Blog: Tech

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Bug triage as entry point

I'm the main person doing bug triage for Codidact, which means I go through bug reports and requests that our users have made on our sites and, for the ones that will require code changes, file and tag GitHub issues for our developers. I tend to do these in batches and, unless it's urgent, with a delay -- sometimes the community wants to discuss different solutions first, so we let that play out.

I've been doing a batch of triage over the last few days. Sometimes a bug looks small and easy and I think "you know, fixing that would be less effort than writing it up and tagging it". Sometimes that's actually right. (I have three small PRs open right now.) Other times my attempt to fix it is followed by me writing up the bug. :-) Either way I'm learning stuff, which is pretty cool. Mostly I've been learning about front-end stuff, focusing on the "V" in "MVC". I hope to advance to Ruby/Rails; there are features I want that we haven't gotten to yet and maybe some of them are small enough for a beginner.

Someone asked me if triage is a chore. It's not; I actually like doing what I'm doing, because it's not just copying but analysis and refinement. I'm finding that I can bring a fair bit of architectural knowledge and history to the process. A bug report is a symptom, and sometimes the issue I end up filing is different (with a paper trail). I might not write much code, but I'm pretty happy with my GitHub contributions. :-)

Sneaky malware vector

Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com, will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit for info provided in a comment (thanks!): Also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful.

I might just edit my hosts file to wholesale block these domains.
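As an added illustration (not part of this post or of the one it quotes), here is how the WHATWG URL parser used by browsers and Node.js actually sees the two links, plus the kind of check a link-scanning script or mail filter could apply: flag any userinfo before an `@`, any non-ASCII character in the raw link, and any hostname whose TLD doubles as a file extension. The TLD list and the function name are my own; the three sample links are the ones quoted above.

```javascript
// Added example: parse lookalike links the way a browser does and flag the
// tricks the quoted post describes. Relies only on the WHATWG URL API, which
// is a global in modern browsers and in Node.js.

// TLDs that are also common file extensions (the post names .zip and .mov).
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

function inspectUrl(raw) {
  const u = new URL(raw); // throws on something that is not a URL at all

  // Everything between "https://" and the last "@" in the authority is
  // userinfo; the parser never treats it as a host.
  const hasUserInfo = u.username !== "" || u.password !== "";

  // The "∕" in the phishing link is U+2215 DIVISION SLASH, not "/", so the
  // authority does not end at the first slash and the "@" is still in play.
  const nonAscii = /[^\x00-\x7F]/.test(raw);

  const tld = u.hostname.split(".").pop().toLowerCase();
  const fileLikeTld = FILE_LIKE_TLDS.has(tld);

  return {
    hostname: u.hostname,                       // where the browser really goes
    username: decodeURIComponent(u.username),   // the "github.com∕..." decoy
    hasUserInfo,
    nonAscii,
    fileLikeTld,
    suspicious: hasUserInfo || nonAscii || fileLikeTld,
  };
}

// The three links from the post (constructed sample input, not live lookups).
const SAMPLES = [
  "https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip",
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
  "https://google.com@bing.com",
];

for (const link of SAMPLES) {
  const r = inspectUrl(link);
  console.log(`${r.suspicious ? "SUSPICIOUS" : "ok        "} host=${r.hostname} userinfo=${JSON.stringify(r.username)}`);
}
```

On the first link `inspectUrl` reports the hostname `v1271.zip` and a username that is the entire `github.com∕kubernetes∕...` prefix; that is the whole trick, since the lookalike slashes keep the userinfo from ending at a real `/`. One caveat on the hosts-file idea: a hosts file has no wildcard entries, so it can block a specific name but not every name under .zip; blocking a whole TLD belongs in a DNS resolver, proxy or mail filter.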

Now pull the other one

There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

We have hacked your website cellio.org and extracted your databases. This was due to the security holes you had in your your site/server which have gained us remote control of everything that was on the server.

Our team is mostly interested in customer, administrative, and employee information which we have extracted through your databases once we got remote control over the server. It still needs to be sorted out but it will be well-organized once finished. First, we will be going through the emails/sms information and contacting the recipient how you held in disregard about their information being exposed to a hacking group when you could have stopped it. This would be detrimental to your personal image with these relationships with these people. Lastly, now that we have information not only will we be monetizing off it with our methods but made public or sold to other people that will do whatever they wish with the information also after we are done.

Now you can put a stop to this by paying a $3000 fee (0.11 BTC) in bitcoin. You can find our address by visiting [redacted] where you can copy and paste the address or scan the QR code. We will be notified of payment which we will then delete the information we have obtained, patch the hole in the site/server which we got in and remove you from any future targeting in the future. You have 72 hours in doing so after viewing this message or the series of steps will commence. You can obtain bitcoin through such services such [...]

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>

Avian socializing in the 21st century

How nifty!

Parrots are social creatures. However, most pet parrots are singletons. They get lonely and sometimes that leads to destructive behavior.

From the Smithsonian:

Once the birds had learned how to initiate video interactions, the second phase of the experiment could begin. In this “open call” period, the 15 participating birds could make calls freely; they also got to choose which bird to dial up. Over the next two months, pet parrots made 147 deliberate video calls to other birds. [...]

For starters, they found that the parrots took advantage of the opportunity to call one another, and they typically stayed on the call for the maximum time allowed during the experiment. They also seemed to understand that another live bird was on the other side of the screen, not a recorded bird, researchers say. Some of the parrots learned new skills from their virtual companions, including flying, foraging and how to make new sounds. [...]

The birds forged strong friendships, which researchers measured by how frequently they chose to call the same individual. Parrots who initiated the highest number of video calls also received the most calls, which suggests a “reciprocal dynamic similar to human socialization,” per the statement.

The article links to this ACM paper. Yes, ACM-CHI, meaning it's from a technical conference not an animal-behavior conference. (Also, I guess this stretches the boundaries of the 'H' in CHI, which stands for Computer-Human Interaction, or at least did the last time I attended that conference.)

Pixel fail: followup

The replacement phone arrived Wednesday (faster than they said, good). I'd already done a manual backup on top of the automatic one, but migration from one phone to another of the exact same type and OS version is easier: connect them via a cable and wait. Basic data transfer happened within an hour, though it took a few hours for apps to get installed and Chrome was being especially finicky for some reason.

My settings were almost all there; I expected to have to do more manual configuration (including re-laying out the icons where I wanted them). Nope, that was all fine. I had to set up each individual app again, though; sometimes that was just a matter of logging in (for example, Tusky or Authy), but sometimes it required redoing everything (email client for my non-Gmail accounts). Chrome had a weird bug where tabs didn't work (!) but the update ("new version available", it kept saying) would hang; after a few reboots it sorted itself out.

There was a feeling of trepidation as I kept asking myself "are you sure you have everything you need?" before doing the factory reset on the old phone, but I finally did that today. It started doing the flashing-display thing during the reset, so I just left it for a while. The documentation says a factory reset can take an hour, so after a couple hours I power-cycled to see where it was.

I was greeted by the "new phone" setup screen, so that worked.

And then it started flashing again. Ha.

Yes, support person, I was right: that's a hardware problem. After another power-cycle (so I could see what I was doing) I shut it down and boxed it up, and tomorrow I will take it to FedEx.

The replacement they sent me was marked as "refurbished", but they are holding the price of a new phone against my credit card, which feels wrong. It's only a problem if the package doesn't arrive in time (which is why I will hand it to a human at FedEx and get a proper receipt), but it's still sleazy. And yes, if they were to charge the card they would add shipping charges, so it's not to offset that.

I've never had to make a warranty claim on a phone before, so I don't know how my experience with Google compares to what I would have had with other vendors. It's something I should try to find out before I buy my next phone, which I hope will be several years from now.

Section 230

The Supreme Court will soon hear a case that -- according to most articles I've read -- could upend "Section 230", the law that protects Internet platforms from consequences of user-contributed content. For example, if you post something on Facebook and there's some legal problem with it, that falls on you, as the author, and not on Facebook, who merely hosted it. This law was written in the days of CompuServe and AOL, when message boards and the like were the dominant Internet discourse. While there's a significant difference between these platforms and the phone company -- that is, platforms can alter or delete content -- this still feels like basically the "common carrier" argument. This makes sense to me: you're responsible for your words; the place you happened to post them in public isn't.

Osewalrus has written a lot about Section 230 over the years -- he explains this stuff better and way more authoritatively than I do. (Errors are mine, credit is his, opinions are mine.)

When platforms moderate content things get more complicated, and I'm seeing a lot of framing of the current case that's rooted in this difference. From what I understand, that aspect is irrelevant, and unless the Supreme Court is going to be an activist court that legislates, hosting user-contributed content shouldn't be in danger. But we live in the highly-polarized US of 2023 with politically-motivated judges, so this isn't at all a safe bet.

The reason none of that should matter is that the case the court is hearing, Gonzalez v. Google, isn't about content per se. It's about the recommendation algorithm, Google's choice to promote objectionable content. This is not passive hosting. That should matter.

The key part of Section 230 says:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider. (47 U.S.C. § 230(c)(1)).

The court can rule against Google without affecting this clause at all. The decision shouldn't be about whether Google is the "publisher" or "speaker". Rather, in this case Google is the advertiser, and Section 230 doesn't appear to cover promotion at all.

I'm not a lawyer, and I'm not especially knowledgeable about Section 230. I'm a regular person on the Internet with concerns about the proper placement of accountability. Google, Twitter, Facebook, and others choose to promote user-contributed content, while platforms like Dreamwidth, Mastodon, and many forums merely present content in the order in which it arrives. That should matter. Will it? No idea.

Moderation is orthogonal. Platform owners should be able to remove content they do not want to host, just like the owner of a physical bulletin board can. In a just world, they would share culpability only if objectionable content was brought to their attention and they did not act. At that point they've said it's ok, as opposed to saying nothing at all because nobody can read everything on a platform of even moderate size. This is how I understand the "safe harbor" provision of the Digital Millennium Copyright Act to work, and the same principle should apply. In a just world, as I said, which isn't the world we live in. (I, or rather my job title, am a registered agent for DMCA claims, and I have to respond to claims I receive.)

I really hope that the court, even a US court in 2023, focuses on the key points and doesn't use this case to muck with things not related to the case at hand.

Pixel fail

I got my Pixel 5A in March of last year. So, fortunately, it is still in its warranty period.

This is the weirdest failure I have heard of. Yesterday, I took my phone out of my pocket, woke it up, and was greeted by a flashing screen. What it was flashing was a screen full of "snow", like what you get on a TV that's tuned to a station that's not broadcasting, but static -- the whole screen was flashing but the snow wasn't moving around. Hmm, very odd. As I tried to shut it down gracefully I could see that the "underlying" image was responding to me -- there were the usual buttons for "restart", "shut down", and whatever else -- but so fleeting that I couldn't catch them with my finger or read them. On to the hard reboot via the power button.

I Googled this but did not find answers.

I hoped it was a one-time glitch, but I wouldn't be writing this post if it were. Almost every time, but not every single time, since then, recovering from "sleep" mode gets me not the usual desktop but this flashing thing from which I can only hard-reboot. Rebooted about 20 times yesterday.

After the first reboot I had a new notification of a pending OS update, so I applied that. No change. I uninstalled the app I most recently installed, which should have been safe but it's basic troubleshooting. No change. I had, I think on Friday, gotten a batch of miscellaneous app updates, but I don't see a way to review exactly what now. But also, it wasn't right before this behavior. None of that was; that app (from my bank) was sometime last week.

Off to chat support I went. The agent I spoke with told me both that it's a software problem and that I would need to take it to their designated repair place for a hardware repair (for which you must first do a system reset); I asked her to reconcile those two things but she didn't. I pushed back on the repair place, noting that earlier in the warranty period I'd had a problem for which they said that was the solution, but the place couldn't help me and was kind of rude about it and it never got fixed. I asked if the software problem was something I could fix but her script didn't have any info about that. I said in that case, since it's under warranty, I want to exchange it, and I know they have a scheme where they send you the new phone (with a hold on your credit card), you migrate to it and send back the old one, and they release the hold. After I sent her a video of the behavior (an adventure of its own, as she was assuming I could do that from my phone and share it and I was like "uh, this is a video taken with my partner's iPhone and no it's not in my photo gallery and I need to upload or email it to you"), she collected some information from me and came back a few minutes later to say something like "good news, it's under warranty" (I knew that), and then gave me instructions for mailing back the phone and then they'd send me a new one, "or if you like, we could do" (exactly what I'd just asked for). Yeah that, I said.

Meanwhile, I installed Authy on my tablet lest the phone become completely unusable, because I wouldn't want to be locked out of anything that requires two-factor authentication. Today I noticed a seeming pattern where the phone would be fine so long as it was active, and if I set it on the desk next to me I could then wake it up but if I put it in my pocket we'd be back to the snow. This is, uh, the same pocket position I always use. But then the snow thing happened while I was using the phone, so apparently it's not that either. I am mystified.

It's going to be an aggravating several days, methinks.

Re: deja vu, all over again

New_public published a post, Déjà Vu, All Over Again, about the evolution of the web and the early days when people made stuff for fun instead of companies making stuff for brand impact and algorithms, and it struck a chord. The author invited comments, so here's what I posted:

--

I've been feeling that deja vu too. I was on Usenet before the great renaming, and much later when I joined LiveJournal and this "blogging" thing (pulled in by friends), I remember thinking that a blog or LJ was basically alt.fan.me and would people really care about what I, a nobody, wrote? I expected to read and be read by about a dozen people who were already friends, but things have a way of spreading. And I knew that from Usenet, where I built friendships with people I've never met and sometimes didn't know "real" names for, and it was all very cool and friendly and broadening.

The net, when freed from algorithms and branding and bubbles so that ordinary people can interact with other ordinary people without barriers, is a remarkable way to learn about people and places and subcultures very different from my own. I've formed friendships from people halfway around the world walking very different paths in life from mine. There's a whole big world out there, and the last thing I want is to be trapped in a bubble of people just like me, or as close as Twitter et al think they can come to that.

The revival -- I hope it's a revival and not just a blip on the way to the next corporate thing -- of decentralized, direct, person-to-person online interaction excites me. Coincidentally, I've been working my way through my older posts on LiveJournal and then Dreamwidth, pulling together stuff on my own domain now that I have one, and I'm realizing how much more I used to write and share. I don't know how much of the change in my behavior has been due to people moving from blogs to social media and the vibe changing, how much has been due to modern social censors who retcon what's acceptable and what's offensive, and how much is me being more lazy or distracted or busy or whatever. But, facing the stark contrast to "online me 15 years ago" and "today", I'm motivated to try to get more of the old, personal, human writing back, somehow.

Review: desk lamp

Why no, I never expected to review a desk lamp, but here we are.

My father, from whom I inherited my vision problems, got a lamp for himself that he really likes, and so he bought me one. The "Yeslights Business Desk Lamp" is a small desk lamp that fits nicely amongst the three computers, two sets of monitor/keyboard/mouse, assorted external hard drives, tablets, and charging cables, and other tech necessities on my desk. The base is about the size of my Kindle, and the light is on a folding, rotating arm that sits flush against a vertical support when not in use. The base has a USB port because of course it does, and a wireless phone charger that I can't evaluate because my phone charges the old-fashioned way, with a cable. The wireless charger has a red indicator light (I assume red because it doesn't detect a phone) that I've found no way to turn off; it's not bright, but it's an unnecessary light in my field of vision and I'd prefer to not see it.

The LED light (a bar, not a bulb) has adjustable brightness and adjustable color temperature; the first I'm used to, but the second I haven't seen in a conventional lamp before. Color temperature matters a lot to me, so this is a delightful surprise. The controls are easy to use (no finicky touchscreens or the like), and very sensitive. Mine's in a space where I don't expect to accidentally brush it much, but depending on where you put it, you could surprise yourself with unexpected lighting changes. If you have cats that jump up on your desk, this could be an issue.

That vertical support has an embedded clock; I discovered this when I plugged the lamp in for the first time and it started playing Auld Lang Syne at me. I was not expecting that. I set the time and date (doing so emits loudish beeps) and I hope it won't play music again. (There's a button battery, so I assume it will retain these settings during power outages.) It also reports temperature, though I'm not sure how accurate that'll be when sitting on a desk with computers and monitors. It currently thinks it's a couple degrees warmer than the thermostat in the hall thinks it is. The clock has an alarm and a snooze setting, so even though it's billed as a desk lamp, they seem to have also had the "bedside table" use case in mind.

The lamp does very well with its primary function, to produce light at the desired brightness and color temperature. It's got a good range from "bright enough to easily read by" to "a little supplemental illumination". The head rotates in two of the three dimensions: up/down and left/right, but you can't change the angle of the head. So far that hasn't prevented me from getting light where I need it.

Online payments and credit cards

As I make the rounds doing year-end donations, I'm reminded of two things that have long puzzled me:

  1. Some web sites auto-detect the type of credit card based on the number. Apparently all credit-card numbers that begin with "4" are Visa. (I don't know if the reverse is true: do all Visa numbers start with 4?) Being me, I've cycled through the other nine digits and nothing else produces a match based on a single digit. What are the patterns for other providers? And are all these sites using some standard library for this, or are programmers really coding that by hand?

  2. Years ago, a three-digit code ("CVV") was added to cards to mitigate fraud. On a physical credit card, this number is printed rather than embossed, so those old-style manual credit-card gadgets that took an imprint of your card (on actual paper, with a carbon!) couldn't record it. Um, that's fine I guess, but online, that number isn't any more secure than the card number itself. And someone who steals your physical card has the number; it's not a password. Does that number have another purpose?
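The following is an added example, not code from the post, showing the brand-from-prefix detection those donation forms do. It hard-codes the published issuer-identification ranges for four common brands (issuers add ranges over time, so real checkout code should use maintained data such as a payments library rather than this table), and pairs it with the Luhn checksum that every card number must pass, which is what lets a form reject a typo before it ever talks to the processor. The function names are mine, and the sample numbers are the industry's standard test numbers, not real cards.

```javascript
// Added example: card-brand detection by prefix plus the Luhn check digit.
// Ranges below are the commonly published ones for these brands (assumption:
// adequate for illustration; production code should use maintained data).

const BRANDS = [
  // Amex is the only common brand at 15 digits; it needs two prefix digits.
  { name: "American Express", prefixes: [[34, 34], [37, 37]], lengths: [15] },
  // Mastercard: classic 51-55 plus the newer 2221-2720 range.
  { name: "Mastercard", prefixes: [[51, 55], [2221, 2720]], lengths: [16] },
  { name: "Discover", prefixes: [[6011, 6011], [644, 649], [65, 65]], lengths: [16, 19] },
  // Visa is the one brand identified by a single leading digit.
  { name: "Visa", prefixes: [[4, 4]], lengths: [13, 16, 19] },
];

// Does the number start with a value in [lo, hi]? The width of "lo" tells us
// how many leading digits the range is defined over.
function matchesPrefix(digits, [lo, hi]) {
  const width = String(lo).length;
  if (digits.length < width) return false;
  const head = Number(digits.slice(0, width));
  return head >= lo && head <= hi;
}

// Luhn (mod 10) checksum: double every second digit from the right,
// subtract 9 from any doubled value over 9, and the total must end in 0.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

function identifyCard(input) {
  const digits = input.replace(/[\s-]/g, ""); // tolerate "4111 1111 ..." and dashes
  if (!/^\d+$/.test(digits)) {
    return { brand: null, luhnValid: false, lengthOk: false };
  }
  const brand = BRANDS.find((b) => b.prefixes.some((p) => matchesPrefix(digits, p)));
  return {
    brand: brand ? brand.name : null,
    luhnValid: luhnValid(digits),
    lengthOk: brand ? brand.lengths.includes(digits.length) : false,
  };
}

// Standard published test numbers (constructed sample input, not real cards).
const SAMPLES = [
  "4111 1111 1111 1111",  // Visa
  "5555 5555 5555 4444",  // Mastercard
  "2221 0000 0000 0009",  // Mastercard, 2-series range
  "3782 822463 10005",    // American Express
  "6011 1111 1111 1117",  // Discover
  "4111 1111 1111 1112",  // Visa prefix, but one digit wrong: fails Luhn
];

for (const n of SAMPLES) {
  const r = identifyCard(n);
  console.log(`${n.padEnd(22)} ${String(r.brand).padEnd(17)} luhn=${r.luhnValid} length=${r.lengthOk}`);
}
```

Running this shows why only "4" matches on a single digit: the other brands are identified by two to four leading digits, so the auto-detect code has to buffer a few characters before it can say anything. On the second question, the CVV printed on the card is deliberately not the value encoded on the magnetic stripe, and merchants are forbidden under PCI DSS from storing it once a transaction is authorized, so the usual way card numbers leak, a breach of a merchant's stored card data, does not yield CVVs; its purpose is to make a stolen number alone insufficient for a card-not-present purchase, not to resist someone who has the physical card.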