Coding Blogs

1
 
 

I love DNS esoterica. Weird little things that you can shove in the global directory to be distributed around the world instantly(ish).

Domain names, like www.example.com usually resolve to servers. As much as we think of "the cloud" as being some intangible morass of ethereal Turing-machines floating in probability space, the more prosaic reality is that they're just boxen in data centres. They have a physical location.

Got a tricky machine which is playing silly-buggers? Wouldn't it be nice to know exactly where it is? That way you can visit and give it some percussive maintenance.

Enter the DNS LOC record!

The snappily titled RFC 1876 is an experimental standard. It allows you to create a DNS record which specifies the latitude and longitude of your server. Of course, some data-centres are very tall and some are underground. So it also contains an altitude parameter.

The standard allows for a minimum altitude of -100,000 metres - deep enough for any bunker! The maximum altitude is 42,849,672 metres which is high enough to allow it to be used on satellites in geostationary orbit.

So, as a bit of fun, I decided to create where-is-the-iss.dedyn.io

It isn't a website. You can't ping it. There's no way to interact with it except by using DNS. Yup! You can use a DNS query to get the (approximate) location of the International Space Station!

Linux and Mac users[0] can run:

dig where-is-the-iss.dedyn.io LOC

And receive back the latest position of the ISS:

;; ANSWER SECTION: where-is-the-iss.dedyn.io. 1066 IN LOC 47 24 53.500 N 66 12 12.070 W 430520m 10000m 10000m 10000m

The DNS records are updated every 15 minutes on a best-effort basis[1].

How

The lovely people at N2YO have a website which allows you to track loads of objects in orbit. They also have an easy to use API with a generous free tier.

Calling https://api.n2yo.com/rest/v1/satellite/positions/25544/0/0/0/1/&apiKey=_____ gets back the latest position:

{
  "info": { "satname": "SPACE STATION", "satid": 25544, "transactionscount": 7 },
  "positions": [
    {
      "satlatitude": -21.25409321,
      "satlongitude": 140.3335763,
      "sataltitude": 420.09,
      "azimuth": 292.92,
      "elevation": -70.95,
      "ra": 202.69300845,
      "dec": -32.16097472,
      "timestamp": 1751366048,
      "eclipsed": true
    }
  ]
}

Note that the altitude is in Km, whereas the LOC format requires m.

The latitude and longitude are in decimal format - they need to be converted to Degrees, Minutes, and Seconds.

There were only a few free domain name providers who offered an API for updating LOC records. I went for deSEC, a charity from Berlin. They have comprehensive API documentation.

Adding the initial LOC record is done with:

curl https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/ \
  --header "Authorization: Token _______" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"type": "LOC", "records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"], "ttl": 900}'

However, updating the record is a little trickier. It needs to be sent as an HTTP PATCH to a subtly different URL. The PATCH only needs to send the data which have changed.

curl -X PATCH https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/@/LOC/ \
  --header "Authorization: Token _______" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"]}'

I set the Time To Live at 900 seconds. Every 15 minutes my code runs to update the record[2]. That keeps me well within the API limits for both services. I could add TXT records showing when it was last updated, or other sorts of unstructured data, but I think this is enough for a quick proof-of-concept.

There you have it! A complex and silly way to demonstrate how DNS can be used to hold the most unlikely of records[3]. Say, I wonder how you'd represent the co-ordinates of the Mars Rover…?

Further Reading

For more DNS weirdness, please see my other posts:

BIMI - SVG in DNS TXT WTF?!
Why you can't dig Switzerland

[0] I don't think there's a way for Windows users to look up LOC records using PowerShell or the Command Prompt. ↩

[1] Look, I'm not NASA, OK? If you're using this to help you dock then I cannot be held responsible. ↩

[2] I suppose you could build an API with unlimited request limits by distributing data via DNS TXT records. Would best suit static or infrequently updating data. Push it once to DNS and let everyone query it semi-locally. ↩

[3] See if you can find the other interesting record I've added to DNS! ↩


From Terence Eden’s Blog via this RSS feed
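The conversion steps the post describes (kilometres to metres, decimal degrees to degrees/minutes/seconds, the RFC 1876 altitude range) and the two deSEC request bodies, as an added Python example. This is not code from the post, from deSEC or from N2YO: the sample JSON is constructed to match the shape shown above, the function names are my own, and the size/precision fields are copied from the 10000m values in the dig output. It also parses a dig answer line back to decimal degrees so the round trip can be checked.

```python
"""Added example (not from the original post): convert an N2YO-style position
into an RFC 1876 LOC record and parse a dig answer back to decimal degrees."""
import json

# Altitude bounds from RFC 1876, in metres (the range the post quotes).
LOC_ALT_MIN_M = -100_000
LOC_ALT_MAX_M = 42_849_672

# Constructed sample in the shape of the N2YO response shown in the post.
SAMPLE_N2YO = json.dumps({
    "info": {"satname": "SPACE STATION", "satid": 25544, "transactionscount": 7},
    "positions": [{"satlatitude": -21.25409321, "satlongitude": 140.3335763,
                   "sataltitude": 420.09, "timestamp": 1751366048}],
})


def altitude_in_range(alt_m):
    """True if an altitude in metres is representable in a LOC record."""
    return LOC_ALT_MIN_M <= alt_m <= LOC_ALT_MAX_M


def decimal_to_dms(value, pos_hemi, neg_hemi):
    """Split signed decimal degrees into (deg, min, sec, hemisphere letter)."""
    hemi = pos_hemi if value >= 0 else neg_hemi
    value = abs(value)
    deg = int(value)
    rem_min = (value - deg) * 60
    minutes = int(rem_min)
    seconds = round((rem_min - minutes) * 60, 3)
    # Rounding can produce 60.000 seconds; carry it into minutes/degrees.
    if seconds >= 60:
        seconds -= 60
        minutes += 1
    if minutes >= 60:
        minutes -= 60
        deg += 1
    return deg, minutes, seconds, hemi


def build_loc(lat, lon, alt_km, size_m=10000, hp_m=10000, vp_m=10000):
    """Return LOC RDATA text 'd m s N|S d m s E|W alt size hp vp' (RFC 1876).
    N2YO reports altitude in km; LOC wants metres, so the value is scaled."""
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("latitude/longitude out of range")
    alt_m = alt_km * 1000
    if not altitude_in_range(alt_m):
        raise ValueError(f"altitude {alt_m} m outside the LOC range")
    la = decimal_to_dms(lat, "N", "S")
    lo = decimal_to_dms(lon, "E", "W")
    return (f"{la[0]} {la[1]} {la[2]:.3f} {la[3]} "
            f"{lo[0]} {lo[1]} {lo[2]:.3f} {lo[3]} "
            f"{alt_m:.2f}m {size_m}m {hp_m}m {vp_m}m")


def loc_from_n2yo(body):
    """Take the first position from an N2YO JSON body and build the record."""
    pos = json.loads(body)["positions"][0]
    return build_loc(pos["satlatitude"], pos["satlongitude"], pos["sataltitude"])


def desec_create_payload(loc, ttl=900):
    """Body for the initial POST to .../rrsets/ (TTL 900 s, as in the post)."""
    return {"type": "LOC", "records": [loc], "ttl": ttl}


def desec_patch_payload(loc):
    """Body for the PATCH to .../rrsets/@/LOC/: only the changed records."""
    return {"records": [loc]}


def _parse_angle(tokens, pos_hemi, neg_hemi):
    """Consume 'd [m [s]] HEMI' from the token list; return signed degrees."""
    parts = []
    while tokens and tokens[0] not in (pos_hemi, neg_hemi):
        parts.append(float(tokens.pop(0)))
    if not tokens or not 1 <= len(parts) <= 3:
        raise ValueError("malformed LOC angle")
    hemi = tokens.pop(0)
    deg, minutes, seconds = (parts + [0.0, 0.0])[:3]
    value = deg + minutes / 60 + seconds / 3600
    return value if hemi == pos_hemi else -value


def parse_loc(rdata):
    """Parse LOC RDATA text back into (lat, lon, alt_m) decimal values."""
    tokens = rdata.split()
    lat = _parse_angle(tokens, "N", "S")
    lon = _parse_angle(tokens, "E", "W")
    alt_m = float(tokens[0].rstrip("m"))
    return lat, lon, alt_m


def parse_dig_answer(line):
    """Pull the RDATA out of a dig answer line like the one in the post."""
    return parse_loc(line.split(" LOC ", 1)[1])


if __name__ == "__main__":
    record = loc_from_n2yo(SAMPLE_N2YO)
    print(record)
    print(json.dumps(desec_patch_payload(record)))
    print(parse_loc(record))
```

The range check matters because a LOC record with an out-of-range altitude is rejected by the nameserver (or silently clamped, depending on the implementation), so validating before the PATCH avoids publishing a broken record for a whole TTL.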

2
 
 

One of the disposable e-cigarettes studied released more lead during a day's use than nearly 20 packs of traditional cigarettes:

"When I first saw the lead concentrations, they were so high I thought our instrument was broken," Salazar said. [...]

"We found that these disposable devices have toxins already present in the e-liquid, or they're leaching quite extensively from their components into e-liquids and ultimately transferred to the smoke," Salazar said.

Leaded bronze alloy components in some devices leached nickel and lead to the e-liquid. Nickel was also released from heating coils, and antimony was present in unused e-liquids at high levels, both of which increase the risk of cancer.

The researchers also assessed the health risk for daily users. Vapors from three of the devices had nickel levels and two devices had antimony levels that exceeded cancer risk limits. Vapors from four of the devices had nickel and lead emissions that surpassed health-risk thresholds for illnesses besides cancer, such as neurological damage and respiratory diseases.

I'll bet Bobby Brainworms thinks you need a lot more lead and antimony supplements in your diet. But he's not going to state that outright, he's just asking questions...

Previously, previously, previously, previously, previously, previously, previously.


From jwz via this RSS feed

3
 
 

I know I am probably the last person in the world still running X11 on a Mac, but some time around macOS 14.7.3, XQuartz stopped working with OpenGL programs that use EGL instead of GLX. If someone could tell me how to fix this, that would be great:

libEGL warning: egl: failed to create dri2 screen
MESA: error: Failed to attach to x11 shm
MESA: error: Failed to attach to x11 shm
MESA: error: Failed to attach to x11 shm
...


From jwz via this RSS feed

4
 
 

Dear Lazyweb, how do you iterate the wl_registry more than once? I have two modules that have nothing to do with each other, but need to find their respective protocols, and apparently you can't call wl_registry_add_listener more than once. The second one is ignored.

Is there any actual API documentation for this shit? I have found only the two extremes of "hex dumps of socket protocol" and "language-agnostic XML file fetishism".

Previously, previously.


From jwz via this RSS feed

5
 
 

The LVIF_INDENT property of the Win32 classic listview control lets you indent an item in report view. The units of indentation are the size of the image list. But that requires an image list. Why does it require an image list?

The indentation feature of the classic listview control was added for Internet Mail and News, a mail and newsreader program that came with Internet Explorer 3.¹ The indentation was used to represent message threading. Since the indentation was intended to represent reply depth, it was not unreasonable for the listview’s representation of the indentation to match the underlying data’s indentation. And since each item had an icon (representing read or unread), the width of the icon was a natural unit of indentation.

But what if you don’t want an image list?

The indentation demands an image list, but you can provide a 1 × 1 image list, and choose not to show any images. The space will still be reserved, so there will be a 1 pixel gap, but maybe this small glitch isn’t noticeable. The indentation would then be in units of pixels.

Not great, but it might be the best you can do.

¹ Internet Mail and News was subsequently rebranded as Outlook Express, a rebranding which created confusion and unmet expectations.

The post Why doesn’t LVIF_INDENT work without an image list? appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

6
 
 

Somehow, I must have missed out on learning phrases of changes in quantity in German, so I need a cheat sheet.

Trend            Quantity: Low               Quantity: High
Decreasing       nur noch “only … left”      immer noch “still”
Increasing       erst “so far”               schon “already”
Stable/Unknown   nur “only”                  (none)

(Native German speakers: Please feel free to offer corrections.)

Here’s a sentence pattern for demonstration.

I have only 100 left = Ich habe nur noch 100: ˦˨ I used to have more, but I’m running low.
I still have 100 = Ich habe immer noch 100: ˦˧ I used to have more, but I’m not running low yet.
I have 100 so far = Ich habe erst 100: ˩˨ It’s not much, but it’s more than I had before.
I have 100 already = Ich habe schon 100: ˩˧ It’s quite a bit, and it’s more than I had before.
I have only 100 = Ich habe nur 100: ˩ It’s not much, but that’s typical.
I have 100 = Ich habe 100: It is what it is.

It’s interesting to me that the last box is empty. Neither English nor German seems to have a clear phrase pattern to indicate “I have a lot, and that’s typical.”

Learning another language gives you a chance to reflect upon your own. When laid out this way, it does seem weird that the English patterns scatter the modifier words into three different positions in the sentence.

Note: These adverbs also have meanings unrelated to quantity. I’m focusing on the quantity-related meanings.

The post German language cheat sheet: On changing quantities appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

7
 
 

A customer called the FormatMessage function with the FORMAT_MESSAGE_ALLOCATE_BUFFER flag, and they weren’t sure what to do if the function fails (by returning 0). Do they have to free the buffer by calling LocalFree?

No, you don’t have to free the buffer. In fact, on failure, there is no buffer. The function failed to perform the desired operation, so there is nothing to clean up.

You can make things easier on yourself by pre-initializing the output pointer to NULL. That way, if the function fails, the pointer is still null. Then your logic can be “Go ahead and free the buffer,” because the LocalFree function allows you to pass NULL, and it just ignores it. (This trick allows things like wil::unique_hlocal_string to work with FormatMessage.)

Thinking about the original question: You can’t tell whether the reason for the function failure is that something went wrong during formatting or that something went wrong during allocation of the final output buffer. You could call GetLastError(), but if it returns ERROR_OUT_OF_MEMORY, you still don’t know whether it ran out of memory during the formatting phase or during the final buffer allocation phase. Therefore, even if you wanted to free the buffer, you don’t know whether you even got one in the first place.

The post If the FormatMessage function fails, and I requested that it allocate a buffer, do I have to free the buffer? appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

8
 
 

Between 2014 and 2022, DigitalOcean sent free t-shirts to developers who completed the Hacktoberfest challenge. For entirely sensible reasons related to sustainability and spammy entrants, they stopped doing physical merchandise in 2023.

I'm the sort of hip fashionista who only wears free conference t-shirts.

GDS (@GDSTeam, https://twitter.com/GDSTeam), 16:31 Tue 30 January 2018: “We support open source. And we’ve got the t-shirts to prove it (thanks @github @digitalocean). GDS took part in #Hacktoberfest this year, contributing to open source projects as part of a global community hacktoberfest.digitalocean.com pic.x.com/AkM09LGono” (photo: Terence, Andrea and Anna wearing Hacktoberfest t-shirts)

Sadly, after several years of constant catwalk modelling, my beloved Hacktoberfest shirts are full of holes. I couldn't find any for sale on eBay or Vinted - so I decided to make my own.

Note: DigitalOcean's Brand Guidelines say that you shouldn't create physical merchandise or sell any products featuring the logo. Well, I'm not selling these nor, do I think, they are merchandise. Hacktoberfest aren't using these to incentivise anyone any more. They're just cool t-shirts.

The Logos

There are lots of photos of the t-shirts but it is surprisingly hard to find the original assets.

Low Resolution

Kotis - a design agency - did the Hacktoberfest swag from 2015-2020. They have a brand portfolio with the t-shirt icons. Sadly, all a bit low resolution for printing, but good for getting accurate background colours for the material.

2020 2019 2018 2017 2016 2015

Similarly, there are a few low resolution promo shots of the t-shirts or their logos:

2022 (back of t-shirt)
2021 (t-shirt)
2016 (more accurate colours)
2015 (logo)
2014 (logo)

AI upscaling looked typically rubbish.

Higher Resolution Bitmaps

Some designers have their logo designs on Dribbble. Not very high resolution, but good enough for stickers.

2019, 2018, 2017, 2016

Archived Logos

The official Hacktoberfest website had some logos embedded on it:

2022 (SVG logo)
2019 (SVG)
2018 (PNG with transparent background)
2017 (SVG)

Best of the bunch

[Content truncated due to length...]


From Terence Eden’s Blog via this RSS feed

9
 
 

Dear Lazyweb, what is the proper way to tell Wayland, "power off the monitor, power it on again when there is activity"? AKA "xset dpms force off" or "DPMSForceLevel()".

The closest I have found is "wlr-randr --output HDMI-A-2 --off" which powers off as a side effect of disabling the monitor in RANDR... and it doesn't turn back on at activity.

Doing that in code (via "wlr-output-management-unstable-v1", which of course GNOME and KDE don't implement) takes 400+ lines. That's 399+ too many. And if the program crashes, congratulations, you get to reboot to turn your screens back on.

Wayfire lets you put a "dpms_timeout" number in its config file, but I can't make any sense of how that is implemented.

Wayland continues to fill me with amazement (pej., obs.)

Previously.


From jwz via this RSS feed

10
 
 

Eric Bailey:

It turns out you can just pay people to do things.

I found a voice actor and hired them with the task of "Reading this very dry technical document in the most over-the-top sarcastic, passive-aggressive, condescending way possible. Like, if you think it's too much, take that feeling, ignore it, and crank things up one more notch."

Previously, previously, previously, previously.


From jwz via this RSS feed

11
 
 

XScreenSaver 6.11 is out now. This is a Unix-only release -- this version contains preliminary support for Wayland.

This is maybe not entirely ready for prime time, but I figured I'd get it out there so that some people who actually understand Wayland can poke at it.

This version only supports blanking, not locking.
It requires compositor support for either the "org_kde_kwin_idle" or "ext_idle_notifier_v1" protocols. That means "everything but GNOME", I think.
Fading in and out, and grabbing screen images, require the program "grim" to be installed, and work. And it does not work under GNOME or KDE.
It is unable to configure DPMS, or detect changes in it.

Things I could use your help with:

Tell me if you have a Wayland system on which it does not work, besides GNOME.
I have not tested "ext_idle_notifier_v1". Please let me know if you have a system that supports that. Alternately, if it is the case that there are no compositors that provide "ext_idle_notifier_v1" that do not also provide "org_kde_kwin_idle", then I can just remove it.
Figure out a better (or dare I dream, faster) way to get screen shots than running "grim".
Figure out this GNOME and KDE shit, because I'm probably gonna just say "screw those guys" otherwise.
Write me some sample Wayland code that places two windows on the screen, one atop the other, and changes the alpha on the front window to make the back window appear to fade to black.
I have barely begun to think about locking, but probably "ext-session-lock-v1" is going to continue to be the only game in town, even though it is absolutely the wrong way to go about any of this, FFS. Anyway, it takes a list of surfaces which are the only ones displayed while locked. Possibly we can get the underlying Wayland surface out of the X11 saver windows and feed those in to it? I guess the xscreensaver-auth window would have to be re-parented to under one of those.

I have little interest in working on this part, so if you want XScreenSaver to be able to lock your screen, you might wanna pitch in here.

Previously, previously, previously, previously, previously.


From jwz via this RSS feed

12
 
 

A customer was adding an interface to their out-of-process COM server. They added their interface to the project’s existing IDL file and recompiled the resulting proxy stub DLL. But when they tried to connect to the server, the connection failed with error 0x80040155, also known as REGDB_E_IIDNOTREG: Interface not registered.

They realized that they forgot to register the interface’s proxy, so they added an entry to HKCR\Interface\{iid}\ProxyStubClsid32 so that COM knew where to find the proxy stub. (They didn’t have to create a new CLSID entry for the proxy DLL because they were adding an interface to their existing IDL, so the proxy DLL was itself already registered by whoever set up that IDL file initially.)

Upon trying again, the connection still failed. This time with the error 0x80004002, the often-encountered E_NOINTERFACE: No such interface supported.

We learned that one cause of this is a missing marshaler.

“But that doesn’t apply in this case, because I registered the interface and pointed it to the proxy DLL that holds the marshaler!”

Does that proxy DLL hold the marshaler?

We looked at the interface declaration.

[
    object,
    local,
    uuid(iid)
]
interface IWidgetFactory : IUnknown
{
    ⟦ ... ⟧
}

The interface is marked as local. A local interface is one that never leaves its home apartment and therefore never needs to be marshalled. The IDL compiler does not generate marshallers for local interfaces because they would never be needed.

I don’t know the history here. It’s possible that this interface started out as local because it was originally designed as an in-apartment object, but then the team decided to move the widget factory out of process (which now requires a marshaller) and forgot to remove the local attribute.

Or maybe the local was just a copy-pasta from elsewhere in the IDL file that they forgot to remove. (Or they didn’t realize what it meant.)

The post Unintended yet somehow entirely expected consequences of marking a COM interface as local appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

13
 
 

See Something, Tap Something:

ICEBlock is an innovative, completely anonymous crowdsourced platform that allows users to report Immigration and Customs Enforcement (ICE) activity with just two taps on their phone.

The app ensures user privacy by storing no personal data, making it impossible to trace reports back to individual users. Available exclusively for iOS devices, ICEBlock empowers communities to stay informed about ICE presence within a 5-mile radius while maintaining their anonymity through real-time updates and automatic deletion of sightings after four hours.

The cowards at Time wrote a whole article about the app and didn't include a link to it:

Joshua Aaron:

"When I saw what was going on in this country, I just really felt like I had to do something," Aaron says, referencing the ICE raids that have taken place following Trump's return to the White House. As of June, over 100,000 people have reportedly been arrested by ICE during Trump's second term. [...]

"The app is 100% anonymous and free for anybody who wants to use it. We don't collect user data. We don't even capture user data. That's extremely important," Aaron says, recognizing the privacy concerns people may have. As such, the app is not available on Android because it "requires a device ID in order to send push notifications, which requires a user account and a password." [...]

"Before [the protests started], there were around 2,500 users, and I was thrilled. Then I logged on two days later, and there were over 20,000 users, and the app went to number 32 for 'Social Networking' in the App Store," he says. [...]

In response to a request for comment, ICE referred TIME to a statement from acting director Todd Lyons, who called the app "sickening," saying it "paints a target on federal law enforcement officers' backs" and "incites violence."

Aaron says he hopes the app, which became available to iPhone users in April, is used as a tool to avoid interactions with ICE agents, rather than users directly involving themselves in potential altercations. [...]

Aaron says his ultimate goal is to look out for the community. "When I see things like ICE outside of elementary schools, that's what we are trying to push back against, because you need to do more. You need to protect your neighbors," he says.

Previously, previously, previously, previously, previously.


From jwz via this RSS feed

14
 
 

I recently read an interesting article about Accountability Sinks. In it, the author argues that part of the reason for having business processes is that they diffuse accountability.

Every one of us has tried to have an argument with an employee of a big company, and it always goes like this:

the human being you are speaking to is only allowed to follow a set of processes and rules that pass on decisions made at a higher level of the corporate hierarchy. It’s often a frustrating experience; you want to get angry, but you can’t really blame the person you’re talking to.

So should we give people more discretion in which processes they follow?

In some cases, yes! The article contains some compelling examples of when "breaking the rules" is the preferable outcome.

But there are some unacknowledged downsides to letting people decide which rules are applicable - and that's people's personal prejudices.

The article says some of the discontent with the modern world can be blamed on over-adherence to rules. For example:

The skepticism toward judges? It fits. They often seem more devoted to procedure than to justice.

Imagine a world without sentencing guidelines. Perhaps the judge is from a different tribe to the accused and punishes them much more harshly than a clan-member. Would that seem fair?

The customer service agent just doesn't like people of your gender, and refuses to process your refund.

You give the bank manager a firm handshake and he approves your loan - even though you don't technically qualify, you look like a decent sort of chap.

And on it goes.

Look, there's no doubt plenty of bias encoded within processes. All processes should be regularly reviewed and updated. Breaking a process in extremis can be a good idea. When confronted with an inflexible policy, you may feel like a mere cog in a machine - but at least the machine is prevented from discriminating against your type of cogs.

A well-defined process dehumanises both sides.


From Terence Eden’s Blog via this RSS feed

15
 
 

At the end of project milestones, some organizations have a tradition of asking each team within the organization to produce a “sizzle reel” highlighting the work that they have accomplished. These short videos are then gathered together and shown at the organizational group meeting so everybody can show off their work and receive appropriate kudos from other teams in the organization.

Another source of these “sizzle reels” is a group showing off its work as a form of advertisement. For example, a team may have developed a new tool or technology and want to get the word out. Or they may have made improvements to their existing technology, and they want to announce the next revision to their existing customers.

One thing I would like to remind people who are creating these short videos: Understand your audience.

It is not uncommon for these little videos to brag about accomplishments in terms that are not comprehensible to people who aren’t on the team.

We are always working on improving performance, and during this milestone, we tried out a new way to turboencabulate the dependency net, which produced a metonomic phase cycle period of 15 milliseconds.

Like, I’m happy for you though, or sorry that happened.

Go ahead and include those details if it makes your team feel good. (Particularly the developers who worked hard on the new turboencabulator.) But please also give a brief explanation that makes sense to the outsiders who are watching your video.

On large data sets, we found that this lowered run times by as much as 30%, though improvements of 10% are more typical.

The post The sizzle reel that says things that nobody understands appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

16
 
 

Phineas:

I've been getting mad a lot about hollow-eyed, artless money ghouls telling me what's inevitable and then I had an idea I had to draw about it.

T-shirt!

Previously, previously, previously.


From jwz via this RSS feed

17
 
 

Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad[0]?

Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence.

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

Passwords must be—

a. unique per product; or

b. defined by the user of the product.

Passwords which are unique per product must not be—

a. based on incremental counters;

b. based on or derived from publicly available information;

c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

In this Part “relevant connectable product” means a product that meets conditions A and B.

Condition A is that the product is—

A. an internet-connectable product, or

B. a network-connectable product.

Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

Computers

Products are excepted under this paragraph if they are computers which are—

a. desktop computers;

b. laptop computers;

c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt[1]. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly[2].

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

[0] I'm not a lawyer. This is not legal advice. This is just my interpretation of what's going on. If in doubt, consult someone qualified. ↩

[1] With thanks to m'learned colleague Neil Brown who came to much the same conclusion. ↩

[2] You can see the actions they've previously taken. Because PSTI is so new, there aren't any actions against insecure IoT devices - so we'll have to wait and see how they choose to proceed. ↩


From Terence Eden’s Blog via this RSS feed
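The regulation quoted above gives a manufacturer a checklist: per-product uniqueness, no counters, and no derivation from public information or serial numbers except through "a keyed hashing algorithm". As an added Python example (not code from the post, from Brother, or from Rapid7, and not a description of any real product's scheme), here is a small audit that applies those tests to a fleet's (serial, default password) pairs, alongside a hypothetical unkeyed scheme that trips rule (c), a counter scheme that trips rule (a), and an HMAC-based scheme that passes. The serial numbers, the factory key and all function names are constructed for the example.

```python
"""Added example (not from the post, Brother or Rapid7): audit a product
line's default-password scheme against the PSTI regulation's tests, and
show the keyed derivation rule (c) permits beside an unkeyed one."""
import base64
import hashlib
import hmac
from collections import Counter

# Constructed serial numbers for a hypothetical product line (not real devices).
SERIALS = [f"EX{n:08d}" for n in range(1000, 1010)]

# Hypothetical per-model manufacturing secret. A real one would be generated
# at random (e.g. secrets.token_bytes(32)) and never leave the factory.
FACTORY_KEY = b"example-factory-key-not-a-real-secret"


def weak_default_password(serial):
    """Hypothetical unkeyed scheme: a truncated plain hash of the serial.
    Anyone who learns the serial recomputes it, which rule (c) forbids."""
    return hashlib.sha256(serial.encode()).hexdigest()[:8]


def counter_default_password(index):
    """Hypothetical counter scheme: sequential numbers, which rule (a) forbids."""
    return f"{100000 + index}"


def keyed_default_password(serial, factory_key):
    """Keyed hashing (HMAC-SHA256) with a factory secret: unique per product
    and not derivable from the serial without the key (rule (c)'s exception)."""
    digest = hmac.new(factory_key, serial.encode(), "sha256").digest()
    return base64.b32encode(digest[:10]).decode().lower()  # 16 chars, no bias


def unkeyed_candidates(serial):
    """Values a party holding only the serial can compute. A default password
    equal to any of these is 'derived from' the serial in the rule's sense."""
    raw = serial.encode()
    cands = {serial, serial[::-1], serial.lower(), serial.upper(), serial[-8:]}
    for name in ("md5", "sha1", "sha256"):
        hexd = hashlib.new(name, raw).hexdigest()
        cands.update({hexd, hexd[:8], hexd[:12], hexd[:16]})
    return cands


def audit_default_passwords(devices):
    """devices: iterable of (serial, default_password) for one product line.
    Returns a list of findings; an empty list means no rule was tripped."""
    devices = list(devices)
    findings = []
    # Rule: unique per product.
    shared = [pw for pw, n in Counter(pw for _, pw in devices).items() if n > 1]
    if shared:
        findings.append(f"not unique per product: {len(shared)} password(s) reused")
    # Rule (a): not based on incremental counters.
    nums = [int(pw) for _, pw in devices if pw.isdigit()]
    if len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
        findings.append("passwords form an incremental counter")
    # Rule (c): not derived from the serial without keyed hashing.
    for serial, pw in devices:
        if pw in unkeyed_candidates(serial):
            findings.append(f"{serial}: password derivable from serial without a key")
    return findings


def fleet(scheme):
    """Build (serial, password) pairs for SERIALS under a scheme(index, serial)."""
    return [(s, scheme(i, s)) for i, s in enumerate(SERIALS)]


if __name__ == "__main__":
    for name, scheme in [
        ("weak", lambda i, s: weak_default_password(s)),
        ("counter", lambda i, s: counter_default_password(i)),
        ("keyed", lambda i, s: keyed_default_password(s, FACTORY_KEY)),
    ]:
        print(name, audit_default_passwords(fleet(scheme)) or "no findings")
```

The keyed scheme only helps if the factory key really stays at the factory: if the same key is burned into every unit's firmware, the derivation becomes unkeyed in practice once the firmware is read out, so the check above should be paired with a review of where the key lives. Rule (d) ("otherwise guessable") is a judgement call the audit cannot encode, which is why it is left out.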

18
 
 

Dear Lazyweb, how do I test a version of Wayland that supports ext-idle-notify-v1? The docs say it is supported on Wayfire, but that is what I am running and it is not. Do I have to turn it on somehow?

"/usr/share/wayland-protocols/staging/ext-idle-notify" exists.

Previously, previously.


From jwz via this RSS feed


So my power went out today (thanks, AT&T!) and just like last time, as soon as the "running on backup power" dialog popped up, my Mac Studio was basically frozen. Moving the mouse took 20+ seconds to update its position. Once the screen locked, it could not register typed characters fast enough for the unlock dialog to not time out!

I unplugged USB from the UPS and rebooted, and it behaved the same at the login screen with no apps running.

Now, last time this happened, the next day I tested it, by unplugging my UPS from the wall -- and the Mac behaved perfectly fine! ◀◀ Read that part again.

It's not even under high load; the UPS said I had like 40 minutes of runtime left.

Once the power finally came back on, suddenly the Mac was behaving perfectly normally again.

Any ideas? For I would like my computer to function on backup power in the future. That would be nice.

Previously.


From jwz via this RSS feed


Visualizing all the books of the world in ISBN space. What it says on the tin.

Back in 2013, there was a series of promotional videos for the golf European Tour titled “Every Shot Imaginable”, in which golfers attempted silly tasks. Professional golfers would try to hit a clay pigeon out of the sky or hit a gong placed in a lake¹ or chip a ball into an explosive-loaded boat or hit the ball collector at a driving range (who hasn’t talked about doing that?) or go head-to-head against a trash-talking golf robot to drive balls into distant washing machines. I enjoy how the golfers get in the spirit of the exercise and celebrate their silly accomplishment. The trash-talking golf robot is probably my favorite, though. Behind the scenes of the washing machine video.

The invalid 68030 instruction that accidentally allowed the Mac Classic II to successfully boot up, a deep dive into retrocomputing and reverse-engineering.

How 6502 illegal opcodes really work, a study of the 6502 instruction decode logic.

Nine is a Commodore 64 demo video showing what appears to be impossible: Nine active sprites on hardware that supports only eight sprites. I am not familiar with the Commodore 64, but I went with the premise. At first, you think you figured out the trick, but as the demo progresses, you realize that you were wrong, and it just gets more and more absurd. Once you’ve seen the trick, watch the explanation and learn about the multiple layers of deception plus some truly mind-boggling beam-racing.

Debugging An Undebuggable App. Bryce Bostwick unwraps the anti-debugging measures taken by an iOS app. Bryce does this to accomplish tasks like fixing a hang in the Disneyland app or (less practically (?)) patching TikTok to show only cat videos.

Ash Wolf fixes a fix for a Windows 3.1 video driver.

A calculator app? Anyone could make that. It turns out that writing a calculator app is incredibly hard because people expect exact answers to certain classes of expressions. Related reading: Windows Calculator switching to an arbitrary-precision rational numbers library (and using a 32-digit precision library for non-rational operations), resulting in tiny errors in the calculation of square roots (because square roots are not rational operations), and leading to a special carve-out for rational roots and powers that result in exact integers.

Recreating An Old “Dirty Gamedev Trick” by Kyle Halladay, who tries to reproduce a dirty trick from an old article from Gamasutra: Exploiting a buffer overflow bug in a network client in order to patch it.

An identical trick was used by AOL in their AOL Instant Messenger app to distinguish their real client from clones. In the late 1990s, there was a cat-and-mouse game between AOL Instant Messenger and MSN Messenger, where the MSN Messenger team reverse-engineered AOL’s chat protocol, and then the AOL Instant Messenger team would issue an update that changed the protocol, and then the MSN Messenger team reverse-engineered the new protocol, etc. (I heard through a friend of a friend that the AOL Instant Messenger team relished pushing their updates at a time that was most inconvenient for Redmond.) The game ended when AOL relied on a buffer overflow bug in their own client. That was a bridge too far for the MSN Messenger Team. (In a contemporary article, an AOL spokesperson said that AOL is “doing all it can to protect its users’ security and privacy“, which is ironic given that the “protection” was “introduce a security vulnerability and then exploit it.”)

¹ The gong shot was so popular that a decade later, they brought back three of the original golfers to do it again [YouTube] (with floating golf balls to allow subsequent retrieval).

The post 2025 mid-year link clearance appeared first on The Old New Thing.


From The Old New Thing via this RSS feed


A team was proposing a method that was at its essence a Read(n) that takes the maximum number of items to read. The reality was more complicated than that: The parameter n was really a configuration property on an operation, but it had the same meaning: It set the maximum number of items to return.

The team said that their method returns E_INVALIDARG if you pass n = 0.

I argued that this is an incorrect design: If somebody asks for “at most zero items”, then you should succeed and give them zero items. Zero is at most zero.

For example, maybe the program calculates the size of its window, divides by the height of an item, and requests only as many items as fit in the window without overflowing. After all, there’s no point fetching data that you never use.

And then the user resizes the window so small that no items fit, so the division rounds down to zero, and the program asks for zero items and crashes because “somebody” decided that it was wrong to ask for zero items.

Let them ask for zero items. Give them nothing.

Edge cases are hard, so remove edge cases from the interface.

Related reading: Embracing the power of the empty set in API design (and applying this principle to selectors and filters).

The post Embracing the power of the empty set in API design: Requesting zero items appeared first on The Old New Thing.


From The Old New Thing via this RSS feed
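The design point above, as an added C++ example that is not from the post or from the team it describes: a rejecting Read(n) that fails on n = 0 next to the permissive one that returns the empty set, driven by the window-height division the post uses as its scenario. All names are hypothetical, and std::invalid_argument stands in for E_INVALIDARG.

```cpp
// Added example, not code from the original post. Names are hypothetical.
#include <cstddef>
#include <stdexcept>
#include <vector>

// Simulated data source: a list of items and a read cursor into it.
struct ItemSource {
    std::vector<int> items;
    std::size_t cursor = 0;
};

// Rejecting design (what the team proposed): "at most zero" is an error.
// std::invalid_argument stands in for E_INVALIDARG here.
std::vector<int> read_rejecting(ItemSource& src, std::size_t max_items) {
    if (max_items == 0) {
        throw std::invalid_argument("max_items must be > 0");
    }
    std::vector<int> out;
    while (out.size() < max_items && src.cursor < src.items.size()) {
        out.push_back(src.items[src.cursor++]);
    }
    return out;
}

// Permissive design (what the post argues for): "at most zero" succeeds and
// yields zero items. The loop simply never runs; no special case is needed.
std::vector<int> read_at_most(ItemSource& src, std::size_t max_items) {
    std::vector<int> out;
    out.reserve(max_items);
    while (out.size() < max_items && src.cursor < src.items.size()) {
        out.push_back(src.items[src.cursor++]);
    }
    return out;
}

// The caller from the post: how many items fit in the window? When the window
// is shorter than one item, integer division rounds down to zero.
std::size_t items_that_fit(std::size_t window_height, std::size_t item_height) {
    if (item_height == 0) return 0; // nothing has zero height; treat as "none fit"
    return window_height / item_height;
}

// Returns true if a program using the given design survives a resize to a
// window too small for a single item, i.e. the read succeeds with no items
// rather than failing.
bool survives_tiny_window(bool permissive) {
    ItemSource src{{1, 2, 3, 4, 5}};  // constructed sample data
    std::size_t n = items_that_fit(/*window_height=*/10, /*item_height=*/24); // 0
    try {
        std::vector<int> got = permissive ? read_at_most(src, n)
                                          : read_rejecting(src, n);
        return got.empty();
    } catch (const std::invalid_argument&) {
        return false; // the rejecting design turns a harmless resize into a failure
    }
}
```

The permissive version has no branch for zero at all: the general loop already produces the empty set, which is the point of removing the edge case from the interface rather than documenting it.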


Google's monopolistic stranglehold on Android results in poor experience for power-users, and artificially restricts choice for those who have older phones. For example, Google Wallet is the de facto way to use NFC payments on Android. There's one problem though - it only works with Google's Android. If you have the temerity to install a 3rd party Android OS - like the hyper-secure GrapheneOS - you'll be locked out of it.

This device can't be set up to pay contactless. Your device doesn't meet pay contactless security standards. It may be rooted or running uncertified software.

First of all, Google is lying. It does meet security standards and it is not rooted. I get that I have no right to run someone else's software in an environment they don't like, but this is just misinformation. 3rd party OSes are often more secure than a stock OS which has been left to rot by an unresponsive manufacturer.

Anyway, here's how you can use contactless payments on Graphene.

Prerequisites

I'm going to tell you what I did. If you found another way, leave a comment or write your own blog post.

I'm using the latest version of Graphene (2025062000) with Play Services installed. The app is running in my main profile. None of the advanced app protection has been toggled for the app. NFC is on.

You will have to agree to Curve's privacy policy. And the privacy policy of your credit card. Look, if you're using Graphene, you're probably overly privacy sensitive. If you're concerned about The Man™ knowing that you used your card to buy a breakfast beer and then sharing that with 958 trusted partners, just use cash instead.

Install Curve

Here's a referral link to install Curve - join and you get £10. Or, you can install directly from the Play Store.

You'll need to create an account and pass KYC / AML checks. Curve are regulated by the FCA so you should feel safe giving your details to them.

Add a card

Curve is a virtual card provider. So add your existing Visa or MasterCard to the app (no Amex). When you spend on Curve, you're actually spending on the underlying card you've added. Curve promise cheaper foreign exchange fees and a few other perks. But what we're really interested in is NFC payments.

Set up Curve Pay

On your app's dashboard, you should see a banner saying "Curve Pay is good to go!". If not, head into your account and set it up there.

Curve dashboard.

If it has all been set up, you should see a welcome tutorial explaining how contactless works.

Animation showing how to hold your phone to an NFC payment terminal.

Set your default wallet

On your phone, go to Settings → Connected devices → Connection Preferences → NFC → Contactless Payments.

Or, search your settings for Pay.

Settings search page.

Select your default wallet app - in this case, Curve.

List of available wallet apps.

Pay for something

You need to make sure NFC is turned on before you can use NFC payments. I know that sounds obvious, but I forgot to do it the first time and got very confused.

Go to a local shop, pick up something, hand it to the merchant, wave your phone over the payment terminal like you are a technowizard from the future.

Notification showing I paid £3.95 for a sticky bun.

Enjoy eating whatever you paid for!

That's it!

Once you're done, you can turn off NFC if you're paranoid.

Apparently, Curve also works with Garmin Smart Watches - but I don't have one to test out.

If you've found this blog post useful, I'd be grateful if you signed up with my referral link for Curve.


From Terence Eden’s Blog via this RSS feed


Venice, Italy:

In a welcome bag filled with favors such as local chocolates, artisanal soaps, and scented candles, guests arriving for the wedding of Amazon founder Jeff Bezos and Lauren Sánchez this week were reportedly given monogrammed plastic bottles in which to urinate during the ceremony.

"Because guests will be strictly prohibited from leaving the room at any time during the festivities, the couple have provided these custom-made bottles as a token of their appreciation." wedding planner Lucia Contarini said as she showed off a makeshift urine receptacle emblazoned with the initials "J" and "L," noting that it would be the only option available to attendees who did not wish to wet themselves when they inevitably needed to empty their long-held bladders.

"We ask that guests also save some room in the bottle for the reception, because the groom has requested the dance floor be full at all times and no one will be permitted a bathroom break." At press time, the dancing had been in progress for hours, and witnesses confirmed an exhausted Leonardo DiCaprio was completely drenched in urine and struggling to continue moving to the beat of "Uptown Funk."

Previously, previously, previously.


From jwz via this RSS feed


We have been investigating why a project is getting an error about a weird C++/CX symbol, and we tracked it down to three things:

1. If you compile with C++/CX, the compiler injects vccorlib.lib as a default library.
2. The vccorlib.lib library provides a definition of main.
3. The linker special rule for resolving references introduced by a library causes the search for main to look in vccorlib.lib ahead of the fuzzer library that contains the main we want.

To get the linker to find the intended main, we need to take away one of the conditions.

For the first item, we could take away all the components that use C++/CX. But presumably they are there because we need to test them, so that’s not an option.

Another possibility is to remove vccorlib.lib from the default library list. The library is still needed, but we can add it back as an explicit library.

link /out:fuzzer.exe /subsystem:console fuzzer.obj cx.obj lib.lib vccorlib.lib /NODEFAULTLIB:vccorlib.lib

This avoids the problem with the special rule: The reference to main came from libcmt.lib, so the search proceeds through the rest of the default libs, and then wraps around back to the explicit libraries. In the list of explicit libraries, we have been careful to put lib.lib ahead of vccorlib.lib, so that the main in lib.lib gets found first.

For the second item, there’s not much we can do because the vccorlib.lib is provided as part of the toolchain, so we are not at liberty to modify it.

For the third item, we can try to avoid the linker special rule by making sure that the reference to main does not come from a library in the first place. That ensures that the search starts with the first explicit library rather than doing the weird wraparound thing.

One way to force it is to have another object file that contains an explicit reference to main.

rem new! An object file that requests main.
>forcemain.cpp echo int __cdecl main(int, char**); auto forcemain = main;
cl /c forcemain.cpp

rem Add it as the first object file.
link /out:fuzzer.exe /subsystem:console forcemain.obj fuzzer.obj cx.obj lib.lib

rem success!

The first reference to main comes from forcemain, which is not a library, so the special library search rule does not come into play.

I put forcemain.obj first to increase the likelihood that it will provide the first reference to main. If it came second, then maybe resolving a symbol from the first object file leads to a reference that is resolved by a library, and that in turn requests a reference to main, and now the special library search rule kicks in.

It may be difficult to ensure that forcemain.obj comes first. For example, some tooling might sort the object files alphabetically, or somebody might just decide to sort them alphabetically as part of just making things more tidy,¹ causing forcemain.obj to lose its special place at the front of the object list.

Therefore, I like to use the /INCLUDE trick.

link /out:fuzzer.exe /subsystem:console fuzzer.obj cx.obj lib.lib /INCLUDE:main

rem success!

The compiler team tells me that references injected via /INCLUDE get ushered to the front of the line, so they get resolved before any references that come from the object files themselves. In this case, it means that /INCLUDE:main ensures that main is resolved before any symbols from object files, thereby removing the dependency on the order of object files.

My colleague Martyn Lovell noted that even though you can cobble together something that works, he considers it generally a mistake to put your entry point in a library. Libraries generally carry the meaning of “Use this only if necessary,” but in the case of the fuzzing library, their specific main function is mandatory, not a fallback. This is a problem I discussed earlier in the context of choosing between WinMain and wWinMain.

The entry point should be in an explicit object file that is added to the project, or (my preferred option) the library should provide its main function under a name like fuzzer_main which programs are expected to forward to.

// fuzzer.cpp
#include <fuzzerlibrary.h>

int __cdecl main(int argc, char** argv)
{
    return fuzzer_main(argc, argv);
}

bool fuzzer_callback(void* data, int length)
{
    ⟦ ... ⟧
}

This also allows you to do things like choose between two fuzzers at runtime, or run multiple fuzzers from a single binary or run the same fuzzer twice.

// fuzzer.cpp
#include <fuzzerlibrary1.h>
#include <fuzzerlibrary2.h>

int __cdecl main(int argc, char** argv)
{
    // If run with no arguments, then provide
    // some defaults.
    if (argc == 1) {
        static char arg1[] = "default-argument1";
        static char arg2[] = "default-argument2";
        static char* args[] = { argv[0], arg1, arg2 };
        argc = 3;
        argv = args;
    }

    // Run it through both fuzzers
    int result = fuzzer1_main(argc, argv);
    if (result == 0) {
        result = fuzzer2_main(argc, argv);
    }
    return result;
}

bool fuzzer_callback(void* data, int length)
{
    ⟦ ... ⟧
}

Now, for convenience, the fuzzer library could also provide the main function that we put into fuzzer.cpp. But even so, there should be a separate name (like fuzzer_main) that can be used to invoke it explicitly.

¹ For example, keeping lists in alphabetical or numeric order reduces the likelihood of bad merges.

The post Why do I get errors or warnings about some weird symbol called ?main@@YAHP$01E$AAV?$Array@PE$AAVString@Platform…, part 3 appeared first on The Old New Thing.


From The Old New Thing via this RSS feed


Hello! After many months of writing deep dive blog posts about the terminal, on Tuesday I released a new zine called “The Secret Rules of the Terminal”!

You can get it for $12 here: https://wizardzines.com/zines/terminal, or get a 15-pack of all my zines here.

Here’s the cover:

the table of contents

Here’s the table of contents:

why the terminal?

I’ve been using the terminal every day for 20 years but even though I’m very confident in the terminal, I’ve always had a bit of an uneasy feeling about it. Usually things work fine, but sometimes something goes wrong and it just feels like investigating it is impossible, or at least like it would open up a huge can of worms.

So I started trying to write down a list of weird problems I’ve run into in terminal and I realized that the terminal has a lot of tiny inconsistencies like:

- sometimes you can use the arrow keys to move around, but sometimes pressing the arrow keys just prints ^[[D
- sometimes you can use the mouse to select text, but sometimes you can’t
- sometimes your commands get saved to a history when you run them, and sometimes they don’t
- some shells let you use the up arrow to see the previous command, and some don’t

If you use the terminal daily for 10 or 20 years, even if you don’t understand exactly why these things happen, you’ll probably build an intuition for them.

But having an intuition for them isn’t the same as understanding why they happen. When writing this zine I actually had to do a lot of work to figure out exactly what was happening in the terminal to be able to talk about how to reason about it.

the rules aren’t written down anywhere

It turns out that the “rules” for how the terminal works (how do you edit a command you type in? how do you quit a program? how do you fix your colours?) are extremely hard to fully understand, because “the terminal” is actually made of many different pieces of software (your terminal emulator, your operating system, your shell, the core utilities like grep, and every other random terminal program you’ve installed) which are written by different people with different ideas about how things should work.

So I wanted to write something that would explain:

- how the 4 pieces of the terminal (your shell, terminal emulator, programs, and TTY driver) fit together to make everything work
- some of the core conventions for how you can expect things in your terminal to work
- lots of tips and tricks for how to use terminal programs

this zine explains the most useful parts of terminal internals

Terminal internals are a mess. A lot of it is just the way it is because someone made a decision in the 80s and now it’s impossible to change, and honestly I don’t think learning everything about terminal internals is worth it.

But some parts are not that hard to understand and can really make your experience in the terminal better, like:

- if you understand what your shell is responsible for, you can configure your shell (or use a different one!) to access your history more easily, get great tab completion, and so much more
- if you understand escape codes, it’s much less scary when cating a binary to stdout messes up your terminal, you can just type reset and move on
- if you understand how colour works, you can get rid of bad colour contrast in your terminal so you can actually read the text

I learned a surprising amount writing this zine

When I wrote How Git Works, I thought I knew how Git worked, and I was right. But the terminal is different. Even though I feel totally confident in the terminal and even though I’ve used it every day for 20 years, I had a lot of misunderstandings about how the terminal works and (unless you’re the author of tmux or something) I think there’s a good chance you do too.

A few things I learned that are actually useful to me:

- I understand the structure of the terminal better and so I feel more confident debugging weird terminal stuff that happens to me (I was even able to suggest a small improvement to fish!). Identifying exactly which piece of software is causing a weird thing to happen in my terminal still isn’t easy but I’m a lot better at it now.
- you can write a shell script to copy to your clipboard over SSH
- how reset works under the hood (it does the equivalent of stty sane; sleep 1; tput reset) – basically I learned that I don’t ever need to worry about remembering stty sane or tput reset and I can just run reset instead
- how to look at the invisible escape codes that a program is printing out (run unbuffer program > out; less out)
- why the builtin REPLs on my Mac like sqlite3 are so annoying to use (they use libedit instead of readline)

blog posts I wrote along the way

As usual these days I wrote a bunch of blog posts about various side quests:

- How to add a directory to your PATH
- “rules” that terminal problems follow
- why pipes sometimes get “stuck”: buffering
- some terminal frustrations
- ASCII control characters in my terminal on “what’s the deal with Ctrl+A, Ctrl+B, Ctrl+C, etc?”
- entering text in the terminal is complicated
- what’s involved in getting a “modern” terminal setup?
- reasons to use your shell’s job control
- standards for ANSI escape codes, which is really me trying to figure out if I think the terminfo database is serving us well today

people who helped with this zine

A long time ago I used to write zines mostly by myself but with every project I get more and more help. I met with Marie Claire LeBlanc Flanagan every weekday from September to June to work on this one.

The cover is by Vladimir Kašiković, Lesley Trites did copy editing, Simon Tatham (who wrote PuTTY) did technical review, our Operations Manager Lee did the transcription as well as a million other things, and Jesse Luehrs (who is one of the very few people I know who actually understands the terminal’s cursed inner workings) had so many incredibly helpful conversations with me about what is going on in the terminal.

get the zine

Here are some links to get the zine again:

- get The Secret Rules of the Terminal
- get a 15-pack of all my zines here.

As always, you can get either a PDF version to print at home or a print version shipped to your house. The only caveat is print orders will ship in August – I need to wait for orders to come in to get an idea of how many I should print before sending it to the printer.


From Julia Evans via this RSS feed
