Definitively Not( James )

2024/04/02



The whole xz thing is mind boggling.


The story starts two years ago. Lasse Collin is the sole developer maintaining xz as a hobby. xz is a Linux utility used widely - nearly every installation of Linux has it. Collin was delighted to start receiving help from JiaT75 - someone named Jia Tan. Tan kept fixing bugs, opening pull requests, and generally being helpful. Eventually, Collin granted Tan access to commit directly to the repository. They were a trusted helper, after all! Tan then took responsibility for managing releases, handled the project’s interactions with various security websites, and made life easier for Collin.


This year, Tan helped usher in versions 5.6.0 and 5.6.1 of xz. Tan dutifully continued to be helpful and encouraged various Linux distribution maintainers to include these new versions - they had security fixes, of course! Some did, some didn’t. Reviewing the code, it was unclear if the security fixes were major enough to warrant updating. These versions ended up in the “testing” versions of Debian, Red Hat, and Kali Linux - but these are large distributions used on millions of computers.


By chance, Andres Freund - a Linux developer over at Microsoft - became frustrated that their SSH client was taking 500ms longer to connect that day. It wasn’t clear to them why all of a sudden everything was half a second slower, and sure: it wasn’t the end of the world by any means, but it was ANNOYING. So they dug. They found something surprising.


Unfortunately, Jia Tan was not who they claimed to be. Tan was not just a helpful contributor. Tan was an agent of a nation state with a very specific goal - infiltration. They used their position to hide code inside xz that could be used to execute arbitrary malicious payloads - and then used their role as security contact to prevent folks from finding it. Versions 5.6.0 and 5.6.1 of xz included this code. Nobody noticed - that is, until Andres Freund.


If Andres hadn’t decided to inspect an annoyance, this backdoor would have been everywhere. Every bank, every government, almost every cell phone. This was all caught because someone didn’t want to wait half a second longer.


Lasse Collin is currently suggesting using an old version that doesn’t have ANY of Jia Tan’s code in it - 5.3.1.


Some real spy stuff, right?


Ars Technica has a more detailed write-up, and Lasse Collin has some notes about it on their site - but they’re currently on vacation and won’t be able to do much until they get back.


2021/10/27



Sometimes communication is difficult because you’re trying to express incredibly complex ideas using a complex tool such as language. The English language is ever-evolving and with over 500,000 words in Wiktionary the amount of choice available to you can be overwhelming. Beyond that, the many complex ways it can be combined and misused to form prose adds yet another layer.


However, it doesn’t have to be that way! There are constructed languages (“conlangs”) which have far fewer words and are much simpler to understand.


Esperanto is one such language, and with a little over 16,000 words you have to take the complex ideas down to simplify them so that they can be expressed in simpla terms. It’s the most widely spoken constructed language, and was designed with the hopes that the grammar could be komprenita within an hour.


While Esperanto is simple, we can always aim for a simpler crafted language. Klingon is one such language - a language designed for the Klingon people, a race of Suv from the planet Klingon. With at most 4,000 words, the language is heavily skewed towards battle because they are the antagonistic and combative folk in the television show Star Trek - so those are the words they use! Most of their time is spent on the che’ron. The culture of the Klingons is reflected in their language and the restrictions within.


How simple can a language be, while still including the capability of expressing complex ideas? Meet Toki Pona. This language, literally meaning “the language of good”, consists of just 125 words and a relatively simple grammar - taking about 30 hours to be a strong toki of the language. But how does that pali? Toki Pona was designed around a small nanpa of simple near-universal concepts, with more complex concepts achieved through combining them. For example, there are no words for “friend” or “enemy”, but “jan pona” (person + good) and “jan ike” (person + bad) could stand in for those ijo. Toki wile li pali sina pona, pona jan li pali pana ale. If you’re interested in the language of Toki Pona, there’s a wonderful cheat sheet.


https://news.ycombinator.com/item?id=22689959


2021/09/16


A 2015 study explored an interesting phenomenon: people that use web search tools to find data conflate information they find online with their own knowledge. This led to increased self-assessed knowledge, even in unknown domains or areas of study - even when trying to answer something, searching, and getting zero results.


Part of this is because learning, knowledge, and memory are closely related. The process by which we shift memories from “short term” to “long term” memory is referred to as consolidation. This process is when we’re most susceptible to having our memories “rewritten” naturally, as described by Daniela Schiller. It’s possible that search engines have become ubiquitous in our lives as a transactive memory partner - we receive information and then quickly re-remember the information as being our own.


This isn’t new to the internet, though. Memory and knowledge are not exact - mistaking outsourced knowledge for internal knowledge also happens when we’re part of integrated social environments. In a 1995 study, cockpit crews often conflated knowledge from another member as their own knowledge once it had been communicated to them.


If you’d like to subject yourself similarly to the study & conflate internet information with your own knowledge: Why are there jokers in a deck of cards?


2021/09/02


Wardialing is an information reconnaissance technique to find phone numbers of interest within a list. Dial up every number in an area code and listen for modems, fax machines, or bulletin board systems. Phone numbers can have a wide variety of systems behind them, but aside from phone books there’s no record of what these might be. Part of that is because the only way to know... is to call.


Valtteri Lehtinen called nearly 60,000 numbers in Finland to understand the telephone network better. This was done via a VoIP trunk to make simple calls over GSM - cellular connections. Once a call was connected, they recorded 60 seconds of audio for classification then hung up. They tried to focus on only public numbers and ignored any premium numbers that would have run out their calling credits too quickly.


Over the course of 40 days they found that only 3% of calls were answered, and only 70% were interesting. There were only 74 unique and interesting responses. These ranged from machines, faxes, and systems for presenting information to callers.


One was a message with the following:


Welcome to the end of the world.
There is still some hope left.
If you want to be rescued then press 1.
If you want to join the zombie army then press 2.
Choose something quickly, we don't have all day.
...
You have chosen to be a zombie and join the zombie army.
Please wait patiently to be bitten.
Please do not call again.
Thank you for calling.

2021/09/01


She knows, now, absolutely, hearing the white noise that is London, that Damien’s theory of jet lag is correct: that her mortal soul is leagues behind her, being reeled in on some ghostly umbilical down the vanished wake of the plane that brought her here, hundreds of thousands of feet above the Atlantic. Souls can’t move that quickly, and are left behind, and must be awaited, upon arrival, like lost luggage.


— Pattern Recognition by William Gibson


Jet lag - as the name might imply - is relatively new for humans. Propeller-driven craft and trains were much slower and didn’t cross enough time zones to cause it. Jet-driven airplanes travel such great distances that our circadian rhythm is frequently disrupted - causing disorientation and stress.


Traveling west is usually considered to be an easier shift than east. This is because most humans’ circadian clocks have an endogenous period that’s slightly greater than 24 hours, and it’s easier to expand that window than to shrink it. In most cases, the 6-9 hour shift east causes the most problems.


There are lots of “cures” for jet lag, but most boil down to timing and sleep schedules. Push to go to bed at a reasonable bedtime in the target timezone. Time your flight to avoid light when leaving and find light on arrival.


Sometimes, though, you just have to wait for your soul to catch up with your body.


2021/08/31


Kanji is exceptionally confusing to me. When looking at the word 森林浴 - “shinrin yoku”, I wanted to learn a bit more about the three kanji that make up the compound word.


To start with, though, let’s look at another word: 木 - “ki”, or in English “tree”. It’s 4 strokes, grade 1, and JLPT N4: it’s taught in grade 1 of Japanese schools and is part of level N4 of the Japanese Language Proficiency Test. This one’s pretty simple!


So, then 林… 木木, right? This is “hayashi”, and could somewhat be translated to a small grove or woods. Think a bunch of bushes, a few trees on their own. 8 strokes, still grade 1, but JLPT N3.


森 … okay, so we have THREE 木 now. This is “mori”, translated to a small forest or a large wooded area. Imagine denser greenery - perhaps harder to traverse. 12 strokes, again grade 1 and JLPT N3.


Put all this together and we have 森林 - “shinrin”. A big forest, like a mountain covered in foliage. If you’re thinking a forest in English, that’s what we’ve got here. Lots of 木.


浴 is “yoku”. 10 strokes, grade 4, and JLPT N2. This one’s a bit tougher. It’s a combination of 氵 (one of the water radicals) and 谷 (“tani”, or valley).


Put it all together and you have 森林浴, a peaceful walk to bask in the forest.


2021/08/24


An article was posted last month about the dangers of autofill in password managers. The thought is that if there’s Cross Site Scripting (“XSS”) on the page you’re logging in on and the password manager helpfully fills in the password automatically, you’ll lose your password.


The point the article makes is that the XSS doesn’t need to be on the authentication page - it can be anywhere. The idea is that you create a fake form that looks like a simple login page, the password manager fills in the credentials, and the form is deleted after shipping the credentials off.


So - the attacker gets a much lower-effort approach to credential collection. This is the usual security / ease-of-use tradeoff. Got it, though: let’s disable autofill globally - that solves the problem, right?


Well.. no. If you have an XSS vulnerability even without a password manager it’s already game over - you’ll be losing that password. Change the URL via the history API to be the correct URL, throw the fake login page out, collect the credential the user types in.


While it’s safer to disable autofill, the question brought up is “will people use it?” If the ease of use gets folks to use different passwords between services.. it’s a security win in my book, even if these new vectors are opened.


2021/08/11


The Russian Multipurpose Laboratory module “Nauka” docked with the International Space Station at 9:29AM Eastern on July 29th. It had an 8 day journey to get to the station. Nauka is a docking port, a spacewalk airlock, and a whole science facility - the biggest room in the International Space Station yet at 13 meters long and a diameter of 4.25 meters. Nauka launched from Kazakhstan after 14 years of delays.


Celebrations were had after the docking procedure was successful.


3 hours later at 12:59PM Eastern the ISS was passing over Indonesia. Nauka’s autopilot woke up and decided that it was time to take thrust control and leave. Unfortunately, Nauka was still firmly attached to the station. This is not ideal for the crew within the station.


The module started firing its thrusters to position itself for firing its main thruster. The station was out of radio contact with Moscow’s Mission Control, so nobody knew that Nauka was firing its thrusters. Only once the ISS started to shift orientation from these thrusters did NASA detect it - but within minutes the Flight Director in Houston started attempts to counteract the spin.


At the same time, the station’s automated systems began to note the deviation from norm and took action to counter the spin via thrusters on the Russian half of the station. Houston Mission Control instructed astronauts to close hatches and windows - preparing for the worst. The ISS was designed to handle this kind of torque - but it was a maneuver far outside normal mission parameters.


44 minutes of thruster action rotated the station one and a half turns about its long-axis. By the time the station entered back into Russian radio contact the thruster had exhausted its fuel and was dormant. Moscow Mission Control directed the flight control back to the ISS from Nauka and sent instructions for the station’s thrusters to return the ISS to a more desirable orientation.


Work continued as normal after the disaster had been averted.


2021/07/29


I can open your eyes
Take you wonder by wonder
Over sideways and under
On a magic carpet ride


How magical is that magic carpet ride, though?


We see prince Ali and Jasmine leave Agrabah on a magic carpet ride. Jasmine asks if it’s safe and then Aladdin just starts singing. Off to a shaky start, but they leave Agrabah and climb 15,000 feet above the clouds. On a few occasions they are thrown off the carpet but it catches them. You know. Safe. 60 seconds later they’re at what looks like the Great Sphinx of Giza. 15 seconds later they are at what looks like the Parthenon in Athens.


The distance from the Sphinx in Giza to the Parthenon in Athens is 615 miles across the Mediterranean Sea. To travel this in 15 seconds that magic carpet ride would be traveling in excess of 150,000 miles per hour - or roughly Mach 195. This puts them in the same league as a faster than average meteor. Meteors heat up both from air friction as well as the compression of air in front of them, and thus it would be safe to believe the magic carpet ride would have burst into flames as it travels across the sea.


Assuming they decelerate over the course of 3 seconds (perhaps when Aladdin is saying there’s time to spare) they would have experienced 2200 times the force of gravity. If Aladdin is around 120lbs normally (he’s a street rat, after all), his body would have felt like it weighed ~280,000lbs. For reference, a blue whale is 290,000lbs.


So, per Jasmine’s question, “Is It Safe?”, most certainly not. If it weren’t for the fact that it’s “magic” I wouldn’t trust prince Ali with anyone’s safety on that thing.


2021/06/16


President Biden signed an Executive Order to improve the Nation’s Cybersecurity posture. This is a pretty big deal because it signals to every organization across the government that they need to divert funding to implement this order.


This Executive Order covers a pretty wide variety of tasks, but a few things specifically stand out to me:


  • incorporation of NIST guidelines and standards as part of a playbook
  • enforcement of Multi-Factor Authentication everywhere in government
  • additional expectations of a Software Bill of Materials
  • required movement towards a Zero Trust architecture

The NIST guidelines are not that “out there” all things considered. However, there are a number of them that most government agencies don’t seem to follow. Recommendations against password expiration and arbitrary password composition rules are high up on that list. Government sites also often make it difficult to use password managers, which the NIST rules discourage. NIST has a really handy FAQ if you’d like the short version.


NIST is pretty clear that Multi-Factor Authentication should not be SMS and should not be email. This is to be adopted by agencies within 180 days of the order - and if they can’t adopt it within that time frame they must explain why not every 60 days to DHS / CISA / etc. Hopefully, most organizations will choose existing solutions like login.gov to implement this.


The Software Bill of Materials requirement is less clear as to what it’s really asking for. The executive order does not define this, but does set in place the requirement that a definition must be published within 60 days by the Secretary of Commerce.


Zero-Trust architecture is where there will be a huge amount of work to be done. This means designing systems so that both public and internal interactions between systems are defended. Assume there’s a threat actor that has already breached your network. With that in mind, you can’t give full access to just anyone and everything. Instead, you have to clearly define access and privileges, enforcing controls on who gets what and why.


I’m excited to see an executive order that takes cyber security seriously. Thanks to Beau Woods for tipping me off about this, I hadn’t even heard of it!


2021/06/09


Fastly had a bit of an incident on June 8th which you might’ve seen. The outage lasted around one hour, but it meant that loads of sites that rely on their CDN were impacted.


Fastly uses a fork of Varnish 2 - a general HTTP cache - that they maintain internally. This is core to a lot of how they do business, but isn’t the only piece of software they employ. However, they do give customers access to VCL, a domain-specific programming language to influence the behavior of their caching solution.


Best guess is that someone had included a configuration value that created VCL with undefined behavior which caused the shared infrastructure to crash or otherwise stop serving as expected. This is all a guess, of course, because they’re being relatively hush-hush about the exact details of the problem. (Makes sense because we don’t really need to know & it’s ~24 hours since the actual problem.)


They did provide a very good blog post and short post-mortem about the incident right away, though. For such a large company, that’s quite impressive.


Let’s just hope they don’t have to do that too often.


2021/06/08


The Playdate is an amazingly interesting exercise in the right marketing, the right UX, the right device, and the right time.


It’s an amazingly whimsical but simple device with a black and white screen, an itty bitty processor, some buttons, a directional pad, and a crank. Yes, a crank on the side as part of the game input.


This was made with folks over at Teenage Engineering, who are also amazingly good at marketing & UX. I’ve had so much fun with the pocket operators (here’s a video someone else made, not me!) and always want to buy their other devices..


None of these devices is exactly special in a technical sense, but they are in how they make you feel. I think that’s what matters.


2021/06/07


I read a wonderful blog post about the opening lines of novels and their importance. This is very true! There’s a lot to be said of the impact you can have in that first sentence. This applies not just to books - you have a minuscule amount of time to leave a good impression and bring people in.


However, there’s quite a bit also to be said about not starting with that opening sentence. You don’t need to get it right first thing. A terrible book with an amazing initial line is just a book that everyone will read and hate.


If you can iterate, you can eventually get that amazing sentence that gets everyone to pick up what you’re selling.


John Swartzwelder, a writer for the simpsons, gives advice on the subject:


I do have a trick that makes things easier for me. Since writing is very hard and rewriting is comparatively easy and rather fun, I always write my scripts all the way through as fast as I can, the first day, if possible, putting in crap jokes and pattern dialogue— “Homer, I don’t want you to do that.” “Then I won’t do it.” Then the next day, when I get up, the script’s been written. It’s lousy, but it’s a script. The hard part is done. It’s like a crappy little elf has snuck into my office and badly done all my work for me, and then left with a tip of his crappy hat. All I have to do from that point on is fix it. So I’ve taken a very hard job, writing, and turned it into an easy one, rewriting, overnight. I advise all writers to do their scripts and other writing this way.


And be sure to send me a small royalty every time you do it.


This, of course, applies beyond just script writing. Software, products, whatever it may be - often, the biggest roadblock you will have is that initial impetus to get things rolling. Once you have something it’s much easier to make smaller improvements.


With that in mind, go forth and embrace the crappy little elf that builds the v0.1 of whatever you’re making. Then, show them how much better you can make it.


2021/06/04


For some reason, any time you see someone in a movie go into space without a space suit you invariably see them explode, freeze, or somehow boil. None of this is true, but it’s not like the vacuum of space is really all that hospitable.


There’s a neat blog post from 2013 that backs me up on this, but for the most part: going out into space without a space suit is inadvisable, just for different reasons. There’s the issue of radiation, vacuum, and a distinct lack of oxygen.


Within a few seconds, you’d feel slightly warm, not cold, in space. Sure, space is cold, but there’s very little transfer of temperature. This is because there’s no matter in space to transfer heat via conduction or convection. Instead, all you’ve got is thermal radiation. This means heat is either radiating to you slowly from the sun or radiating off of you slowly. You won’t become a popsicle.


The vacuum of space is dangerous, but not in the way where people pop like a balloon. Instead, you’ll see some tissue swelling from water vapor under the skin, with some pretty gnarly bruises. However, this can also end up causing gas bubbles to form within the bloodstream, which can be incredibly deadly. Another issue is that the decompression will cause the air in your lungs to expand to an extent that could be incredibly dangerous. So, Pro-Tip: before taking a space walk without a space suit, exhale as much as you can.


The vacuum of space means a lack of matter, though. Oxygen is matter. Oftentimes, humans need oxygen to survive. This is where we come to our third problem: you can’t breathe in space, and worse, because of the vacuum the lungs actually will REMOVE oxygen from the blood stream. In under 30 seconds, you will start getting deoxygenated blood to the brain, and it’s lights out. Suffice it to say, it’s downhill from there.


So, short version? Don’t go into space without a pressure suit and a steady supply of oxygen.


2021/05/26


Amazon is starting its acquisition of MGM for a whole lotta cash. This is a bid to try to buy the defeat of Netflix via Amazon Prime streaming services. James Bond, the Addams Family, Stargate, The Lord of the Rings,


There’s a famous anti-trust case, US vs Paramount, which put an end to the Hollywood studio system. In the old system we had The Big Five studios - which included MGM - and they had a 90% ownership over the film market.


The studios had actors that had exclusive contracts, they made films that they owned exclusive rights to, and would only release them in theaters owned by the studio. The studios owned the entire vertical and it prevented smaller studios from breaking into the market. They couldn’t get actors. They couldn’t get their pictures up on screens.


This is all very similar now to the big VOD streaming companies. But hey, there’s legal precedent to prevent history from repeating itself, right? Well.. not exactly. On August 7th, 2020, the DOJ reversed the decision and added a termination period to the decree. This was heavily opposed by independent movie theater owners. By the time Amazon acquires MGM this will be completely reversed and Amazon will continue to burninate the countryside, gobbling up as much as possible. All it takes is for Amazon to buy AMC.


Now we’ll have a new Big Five: Netflix, YouTube, Amazon, Hulu, and Disney+ take up 85% of the streaming market. Art for Art’s sake, right?


2021/05/25


Getting DOOM to run on devices is a bit of a pastime for some folks. A recent Product Hunt offering has a DOOM captcha available.


DOOM can run on a fridge, a pregnancy test, or a printer. This is partially because DOOM was written to run on Intel 8086 PCs with limited to no graphics processing abilities. Compared to current computing power, it requires a minuscule amount of technical capability to run - at least compared to software like modern web browsers.


Much of this has to do with how the internals of DOOM works! If you’d like to learn more about that, there’s always the Game Engine Black Book on DOOM!


Then you can figure out how to run DOOM in DOOM.


2021/05/21


There are a lot of birds! There’s a recent global abundance study of birds which puts the estimate of birds at around 50 billion individual birds in the world. This is across roughly 9700 different species!


From big birds to little birds, they’re all amazing.


I think the Northern Mockingbird is interesting in particular, though. They’re known to be highly intelligent. If you are just a passerby in their nesting area, they’ll usually leave you alone. However, they can recognize individual humans! If you’re commonly near them they’ll remember you and have been known to try to scare you away. They’ll even remember if you’ve previously threatened or attacked them.


2021/05/19


Microsoft is retiring Internet Explorer June 15, 2022.


If you’re a web developer working on a modern website or app, we know you’ve been waiting for this day for a long time. Internet Explorer has increasingly been difficult to support side-by-side with modern browsers. With this change, enterprises and consumers will be able to limit their use of Internet Explorer to only those legacy sites that absolutely need it.


They even have a feature to nag people to stop using IE for your site!


2021/05/18


SQLite is a self-contained, high-reliability, and very very fast SQL database engine. It’s known as the most widely deployed database engine in the world. It’s absolutely the most deployed database engine off-world, too.


There’s a really cool blog post about hosting SQLite online, with a virtual file system that uses range requests to cut down on fetches. In this way, you can read from a database of nearly any size and query it efficiently! With a properly written query you can do instant lookups against gigabyte+ SQLite tables.


If you mix this with trigram indexing you can cover a lot of full-text search needs from an S3 bucket and the web! While it won’t have nearly as many features, this could potentially replace quite a lot of what Algolia provides.
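As an added example (not code from the post or the blog post it links), here is the trigram approach using Python’s built-in sqlite3 module: a (trigram, doc_id) posting list with a primary-key index, a query that narrows a substring search to candidate rows through that index, and a confirmation step, since trigrams can match out of order. The corpus is constructed.

```python
import sqlite3
from typing import List, Set

# Constructed sample corpus (not from the original post): log-style lines a
# small service might want to search. Entry 5 is deliberately a trigram
# false positive for the needle "admin": it holds "adm", "dmi" and "min"
# separately but never the word itself.
DOCS = [
    "Failed password for invalid user admin from 198.51.100.7 port 4022",
    "Accepted publickey for deploy from 203.0.113.5 port 51022",
    "Connection closed by 198.51.100.7 port 4022 [preauth]",
    "session opened for user deploy by (uid=0)",
    "minimum dmi table checked; adm role unchanged",
]


def trigrams(text: str) -> Set[str]:
    """Overlapping 3-character substrings of the lower-cased text."""
    t = text.lower()
    return {t[i:i + 3] for i in range(len(t) - 2)}


def build_index(docs: List[str]) -> sqlite3.Connection:
    """Load docs into an in-memory database with a trigram posting list.

    The (gram, doc_id) primary key is the whole index: a lookup for one
    trigram touches only a few B-tree pages, which is what keeps it cheap
    when the same file is served over HTTP range requests instead of disk.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE docs (id INTEGER PRIMARY KEY, body TEXT NOT NULL);
        CREATE TABLE trigram (
            gram   TEXT    NOT NULL,
            doc_id INTEGER NOT NULL,
            PRIMARY KEY (gram, doc_id)
        ) WITHOUT ROWID;
    """)
    for doc_id, body in enumerate(docs, start=1):
        conn.execute("INSERT INTO docs VALUES (?, ?)", (doc_id, body))
        conn.executemany("INSERT INTO trigram VALUES (?, ?)",
                         [(g, doc_id) for g in trigrams(body)])
    conn.commit()
    return conn


def candidate_ids(conn: sqlite3.Connection, needle: str) -> List[int]:
    """Docs containing *every* trigram of the needle, using the index only.

    Trigrams may appear out of order, so this can over-match; see search().
    """
    grams = sorted(trigrams(needle))
    if not grams:
        raise ValueError("needle shorter than 3 characters; use search()")
    placeholders = ",".join("?" * len(grams))
    rows = conn.execute(
        f"SELECT doc_id FROM trigram WHERE gram IN ({placeholders}) "
        f"GROUP BY doc_id HAVING COUNT(*) = ? ORDER BY doc_id",
        [*grams, len(grams)],
    )
    return [r[0] for r in rows]


def search(conn: sqlite3.Connection, needle: str) -> List[int]:
    """Ids of docs whose body contains needle (case-insensitive).

    Needles shorter than three characters have no trigrams and fall back
    to a full scan; everything else narrows via the index, then confirms
    each candidate with a real substring test to drop false positives.
    """
    needle_lc = needle.lower()
    if len(needle_lc) < 3:
        rows = conn.execute(
            "SELECT id FROM docs WHERE instr(lower(body), ?) > 0 ORDER BY id",
            (needle_lc,))
        return [r[0] for r in rows]
    cands = candidate_ids(conn, needle_lc)
    if not cands:
        return []
    placeholders = ",".join("?" * len(cands))
    rows = conn.execute(
        f"SELECT id FROM docs WHERE id IN ({placeholders}) "
        f"AND instr(lower(body), ?) > 0 ORDER BY id",
        [*cands, needle_lc],
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_index(DOCS)
    for q in ("admin", "port 4022", "deploy"):
        print(f"{q!r}: candidates={candidate_ids(db, q)} hits={search(db, q)}")
    print(f"'by' (scan fallback): hits={search(db, 'by')}")
```

Only values go into the SQL as bound parameters; the placeholder strings are just the right number of `?` marks, so the query stays injection-safe even for hostile search terms.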


Would I suggest replacing a mission-critical log aggregation and query for a top-100 tech company? Nope. Is it good enough for smaller use-cases? You betcha it is.


2021/05/17


Sometimes new technology and transit go haywire, as seen earlier this morning when a reboot caused turnstiles to lock up and prevent entry. In most cases the turnstiles are supposed to fail open. However, it seems an oversight was made during the engineering process which caused them to fail closed.


New technology isn’t always terrible, though! One thing the MTA has been working on has been improving the signals they use for running trains. Over the past five years the MTA has been replacing the existing infrastructure with newer digitized versions. Some of these signals were a century old. Because of this, trains can safely increase speeds!


If you take the R line in the city, for instance, trains have sped up by 15mph, all the way to 50mph in some areas! Even in dangerous areas like near the Brooklyn Bridge/City Hall station they were able to increase speeds because of this.


Some of this has also allowed for new kinds of data to be recorded. Many of these points help with logistics and planning for maintenance work and train routes. However, others enable things like the really cool live MTA map that shows where trains are in real time along the routes!


2021/05/12


Yoko Taro is an incredibly talented video game director and writer. Games that he’s worked on include Drakengard, SINoALICE, Nier, and Nier: Automata. He’s pushed video games in extreme ways that create beautiful experiences. There’s a level of polish and finesse exhibited. Platinum Games published a post about the music in Nier Automata that I found really interesting.


The music is all over the place in really amazing and interesting ways. One thing which makes it interesting is the vocals are often a mix of languages, between old Gaelic, French, Japanese, and English. This means no matter what you speak it is slightly foreign and like it’s from another time and place.


In Nier: Automata parts of the game are “Hacking” sections. At these points the game’s music switches over to an “8-bit” version which is much lower fidelity and sounds reminiscent of older video games instead of the orchestra of the normal soundtrack.


However, not all pieces of their score for NieR: Automata received a hand-made 8-bit track - given the amount of music they have, that was nearly untenable. Part of this has to do with some of the systems they had around mixing different tracks together. They instead developed a system that automatically created the chiptune music from the traditional orchestral score.


This was done by bucketing 48 tones across 4 octaves out of the score, distorting them aggressively, removing anything that was below a specific level to make the output clearer, and applying it back over the original song.


You can see how it worked in practice on their YouTube channel.


2021/05/10


The Seagaia Ocean Dome was a really, really big pool.


Well, it was more than a really big pool: it was 6 times the size of an Olympic pool, had 12,000 square meters of simulated beach, and was filled with more than 3.5 million gallons of water kept at 82F year round. In the case of bad weather they had the world’s largest retractable roof to keep everything going year round.


The Ocean Dome was opened in 1993 and demolished in 2017 after multiple bankruptcies and related hotel closures.


It wasn’t that bad of a waterpark, all things considered!


2021/05/07


Cloudflare has a really interesting blog post about branch prediction and the cost of if jumps in code. If it’s C, I’m unsure why you’d have non-macro debug if blocks peppered throughout your code, but sometimes it could make sense.


The blog post investigates branch prediction and how the Branch Target Buffer affects performance. The TLDR is that once you go above the L1 instruction cache you will find some cost, but in general the cost of an if statement that’s never taken is little to nothing, and the cost of always-taken branches may be an issue.


2021/05/06


A paper submitted to ACM in 2019 reviewed the privacy implications of accelerometer data as of that time.


Behavior tracking can go beyond the traditional step counter people think of when it comes to behavioral analysis. Eating, drinking, and smoking can be determined from wrist-mounted accelerometers. Further, gait can be inferred and level of intoxication can be interpreted. This can also give a guess at how heavy a load a person is carrying.


Taking all of this a bit further, you can even determine what is being said or written via these devices. Determining specific spoken “hotwords” could be done via accelerometer alone. It’s also possible to figure out what someone has typed on their phone’s virtual keyboard without actually having access to the keyboard, through only the movements of the phone.


Inference beyond this can build a fuzzier picture of who someone is without actually knowing who they are. Physical activity and its timing can suggest socioeconomic status, openness, and extraversion. It can be used to estimate someone’s mood, their relationships with others, and overall stress levels. It can also be used to guess age and gender from gait, movement parameters, and activity.


The short version, though? We really need to enforce the privacy related to wearable devices. It’s an imperative for our safety.


2021/05/04


Microgravity always looks really fun. It’s all fun and games until someone gets hurt, right?


In space, in microgravity, we lose gravity as the constant that settles things in one direction. On Earth, if you let go of a wrench while you’re moving it, it falls to the ground and friction stops it. In space, that wrench keeps going in the direction you let go of it and bonks someone in the head.


This is when you’d need to do a little surgery to suture up your mistake. Surgery in space is going to be even more difficult, for a number of reasons.


Without gravity, blood is no longer pulled downwards; instead it shifts toward the center of your body. On Earth that distribution would mean you had too much blood, so your body responds by shedding fluid, lowering your blood volume significantly. That already brings your baseline blood volume in space to a pretty low level. Add a wrench to the head and you lose even more, reaching a critical level quickly.


Wound healing in microgravity is also an unknown - we’ve done almost no research on how wounds heal in space. It’s likely there will be trouble because of the missing downward pull. This is made worse by an immune system that is heavily suppressed in microgravity and poorly prepared to fight off infections. Bacteria grow in even more interesting ways, too: instead of growing in two dimensions because gravity holds them down, they can grow in three.


Without gravity, liquids are held together by surface tension instead. Surface tension will cause blood to pool into globules, obscuring the surgeons’ view. You’d need to clear the field of view constantly, but given weightlessness and the risk of bacterial infection, it’s difficult to decide what to do with that excess. That’s also an unknown.


Suffice it to say - we probably aren’t prepared for this yet.


2021/05/03


Observance of Shabbat seems very tricky to accomplish in our modern age of technical advancement. There are a number of ways this is approached, such as the Shabbat mode found in a few different devices, or other means.


Elevators have a Shabbat mode. They will often pick up on the 1st floor, go to the top floor, and then stop on every floor on the way down. That way, you don’t operate the electric device and can properly observe.


Ovens often have a Shabbat mode, too. On some you set a cook time and desired temperature and it will turn on at some random point in the near future, completely out of your control. Sort of. Others keep the oven running continuously at a specific low temperature all day. As long as you aren’t creating new “fire”, then maybe it’s fine?


There are also eruv wires that mark a territory as “private”. This means that during Shabbat you can carry objects within the designated area. One such eruv encircles most of Manhattan. Every week it’s inspected and a status report is posted on Twitter.


But hey, don’t trust me on this. Ask a rabbi instead.


2021/04/30


Influenza has more or less disappeared, according to Scientific American. Where we’d normally see 35,000+ flu deaths in the US, we’re now seeing only around 600. The WHO has noted this too, in their vaccine recommendation and in their influenza tracking operations.


What’s more, with so little virus circulating there is less opportunity for mutation, which means the vaccine should be even more effective than it usually is.


Hopefully this doesn’t mean we’ll lose some immunity we’d normally have from it and end up with an influenza strain that is much more difficult to manage.


2021/04/29


The North American X-15 was an aircraft ahead of its time in the 1960s. Built by North American Aviation, with a rocket engine from Reaction Motors, its first flight was June 8th, 1959. Only 3 were ever produced, but they pushed aeronautics further than ever before.


The X-15 could not take off under its own power. Instead, it was carried aloft under the wing of a modified Boeing B-52 Stratofortress and released before lighting its own rocket engine. The X-15 reached 4,520 miles per hour at an altitude of 19.34 miles. To this day, that is the highest speed ever recorded by a crewed, powered aircraft.


Every pilot who flew the X-15 took their life in their hands. The ejection seat was never used in an emergency, and would only have worked at up to about 2,700 miles per hour. The pilots wore pressure suits, and both the suit and the cockpit were pressurized with nitrogen gas before flight. Not every pilot made it out of the program unscathed: Michael Adams was killed in 1967 when his X-15 entered a spin and broke apart during reentry.


Looking at the X-15, you do have to wonder: who in their right mind would step into that thing?


2021/04/28


For some reason, Pokemon cards - first edition - are going for insane prices. Folks are spending millions of dollars on them. Part of this is because single first-edition cards, like a Charizard, have sold for over $200,000 USD. People are investing in Pokemon cards instead of property.


However, because of this, we’re seeing an increase in fraudulent cards. The most public case is a $375,000 USD box that turned out to be counterfeit. This isn’t a new trend: art forgery was documented two thousand years ago, when Roman sculptors produced copies of Greek sculptures. At the time, though, buyers very likely knew these were not genuine pieces.


In 1496, Michelangelo sculpted a sleeping cupid. The piece was artificially aged with acid washing and sold to a cardinal, who eventually learned that it was not a true antique. Impressed by Michelangelo’s talent, however, he let the young artist keep what he had been paid. The piece was still displayed alongside true antiques, and so passed as one of them.


It leads me to think about Philip K. Dick’s “The Man in the High Castle”. In it, Frank Frink makes and artificially ages Colt pistols and other memorabilia. Does it matter more that they are actual Colt pistols from the Civil War? Or that the people collecting them can say that they are? It’s all in the “historicity”.


Getting up, he hurried into his study, returned at once with two cigarette lighters which he set down on the coffee table. “Look at these. Look the same, don’t they? Well, listen. One has historicity in it.” He grinned at her. “Pick them up. Go ahead. One’s worth, oh, maybe forty or fifty thousand dollars on the collectors’ market.” The girl gingerly picked up the two lighters and examined them. “Don’t you feel it?” he kidded her. “The historicity?”


She said, “What is ‘historicity’?”


“When a thing has history in it. Listen. One of those two Zippo lighters was in Franklin D. Roosevelt’s pocket when he was assassinated. And one wasn’t. One has historicity, a hell of a lot of it. As much as any object ever had. And one has nothing. Can you feel it?” He nudged her. “You can’t. You can’t tell which is which. There’s no ‘mystical plasmic presence,’ no ‘aura’ around it.”


How much does it matter if the Shiny Charizard in Mint 9 condition is a forgery without true historicity if nobody could tell?


2021/04/27


A few studies published in the Proceedings of the National Academy of Sciences suggest that we form class biases from even a few seconds of speech.


This is concerning but not unheard of. There are subjective standards in spoken English that people associate with a higher social class, and this changes how we judge others. A follow-up study examines how this may affect hiring managers’ assessments of qualifications.


What makes the research even more interesting is that pronunciation cues give a more accurate read of someone’s social status than the content of what they say.


2021/04/26


Google Cloud is terrifying to some people because of Google’s habit of axing products left and right.


Steve Yegge penned an interesting blog post about their experiences with Google deprecation, both from inside Google and from outside. They ran into the same deprecation problems as a customer that they had seen culturally on the inside. Compared to AWS, there is a stark difference in how old technology that isn’t actively being developed gets deprecated.


Deprecation isn’t the only oddity. Quota increases can be weird, too - AWS asked me why I wanted my quota upped, I wrote something, I don’t think they read it, and then they upped it. With Google, it was faster than AWS but I did have to talk to someone on the phone in sales. It felt weird. Perhaps it’s a way to increase touch points and push people to use more at GCP?


Google has gone on record saying that they’ll end the GCP projects if they don’t outclass Azure or AWS or the like. That’s a tall order, and would require a much heavier marketing and engineering push than I’ve been seeing. They set the deadline to 2023, so I’m sure we’ll see Google Cloud shutting down before 2025.


Who knows, though, I’ve heard rumors of folks dog-fooding Google Cloud internally. If Google Cloud could sign a deal as big as Google onto their cloud, I’m sure they’d quickly outrank AWS, right?


2021/04/22


There’s a Unicode proposal for textile care instructions. It adds 40 new characters representing instructions on how to wash your clothes. These come from ISO 3758, the international standard for textile care labelling symbols.


Much of this is based on work by GINETEX, an association for textile care labels in Europe, South America, Africa, and Asia. They’ve been working on care labels since the late 60s and pushing for regulation since the 70s. If a nation is a GINETEX member, GINETEX mandates that care instructions use the symbols correctly.


Unfortunately, many of the GINETEX symbols are trademarked, and so can’t be used freely in many European countries even though they appear in ISO 3758. This is partly because GINETEX wants to mandate the correct use of these symbols.


But, seriously, how do I wash my coat?


2021/04/21


Researchers at the University of Minnesota published a paper on how malicious actors can introduce vulnerabilities into open source by contributing commits. They tested this by intentionally submitting flawed patches to the Linux kernel. In response, the kernel maintainers reverted around 190 commits from the university’s addresses, some of which had already landed in stable branches.


Ethically, this is unacceptable experimentation on unwitting subjects, and it has been reported to the UMN Institutional Review Board. Complaints have also been filed with IEEE asking that the paper be withdrawn, though that is unlikely. The university as a whole has been banned from contributing to the Linux kernel and from many kernel mailing lists.


Their experiments prove that humans are fallible. Good job, folks.


*plonk*


2021/04/16


Someone called out allowing disposable email as a security concern today.


I disagree. Disposable email is just another term for… email. Any email service that you can sign up to. Just that some are easier to sign up to than others.


These lighter-weight sign up email services are important for people that are privacy conscious and want to control how they are interacted with more readily.


What about gmail? Okay, I sign up once with [email protected] - then the next day I sign up with [email protected] - then [email protected] - then [email protected]


“Disposable” email services are not the issue, here. I don’t care if you use a service that is “disposable” or “real” or not. I can use any address @my-domain and it will all work.


Does that mean I run a disposable email service and I should be blocked?
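One concrete version of the check a sign-up form can actually make, as an added example rather than anything from the post: instead of asking whether a domain is “disposable”, normalise each address down to the inbox it reaches and count inboxes. The Gmail rules used here (dots in the local part ignored, a “+tag” stripped, googlemail.com folded into gmail.com) are documented provider behaviour; the catch-all domain my-domain.example, the sample sign-ups and all function names are constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Collapse aliases of one inbox so sign-up abuse checks compare inboxes, not
// raw strings. Rules: lower-case everything, drop a "+tag" subaddress, and for
// Gmail ignore dots in the local part and fold googlemail.com into gmail.com.
// A catch-all domain has no such rule: "anything@my-domain" is already one inbox.
std::string canonical_email(std::string addr) {
    std::transform(addr.begin(), addr.end(), addr.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    const std::size_t at = addr.rfind('@');
    if (at == std::string::npos) return addr;            // not an address; leave untouched
    std::string local = addr.substr(0, at);
    std::string domain = addr.substr(at + 1);
    const std::size_t plus = local.find('+');
    if (plus != std::string::npos) local.erase(plus);      // "jane+shop" -> "jane"
    if (domain == "googlemail.com") domain = "gmail.com";
    if (domain == "gmail.com")                             // Gmail ignores dots in the local part
        local.erase(std::remove(local.begin(), local.end(), '.'), local.end());
    return local + '@' + domain;
}

// Number of distinct inboxes behind a list of sign-up addresses.
std::size_t distinct_inboxes(const std::vector<std::string>& addrs) {
    std::set<std::string> seen;
    for (const std::string& a : addrs) seen.insert(canonical_email(a));
    return seen.size();
}

// Constructed sample: four sign-ups from one Gmail inbox, three from a catch-all domain.
const std::vector<std::string> kSignups = {
    "jane.doe@gmail.com", "Jane.Doe+shop@gmail.com", "janedoe+2@googlemail.com",
    "j.a.n.e.d.o.e@GMAIL.COM", "a@my-domain.example", "b@my-domain.example", "c@my-domain.example",
};

int main() {
    for (const std::string& a : kSignups) std::printf("%-28s -> %s\n", a.c_str(), canonical_email(a).c_str());
    std::printf("%zu sign-ups, %zu distinct inboxes\n", kSignups.size(), distinct_inboxes(kSignups));
    return 0;
}
```

The seven sign-ups collapse to four inboxes: the four Gmail variants become one, while the three catch-all addresses stay three because nothing in the string tells you they share an owner. That is the limit of any address-based rule, and a domain blocklist labelled “disposable” does not get past it either.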


2021/04/15


John Wilander, principal engineer on Intelligent Tracking Prevention in Safari, opened an issue on the WICG FLoC GitHub repository pointing out how FLoC could be used for cross-site tracking. If so, the purported privacy benefits of FLoC would be moot; in fact, it could make a user easier to track.


To take this to the crowd metaphor: Before the pandemic and some time back, I attended a Mew concert, a Ghost concert, Disney on Ice, and a Def Leppard concert. At each of those events I was part of a large crowd. But I bet you I was the only one to attend all four.


Indeed, de-anonymizing users is a huge problem. Research has shown that 99% of Americans can be re-identified from 15 demographic attributes. As part of that work, the researchers built a tool that, from just three data points - ZIP code, gender, and birth date - has an 83% chance of identifying someone.


We aren’t as anonymous as we’d like to think because we’re all wonderful and special little snowflakes.
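As an added example of the concert-crowd point (this is not from the post or from the paper it cites), the C++ snippet below measures how quickly a constructed set of eight visitors becomes unique as attributes are combined: a FLoC-style cohort on its own leaves everyone in a group of four, three conventional attributes already leave six of eight unique, and joining the cohort to those three makes every visitor unique. The Visitor struct, its field names and all values are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One visitor as a site might see them: an interest cohort shared by many
// browsers, plus a few attributes the site collects itself. Constructed data.
struct Visitor {
    std::string cohort;
    std::string zip;
    std::string gender;
    std::string birth;
};
using Attr = std::string Visitor::*;   // pointer to one of the fields above

// Group size for every distinct combination of the chosen attributes.
static std::map<std::string, int> group_sizes(const std::vector<Visitor>& vs, const std::vector<Attr>& attrs) {
    std::map<std::string, int> groups;
    for (const Visitor& v : vs) {
        std::string key;
        for (Attr a : attrs) key += v.*a + '\x1f';   // separator keeps "ab"+"c" distinct from "a"+"bc"
        ++groups[key];
    }
    return groups;
}

// Share of visitors who are alone in their group: each of them is re-identifiable.
double unique_fraction(const std::vector<Visitor>& vs, const std::vector<Attr>& attrs) {
    if (vs.empty()) return 0.0;
    int unique = 0;
    for (const auto& g : group_sizes(vs, attrs)) if (g.second == 1) ++unique;
    return static_cast<double>(unique) / static_cast<double>(vs.size());
}

// k-anonymity under these attributes: the smallest group anyone falls into (1 = someone is unique).
int k_anonymity(const std::vector<Visitor>& vs, const std::vector<Attr>& attrs) {
    int k = static_cast<int>(vs.size());
    for (const auto& g : group_sizes(vs, attrs)) k = std::min(k, g.second);
    return k;
}

// Eight constructed visitors; the first and fifth share everything except their cohort.
const std::vector<Visitor> kVisitors = {
    {"c1", "75034", "F", "1980-01-01"}, {"c1", "75034", "F", "1982-02-02"},
    {"c1", "75034", "M", "1980-01-01"}, {"c1", "10001", "M", "1975-06-30"},
    {"c2", "75034", "F", "1980-01-01"}, {"c2", "10001", "F", "1985-03-03"},
    {"c2", "10001", "M", "1985-03-03"}, {"c2", "10001", "M", "1985-03-04"},
};

int main() {
    const std::vector<Attr> three = {&Visitor::zip, &Visitor::gender, &Visitor::birth};
    const std::vector<Attr> four = {&Visitor::cohort, &Visitor::zip, &Visitor::gender, &Visitor::birth};
    std::printf("cohort only:            %.2f unique, k=%d\n", unique_fraction(kVisitors, {&Visitor::cohort}), k_anonymity(kVisitors, {&Visitor::cohort}));
    std::printf("zip+gender+birth:       %.2f unique, k=%d\n", unique_fraction(kVisitors, three), k_anonymity(kVisitors, three));
    std::printf("cohort+zip+gender+birth: %.2f unique, k=%d\n", unique_fraction(kVisitors, four), k_anonymity(kVisitors, four));
    return 0;
}
```

The cohort is harmless in isolation and decisive in combination: it is the one attribute that separates the two otherwise identical visitors. That is the shape of Wilander’s objection, where a signal designed to hide you in a crowd becomes one more column to join on.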


2021/04/14


On November 18th, 2008, Heide Stefanyshyn-Piper looked out into the blue of the ocean from 250 miles away. Above it. She kicked off on her third career EVA, the first of mission STS-126. She was out there with fellow astronaut Stephen Bowen to service the rotary joint that lets the solar arrays track the sun; it had degraded and was not operating properly. The solution the ground control folks came up with? Go out there with some grease and some wipes to clean it up and grease it up. No sweat.


Looking into her bag of these advanced tools, she sees something very concerning. “I think we had a grease gun explode in the large bag. There’s grease in the bag.”


She heard Steve Bowen observe dryly over her headset, “Ah. It must have been the pressure changes.” Putting that MIT engineering degree to work.


The flight controllers peered through her helmet camera uplink and calmly assessed the situation, offering suggestions. She grabbed a dry wipe and did her best to clean up the grease. The EVA suit isn’t known for being dexterous, though, and one movement too exaggerated knocked the bag. It tumbled away, off on its own. Out of reach.


“Oh, great. We have a lost tool, uh, I guess one of my crew lock bags was not transferred and it’s loose.”


This is how one more piece of space debris ended up in orbit. There are more than 23,000 pieces of debris larger than 10cm in orbit, and the number grows every day. Even something as small as Heide’s tool bag could be tracked and seen from the ground.


Space debris becomes more and more of a concern as we look outwards from our own planet. The worry is known as the Kessler syndrome: a time could come when the density of debris is so high that avoiding collisions becomes impossible. Even back in the early 2000s, small debris was found embedded in shuttle windows.


An impact with a piece of space debris happens at an average relative velocity of 10-15 km/s. That is 10x the speed of even the fastest bullets. At that speed, even a bolt no bigger than your thumb will tear through steel like paper.


There’s many projects to track and visualize space debris, but what do we do to make this better?


One approach is to stop putting things in higher orbits. Low Earth orbit still has a trace of atmosphere, which causes drag. This means that, without assistance, objects in low Earth orbit will eventually fall out of orbit and return to Earth. This is great because it puts a much shorter time limit on debris: years instead of millennia. This is why Starlink, which flies low, is considered less of a debris problem.


However, that still leaves thousands of tons of space junk in higher orbits. Some of it will take many, many lifetimes to deorbit on its own, perhaps longer. Actively removing it takes ingenuity. Science fiction has explored active removal in movies and comics.


In reality, it’s more likely that we’ll use ground-based or satellite-based laser brooms to nudge and deorbit smaller debris (1cm-10cm in size). This works by targeting a piece of debris and firing a high-power laser to vaporize a thin layer on one side of it, producing thrust. That lowers the orbit, hastening the eventual deorbit.


Oh, and Heide’s tool bag? It stayed in its own low orbit around Earth until it had lost enough velocity to come back down on August 3, 2009. It burned up on reentry.


2021/04/13


Another Google product is being put out to pasture, in particular “Google Play Movies & TV”. Previously available content will be on YouTube on smart TVs. The Android app has already been rebranded to Google TV (not to be confused with Google TV). This continues Google’s tradition of killing products.


Google Play Music was taken out a few months back, with Youtube Music being the replacement. This was such a difficult transition that I started paying for Spotify for my parents to use.


To understand why this is (I am not a Xoogler and I am sure SOMEONE here has a clearer picture of this), it helps to understand promotions at Google! Promotions at higher levels have criteria around impact to the organization and the business. A project that creates a big splash gets people promoted, and that attracts people to those projects.


On the other hand, maintenance does not translate well into impact. This means that projects that aren’t shiny and new will bleed members from their teams. Maintenance work is a dead end because, in most cases, if you do your job right nobody knows you’ve done anything at all.


It’s totally understandable when you reframe it like this. But nobody has to like it.


2021/04/12


In yet another great step for cryptocurrency enthusiasts, there’s now an implementation of std::unique_ptr backed by crypto NFTs! Exciting. What does that mean in practice?


std::unique_ptr in C++ is a smart pointer that owns another object through a raw pointer (a memory address). What makes it “smart” is that it is the sole owner: it cannot be copied, only moved, and it disposes of the object when it goes out of scope. Disposal is most often done with the delete operator, but the developer can supply a custom deleter instead.


This NFT pointer implementation has the same semantics and usability as a traditional smart pointer, but it is also on the Ethereum blockchain, making it superior.


As we all know, adding blockchain to a problem automatically makes it simple, transparent, and cryptographically secure.


The difference in performance between the two is negligible in the grand scheme of things, with std::unique_ptr running in 0.005 seconds, followed closely by nft_ptr at 3 minutes per call.


I applaud Zhuowei Zhang’s efforts to bring cryptocurrency to more widespread appeal. For more information, check out their whitepaper.
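To make the smart-pointer semantics concrete, here is an added C++ example (it is not the post’s code and not Zhuowei Zhang’s nft_ptr): a std::unique_ptr with a developer-supplied deleter, showing single ownership, transfer by std::move, and release exactly once when the owning pointer leaves scope. The Handle type, the release counter and the function names are constructed for the demonstration.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Counts deleter invocations so "released exactly once" can be checked, not assumed.
static int g_releases = 0;

struct Handle { int id; };

// Custom deleter: unique_ptr calls this instead of plain `delete` when it lets go.
struct ReleaseHandle {
    void operator()(Handle* h) const {
        ++g_releases;
        delete h;
    }
};

using HandlePtr = std::unique_ptr<Handle, ReleaseHandle>;

HandlePtr open_handle(int id) { return HandlePtr(new Handle{id}); }

// Taking the pointer by value takes ownership: the handle is released when `p` dies here.
int consume(HandlePtr p) { return p->id; }

// Walks through the ownership rules and returns how many releases happened (2 if all is well).
int demo_ownership() {
    g_releases = 0;
    int consumed = 0;
    {
        HandlePtr a = open_handle(1);
        HandlePtr b = open_handle(2);
        // HandlePtr c = a;           // does not compile: a copy would mean two owners
        HandlePtr c = std::move(a);   // ownership transfers; `a` is now null
        if (a) return -1;
        consumed = consume(std::move(b));   // released inside consume(), not here
        if (g_releases != 1) return -2;
        (void)c;                      // still owned here; released when this block ends
    }
    return consumed == 2 ? g_releases : -3;
}

int main() {
    std::printf("releases after the scope ended: %d\n", demo_ownership());
    return 0;
}
```

The commented-out copy is the important line: the compiler rejects it, which is how unique_ptr rules out double frees and use-after-free through a second owner at build time rather than at run time. A moved-from pointer is null, so its destructor does nothing, and the deleter runs once per object no matter how many times ownership changed hands.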


2021/04/09


Amazon employees in Bessemer, Alabama voted against unionizing their workplace. There’s a lot that could be said about this - whether there was some form of interference in the vote, or if it’s good or bad for the employees.


If you take a look at Bessemer compared to other cities, it’s not positive. Manufacturing jobs dried up, unemployment rose, and crime increased. It was named Alabama’s worst city to live in by 24/7 Wall St. The Amazon jobs are huge given that Amazon employs some 30% of the city. For that city, at least in the short term, Amazon can be a great power for good. Long term, who knows.


As interesting as arguing about unions may be - let’s instead look at another aspect of Amazon and how they interact with their workforce.


In particular, the Fulfillment Center (FC) Ambassador Program.


The FC Ambassador Program lets fulfillment center employees spend one day a week tweeting about how great their job at the warehouse is. They are trained to follow scripts, and don’t get much out of it aside from an Amazon gift card and one paid day off (which expires after 3 weeks). This results in great tweets such as the following.


Did you know that Amazon pays warehouse workers 30% more than other retailers? I feel proud to work for Amazon – they’ve taken good care of me. Much better than some of my previous employers.


— Shaye – Amazon FC Ambassador 📦 (@AmazonFCShaye) August 21, 2018


They’re often the “kiss asses” of their departments. Who can blame them, though? Getting out of 10 hours of loading and unloading trucks, and all you have to do is write some tweets? I’d be tempted, too.


We continue to slowly tread towards the Amazon dystopia we never wanted.


2021/04/08


We’re moving away from fossil fuels in our day-to-day transit as electric vehicles become more viable for our transportation needs. However, pushing people to use bicycles more would be far more helpful than pushing for a transition to electric vehicles.


Electric vehicles are far from carbon neutral. They’re better than combustion engine vehicles, of course, but the production of the batteries and chassis still generates a large amount of emissions. The electricity used to charge them is also not carbon-zero.


Pushing for bicycles works in dense cities, especially those with milder climates. However, most articles gloss over rural areas with more extreme climates. It’s one thing to trudge around New York City on a humid 95F / 35C day. It’s uncomfortable and you might end up a little sweaty. It’s an entirely different story to bike the 35 miles from Frisco, Texas into downtown Dallas in a 115F / 46C summer. It’s downright dangerous.


Bicycling is great if it’s an option - but it won’t be for everyone. While electric vehicles aren’t entirely carbon zero, they’re better than many alternatives while being feasible “replacements”.


But if you’re in a city and can bike somewhere? Do that. It’s healthier, too.


2021/04/07


Dungeons and Dragons is, first and foremost, a collaborative storytelling game. Sure, there are lots of numbers and mechanics to support those stories; without them, there’s a whole lot of chaos. At the end of the day, though, all of the rules can be bent or broken.


That’s why the Dungeon Master is always looked upon as a supreme being of grand benevolence. It’s also why there’s one rule that has withstood the test of time: The Rule… of Cool.


It’s one of the first things you get told when you ask a seasoned DnD storyteller for advice. The Rule of Cool is simple, really. If it’s cool? Why not let it play out? Of course, cool is subjective.


Here’s the deal: You’re playing with friends. You want your friends to all feel like they are the most amazing people. (Spoiler: They are.) So the Rule of Cool can be used as a fantastic reward to those wonderful players.


My favorite rule of cool I’d been part of was when an Orc Fighter, a Human Druid, an Elven Cleric, and a Gnome Barbarian were in dire straits. They’d been fighting a Big Bad Evil Wizard for an hour, and he had nearly taken them down. Right as they were going to strike the final blow, the wizard opened a magical portal (Dimension Door) towards their friend and compatriot, the Elven Cleric.


He’d knocked them unconscious with a magic weapon attack, and the cleric was barely holding onto their mortal coil. None of the three had enough time to get over the difficult terrain to the Big Bad to save their friend. A friend they’d grown close to over months. Someone they cared about. In less than 6 seconds, they knew, it would be the end.


Except… what if… So the Orc player stared straight at our DM and declared their next action. “I’m going to do a fastball special.” They were declaring that they’d PICK UP the Gnome and throw them as hard as they could at the Big Bad.


The DM’s eyebrow raised as they opened up their rulebook, looked a bit, and closed it. We all knew there was nothing in there about this. It’s just not part of the rules. We all knew what the answer would be. “I don’t think you can throw them quite that far. That’s 90 feet.” We were all a little slack jawed. Our DM had always followed the rules to a T… up until now.


Our druid’s eyes lit up. “GUST OF WIND! I HAVE A TURN. GUST OF WIND.”


With a bit of contemplation, the DM sighed. “Alright.” Pointing at the Orc, “You roll strength.” Pointing at the Druid, “You roll wisdom”. Pointing at the Gnome, “You roll for an attack.”


Strength, 19, plus 4. “You see her muscles ripple, and our Gnomish friend feels like there is an incredible springboard under his feet. Before he has even a moment to think through how awful this plan is, he’s rocketed into the air.”


Wisdom, 16, plus 3. “Druidic energy starts to emanate visibly from the staff, and all of you hear a howling of wind through the trees picking up. While soaring through the air, the Gnome accelerates even faster - the wind screaming by their ears.”


Attack roll, natural 20. The gnome barbarian stares at the die, worried that it might change if they don’t keep a close eye on it. “The wizard’s eyes go wide, as he starts to utter an incantation - but not fast enough. You feel a CRUNCH as you slam into his chest, axes flying from a mix of momentum and your rage. Your vision is blood red. You can hear your own pulse pounding in your ears. Uhh.. you have brutal critical, don’t you. He’s only got..”


The DM looked up quietly from behind their cardboard DM screen and, with a giant grin growing across their face, stole Matt Mercer’s line. “How do you want to do this?” We broke a lot of rules, but we all felt like heroes.


2021/04/06


Disney World is a monumental effort to build the Most Magical Place on Earth. Much of this is down to the extreme amount of engineering that has gone into manufacturing the magic.


I think the Utilidor is the best example of this.


Whenever you’re in the Magic Kingdom, you’re technically on its rooftop. A portmanteau of Utility and Corridor, the Utilidor is the true “first floor” of the theme park. In most places in Florida, dig a few feet down and you hit water, so building underground is a dangerous and difficult proposition. Instead they built up: the park guests walk through sits one story above the Utilidor, about 100ft above sea level.


The Utilidor is used for logistics in the park. Getting anything from point A to point B magically can be done via the tunnel systems.


Employees (referred to as “Cast Members” per corporate mandate) travel between locations using the Utilidor. This lets them move quickly in electric vehicles and get to the right spot for their work. The Utilidor also houses a number of services for employees, such as cafeterias, banking, hair salons, and more.


What I think is the most interesting, however, is the automated vacuum waste collection within the Utilidor. The Utilidor has pneumatic tubes that quickly whisk any and all trash away from the park, to where it can be disposed of or recycled. This helps the custodial staff keep the park as clean as it is - by taking all the trash and dumping it somewhere else.


There are “Backstage” tours of Walt Disney World that show off the utilidor among other ways that the magic is preserved at the theme park. Even if some of the illusion can be dispelled, though, it’s still real magic if you believe in it.


2021/04/05


The Supreme Court has come to a decision in the Google v Oracle case regarding Google’s use of the Java SE API in Android’s runtime (ART, and the Dalvik VM before it). The case has been ongoing since August 2010.


TLDR: it’s fair use. The declaring code that was copied is a very small part of the whole and is not implementation, but rather the API’s general organization.


Let’s read a couple excerpts!


The most succinct description of how this is fair use:


Google copied these lines not because of their creativity or beauty but because they would allow programmers to bring their skills to a new smartphone computing environment.


But does this mean that programs in general are not copyrightable? The following decides that’s not the case:


As part of an interface, the copied lines are inherently bound together with uncopyrightable ideas (the overall organization of the API) and the creation of new creative expression (the code independently written by Google). Unlike many other computer programs, the value of the copied lines is in significant part derived from the investment of users (here computer programmers) who have learned the API’s system. Given these differences, application of fair use here is unlikely to undermine the general copyright protection that Congress provided for computer programs.


How much of the code is considered copied:


If one considers the declaring code in isolation, the quantitative amount of what Google copied was large. Google copied the declaring code for 37 packages of the Sun Java API, totaling approximately 11,500 lines of code. Those lines of code amount to virtually all the declaring code needed to call up hundreds of different tasks. On the other hand, if one considers the entire set of software material in the Sun Java API, the quantitative amount copied was small. The total set of Sun Java API computer code, including implementing code, amounted to 2.86 million lines, of which the copied 11,500 lines were only 0.4 percent.


However, my favorite part of the entire decision is that they retell one of the world’s shortest short stories:


When he awoke, the dinosaur was still there.


2021/04/02


There’s a really neat Stack Exchange post about the Amiga OS Kickstart image. The question asks why the image shown during the Amiga’s bootstrap sequence, known as “Kickstart”, was so ugly. The image appeared to tell the user to insert the Kickstart floppy so the computer could start.


The short version is that they were severely resource-constrained. A bitmap would have been around 4KiB, but the vector data for the Kickstart image weighed in at only 412 bytes. That mattered when they only had 8KiB of space for the pre-boot ROM.


The vector art data is as follows:


FF 01 23 0B 3A 0B 3A 21 71 21 71 0B 7D 0B 88 16 88 5E 7F 5E 7F 38 40 38
3E 36 35 36 34 38 2D 38 2D 41 23 48 23 0B FE 02 25 45 FF 01 21 48 21 0A
7E 0A 8A 16 8A 5F 56 5F 56 64 52 6C 4E 71 4A 74 44 7D 3C 81 3C 8C 0A 8C
0A 6D 09 6D 09 51 0D 4B 14 45 15 41 19 3A 1E 37 21 36 21 36 1E 38 1A 3A
16 41 15 45 0E 4B 0A 51 0A 6C 0B 6D 0B 8B 28 8B 28 76 30 76 34 72 34 5F
32 5C 32 52 41 45 41 39 3E 37 3B 37 3E 3A 3E 41 3D 42 36 42 33 3F 2A 46
1E 4C 12 55 12 54 1E 4B 1A 4A 17 47 1A 49 1E 4A 21 48 FF 01 32 3D 34 36
3C 37 3D 3A 3D 41 36 41 32 3D FF 01 33 5C 33 52 42 45 42 39 7D 39 7D 5E
34 5E 33 5A FF 01 3C 0B 6F 0B 6F 20 3C 20 3C 0B FF 01 60 0E 6B 0E 6B 1C
60 1C 60 0E FE 03 3E 1F FF 01 62 0F 69 0F 69 1B 62 1B 62 0F FE 02 63 1A
FF 01 2F 39 32 39 32 3B 2F 3F 2F 39 FF 01 29 8B 29 77 30 77 35 72 35 69
39 6B 41 6B 41 6D 45 72 49 72 49 74 43 7D 3B 80 3B 8B 29 8B FF 01 35 5F
35 64 3A 61 35 5F FF 01 39 62 35 64 35 5F 4A 5F 40 69 3F 69 41 67 3C 62
39 62 FF 01 4E 5F 55 5F 55 64 51 6C 4E 70 49 71 46 71 43 6D 43 6A 4E 5F
FF 01 44 6A 44 6D 46 70 48 70 4C 6F 4D 6C 49 69 44 6A FF 01 36 68 3E 6A
40 67 3C 63 39 63 36 65 36 68 FF 01 7E 0B 89 16 89 5E FE 01 22 0B FE 01
3B 0B FE 01 61 0F FE 01 6A 1B FE 01 70 0F FE 01 7E 5E FE 01 4B 60 FE 01
2E 39 FF FF

The way it was interpreted followed pretty simple rules:


  1. Read two bytes at a time.
  2. If both bytes are FF, end the program.
  3. If the first byte is FF and the second byte is not, start drawing a polyline with the color index given in the second byte. Treat any subsequent two bytes as x,y coordinates belonging to that polyline except if the first byte is FF (see rules 2 and 3) or FE (see rule 4), which is where you stop drawing the line.
  4. If the first byte is FE, flood fill an area using the color index given in the second byte, starting from the point whose coordinates are given in the next two bytes.
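Here is an added example, not code from the original post or from the Kickstart ROM, that turns those four rules into a working interpreter for the byte stream above and rasterizes the result. The parser rejects malformed input (odd length, a fill opcode with no seed point, coordinates before any FF opcode, a stream with no FF FF terminator) instead of drawing garbage. The 160x160 canvas, the Bresenham line rasterizer and the 4-connected flood fill are my assumptions; the page does not say what the ROM routine actually used, only that every coordinate in this stream is below 0x90.

```python
from collections import deque

# The 412-byte vector-art stream from the page, re-typed as hex (whitespace is ignored).
KICKSTART_ART = bytes.fromhex("""
FF 01 23 0B 3A 0B 3A 21 71 21 71 0B 7D 0B 88 16 88 5E 7F 5E 7F 38 40 38
3E 36 35 36 34 38 2D 38 2D 41 23 48 23 0B FE 02 25 45 FF 01 21 48 21 0A
7E 0A 8A 16 8A 5F 56 5F 56 64 52 6C 4E 71 4A 74 44 7D 3C 81 3C 8C 0A 8C
0A 6D 09 6D 09 51 0D 4B 14 45 15 41 19 3A 1E 37 21 36 21 36 1E 38 1A 3A
16 41 15 45 0E 4B 0A 51 0A 6C 0B 6D 0B 8B 28 8B 28 76 30 76 34 72 34 5F
32 5C 32 52 41 45 41 39 3E 37 3B 37 3E 3A 3E 41 3D 42 36 42 33 3F 2A 46
1E 4C 12 55 12 54 1E 4B 1A 4A 17 47 1A 49 1E 4A 21 48 FF 01 32 3D 34 36
3C 37 3D 3A 3D 41 36 41 32 3D FF 01 33 5C 33 52 42 45 42 39 7D 39 7D 5E
34 5E 33 5A FF 01 3C 0B 6F 0B 6F 20 3C 20 3C 0B FF 01 60 0E 6B 0E 6B 1C
60 1C 60 0E FE 03 3E 1F FF 01 62 0F 69 0F 69 1B 62 1B 62 0F FE 02 63 1A
FF 01 2F 39 32 39 32 3B 2F 3F 2F 39 FF 01 29 8B 29 77 30 77 35 72 35 69
39 6B 41 6B 41 6D 45 72 49 72 49 74 43 7D 3B 80 3B 8B 29 8B FF 01 35 5F
35 64 3A 61 35 5F FF 01 39 62 35 64 35 5F 4A 5F 40 69 3F 69 41 67 3C 62
39 62 FF 01 4E 5F 55 5F 55 64 51 6C 4E 70 49 71 46 71 43 6D 43 6A 4E 5F
FF 01 44 6A 44 6D 46 70 48 70 4C 6F 4D 6C 49 69 44 6A FF 01 36 68 3E 6A
40 67 3C 63 39 63 36 65 36 68 FF 01 7E 0B 89 16 89 5E FE 01 22 0B FE 01
3B 0B FE 01 61 0F FE 01 6A 1B FE 01 70 0F FE 01 7E 5E FE 01 4B 60 FE 01
2E 39 FF FF
""")

def parse_art(data):
    """Decode the two-byte opcode stream into ("line", color, [(x, y), ...]) and
    ("fill", color, (x, y)) commands; malformed input raises ValueError."""
    if len(data) % 2:
        raise ValueError("stream must be an even number of bytes")
    commands, current, i = [], None, 0
    while i < len(data):
        a, b = data[i], data[i + 1]
        i += 2
        if a == 0xFF and b == 0xFF:        # rule 2: end of program
            return commands
        if a == 0xFF:                      # rule 3: start a polyline with color b
            current = ("line", b, [])
            commands.append(current)
        elif a == 0xFE:                    # rule 4: flood fill color b from the next pair
            if i + 2 > len(data):
                raise ValueError("fill opcode is missing its seed point")
            commands.append(("fill", b, (data[i], data[i + 1])))
            i += 2
            current = None                 # a fill ends the open polyline too
        elif current is None:
            raise ValueError("coordinate pair at offset %d outside any polyline" % (i - 2))
        else:
            current[2].append((a, b))      # rule 3: x,y vertex of the open polyline
    raise ValueError("stream ended without an FF FF terminator")

def bresenham(x0, y0, x1, y1):
    """Yield every integer pixel on the segment from (x0, y0) to (x1, y1)."""
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx, sy = (1 if x0 < x1 else -1), (1 if y0 < y1 else -1)
    err = dx + dy
    while True:
        yield x0, y0
        if (x0, y0) == (x1, y1):
            return
        e2 = 2 * err
        if e2 >= dy:
            err, x0 = err + dy, x0 + sx
        if e2 <= dx:
            err, y0 = err + dx, y0 + sy

def flood_fill(grid, x, y, color):
    """4-connected fill: recolor the region that shares the seed pixel's color."""
    h, w = len(grid), len(grid[0])
    target = grid[y][x]
    if target == color:
        return
    grid[y][x] = color
    queue = deque([(x, y)])
    while queue:
        cx, cy = queue.popleft()
        for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
            if 0 <= nx < w and 0 <= ny < h and grid[ny][nx] == target:
                grid[ny][nx] = color
                queue.append((nx, ny))

def render(commands, width=160, height=160):
    """Draw the commands onto a grid of palette indexes (0 = background).
    160x160 is an assumption: large enough for every coordinate in this stream."""
    grid = [[0] * width for _ in range(height)]
    for cmd in commands:
        if cmd[0] == "line":
            _, color, points = cmd
            for (x0, y0), (x1, y1) in zip(points, points[1:]):
                for x, y in bresenham(x0, y0, x1, y1):
                    grid[y][x] = color
        else:
            _, color, (sx, sy) = cmd
            flood_fill(grid, sx, sy, color)
    return grid

if __name__ == "__main__":
    cmds = parse_art(KICKSTART_ART)
    print(len(cmds), "commands;", sum(c[0] == "line" for c in cmds), "polylines")
    for row in render(cmds):
        print("".join(" #+."[c] for c in row).rstrip())
```

Running it decodes the stream into 15 polylines and 11 fills (26 commands), and the first polyline is the closed 18-vertex outline that starts and ends at (0x23, 0x0B). Note that the fill pays for the compactness: a 412-byte stream is tiny, but a flood fill seeded outside a closed outline leaks across the whole canvas, so the artist had to keep every outline watertight.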

Sheryl Knowles, the first Amiga artist, noted that there were no real tools on the Amiga to make images like this until they eventually wrote Graphicraft. At that point, using Graphicraft, she held the floppy in her left hand and painstakingly created the drawing with her right hand.


The drawing was limited in size and in the number of pixels that could be used, by the programming requirements of the time. All of which should explain why it’s a bad drawing. But it was deemed a sufficient icon.


Which is very true! Even if it’s ugly, it’s clear what it’s supposed to be. It’s not supposed to be high art - it’s supposed to be an icon you see for a couple seconds at most.


2021/04/01


Today, running 5KM took a lot out of me. This can be squarely blamed on a more sedentary lifestyle than is ideal. This doesn’t mean I can’t. We’re all Born to Run in our own ways. Some hypotheses even suggest that we should take that pretty literally.


For example, look at the Rarámuri people - 5KM might feel like a lot, but they're known for long-distance running. Extremely long-distance running: up to 320KM in one session, often over the course of multiple days. That isn't on flat surfaces, either. It's through canyon and brush, with significant elevation changes and rough terrain.


What’s more, the Rarámuri also have competitive aspects to their running, such as the game Rarajipari - a game of kicking and chasing a ball. Even casual games will go on for several miles. After some serious all-night partying, though, they will play equally serious matches which go on for thirty to forty miles.


While much of that can seem extreme, it’s led many to lean into the Endurance running hypothesis - that certain human characteristics can be explained by our need to run extended distances. Sure, it’s just a hypothesis, and there’s definitely some areas where it falters - but it’s interesting nonetheless.


For example, we have shorter toes than other primates. For grasping, this makes us greatly inferior: we lost overall strength and gripping ability. With such short toes, how am I supposed to hang from the monkey bars with just my toes? However, shorter toes mean less mechanical work is needed to support weight. Less strain is put on the joints, and we can support 75% of our body weight on just our toes. In running this is incredibly important, as we often end up landing on our toes, and longer toes would cause injuries.


What does it all mean, though? Well, you might not run 300KM in a single go today - but I’m sure 5KM is a good start on it.


2021/03/29


The Suez canal is clear again.


Hackernews was suggesting a wide array of possible solutions.


You can vibrate the sand with the right resonance to “liquefy” the sand allowing for easier passage - similar to concrete.


You can use heavy-lift helicopters to unload the shipping containers to... somewhere. An empty shipping container is 4 tons; a fully loaded one is 33.5 tons. The Mi-26 is the largest and most powerful helicopter to go into serial production, and it can lift only 14.5 tons. That works out to roughly 60-240 minutes per container to offload, assuming the helicopters don’t have failures. At a 20k ton load that puts us at 175 days, give or take, to unload the ship.


You could cut through the ship - it’s been done before. It’d be a huge loss for the shipping company, though. It’d also take many months, and would likely destroy all of the cargo.


You could do what they do with beached whales - just blow it up. Evaporate it with an ICBM. Let’s ignore the various nuclear arms treaties and ecological issues involved. The LGM-118 Peacekeeper is armed with 300 kiloton W87 warheads. Unfortunately, the Ever Given is just too big. It would not be completely destroyed, as the fireball is only 320 meters across, and leftover scrap metal would be all over the place. Upgrade to something that would make the UN sweat a little, though, and we could probably create a big enough crater to allow for U-turns.


My favorite, though… is to just explode a medium sized nuke under the ship. Then another. Then another. Just keep exploding nukes until it’s sailing off into the cosmos. We’d have accomplished Project Orion. Open up the Suez canal and ship goods to Mars in one fell swoop!


In the end, the Suez canal was cleared by high tide, dredging the canal, and a bunch of tug boats. Keep it Simple.


2021/03/19


While Ireland’s Gaeilge is the national and official language of the Republic of Ireland, many regions of Ireland speak a dialect of English: Hiberno-English, or Irish English. Even within this dialect there’s a number of differences regionally, which have developed over hundreds of years.


English has been pushing out Gaeilge in Ireland for centuries. Originally brought to Ireland in the 12th century via the Norman invasion, the Tudor conquest then led to English-speaking immigrants flooding Ireland and a general suppression of the Irish language. More recently, only 4% of surveyed Irish speakers speak Gaeilge in their daily life. Otherwise, English is the predominant language of the land.


While the English attempted to suppress anything other than the traditional English of the time, a number of differences have grown to make Irish English unique across the gamut - grammar, vocabulary, and phonetics. Much of this is a holdover from Gaeilge, which makes it doubly interesting.


One particularly interesting grammatical difference is that “yes” and “no” are far less frequently used. For example, “You speak with an Irish dialect?” would be responded with “I do” instead of “Yes”. Much of this is due to the Irish language lacking “yes” or “no” as vocabulary. Instead, the verb is negated and responded with.


Hiberno-English pulls a number of words from Gaeilge as loan-words, as well as some that are merely derived from the national language. “Sláinte!” is one that you might hear in a pub, meaning “(To your) Health!” And if you’re nervous, you might “fooster” - to fidget - derived from the Gaeilge word “Fústar”. In other cases, Hiberno-English has vocabulary that is less clearly historied - such as when you’ve really broken something? It’s “banjaxed”.


The phonology of Hiberno-English is probably what differs the most between the regions. I’ll be frank - I’m not a phonetics expert, and every paper I’ve read on this really goes all out on that. A few examples, however, are words like “kite” that to American ears would sound like “koyt”, “mouth” which would be closer to “meh-ooth” or “maith”, and “about” would be close to “a boat”.


Now don’t be a lúdramán, and give céad míle fáilte when yer with the Irish, will you? They do be thinking yer an eejit if ya talk like this, yeah?


2021/03/17


Last year Gregg Tavares posted about Github’s permission model, frustrated with how it blindly grants the ability to request data from users to anyone that asks for the permissions. Yesterday it was trending on Hackernews. I think from a privacy standpoint it’s an interesting read. Something they touched on, however, gave me that weird gut feeling…


Let’s imagine your bank let you sign in to 3rd party services in a similar manner. How many people would click through on “Let ACME corp act on your behalf on your Citibank Account”. I think most people would be super scared of permissions like that. Instead they’d want very specific permission like, only permission to deposit money, or only permission to read the balance, or only permission to read transactions, etc…


Oh, you sweet summer child. Oh, no, no, no. It’s much worse when it comes to banking.


Enter Plaid.


You might know Plaid because their acquisition by Visa was recently blocked.


Plaid operates as an “in-between” for their customers to allow end-users to sign into banks - surfacing information about account numbers, routing numbers, current balance, recent transactions, and other related banking information.


Cool, right?


Well, let’s pull apart how that works. Let’s take Venmo as an example. Venmo embeds Plaid’s SDK. A user wants to link their bank account to Venmo, and at that point Plaid effectively performs a man-in-the-middle attack on the end user. Inside Venmo’s app (not the bank’s), Plaid’s embedded code presents a login form styled after the bank, collects the credentials - including many kinds of 2FA - and then logs in to the bank as if it were the end user. At this point they scrape all the data they can reach and store it all on their servers. This is how their customers, like Venmo, can verify you own your account and peek at your balance to confirm you have funds to pay for that pizza / rent / drugs / fantasy football.


Plaid’s codebase itself has a distinct issue, too. The underlying code for their scrapers is thousands upon thousands of Python files that connect together like spaghetti. Updates get patched in at random, so following security practices is attempted but... it’s a moving target.


As far as permissioning - it’s nonexistent. Plaid gives every single one of their customers full access to the accounts of users that authenticated. With Venmo - account verification? Sure! Account balance? Uh.. weird, but okay. Loan status? Credit card statements? Transactions unrelated to Venmo? Identity documentation? Initiate transfers? Uhh.. Why?! For anyone?!!


Is this legal? Well, maybe. That doesn’t stop banks from suing Plaid. This is also not great for consumers because it opens up new vectors for threat actors to gain access to accounts and could void agreements banks have with their customers around fraud.


Lots of financial services apps like Mint also work in this way.


Don’t worry, though, at least we can use alternatives. Like, I’ve heard of “Yodlee” to do this, right? Oh…


At the end of the day, services like Plaid provide features that users want.


Do I think plaid is a security nightmare? Yes.


Can I think of a reasonable alternative for their features? No.


2021/03/16


Docker announced a Series B raise of $23M today - which is definitely impressive for a company focused around Open-Source, right? Well, maybe. In 2015, Docker had announced a $95M Series D raise of funding at a $1B valuation. Best guess was a reset after Mirantis acquired part of the company?


What’s Docker the software? Let’s start with the basics.


Containers. A container is, effectively, packaging for a running process plus the encapsulation features applied to keep it isolated from the host it runs on. Containers as a concept have been around for decades; an older example is OpenVZ.


Containers help when developing software because they provide portability, reproducibility, and isolation. Portability lets you run your app anywhere, regardless of the system it’s running on. Isolation means that state in the host and state in other containers won’t affect your app.


This is different from virtual machines, which use full virtualization. Containers usually rely on OS-level virtualization and isolation features (on Linux, namespaces and cgroups) to share one kernel among multiple containers safely, instead of a full VM where the whole OS is duplicated.


That leads to Docker the software. Docker the software brings container tooling, an abstraction layer wrapping multiple virtualization APIs, and a domain-specific language (the Dockerfile) for describing container filesystems.


Docker’s “images” include everything needed to start a container - the code or binary, runtimes, dependencies, and any other filesystem objects required. Docker images and containers are supported by most of the big cloud providers - AMZN AWS, GOOG Cloud, MSFT Azure, Heroku, Glitch, and others. The same docker image can be run across all of them.


But what does Docker Inc do? Docker, Inc primarily develops Docker Hub and Docker Desktop at this point in time. Per their blog post about their plans for the funding it seems like they’re focusing on improving dev experience, tooling around security, and API development.


I’ve got high hopes for the company into the 2020s. Here’s hoping that this time investor interests are more closely aligned with the direction of the company. If not, I’m sure we’ll see Docker repeat the past decade again.


2021/03/15


Security.txt made the rounds again on HackerNews. It’s a format, similar to robots.txt for making it clearer how to submit security issues to an organization.


In theory, this is great! It’s noted by the DHS as a helpful way for researchers to communicate their findings. At one point a draft required agencies to have it, but that requirement was removed. Because it lives at a standardized location (/.well-known/security.txt), it can be found by scraping sites like SHODAN and Disclose.io.


In practice, however, some members of the cyber security community find that it leads to a poor signal-to-noise ratio.


Some entrepreneurial members of the cybersecurity community will grab the domain lists with security.txt files, fetch the contact email, run Burp Suite or Metasploit to find some low-effort security issues, and dump it all into Excel. For extra credit, do a mail-merge. Minimal effort, and if you get answers back you ask for a bug bounty.


I don’t think that security.txt on its own will cause this, though. It’s just as easy to search for Vulnerability Disclosure Policies and use those as inputs for automated security testing. It takes a bit more manual work, but even with that you end up with odd security reports now and then.


All of this is to explain how we ended up with the security report for a site that shared the same first two letters of ours instead.


2021/03/12


The UK is in talks to depart from using GDPR. This likely means one of two outcomes - neither of which are positive.


Option A - come up with their own privacy laws. This is iffy and is the path the USA is currently on. You end up with multiple laws that may by chance hit similar beats but may conflict and make it more difficult to be compliant. In this world, many companies will just ignore the privacy laws in the hopes that they won’t be caught - or that the legal jurisdiction they’re in makes it difficult to litigate.


Option B - roll back everything. This is bad for privacy, consumers, and citizens of the UK but good for businesses. As such, this is the likely path forward, given other recent actions taken by parliament.


If we continue to split up privacy laws, I’ve got a bad feeling about the future of the internet. I could foresee a future where it’s no longer open across country borders and becomes insular within each jurisdiction, sharing stamped out by bureaucracy.


2021/03/11


Amen Brother by The Winstons is the B-side of the band’s 1969 single “Color Him Father”. The A-side - “Color Him Father” - won a Grammy Award for Best R&B Song in 1970, but the B-side… the B-side has been heard by so many more people. Not in its entirety, mind you, but in the seven-second drum solo from 1 minute and 26 seconds to 1 minute and 33 seconds.


This is the “Amen Break”.


The drum solo, performed by Gregory Coleman, was initially just meant to fill time. It caught the attention of DJs almost two decades later in the hip-hop scene. They found that if you slowed it down from 135BPM to about 90BPM it became the perfect canvas for laid-back rappers to create on.


Unfortunately, Coleman was unlikely to have been aware of the impact he had on the world. Gregory Coleman died in 2006, homeless and destitute. However, his drum solo is immortal and has shaped modern music as we know it.


There’s thousands upon thousands of songs that use the Amen Break, but I’ll leave you with a few I’m fond of.



2021/03/10


Oh no! OVH had a small datacenter fire which affected their SBG2 datacenter in Strasbourg. This is not that uncommon a problem for a datacenter. That’s why you should always have a disaster recovery plan if your data is invaluable - beyond reliance on fire suppression systems.


Fire suppression in datacenters poses an interesting problem. When you have so many things that can’t get wet and are incredibly expensive to replace you can’t use sprinklers, and any residue could be heavily damaging to the equipment as well.


Bromotrifluoromethane, or Halon, was developed in the 1950s as a gaseous fire suppression agent for use around valuable materials - such as computers and telecommunications systems. In the mid-90s we stopped using Halon because it is incredibly damaging to the ozone layer and contributes considerably to global warming. However much damage it causes to the planet, it’s relatively safe for humans. While Halon may cause dizziness and tingling in the extremities at the low concentrations at which it is effective, it is relatively safe to use in close quarters. This is why even now the FAA recommends it for aircraft!


HFC-227ea is another gaseous fire suppression agent used in data centers. Generally, this is safe for humans at up to 9% concentration, which is the maximum most fire suppression systems would use. It doesn’t deplete the ozone layer but does contribute to climate change in other ways. At incredibly high heat, however, it does decompose into hydrogen fluoride - which can cause blindness and creates hydrofluoric acid on contact with moisture.


Most fire suppression systems sound an alarm before they go off and may be manually stopped. If you’re interested, there’s a simulation video which has some obnoxious music but is otherwise accurate. I’ve been part of this before in a data center, and it’s not a fun time. I was not inside when the fire suppression activated, thankfully!


Of course, not much of this matters once the datacenter gets to the point SBG2 just did. Don’t worry, though! That data center is still green across the board according to its status page!


2021/03/09


Last week I wrote about an American English dialect. Regional dialects are incredibly common! Another well known regional dialect is the dialect from Osaka, Japan and the surrounding regions - commonly known as the Kansai dialect, western Japanese, or “Kansai-ben”.


Kansai-ben is usually characterized as being a bit harsher on the ears but more melodic. All Kansai dialects have an ancestor in the Kinai dialect, which was considered the national dialect of Japan while Kyoto was the capital. However, once the capital moved to Edo - now Tokyo - the dialect of that region took hold across the country, and is now commonly known as Tokyo dialect or Standard Japanese. Using the Kansai dialect is often a source of pride for people from Kansai, with many being rather attached to it.


Kansai-ben used to be the stereotypical villain’s dialect, but now it’s more commonly associated with boisterous personalities in Japanese pop-culture. Because of the shared regional origins, Kansai-ben is often associated with manzai comedy. Manzai is a type of traditional Japanese stand-up comedy built around a funny man (boke) and a straight man (tsukkomi), and more often than not they’ll be speaking in Kansai dialect.


There are grammatical differences, different words, and a few other differences between Kansai dialect and Tokyo dialect. The difference I think is most interesting is one that is often more difficult for English speakers: pitch accent. This is one of the quickest ways that non-Kansai speakers will identify Kansai dialect speakers.


I’m not an expert in pitch accent - far from it. If you’re interested in learning more about Pitch Accent, Dogen has a wonderful 10 minute video but the trick to Standard Japanese intonation is to just say it flat. Right?


Now it’s time for me to butcher an example. Let’s take “Japan” - ni-ho-n. It has 3 morae - a mora isn’t quite a syllable, but close enough. In Tokyo dialect this starts out low pitch, rises, then lowers again. This is called the nakadaka (中高) pattern. In Kansai dialect, though, the pitch starts high and stays low for the rest of the word - known as the atamadaka (頭高) pattern.


Of course, the most important thing you need to know about Kansai-ben when visiting Osaka?


When asked: 「儲かりまっかぁ?」 (Mokari makka?)


Respond with: 「ぼちぼちでんなぁー。たこ焼きとビールが必要や。」 (Bochi bochi, denna. Takoyaki to biru ga hitsuyoya.)


2021/03/08


I read a really interesting Medium post by Piotr Migdal about procrastination. In particular, it reframes the issue of procrastination from being a productivity problem into what else it could be: an emotional management problem.


Timothy Pychyl writes about this in Psychology Today summarizing a few studies. We’re conditioned to not enjoy bad outcomes and often that is exhibited by enacting our emotion-coping mechanisms - fight, flight, or freeze. Anxious about something? Easy. Just don’t do it. Procrastination and giving up a bit of self control is a form of mood repair.


There’s a bit of truth in there and it’s something good to introspect about. Fight, flight, or freeze has been a part of our instinctual responses for a long time. It served us very well in the past and can today as well. Flat out rejecting this and fighting it as a time management issue may be burying other problems and exacerbating it long term. Some theories point at one cause of depression being another outlet of the freeze response - a biological defense mechanism to trauma perceived by our autonomic nervous system.


Introspection on how you’re feeling the next time you feel that need to get away from it all (by cleaning or watching netflix) might be more effective than tomato timers or to-do lists.


2021/03/05


Google made a statement a few days ago that they’re not building new ways to track individuals across the web for targeted ads.


The optimist in me wants to say that they heard the message from consumers that it’s not wanted, and that targeted ads just aren’t making the money that they used to. People are wising up and don’t click ads. Or people are intentionally sending bad data.


The realist in me says they have something else, like FLoC, that they’ve shown works. Something even more privacy-invasive. Something that locks competitors out. Something that is more predatory.


I’m sure I have nothing to worry about. Google won’t be evil.


2021/03/04


The cephalopods - squid, octopus, nautilus, and cuttlefish - are both adorable and incredibly intelligent. Within the first hour of their life, they start foraging and camouflaging.


Recent studies have shown that they also possess the capacity for self control, using a version of the Stanford marshmallow experiment, a study on delayed gratification.


This does bring into question animal intelligence and consciousness. Urbanization means people spend less time with other animals. We interact with a smaller variety of animals and thus see much less varied expressions of intelligence from them.


Dr. David Scheel raised a Day Octopus in his home, documenting the experience. The Scheel family named her Heidi. Heidi was able to show recognition of faces, solved puzzles, and built relationships with members of the Scheel family. Of this, Scheel noted:


I am less intrigued by the differences and more interested in our similarities. What kind of a connection is possible with an animal that has three hearts and blue blood running through its veins? It’s been a privilege to have a relationship with such a strange and wonderful creature.


It could be that we aren’t smart enough to judge how smart animals are. The octopus followed a very different evolutionary path than we did, so the ways it expresses intelligence may simply be poorly understood by us. Just because we excel in a larger number of areas on average doesn’t mean that some animals can’t do better than some people at specific tasks.


From Slashdot:


Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins.


This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open — you had to swing a latch, align two bits of handle, that sort of thing.


But it turns out it’s actually quite tricky to get the design of these cans just right. Make it too complex and people can’t get them open to put away their garbage in the first place.


Said one park ranger, “There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.”


Perhaps the entire marshmallow test is flawed. It purports that cuttlefish show intelligence normally seen in toddlers. Maybe cuttlefish are just able to show intelligence in one aspect that is similar to toddlers. Or maybe cuttlefish aren’t that smart - maybe babies are just stupid.


2021/03/03


The “far right” social media platform, Gab, was breached sometime last month and had public messages, private messages and password hashes leaked on March 1st.


Let’s ignore the… uh… unprofessional (to put it lightly) statement the founder made and how they responded to this event in general. It’s not worth unpacking all of that. It really isn’t. I promise you.


Instead, let’s chat about how this happened. It’s pretty simple.


The site in question had a commit from the Gab CTO which migrated a specific SQL query away from the library’s query abstraction and into raw SQL - the query language used to interact more directly with their database. This is often done because a hand-written SQL query can greatly improve performance.


However…


As part of this, they used string interpolation to craft the query. String interpolation is kinda like saying VARIABLE_U is james and I want to interpolate that into SELECT * FROM user WHERE username = '$VARIABLE_U' so that I end up with the final string of SELECT * FROM user WHERE username = 'james'.


Simple, right?


This way of crafting SQL can fail because of what is known as SQL Injection. In our example, what if VARIABLE_U was coming from an input field on a website? In that case, a user could type whatever they wanted into that field.


If a user was to type in ' OR 'a' = 'a, the final string would then look something like SELECT * FROM user WHERE username = '' OR 'a' = 'a'. Instead of limiting to a single username value, we’d instead retrieve any users.


This can be elaborated on to do even more - such as with Blind SQL Injection techniques.


How should they have handled this instead? By using the library to “bind” parameters. Ruby on Rails supports this in the very function used by the change that caused the breach.


In our example, we could instead write the query as SELECT * FROM user WHERE username = ? and then tell the library to bind VARIABLE_U to the first numbered parameter. No string interpolation is performed, and with most databases the query text is sent over completely separate from the bound parameters, so the value is never parsed as SQL at all!
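To make the difference concrete, here is an added example (not code from Gab or from Rails; Python with the standard-library sqlite3 module so it runs stand-alone, where Rails’ equivalent of the fixed form is where("username = ?", name)). It builds a constructed user table, runs the interpolated query and the bound query against the ' OR 'a' = 'a payload from above, and then shows the blind technique the post mentions: a boolean-based loop that recovers a column the query never returns, one true/false question per character. The table, the sample users and the function names are my own.

```python
import sqlite3
import string

# Constructed sample data; no real accounts involved.
USERS = [("james", "james@example.com"), ("alice", "alice@example.com"), ("bob", "bob@example.com")]

def make_db():
    """In-memory SQLite database with a user table like the one in the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user (username, email) VALUES (?, ?)", USERS)
    return conn

def find_user_interpolated(conn, username):
    """VULNERABLE: the value is pasted into the SQL text, so a quote inside it
    closes the literal and everything after it is parsed as SQL."""
    query = f"SELECT username FROM user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def find_user_bound(conn, username):
    """Fixed: '?' placeholder plus a separate parameter tuple. The database
    receives the SQL text and the value apart; the value is never parsed."""
    query = "SELECT username FROM user WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def blind_leak_email_prefix(conn, lookup, username="james", length=6):
    """Boolean-based blind injection through `lookup`: recover the start of a
    column the query never returns, one true/false question per character."""
    leaked = ""
    for position in range(1, length + 1):
        for candidate in string.ascii_lowercase + "@.":
            payload = f"{username}' AND substr(email, {position}, 1) = '{candidate}"
            if lookup(conn, payload):          # a row came back, so the guess was right
                leaked += candidate
                break
        else:
            break                               # nothing matched: stop at what we have
    return leaked

if __name__ == "__main__":
    db = make_db()
    print("interpolated:  ", find_user_interpolated(db, "' OR 'a' = 'a"))
    print("bound:         ", find_user_bound(db, "' OR 'a' = 'a"))
    print("blind leak:    ", blind_leak_email_prefix(db, find_user_interpolated))
    print("blind vs bound:", repr(blind_leak_email_prefix(db, find_user_bound)))
```

Against the interpolated query the payload returns every user and the blind loop spells out james@ from the email column; against the bound query the same strings are just usernames nobody has, so both return nothing. The fix is not escaping quotes more carefully, it is never letting user input become query text.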


This should have been caught in code review. I mean.. if they do code review, right?


2021/03/02


Regional Dialects are something of an interesting topic for me. It’s not just an indicator of your originating geography but also the cultural upbringing you had. Over the next few weeks I’ll be picking out a few different language dialects to both learn about and write about.


To start with, a dialect that’s near and dear to me: Appalachian English, also known as Smoky Mountain English or Southern Mountain English. This is the dialect most often attributed to the inland Southern United States, and it has many features of 18th-century colonial English. I’d often encounter this dialect with my family in Kentucky, Tennessee, and West Virginia.


Some of the words I’ve picked up over time that I can think of:


  • afeared - to be afraid
  • buggy - a shopping cart
  • britches - pants
  • crick - this may be either a stiffness of joints in the body or a creek
  • fixin - this can also be a few things - either to say something is soon to happen, or a portion of food
  • holler - the steep valley between two hills, because you can “holler” across to the other side
  • plumb - completely
  • reckon - suppose
  • skifting - a dusting, usually of snow on the ground
  • sody-pop - carbonated beverages
  • spell - either a duration of time or the state of being lightheaded
  • yonder - somewhere distant, away from where we are currently

Appalachian English has many other archaic phrases, words, and prefixes. Most of the above fall into that category - either from older English words like breeches or the a- prefix (as in afeared or a-haunted), which comes from Early Middle English. right can also be used with adjectives and adverbs, as in right fine or right quick.


Southern drawl is also an important aspect of this dialect. Southern drawl - considered different from the Southern twang - is a common pattern in which the vowels are prolonged, making the speech sound slower. To many, this leads to the incorrect assumption that an individual with a drawl is uneducated or dim-witted. Part of this is from a lack of exposure to Southern accents - people that don’t hear it can immediately hear the other-ness. However, even people that grow up with the accent are told that a Southern accent is “wrong” via pop-culture and media. How many celebrities speak with a Southern drawl?


Dialects like this might sound strange to people that aren’t part of them. However, to those that are within that dialect outsiders without it sound foreign. To quote my cousins in regards to my differing dialect, “Yew talk real funny! Y’all spake all fast-like. Yer a yankee from up yonder, aintcha?”


2021/03/01


Social engineering is one of the most difficult attack vectors to detect. It’s also one of the oldest techniques in the espionage handbook. Most of the time in this day and age it’s implemented as spear-phishing or in other ways via email. That’s when you aren’t dealing with highly motivated nation-state actors, for whom money and time become less of a problem.


Let’s think like a threat actor for a moment. Who’s going to look the most threatening to an employee? The other, of course. Someone outside the company. That’s why spear-phishing can be so successful - you purport to be someone trusted. Someone that’s a part of the company. However, that leaves tech in the way. That makes it easier to detect, right?


So then.. let’s pivot. How can we become someone trustworthy? Well… What if we only needed to fool one employee - someone that wouldn’t expect it - and use that to get a foot-hold? How about.. HR. HR gets a candidate. On paper, they’re perfect. They came from top schools, they know your stack, the teams that interview them are gung-ho, their references are all gushing about how amazing this individual is. And that’s exactly how we get someone on the inside.


Sound too outlandish? It has happened many times - even in recent years. Alexey Karetnikov joined Microsoft as a QA engineer in 2010. It was purported that he was there to capture intelligence for the Russian intelligence agencies. He was on the sloppier side and was tracked by US intelligence agencies as soon as he set foot in the US. He was deported on charges of immigration violations.


The current FBI Director, Christopher Wray, spoke about this as well. In 2020, the Boston FBI field office arrested a researcher who was smuggling vials of biological research back to the Chinese government.


When someone’s as motivated as these folks are and have the backing of a nation state nearly anything is possible. These are just the cases we hear about, too. Jack Barsky is a more famous example of someone that had been a spy for the KGB in New York City for 10 years.


In espionage, reality is often more outlandish than even fiction.


2021/02/26


There are people that claim they can tell you where water is via a dowsing rod. Water finding. Water witching. Water Divination. I’m gonna spoil it for you: it’s hogwash.


Dowsing has been a pseudoscience employed since the 1500s, and it was just as useless then as it is now. Traditionally the way it works is that you take a forked twig, hold it in front of you, and it’ll make small movements towards what you’re trying to find.


The small movements are said to be magnetic ion something something by divinators. Those small movements are known as the Ideomotor phenomenon. It’s where a mental image or a thought brings on a reflexive muscular action outside of conscious knowledge. It’s the same effect that you’ll see with other “precognition-lite” techniques like Ouija boards, automatic writing, and facilitated communication. (Sorry if I’ve dunked on your preferred pseudoscience, happy for you to tell me how I’m wrong.)


It’s been tested again and again and shown to be a whole bunch of baloney. The 1990 study by Hans-Dieter Betz concludes that it works, but statistical analysis by J. T. Enright in 1995 finds that out of 500 dowsers even the best of the best were only about 0.4% better than random chance, which could easily be attributed to statistical fluctuation. That’s the most POSITIVE study I can find on it; there are countless others that call out dowsing as completely fake. Algeria 1943, New Zealand 1948, Britain 1959, the British Ministry of Defense did one in 1971 - the list goes on and every single one of them shows this to be a complete farce.


Even today, water dowsing is employed by ten out of the twelve water companies in the UK. Dowsing is considered a “tried-and-tested” method of finding water by these companies, if Twitter is to be believed. Really.


The ADE 651 and GT200 are modern versions of the dowsing rod that were being sold for military applications as late as 2011 and have been found just as effective as previous dowsing rods. Read: They’re as good as random chance because that’s all it is. They say they can track drugs, bombs, ivory, and who knows what else. What’s even more amazing is they’re purported to be powered by the user’s static electricity and they have programmable cards that you have to pay extra for because of.. electrostatic magnetic ion … It’s a huge fake and by 2010 the companies behind both had swindled people out of millions and millions of dollars. This includes the governments of the USA, United Kingdom, Iraq, Lebanon, Thailand, and Mexico.


The creators of these devices are currently being litigated so thoroughly that they’ll need a dowsing rod to find themselves out of the mess they’re in.


Thing is - if you have other sensory cues, you use your mind, and with the observer expectancy cognitive bias - dowsing really works! At least, it works about as well as me going out into that same field and rolling a D20.


2021/02/25


In the before times, two titans battled out a war in North America - a bitter and drawn out war that waged on for decades.


Eventually, the Video Home System overcame the Betamax cassette. Home Video consumption became a norm. The Videocassette Recorder was feared by the television industry and heralded by consumers. A new way to consume movies and television was born with the VHS.


There was one issue with translating theatrical movies to the small screen: Home televisions were 4:3 aspect ratio. This meant that the screens had a width of 1.33 times the height, unlike the new Cinemascope and other Widescreen formats for theatrical releases that became popular after 1960.


Two techniques are available to make the widescreen theatrical releases fit on a smaller screen. There’s always letterboxing - which adds black bars above and below the picture. Another technique is Pan and Scan - where the image is translated to better show off the points of interest in the cinematography, shaping the film to match 4:3 through cropping or other techniques. This would be done by an editor and could drastically change the tone of a scene if done poorly. This is why many criticize it and refuse to release a pan and scan version.


The kind of film that would do well in the “home cinema” also differed from what would do well in the theater.


In the theater there is less need to keep the audience’s attention - they were stuck there in the building. At home, you have distractions so a different kind of movie can prosper. Comedy movies like Mallrats, The Big Lebowski, and Office Space did ABYSMALLY in the theater but found their footing once they were released on VHS. Some of this is attributed to the fact that they can be enjoyed more recreationally and sporadically than many other movies that require direct attention.


Horror films like The Thing, The Abyss, and “slasher” movies like Halloween did extraordinarily well on VHS. This could be because.. what’s scarier than when the monster is.. inside your own house? On the small screen it’s harder to see what’s going on but sometimes that adds to the fear.. plus, you can’t see the zipper so easily on the scary demon monster.


There’s also some films that wouldn’t be as popular today if it weren’t for home video - such as Labyrinth, Blade Runner, or Big Trouble in Little China. These three did not do well in the box office but sold well on home video. A good thing, too - they’re all fantastic films and it’s a good thing they weren’t forgotten.


VHS may be gone - the last VCR was produced in 2016 - but it’s still in our collective pop-culture memory. You get the same gritty effects used all over videos online - giving a bit of realism that it’s a “found” tape. There’s even an anthology Horror series called V/H/S which uses the look of VHS tapes to hide all of the imperfections of CGI to great effect.


Myself? I just remember the joy of being able to watch Star Wars in the warmth of my pajamas on Saturday while eating some cereal.


2021/02/24


Having not gone to any conferences, conventions, or the like for a while a quora post caught my eye being shared in discord.


A ways back I’d have collected all the swag I could. Heck, I only wore shirts that were swag because they were free. It was great because I wouldn’t have to pay for them and they were decently high quality!


Nowadays, I don’t really want that stuff. The last conference I went to I even won a new computer monitor (thanks, I guess, Asus?) which I promptly gave to a friend because I already have a monitor and didn’t want to bring it back on a train.


Getting swag can be exciting - except for when I have 10 Venmo hoodies, 4 Wayfair hoodies, 2 jackets that are branded elsewhere, and now more socks than I know what to do with. It’s just not much of a marketing channel for me anymore.


I say that - but then came the time when I spoke with the Pokemon Company. They give out nice shirts that were exclusive, high quality, and from a brand that I have an affinity for.


So, exclusive, high quality, and engaging brands. They don’t really even need to market to me, but do. So why is it that companies spend billions on low quality garbage to give out at conferences? Do we need more tiny and useless thumb drives, pop-sockets, or totes? (They shouldn’t.)


For companies giving out swag to employees there’s now entire companies devoted to creating these - like SwagUp. This is a little more interesting as an employee but…


I’d rather just get snacks, experiences, or other things that I can consume rather than more things that’ll probably end up in a landfill.


2021/02/23


The ongoing pandemic has led to everyone feeling a little disconnected from one-another. It’s no surprise that we crave human interaction when we can’t see one another! However, Zoom just feels too… meeting-ish. Communities don’t really form around Zoom. I think that’s why folks are turning to more “video game”-like aspects to break the physical distances between us.


When we’re meeting in person, we’re usually limited by physics. This is something we’re really used to. You can only have so many people in a room, you can’t really hear folks outside of a short distance away, and you know when someone is talking to you because they are usually giving you their attention.


So - simulating those physical limitations has been seen in a few products (games? tools? communication devices?) that’ve been dropping. I’d first seen something like this at the Recurse Center - they have Virtual RC & it’s really neat! It’s like being in the RC space but you’re represented by just a little avatar version of your face. I think there’s a few other ways that this can work - and products show that’s the case as well.


Skittish is one of these - and I saw it on the front page of Hacker News. You get an avatar that’s a Raccoon or an Owl or a snake - and you hang out in a virtual space, watch videos together, all that. It’s neat, but definitely limited in what it can do.


Gather.town is a bit older, and if I remember correctly had Pokemon sprites to begin with, way back. A few college students tossed it together and put it up online & it grew like wildfire.


To go a bit more realistic, there’s Hub by Mozilla. This is available via VR and feels much more video-gamey than the others. You can easily modify the space you’re in and customize it together with other people. I’ve seen a number of other examples like this - the closest being Rec Room.


There’s still Second Life and Second Life has been around.. forever. Thing is… Second Life gets weird. Real weird. Let’s not think about that too much.


I think there’s always a want for Human connection, though. It doesn’t even have to be instant. Sometimes you just want to listen to some chilled out music and write letters to people via a deer postman. Kind Words (lo fi chill beats to write to) gives you that experience. Kind Words is about writing nice letters and reading nice letters from other people. It makes you feel much better inside than many other interactions.


To be honest? I think we need less Zoom and we need more Kind Words in the world.


2021/02/22


There were two posts on the front page of Hacker News yesterday - Choose Boring Technology and Choose Exciting Technology. Both make great points and are compelling on their own, but they’re completely at odds with one another.


Boring Technology gives examples like PHP, Postgres, Java, and all other sorts of technology that’s been around for a while and is.. well.. not as new and shiny. Battle-tested technology. Things that everyone on the team knows. The argument for boring technology is generally that you won’t get anything that surprises you.


Exciting Technology is … uh.. okay, so bear with me: the examples given are Cassandra (at least 12 years old), MongoDB (>11 years), Clojure (>14 years), and NodeJS (..let’s not touch that). For the sake of simplicity, let’s say Exciting Technology is technology that an engineer is less familiar with and as such cannot for certain say that it will solve the issues they currently have - but there are some shiny new features that they really like!


Let’s … not touch on my personal experiences with Cassandra, Mongo, and the like. Let’s not touch on the issues that seemed to be the case at Etsy’s SRE & maintenance of servers. Let’s not even touch on all the fighting going on in the HN comments.


Instead, I think it’s interesting to talk about the kinds of people that do this because I don’t think that either of these articles will change people’s minds.


Managing Humans by Michael Lopp is a book that’s not just about managing humans. In it he writes about engineering culture, different personalities you might find, and communication skills. Things that are sometimes considered tangential to management (but are very important!)


The chapter “Stables and Volatiles” details two archetypes that you’ll commonly see within engineering cultures.


Stables are engineers that happily work within a set of confines - even appreciating these confines such as direction and deadlines. They assess risk, carefully mitigate failure, and aim for predictable outcomes.


Volatiles will show up, stomp on everything that exists, and leave a trail of disruption in their wake. However, when they build.. they sure build a LOT. In some cases, what they make will be novel and would not have occurred otherwise.


Stables and Volatiles are at odds with one another. They do not get along on everything but a team with both can be incredibly successful - even if there’s a bit of conflict along the way. Volatiles become stables, and sometime stables become volatiles, and neither is really good or bad. They just are.


These archetypes are applicable to the argument about boring versus exciting technology. Stables will more likely than not choose the familiar. Volatiles will sometimes choose the foreign. Neither is right or wrong - at least not intrinsically. Instead, it’s gotta be a balance and you’ve got to use the right tool for the right job.


If you lean too far towards boring technology nothing will be pushed forward. If you lean too far towards the exciting you’ll end up with a backend written in Little using a home-grown database written in Haskell. That.. does sound pretty exciting, though, doesn’t it?


2021/02/20


There’s a nifty new Electron alternative called Tauri which purports to be more memory efficient than Electron! Competition is awesome!


Tauri is written in Rust and utilizes a webview instead of bundling the entire Chrome browser within it.


Using a webview isn’t a particularly new idea - DeskGap, Electrino, Neutralino, and others. On Linux, this works pretty okay! You get a webkit rendering engine (of an unknown version). On MacOS you get the Safari flavor of webkit. On Windows 7 you often get IE11 which.. yikes. Then on earlier Windows 10 you get the old non-Webkit Edge, newer versions mostly get Webkit Edge. It’s.. a little all over.


The big thing that Electron brings is that you know exactly what version of Webkit you’re building against and can cut down on the pain you feel when testing.


The other thing is that Electron has a lot of batteries already included and while Tauri has a lot of features in the works - they just aren’t there yet! However, the roadmap looks great and who knows - maybe it’d really hit that right balance between performance and features without having to write a native app version.


I dunno, though, I feel that Electron being resource hungry isn’t the end of the world. For the most part, you can cut down on memory in Electron in the same way you would a standard web app on Chrome - through profiling and optimization.


2021/02/19


The Perseverance rover confirmed a successful touchdown yesterday, February 19th at ~3:55PM EST. The mission is one of the most ambitious we’ve sent to the red planet - but not just because of the rover (which, itself, is the most complex and featured rover we’ve sent).


The EDL (Entry, Descent, and Landing) platform was also far more advanced than any other we’d sent - with the descent into the Martian atmosphere being yet another part of the experiment. The ablative heat shielding covered the bottom of the capsule - with a type of plating covering it which upon heating would vaporize and be carried away from the Perseverance capsule.


The Perseverance also carried 661lbs of tungsten weights. However, just because they’re dead weight doesn’t mean they won’t serve a purpose.


Two 165 pound blocks of tungsten kept Perseverance in a stable and balanced spin on its journey from Earth. This prevented any one side of the capsule from getting too hot. These are jettisoned 900 miles or so above Mars as they’d no longer be needed. Waste not, though. These two tungsten blocks will slam into the surface of Mars at 9,000 mph or so and are part of a very vital experiment. The InSight lander has a seismometer and even at 2000 miles away it’ll be listening for Perseverance knocking with these tungsten payloads.


Removing those two tungsten blocks is an important part of the entry phase because while balance is required during the journey, the entry requires debalancing. Because one side of the capsule is heavier than the other the entry angle will be at 16°. This leads to a slight amount of lift experienced by the craft, allowing the descent to be controlled via RCS (Reaction Control System) powered rotation - rotate left to cause the lift to push you one way, right to push the other, and go left and right consistently to burn off speed. This is all autonomous!


There are also six 55lb tungsten masses that ensure landing is aligned. These are jettisoned right before firing the parachute and are used to ensure that the radar will be oriented in the correct direction. While the RCS was fired roughly 2,256 times during atmosphere entry, at this point they aren’t a whole lot of use. These tungsten blocks are jettisoned two at a time, and will cause the craft to roll into the exact orientation needed for the rest of the descent.


Haven’t heard yet if InSight heard Perseverance’s hello to start a welcome party, but all of this was fantastically interesting to me and I’m always surprised at how much NASA can achieve.


Wanna watch it? They streamed the landing on twitch! What an amazing future we live in.


2021/02/18


In 2019, the World Health Organization recognized burnout as an occupational phenomenon in the ICD-11. However, a relatively new article by HBR about burnout points at studies that show the pandemic has been causing burnout to run rampant since early 2020. “Knowledge workers” are now mostly working remotely - looking at Zoom, for example, they went from 10 million to 200 million active users effectively overnight.


To clarify: Burnout is really just another term for chronic stress causing emotional, mental, and even physical damage.


Lots of companies just look at it as a personal problem. Get better at self-care, do some yoga, use those new-fangled meditation apps. Those might help soothe some of the pains caused by chronic stress, but they don’t get to the actual causes of it.


A 2012 study by Christina Maslach, Michael Leiter and Susan Jackson points to the causes of burnout being more organizational than personal. The top cause? Unsustainable workload. Also in there is the lack of a supportive community.


If you take a look over the NBER’s working paper on the impact of COVID-19 - what do you see? Remote workers on average work 10% more during all of this. People also have more shorter meetings than ever before. You end up with a heavier workload and sparser, shorter action-oriented meetings - without the same affordances given to social interactions unrelated to the work at hand.


The HBR article I’d linked above did a survey of 1500 workers - and found that nearly 90% said that their work life was getting worse, more than half said their work was becoming more demanding, and half felt that they couldn’t maintain a strong connection with their friends.


This isn’t really a new phenomenon, either. Some CEOs of public companies have been pushing for 80 hours a week of work, Uber’s employees were effectively not sleeping, Amazon worked people to exhaustion on Easter Sunday and Thanksgiving weekend, and if you want to hear me go off about even my personal experience, just ask me about Venmo’s practices. The superbowl “war room” that literally means being in the office for 24 hours without sleep is just the tip of that iceberg.


Really, though - what I’m trying to say is that burnout is very real, very scary, and it’s gotta get addressed sometime. I don’t think that time is now, but it’s gotta be soon.


Maybe the 5 hour work day could become the norm. I doubt it though.


2021/02/17


Having lived in Texas for a few years I know a number of Texans right now that have not had power for nearly 48 hours with freezing causing a real terrible situation.


Much of this is caused because Texas has an isolated power grid with 3 interconnects to other states and 3 to Mexico - through what is known as ERCOT. ERCOT was founded in 1970 and covers most of Texas. Much of this was fueled by a secessionist attitude many Texas lawmakers take, as well as a want to avoid federal regulations. A further push to deregulate came in the late 90s, and much of ERCOT is powered by an aging and neglected coal and natural gas infrastructure.


I’ve seen a number of talking points saying that this is all because renewable energy such as wind and solar are failing Texas - which isn’t the case. Not only do modern wind turbines handle ice and snow through some neat mechanisms, most of the 80% power deficit has to do with natural gas, coal, and nuclear losing capacity. Natural gas pipelines froze, coal couldn’t be shipped, and nuclear plants were not able to prevent the cooling water reservoirs from potentially freezing.


This all ends up hurting the citizens of Texas - where rolling power outages turned into several day outages as ERCOT scrambles to make up for the shortages. Folks are cold, hungry, and don’t have water.


It’s a bad situation.


2021/02/16


Have you ever wanted to make an interface for a program, but realized web just isn’t for you? Don’t want to delve into the madness and incantations needed to utilize ncurses?


There’s a new blog post by Will McGugan about his Python library Rich, used to create beautiful CLIs. The blog post details some basic creation of dashboards using the various APIs available through Rich. Having written a few things with ncurses, I can safely say that this is a much more pleasant experience.


But what about folks over in javascript land? Heck, while I love Python I also adore Javascript.


Check out blessed, blessed-contrib, and react-blessed. Blessed is a Javascript library to create CLIs, but you’ll notice that the react API it has is really game changing. Using a special blessed renderer in React you can create CLI interfaces with the same paradigms as any React 16 application. Combine that with the contrib package and you can have real time terminal dashboards that show graphs, maps, spark lines, markdown, and even picture rendering.


It’s one thing to show off your cool new graphical web app. It’s another entirely to show off your 100% hacker terminal app.


2021/02/15


In Javascript, functions always have variadic arguments. This leads to some performance hits because there always has to be an adapter when using a JIT compilation. The adapter required creating a new frame in-between the caller and callee frames. Creating a frame is super costly.


On the v8 development website a new blog entry was posted which details how this process works and what they’ve done to dramatically improve function calls by optimizing this javascript feature.


How’d they solve it? They work through the arguments array backwards so they don’t really need to know how many arguments are on the stack, but they can assume that there are at least enough arguments to satisfy the parameter count - even if the arguments are undefined. This allows for cutting up the formal parameters and the extra variadic arguments to pass them to the callee frame in a way that doesn’t require extra lookups or an extra frame that will calculate it all.
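As an added illustration (not code from the V8 post or from V8 itself), here is a small model of that reversed layout in plain JavaScript. `pushReversed`, `readArg` and `calleeView` are hypothetical names, and an array stands in for the machine stack; the point is that each formal parameter ends up at a fixed slot no matter how many arguments the caller actually passed.

```javascript
// Added illustration, not code from the V8 blog post or from V8 itself: a
// small model of the calling convention the post describes. The caller pushes
// the actual arguments onto a simulated stack in reverse order, padding with
// undefined when fewer arguments than formal parameters were supplied. Every
// formal parameter then sits at a fixed slot relative to the top of the
// frame, so the callee never needs an adapter frame to find them.

// Build the frame for a call of `actualArgs` into a callee declaring
// `formalCount` parameters. Returns the simulated stack (last element = top).
function pushReversed(actualArgs, formalCount) {
  const stack = [];
  // Extra (over-applied) arguments go first, so they end up deepest.
  for (let i = actualArgs.length - 1; i >= formalCount; i--) {
    stack.push(actualArgs[i]);
  }
  // Then the formal parameters, highest index first; missing ones are padded
  // with undefined, which is what the callee would observe anyway.
  for (let i = formalCount - 1; i >= 0; i--) {
    stack.push(i < actualArgs.length ? actualArgs[i] : undefined);
  }
  // Finally the actual argument count, which is what `arguments.length` reads.
  stack.push(actualArgs.length);
  return stack;
}

// Callee-side view: argument k lives at a fixed offset below the count slot,
// whether k is a formal parameter or one of the extras.
function readArg(stack, k) {
  return stack[stack.length - 2 - k];
}

function argCount(stack) {
  return stack[stack.length - 1];
}

// Reconstruct what a callee declaring `formalCount` parameters would see:
// its formal parameters plus `arguments.length`.
function calleeView(stack, formalCount) {
  const formals = [];
  for (let i = 0; i < formalCount; i++) formals.push(readArg(stack, i));
  return { formals, length: argCount(stack) };
}

// Reference: the real JavaScript semantics the model has to agree with.
function realCallee(a, b) {
  return { formals: [a, b], length: arguments.length };
}

// Demonstration: under-application, exact application and over-application
// all leave parameter 0 and parameter 1 at the same slots.
function demo() {
  return [[1], [1, 2], [1, 2, 3]].map((args) => {
    const stack = pushReversed(args, 2);
    return {
      args,
      stack,
      model: calleeView(stack, 2),
      real: realCallee(...args),
    };
  });
}
```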


No more overhead! Super fast!


2021/02/11


There’s something about the fact that I’m taking an at-home cooking class from a world-renowned French cuisine Chef that has an uncomfortable “rich people things” vibe to it.


It makes me think about a New Yorker article about the “Joylessness of Cooking”. In theory, I love to cook. It’s a way of peering through time and culture to see how different people live and have lived.


Those of us that still have stable incomes can often find far more ingredients than ever before. In New York City there’s Chef Collective seeing even better stock because many restaurants have shuttered or are generally seeing fewer customers. Some restaurants, like Xi’an Famous Foods, have even pivoted to selling “kits” instead of doing delivery because their foods don’t work well with delivery.


The article points out a book - How to Cook a Wolf by MFK Fisher. The book walks through dealing with the shortages and difficulties that existed when cooking during World War 2. I am so grateful that my life is in a place where the feeling of hunger is a choice rather than a fact of life. I picked up a copy of the book. I’m really looking forward to reading it.


In theory, I love to cook. In practice, I’ve been cooking far too often to truly enjoy it. I have always had an extreme respect for my mother and father. We cooked food at home every single day while I was growing up - sometimes out of necessity. We didn’t do fast food, and we very rarely ate at restaurants or had takeout. They followed through with that to make sure there was food on the table & dealt with getting children to eat that food.


I really do love cooking - just.. in theory. In practice, I can’t wait to make it an exciting optional activity like this cooking class I’m taking. I’ve registered to the wait list for the vaccine and boy am I looking forward to that.