perfection.

As a result, months are spent making sure everything is just right. Date certain has baggage. Sign up to host live events with care.

That’s time and effort the nonprofit could be putting into engaging with donors directly. Or even in connecting donors to one another in a way that’s generative and useful.

If something goes wrong, plenty of people are triggered. And the responses have to happen with urgency.

GOODBIDS positive auctions can bring some of the real-time energy and urgency of a fundraising event, but without the emotional or labor overhead.

Yes, the auction is happening right here and right now. Bidders can’t snooze or they miss out. The clock is ticking, but not at the expense of the hardworking folks at the nonprofit. It’s working for them instead.

“What’s it for” is a question that’s worth asking, again and again.

Today, three superfun auctions join the list:

Claire Saffitz teaches you to bake.

Also, this Bob Dylan Slow Train Coming official tour jacket. It’s hanging in my office, and has been for a month or so. It’s magical and I’ll miss it. Thanks, Greg.

The first rule of GOODBIDS is that we create the conditions to talk about GOODBIDS. Ed Norton donated a signed Fight Club movie poster

Apple sleep tracking [RevK®'s ramblings]

I only post this because someone else may be as confused as I.

It is confusing - the instructions are very very clear that the Apple Watch will track sleep only when in "sleep focus", and you can set a schedule for that.

My issue is that I do not go to sleep at the same time - I could go to bed as early as 6pm or as late as 11pm. I could sleep all night, or sleep, and be awake, and sleep again (the old school "two sleeps" that apparently was the norm in medieval times) - last night I was awake and watched the really good "Miss Potter" film between sleeps. And no, I was not "in bed" all that time, so it is a tad confused and probably could have worked that out.

So I did not want to set a sleep focus schedule that was too soon, as it stops notifications/alerts/calls. But I also did not want to set it too late so that it does not record sleep. I did not want to set it manually as I would forget; plus, it seems, you have to tell it to end the sleep focus (even if you have a schedule). I do get up consistently in the morning, so that helps.

My concerns were totally unfounded, as it seems that Apple are happy to record sleep starting way before your sleep focus is scheduled to start. So I can simply set for a sensible later time.

Why the hell don't Apple explain this? Why make me think I have to fuck about with "sleep focus schedule"?

15:21

Pluralistic: Twinkfrump Linkdump (13 Apr 2024) [Pluralistic: Daily links from Cory Doctorow]


Today's links



A bowl of goulash.

Twinkfrump Linkdump (permalink)

Welcome to the seventeenth Pluralistic linkdump, a collection of all the miscellany that didn't make it into the week's newsletter, cunningly wrought together in a single edition that ranges from the first ISP to AI nonsense to labor organizing victories to the obituary of a brilliant scientist you should know a lot more about! Here's the other 16 dumps:

https://pluralistic.net/tag/linkdump/

If you're reading this (and you are!), it was delivered to you by an internet service provider. Today, the ISP industry is calcified, controlled by a handful of telcos and cable companies. But the idea of an "ISP" didn't come out of a giant telecommunications firm – it was created, in living memory, by excellent nerds who are still around.

Depending on how you reckon, The Little Garden was either the first or the second ISP in America. It was named after a Palo Alto Chinese restaurant frequented by its founders. To get a sense of that founding, read these excellent recollections by Tom Jennings, whose contributions include the seminal zine Homocore, the seminal networking protocol Fidonet, and the seminal third-party PC ROM, whence came Dell, Gateway, Compaq, and every other "PC clone" company.

The first installment describes how an informal co-op to network a few friends turned into a business almost by accident, with thousands of dollars flowing in and out of Jennings' bank account:

https://www.sensitiveresearch.com/Archive/TLG/TLG.html

And it describes how that ISP set a standard for neutrality, boldly declaring that "TLGnet exercises no control whatsoever over the content of the information." They introduced an idea of radical transparency, documenting their router configurations and other technical details and making them available to the public. They hired unskilled punk and queer kids from their communities and trained them to operate the network equipment they'd invented, customized or improvised.

In part two, Jennings talks about the evolution of TLG's radical business-plan: to offer unrestricted service, encouraging their customers to resell that service to people in their communities, having no lock-in, unbundling extra services including installation charges – the whole anti-enshittification enchilada:

https://www.sensitiveresearch.com/Archive/TLG/

I love Jennings and his work. I even gave him a little cameo in Picks and Shovels, the third Martin Hench novel, which will be out next winter. He's as lyrical a writer about technology as you could ask for, and he's also a brilliant engineer and thinker.

The Little Garden's founders and early power-users have all fleshed out Jennings' account of the birth of ISPs. Writing on his blog, David "DSHR" Rosenthal rounds up other histories from the likes of EFF co-founder John Gilmore and Tim Pozar:

https://blog.dshr.org/2024/04/the-little-garden.html

Rosenthal describes some of the more exotic shenanigans TLG got up to in order to do end-runs around the Bell system's onerous policies, hacking in the purest sense of the word, for example, by daisy-chaining together modems in regions with free local calling and then making "permanent local calls," with the modems staying online 24/7.

Enshittification came to the ISP business early and hit it hard. The cartel that controls your access to the internet today is a billion light-years away from the principled technologists who invented the industry with an ethos of care, access and fairness. Today's ISPs are bitterly opposed to Net Neutrality, the straightforward proposition that if you request some data, your ISP should send it to you as quickly and reliably as it can.

Instead, ISPs want to offer "slow-lanes" where they will relegate the whole internet, except for those companies that bribe the ISP to be delivered at normal speed. ISPs have a laughably transparent way of describing this: they say that they're allowing services to pay for "fast lanes" with priority access. This is the same as the giant grocery store that charges you extra unless you surrender your privacy with a "loyalty card" – and then says that they're offering a "discount" for loyal customers, rather than charging a premium to customers who don't want to be spied on.

The American business lobby loves this arrangement, and hates Net Neutrality. Having monopolized every sector of our economy, they are extremely fond of "winner take all" dynamics, and that's what a non-neutral ISP delivers: the biggest services with the deepest pockets get the most reliable delivery, which means that smaller services don't just have to be better than the big guys, they also have to be able to outbid them for "priority carriage."

If everything you get from your ISP is slow and janky, except for the dominant services, then the dominant services can skimp on quality and pocket the difference. That's the goal of every monopolist – not just to be too big to fail, but also too big to care.

Under the Trump administration, FCC chair Ajit Pai dismantled the Net Neutrality rule, colluding with American big business to rig the process. They accepted millions of obviously fake anti-Net Neutrality comments (one million identical comments from @pornhub.com addresses, comments from dead people, comments from sitting US Senators who support Net Neutrality) and declared open season on American internet users:

https://ag.ny.gov/press-release/2021/attorney-general-james-issues-report-detailing-millions-fake-comments-revealing

Now, Biden's FCC is set to reinstate Net Neutrality – but with a "compromise" that will make mobile internet (which nearly all of us use sometimes, and the poorest of us are reliant on) a swamp of anticompetitive practices:

https://cyberlaw.stanford.edu/blog/2024/04/harmful-5g-fast-lanes-are-coming-fcc-needs-stop-them

Under the proposed rule, mobile carriers will be able to put traffic to and from apps in the slow lane, and then extort bribes from preferred apps for normal speed and delivery. They'll rely on parts of the 5G standard to pull off this trick.

The ISP cartel and the FCC insist that this is fine because web traffic won't be degraded, but of course, every service is hellbent on pushing you into using apps instead of the web. That's because the web is an open platform, which means you can install ad- and privacy-blockers. More than half of web users have installed a blocker, making it the largest boycott in human history:

https://doc.searls.com/2023/11/11/how-is-the-worlds-biggest-boycott-doing/

But reverse-engineering and modding an app is a legal minefield. Just removing the encryption from an app can trigger criminal penalties under Section 1201 of the DMCA, carrying a five-year prison sentence and a $500k fine. An app is just a web-page skinned in enough IP that it's a felony to mod it.

Apps are enshittification's vanguard, and the fact that the FCC has found a way to make them even worse is perversely impressive. They're voting on this on April 25, and they have until April 24 to fix this. They should. They really should:

https://docs.fcc.gov/public/attachments/DOC-401676A1.pdf

In a just world, cheating ripoff ISPs would be the top tech policy story. The operational practices of ISPs affect every single one of us. We literally can't talk about tech policy without ISPs in the middle. But Net Neutrality is an also-ran in tech policy discourse, while AI – ugh ugh ugh – is the thing none of us can shut up about.

This, despite the fact that the most consequential AI applications sum up to serving as a kind of moral crumple-zone for shitty business practices. The point of AI isn't to replace customer service and other low-paid workers who have taken to demanding higher wages and better conditions – it's to fire those workers and replace them with chatbots that can't do their jobs. An AI salesdroid can't sell your boss a bot that can replace you, but they don't need to. They only have to convince your boss that the bot can do your job, even if it can't.

SF writer Karl Schroeder is one of the rare sf practitioners who grapples seriously with the future, a "strategic foresight" guy who somehow skirts the bullshit that is the field's hallmark:

https://pluralistic.net/2024/03/07/the-gernsback-continuum/#wheres-my-jetpack

Writing on his blog, Schroeder describes the AI debates roiling the Association of Professional Futurists, and how it's sucking him into being an unwilling participant in the AI hype cycle:

https://kschroeder.substack.com/p/dragged-into-the-ai-hype-cycle

Schroeder's piece is a thoughtful meditation on the relationship of SF's thought-experiments and parables about AI to the promises of AI hucksters, who promise that a) "general artificial intelligence" is just around the corner and that b) it will be worth trillions of dollars.

Schroeder – like other sf writers including Ted Chiang and Charlie Stross (and me) – comes to the conclusion that AI panic isn't about AI, it's about power. The artificial life-form devouring the planet and murdering our species is the limited liability corporation, and its substrate isn't silicon, it's us, human bodies:

What’s lying underneath all our anxieties about AGI is an anxiety that has nothing to do with Artificial Intelligence. Instead, it’s a manifestation of our growing awareness that our world is being stolen from under us. Last year’s estimate put the amount of wealth currently being transferred from the people who made it to an idle billionaire class at $5.2 trillion. Artificial General Intelligence whose environment is the server farms and sweatshops of this class is frightening only because of its capacity to accelerate this greatest of all heists.

After all, the business-case for AI is so very thin that the industry can only survive on a torrent of hype and nonsense – like claims that Amazon's "Grab and Go" stores used "AI" to monitor shoppers and automatically bill them for their purchases. In reality, the stores used thousands of low-paid Indian workers to monitor cameras and manually charge your card. This happens so often that Indian technologists joke that "AI" stands for "absent Indians":

https://pluralistic.net/2024/01/29/pay-no-attention/#to-the-little-man-behind-the-curtain

Isn't it funny how all the really promising AI applications are in domains that most of us aren't qualified to assess? Like the claim that Google's AI was producing millions of novel materials that will shortly revolutionize all forms of production, from construction to electronics to medical implants:

https://deepmind.google/discover/blog/millions-of-new-materials-discovered-with-deep-learning/

That's what Google's press-release claimed, anyway. But when two groups of experts actually pulled a representative sample of these "new materials" from the DeepMind database, they found that none of these materials qualified as "credible, useful and novel":

https://pubs.acs.org/doi/10.1021/acs.chemmater.4c00643

Writing about the researchers' findings for 404 Media, Jason Koebler cites Berkeley researchers who concluded that "no new materials have been discovered":

https://www.404media.co/google-says-it-discovered-millions-of-new-materials-with-ai-human-researchers/

The researchers say that AI data-mining for new materials is promising, but falls well short of Google's claim to be so transformative that it constitutes the "equivalent to nearly 800 years’ worth of knowledge" and "an order-of-magnitude expansion in stable materials known to humanity."

AI hype keeps the bubble inflating, and for so long as it keeps blowing up, all those investors who've sunk their money into AI can tell themselves that they're rich. This is the essence of "a bezzle": "The magic interval when a confidence trickster knows he has the money he has appropriated but the victim does not yet understand that he has lost it":

https://pluralistic.net/2023/03/09/autocomplete-worshippers/#the-real-ai-was-the-corporations-that-we-fought-along-the-way

Among the best debezzlers of AI are the Princeton Center for Information Technology Policy's Arvind Narayanan and Sayash Kapoor, who edit the "AI Snake Oil" blog. Now, they've sold a book with the same title:

https://www.aisnakeoil.com/p/ai-snake-oil-is-now-available-to

Obviously, books move a lot more slowly than blogs, and so Narayanan and Kapoor say their book will focus on the timeless elements of identifying and understanding AI snake oil:

In the book, we explain the crucial differences between types of AI, why people, companies, and governments are falling for AI snake oil, why AI can’t fix social media, and why we should be far more worried about what people will do with AI than about anything AI will do on its own. While generative AI is what drives press, predictive AI used in criminal justice, finance, healthcare, and other domains remains far more consequential in people’s lives. We discuss in depth how predictive AI can go wrong. We also warn of the dangers of a world where AI continues to be controlled by largely unaccountable big tech companies.

The book's out in September and it's up for pre-order now:

https://bookshop.org/p/books/ai-snake-oil-what-artificial-intelligence-can-do-what-it-can-t-and-how-to-tell-the-difference-arvind-narayanan/21324674

One of the weirder and worst side-effects of the AI hype bubble is that it has revived the belief that it's somehow possible for giant platforms to monitor all their users' speech and remove "harmful" speech. We've tried this for years, and when humans do it, it always ends with disfavored groups being censored, while dedicated trolls, harassers and monsters evade punishment:

https://pluralistic.net/2022/08/07/como-is-infosec/

AI hype has led policy-makers to believe that we can deputize online services to spy on all their customers and block the bad ones without falling into this trap. Canada is on the verge of adopting Bill C-63, a "harmful content" regulation modeled on examples from the UK and Australia.

Writing on his blog, Canadian lawyer/activist/journalist Dimitri Lascaris describes the dire speech implications for C-63:

https://dimitrilascaris.org/2024/04/08/trudeaus-online-harms-bill-threatens-free-speech/

It's an excellent legal breakdown of the bill's provisions, but also an excellent analysis of how those provisions are likely to play out in the lives of Canadians, especially those advocating against genocide and taking other positions that oppose the agenda of the government of the day.

Even if you like the Trudeau government and its policies, these powers will accrue to every Canadian government, including the presumptive (and inevitably, totally unhinged) near-future Conservative majority government of Pierre Poilievre.

It's been ten years since Martin Gilens and Benjamin I Page published their paper that concluded that governments make policies that are popular among elites, no matter how unpopular they are among the public:

https://www.cambridge.org/core/journals/perspectives-on-politics/article/testing-theories-of-american-politics-elites-interest-groups-and-average-citizens/62327F513959D0A304D4893B382B992B

Now, this is obviously depressing, but when you see it in action, it's kind of wild. The Biden administration has declared war on junk fees, from "resort fees" charged by hotels to the dozens of line-items added to your plane ticket, rental car, or even your rent check. In response, Republican politicians are climbing to their rear haunches and, using their actual human mouths, defending junk fees:

https://prospect.org/politics/2024-04-12-republicans-objectively-pro-junk-fee/

Congressional Republicans are hell-bent on destroying the Consumer Finance Protection Bureau's $8 cap on credit-card late-fees. Trump's presumptive running-mate Tim Scott is making this a campaign plank: "Vote for me and I will protect your credit-card company's right to screw you on fees!" He boasts about the lobbyists who asked him to take this position: champions of the public interest from the Consumer Bankers Association to the US Chamber of Commerce.

Banks stand to lose $10b/year from this rule (which means Americans stand to gain $10b/year from this rule). What's more, Scott's attempt to kill the rule is doomed to fail – there's just no procedural way it will fly. As David Dayen writes, "Not only does this vote put Republicans on the spot over junk fees, it’s a doomed vote, completely initiated by their own possible VP nominee."

This is a hilarious own-goal, one that only brings attention to a largely ignored – but extremely good – aspect of the Biden administration. As Adam Green of Bold Progressives told Dayen, "What’s been missing is opponents smoking themselves out and raising the volume of this fight so the public knows who is on their side."

The CFPB is a major bright spot in the Biden administration's record. They're doing all kinds of innovative things, like making it easy for you to figure out which bank will give you the best deal and then letting you transfer your account and all its associated data, records and payments with a single click:

https://pluralistic.net/2023/10/21/let-my-dollars-go/#personal-financial-data-rights

And now, CFPB chair Rohit Chopra has given a speech laying out the agency's plan to outlaw data-brokers:

https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/

Yes, this is some good news! There is, in fact, good news in the world, bright spots amidst all the misery and terror. One of those bright spots? Labor.

Unions are back, baby. Not only do the vast majority of Americans favor unions, not only are new shops being unionized at rates not seen in generations, but also the largest unions are undergoing revolutions, with control being wrestled away from corrupt union bosses and given to the rank-and-file.

Many of us have heard about the high-profile victories to take back the UAW and Teamsters, but I hadn't heard about the internal struggles at the United Food and Commercial Workers, not until I read Hamilton Nolan's gripping account for In These Times:

https://inthesetimes.com/article/revolt-aisle-5-ufcw-grocery-workers-union

Nolan profiles Faye Guenther, president of UFCW Local 3000 and her successful and effective fight to bring a militant spirit back to the union, which represents a million grocery workers. Nolan describes the fight as "every bit as dramatic as any episode of Game of Thrones," and he's not wrong. This is an inspiring tale of working people taking power away from scumbag monopoly bosses and sellout fatcat leaders – and, in so doing, creating an institution that gets better wages, better working conditions, and a better economy, by helping to block giant grocery mergers like Kroger/Albertsons.

I like to end these linkdumps on an up note, so it feels weird to be closing out with an obituary, but I'd argue that any celebration of the long life and many accomplishments of my friend and mentor Anne Innis Dagg is an "up note."

I last wrote about Anne in 2020, on the release of a documentary about her work, "The Woman Who Loved Giraffes":

https://pluralistic.net/2020/02/19/pluralist-19-feb-2020/#annedagg

As you might have guessed from the title of that doc, Anne was a biologist. She was the first woman scientist to do field-work on giraffes, and that work was so brilliant and fascinating that it kicked off the modern field of giraffology, which remains a woman-dominated specialty thanks to her tireless mentoring and support for the scientists that followed her.

Anne was also the world's most fearsome slayer of junk-science "evolutionary psychology," in which "scientists" invent unfalsifiable just-so stories that prove that some odious human characteristic is actually "natural" because it can be found somewhere in the animal kingdom (i.e., "Darling, please, it's not my fault that I'm fucking my grad students, it's the bonobos!").

Anne wrote a classic – and sadly out of print – book about this that I absolutely adore, not least for having one of the best titles I've ever encountered: "Love of Shopping" Is Not a Gene:

https://memex.craphound.com/2009/11/04/love-of-shopping-is-not-a-gene-exposing-junk-science-and-ideology-in-darwinian-psychology/

Anne was my advisor at the University of Waterloo, an institution that denied her tenure for fifty years, despite a brilliant academic career that rivaled that of her storied father, Harold Innis ("the thinking person's Marshall McLuhan"). The fact that Waterloo never recognized Anne is doubly shameful when you consider that she was awarded the Order of Canada:

https://nationalpost.com/news/canada/queen-of-giraffes-among-new-order-of-canada-recipients-with-global-influence

Anne lived a brilliant life, struggling through adversity, never compromising on her principles, inspiring a vast number of students and colleagues. She lived to ninety-one, and died earlier this month. Her ashes will be spread "on the breeding grounds of her beloved giraffes" in South Africa this summer:

https://obituaries.therecord.com/obituary/anne-innis-dagg-1089534658

(Image: Valeva1010, CC BY-SA 4.0)



A Wayback Machine banner.

This day in history (permalink)

#5yrsago The Pinkertons’ plan for climate change: a mercenary army that guards one-percenters as the seas rise https://www.nytimes.com/interactive/2019/04/10/magazine/climate-change-pinkertons.html

#5yrsago Ford CEO: we “overestimated” self-driving cars https://www.engadget.com/2019-04-10-ford-ceo-says-the-company-overestimated-self-driving-cars.html

#5yrsago Talking Radicalized with John Scalzi in the LA Times https://www.latimes.com/books/la-ca-jc-fob-cory-doctorow-interview-radicalized-20190411-story.html

#5yrsago Illinois almost passed a bill that banned devices that record you without your consent — and then Big Tech stepped in https://www.vice.com/en/article/ywyzm5/big-tech-lobbying-gutted-a-bill-that-would-ban-recording-you-without-consent

#1yrago Gig apps trap reverse centaurs in wage-stealing Skinner boxes https://pluralistic.net/2023/04/12/algorithmic-wage-discrimination/#fishers-of-men


Upcoming appearances (permalink)

A photo of me onstage, giving a speech, holding a mic.



A screenshot of me at my desk, doing a livecast.

Recent appearances (permalink)



A grid of my books with Will Stahle covers.

Latest books (permalink)



A cardboard book box with the Macmillan logo.

Upcoming books (permalink)

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025
  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon (permalink)

Today's top sources: Bill Budington, Gord Doctorow, Ryan Singel.

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING
  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Subprime gadgets https://craphound.com/news/2024/03/31/subprime-gadgets/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

15:07

Paul Tagliamonte: Domo Arigato, Mr. debugfs [Planet Debian]

Years ago, at what I think I remember was DebConf 15, I hacked for a while on debhelper to write build-ids to Debian binary control files, so that the build-id (more specifically, the ELF note .note.gnu.build-id) wound up in the Debian apt archive metadata. I’ve always thought this was super cool, and seeing as how Michael Stapelberg blogged some great pointers around the ecosystem, including the fancy new debuginfod service, and the find-dbgsym-packages helper, which uses these same headers, I don’t think I’m the only one.

At work I’ve been using a lot of Rust, specifically async Rust using tokio. To work on my style, and to dig deeper into the how and why of the decisions made in these frameworks, I’ve decided to hack up a project that I’ve wanted to do ever since 2015 – write a debug filesystem. Let’s get to it.

Back to the Future

It shouldn't shock anyone to learn I'm a huge fan of Go, right?

Time to admit something. I really love Plan 9. It’s just so good. So many ideas from Plan 9 are just so prescient, and everything just feels right. Not just right like, feels good – like, correct. The bit that I’ve always liked the most is 9p, the network protocol for serving a filesystem over a network. This leads to all sorts of fun programs, like the Plan 9 ftp client being a 9p server – you mount the ftp server and access files like any other files. It’s kinda like if fuse were more fully a part of how the operating system worked, but fuse is all running client-side. With 9p there’s a single client, and different servers that you can connect to, which may be backed by a hard drive, remote resources over something like SFTP, FTP, HTTP or even purely synthetic.

I even triggered a weird bug in vim when writing a 9p filesystem that wound up impacting WSL -- although it seems like maybe not due to 9p (rather, SMB)

The interesting (maybe sad?) part here is that 9p wound up outliving Plan 9 in terms of adoption – 9p is in all sorts of places folks don’t usually expect. For instance, the Windows Subsystem for Linux uses the 9p protocol to share files between Windows and Linux. ChromeOS uses it to share files with Crostini, and qemu uses 9p (virtio-9p) to share files between guest and host. If you’re noticing a pattern here, you’d be right; for some reason 9p is the go-to protocol for exchanging files between hypervisor and guest. Why? I have no idea, except maybe that it is well designed, simple to implement, and makes it a lot easier to validate the data being shared and the security boundaries around it. Simplicity has its value.

As a result, there’s a lot of lingering 9p support kicking around. Turns out Linux can even handle mounting 9p filesystems out of the box. This means that I can deploy a filesystem to my LAN or my localhost by running a process on a computer that needs nothing special, and mount it over the network on an unmodified machine – unlike fuse, where you’d need client-specific software to run in order to mount the directory. For instance, let’s mount a 9p filesystem running on my localhost machine, serving requests on 127.0.0.1:564 (tcp) under the name “mountpointname”, at /mnt.

Unfortunately, this requires root to mount and feels very un-plan9, but it does work and the protocol is good.
$ mount -t 9p \
-o trans=tcp,port=564,version=9p2000.u,aname=mountpointname \
127.0.0.1 \
/mnt

Linux will mount away, and attach to the filesystem as the root user, and by default, attach to that mountpoint again for each local user that attempts to use it. Nifty, right? I think so. The server is able to keep track of per-user access and authorization along with the host OS.

WHEREIN I STYX WITH IT

"Simple" here is intended as my highest form of praise. Writing complex things is easy. Taking your work, and simplifying it down the core is the most difficult part of our work.

Since I wanted to push myself a bit more with rust and tokio specifically, I opted to implement the whole stack myself, without third party libraries on the critical path where I could avoid it. The 9p protocol (sometimes called Styx, the original name for it) is incredibly simple. It’s a series of client to server requests, each of which receives a server to client response. These are, respectively, “T” messages, which transmit a request to the server, and the “R” message (reply) each one triggers in response. These messages are TLV payloads with a very straightforward structure – so straightforward, in fact, that I was able to implement a working server off nothing more than a handful of man pages.

There's also a 9P2000.L 9p variant which has more Linux specific extensions. There's a good chance I port this forward when I get the chance.

Later on after the basics worked, I found a more complete spec page that contains more information about the unix specific variant that I opted to use (9P2000.u rather than 9P2000) due to the level of Linux specific support for the 9P2000.u variant over the 9P2000 protocol.
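As an added example, not code from this post or from arigato, here is the framing described above in plain Rust (std only): every message is size[4] type[1] tag[2] body, all little-endian, and every session opens with the Tversion/Rversion exchange. The message type numbers and the NOTAG value are the ones the 9P2000 man pages define; the msize ceiling passed to decode is the check a server wants before it allocates anything on the strength of a client-supplied length field.

```rust
// Added example of 9P wire framing and the version handshake (std only).

pub const TVERSION: u8 = 100;
pub const RVERSION: u8 = 101;
/// Tag that Tversion/Rversion must carry (0xFFFF).
pub const NOTAG: u16 = u16::MAX;
/// size[4] + type[1] + tag[2]
const HEADER: usize = 7;

#[derive(Debug, PartialEq)]
pub struct Message {
    pub mtype: u8,
    pub tag: u16,
    pub body: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum FrameError { Truncated, SizeTooSmall, SizeTooLarge, BadString, WrongType }

/// Serialize a message; the size field counts itself.
pub fn encode(msg: &Message) -> Vec<u8> {
    let size = HEADER + msg.body.len();
    let mut out = Vec::with_capacity(size);
    out.extend_from_slice(&(size as u32).to_le_bytes());
    out.push(msg.mtype);
    out.extend_from_slice(&msg.tag.to_le_bytes());
    out.extend_from_slice(&msg.body);
    out
}

/// Pull one frame off the front of `buf`, returning it and the bytes consumed.
/// The peer-supplied size is bounded by the negotiated `msize` before any
/// allocation, so four hostile bytes cannot make the server reserve gigabytes.
pub fn decode(buf: &[u8], msize: usize) -> Result<(Message, usize), FrameError> {
    if buf.len() < HEADER { return Err(FrameError::Truncated); }
    let size = u32::from_le_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    if size < HEADER { return Err(FrameError::SizeTooSmall); }
    if size > msize { return Err(FrameError::SizeTooLarge); }
    if buf.len() < size { return Err(FrameError::Truncated); }
    let msg = Message {
        mtype: buf[4],
        tag: u16::from_le_bytes([buf[5], buf[6]]),
        body: buf[HEADER..size].to_vec(),
    };
    Ok((msg, size))
}

/// 9p string: len[2] followed by UTF-8 bytes, no terminator.
pub fn put_str(out: &mut Vec<u8>, s: &str) {
    out.extend_from_slice(&(s.len() as u16).to_le_bytes());
    out.extend_from_slice(s.as_bytes());
}

/// Read a 9p string at `off`; returns it with the offset just past it.
pub fn get_str(body: &[u8], off: usize) -> Result<(String, usize), FrameError> {
    let len_end = off.checked_add(2).ok_or(FrameError::BadString)?;
    if body.len() < len_end { return Err(FrameError::BadString); }
    let len = u16::from_le_bytes([body[off], body[off + 1]]) as usize;
    let end = len_end + len;
    if body.len() < end { return Err(FrameError::BadString); }
    let s = std::str::from_utf8(&body[len_end..end]).map_err(|_| FrameError::BadString)?;
    Ok((s.to_string(), end))
}

/// Body shared by Tversion and Rversion: msize[4] version[s].
pub fn parse_version_body(body: &[u8]) -> Result<(u32, String), FrameError> {
    if body.len() < 4 { return Err(FrameError::Truncated); }
    let msize = u32::from_le_bytes([body[0], body[1], body[2], body[3]]);
    let (version, _) = get_str(body, 4)?;
    Ok((msize, version))
}

/// Client side: propose a maximum message size and a protocol version.
pub fn tversion(msize: u32, version: &str) -> Message {
    let mut body = msize.to_le_bytes().to_vec();
    put_str(&mut body, version);
    Message { mtype: TVERSION, tag: NOTAG, body }
}

/// Server side: agree on the smaller msize and echo the version if we speak
/// it, otherwise answer "unknown" as the protocol requires.
pub fn handle_tversion(req: &Message, server_msize: u32) -> Result<Message, FrameError> {
    if req.mtype != TVERSION { return Err(FrameError::WrongType); }
    let (client_msize, version) = parse_version_body(&req.body)?;
    let agreed = client_msize.min(server_msize);
    let reply_version = match version.as_str() {
        "9P2000.u" | "9P2000" => version.as_str(),
        _ => "unknown",
    };
    let mut body = agreed.to_le_bytes().to_vec();
    put_str(&mut body, reply_version);
    Ok(Message { mtype: RVERSION, tag: req.tag, body })
}

fn main() {
    let wire = encode(&tversion(8192, "9P2000.u"));
    let (req, used) = decode(&wire, 8192).expect("well-formed frame");
    let reply = handle_tversion(&req, 4096).expect("Tversion");
    let (msize, version) = parse_version_body(&reply.body).expect("Rversion body");
    println!("{} bytes on the wire; agreed msize={} version={}", used, msize, version);
}
```

The `used` count returned by decode is what a real server loops on when several frames arrive in one TCP read; everything after the negotiated msize check is plain slicing, which is most of why a server can be built from the man pages alone.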

MR ROBOTO

It really bothers me that Rust libraries that deal with I/O need to support std::io, but to add support for async runtimes, you need to implement support for tokio::io and every other runtime; but them's the breaks I guess. I really miss Go's built-in async support and io module.

The backend stack over at zoo is rust and tokio running i/o for an HTTP and WebRTC server. I figured I’d pick something fairly similar to write my filesystem with, since 9P can be implemented on basically anything with I/O. That means tokio tcp server bits, which construct and use a 9p server, which has an idiomatic Rusty API that partially abstracts the raw R and T messages, but not so much as to cause issues with hiding implementation possibilities. At each abstraction level, there’s an escape hatch – allowing someone to implement any of the layers if required. I called this framework arigato which can be found over on docs.rs and crates.io.

/// Simplified version of the arigato File trait; this isn't actually
/// the same trait; there's some small cosmetic differences. The
/// actual trait can be found at:
///
/// https://docs.rs/arigato/latest/arigato/server/trait.File.html
trait File {
    /// OpenFile is the type returned by this File via an Open call.
    type OpenFile: OpenFile;

    /// Return the 9p Qid for this file. A file is the same if the Qid is
    /// the same. A Qid contains information about the mode of the file,
    /// version of the file, and a unique 64 bit identifier.
    fn qid(&self) -> Qid;

    /// Construct the 9p Stat struct with metadata about a file.
    async fn stat(&self) -> FileResult<Stat>;

    /// Attempt to update the file metadata.
    async fn wstat(&mut self, s: &Stat) -> FileResult<()>;

    /// Traverse the filesystem tree.
    async fn walk(&self, path: &[&str]) -> FileResult<(Option<Self>, Vec<Self>)>;

    /// Request that a file's reference be removed from the file tree.
    async fn unlink(&mut self) -> FileResult<()>;

    /// Create a file at a specific location in the file tree.
    async fn create(
        &mut self,
        name: &str,
        perm: u16,
        ty: FileType,
        mode: OpenMode,
        extension: &str,
    ) -> FileResult<Self>;

    /// Open the File, returning a handle to the open file, which handles
    /// file i/o. This is split into a second type since it is genuinely
    /// unrelated -- and the fact that a file is Open or Closed can be
    /// handled by the `arigato` server for us.
    async fn open(&mut self, mode: OpenMode) -> FileResult<Self::OpenFile>;
}

/// Simplified version of the arigato OpenFile trait; this isn't actually
/// the same trait; there's some small cosmetic differences. The
/// actual trait can be found at:
///
/// https://docs.rs/arigato/latest/arigato/server/trait.OpenFile.html
trait OpenFile {
    /// iounit to report for this file. The iounit reported is used for Read
    /// or Write operations to signal, if non-zero, the maximum size that is
    /// guaranteed to be transferred atomically.
    fn iounit(&self) -> u32;

    /// Read some number of bytes up to `buf.len()` from the provided
    /// `offset` of the underlying file. The number of bytes read is
    /// returned.
    async fn read_at(
        &mut self,
        buf: &mut [u8],
        offset: u64,
    ) -> FileResult<u32>;

    /// Write some number of bytes up to `buf.len()` from the provided
    /// `offset` of the underlying file. The number of bytes written
    /// is returned.
    fn write_at(
        &mut self,
        buf: &mut [u8],
        offset: u64,
    ) -> FileResult<u32>;
}

Thanks, decade ago paultag!

If this isn't my record for longest idea-to-wip-project time, it's close.

Let’s do it! Let’s use arigato to implement a 9p filesystem we’ll call debugfs that will serve all the debug files shipped according to the Packages metadata from the apt archive. We’ll fetch the Packages file and construct a filesystem based on the reported Build-Id entries. For those who don’t know much about how an apt repo works, here’s the 2-second crash course on what we’re doing. The first step is to fetch the Packages file, which is specific to a binary architecture (such as amd64, arm64 or riscv64). That architecture is specific to a component (such as main, contrib or non-free). That component is specific to a suite, such as stable, unstable or any of its aliases (bullseye, bookworm, etc). Let’s take a look at the Packages.xz file for the unstable-debug suite, main component, for all amd64 binaries.

$ curl \
https://deb.debian.org/debian-debug/dists/unstable-debug/main/binary-amd64/Packages.xz \
| unxz

This will return the Debian-style rfc2822-like headers, which is an export of the metadata contained inside each .deb file which apt (or other tools that can use the apt repo format) use to fetch information about debs. Let’s take a look at the debug headers for the netlabel-tools package in unstable – which is a package named netlabel-tools-dbgsym in unstable-debug.

Package: netlabel-tools-dbgsym
Source: netlabel-tools (0.30.0-1)
Version: 0.30.0-1+b1
Installed-Size: 79
Maintainer: Paul Tagliamonte <paultag@debian.org>
Architecture: amd64
Depends: netlabel-tools (= 0.30.0-1+b1)
Description: debug symbols for netlabel-tools
Auto-Built-Package: debug-symbols
Build-Ids: e59f81f6573dadd5d95a6e4474d9388ab2777e2a
Description-md5: a0e587a0cf730c88a4010f78562e6db7
Section: debug
Priority: optional
Filename: pool/main/n/netlabel-tools/netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
Size: 62776
SHA256: 0e9bdb087617f0350995a84fb9aa84541bc4df45c6cd717f2157aa83711d0c60

So here, we can parse the package headers in the Packages.xz file, and store, for each Build-Id, the Filename where we can fetch the .deb at. Each .deb contains a number of files – but we’re only really interested in the files inside the .deb located at or under /usr/lib/debug/.build-id/, which you can find in debugfs under rfc822.rs. It’s crude, and very single-purpose, but I’m feeling a bit lazy.
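As an added example (not debugfs’ rfc822.rs), here is a std-only Rust parser for that Packages stanza format that builds the Build-Id to Filename map, plus the path mapping in both directions: from an id to the /usr/lib/debug/.build-id/xx/rest.debug path gdb looks up, and from a 9p walk of ["xx", "rest.debug"] back to the .deb to fetch. The first stanza in the embedded sample is the netlabel-tools one shown above; the second is constructed. Build-Ids are validated as 40 lowercase hex characters before they are ever used as path components, so a malformed value in the index can never resolve to anything outside the synthesized tree.

```rust
// Added example: index a Debian Packages file by Build-Id (std only).
use std::collections::HashMap;

/// Constructed sample: the netlabel-tools-dbgsym stanza from the archive
/// plus one made-up stanza with two ids, one of them malformed.
pub const SAMPLE_PACKAGES: &str = "\
Package: netlabel-tools-dbgsym
Source: netlabel-tools (0.30.0-1)
Version: 0.30.0-1+b1
Installed-Size: 79
Maintainer: Paul Tagliamonte <paultag@debian.org>
Architecture: amd64
Depends: netlabel-tools (= 0.30.0-1+b1)
Description: debug symbols for netlabel-tools
Auto-Built-Package: debug-symbols
Build-Ids: e59f81f6573dadd5d95a6e4474d9388ab2777e2a
Description-md5: a0e587a0cf730c88a4010f78562e6db7
Section: debug
Priority: optional
Filename: pool/main/n/netlabel-tools/netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
Size: 62776
SHA256: 0e9bdb087617f0350995a84fb9aa84541bc4df45c6cd717f2157aa83711d0c60

Package: example-dbgsym
Source: example (1.0-1)
Version: 1.0-1
Architecture: amd64
Auto-Built-Package: debug-symbols
Build-Ids: 0123456789abcdef0123456789abcdef01234567 not-a-build-id
Filename: pool/main/e/example/example-dbgsym_1.0-1_amd64.deb
Description: constructed sample stanza
 with a continuation line
";

/// Split a Packages file into stanzas of (field, value) pairs. Continuation
/// lines (leading space or tab) are folded onto the previous field.
pub fn parse_stanzas(text: &str) -> Vec<Vec<(String, String)>> {
    let mut stanzas = Vec::new();
    let mut cur: Vec<(String, String)> = Vec::new();
    for line in text.lines() {
        if line.trim().is_empty() {
            if !cur.is_empty() { stanzas.push(std::mem::take(&mut cur)); }
        } else if line.starts_with(' ') || line.starts_with('\t') {
            if let Some(last) = cur.last_mut() {
                last.1.push('\n');
                last.1.push_str(line.trim());
            }
        } else if let Some((k, v)) = line.split_once(':') {
            cur.push((k.trim().to_string(), v.trim().to_string()));
        }
        // a line with neither ':' nor leading whitespace is malformed; skipped
    }
    if !cur.is_empty() { stanzas.push(cur); }
    stanzas
}

/// A Build-Id is exactly 40 lowercase hex characters; anything else is
/// rejected so it can never become a path component.
pub fn is_build_id(id: &str) -> bool {
    id.len() == 40 && id.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

/// Map every valid Build-Id to the pool Filename of the .deb that ships it.
/// Returns the index and the values that failed validation.
pub fn index_build_ids(text: &str) -> (HashMap<String, String>, Vec<String>) {
    let mut index = HashMap::new();
    let mut rejected = Vec::new();
    for stanza in parse_stanzas(text) {
        let get = |key: &str| stanza.iter().find(|(k, _)| k == key).map(|(_, v)| v.as_str());
        let (ids, filename) = match (get("Build-Ids"), get("Filename")) {
            (Some(i), Some(f)) => (i, f),
            _ => continue,
        };
        for id in ids.split_whitespace() {
            if is_build_id(id) {
                index.insert(id.to_string(), filename.to_string());
            } else {
                rejected.push(id.to_string());
            }
        }
    }
    (index, rejected)
}

/// Where gdb looks for the file: /usr/lib/debug/.build-id/xx/rest.debug
pub fn build_id_path(id: &str) -> Option<String> {
    if !is_build_id(id) { return None; }
    Some(format!("/usr/lib/debug/.build-id/{}/{}.debug", &id[..2], &id[2..]))
}

/// Reverse direction, for a 9p walk of ["xx", "rest.debug"] under the mount:
/// rebuild the id and look up the .deb to fetch. None for anything unknown.
pub fn resolve_walk<'a>(index: &'a HashMap<String, String>, dir: &str, file: &str) -> Option<&'a str> {
    let stem = file.strip_suffix(".debug")?;
    let id = format!("{}{}", dir, stem);
    if dir.len() != 2 || !is_build_id(&id) { return None; }
    index.get(&id).map(|s| s.as_str())
}

fn main() {
    let (index, rejected) = index_build_ids(SAMPLE_PACKAGES);
    for (id, deb) in &index {
        println!("{} -> {}", build_id_path(id).unwrap(), deb);
    }
    println!("rejected: {:?}", rejected);
}
```

A real index built from the unstable-debug Packages.xz will hold hundreds of thousands of entries, which is exactly why the post caches the header by Build-Id rather than re-parsing on each stat.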

Who needs dpkg?!

Hilariously, the fourth? fifth? non-serious time (second serious time) I've had to do this for a new language.

For folks who haven’t seen it yet, a .deb file is a special type of .ar file, that contains (usually) three files inside – debian-binary, control.tar.xz and data.tar.xz. The core of an .ar file is a fixed size (60 byte) entry header, followed by the specified size number of bytes.

[8 byte .ar file magic]
[60 byte entry header]
[N bytes of data]
[60 byte entry header]
[N bytes of data]
[60 byte entry header]
[N bytes of data]
...

I can't believe it's already been over a decade since my NM process, and nearly 16 years since I became an Ubuntu member.

First up was to implement a basic ar parser in ar.rs. Before we get into using it to parse a deb, as a quick diversion, let’s break apart a .deb file by hand – something that is a bit of a rite of passage (or at least it used to be? I’m getting old) during the Debian nm (new member) process, to take a look at where exactly the .debug file lives inside the .deb file.

$ ar x netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
$ ls
control.tar.xz debian-binary
data.tar.xz netlabel-tools-dbgsym_0.30.0-1+b1_amd64.deb
$ tar --list -f data.tar.xz | grep '.debug$'
./usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug

Since we know quite a bit about the structure of a .deb file, and I had to implement support from scratch anyway, I opted to implement a (very!) basic debfile parser using HTTP Range requests. HTTP Range requests, if supported by the server (denoted by an accept-ranges: bytes HTTP header in response to an HTTP HEAD request to that file), mean that we can add a header such as range: bytes=8-68 to specifically request that the returned GET body be the byte range provided (in the above case, the bytes starting from byte offset 8 up to and including byte offset 68). This means we can fetch just the ar file entry headers from the .deb file until we get to the file inside the .deb we are interested in (in our case, the data.tar.xz file) – at which point we can request the body of that file with a final range request. I wound up writing a struct to handle a read_at-style API surface in hrange.rs, which we can pair with ar.rs above and start to find our data in the .deb remotely without downloading and unpacking the .deb at all.
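An added example (not the post’s ar.rs or hrange.rs): a minimal ar member reader in std-only Rust, driven entirely through a read_at-style trait, so the same walk works over an in-memory buffer here and over HTTP Range requests in a real client. The MemSource type and its byte counter are constructed for the example; the archive it parses is built inline in the dpkg-deb layout (debian-binary, control.tar.xz, data.tar.xz). Each header’s size field comes from the archive itself, so the offset arithmetic is overflow-checked and a member larger than MAX_MEMBER is refused before anything is buffered.

```rust
// Added example: ar member reader over a positional-read source (std only).
use std::cell::Cell;

#[derive(Debug, PartialEq)]
pub enum ArError { BadMagic, BadHeader(u64), Truncated, TooLarge, NotFound }

/// Positional reads. An HTTP-backed implementation would send
/// `Range: bytes=offset-(offset+buf.len()-1)` for each call.
pub trait ReadAt {
    fn read_at(&self, buf: &mut [u8], offset: u64) -> Result<usize, ArError>;
}

/// Constructed in-memory source that counts bytes handed out, standing in
/// for the bytes an HTTP Range client would actually transfer.
pub struct MemSource { data: Vec<u8>, fetched: Cell<u64> }

impl MemSource {
    pub fn new(data: Vec<u8>) -> Self { MemSource { data, fetched: Cell::new(0) } }
    pub fn fetched(&self) -> u64 { self.fetched.get() }
}

impl ReadAt for MemSource {
    fn read_at(&self, buf: &mut [u8], offset: u64) -> Result<usize, ArError> {
        let start = offset as usize;
        if start >= self.data.len() { return Ok(0); }
        let n = buf.len().min(self.data.len() - start);
        buf[..n].copy_from_slice(&self.data[start..start + n]);
        self.fetched.set(self.fetched.get() + n as u64);
        Ok(n)
    }
}

fn read_exact_at<R: ReadAt>(src: &R, buf: &mut [u8], mut off: u64) -> Result<(), ArError> {
    let mut done = 0;
    while done < buf.len() {
        let n = src.read_at(&mut buf[done..], off)?;
        if n == 0 { return Err(ArError::Truncated); }
        done += n;
        off += n as u64;
    }
    Ok(())
}

const MAGIC: &[u8; 8] = b"!<arch>\n";
const HEADER_LEN: u64 = 60;
/// Refuse to buffer members larger than this; the size field is untrusted.
const MAX_MEMBER: u64 = 64 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub struct Entry { pub name: String, pub size: u64, pub data_offset: u64 }

fn check_magic<R: ReadAt>(src: &R) -> Result<(), ArError> {
    let mut magic = [0u8; 8];
    read_exact_at(src, &mut magic, 0)?;
    if &magic != MAGIC { Err(ArError::BadMagic) } else { Ok(()) }
}

/// Parse the 60-byte header at `off`; Ok(None) at a clean end of archive.
/// Layout: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\n".
fn header_at<R: ReadAt>(src: &R, off: u64) -> Result<Option<Entry>, ArError> {
    let mut hdr = [0u8; 60];
    match src.read_at(&mut hdr, off)? {
        0 => return Ok(None),
        n if n < 60 => read_exact_at(src, &mut hdr[n..], off + n as u64)?,
        _ => {}
    }
    if &hdr[58..60] != b"`\n" { return Err(ArError::BadHeader(off)); }
    let field = |r: std::ops::Range<usize>| String::from_utf8_lossy(&hdr[r]).trim_end().to_string();
    // GNU ar may terminate names with '/'; dpkg-deb writes them bare.
    let name = field(0..16).trim_end_matches('/').to_string();
    let size: u64 = field(48..58).parse().map_err(|_| ArError::BadHeader(off))?;
    Ok(Some(Entry { name, size, data_offset: off + HEADER_LEN }))
}

/// Members are padded to an even length with a "\n" byte.
fn next_offset(e: &Entry) -> Result<u64, ArError> {
    e.data_offset.checked_add(e.size).and_then(|o| o.checked_add(e.size & 1)).ok_or(ArError::TooLarge)
}

/// Every member's header, without fetching any member body.
pub fn read_entries<R: ReadAt>(src: &R) -> Result<Vec<Entry>, ArError> {
    check_magic(src)?;
    let (mut entries, mut off) = (Vec::new(), 8u64);
    while let Some(e) = header_at(src, off)? {
        off = next_offset(&e)?;
        entries.push(e);
    }
    Ok(entries)
}

/// Walk headers until `name` matches, then fetch only that member's body.
pub fn find_member<R: ReadAt>(src: &R, name: &str) -> Result<Vec<u8>, ArError> {
    check_magic(src)?;
    let mut off = 8u64;
    while let Some(e) = header_at(src, off)? {
        if e.name == name {
            if e.size > MAX_MEMBER { return Err(ArError::TooLarge); }
            let mut body = vec![0u8; e.size as usize];
            read_exact_at(src, &mut body, e.data_offset)?;
            return Ok(body);
        }
        off = next_offset(&e)?;
    }
    Err(ArError::NotFound)
}

/// Build a tiny archive in the dpkg-deb layout (constructed test data, not a real .deb).
pub fn build_archive(members: &[(&str, &[u8])]) -> Vec<u8> {
    let mut out = MAGIC.to_vec();
    for (name, data) in members {
        let hdr = format!("{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n", name, 0, 0, 0, 100644, data.len());
        out.extend_from_slice(hdr.as_bytes());
        out.extend_from_slice(data);
        if data.len() % 2 == 1 { out.push(b'\n'); }
    }
    out
}

fn main() {
    let deb = build_archive(&[("debian-binary", &b"2.0\n"[..]), ("control.tar.xz", &b"ctl"[..]), ("data.tar.xz", &b"DATA-TARBALL"[..])]);
    let src = MemSource::new(deb);
    let body = find_member(&src, "data.tar.xz").expect("member");
    println!("got {} bytes of data.tar.xz after fetching {} bytes in total", body.len(), src.fetched());
}
```

Against a real .deb the saving is in the members skipped: locating debian-binary costs three reads totalling 72 bytes here regardless of how large the tarballs behind it are, which is the whole point of pairing the ar walk with range requests.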

I really like HTTP Range requests a lot. I did some stats to figure out what compression dbgsym packages use these days; my LAN debug mirror contains 113459 xz compressed tarfiles, and 9 gzip compressed tarfiles at the time of writing.

After we have the body of the data.tar.xz coming back through the HTTP response, we get to pipe it through an xz decompressor and then a tarfile parser. The xz step kinda sucked in Rust, since a tokio AsyncRead is not the same as an http Body response, which is not the same as std::io::Read, which is not the same as an async (or sync) Iterator, which is not the same as what the xz2 crate expects; this led me to read blocks of data into a buffer and stuff them through the decoder by looping over the buffer for each lzma2 packet. The tarfile parser was similarly troublesome. From there we get to iterate over all entries in the tarfile, stopping when we reach our file of interest. Since we can’t seek, but gdb needs to, we’ll pull it out of the stream into a Cursor<Vec<u8>> in-memory and pass a handle to it back to the user.

From here on out it’s a matter of gluing together a File traited struct in debugfs, and serving the filesystem over TCP using arigato. Done deal!

A quick diversion about compression

I was originally hoping to avoid transferring the whole tar file over the network (and therefore also reading the whole debug file into ram, which objectively sucks), but quickly hit issues with figuring out a way around seeking around an xz file. What’s interesting is xz has a great primitive to solve this specific problem (specifically, use a block size that allows you to seek to the block as close to your desired seek position just before it, only discarding at most block size - 1 bytes), but data.tar.xz files generated by dpkg appear to have a single mega-huge block for the whole file. I don’t know why I would have expected any different, in retrospect. That means that this now devolves into the base case of “How do I seek around an lzma2 compressed data stream”; which is a lot more complex of a question.

After going through a lot of this, I realized just how complex the xz format is -- it's a lot more than just lzma2!

Thankfully, notoriously brilliant tianon was nice enough to introduce me to Jon Johnson who did something super similar – adapted a technique to seek inside a compressed gzip file, which lets his service oci.dag.dev seek through Docker container images super fast based on some prior work such as soci-snapshotter, gztool, and zran.c. He also pulled this party trick off for apk based distros over at apk.dag.dev, which seems apropos. Jon was nice enough to publish a lot of his work on this specifically in a central place under the name “targz” on his GitHub, which has been a ton of fun to read through.

The gist is that, by dumping the decompressor’s state (window of previous bytes, in-memory data derived from the last N-1 bytes) at specific “checkpoints” along with the compressed data stream offset in bytes and decompressed offset in bytes, one can seek to that checkpoint in the compressed stream and pick up where you left off – creating a similar “block” mechanism against the wishes of gzip. It means you’d need to do an O(n) run over the file, but every request after that will be sped up according to the number of checkpoints you’ve taken.

Given the complexity of xz and lzma2, I don’t think this is possible for me at the moment – especially given most of the files I’ll be requesting will not be loaded from again – especially when I can “just” cache the debug header by Build-Id. I want to implement this (because I’m generally curious and Jon has a way of getting someone excited about compression schemes, which is not a sentence I thought I’d ever say out loud), but for now I’m going to move on without this optimization. Such a shame, since it kills a lot of the work that went into seeking around the .deb file in the first place, given the debian-binary and control.tar.gz members are so small.

The Good

First, the good news right? It works! That’s pretty cool. I’m positive my younger self would be amused and happy to see this working; as is current day paultag. Let’s take debugfs out for a spin! First, we need to mount the filesystem. It even works on an entirely unmodified, stock Debian box on my LAN, which is huge. Let’s take it for a spin:

$ mount \
-t 9p \
-o trans=tcp,version=9p2000.u,aname=unstable-debug \
192.168.0.2 \
/usr/lib/debug/.build-id/

And, let’s prove to ourselves that this actually mounted before we go trying to use it:

$ mount | grep build-id
192.168.0.2 on /usr/lib/debug/.build-id type 9p (rw,relatime,aname=unstable-debug,access=user,trans=tcp,version=9p2000.u,port=564)

Slick. We’ve got an open connection to the server, where our host will keep a connection alive as root, attached to the filesystem provided in aname. Let’s take a look at it.

$ ls /usr/lib/debug/.build-id/
00 0d 1a 27 34 41 4e 5b 68 75 82 8E 9b a8 b5 c2 CE db e7 f3
01 0e 1b 28 35 42 4f 5c 69 76 83 8f 9c a9 b6 c3 cf dc E7 f4
02 0f 1c 29 36 43 50 5d 6a 77 84 90 9d aa b7 c4 d0 dd e8 f5
03 10 1d 2a 37 44 51 5e 6b 78 85 91 9e ab b8 c5 d1 de e9 f6
04 11 1e 2b 38 45 52 5f 6c 79 86 92 9f ac b9 c6 d2 df ea f7
05 12 1f 2c 39 46 53 60 6d 7a 87 93 a0 ad ba c7 d3 e0 eb f8
06 13 20 2d 3a 47 54 61 6e 7b 88 94 a1 ae bb c8 d4 e1 ec f9
07 14 21 2e 3b 48 55 62 6f 7c 89 95 a2 af bc c9 d5 e2 ed fa
08 15 22 2f 3c 49 56 63 70 7d 8a 96 a3 b0 bd ca d6 e3 ee fb
09 16 23 30 3d 4a 57 64 71 7e 8b 97 a4 b1 be cb d7 e4 ef fc
0a 17 24 31 3e 4b 58 65 72 7f 8c 98 a5 b2 bf cc d8 E4 f0 fd
0b 18 25 32 3f 4c 59 66 73 80 8d 99 a6 b3 c0 cd d9 e5 f1 fe
0c 19 26 33 40 4d 5a 67 74 81 8e 9a a7 b4 c1 ce da e6 f2 ff

Outstanding. Let’s try using gdb to debug a binary that was provided by the Debian archive, and see if it’ll load the ELF by build-id from the right .deb in the unstable-debug suite:

$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
(gdb)

Yes! Yes it will!

$ file /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
/usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter *empty*, BuildID[sha1]=e59f81f6573dadd5d95a6e4474d9388ab2777e2a, for GNU/Linux 3.2.0, with debug_info, not stripped

The Bad

Linux’s support for 9p is mainline, which is great, but it’s not robust. Network issues or server restarts will wedge the mountpoint (Linux can’t reconnect when the tcp connection breaks), and things that work fine on local filesystems get translated in a way that causes a lot of network chatter – for instance, just due to the way the syscalls are translated, doing an ls will result in a stat call for each file in the directory, even though Linux had just got a stat entry for every file while it was resolving directory names. On top of that, Linux will serialize all I/O with the server, so there are no concurrent requests for file information, writes, or reads pending at the same time to the server; and read and write throughput will degrade as latency increases due to increasing round-trip time, even though there are offsets included in the read and write calls. It works well enough, but is frustrating to run up against, since there’s not a lot you can do server-side to help with this beyond implementing the 9P2000.L variant (which, maybe, is worth it).

The Ugly

Unfortunately, we don’t know the file size(s) until we’ve actually opened the underlying tar file and found the correct member, so for most files, we don’t know the real size to report when getting a stat. We can’t parse the tarfiles for every stat call, since that’d make ls even slower (bummer). The only hiccup is that when I report a filesize of zero, gdb throws a bit of a fit; let’s try with a size of 0 to start:

$ ls -lah /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
-r--r--r-- 1 root root 0 Dec 31 1969 /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
warning: Discarding section .note.gnu.build-id which has a section size (24) larger than the file size [in module /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug]
[...]

This obviously won’t work since gdb will throw away all our hard work because of stat’s output, and neither will loading the real size of the underlying file. That only leaves us with hardcoding a file size and hoping nothing else breaks significantly as a result. Let’s try it again:

$ ls -lah /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
-r--r--r-- 1 root root 954M Dec 31 1969 /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug
$ gdb -q /usr/sbin/netlabelctl
Reading symbols from /usr/sbin/netlabelctl...
Reading symbols from /usr/lib/debug/.build-id/e5/9f81f6573dadd5d95a6e4474d9388ab2777e2a.debug...
(gdb)

Much better. I mean, terrible but better. Better for now, anyway.

Kilroy was here

Do I think this is a particularly good idea? I mean; kinda. I’m probably going to make some fun 9p arigato-based filesystems for use around my LAN, but I don’t think I’ll be moving to use debugfs until I can figure out how to ensure the connection is more resilient to changing networks, server restarts and fixes on i/o performance. I think it was a useful exercise and is a pretty great hack, but I don’t think this’ll be shipping anywhere anytime soon.

Along with me publishing this post, I’ve pushed up all my repos; so you should be able to play along at home! There’s a lot more work to be done on arigato; but it does handshake and successfully export a working 9P2000.u filesystem. Check it out on my github at arigato, debugfs and also on crates.io and docs.rs.

At least I can say I was here and I got it working after all these years.

10:28

Them or us? [Seth's Blog]

What kind of culture will we build? At work, in our community, online?

  • Compliance
  • Quality
  • Inquiry
  • Inclusion
  • Consumption
  • Possibility and/or
  • Fear

Each of us builds culture every time we interact with anyone else. Opting out isn’t possible, all we can do is decide what sort of impact and contribution we’re each going to make.

It’s tempting to say, “they” build culture, and to see that some have far more leverage than others. But it’s actually a “we” thing.

08:56

Russell Coker: Software Needed for Work [Planet Debian]

When I first started studying computer science, setting up a programming project was easy: write source code files and a Makefile and that was it. IRC was the only IM system and email was the only other communications system that was used much. Writing Makefiles is difficult but products like the Borland Turbo series of IDEs did all that for you so you could just start typing code and press a function key to compile and run (F5 from memory).

Over the years the requirements and expectations of computer use have grown significantly. The typical office worker is now doing many more things with computers than serious programmers used to do. Running an IM system, an online document editing system, and a series of web apps is standard for companies nowadays. Developers have to do all that in addition to tools for version control, continuous integration, bug reporting, and feature tracking. The development process is also more complex with extra steps for reproducible builds, automated tests, and code coverage metrics for the tests. I wonder how many programmers who started in the 90s would have done something else if faced with Github as their introduction.

How much of this is good? Having the ability to send instant messages all around the world is great. Having dozens of different ways of doing so is awful. When a company uses multiple IM systems such as MS-Teams and Slack and forces some of its employees to use them both it’s getting ridiculous. Having different friend groups on different IM systems is anti-social networking. In the EU the Digital Markets Act [1] forces some degree of interoperability between different IM systems and as it’s impossible to know who’s actually in the EU that will end up being world-wide.

In corporations document management often involves multiple ways of storing things, you have Google Docs, MS Office online, hosted Wikis like Confluence, and more. Large companies tend to use several such systems which means that people need to learn multiple systems to be able to work and they also need to know which systems are used by the various groups that they communicate with. Microsoft deserves some sort of award for the range of ways they have for managing documents, Sharepoint, OneDrive, Office Online, attachments to Teams rooms, and probably lots more.

During WW2 the predecessor to the CIA produced an excellent manual for simple sabotage [2]. If something like that was written today the section General Interference with Organisations and Production would surely have something about using as many incompatible programs and web sites as possible in the work flow. The proliferation of software required for work is a form of denial of service attack against corporations.

The efficiency of companies doesn’t really bother me. It sucks that companies are creating a demoralising workplace that is unpleasant for workers. But the upside is that the biggest companies are the ones doing the worst things and are also the most afflicted by these problems. It’s almost like the Bureau of Sabotage in some of Frank Herbert’s fiction [3].

The thing that concerns me is the effect of multiple standards on free software development. We have IRC the most traditional IM support system which is getting replaced by Matrix but we also have some projects using Telegram, and Jabber hasn’t gone away. I’m sure there are others too. There are also multiple options for version control (although github seems to dominate the market), forums, bug trackers, etc. Reporting bugs or getting support in free software often requires interacting with several of them. Developing free software usually involves dealing with the bug tracking and documentation systems of the distribution you use as well as the upstream developers of the software. If the problem you have is related to compatibility between two different pieces of free software then you can end up dealing with even more bug tracking systems.

There are real benefits to some of the newer programs to track bugs, write documentation, etc. There is also going to be a cost in changing which gives an incentive for the older projects to keep using what has worked well enough for them in the past.

How can we improve things? Use only the latest tools? Prioritise ease of use? Aim more for the entry level contributors?

06:49

Urgent: Drop charges on Julian Assange [Richard Stallman's Political Notes]

US citizens: call on the US to drop charges against Julian Assange.

  1. Phone the White House at 202-456-1111 (only 11-3pm, Tues, Wed & Thur).
  2. Phone the Department of Justice at 202-353-1555 x1.
  3. Phone your congresscritter via 202-224-3121 and ask per to support H.Res.934.
It is useful to do all three.

See assangedefense.org/press-releases for more information

Any medical treatment attacked, Gaza [Richard Stallman's Political Notes]

Foreign doctors who volunteered to work in Gaza claim that Israel intentionally targets medical facilities and personnel.

Let's not lose sight of where we want to end up.

Republican personhood in abortion vs IVF [Richard Stallman's Political Notes]

*Alabama IVF ruling leaves Republicans stuck between their base and the broader public.*

I am not surprised by this good news. As the bully pushes his followers into increasingly extreme and cruel positions, he is sure to generate more and more opposition. Republicans' usual methods of rigging elections won't help them if the demographic groups that normally vote Republican start rejecting them.

Ex-president's criminal trial, COL [Richard Stallman's Political Notes]

Colombia's former president, Alvaro Horrible, will be tried for witness tampering and fraud.

He has been tied to the paramilitaries, gangs of criminals with close connections to the army, who were Colombia's worst terrorists.

Satanic Temple bomb, Witch City, MA [Richard Stallman's Political Notes]

A bomb was planted on the Satanic Temple. It did little damage, due to an apparent malfunction, but it looks like right-wing terrorism.

New EPA rules finally clean up air [Richard Stallman's Political Notes]

A new EPA rule will require 200 US chemical plants to be redesigned to reduce toxic pollution.

Gun sales' loopholes closed [Richard Stallman's Political Notes]

*US will require background checks for gun shows and online firearm sales.*

This is a step forward, but we urgently need strict laws about safe storage and transport of guns.

03:28

This Week in Seattle Food News [The Stranger]

Asian Fusion Brunch, A Desert-Themed Pop-Up Bar, and An Upcoming Italian Restaurant by EverOut Staff This week, we're welcoming Coffeeholic's new brunch spot M Cozy Fusion Cafe and the new desert-themed pop-up bar The Mystic Motel. Plus, Conor Byrne Pub could make a comeback as a co-op, and chef Brian Clevenger has a new restaurant in the works. For more ideas, check out our food and drink guide.

NEW OPENINGS

M Cozy Fusion Cafe
Lately I've been addicted to the "Tropical Vine" (pandan coconut coffee) from the popular local cafe Coffeeholic House, which has locations in Columbia City, Greenwood, and Bellevue, so I was particularly delighted to hear that the team behind the coffee shop has set their sights on brunch. On Wednesday, co-owners Chen Dien and Trang Cao soft opened M Cozy Fusion Cafe, a new modern Asian fusion brunch spot with comforting dishes like ube mascarpone French toast and pandan waffles with chicken wings. The drink menu includes Vietnamese coffee, espresso, fruity "refreshers," and tea.
University District

01:35

Your Occasional Reminder the 80s Were Even Weirder Than You Remember [Whatever]

That is, if you were there for them at all.

That’s it, that’s what I have for today. Some days are like that.

— JS

Friday, 12 April

23:35

Microsoft tests ads in the Start menu [OSnews]

Building on top of recent improvements like grouping recently installed apps and showing your frequently used apps, we are now trying out recommendations to help you discover great apps from the Microsoft Store under Recommended on the Start menu. This will appear only for Windows Insiders in the Beta Channel in the U.S. and will not apply to commercial devices (devices managed by organizations). This can be turned off by going to Settings > Personalization > Start and turning off the toggle for “Show recommendations for tips, app promotions, and more”. As a reminder, we regularly try out new experiences and concepts that may never get released with Windows Insiders to get feedback. Should you see this experience on the Start menu, let us know what you think. We are beginning to roll this out to a small set of Insiders in the Beta Channel at first.

↫ Amanda Langowski and Brandon LeBlanc

The Start menu, August 24, 1995 – April 12, 2024. You made it almost 30 years, buddy.

22:49

Page 2 [Flipside]

Page 2 is done.

Friday Squid Blogging: The Awfulness of Squid Fishing Boats [Schneier on Security]

It’s a pretty awful story.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

21:56

Crafty [Penny Arcade]

When I see our engineer playing something in Early Access, I always make a note to come back and check it out - but Gabe beat me to it. This time it's The Planet Crafter, which just hit 1.0. It's a multiplayer techy buildy enviro sim type thing, but the couple screens and videos I saw didn't really communicate the arc. The arc is terraforming a hostile world into a paradise, which you can see in the video below. I've done the first part a ton - picking up all that shit, making shit from the shit, so many times that I don't really get out of bed for that layer anymore. I sure as shit haven't done this:

21:14

Scarlett Gately Moore: Kubuntu: Noble Numbat Beta available! Qt6 snaps coming soon. [Planet Debian]

It has been a very busy couple of weeks as we worked against some major transitions and a security fix that required a rebuild of the $world. I am happy to report that against all odds we have a beta release! You can read all about it here: https://kubuntu.org/news/kubuntu-24-04-beta-released/ Post beta freeze I have already begun pushing our fixes for known issues today. A big one being our new branding! Very exciting times in the Kubuntu world.

In the snap world I will be using my free time to start knocking out KDE applications ( not covered by the project ). I have also recruited some help, so you should start seeing these pop up in the edge channel very soon!

Now that we are nearing the release of Noble Numbat, my contract is coming to an end with Kubuntu. If you would like to see Plasma 6 in the next release and in a PPA for Noble, please consider donating to extend my contract at https://kubuntu.org/donate !

On a personal level, I am still looking to help with my grandson and you can find that here: https://www.gofundme.com/f/in-loving-memory-of-william-billy-dean-scalf

Thanks for stopping by,

Scarlett

WTO sabotaged [Richard Stallman's Political Notes]

The US has sabotaged the WTO by blocking appointment of "judges" to implement its dispute appeals procedure. See how I have condemned the WTO in the past.

The WTO "dispute resolution procedure" is much like an ISDS clause except that businesses cannot directly sue countries for making laws to protect human rights, public health, the environment, or their citizens' standard of living. In the WTO, only another member country can do that. But a big enough company can generally get the government of the country it claims to be located in to sue on its behalf.

With the dispute resolution system spiked, the WTO will be unable to do much to countries that relax the unjust copyright laws that persecute people who share with other people, and may be unable to pressure countries to make exceptions in patent law for software, medicine and agriculture.

If the WTO limited itself to preventing international dumping of products, I would support it. But it goes far beyond that, into injustice.

Trade agreements are one of the few areas in which the corrupter did good things. For instance, keeping the US out of the TPP, and spiking the WTO. But that is no reason to vote for the corrupter, since Biden has continued the same policies. What's more, Biden has taken broad action against monopolies in the US.

In any case, the danger that the corrupter would impose fascism and abolish human rights in the US outweighs the other political issues.

Antarctica temperature fluctuations [Richard Stallman's Political Notes]

Antarctica has begun experiencing big temperature fluctuations which are likely to make global heating start causing bigger changes there.

Google's bullshit generator [Richard Stallman's Political Notes]

Google tried to make its bullshit generator respond to questions about morals by saying that it can't judge those questions because they are for each person to judge. That's not a bad idea, in general. However, on some specific questions, such as *'Who negatively impacted society more, Elon tweeting memes or Hitler?'*, to assert that there is no right answer is taking a kind of stand.

Perhaps if it said, "That asks for a moral judgment — this system lacks the capability to make such judgments," it would achieve the intended result.

Of course, there are many other topics about which a bullshit generator lacks the capability to give valid responses.

Vending machine facial recognition [Richard Stallman's Political Notes]

Vending machines installed in a university in Canada have cameras, but various companies assert that they don't identify persons or store photos of them. They only detect that some person is in front of the machine and perhaps wants to use it.

In my view, the injustice of most cameras that watch people lies in tracking people. A camera that can't identify a person (or a car) is not an injustice. But it makes sense to demand that the company demonstrate at the technical level that these cameras cannot identify persons.

We can't take on trust any statements about what the machine actually does today if that depends on software, because the machine's owner could install different software any day.

Climate-smart agriculture funds [Richard Stallman's Political Notes]

*More than half of federal funding for "climate-smart" agriculture in the US goes to farming practices that are unlikely to reduce greenhouse gas emissions.*

In some cases, this is because the funding pays for changes that reduce emissions, but they effectively subsidize raising livestock, and that is likely to mean more livestock and therefore more emissions.

I Saw U: At the Antiquarian Bookfair, Winning Beanie Babies at Leny’s, and Taking Tequila Shots in Ballard [The Stranger]

Did you see someone? Say something! by Anonymous

Antiquarian Cutie

Talked to you at the 2023 Antiquarian Bookfair, my booth partner gave you my number but you never texted me. I still think about you.

we traded beanie babies winnings at Leny's

it was months ago... on my birthday. you were tall and such a cutie. we hugged. are you out there mystery claw machine master?

"Don't touch her!" in Queen Anne

You saw a guy grab me in the street. You told him not to touch me and it got physical. Thank you for caring, please let me know you're okay.

bright smile at the corner of 4th and pine

you low key waved at me while I was on my bike waiting for the red light. you know me but I don’t have your #, give me a like on that app 👀

Tatted RCF Gym Cutie

You asked me to take a video of your deadlift for the RCF Fundraiser and I was too shy to inquire further. Hope to see you again!

I'm sorry I forgot your name...

You were taking tequila shots in ballard. It was a fun time hanging out with you and your tropical shirt but I couldn't remember your name

Big Vibes Pizza Hunk

I've seen you in a few different neighborhoods and I know you've seen me too. You bummed me a cigarette recently...I should've talked to you more.

hot daddy at the bar

I saw you at Twilight Exit on Friday. You looked like you could take me home and have your way with me. Maybe you'll see me again this Friday

Is it a match? Leave a comment here or on our Instagram post to connect! 

Did you see someone? Say something! Submit your own I Saw U message here and maybe we'll include it in the next roundup! 

20:28

The Best Bang for Your Buck Events in Seattle This Weekend: Apr 12-14 2024 [The Stranger]

Anastacia-Reneé, Sour Beer Day, and More Cheap & Easy Events Under $15 by EverOut Staff

Take a break from doing your taxes and go have some thrifty fun this weekend. We've gathered all the best events under $15, from Anastacia-Reneé with Noni Ervin to 14 Hours by Janelle Abbott and from Cozy Con West to Sour Beer Day. For more ideas, check out our guide to the top events of the week.

FRIDAY

LIVE MUSIC

A Night of Latin Music & Art
Did you know that there is a boutique hotel above the Crocodile (cue Lana Del Rey's "Did you know that there’s a tunnel under Ocean Blvd")? This week, Hotel Crocodile is back to spotlight Latin artists, performers, and musicians at their monthly art walk showcase. Keep your eyes and ears peeled for music from Gold Chisme, La Mala Noche, Albina Cabrera, Gloomyyy, Bloqueador Solar, Lucia Flores-Wiseman, and ArtnBeats, along with gallery displays, installations, tattooing, and live poetry. Plus, tasty treats will be provided by the Mexican-Italian street food cart That’s-a-Molè! and pop-up panadería Bakescapade. AV
(Hotel Crocodile, Belltown, free)

19:42

18:07

Bad Apples [The Stranger]

SPD Cop Fired for Creeping on Ex, Officer “Accidentally” Tases Someone, Hornets Attack the Police by Ashley Nerbovig

Last week, the Seattle police union’s tentative collective bargaining agreement showed that the City plans to increase pay by 23% for the Seattle Police Department’s (SPD) officers and sergeants. The contract promised no substantial changes to accountability measures for the police department. In fact, rather than adding more accountability measures for officers, the City could even move backwards. 

For instance, to help with morale, Chief of Police Adrian Diaz has started pushing for the Office of Police Accountability (OPA) to allow SPD to investigate its own officers internally on minor complaints through “Supervisor Actions.” The OPA already allows SPD to investigate some policy violations, such as when a cop drove up to 54 miles per hour to a call, hitting speeds the OPA called “likely unreasonable.” We know very little about how the department handled that situation because SPD does not post details about supervisor actions publicly, resulting in less transparent accountability. 

Diaz pitched the idea in March, and no one on the city council raised any concerns. But why would they? The council spends public safety committee meetings fawning over the police department, all while SPD officers have thrown handcuffed suspects to the ground and bullied bus drivers, among other things.

Speaking of bad apples, let’s take a closer look at some of the officers who could reap buckets of back pay under the City’s new tentative agreement. 

Patrolling an Ex

Case #2021OPA-0366

For about two years, the OPA has investigated Officer Andrew Swartz’s use of criminal databases to allegedly harass and stalk his ex-girlfriend in 2021. When the OPA interviewed Swartz, he acknowledged that he followed his ex-girlfriend, took photos of her car, and tried to expose the fact that she was having an affair with a married man. He also admitted to using criminal justice databases to run the name of the married man, but he justified it by telling investigators that he wanted to know where the man’s wife lived in order to tell her about the affair. 

Swartz’s ex-girlfriend sought multiple protection orders against him, and the Snohomish County Sheriff’s Office investigated him on charges of stalking. His friend wrote a declaration of support on the woman’s behalf in one of the order of protection cases, saying that “as a police officer” Swartz should understand how his actions “are scary and terrorizing” to the woman and her family. After the first protection order expired, Swartz continued to track his ex-girlfriend by watching the parking lot of her gym.

The OPA recommended that Chief Diaz should either suspend Swartz without pay or terminate him over his policy violations. Diaz chose to fire him after about two years on administrative leave. SPD had previously suspended him in 2019 for failing to “sufficiently investigate and document a domestic violence assault.” He first joined SPD in 2015.

In 2021, Swartz made about $126,090, including overtime and a premium for wearing a body camera. He went on paid leave in August 2021. While on administrative leave he earned roughly a quarter of a million dollars under the new tentative agreement.

Accidental Tasing

Case #2023OPA-0047

On January 15, 2023, West Precinct Officer Vontrail Lee responded to a call about a man hiding in bushes and eating leaves on private property, according to an OPA report. The person living on the property called the police. Lee arrived and told the leaf-eater he needed to leave. The guy took out his phone as if filming Lee and then argued about whether the cop could tell him what to do. Then he started asking if Lee planned to hit him with the baton Lee was holding. During the conversation, the man called Lee, who is Black, the N-word three times. 

From the OPA investigative report, which refers to the man in the bushes as “The Complainant” and Lee as “NE.”

Lee returned to his patrol vehicle, left the door open, and told the man not to approach him. Lee’s body-worn video footage showed the man walking up to the car saying, “What am I doing wrong? Are you scared you should be a cop?” Lee aimed a TASER at the unarmed man, who stepped back as Lee said, “This is a TASER, you come near me, this is what…” Lee then triggered his TASER. One of the prongs struck the man in the left shoulder. TASER data shows Lee held the trigger for about four seconds. 

When a sergeant arrived about 10 minutes later, Lee said he used his TASER by accident, and he meant only to spark it as a warning, but he “claimed his finger slipped to the trigger,” according to the OPA report. When the Seattle Fire Department arrived, they noted that the man appeared to have experienced a “behavioral/psychiatric episode.”

In the investigator's report, OPA noted that SPD officers may not use force in retaliation. Before Lee used his TASER, the man repeatedly approached him and used a racial slur, which suggested Lee might have acted in “possible retaliation,” OPA said. However, only Lee knew his intent, the OPA said. The TASER’s “spark” and “shoot” buttons are close together, and other officers have claimed to accidentally shoot when they meant to spark, according to the OPA report. The agency sustained no policy violations in this case. Investigators said their evidence was inconclusive on whether Lee used his TASER in an unprofessional manner and whether he failed to deescalate the situation before using force. 

Since 2019 OPA has noted 12 complaints against Lee. In 2021, SPD reprimanded Lee in writing after he told a suicidal person who had agreed to go to the hospital that, “I mean, once you get out [from the hospital] you can figure out a way, if you really want to die you can figure that out on your own. Just don’t tell anybody. Not teaching you how to commit suicide but that’s just a way to do that.” 

In 2022, Lee took home $220,700 between his base pay and overtime. From 2019 to 2021, Lee earned $673,225 working for SPD. That does not include the back pay the City could owe Lee under the new SPOG contract.

Hornets Resist Arrest

Case #2023OPA-0449

On August 13, 2023, Officer Seth Wagner responded to a call about a man allegedly waving a knife at passing cars, blocking traffic, and damaging vehicles. When Wagner and another officer approached the man, he ran. Wagner and the other officer chased him over a guardrail through dense bushes, cornered him, and then struggled to pin him to the ground. In the process, the two disturbed a hornet nest, according to the OPA report.

From the OPA investigative report, which refers to Wagner as ‘NE#1,’ and refers to the man officers went to arrest as ‘the Complainant.’

The man passed out, possibly as a result of his interaction with police. Wagner reported 50 bee stings covering his own body, five stitches, and lots of cuts and bruises.

The man later complained that SPD officers had “beat the shit out of me. Like, like worse than an animal.” Wagner told OPA investigators that before backup officers arrived he’d struggled to keep the man pinned to the ground and had to punch him in the head and chest two to three times. Wagner claimed the man put him in a headlock. When Wagner freed himself, the man tried to run, but Wagner grabbed him and pulled him to the ground. While the cop had the man on his back, he said the man continued to resist, and so he had to punch the man in the face “five to ten times.” The OPA ruled Wagner’s use-of-force lawful and proper. 

In the past, OPA has flagged instances of cops punching suspects multiple times in a row as excessive uses of force. 

In 2022, Wagner earned $128,147. Since 2019, he’s earned about $330,270 in total salary, including overtime, and not including back pay that would be owed under the tentative agreement.

Anyone can report a cop for bad behavior or for bad driving by going to the OPA’s website. If you do file a complaint and want us to track it, then let me know your complaint number and we’ll add it to our list of possible future Bad Apples.

18:00

Link [Scripting News]

My wpidentity package now has storage.

17:21

Freexian Collaborators: Debian Contributions: SSO Authentication for jitsi.debian.social, /usr-move updates, and more! (by Utkarsh Gupta) [Planet Debian]

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

P.S. We’ve completed over a year of writing these blogs. If you have any suggestions on how to make them better or what you’d like us to cover, or any other opinions/reviews you might have, et al, please let us know by dropping an email to us. We’d be happy to hear your thoughts. :)

SSO Authentication for jitsi.debian.social, by Stefano Rivera

Debian.social’s jitsi instance has been getting some abuse by (non-Debian) people sharing sexually explicit content on the service. After playing whack-a-mole with this for a month, and shutting the instance off for another month, we opened it up again and the abuse immediately re-started.

Stefano sat down and wrote an SSO Implementation that hooks into Jitsi’s existing JWT SSO support. This requires everyone using jitsi.debian.social to have a Salsa account.

With only a little bit of effort, we could change this in future, to only require an account to open a room, and allow guests to join the call.
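The SSO change above relies on Jitsi's JWT support: an identity provider (here, Salsa) authenticates the user and mints a signed token, and the Jitsi side admits a caller only after verifying it. The following is an added illustration of that exchange and is not Stefano's implementation or Jitsi's code: it mints and verifies an HS256 token with only the Python standard library. The claim names (`iss`, `aud`, `sub`, `room`, `context.user`) follow what Jitsi's token plugin is generally understood to expect, and the app id, domain, secret and room names are constructed placeholders.

```python
# Added example (not Freexian's, Stefano Rivera's or Jitsi's code): minting and
# verifying a Jitsi-style HS256 JWT with only the Python standard library.
import base64
import hashlib
import hmac
import json
import time

# Constructed values; a real deployment reads these from its configuration.
APP_ID = "jitsi-sso-example"           # assumed: Jitsi's app_id is carried in the "iss" claim
JITSI_DOMAIN = "meet.example.invalid"  # assumed: the "sub" claim names the Jitsi domain


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, user_name: str, room: str, ttl_seconds: int = 3600,
               now=None) -> str:
    """Build the token after the IdP (Salsa in the post) has authenticated the user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": APP_ID,
        "aud": "jitsi",            # assumed audience expected by Jitsi's token plugin
        "sub": JITSI_DOMAIN,
        "room": room,              # "*" would grant every room; scope it where possible
        "iat": now,
        "nbf": now,
        "exp": now + ttl_seconds,  # short lifetime limits the value of a leaked token
        "context": {"user": {"name": user_name}},
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    """Raised for any token the verifying side must reject."""


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Check signature and claims the way the service side must before admitting a caller."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token must have exactly three segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: trusting whatever the header says (e.g. "none") is the classic JWT bug.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != APP_ID or payload.get("aud") != "jitsi":
        raise TokenError("token was not issued for this service")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("token expired")
    if now < payload.get("nbf", 0):
        raise TokenError("token not yet valid")
    return payload


def is_valid(secret: bytes, token: str, now=None) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(secret, token, now)
        return True
    except (TokenError, ValueError):
        return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    tok = mint_token(secret, "alice", "debian-python-bof", now=1700000000)
    print(verify_token(secret, tok, now=1700000100)["context"]["user"]["name"])
```

The verifier pins the algorithm, compares signatures in constant time, and checks issuer, audience and lifetime before returning any claim; the room claim is the lever for the follow-up idea in the post (requiring an account only to open a room), since a token can be scoped to a single room rather than `*`.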

/usr-move, by Helmut Grohne

The biggest task this month was sending mitigation patches for all of the /usr-move issues arising from package renames due to the 2038 transition. As a result, we can now say that every affected package in unstable can either be converted with dh-sequence-movetousr or has an open bug report. The package set relevant to debootstrap except for the set that has to be uploaded concurrently has been moved to /usr and is awaiting migration. The move of coreutils happened to affect piuparts which hard codes the location of /bin/sync and received multiple updates as a result.

Miscellaneous contributions

  • Stefano Rivera uploaded a stable release update to python3.11 for bookworm, fixing a use-after-free crash.
  • Stefano uploaded a new version of python-html2text, and updated python3-defaults to build with it.
  • In support of Python 3.12, Stefano dropped distutils as a Build-Dependency from a few packages, and uploaded a complex set of patches to python-mitogen.
  • Stefano landed some merge requests to clean up dead code in dh-python, removed the flit plugin, and uploaded it.
  • Stefano uploaded new upstream versions of twisted, hatchling, python-flexmock, python-authlib, python-mitogen, python-pipx, and xonsh.
  • Stefano requested removal of a few packages supporting the Opsis HDMI2USB hardware that DebConf Video team used to use for HDMI capture, as they are not being maintained upstream. They started to FTBFS, with recent sdcc changes.
  • DebConf 24 is getting ready to open registration, Stefano spent some time fixing bugs in the website, caused by infrastructure updates.
  • Stefano reviewed all the DebConf 23 travel reimbursements, filing requests for more information from SPI where our records mismatched.
  • Stefano spun up a Wafer website for the Berlin 2024 mini DebConf.
  • Roberto C. Sánchez worked on facilitating the transfer of upstream maintenance responsibility for the dormant Shorewall project to a new team led by the current maintainer of the Shorewall packages in Debian.
  • Colin Watson fixed build failures in celery-haystack-ng, db1-compat, jsonpickle, libsdl-perl, kali, knews, openssh-ssh1, python-json-log-formatter, python-typing-extensions, trn4, vigor, and wcwidth. Some of these were related to the 64-bit time_t transition, since that involved enabling -Werror=implicit-function-declaration.
  • Colin fixed an off-by-one error in neovim, which was already causing a build failure in Ubuntu and would eventually have caused a build failure in Debian with stricter toolchain settings.
  • Colin added an sshd@.service template to openssh to help newer systemd versions make containers and VMs SSH-accessible over AF_VSOCK sockets.
  • Following the xz-utils backdoor, Colin spent some time testing and discussing OpenSSH upstream’s proposed inline systemd notification patch, since the current implementation via libsystemd was part of the attack vector used by that backdoor.
  • Utkarsh reviewed and sponsored some Go packages for Lena Voytek and Rajudev.
  • Utkarsh also helped Mitchell Dzurick with the adoption of pyparted package.
  • Helmut sent 10 patches for cross build failures.
  • Helmut partially fixed architecture cross bootstrap tooling to deal with changes in linux-libc-dev and the recent gcc-for-host changes and also fixed a 64bit-time_t FTBFS in libtextwrap.
  • Thorsten Alteholz uploaded several packages from debian-printing: cjet, lprng, rlpr and epson-inkjet-printer-escpr were affected by the newly enabled compiler switch -Werror=implicit-function-declaration. Besides fixing these serious bugs, Thorsten also worked on other bugs and could fix one or the other.
  • Carles updated simplemonitor and python-ring-doorbell packages with new upstream versions.
  • Santiago is still working on the Salsa CI MRs to adapt the build jobs so they can rely on sbuild. Current work includes adapting the images used by the build job, implementing the basic sbuild support in the related jobs, and adjusting the support for experimental and *-backports releases.
    Additionally, Santiago reviewed some MR such as Make timeout action explicit in the logs and the subsequent Implement conditional timeout verbosity, and the batch of MRs included in https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/482.
  • Santiago also reviewed applications for the improving Salsa CI in Debian GSoC 2024 project. We received applications from four very talented candidates. The selection process is currently ongoing. A huge thanks to all of them!
  • As part of the DebConf 24 organization, Santiago has taken part in the Content team discussions.
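The xz-utils item above turns on a small detail: the only thing sshd needed libsystemd for was telling the service manager it was ready, and that notification is a short datagram protocol (documented in sd_notify(3)) that a daemon can speak by itself. The following is an added example of doing exactly that, not OpenSSH's patch or any Debian code: `sd_notify` sends a state string to the socket named by `NOTIFY_SOCKET`, and `demo_roundtrip` plays the supervisor's role with a temporary socket so the exchange can be observed offline. The `notify_socket` parameter and the sample status text are constructed for the demonstration.

```python
# Added example (not OpenSSH's or Debian's code): speaking the sd_notify(3) datagram
# protocol directly, so a daemon can report "READY=1" without linking libsystemd.
import os
import socket
import tempfile


def sd_notify(state: str, notify_socket=None) -> bool:
    """Send one notification message; returns False when no notify socket is configured."""
    path = os.environ.get("NOTIFY_SOCKET") if notify_socket is None else notify_socket
    if not path:
        return False
    # A leading '@' denotes a Linux abstract-namespace socket, addressed with a NUL byte.
    if path.startswith("@"):
        path = "\0" + path[1:]
    # One unconnected AF_UNIX datagram per message; newline separates KEY=VALUE lines.
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode("utf-8"), path)
    return True


def demo_roundtrip(state: str = "READY=1\nSTATUS=listening") -> bytes:
    """Stand in for systemd: bind a temporary notify socket, notify it, return what arrived.

    The socket path is constructed for the demo; under systemd the service manager sets
    NOTIFY_SOCKET in the environment and sd_notify() needs no explicit path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notify")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as supervisor:
            supervisor.bind(path)
            supervisor.settimeout(2.0)
            if not sd_notify(state, notify_socket=path):
                raise RuntimeError("notification was not sent")
            data, _ = supervisor.recvfrom(4096)
    return data


if __name__ == "__main__":
    print(demo_roundtrip().decode())
```

The whole dependency collapses to one `sendto` on a datagram socket, which is the argument for inlining it: a daemon that reaches for a shared library (and, transitively, everything that library pulls in) for a job this small is widening its attack surface for no functional gain.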

Slog AM: More Camping Ban Beef in Burien, SUV Drives Over Tents Downtown, Shohei Ohtani's Interpreter Allegedly Stole $16 Million [The Stranger]

The Stranger's morning news roundup. by Nathalie Graham

SUV drives over tents: On Tuesday night, an Acura SUV drove onto the sidewalk downtown at Third Avenue and James Street and mowed down the tents pitched there. Luckily, the tents were empty. Police pursued the SUV through downtown but abandoned the chase when they learned no one was in the tents. The SUV returned to the area later and fired a gun multiple times. Police are now looking for the SUV again. What's most disturbing about this incident is the seeming intent to harm unhoused people, which, with several targeted attacks and even a murder of those living on the streets, is seeming like a growing trend in our city. 

Chipotle pays up: The burrito bowl purveyor came under fire for allegedly violating the city's Secure Scheduling and Paid Sick and Safe Time Ordinances. Chipotle settled with Seattle's Office of Labor Standards, paying nearly $3 million to more than 1,850 employees over accusations of retaliating against workers who called out sick, not providing the correct sick time accrual rate, retaliating against employees who requested specific schedule changes so as not to conflict with other jobs, and more. 

Rolling library closures: In case you missed it, Seattle Public Library branches across the city will be closed intermittently through June 4 due to staffing issues that would not be an issue if the City of Seattle lifted its hiring freeze, a budget-preserving measure implemented by Mayor Bruce Harrell. 

This is a wake-up call. Unless we take action, we're going to see even deeper cuts to essential services like libraries. I am calling on my colleagues to work with me and explore solutions that don't just rely on cuts.

Statement ➡️ https://t.co/5EeGI1qZTi https://t.co/aZzgyCBVIP

— Councilmember Tammy J. Morales (@CMTammyMorales) April 11, 2024

Sunny and 60s: Break out your light cardigans, it'll be perfect spring weather Friday and Saturday. 

Burien's latest beef: Burien is a mess right now, thanks to a constitutionally dubious camping ban the city updated last month. The ban severely restricts and criminalizes the act of sleeping outdoors in the midst of a housing crisis. In response to the ordinance, the King County Sheriff's Office (KCSO), the entity responsible for Burien's policing via an interlocal agreement, filed a complaint with the US District Court saying it couldn't enforce the ban because it wasn't constitutional. Burien then sued the KCSO for not enforcing the ban. Now, Burien's city manager wants to fire Burien's police chief. In a letter to the KCSO, the city manager wrote: "I can no longer state that I trust Chief [Ted] Boe to fulfill the requirements listed within the Interlocal Agreement." This has to be more camping ban drama. 

In case you forgot to be worried about the Great Barrier Reef: Things are bad. Australia's Great Barrier Reef is showing signs of severe coral bleaching. Damage to the reef extends nearly 60 feet below the surface. The bleaching is so bad even coral species that had previously been resistant to bleaching are being affected. The cause, of course, is consistently warmer-than-normal ocean temperatures. The cause of that? Climate change. 

Unbleached reefs this year are coloured blue.

This is the most widespread and most severe mass bleaching and mortality event ever recorded on the Great Barrier Reef. https://t.co/eE5LCrSwtL

— Terry Hughes (@ProfTerryHughes) April 9, 2024

Trump and Putin shared a view of Ukraine: According to a new book by former Donald Trump advisor Fiona Hill, "Trump made it very clear that he thought, you know, that Ukraine, and certainly Crimea, must be part of Russia." Hill's book continued: "He really could not get his head around the idea that Ukraine was an independent state." Huh, sounds like a really similar position to Vladimir Putin. 

Who says baseball isn't exciting? Major League Baseball's biggest star, Shohei Ohtani, who signed a 10-year $700 million contract with the Dodgers, is embroiled in scandal. His close friend and interpreter, Ippei Mizuhara, has been charged with bank fraud for allegedly stealing $16 million from Ohtani to cover Mizuhara's own gambling debts. The case forming against Mizuhara paints him as controlling Ohtani's bank accounts, and, as his link to the English-speaking world, taking on the role of a de-facto manager. So, Ohtani, who could be kicked out of the league if found gambling, is being portrayed as a blind victim here. Yet, in Mizuhara's first statement on the matter, he said Ohtani paid the debts at Mizuhara's request. The next day, Mizuhara corrected his story and said Ohtani had no knowledge of the gambling debts. What's real? We just don't know! 

Trump's hush money case: Jury selection in Manhattan for Trump's first criminal case—and, yes, he faces four criminal prosecutions—will start Monday. This case concerns Trump "fudging his company’s books as part of an effort to conceal payments made to hide claims of extramarital sex during his 2016 campaign." You know, normal president stuff. Anyway, the jury selection process should be difficult to say the least. The court needs to find 12 jurors in Manhattan who are impartial and unbiased toward Trump. 

"Abnormally dry" on Oahu: Severe and persistent droughts are stressing Oahu's water resources. Fresh water on the Hawaiian island comes from an underground aquifer, yet evidence suggests the groundwater will lessen even more by 2030. With tourists sharing the island and the tourism industry building giant, freshwater, artificial surfing wave pools, locals are pissed. "We may come to a point where we have to decide … who gets water and who doesn't," said Wayne Tanaka, director of Sierra Club of Hawai'i. 

Water stores are looking good in California: The last two very wet years have been good for assuaging the Golden State's seemingly perpetual drought. 

California's water storage is at its healthiest levels in over a decade.

Virtually every major reservoir in the state has average to above-average storage, with a substantial 115% of average snowpack still to melt.

The last two years have been an amazing reprieve from the… pic.twitter.com/PUm8Kca1wR

— Colin McCarthy (@US_Stormwatch) April 12, 2024

US confirms famine in Gaza: Famine has started in Gaza, according to US official Samantha Power. Despite Benjamin Netanyahu's promises to Joe Biden of "a surge in aid" to Gaza, nothing has changed. Israel reported an increase in truck crossings into Gaza, yet those numbers conflict with the United Nation's reports. 

How bad is the cost of living in some cities? So bad that FBI agents are "struggling to make ends meet." They're even—gasp—rooming with other agents to save money on rent. The FBI's Agents Association asked for $165 million to be added to the Justice Department's budget for a housing allowance for FBI agents. 

We're all trying to find the guy who did this: An Arizona court ruled 4-2 on Monday to reinstate a 1864-era law criminalizing abortion at any point during pregnancy unless the woman's life is at risk. Former Gov. Doug Ducey, a Republican, said he thought the law went too far and that it was “not the outcome I would have preferred.” When he was governor in 2016, Ducey expanded the state Supreme Court from five justices to seven, then appointed four conservative justices to the bench. Those justices made this ruling. 

A song for your Friday: Shakira proves on her new album "Las Mujeres Ya No Lloran" that she's still got it, tax fraud be damned.

17:14

The challenge of nonprofit fundraising [Seth's Blog]

When someone starts a business, they spend a bunch of time with a business plan, working to raise funds and get it off the ground. After that, though, the purpose of the business is completely aligned with the idea of not running out of money. We run a business to make money, not to spend it. If done well, there’s no more fundraising after a startup period.

On the other hand, nonprofits sign up to do at least two things.

They’re here to solve a problem, to address trauma, to enrich the culture, to do the difficult work that we’re not always able to do on our own.

And yet, at the same time, we require them to raise money. Not just for a little while, but all the time.

The more successful they become, the more money they need to raise.

Along the way, it’s not unusual for a nonprofit to spend 50% of the money they raise on the expense of raising more money. That’s not because they’re inefficient, it’s because we are.

We demand a gala, or an emergency, or artfully written fundraising letters. Donors want personal attention from the folks who are ostensibly doing the front line or strategic work of the nonprofit, and treat regular donations as an exception, not the standard.

When the internet arrived, it dramatically lowered the transactional costs in a wide variety of industries. You can buy an airline ticket yourself faster and with less intervention than through a travel agent. You can buy stocks for transaction fees that are a tiny fraction of what a broker used to charge. But creative and effective nonprofit fundraising has been stuck in a cycle of risk, galas and uncertainty.

GOODBIDS is making it easier for a nonprofit to create an event that might capture the attention of regular donors as well as new ones. It still requires some effort to secure the prizes, but our tool significantly leverages the work of the nonprofit and the fee we charge the nonprofit is a tiny fraction of what it usually costs to do fundraising.

Today’s new auctions are rare collectibles donated by special friends:

Her father baked a chandelier for Salvador Dali, and this is your chance to have a handmade work of art from the world’s most famous bakery. Apple sponsored these luxurious jackets for the crew on the original movie. Guy signed his for you, making it doubly collectible.

I hope you’ll check out how positive auctions are working for charities you care about.

PS bonus tip: Each Goodbids auction has an end date and time, but the auction is automatically extended when someone bids near the end of the window. That means that there’s no benefit to waiting until the last minute, because there isn’t a last minute–the auction keeps running until the bidding is done.

16:07

[$] A tale of two troublesome drivers [LWN.net]

The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.

15:49

The case of the string being copied from a mysterious pointer to invalid memory [The Old New Thing]

A customer ran some stress tests on their program with Application Verifier enabled. Thanks for doing that!

They found that there were rare but repeated crashes where their program appeared to be copying a string from invalid memory due to a pointer that didn’t appear to match the member variable it was supposed to have come from. One such hit might be chalked up to a flaky CPU, but they had three, from three different machines.

Since this shows up in stress testing, it’s not practical to collect a Time Travel Trace, but let’s see what we can do with the crash dumps that were produced.

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5db8.4180): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v

rax=000001e081072fe0 rbx=000001e080fe8fc8 rcx=000001e081072fe0
rdx=000001e081070ff0 rsi=000001e081070fe0 rdi=000000000000000f
rip=00007ffc08ab143a rsp=000000b3ed0ffa28 rbp=000001e081072fe0
 r8=0000000000000010  r9=0000000000000000 r10=00007ffc08ab0000
r11=000001e0fa3bfde0 r12=0000000000000000 r13=0000000000000000
r14=000000000000001f r15=000000000000022c
VCRUNTIME140!memcpy+0x12a:
00007ffc`08ab143a movdqu  xmm2,xmmword ptr [rdx+r8-10h] ds:000001e0`81070ff0=????????
0:005> kn
 # RetAddr           Call Site
00 00007ff6`06144342 VCRUNTIME140!memcpy+0x12a
01 (Inline Function) contoso!std::_Char_traits<char,int>::copy+0x13
02 (Inline Function) contoso!std::string::_Construct+0xba
03 (Inline Function) contoso!std::string::{ctor}+0xd3
04 00007ff6`06149dcf contoso!Widget::GetId+0x202
05 00007ff6`0614742d contoso!<lambda_9cd1b560a470dbb5c6e1d5da28bd3866>::operator()+0xc0
09 00007ffc`22785976 ntdll!TppSimplepExecuteCallback+0xa3
0a 00007ffc`2172257d ntdll!TppWorkerThread+0x8f6
0b 00007ffc`227aaa78 kernel32!BaseThreadInitThunk+0x1d
0c 00000000`00000000 ntdll!RtlUserThreadStart+0x28

So we have a lambda that called Widget::GetId, and we crashed trying to copy a string. Here’s what Widget::GetId looks like:

struct Widget
{
    std::string GetId()
    {
        if (m_uniqueId.empty())
        {
            m_uniqueId = SlowGetId();
        }
        return m_uniqueId; // <<< crash here
    }

private:
    std::string m_uniqueId;

    std::string SlowGetId();
};

If we dig into the STL code, we are in the copy method at the point where we copy the characters from the string into a newly-allocated buffer.

        _CSTD memcpy(_First1, _First2, _Count * sizeof(_Elem));

The address we are trying to copy from is in the rdx register, 000001e0`81070ff0, which is presumably the string buffer hiding inside m_uniqueId, but when we ask the debugger for the contents of m_uniqueId, we see something different:

0:005> ?? this->m_uniqueId
class std::string
   +0x000 _Mypair          : std::_Compressed_pair<std::allocator<char>,std::_String_val<std::_Simple_types<char> >,1>
0:005> ?? this->m_uniqueId._Mypair
class std::_Compressed_pair<std::allocator<char>,std::_String_val<std::_Simple_types<char> >,1>
   +0x000 _Myval2          : std::_String_val<std::_Simple_types<char> >
0:005> ?? this->m_uniqueId._Mypair._Myval2
class std::_String_val<std::_Simple_types<char> >
   +0x000 _Bx              : std::_String_val<std::_Simple_types<char> >::_Bxty
   +0x010 _Mysize          : ??
   +0x018 _Myres           : 0x10
0:005> ?? this->m_uniqueId._Mypair._Myval2._Bx
union std::_String_val<std::_Simple_types<char> >::_Bxty
   +0x000 _Buf             : [16]  "???"
   +0x000 _Ptr             : 0x000001e0`81074ff0  "fdf551a3ebd7f381"
   +0x000 _Alias           : [16]  "???"
0:005>

In memory, the m_uniqueId of the widget is a reasonable-looking string of hex digits, and the pointer is nothing like the address we crashed on.

I suspected that at the time we started copying, the string was indeed at 000001e0`81070ff0, but while we were copying the string, another thread came in and changed the m_uniqueId, which freed the string out from under us.

Since this crash occurred when running under Application Verifier, we can ask Application Verifier for the histories of these two memory blocks.

0:005> !avrf -?
Verifier package version >= 3.00 
Application verifier debugger extension                      
                                                             
...
!avrf -hp N           dump last N entries from heap log.     
!avrf -hp -a ADDR     searches ADDR in the heap log.         
...

Great, we can use the !avrf -hp -a command to ask AppVerifier to tell us what it knows about an address on the heap.

0:005> !avrf -hp -a 0x000001e0`81070ff0

Searching call tracker @ 000001e0fe042fc0 with 422 valid entries ...
--------------------------------------------------------------
2024-04-12T07:00:20.140Z GlobalIndex 19E1E6 ThreadId NA
HeapFree: 1E081070FF0 11 1E0FBB60000 7870

    00007ffc1fae37eb: ucrtbase!_free_base+0x1B
    00007ffb45614ff7: vfbasics!AVrfp_ucrt_free+0x57
    00007ff606144219: contoso!Widget::GetId+0xD9
    00007ff606149400: contoso!<lambda_963292f271044b3ead3564f3abbc4b26>::operator()+0xb7
    00007ffc2279e4a3: ntdll!TppSimplepExecuteCallback+0xA3
    00007ffc22785976: ntdll!TppWorkerThread+0x8F6
    00007ffc2172257d: KERNEL32!BaseThreadInitThunk+0x1D
    00007ffc227aaa78: ntdll!RtlUserThreadStart+0x28

--------------------------------------------------------------
2024-04-12T07:00:20.139Z GlobalIndex 19E1E0 ThreadId NA
HeapAlloc: 1E081070FF0 11 1E0FBB60000 4180

    00007ffc22854438: ntdll!RtlDebugAllocateHeap+0x48
    00007ffc2280d6f0: ntdll!RtlpAllocateHeap+0x7EAB0
    00007ffc2278cd49: ntdll!RtlpAllocateHeapInternal+0x6C9
    00007ffbf8bcc3dc: vrfcore!VfCoreRtlAllocateHeap+0x2C
    00007ffb456137d5: vfbasics!AVrfpRtlAllocateHeap+0x155
    00007ffc1fae1b06: ucrtbase!_malloc_base+0x36
    00007ffb45614e20: vfbasics!AVrfp_ucrt_malloc+0x40
    00007ff6061491f3: contoso!operator new+0x1F
    00007ff606144365: contoso!Widget::SlowGetId+0x25
    00007ff606144185: contoso!Widget::GetId+0x45
    00007ff60614742d: contoso!<lambda_9cd1b560a470dbb5c6e1d5da28bd3866>::operator()+0xc0
    00007ffc22785976: ntdll!TppSimplepExecuteCallback+0xa3
    00007ffc22785976: ntdll!TppWorkerThread+0x8F6
    00007ffc2172257d: KERNEL32!BaseThreadInitThunk+0x1D
    00007ffc227aaa78: ntdll!RtlUserThreadStart+0x28

And the history for the string in m_uniqueId right now is

0:005> !avrf -hp -a 0x000001e0`81074ff0

Searching call tracker @ 000001e0fe042fc0 with 422 valid entries ...
--------------------------------------------------------------
2024-04-12T07:00:20.140Z GlobalIndex 19E1E3 ThreadId NA
HeapAlloc: 1E081074FF0 11 1E0FBB60000 7870

    00007ffc22854438: ntdll!RtlDebugAllocateHeap+0x48
    00007ffc2280d6f0: ntdll!RtlpAllocateHeap+0x7EAB0
    00007ffc2278cd49: ntdll!RtlpAllocateHeapInternal+0x6C9
    00007ffbf8bcc3dc: vrfcore!VfCoreRtlAllocateHeap+0x2C
    00007ffb456137d5: vfbasics!AVrfpRtlAllocateHeap+0x155
    00007ffc1fae1b06: ucrtbase!_malloc_base+0x36
    00007ffb45614e20: vfbasics!AVrfp_ucrt_malloc+0x40
    00007ff6061491f3: contoso!operator new+0x1F
    00007ff606144365: contoso!Widget::SlowGetId+0x25
    00007ff606144185: contoso!Widget::GetId+0x45
    00007ff606149400: contoso!<lambda_963292f271044b3ead3564f3abbc4b26>::operator()+0xb7
    00007ffc2279e4a3: ntdll!TppSimplepExecuteCallback+0xA3
    00007ffc22785976: ntdll!TppWorkerThread+0x8F6
    00007ffc2172257d: KERNEL32!BaseThreadInitThunk+0x1D
    00007ffc227aaa78: ntdll!RtlUserThreadStart+0x28

The timestamps and GlobalIndex let us reconstruct the chronology of what happened.

First (GlobalIndex 19E1E0), the original string was allocated when a lambda called Widget::GetId from thread 4180, which happens to be the thread we’re on right now:

0:005> ~.
.  5  Id: 5db8.4180 Suspend: 0 Teb: 000000b3`ecb84000 Unfrozen
      Start: ntdll!TppWorkerThread (00007ffc`22785080)
      Priority: 0  Priority class: 32  Affinity: ff

GetId() called SlowGetId(), and that’s what actually allocated the string.

Next (GlobalIndex 19E1E3), thread 7870 allocated a replacement string, also through SlowGetId().

And then (GlobalIndex 19E1E6), thread 7870 freed the first string.

And finally, we crashed because thread 4180 (the current thread) tried to copy from that first string, which was already freed.

My guess is that we had a race condition where two threads called GetId() at the same time, and both of them decided to do the lazy initialization of m_uniqueId.

Thread 4180 enters GetId() and sees that m_uniqueId is empty, so it calls SlowGetId() to get the ID.

While SlowGetId() is doing its slow work, thread 7870 calls GetId(), and it too sees that m_uniqueId is empty, so it also calls SlowGetId() to get the ID.

Thread 4180 finishes getting the ID from SlowGetId() and saves it in m_uniqueId. It then makes a copy of m_uniqueId to return to the caller.

While this copy is being made, thread 7870 finishes its call to SlowGetId() and (here’s where things go bad) saves it in m_uniqueId, which causes the previous string to become freed, even though thread 4180 is still copying from it!

The problem is therefore conflicting multithreaded access to m_uniqueId: One thread is reading while another is writing.

The design of the Widget class is apparently that multithreaded use is allowed, but simultaneous multithreaded use is permitted only for read operations. You cannot have a write operation concurrent with a read or another write.

The lambdas that called GetId() were careful to lock a shared_mutex in shared mode, thinking that GetId() was a read-only operation. I mean, look at its name: It’s “Get”. It just reads something!

Unfortunately, the lazy initialization of m_uniqueId made GetId() a read-write operation, even though its name sure sounds like a read-only operation.

One way to fix this is to make sure all callers of GetId() take an exclusive lock rather than a shared lock before calling GetId().

Another way to fix this is to have GetId() apply internal locking:

    std::string GetId()
    {
        // Fast path: hold the mutex in shared mode while reading, so
        // concurrent readers do not block each other once initialized.
        if (auto lock = std::shared_lock(m_sharedMutex);
            !m_uniqueId.empty())
        {
            return m_uniqueId;
        }

        // Slow path: compute the ID without holding any lock, then take
        // the exclusive lock to publish it. Another thread may have won
        // the race in the meantime, so re-check before assigning.
        auto uniqueId = SlowGetId();
        auto lock = std::unique_lock(m_sharedMutex);
        if (m_uniqueId.empty()) {
            m_uniqueId = std::move(uniqueId);
        }
        return m_uniqueId; // copied while the exclusive lock is still held
    }
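
As an added example (not code from the original post), here is a compilable version of the internally locked GetId() together with a small multithreaded harness. The names Widget, GetId, SlowGetId, m_uniqueId and m_sharedMutex follow the post; the body of SlowGetId (a short sleep plus the sample value from the dump), the two counters and the StressGetId harness are constructed here to make the behaviour observable. It shows what the fix actually guarantees: m_uniqueId is assigned exactly once and every caller receives the same string, while SlowGetId may still run more than once when several callers race through the slow path, because only the first result is published.

```cpp
#include <atomic>
#include <chrono>
#include <iostream>
#include <mutex>
#include <shared_mutex>
#include <string>
#include <thread>
#include <vector>

// Lazily initialized ID with internal locking, in the shape of the fix in
// the post. SlowGetId() is a constructed stand-in: it sleeps briefly so
// several threads can be inside it at once and returns a fixed sample value.
// The counters are added so the harness can observe what happened.
class Widget
{
public:
    std::string GetId()
    {
        // Fast path: shared lock, so initialized readers never block each other.
        if (auto lock = std::shared_lock(m_sharedMutex); !m_uniqueId.empty())
        {
            return m_uniqueId;
        }

        // Slow path: do the slow work unlocked, then publish under the
        // exclusive lock. Re-check, because another thread may have won.
        auto uniqueId = SlowGetId();
        auto lock = std::unique_lock(m_sharedMutex);
        if (m_uniqueId.empty())
        {
            m_uniqueId = std::move(uniqueId);
            ++m_publishCount;
        }
        return m_uniqueId; // the copy is made before the lock is released
    }

    int SlowGetIdCalls() const { return m_slowCalls.load(); }
    int PublishCount() const
    {
        auto lock = std::shared_lock(m_sharedMutex);
        return m_publishCount;
    }

private:
    std::string SlowGetId()
    {
        ++m_slowCalls;
        std::this_thread::sleep_for(std::chrono::milliseconds(5));
        return "fdf551a3ebd7f381"; // sample value taken from the dump in the post
    }

    mutable std::shared_mutex m_sharedMutex;
    std::string m_uniqueId;
    std::atomic<int> m_slowCalls{0};
    int m_publishCount = 0; // guarded by m_sharedMutex
};

struct StressResult
{
    bool allSame;      // every thread saw the same ID
    std::string id;    // the ID they saw
    int slowCalls;     // how many times SlowGetId() ran (may exceed 1)
    int publishCount;  // how many times m_uniqueId was assigned (must be 1)
};

// Hammer GetId() from several threads at once: a self-contained stand-in
// for the Application Verifier stress run described in the post.
StressResult StressGetId(int threadCount, int callsPerThread = 100)
{
    Widget widget;
    std::vector<std::string> ids(threadCount);
    std::vector<std::thread> threads;
    for (int i = 0; i < threadCount; ++i)
    {
        threads.emplace_back([&widget, &ids, i, callsPerThread] {
            for (int j = 0; j < callsPerThread; ++j)
                ids[i] = widget.GetId(); // each thread writes only its own slot
        });
    }
    for (auto& t : threads) t.join();

    bool allSame = true;
    for (auto const& id : ids) allSame = allSame && (id == ids[0]);
    return { allSame, ids[0], widget.SlowGetIdCalls(), widget.PublishCount() };
}

int main()
{
    auto r = StressGetId(8);
    std::cout << "id=" << r.id << " allSame=" << r.allSame
              << " SlowGetId calls=" << r.slowCalls
              << " publishes=" << r.publishCount << '\n';
}
```

The racy original cannot be reproduced deterministically in a test, since reading a freed buffer is undefined behaviour, which is why the harness checks the invariants of the fixed version instead. Doing the slow work outside the lock keeps readers unblocked during initialization at the cost of occasional duplicate SlowGetId() calls; if that work must run exactly once, the alternatives are the post's other fix (callers take the exclusive lock) or std::call_once.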

The post The case of the string being copied from a mysterious pointer to invalid memory appeared first on The Old New Thing.

Do not use Kagi [OSnews]

For quite a while now, you might have noticed various people recommending a search engine called “Kagi”. From random people on the internet, to prominent bloggers like John Gruber and David Pierce, they’ve all been pushing this seemingly new search engine as a paid-for alternative to Google that respects your privacy. Over the past few months to a year, though, more and more cracks started to appear in Kagi’s image, and I’ve been meaning to assemble those cracks and tie a bow on them.

Well, it turns out I don’t have to, because lori (I’m not aware of their full name, so I’ll stick to lori) already did it for me in a blog post titled “Why I lost faith in Kagi“. Even though I knew all of these stories, and even though I was intending to list them in more or less the same way, it’s still damning to see it all laid out so well (both the story itself, as well as the lovely, accessible, approachable, and simple HTML, but that’s neither here nor there).

Lori’s summary hits on all the pain points (but you should really read the whole thing):

Between the absolute blase attitude towards privacy, the 100% dedication to AI being the future of search, and the completely misguided use of the company’s limited funds, I honestly can’t see Kagi as something I could ever recommend to people. Is the search good? I mean…it’s not really much better than any other search, it heavily leverages Bing like DDG and the other indie search platforms do, the only real killer feature it has to me is the ability to block domains from your results, which I can currently only do in other search engines via a user script that doesn’t help me on mobile. But what good is filtering out all of the AI generated spamblogs on a search platform that wants to spit more AI generated bullshit at me directly? Sure I can turn it off, but who’s to say that they won’t start using my data to fuel their own LLM? They already have an extremely skewed idea of what counts as PII or not. They could easily see using people’s searches as being “anonymized” and decide they’re fine to use, because their primary business isn’t search, it’s AI.

↫ lori at lori’s blog

The examples underpinning all these pain points are just baffling, like how the company was originally an “AI” company, made a search engine that charges people for Bing results, and now is going full mask-off with countless terrible, non-working, privacy-invasive “AI” tools. Or that thing where the company spent one third of their funding round of $670,000 on starting a T-shirt company in Germany (Kagi is US-based) to print 20,000 free T-shirts for their users that don’t even advertise Kagi. Or that thing where they claimed they “forgot” to pay sales tax for two years and had to raise prices to pay their back taxes. And I can just keep on going.

To make matters worse, after publication of the blog post, Kagi’s CEO started harassing lori over email, and despite lori stating repeatedly they wanted him to stop emailing them, he just kept on going. Never a good look.

The worst part of it, though, is the lack of understanding about what privacy means, while telling their users they are super serious about it. Add to that the CEO’s “trust me, bro” attitude, their deals with the shady and homophobic crypto company Brave, and many other things, and the conclusion is that, no, your data is not safe at Kagi at all, and with their primary business being “AI” and not search, you know exactly what that means.

Do not use Kagi.

Amazon virtually kills efforts to develop Alexa Skills, disappointing dozens [OSnews]

There was a time when it thought that Alexa would yield a robust ecosystem of apps, or Alexa Skills, that would make the voice assistant an integral part of users’ lives. Amazon envisioned tens of thousands of software developers building valued abilities for Alexa that would grow the voice assistant’s popularity—and help Amazon make some money.

But about seven years after launching a rewards program to encourage developers to build Skills, Alexa’s most preferred abilities are the basic ones, like checking the weather. And on June 30, Amazon will stop giving out the monthly Amazon Web Services credits that have made it free for third-party developers to build and host Alexa Skills. The company also recently told devs that its Alexa Developer Rewards program was ending, virtually disincentivizing third-party devs to build for Alexa.

↫ Scharon Harding at Ars Technica

I’ve never used Alexa – Amazon doesn’t really have a footprint in either The Netherlands or Sweden, so I never really had to care – but I always thought the Skills were the reason it was so loved. It seemingly makes no sense to me to start killing off this feature, but then, I’m assuming Amazon has the data to back up the fact people aren’t using them.

It sucks, I guess? Can someone who uses Alexa fill in the blanks for me here?

15:42

Link [Scripting News]

I just finished Ripley on Netflix, an 8-part miniseries remake of The Talented Mr. Ripley, which I remember, probably incorrectly, as a light-hearted story. There was very little to laugh about in this new version, but omg it is such a beautifully presented story. Even if you hated the plot you'd have to watch it just to see the art. And if you're Italian or love Italy, you have to watch it. Anyway now that I know all the twists and how it ends, I'm going to have to watch it again, but I might wait to recover from the experience. It is, at times, hard to watch. But oh so goooood.

Link [Scripting News]

In some ways the look of Ripley resembles Poor Things, another eclectic and lovely to look at presentation.

Link [Scripting News]

I really want to see Civil War. Gets an amazing review in NYT.

15:21

What we need to take away from the XZ Backdoor (openSUSE News) [LWN.net]

Dirk Mueller has posted a lengthy analysis of the XZ backdoor on the openSUSE News site, with a focus on openSUSE's response.

Debian, as well as the other affected distributions like openSUSE are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.

15:00

NOKUBI Takatsugu: mailman3-web error when upgrading to bookworm [Planet Debian]

I tried to upgrade a bullseye machine to bookworm, and got the following error:

File “/usr/lib/python3/dist-packages/django/contrib/auth/mixins.py”, line 5, in
from django.contrib.auth.views import redirect_to_login
File “/usr/lib/python3/dist-packages/django/contrib/auth/views.py”, line 20, in
from django.utils.http import (
ImportError: cannot import name ‘url_has_allowed_host_and_scheme’ from ‘django.utils.http’ (/usr/lib/python3/dist-packages/django/utils/http.py)

During handling of the above exception, another exception occurred:

It is similar to #1000810, but it is already closed.

My solution is:

  • apt remove mailman3-web
    • keep db and config files (do not purge)
  • apt autoremove
    • remove django related packages
  • apt install mailman3-web mailman3-full

I tried to send to the report, but it returns `550 Unknown or archived bug’ …

14:35

Security updates for Friday [LWN.net]

Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).

13:49

Pluralistic: No, "convenience" isn't the problem (12 Apr 2024) [Pluralistic: Daily links from Cory Doctorow]


Today's links



A Rube Goldberg drawing of a man using an elaborate automatic napkin, a contraption that integrates a wall-clock, a parrot, a pop-up toaster and other contrivances. The background has been replaced with the 'code waterfall' effect seen in the credits of the Wachowskis' 'Matrix' movie. The fact of the wall-clock has been replaced with the staring eye of HAL 9000 from Kubrick's '2001: A Space Odyssey.'

No, "convenience" isn't the problem (permalink)

Using Amazon, or Twitter, or Facebook, or Google, or Doordash, or Uber doesn't make you lazy. Platform capitalism isn't enshittifying because you made the wrong shopping choices.

Remember, the reason these corporations were able to capture such substantial market-share is that the capital markets saw them as a bet that they could lose money for years, drive out competition, capture their markets, and then raise prices and abuse their workers and suppliers without fear of reprisal. Investors were chasing monopoly power, that is, companies that are too big to fail, too big to jail, and too big to care:

https://pluralistic.net/2024/04/04/teach-me-how-to-shruggie/#kagi

The tactics that let a few startups into Big Tech are illegal under existing antitrust laws. It's illegal for large corporations to buy up smaller ones before they can grow to challenge their dominance. It's illegal for dominant companies to merge with each other. "Predatory pricing" (selling goods or services below cost to prevent competitors from entering the market, or to drive out existing competitors) is also illegal. It's illegal for a big business to use its power to bargain for preferential discounts from its suppliers. Large companies aren't allowed to collude to fix prices or payments.

But under successive administrations, from Jimmy Carter through to Donald Trump, corporations routinely broke these laws. They explicitly and implicitly colluded to keep those laws from being enforced, driving smaller businesses into the ground. Now, sociopaths are just as capable of starting small companies as they are of running monopolies, but that one store that's run by a colossal asshole isn't the threat to your wellbeing that, say, Walmart or Amazon is.

All of this took place against a backdrop of stagnating wages and skyrocketing housing, health, and education costs. In other words, even as the cost of operating a small business was going up (when Amazon gets a preferential discount from a key supplier, that supplier needs to make up the difference by gouging smaller, weaker retailers), Americans' disposable income was falling.

So long as the capital markets were willing to continue funding loss-making future monopolists, your neighbors were going to make the choice to shop "the wrong way." As small, local businesses lost those customers, the costs they had to charge to make up the difference would go up, making it harder and harder for you to afford to shop "the right way."

In other words: by allowing corporations to flout antimonopoly laws, we set the stage for monopolies. The fault lay with regulators and the corporate leaders and finance barons who captured them – not with "consumers" who made the wrong choices. What's more, as the biggest businesses' monopoly power grew, your ability to choose grew ever narrower: once every mom-and-pop restaurant in your area fires their delivery drivers and switches to Doordash, your choice to order delivery from a place that payrolls its drivers goes away.

Monopolists don't just have the advantage of nearly unlimited access to the capital markets – they also enjoy the easy coordination that comes from participating in a cartel. It's easy for five giant corporations to form conspiracies because five CEOs can fit around a single table, which means that some day, they will:

https://pluralistic.net/2023/04/18/cursed-are-the-sausagemakers/#how-the-parties-get-to-yes

By contrast, "consumers" are atomized – there are millions of us, we don't know each other, and we struggle to agree on a course of action and stick to it. For "consumers" to make a difference, we have to form institutions, like co-ops or buying clubs, or embark on coordinated campaigns, like boycotts. Both of these tactics have their place, but they are weak when compared to monopoly power.

Luckily, we're not just "consumers." We're also citizens who can exercise political power. That's hard work – but so is organizing a co-op or a boycott. The difference is, when we dog enforcers who wield the power of the state, and line up behind them when they start to do their jobs, we can make deep structural differences that go far beyond anything we can make happen as consumers:

https://pluralistic.net/2022/10/18/administrative-competence/#i-know-stuff

We're not just "consumers" or "citizens" – we're also workers, and when workers come together in unions, they, too, can concentrate the diffuse, atomized power of the individual into a single, powerful entity that can hold the forces of capital in check:

https://pluralistic.net/2024/04/10/an-injury-to-one/#is-an-injury-to-all

And all of these things work together; when regulators do their jobs, they protect workers who are unionizing:

https://pluralistic.net/2023/09/06/goons-ginks-and-company-finks/#if-blood-be-the-price-of-your-cursed-wealth

And strong labor power can force cartels to abandon their plans to rig the market so that every consumer choice makes them more powerful:

https://pluralistic.net/2023/10/01/how-the-writers-guild-sunk-ais-ship/

And when consumers can choose better, local, more ethical businesses at competitive rates, those choices can make a difference:

https://pluralistic.net/2022/07/10/view-a-sku/

Antimonopoly policy is the foundation for all forms of people-power. The very instant corporations become too big to fail, jail or care is the instant that "voting with your wallet" becomes a waste of time.

Sure, choose that small local grocery, but everything on their shelves is going to come from the consumer packaged-goods duopoly of Procter and Gamble and Unilever. Sure, hunt down that local brand of potato chips that you love instead of P&G or Unilever's brand, but if they become successful, either P&G or Unilever will buy them out, and issue a press release trumpeting the purchase, saying "We bought out this beloved independent brand and added it to our portfolio because we know that consumers value choice."

If you're going to devote yourself to solving the collective action problem to make people-power work against corporations, spend your precious time wisely. As Zephyr Teachout writes in Break 'Em Up, don't miss the protest march outside the Amazon warehouse because you spent two hours driving around looking for an independent stationery so you could buy the markers and cardboard to make your anti-Amazon sign without shopping on Amazon:

https://pluralistic.net/2020/07/29/break-em-up/#break-em-up

When we blame corporate power on "laziness," we buy into the corporations' own story about how they came to dominate our lives: we just prefer them. This is how Google explains away its 90% market-share in search: we just chose Google. But we didn't, not really – Google spends tens of billions of dollars every single year buying up the search-box on every website, phone, and operating system:

https://pluralistic.net/2024/02/21/im-feeling-unlucky/#not-up-to-the-task

Blaming "laziness" for corporate dominance also buys into the monopolists' claim that the only way to have convenient, easy-to-use services is to cede power to them. Facebook claims it's literally impossible for you to carry on social relations with the people that matter to you without also letting them spy on you. When we criticize people for wanting to hang out online with the people they love, we send the message that they need to choose loneliness and isolation, or they will be complicit in monopoly.

The problem with Google isn't that it lets you find things. The problem with Facebook isn't that it lets you talk to your friends. The problem with Uber isn't that it gets you from one place to another without having to stand on a corner waving your arm in the air. The problem with Amazon isn't that it makes it easy to locate a wide variety of products. We should stop telling people that they're wrong to want these things, because a) these things are good; and b) these things can be separated from the monopoly power of these corporate bullies:

https://pluralistic.net/2022/11/08/divisibility/#technognosticism

Remember the Napster Wars? The music labels had screwed over musicians and fans. 80 percent of all recorded music wasn't offered for sale, and the labels cooked the books to make it effectively impossible for musicians to earn out their advances. Napster didn't solve all of that (though they did offer $15/user/month to the labels for a license to their catalogs), but there were many ways in which it was vastly superior to the system it replaced.

The record labels responded by suing tens of thousands of people, mostly kids, but also dead people and babies and lots of other people. They demanded an end to online anonymity and a system of universal surveillance. They wanted every online space to algorithmically monitor everything a user posted and delete anything that might be a copyright infringement.

These were the problems with the music cartel: they suppressed the availability of music, screwed over musicians, carried on a campaign of indiscriminate legal terror, and lobbied effectively for a system of ubiquitous, far-reaching digital surveillance and control:

https://pluralistic.net/2023/02/02/nonbinary-families/#red-envelopes

You know what wasn't a problem with the record labels? The music. The music was fine. Great, even.

But some of the people who were outraged with the labels' outrageous actions decided the problem was the music. Their answer wasn't to merely demand better copyright laws or fairer treatment for musicians, but to demand that music fans stop listening to music from the labels. Somehow, they thought they could build a popular movement that you could only join by swearing off popular music.

That didn't work. It can't work. A popular movement that you can only join by boycotting popular music will always be unpopular. It's bad tactics.

When we blame "laziness" for tech monopolies, we send the message that our friends have to choose between life's joys and comforts, and a fair economic system that doesn't corrupt our politics, screw over workers, and destroy small, local businesses. This isn't true. It's a lie that monopolists tell to justify their abuse. When we repeat it, we do monopolists' work for them – and we chase away the people we need to recruit for the meaningful struggles to build worker power and political power.

(Image: Cryteria, CC BY 3.0, modified)


Hey look at this (permalink)




This day in history (permalink)

#20yrsago Implicit ideology in video games https://reason.com/2004/04/01/free-play-2/

#20yrsago BBC tries DRM-free distribution https://web.archive.org/web/20040422090025/https://www.bbc.co.uk/radio4/reith2004/mp3.shtml

#20yrsago Remembering gopher https://www.wired.com/2004/04/gopher-underground-technology/

#20yrsago MSFT pays $440MM to settle DRM patent dispute https://www.theregister.com/2004/04/12/ms_settles_intertrust/

#15yrsago Billboards versus the attention economy: critical essay from 1960 https://web.archive.org/web/20090414052206/http://howtolookatbillboards.com/

#15yrsago Statebook: how UK gov’t spooks see the Internet http://www.statebook.co.uk

#15yrsago Manchester’s streets to be patrolled by CCTV cars that film you picking your nose at the wheel and then send you a fine http://news.bbc.co.uk/2/hi/uk_news/england/manchester/7994449.stm

#10yrsago Copy Me: a new critical animation series about copying, culture and copyright https://www.youtube.com/watch?v=62-UT84-fXM

#10yrsago Everything is a Remix vs Patent Trolls https://www.youtube.com/watch?v=Il9nXHoprsU

#5yrsago Foxconn’s inconsistent, chaotic behavior in Wisconsin looks awfully grifty https://www.theverge.com/2019/4/10/18296793/foxconn-wisconsin-location-factory-innovation-centers-technology-hub-no-news

#5yrsago Victory! House of Reps passes legislation to restore Net Neutrality https://www.eff.org/deeplinks/2019/04/victory-house-representatives-passes-net-neutrality-protections

#5yrsago Chicago is demanding that children on bail wear private-sector ankle-cuffs with mics that can record them without their consent https://theappeal.org/chicago-electronic-monitoring-wiretapping-juveniles/

#5yrsago Security keys are “transformative” and “revolutionary” for information security https://mrisher.medium.com/phishing-and-security-keys-b5c8e8e26931

#10yrsago RIP, Sue Townsend https://www.bbc.com/news/entertainment-arts-26982680

#5yrsago Text-mining journalists find that lawmakers introduced 10,000 bills that were copypasted from lobbyists’ “model legislation” https://publicintegrity.org/politics/state-politics/copy-paste-legislate/you-elected-them-to-write-new-laws-theyre-letting-corporations-do-it-instead/

#5yrsago Someone is targeting “critical infrastructure” safety systems in networked attacks https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/

#5yrsago Courts and cops don’t know what to do with “sovereign citizens,” the delusional far-rightists who claim the law doesn’t apply to them https://www.youtube.com/watch?v=d_y-gLm9Hrw

#5yrsago Amazon stores recordings of Alexa interactions and turns them over to internal staff and outside contractors for review https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio

#5yrsago Teen Vogue explains capitalism https://www.teenvogue.com/story/what-capitalism-is

#5yrsago French officials call Project Gutenberg archive, 15 million ebooks, Grateful Dead recordings and Prelinger Archive “terrorism,” demands removal from Internet Archive https://www.techdirt.com/2019/04/11/eu-tells-internet-archive-that-much-site-is-terrorist-content/

#5yrsago Brexit is cratering London house prices https://www.bloomberg.com/news/articles/2019-04-10/house-prices-in-london-southeast-u-k-forecast-to-keep-falling

#1yrago Alissa Quart's 'Bootstrapped: Liberating Ourselves from the American Dream' https://pluralistic.net/2023/04/10/declaration-of-interdependence/#solidarity-forever


Upcoming appearances

Recent appearances

Latest books

Upcoming books

  • Picks and Shovels: a sequel to "Red Team Blues," about the heroic era of the PC, Tor Books, February 2025
  • Unauthorized Bread: a graphic novel adapted from my novella about refugees, toasters and DRM, FirstSecond, 2025



Colophon

Today's top sources:

Currently writing:

  • A Little Brother short story about DIY insulin PLANNING
  • Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FORTHCOMING TOR BOOKS JAN 2025

  • Vigilant, Little Brother short story about remote invigilation. FORTHCOMING ON TOR.COM

  • Spill, a Little Brother short story about pipeline protests. FORTHCOMING ON TOR.COM

Latest podcast: Subprime gadgets https://craphound.com/news/2024/03/31/subprime-gadgets/


This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla

13:07

Error'd: Paycheque [The Daily WTF]

There are an infinite variety of ways to be wrong, but only a very small number of ways to be right.

Patient Peter W. discovers that MS Word is of two minds about English usage. "Microsoft Word just can't seem to agree with itself on how to spell paycheck/pay check." Faithful readers know it's even worse than that.

Slow Daniel confused me with this complaint. He writes "It seems that the eclipse has reversed the flow of time for the traffic-free travel time." I don't get it. Can readers explain? The only WTF I see here is how much faster it is to walk than to drive 2 miles. Franconia isn't Conway!

Parsimonious Adam found a surprise discount. "This album was initially listed as pay-what-you-want. I tried to pay $4 for it, but the price changed to a minimum of $5 before I was able to check out, and checkout rightfully failed. My shopping cart then reverted to saying this." I want to know what happened next.

Some of you dislike it when I thaw a thematic item from the deep freeze, so please note that B.J. sent us this sometime last year, noting that "Time works in mysterious ways for some companies. I earned a Verizon community 2 Year badge 36 hours after earning a 4 Year badge." I did consider saving it until July 26 this year but I'm just not that patient.

By comparison, I only had to drag this entry from the far back bottom corner of February's fridge. I imagine chill Paul intoning with his radio voice "This next saturday is going to be all ice ice baby."


12:21

Smuggling Gold by Disguising it as Machine Parts [Schneier on Security]

Someone got caught trying to smuggle 322 pounds of gold (that’s about a quarter of a cubic foot) out of Hong Kong. It was disguised as machine parts:

On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been “concealed in the integral parts” of the compressors. Those gold parts had also been painted silver to match the other components in an attempt to throw customs off the trail.

11:56

Discord is nuking Nintendo Switch emulator devs and their entire servers [OSnews]

Discord has shut down the Discord servers for the Nintendo Switch emulators Suyu and Sudachi and has completely disabled their lead developers’ accounts — and the company isn’t answering our questions about why it went that far. Both Suyu and Sudachi began as forks of Yuzu, the emulator that Nintendo sued out of existence on March 4th.

↫ Sean Hollister at The Verge

This is exactly what people were worried about when Nintendo and Yuzu settled for millions of dollars. Even though it’s a settlement and not a court ruling, and even though the code to Yuzu is entirely unaffected by the settlement and freely shareable and usable by anyone, and even though emulators are legal – the chilling effect this settlement is having is absolutely undeniable. Here we have Discord going far beyond its own official policy, without even giving the affected parties any recourse. It’s absolutely wild, and highlights just how dangerous it is to rely on Discord for, well, anything.

I wish that for once, we’d actually see a case related to console emulation go to court in either the EU or the US, to make it even clearer that yes, unless you distribute copyrighted code like game ROMs or console firmware, emulators are entirely legal and without any risk. You know, a recent court ruling we could point to to dissuade bullies like Nintendo from threatening innocent developers and ruining their lives because of entirely legal activities.

And let me reiterate: don’t use Discord for anything other than basic chat. This platform ain’t got your back.

DwarFS: a read-only compression file system [OSnews]

DwarFS is a read-only file system with a focus on achieving very high compression ratios in particular for very redundant data.

[…]

DwarFS also doesn’t compromise on speed and for my use cases I’ve found it to be on par with or perform better than SquashFS. For my primary use case, DwarFS compression is an order of magnitude better than SquashFS compression, it’s 6 times faster to build the file system, it’s typically faster to access files on DwarFS and it uses less CPU resources.

↫ DwarFS GitHub page

DwarFS supports Linux, macOS, and Windows, but macOS and Windows support is experimental at this point. It seems to have higher compression ratios at faster speeds than various alternatives, so if you have a use case for compression file systems – give DwarFS a look.

10:28

Updating our stuck interactions [Seth's Blog]

There are few sitcoms, thrillers or plays where the plot can tolerate the addition of a cell phone. Once the characters have the ability to connect and clear up misunderstandings at will, a lot of tension disappears. If Juliet had had a smartphone, she and Romeo would have ended up married, living in a house in the suburbs.

And the ubiquitous meeting-in-person has a similarly long history. And yet they still happen with very few changes, with power getting the head of the table, traditionally privileged voices being the loudest and no accommodations for new information or asynchronous interactions.

Political debates are largely unchanged since Lincoln’s day. Yes, we have microphones now, but it hasn’t occurred to the organizers to use a timer and simply turn off the mic when time’s up, not to mention including real time fact checking. We still reward bullying, bloviating and dances of dominance.

Email, once the most modern form of interaction, hasn’t changed much at all since I got my first address in 1976. There are a hundred ways it could be dramatically more effective and efficient, but it’s stuck.

Weddings, high school graduations and funerals also remain similar to the way they’ve always been.

One reason these formats stick around is that they are connection devices, and we often believe that we have to stick with the status quo, because getting everyone involved to agree on a new method is too difficult. And yet, new methods do arise… but sometimes we stick with the old ones without wondering why.

Humans have been communicating and coordinating since the beginning. But in the last fifty years, we’ve transformed the tech–now we need to think hard about whether we’re sticking with something because it works, or because we always have done it that way.

10:21

Reproducible Builds (diffoscope): diffoscope 264 released [Planet Debian]

The diffoscope maintainers are pleased to announce the release of diffoscope version 264. This version includes the following changes:

[ Chris Lamb ]
* Don't crash on invalid zipfiles, even if we encounter 'badness'
  through the file. (Re: #1068705)

[ FC (Fay) Stegerman ]
* Add note when there are duplicate entries in ZIP files.
  (Closes: reproducible-builds/diffoscope!140)

[ Vagrant Cascadian ]
* Add an external tool reference for GNU Guix for zipdetails.

You can find out more by visiting the project homepage.
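Both changelog items (surviving malformed archives, and flagging names that appear more than once in a ZIP) are easy to reproduce with Python's standard-library zipfile module. The following is an added example, not diffoscope's own code: it constructs an in-memory archive whose central directory lists lib/helper.py twice with different contents (constructed input; the file names are hypothetical), reports every duplicated name with the header offset, size and CRC of each copy, and turns an unparseable archive into a reported status rather than an exception. Duplicate entries are worth flagging because different extractors do not agree on whether the first or the last copy of a name wins, so two consumers of the same archive can end up with different files.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP whose central directory lists one name twice.

    This is constructed sample input, not a real archive. Python's zipfile
    permits the duplicate when writing and only emits a UserWarning, which
    is silenced here so the archive is produced quietly.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("lib/helper.py", "def helper():\n    return 'first'\n")
            # Second entry with an identical name but different content:
            # an extractor may keep either copy depending on whether it
            # honours the first or the last central-directory match.
            zf.writestr("lib/helper.py", "def helper():\n    return 'second'\n")
    return buf.getvalue()


def duplicate_entries(data: bytes) -> dict[str, list[dict]]:
    """Map each name that occurs more than once to the details of every copy.

    Walks the full central directory via infolist() rather than the
    name-keyed view, which silently keeps only the last copy of a name.
    Raises zipfile.BadZipFile for archives that cannot be parsed.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        counts = Counter(zi.filename for zi in infos)
        dups: dict[str, list[dict]] = {}
        for zi in infos:
            if counts[zi.filename] > 1:
                dups.setdefault(zi.filename, []).append({
                    "offset": zi.header_offset,
                    "size": zi.file_size,
                    "crc": zi.CRC,
                })
        return dups


def scan(data: bytes) -> dict:
    """Classify an archive without crashing on malformed input.

    Returns {"status": "invalid", ...} for unparseable data, otherwise
    {"status": "ok", "duplicates": {...}}.
    """
    try:
        dups = duplicate_entries(data)
    except zipfile.BadZipFile as exc:
        return {"status": "invalid", "error": str(exc), "duplicates": {}}
    return {"status": "ok", "duplicates": dups}


if __name__ == "__main__":
    report = scan(build_sample_zip())
    for name, copies in report["duplicates"].items():
        print(f"duplicate entry: {name}")
        for c in copies:
            print(f"  header offset {c['offset']:#x}, size {c['size']}, crc {c['crc']:#010x}")
    # Truncated garbage with a plausible local-header signature but no
    # end-of-central-directory record: reported, not raised.
    print(scan(b"PK\x03\x04 not really a zip"))
```

Running the script prints the two copies of lib/helper.py with distinct CRCs, followed by an "invalid" report for the junk input; a build-verification job can fail on any non-empty duplicates map.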

08:56

Crafty [Penny Arcade]

New Comic: Crafty

06:35

Codified – DORK TOWER 12.04.24 [Dork Tower]

DON’T HAVE A QR CODE READER HANDY? No sweat! click here to go to the link. Or simply scroll down this page a bit for the punchline

This or any DORK TOWER strip is now available as a signed, high-quality print!  JUST CLICK HERE!

Help keep DORK TOWER going  – join the DORK TOWER Patreon and ENLIST IN THE ARMY OF DORKNESS TODAY! (We have cookies!)

05:42

Girl Genius for Friday, April 12, 2024 [Girl Genius]

The Girl Genius comic for Friday, April 12, 2024 has been posted.

04:28

Here Comes the Rain Again [Whatever]

Turns out it was no joke that the only clear day in a week was the one that had the eclipse: it rained so much today that my yard river is back, which means good odds that I will find more fish in the grass when I walk the dog tomorrow. It’s such an odd thing. I imagine the fish aren’t thrilled with it either.

— JS

02:42

Abdellatif freed [Richard Stallman's Political Notes]

Australia kept an Egyptian refugee in deportation prison for 12 years because the government gave undue respect to a conviction in absentia in an Egyptian court which used torture to get "evidence".

Kafkaesque rigidity prolonged his imprisonment.

Lab-grown meat ban [Richard Stallman's Political Notes]

Some Republican-ruled states want to prohibit lab-grown meat.

Some of those states have already passed laws to punish making pictures of how farms treat their animals. We know the reason for both kinds of laws: to serve the powerful few companies that dominate US agriculture, and also to oppose efforts to curb global heating.

Mooing cows [Richard Stallman's Political Notes]

A new French law says that people who move into living spaces near existing activities that normally make noise have no right to demand an end to the noise.

This is simple common sense.

Lawful photography [Richard Stallman's Political Notes]

A UK thug accused press photographer Dimitris Legakis of "assaulting" per, and arrested him. Seven months later, just before the trial, prosecutors realized Legakis had committed no crime, and dropped the case.

The thug seems to have accused Legakis of a fictitious crime — something not unusual for thugs. Dropping the prosecution was the right thing for prosecutors to do, but it isn't enough. It is necessary also to teach thugs to lose that unjust habit.

What has been done towards that end?

HP printer rental [Richard Stallman's Political Notes]

HP invites customers to rent printers, with a contract that requires the printer to be reachable over the internet from HP, so it can monitor lots of things about what the renter prints.

Supposedly HP makes this snooping legitimate by making the renter explicitly consent to it. Balderdash! Massive surveillance cannot be justified by the manufacture of consent.

If we seriously want to stop companies from putting digital shackles on people, this sort of monitoring and control should be a crime. It should be punished with prison for the people who implemented it, as well as with fines to, or dissolution of, the company.

Arabic science [Richard Stallman's Political Notes]

*Why the Arabic World Turned Away from Science.*

Science thrived in the Islamic world until around 1000 CE, but since then has lost its impetus and its influence. The article speculates about what the cause was, and whether there is a chance of changing it today. One suggested cause is that Islam never recognized autonomous institutions of study that were not controlled by religious authorities.

Today there are Arabs who do science, but they often do it in parts of the world where Islam does not dominate.

Prison phone lawsuit [Richard Stallman's Political Notes]

*Lawsuits filed by a civil rights group allege that county jails in Michigan banned in-person visits in order to gouge prisoners and their families, as part of a "quid pro quo kickback scheme" with prison phone companies.*

The reason "prison phone companies" exist is to exploit an opportunity to gouge people who can least afford it — people who can't work except for a minuscule wage.

We need laws to require that these phone calls have a low price, or even zero price.
