Coding Blogs

1
 
 

A man broke into an enclosure containing the NextGen Live Radar system operated by News 9 in Oklahoma City, damaging its power supply and briefly knocking it offline:

The man also damaged CCTV cameras monitoring the site, but cameras captured a clear image of his face before they were destroyed. [...]

"Anyone that's going out to eliminate a Nexrad, if they haven't harmed life, and they're doing it according to the videos that we're providing, they are part of our group," Meyer tells WIRED. "We're going to have to take out every single media's capabilities of lying to the American people. Mainstream media is the biggest threat right now."

Nexrads refer to Next Generation Weather Radar systems used by the National Oceanic and Atmospheric Administration to detect precipitation, wind, tornadoes, and thunderstorms. Meyer says that his group wants to disable these as well as satellite systems used by media outlets to broadcast weather updates.

The attack on the News 9 weather radar system comes amid a sustained disinformation campaign on social media platforms including everyone from extremist figures like Meyer to elected GOP lawmakers. What united these disparate figures is that they were all promoting the debunked conspiracy theory that the devastating flooding in Texas last weekend was caused not by a month's worth of rain falling in the space of just a few hours -- the intensity of which, meteorologists say, was difficult to predict ahead of time -- but by a targeted attack on American citizens using directed energy weapons or cloud seeding technology to manipulate the weather. The result has not only been possible damage to a radar system but death threats against those who are being wrongly blamed for causing the floods. [...]

Within hours of the tragedy happening, conspiracy theorists, right-wing influencers, and lawmakers were pushing wild claims on social media that the floods were somehow geoengineered.

"Fake weather. Fake hurricanes. Fake flooding. Fake. Fake. Fake," Kandiss Taylor, who intends to run as a GOP candidate to represent Georgia's 1st congressional district in the House of Representatives, wrote in a post viewed 2.4 million times. "That doesn't even seem natural," Kylie Jane Kremer, executive director of Women for America First, wrote on X, in a post that has been viewed 9 million times.

As the emergency response to the floods was still taking place on Saturday, US representative Marjorie Taylor Greene, a Georgia Republican, tweeted that she would be introducing a bill to "end the dangerous and deadly practice of weather modification and geoengineering." Greene, who once blamed California wildfires on laser beams or light beams connected to an electric company with purported ties to an organization affiliated with a powerful Jewish family, said that the bill will be similar to Florida's Senate Bill 56, which Governor Ron DeSantis signed into law in June. That bill makes weather modification a third-degree felony, punishable by up to $100,000.

Previously, previously, previously, previously.


From jwz via this RSS feed

2
 
 

I don’t know why, but there is a Matterport walkthrough of the original Microsoft Building 3, which now no longer exists.

This walkthrough appears to have been made not too long before the building was demolished to make room for the new Microsoft campus. I can tell by the office furnishings (such as height-adjustable beige desks) and the overall gray color theme of the building. Originally, the decor leaned heavily on oak for doors as well as desks, shelves, and cabinets.

Building 3 was one of the so-called “X-wing” buildings.¹ From above, you can see the X shape, so chosen to maximize the number of window offices. The challenge in the X-wing offices is not getting lost, since all the corridors look the same. There was a period of time when the Real Estate department tried to address this by painting the walls of each branch of the X a different color, but this didn’t help much because the colors were not recorded in the address book, so when you went looking for room 2352, you didn’t know what color wing it was in. You still had to wander the building looking for it.

Anyway, enjoy the walkthrough. The map is more complete on the second floor, so use that one to see how well you can navigate through the building.

Bonus reading: The Hallowe’en-themed lobby. Via the Matterport walkthrough, you can now stand in the lobby. But you’ll have to imagine the Hallowe’en decorations hanging from various pieces of fishing line. The fishing line was then connected to the four front doors, as well as slipped in the gap between the top of the glass wall and the ceiling, ultimately connected to nearby doors deeper inside the building.

¹ We also had “double X-wing buildings” which consisted of two X-wings glued together, so it looked from above like ++. As easy as it was to get lost in an X-wing building, it was doubly so in the double X-wing buildings.

The post A walkthrough of the original Microsoft Building 3 appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

3
 
 

Mission Local:

The clash started at 11:18 a.m. on Tuesday when around 10 Immigration and Customs Enforcement agents, almost all with faces covered, tried to enter the courthouse at 100 Montgomery St. to escort other agents already inside who had a young immigrant man in custody.

ICE has been routinely arresting asylum-seekers following their immigration hearings, and anti-ICE protesters had gathered at the courthouse that morning, as they said they've been doing every Tuesday. [...]

Protesters tried to grab the man in handcuffs and pull him away from officers, but were tossed back by the ICE agents. As police pulled the man back into a waiting black SUV and began driving away, protesters jumped onto the van's front hood.

A half-dozen protesters blocked the van by amassing in front of it. The van inched forward, indifferent, before gaining speed and driving off quickly. One protester, still lying on the hood of the car, fell off the car's hood half a block away and was almost run over.

Previously, previously, previously, previously, previously, previously.


From jwz via this RSS feed

4
 
 

Alejandro Orellana, a 29-year-old member of the Boyle Heights-based community organization Centro CSO, faces charges of conspiracy and aiding and abetting civil disorder:

According to the indictment, Orellana and at least two others drove around downtown L.A. in a pickup truck distributing Uvex Bionic face shields and other items to a crowd engaged in a protest near the federal building on Los Angeles Street on June 9.

Prosecutors allege Orellana was helping protesters withstand less-lethal munitions being deployed by Los Angeles police officers and Los Angeles County sheriff's deputies. [...]

Asked how handing out defensive equipment was a crime during a news conference last month, U.S. Atty. Bill Essayli [said] "He wasn't handing masks out at the beach. ... They're covering their faces. They're wearing backpacks. These weren't peaceful protesters." [...] Essayli described anyone who remained at a protest scene after an unlawful assembly was declared as a "rioter" and said peaceful protesters "don't need a face shield." [...]

"It's ridiculous charges. We're demanding they drop the charges now. They're insignificant, ridiculous," Montes said. "The most it amounts to is that he was passing out personal protective equipment, which includes boxes of water, hand sanitizer and snacks."

If you want a picture of the future, it's a rubber bullet screaming "STOP RESISTING". When people wear protective equipment, "the ability of that officer to gain compliance is restricted."

Remember, kids: all protests are peaceful until the cops declare that they are not!

Previously, previously, previously, previously, previously, previously, previously, previously.


From jwz via this RSS feed

5
 
 

This is the best book on practical feminism that I've read. Because it is long out of print, I had to get the British Library to pull this book out of the archives for me.

A blue book cover with a spine that reads Problems Have No Sex by Caroline Haslett.

I'm fascinated by the evolution of feminist discourse in 20th Century UK. I read Myself When Young (1938) which is a series of mini-autobiographies of prominent women. One of them was Dame Caroline Haslett - an electrical engineer who led a long and fascinating life. One of her crowning achievements was advocating the use of electricity to relieve household drudgery. Technology as a tool of feminist liberation.

As part of her battle for equality, she wrote a book called Problems Have No Sex. Sadly, there are no 2nd hand copies for sale, no scans, and very little written about it. There's one contemporary review and that's about it.

So I made a request to the British Library and, a few days later, sat down in their reading room with the dusty tome.

All books written from 2020 will be in the shadow of Covid19. This book, published in 1949, is written in the shadow of the atomic bomb. It starts with the terrifying realisation that a woman has the same physical capability as a man when it comes to pressing the button which drops a bomb. While men and women may have different levels of strength, technology is the great leveller.

The influx of women into traditionally male environments allowed for a practical demonstration of feminism. It's all very well theorising that women are as capable as men but, as every engineer knows, you need to be able to prove it.

Sir Robert Watson Watt, the discoverer of radiolocation, speaking of the way in which women without previous experience in science had taken up this vital work, said: "The question I asked myself was, if these girls could reach such heights in the comparatively short period during which they had contact with physics, what would they have done with a decent education in technical, scientific and engineering studies?"

It is evident, however, that in addition to the revision of the school syllabus there will need to be a change in the attitude held up to boys as the correct one to adopt towards girls and their capacities.

There are signs that this is occurring spontaneously. A boy reproached by his father for being beaten in class by a "mere" girl, remarked thoughtfully, "You know, father, I don't think girls are so very mere nowadays."

The book spends a decent amount of space on pregnancy and its effects on women in the workplace. This was written pre-pill but in an era with relatively easy access to contraception. Haslett talks frankly about the realities of menstruation - which surprised me somewhat - and whether reproduction is compatible with employment (spoiler alert; yes).

In amongst some slightly tedious legal matters of the day are some forthright pleas for cheaper electricity so that women can be released from manual labour at home. There's also the realities of what it means to place people in a radically upgraded situation. You can't expect anyone to suddenly know how to operate:

Women must see that the vast amount of talk which there has been about kitchen planning is translated into action and that properly planned kitchens are included in all the new houses built. In addition to the importance of good design and lay-out and the provision of proper equipment as a sine qua non, there is much scope for education of the housewife in planning her housework along labour-saving lines; and in the teaching of the principles of motion study in the home so that the maximum benefit can be gained from the use of the equipment provided.

Haslett is undoubtedly technocratic but, above all, she is realistic. She has an excellent and provable theory of change. This isn't a rant nor a call to arms. She is calm, methodical and ruthlessly determined to set out the problems and solutions.

The sense of having to prove herself equal to a male colleague sometimes makes a woman self-assertive and over-aggressive; while the fear of loss of personal prestige or of social or economic insecurity arising from admitting women to full equality makes some men unco-operative and unjust towards women working outside the home. As Miss Hilda Martindale remarks in her book From One Generation to Another: "I found that opposition to working with women on equal terms seldom came from the man who was first class at his work; it was the man who was not sure of himself who objected."

In manual as opposed to professional types of work the fear "If I show her how to do my job, the boss may sack me because he need not pay her so much" is a cogent argument for equal pay.

Equal pay is a battle which is still being fought, unfortunately.

There is also just a hint of radical politics lurking under the sometimes-bland prose. Should tariffs be imposed? Are trade-barriers a good way to promote equality? Should women be more self-assured about entering politics and agitating for change?

There's also an undercurrent of rage directed at the women who helped bring about the war.

The rise of Nazi Germany and Fascist Italy was made possible by the individual man delegating his personal responsibility to a Fuehrer or a Duce —and by the individual woman abandoning her responsibility towards mankind in general and devoting herself entirely and unquestioningly to child-bearing, and the routine work of the home. This wholesale shirking of individual responsibility was the one thing which made possible the creation of the Nazi system with its concomitants of the concentration camp, the mass crematorium and the battlefield.

Prophetically, she notes that the next 20 years should be one of the most interesting periods of history to live in. I'd certainly say that the change from 1949 to 1969 was just that!

Unlike some other books, this is realistic about the timeframes involved in wholesale cultural change. She sets out how many years of vigilance will be needed to ensure that schools are equipping their female students with the knowledge, ambition, and advice to help them survive in the future. Similarly, Government, which is lambasted as being far too slow, is shown as needing to embrace radical change. It should be remembered that Churchill, only recently deposed as Prime Minister, was an ardent anti-feminist. He repeatedly stymied the attempts of women to gain the vote - an attitude which is often conspicuously overlooked in the 21st century. I imagine that left a bitter taste in the mouths of Haslett and her contemporaries.

Women's organisations are also the recipient of Haslett's unsentimental gaze. They need to step up their game, raise more money, and set realistic goals. Similarly, women MPs must make sure not to concern themselves only with women's issues. And, for that matter, women have to stop lollygagging and start using their vote. Finally, she sets out ways in which society has to guard against a backlash to feminism.

There is a whole discussion about the structural ephemera which causes resentment. The slow build up of unjust laws and customs hurts everyone.

Now, obviously, people are the product of their time. The book is strongly focused on the UK and isn't too dodgy on race. There's an occasional mention of the USA and a brief sceptical look at the USSR's claims of feminist equality. She does go a little further. Here's a sample from the chapter "Citizens of the World":

Although in Great Britain and the United States women have achieved not only a considerable measure of “equality” but also a very considerable store of experience in the political, economic, and scientific fields: yet there are still countries where women have no rights at all.

Just as different races have reached different stages of civilization so that the primitive tribes of New Guinea co-exist with the highly civilized European races; so different races have reached different stages in their attitude towards women. This latter difference bears no obvious relation to their general level of technical or cultural development. There may in fact be a much greater equality of contribution towards the common life (which is the fundamental basis of equality between the sexes) among some primitive races than among some very highly civilized ones.

While these differences and inequalities persist, trained women will have a continuing obligation towards those who are striving to become politically articulate or who, by reason of the inferior status conferred upon them by their own community, are in danger of exploitation.

It is necessary also to have a realistic appreciation of the differences that may underlie a superficial equality.

The women of Japan were enfranchised almost simultaneously with the women of France, but the women of Switzerland still remain without voting rights.

Yet to deduce from the equality of political rights conferred on the women of France and Japan alike that the women of these two countries possessed indeed comparable opportunities and status would be fantastic.

The traditional Japanese woman, educated from birth to consider herself of no account and completely subservient to the men of her family, will need many years of education and opportunity before she is capable of political responsibility. To expect her to derive maximum advantage at the present time from her enfranchisement would be as logical as to suppose that a woman from the Middle Ages, could she be miraculously transported through time and placed in a modern labour-saving house, could be expected to know just what would happen if she turned certain knobs and switches; and to understand the part that electrical power plays in the modern community.

The adoption of Western democratic machinery by nations of other cultural traditions implies that we have a continuing obligation to these peoples until education has made plain the fundamental principles underlying our way of life.

Some of the Eastern nations are tackling their problems themselves with considerable energy. China with its great drive to stamp out illiteracy has done much to remove the burden of ignorance which has held that great country in economic thralldom for so long. It may well be that the imitative genius of Japan, which derived so much from the influence of China upon its art and culture in the past, will draw from Chinese sources more readily than from the West a new concept of the status of women in human society. The work of Mme. Chiang Kai Shek and her sisters may be the keystone of women’s emancipation in the East.

In this age we are setting up the pattern for life of succeeding generations. Women must see that the mistakes which our own nations made in their development are not through ignorance or greed perpetuated in other lands.

She is curiously circumspect on the issue of disability. Post-war, I imagine many people wanted to ignore the horrors which rent bodies asunder. The only mention is:

Yet even in Britain a very great number of people lead unnecessarily cramped and limited lives, and the social conscience of the country is awakening to their needs. It is being recognized, for example, that it is not sufficient to give disabled people a weekly pension to keep them from actual hunger or to provide institutions in which they can be housed. The disabled person has as much right to a full and useful life, within the limits of his or her disability, as anyone else.

Ultimately, this book is about what we owe to each other. Women won the war, then they rightly demanded to win the benefits of peace.

"Problems Have No Sex" is far better than many other feminist books I've read simply because of its lack of academic pretentiousness. Other than the occasional Latin phrase, the book is written in plain English - designed to be read and understood as widely as possible. As an engineer, Dame Haslett has an engineer's approach to problem solving - identify the issue, determine the cause, suggest solutions, investigate what works and what doesn't, repeat until fixed.

Every feminist should read this book. I'm annoyed that it has never been reprinted and that there's no eBook available. Under UK copyright, it should enter the public domain in 2028. Hopefully a scan will be released which will allow everyone to read this important work.


From Terence Eden’s Blog via this RSS feed

6
 
 

A security vulnerability report arrived that went roughly like this.

In Program X, click on the triangle icon and hold the mouse down. Drag the triangle icon to the green box in the corner, and while still holding the mouse down, press Alt+F4 to close the window. The program will crash on a null pointer.

It sure looks like you found a bug. But is it a security bug?

Who is the attacker? Who is the victim? What has the attacker gained?

The attacker is presumably the person using the mouse and keyboard to trigger the bug.

The victim is, um, I guess it’s the person whose program crashed. But wait, that’s the same as the attacker!

What the attacker gained is the ability to prevent the victim from getting work done.

It’s unclear how this became “elevation of privilege”. A crash on null pointer is typically at most a denial of service. And in this case, the attacker is denying service to himself.

If you want to deny service to yourself, you can just click the × button in the top right corner of the window. There, now you can’t use the program!

The report finishes with a claim that if malware could trigger the crash, then the malware could use a crafted input to escalate privileges.

First of all, there’s no escalation here. The crash is on a null pointer, not a use-after-free or something else that could be leveraged to gain remote code execution. Furthermore, if malware has the ability to inject input, then they don’t need this bug to escalate privileges. They could inject input to run an elevated command prompt and type commands into it!

The post Dubious security vulnerability: If I perform this complex series of manual steps, I can crash a program I am running appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

7
 
 

Dear Lazyweb, I've replaced my failing Airport Extreme with a UniFi Express 7, and I can't figure out how to enable inbound ssh to my Mac. I set up port forwarding but port 22 remains closed to the outside world.

Settings / Routing / Port Forwarding says:

Name: ssh
WAN IP: [ not editable ]
WAN Port: 22
From: Any
Forward IP Address: 10.0.1.2
Forward Port: 22
Protocol: TCP

I have also disabled Settings / System / Device SSH Authentication, and rebooted, in case that was interfering.

How make go?

Also how do I tell it that my DHCP-advertised domain should be something other than ".localdomain"?

In the now-traditional "things I shouldn't have to say but probably do" section: if you are not responding from a place of experience with UniFi hardware, but are instead about to give me general advice about networking -- please do not do that.


From jwz via this RSS feed

8
 
 

XScreenSaver 6.12 is out now. This is another Unix-only release.

- DPMS works on Wayland, using either "wlr-output-power-management-unstable-v1" or "kde-dpms".
- Fading should perform much better on both Wayland and X11.
- GNOME continues to be unsupported. *Oh dear. How sad. Nevermind.*
- Still no locking.

What I would like to know:

- Do you have a non-GNOME Wayland system on which either idle detection or DPMS does not work?
- Does fading look good? To clarify how it should look, on both Wayland and X11:

  - When the screen saver activates, your desktops fade to black on all monitors, then the savers start.
  - When the screen un-blanks, the running savers should freeze; then fade to black; then the desktops fade in over that black.
  - There should be no surprise single-frame flickers.
  - All of this should be at least 30fps.

One thing I have noticed is that during fade-in, that initial fade-out-to-black sometimes doesn't happen. It snaps to black immediately, so you'll see 1 sec of solid black, then the desktop fade-in starts. This seems to be timing related, possibly related to the saver's OpenGL context being torn down and becoming un-screenshottable?

On Wayland, fading (and hacks that manipulate the desktop image) require "grim" to be installed.

Because Wayland is incredible (pej., obs.), grim sometimes takes between 1.5 and 7 seconds to grab a screenshot on my Pi 4b at 1080p.

Previously, previously, previously, previously.


From jwz via this RSS feed

9
 
 

I love DNS esoterica. Weird little things that you can shove in the global directory to be distributed around the world instantly(ish).

Domain names, like www.example.com usually resolve to servers. As much as we think of "the cloud" as being some intangible morass of ethereal Turing-machines floating in probability space, the more prosaic reality is that they're just boxen in data centres. They have a physical location.

Got a tricky machine which is playing silly-buggers? Wouldn't it be nice to know exactly where it is? That way you can visit and give it some percussive maintenance.

Enter the DNS LOC record!

The snappily titled RFC 1876 is an experimental standard. It allows you to create a DNS record which specifies the latitude and longitude of your server. Of course, some data-centres are very tall and some are underground. So it also contains an altitude parameter.

The standard allows for a minimum altitude of -100,000 metres - deep enough for any bunker! The maximum altitude is 42,849,672 metres which is high enough to allow it to be used on satellites in geostationary orbit.

So, as a bit of fun, I decided to create where-is-the-iss.dedyn.io

It isn't a website. You can't ping it. There's no way to interact with it except by using DNS. Yup! You can use a DNS query to get the (approximate) location of the International Space Station!

Linux and Mac users⁰ can run:

dig where-is-the-iss.dedyn.io LOC

And receive back the latest position of the ISS:

;; ANSWER SECTION:
where-is-the-iss.dedyn.io. 1066 IN LOC 47 24 53.500 N 66 12 12.070 W 430520m 10000m 10000m 10000m

The DNS records are updated every 15 minutes on a best-effort basis¹.

How

The lovely people at N2YO have a website which allows you to track loads of objects in orbit. They also have an easy to use API with a generous free tier.

Calling https://api.n2yo.com/rest/v1/satellite/positions/25544/0/0/0/1/&apiKey=_____ gets back the latest position:

{
  "info": {
    "satname": "SPACE STATION",
    "satid": 25544,
    "transactionscount": 7
  },
  "positions": [
    {
      "satlatitude": -21.25409321,
      "satlongitude": 140.3335763,
      "sataltitude": 420.09,
      "azimuth": 292.92,
      "elevation": -70.95,
      "ra": 202.69300845,
      "dec": -32.16097472,
      "timestamp": 1751366048,
      "eclipsed": true
    }
  ]
}

Note that the altitude is in Km, whereas the LOC format requires m.

The latitude and longitude are in decimal format - they need to be converted to Degrees, Minutes, and Seconds.

There were only a few free domain name providers who offer an API for updating LOC records. I went for deSEC, a charity from Berlin. They have comprehensive API documentation.

Adding the initial LOC record is done with:

curl https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/ \
  --header "Authorization: Token _______" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"type": "LOC", "records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"], "ttl": 900}'

However, updating the record is a little trickier. It needs to be sent as an HTTP PATCH to a subtly different URL. The PATCH only needs to send the data which have changed.

curl -X PATCH https://desec.io/api/v1/domains/where-is-the-iss.dedyn.io/rrsets/@/LOC/ \
  --header "Authorization: Token _______" \
  --header "Content-Type: application/json" --data @- <<< \
  '{"records": ["40 16 25.712 S 29 32 36.243 W 427550m 0.00m 10000m 10m"]}'

I set the Time To Live at 900 seconds. Every 15 minutes my code runs to update the record². That keeps me well within the API limits for both services. I could add TXT records showing when it was last updated, or other sorts of unstructured data, but I think this is enough for a quick proof-of-concept.
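The conversion steps described above (Km to m, decimal degrees to Degrees, Minutes, and Seconds) and the resulting PATCH body, as an added Python example that is not the author's own code. The function names are hypothetical, the sample input is the N2YO response from the post trimmed to the fields used, and the size and precision fields are copied from the post's curl example.

```python
import json
import math

# Constructed sample: the N2YO response shown in the post, trimmed to the fields used.
SAMPLE_RESPONSE = """
{"info": {"satname": "SPACE STATION", "satid": 25544},
 "positions": [{"satlatitude": -21.25409321, "satlongitude": 140.3335763,
                "sataltitude": 420.09, "timestamp": 1751366048}]}
"""

# RFC 1876 stores altitude as unsigned 32-bit centimetres above a -100,000 m base.
MIN_ALT_CM = -100_000 * 100
MAX_ALT_CM = MIN_ALT_CM + 2**32 - 1  # 42,849,672.95 m

# Size, horizontal precision, vertical precision: taken from the post's curl example.
SIZE_AND_PRECISION = "0.00m 10000m 10m"


def _number(value, name):
    """Reject anything from the upstream API that is not a finite number."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{name} is not a number: {value!r}")
    if not math.isfinite(value):
        raise ValueError(f"{name} is not finite")
    return value


def to_dms(value, positive, negative, limit):
    """Decimal degrees -> 'D M S.sss H' as used in LOC presentation format."""
    value = _number(value, "coordinate")
    # Work in integer milliseconds of arc so rounding happens exactly once:
    # 10.99999999 carries into the next degree instead of printing "60.000".
    total_ms = round(abs(value) * 3_600_000)
    if total_ms > limit * 3_600_000:
        raise ValueError(f"coordinate {value} outside +/-{limit} degrees")
    degrees, rest = divmod(total_ms, 3_600_000)
    minutes, sec_ms = divmod(rest, 60_000)
    hemisphere = positive if value >= 0 else negative
    return f"{degrees} {minutes} {sec_ms // 1000}.{sec_ms % 1000:03d} {hemisphere}"


def loc_from_n2yo(response_text):
    """Build the LOC record text from an N2YO 'positions' response."""
    position = json.loads(response_text)["positions"][0]
    lat = to_dms(position["satlatitude"], "N", "S", 90)
    lon = to_dms(position["satlongitude"], "E", "W", 180)
    # N2YO reports kilometres; LOC wants metres (stored as centimetres).
    alt_cm = round(_number(position["sataltitude"], "sataltitude") * 100_000)
    if not MIN_ALT_CM <= alt_cm <= MAX_ALT_CM:
        raise ValueError(f"altitude {alt_cm / 100} m outside the LOC range")
    return f"{lat} {lon} {alt_cm / 100:.2f}m {SIZE_AND_PRECISION}"


def patch_body(loc_record):
    """JSON body for the PATCH request: only the changed 'records' field."""
    return json.dumps({"records": [loc_record]})


if __name__ == "__main__":
    print(patch_body(loc_from_n2yo(SAMPLE_RESPONSE)))
```

Validating the upstream values before building the record means a malformed or out-of-range API response raises an error instead of being published into the zone.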

There you have it! A complex and silly way to demonstrate how DNS can be used to hold the most unlikely of records³. Say, I wonder how you'd represent the co-ordinates of the Mars Rover…?

Further Reading

For more DNS weirdness, please see my other posts:

- BIMI - SVG in DNS TXT WTF?!
- Why you can't dig Switzerland

⁰ I don't think there's a way for Windows users to look up LOC records using PowerShell or the Command Prompt.

¹ Look, I'm not NASA, OK? If you're using this to help you dock then I cannot be held responsible.

² I suppose you could build an API with unlimited request limits by distributing data via DNS TXT records. Would best suit static or infrequently updating data. Push it once to DNS and let everyone query it semi-locally.

³ See if you can find the other interesting record I've added to DNS!


From Terence Eden’s Blog via this RSS feed

10
 
 

Early one morning I received an email notification about a bug report to one of my open source projects. I like to be helpful and I want people who use my stuff to have a good time, so I gave it my attention. Here's what it said:

😱 I Can't Use On This Day 😭

Seriously, What’s Going On?! 🔍 I’ve been trying to use the On This Day feature, but it’s just not working for me! 😩 Every time I input my details, it says I have no posts for today, even though I know I’ve posted stuff! 🧐

Here’s My Setup: ⚙

- Python 3.x 🐍
- Access token fully generated (I triple-checked!) 🔑
- Attempted on multiple instances but still nothing! 😩😩

Could It Be a Bug? 🤔

I’m really starting to doubt my posting history! 😳 Is it supposed to show only specific types of posts? I’ve made some pretty epic posts before! 💥💬

Documentation Confusion 📚

The README says to register for an access token but doesn’t clarify if it factors into this feature! 🤔❓ Did I miss something REALLY important?! Help me figure this out, please!!! 😱

Feature Suggestion 💭

If this is broken, can we at least have a debug mode to log what’s happening! 😬 I need to know if it’s truly my fault or the code’s! 🔍🛠 Thanks for looking into this TRAGIC situation!!! 😭💔

P.S. My friends ARE posting on this day and their instances work!! 😤 I feel so left out!! 😟 Let’s get this sorted ASAP! ⚡

OK, that's a lot of Emoji - too much even for me! But if one of my users needs help, I'm there for them! As the feature works for me, I decided I'd ask for the output of the app. Maybe there'd be a clue in the minimal debugging output it had.

I clicked on the link to the Codeberg repository and was hit by a 404! What? I clicked on the link to the user "simpleseaport2" but that was also broken.

"Seriously, What’s Going On?! 🔍"

It looks like Codeberg has been hit by a wave of spam bug reports. I read through the bug report again, slightly more awake, and saw just how content free it was. Yes, it is superficially well structured, the Emoji are a bit over-the-top but not the worst I've seen, and the emotional manipulation is quite insidious.

A few weeks later, I got a bug report to a different repo. This one was also deleted before I could reply to it. See if you can spot that it is AI generated:

I've been trying to use the Threads tool to visualize some conversations but I'm running into a serious problem, and it's really frustrating!

When I input the URL for a post with a substantial number of replies, the script seems to hang indefinitely. I've waited more than 15 minutes on a couple of occasions, and nothing seems to happen. This is not what I expected, especially since the README mentions large conversations may take a long time, but doesn’t specify any limits or give guidance on what users should do if it doesn’t respond at all!

It's unclear what's actually happening here. Is the script failing silently? Is it the API timing out? Why isn’t there any sort of progress notification built into the tool? It feels like a complete dead end.

Can you please add some kind of error handling or logging feature to the Threads script? It would be helpful if it could at least inform the user when a timeout occurs or if the API response is simply taking too long. Additionally, could you clarify the maximum number of replies that can be handled? It’s really inconvenient to have no idea if the script is still processing or if it’s just broken.

Thanks for addressing this. I hope to see improvements soon.

The emotional manipulation starts in the first line - telling me how frustrated the user is. It turns the blame on me for providing poor guidance. Then the criticism of the tool. Next, a request that I do work. Finally some more emotional baggage for me to carry.

I'm not alone in getting these - other people have also received similar spam.

To be fair to Codeberg, they are under attack and are trying to stop these specious complaints reaching maintainers.

But, still, search the socials and you'll find a stream of frustrated developers.

Woke this morning to my first ever AI generated spam issue on a repo. Got it via email. When I went to check it out at Codeberg, it had already been moderated. Wonder how many others were affected. I immediately knew it was AI spam due to the overuse of emojis…🎉

— Jeff Sikes (@bsky.box464.social) 24 April 2025 at 15:07

What's Going On⁉

I can only think of a few possibilities - none of them particularly positive.

Attacking the viability of CodeBerg - make users abandon it for a different platform.

Attacking the attention of developers - make them unwilling to give attention where it is actually needed.

Attacking the integrity of users - make them less likely to receive help because they are mistaken for AI.

Maybe it is just a bored kid or an unethical researcher. Trying to find the limits of what a maintainer will recognise as spam?

Either way, AI bug reports like this are about as welcome as a haemorrhage in a jacuzzi.


From Terence Eden’s Blog via this RSS feed

11
 
 

One of the disposable e-cigarettes studied released more lead during a day's use than nearly 20 packs of traditional cigarettes:

"When I first saw the lead concentrations, they were so high I thought our instrument was broken," Salazar said. [...]

"We found that these disposable devices have toxins already present in the e-liquid, or they're leaching quite extensively from their components into e-liquids and ultimately transferred to the smoke," Salazar said.

Leaded bronze alloy components in some devices leached nickel and lead to the e-liquid. Nickel was also released from heating coils, and antimony was present in unused e-liquids at high levels, both of which increase the risk of cancer.

The researchers also assessed the health risk for daily users. Vapors from three of the devices had nickel levels and two devices had antimony levels that exceeded cancer risk limits. Vapors from four of the devices had nickel and lead emissions that surpassed health-risk thresholds for illnesses besides cancer, such as neurological damage and respiratory diseases.

I'll bet Bobby Brainworms thinks you need a lot more lead and antimony supplements in your diet. But he's not going to state that outright, he's just asking questions...

Previously, previously, previously, previously, previously, previously, previously.


From jwz via this RSS feed

12
 
 

I know I am probably the last person in the world still running X11 on a Mac, but some time around macOS 14.7.3, XQuartz stopped working with OpenGL programs that use EGL instead of GLX. If someone could tell me how to fix this, that would be great:

libEGL warning: egl: failed to create dri2 screen
MESA: error: Failed to attach to x11 shm
MESA: error: Failed to attach to x11 shm
MESA: error: Failed to attach to x11 shm
...


From jwz via this RSS feed

13
 
 

Dear Lazyweb, how do you iterate the wl_registry more than once? I have two modules that have nothing to do with each other, but need to find their respective protocols, and apparently you can't call wl_registry_add_listener more than once. The second one is ignored.

Is there any actual API documentation for this shit? I have found only the two extremes of "hex dumps of socket protocol" and "language-agnostic XML file fetishism".

Previously, previously.


From jwz via this RSS feed

14
 
 

The LVIF_INDENT property of the Win32 classic listview control lets you indent an item in report view. The units of indentation are the size of the image list. But that requires an image list. Why does it require an image list?

The indentation feature of the classic listview control was added for Internet Mail and News, a mail and newsreader program that came with Internet Explorer 3.¹ The indentation was used to represent message threading. Since the indentation was intended to represent reply depth, it was not unreasonable for the listview’s representation of the indentation to match the underlying data’s indentation. And since each item had an icon (representing read or unread), the width of the icon was a natural unit of indentation.

But what if you don’t want an image list?

The indentation demands an image list, but you can provide a 1 × 1 image list, and choose not to show any images. The space will still be reserved, so there will be a 1 pixel gap, but maybe this small glitch isn’t noticeable. The indentation would then be in units of pixels.

Not great, but it might be the best you can do.

¹ Internet Mail and News was subsequently rebranded as Outlook Express, a rebranding which created confusion and unmet expectations.

The post Why doesn’t LVIF_INDENT work without an image list? appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

15
 
 

Somehow, I must have missed out on learning phrases of changes in quantity in German, so I need a cheat sheet.

| Trend | Quantity: Low | Quantity: High |
|---|---|---|
| Decreasing | nur noch “only…left” | immer noch “still” |
| Increasing | erst “so far” | schon “already” |
| Stable/Unknown | nur “only” | |

(Native German speakers: Please feel free to offer corrections.)

Here’s a sentence pattern for demonstration.

I have only 100 left = Ich habe nur noch 100: ˦˨ I used to have more, but I’m running low.

I still have 100 = Ich habe immer noch 100: ˦˧ I used to have more, but I’m not running low yet.

I have 100 so far = Ich habe erst 100: ˩˨ It’s not much, but it’s more than I had before.

I have 100 already = Ich habe schon 100: ˩˧ It’s quite a bit, and it’s more than I had before.

I have only 100 = Ich habe nur 100: ˩ It’s not much, but that’s typical.

I have 100 = Ich habe 100: It is what it is.

It’s interesting to me that the last box is empty. Neither English nor German seems to have a clear phrase pattern to indicate “I have a lot, and that’s typical.”

Learning another language gives you a chance to reflect upon your own. When laid out this way, it does seem weird that the English patterns scatter the modifier words into three different positions in the sentence.

Note: These adverbs also have meanings unrelated to quantity. I’m focusing on the quantity-related meanings.

The post German language cheat sheet: On changing quantities appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

16
 
 

A customer called the FormatMessage function with the FORMAT_MESSAGE_ALLOCATE_BUFFER flag, and they weren’t sure what to do if the function fails (by returning 0). Do they have to free the buffer by calling LocalFree?

No, you don’t have to free the buffer. In fact, on failure, there is no buffer. The function failed to perform the desired operation, so there is nothing to clean up.

You can make things easier on yourself by pre-initializing the output pointer to NULL. That way, if the function fails, the pointer is still null. Then your logic can be “Go ahead and free the buffer,” because the LocalFree function allows you to pass NULL, and it just ignores it. (This trick allows things like wil::unique_hlocal_string to work with FormatMessage.)

Thinking about the original question: You can’t tell whether the reason for the function failure is that something went wrong during formatting or that something went wrong during allocation of the final output buffer. You could call GetLastError(), but if it returns ERROR_OUT_OF_MEMORY, you still don’t know whether it ran out of memory during the formatting phase or during the final buffer allocation phase. Therefore, even if you wanted to free the buffer, you don’t know whether you even got one in the first place.

The post If the FormatMessage function fails, and I requested that it allocate a buffer, do I have to free the buffer? appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

17
 
 

Between 2014 and 2022, DigitalOcean sent free t-shirts to developers who completed the Hacktoberfest challenge. For entirely sensible reasons related to sustainability and spammy entrants, they stopped doing physical merchandise in 2023.

I'm the sort of hip fashionista who only wears free conference t-shirts.

[GDS @GDSTeam](https://twitter.com/GDSTeam): We support open source. And we’ve got the t-shirts to prove it (thanks @github @digitalocean). GDS took part in #Hacktoberfest this year, contributing to open source projects as part of a global community hacktoberfest.digitalocean.com pic.x.com/AkM09LGono

[Image: Terence, Andrea and Anna wearing Hacktoberfest t-shirts]

16:31 - Tue 30 January 2018

Sadly, after several years of constant catwalk modelling, my beloved Hacktoberfest shirts are full of holes. I couldn't find any for sale on eBay or Vinted - so I decided to make my own.

Note: DigitalOcean's Brand Guidelines say that you shouldn't create physical merchandise or sell any products featuring the logo. Well, I'm not selling these nor, do I think, they are merchandise. Hacktoberfest aren't using these to incentivise anyone any more. They're just cool t-shirts.

The Logos

There are lots of photos of the t-shirts but it is surprisingly hard to find the original assets.

Low Resolution

Kotis - a design agency - did the Hacktoberfest swag from 2015-2020. They have a brand portfolio with the t-shirt icons. Sadly, all a bit low resolution for printing, but good for getting accurate background colours for the material.

2020 2019 2018 2017 2016 2015

Similarly, there are a few low resolution promo shots of the t-shirts or their logos:

2022 (back of t-shirt), 2021 (t-shirt), 2016 (more accurate colours), 2015 (logo), 2014 (logo)

AI upscaling looked typically rubbish.

Higher Resolution Bitmaps

Some designers have their logo designs on Dribbble. Not very high resolution, but good enough for stickers.

2019, 2018, 2017, 2016

Archived Logos

The official Hacktoberfest website had some logos embedded on it:

2022 (SVG logo), 2019 (SVG), 2018 (PNG with transparent background), 2017 (SVG)

Best of the bunch

[Content truncated due to length...]


From Terence Eden’s Blog via this RSS feed

18
 
 

Dear Lazyweb, what is the proper way to tell Wayland, "power off the monitor, power it on again when there is activity"? AKA "xset dpms force off" or "DPMSForceLevel()".

The closest I have found is "wlr-randr --output HDMI-A-2 --off" which powers off as a side effect of disabling the monitor in RANDR... and it doesn't turn back on at activity.

Doing that in code (via "wlr-output-management-unstable-v1", which of course GNOME and KDE don't implement) takes 400+ lines. That's 399+ too many. And if the program crashes, congratulations, you get to reboot to turn your screens back on.

Wayfire lets you put a "dpms_timeout" number in its config file, but I can't make any sense of how that is implemented.

Wayland continues to fill me with amazement (pej., obs.)

Previously.


From jwz via this RSS feed

19
 
 

Eric Bailey:

It turns out you can just pay people to do things.

I found a voice actor and hired them with the task of "Reading this very dry technical document in the most over-the-top sarcastic, passive-aggressive, condescending way possible. Like, if you think it's too much, take that feeling, ignore it, and crank things up one more notch."

Previously, previously, previously, previously.


From jwz via this RSS feed

20
 
 

XScreenSaver 6.11 is out now. This is a Unix-only release -- this version contains preliminary support for Wayland.

This is maybe not entirely ready for prime time, but I figured I'd get it out there so that some people who actually understand Wayland can poke at it.

This version only supports blanking, not locking.

It requires compositor support for either the "org_kde_kwin_idle" or "ext_idle_notifier_v1" protocols. That means "everything but GNOME", I think.

Fading in and out, and grabbing screen images, require the program "grim" to be installed, and work. And it does not work under GNOME or KDE.

It is unable to configure DPMS, or detect changes in it.

Things I could use your help with:

Tell me if you have a Wayland system on which it does not work, besides GNOME.

I have not tested "ext_idle_notifier_v1". Please let me know if you have a system that supports that. Alternately, if it is the case that there are no compositors that provide "ext_idle_notifier_v1" that do not also provide "org_kde_kwin_idle", then I can just remove it.

Figure out a better (or dare I dream, faster) way to get screen shots than running "grim".

Figure out this GNOME and KDE shit, because I'm probably gonna just say "screw those guys" otherwise.

Write me some sample Wayland code that places two windows on the screen, one atop the other, and changes the alpha on the front window to make the back window appear to fade to black.

I have barely begun to think about locking, but probably "ext-session-lock-v1" is going to continue to be the only game in town, even though it is absolutely the wrong way to go about any of this, FFS. Anyway, it takes a list of surfaces which are the only ones displayed while locked. Possibly we can get the underlying Wayland surface out of the X11 saver windows and feed those in to it? I guess the xscreensaver-auth window would have to be re-parented to under one of those.

I have little interest in working on this part, so if you want XScreenSaver to be able to lock your screen, you might wanna pitch in here.

Previously, previously, previously, previously, previously.


From jwz via this RSS feed

21
 
 

A customer was adding an interface to their out-of-process COM server. They added their interface to the project’s existing IDL file and recompiled the resulting proxy stub DLL. But when they tried to connect to the server, the connection failed with error 0x80040155, also known as REGDB_E_IIDNOTREG: Interface not registered.

They realized that they forgot to register the interface’s proxy, so they added an entry to HKCR\Interface{iid}[ProxyStubClsid32] so that COM knew where to find the proxy stub. (They didn’t have to create a new CLSID entry for the proxy DLL because they were adding an interface to their existing IDL, so the proxy DLL was itself already registered by whoever set up that IDL file initially.)

Upon trying again, the connection still failed. This time with the error 0x80004002, the often-encountered E_NOINTERFACE: No such interface supported.

We learned that one cause of this is a missing marshaler.

“But that doesn’t apply in this case, because I registered the interface and pointed it to the proxy DLL that holds the marshaler!”

Does that proxy DLL hold the marshaler?

We looked at the interface declaration.

    [
        object,
        local,
        uuid(iid)
    ]
    interface IWidgetFactory : IUnknown
    {
        ⟦ ... ⟧
    }

The interface is marked as local. A local interface is one that never leaves its home apartment and therefore never needs to be marshalled. The IDL compiler does not generate marshallers for local interfaces because they would never be needed.

I don’t know the history here. It’s possible that this interface started out as local because it was originally designed as an in-apartment object, but then the team decided to move the widget factory out of process (which now requires a marshaller) and forgot to remove the local attribute.

Or maybe the local was just a copy-pasta from elsewhere in the IDL file that they forgot to remove. (Or they didn’t realize what it meant.)

The post Unintended yet somehow entirely expected consequences of marking a COM interface as local appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

22
 
 

See Something, Tap Something:

ICEBlock is an innovative, completely anonymous crowdsourced platform that allows users to report Immigration and Customs Enforcement (ICE) activity with just two taps on their phone.

The app ensures user privacy by storing no personal data, making it impossible to trace reports back to individual users. Available exclusively for iOS devices, ICEBlock empowers communities to stay informed about ICE presence within a 5-mile radius while maintaining their anonymity through real-time updates and automatic deletion of sightings after four hours.

The cowards at Time wrote a whole article about the app and didn't include a link to it:

Joshua Aaron:

"When I saw what was going on in this country, I just really felt like I had to do something," Aaron says, referencing the ICE raids that have taken place following Trump's return to the White House. As of June, over 100,000 people have reportedly been arrested by ICE during Trump's second term. [...]

"The app is 100% anonymous and free for anybody who wants to use it. We don't collect user data. We don't even capture user data. That's extremely important," Aaron says, recognizing the privacy concerns people may have. As such, the app is not available on Android because it "requires a device ID in order to send push notifications, which requires a user account and a password." [...]

"Before [the protests started], there were around 2,500 users, and I was thrilled. Then I logged on two days later, and there were over 20,000 users, and the app went to number 32 for 'Social Networking' in the App Store," he says. [...]

In response to a request for comment, ICE referred TIME to a statement from acting director Todd Lyons, who called the app "sickening," saying it "paints a target on federal law enforcement officers' backs" and "incites violence."

Aaron says he hopes the app, which became available to iPhone users in April, is used as a tool to avoid interactions with ICE agents, rather than users directly involving themselves in potential altercations. [...]

Aaron says his ultimate goal is to look out for the community. "When I see things like ICE outside of elementary schools, that's what we are trying to push back against, because you need to do more. You need to protect your neighbors," he says.

Previously, previously, previously, previously, previously.


From jwz via this RSS feed

23
 
 

I recently read an interesting article about Accountability Sinks. In it, the author argues that part of the reason for having business processes is that they diffuse accountability.

Every one of us has tried to have an argument with an employee of a big company, and it always goes like this:

the human being you are speaking to is only allowed to follow a set of processes and rules that pass on decisions made at a higher level of the corporate hierarchy. It’s often a frustrating experience; you want to get angry, but you can’t really blame the person you’re talking to.

So should we give people more discretion in which processes they follow?

In some cases, yes! The article contains some compelling examples of when "breaking the rules" is the preferable outcome.

But there are some unacknowledged downsides to letting people decide which rules are applicable - and that's people's personal prejudices.

The article says some of the discontent with the modern world can be blamed on over-adherence to rules. For example:

The skepticism toward judges? It fits. They often seem more devoted to procedure than to justice.

Imagine a world without sentencing guidelines. Perhaps the judge is from a different tribe to the accused and punishes them much more harshly than a clan-member. Would that seem fair?

The customer service agent just doesn't like people of your gender, and refuses to process your refund.

You give the bank manager a firm handshake and he approves your loan - even though you don't technically qualify you look like a decent sort of chap.

And on it goes.

Look, there's no doubt plenty of bias encoded within processes. All processes should be regularly reviewed and updated. Breaking a process in extremis can be a good idea. When confronted with an inflexible policy, you may feel like a mere cog in a machine - but at least the machine is prevented from discriminating against your type of cogs.

A well-defined process dehumanises both sides.


From Terence Eden’s Blog via this RSS feed

24
 
 

At the end of project milestones, some organizations have a tradition of asking each team within the organization to produce a “sizzle reel” highlighting the work that they have accomplished. These short videos are then gathered together and shown at the organizational group meeting so everybody can show off their work and receive appropriate kudos from other teams in the organization.

Another source of these “sizzle reels” is a group showing off its work as a form of advertisement. For example, a team may have developed a new tool or technology and want to get the word out. Or they may have made improvements to their existing technology, and they want to announce the next revision to their existing customers.

One thing I would like to remind people who are creating these short videos: Understand your audience.

It is not uncommon for these little videos to brag about accomplishments in terms that are not comprehensible to people who aren’t on the team.

We are always working on improving performance, and during this milestone, we tried out a new way to turboencabulate the dependency net, which produced a metonomic phase cycle period of 15 milliseconds.

Like, I’m happy for you though, or sorry that happened.

Go ahead and include those details if it makes your team feel good. (Particularly the developers who worked hard on the new turboencabulator.) But please also give a brief explanation that makes sense to the outsiders who are watching your video.

On large data sets, we found that this lowered run times by as much as 30%, though improvements of 10% are more typical.

The post The sizzle reel that says things that nobody understands appeared first on The Old New Thing.


From The Old New Thing via this RSS feed

25
 
 

Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad⁰?

Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law, The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023:

Passwords must be—

a. unique per product; or

b. defined by the user of the product.

Passwords which are unique per product must not be—

a. based on incremental counters;

b. based on or derived from publicly available information;

c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

In this Part “relevant connectable product” means a product that meets conditions A and B.

Condition A is that the product is—

A. an internet-connectable product, or

B. a network-connectable product.

Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

Computers

Products are excepted under this paragraph if they are computers which are—

a. desktop computers;

b. laptop computers;

c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt¹. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly².

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

⁰ I'm not a lawyer. This is not legal advice. This is just my interpretation of what's going on. If in doubt, consult someone qualified.

¹ With thanks to m'learned colleague Neil Brown who came to much the same conclusion.

² You can see the actions they've previously taken. Because PSTI is so new, there aren't any actions against insecure IoT devices - so we'll have to wait and see how they choose to proceed.


From Terence Eden’s Blog via this RSS feed
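The password rules quoted above from the 2023 Regulations (unique per product, not counter-based, not derived from the serial number unless a keyed hash is used) can be checked mechanically on a production batch. This is an added example, not code from the post, Brother or Rapid7: the serial numbers, factory key, candidate derivations and function names are constructed, and the unkeyed scheme is a generic stand-in, not the algorithm used in the affected printers.

```python
"""Audit a batch of factory default passwords against the quoted PSTI password rules."""
import hashlib
import hmac
import re

# Reduced alphabet for printed passwords (constructed for this example).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
TAIL = re.compile(r"(.*?)(\d+)")  # prefix followed by a trailing run of digits


def encode_password(digest: bytes, length: int = 12) -> str:
    """Turn digest bytes into a printable password over ALPHABET."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def unkeyed_password(serial: str) -> str:
    """Fails rule 2(c): anyone who learns the serial can recompute it."""
    return encode_password(hashlib.sha256(serial.encode()).digest())


def keyed_password(serial: str, factory_key: bytes) -> str:
    """Shape allowed by rule 2(c): HMAC-SHA256 under a secret key.
    Only holds if the key stays in the factory and is never shipped in firmware."""
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256)
    return encode_password(mac.digest())


# Derivations that need nothing but the serial number (assumed candidate set).
PUBLIC_DERIVATIONS = {
    "serial itself": lambda s: s,
    "serial suffix": lambda s: s[-8:],
    "unkeyed SHA-256": unkeyed_password,
    "unkeyed SHA-256 hex prefix": lambda s: hashlib.sha256(s.encode()).hexdigest()[:12],
}


def audit_batch(devices):
    """devices: list of (serial, default_password) in production order.
    Returns {rule: [serials]} for every rule the batch breaks; {} means clean."""
    findings = {"1(a) not unique": [], "2(a) incremental": [], "2(c) derived from serial": []}
    seen = set()
    for serial, password in devices:
        if password in seen:
            findings["1(a) not unique"].append(serial)
        seen.add(password)
        if any(derive(serial) == password for derive in PUBLIC_DERIVATIONS.values()):
            findings["2(c) derived from serial"].append(serial)
    # 2(a): same prefix as the previous unit, numeric tail exactly one higher.
    for (_, prev_pw), (serial, password) in zip(devices, devices[1:]):
        a, b = TAIL.fullmatch(prev_pw), TAIL.fullmatch(password)
        if a and b and a.group(1) == b.group(1) and int(b.group(2)) - int(a.group(2)) == 1:
            findings["2(a) incremental"].append(serial)
    return {rule: serials for rule, serials in findings.items() if serials}


# Constructed sample data, not real devices or a real key.
SERIALS = ["E7X000101", "E7X000102", "E7X000103"]
FACTORY_KEY = b"constructed-demo-key-not-a-real-secret"

weak_batch = [(s, unkeyed_password(s)) for s in SERIALS]
counter_batch = [(s, f"admin{41 + i:04d}") for i, s in enumerate(SERIALS)]
keyed_batch = [(s, keyed_password(s, FACTORY_KEY)) for s in SERIALS]

if __name__ == "__main__":
    for name, batch in [("unkeyed", weak_batch), ("counter", counter_batch), ("keyed", keyed_batch)]:
        print(name, audit_batch(batch) or "no findings")
```

A clean result only shows that none of the listed unkeyed derivations reproduce the password; it does not prove that the key itself is handled safely.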
