Dan Q found GC5VXQ3 Motorway Mayhem – M5 – Gloucester Services (South)

This checkin to GC5VXQ3 Motorway Mayhem - M5 - Gloucester Services (South) reflects a geocaching.com log entry. See more of Dan's cache logs.

A quick and easy find (though I was glad of the hint when I approached the obstacle at the GZ) while travelling from Oxford to Cornwall to dump my partner’s brother in the sea for the start of his personal challenge to row the length of the UK. (Photo of our boat in tow attached!)

Arthur (red car) and Lucy (rowboat in tow) parked at a service station alongside caravans and HGVs

Arthur (red car) and Lucy (rowboat in tow) parked at a service station alongside caravans and HGVs×

Dan Q posted a note for GC90RH3 Tiny Log Book

This checkin to GC90RH3 Tiny Log Book reflects a geocaching.com log entry. See more of Dan's cache logs.

I was in the area anyway so, following a recent DNF, I checked up on this cache. It’s in perfect condition (though I did have to empty a woodlouse out of the outer cache container) and ready to find (previous logger was probably looking in the wrong place: there’s no risk of touching a stinging plant to get this cache!).

Using every car parking space in a supermarket car park

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

For the last six years I’ve kept a spreadsheet listing every parking spot I’ve used at the local supermarket in a bid to park in them all. This week I completed my Magnum Opus! A thread.

I live in Bromley and almost always shop at the same Sainsbury’s in the centre of town, here’s a satellite view of their car park. It’s a great car park because you can always get a space and it is laid out really well. Comfortably in my top 5 Bromley car parks.

After quite a few years of going each week I started thinking about how many of the different spots I’d parked in and how long it would take to park in them all. My life is one long roller coaster.

A glorious story from a man with the kind of dedication that would have gotten him far in CNPS back in the day (I wonder if Claire ever got past 13 points…).

This is the kind of thing that I occasionally consider adding to the list of mundane shit I track about my life. But then I start thinking about the tracking infrastructure and I end up adding far more future-proofing than I intend: I start thinking about tracking how often my hayfever causes me problems so I can correlate it to the time and the location data I already record to work out which tree species’ pollen affects me the most. Or tracking a variety of mood metrics so I can see if, as I’ve long suspected, the number of unread emails in my inboxen negatively correlates to my general happiness.

Measure all the things!

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

Moxie Marlinspike (Signal)

Recently Moxie, co-author of the Signal Protocol, came into possession of a Cellebrite Extraction Device (phone cracking kit used by law enforcement as well as by oppressive regimes who need to clamp down on dissidents) which “fell off a truck” near him. What an amazing coincidence! He went on to report, this week, that he’d partially reverse-engineered the system, discovering copyrighted code from Apple – that’ll go down well! – and, more-interestingly, unpatched vulnerabilities. In a demonstration video, he goes on to show that a carefully crafted file placed on a phone could, if attacked using a Cellebrite device, exploit these vulnerabilities to take over the forensics equipment.

Obviously this is a Bad Thing if you’re depending on that forensics kit! Not only are you now unable to demonstrate that the evidence you’re collecting is complete and accurate, because it potentially isn’t, but you’ve also got to treat your equipment as untrustworthy. This basically makes any evidence you’ve collected inadmissible in many courts.

Moxie goes on to announce a completely unrelated upcoming feature for Signal: a minority of functionally-random installations will create carefully-crafted files on their devices’ filesystem. You know, just to sit there and look pretty. No other reason:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

That’s just beautiful.

Tips for Text-based Interviews

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Since joining the hiring team at Automattic in the fall of 2019, I’ve noticed different patterns and preferences on text-based interviews. Some of these are also general interviewing tips.

  1. Send shorter messages
  2. Avoid Threads if possible
  3. Show your thought process
  4. Don’t bother name dropping
  5. Tell the story
  6. It’s not that different

Fellow Automattician Jerry Jones, whose work on accessibility was very useful in spearheading some research by my team, earlier this year, has written a great post about interviewing at Automattic or, indeed, any company that’s opted for text-based interviews. My favourite hosting company uses these too, and I’ve written about my experience of interviewing at Automattic, but Jerry’s post – which goes into much more detail than just the six highlight points above, is well worth a look if you ever expect to be on either side of a text-based interview.

Big List of Naughty Strings

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

# Reserved Strings
# Strings which may be used elsewhere in code


# Numeric Strings
# Strings which can be interpreted as numeric

Max Woolf

Max has produced a list of “naughty strings”: things you might try injecting into your systems along with any fuzz testing you’re doing to check for common errors in escaping, processing, casting, interpreting, parsing, etc. The copy above is heavily truncated: the list is long!

It’s got a lot of the things in it that you’d expect to find: reserved keywords and filenames, unusual or invalid unicode codepoints, tests for the Scunthorpe Problem, and so on. But perhaps my favourite entry is this one, a test for “human injection”:

# Human injection
# Strings which may cause human to reinterpret worldview
If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.


OpenAI-powered Linux shell uses AI to Do What You Mean

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

It’s like Alexa/Siri/Cortana for your terminal!

This is a basic Python shell (really, it’s a fancy wrapper over the system shell) that takes a task and asks OpenAI for what Linux bash command to run based on your description. For safety reasons, you can look at the command and cancel before actually running it.

Of all the stupid uses of OpenAI’s GPT-3, this might be the most-amusing. It’s really interesting to see how close – sometimes spot-on – the algorithm comes to writing the right command when you “say what you mean”. Also, how terribly, terribly ill-advised it would be to actually use this for real.

Dan Q found GC6T0EG Junior Passage

This checkin to GC6T0EG Junior Passage reflects a geocaching.com log entry. See more of Dan's cache logs.

Had to search for an embarrassingly long time before finding this one. The coordinates and the hint agreed with the (obvious) location I was looking, but I just couldn’t see it. I expanded my search to nearby candidates too before giving up and moving on with my walk.

On the way back, I decided to have another quick search before calling it a DNF… and found it straight away. I was kicking myself to not have seen it before, especially given that I’d looked at past log photos and knew exactly what I was looking for! I’ll tell you what; if either of my kids had been here today they’d have spotted it instantly! (But then… they’re about the perfect height for it…)

Thanks for the distraction while I waited to collect from the river my partner’s brother, who’s been rowing down from Bablock Hythe since yesterday.

Robin rowing down the river, as seen from near the GZ

Robin rowing down the river, as seen from near the GZ×

The Cursed Computer Iceberg Meme

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

More awesome from Blackle Mori, whose praises I sung recently over The Basilisk Collection. This time we’re treated to a curated list of 182 articles demonstrating the “peculiarities and weirdness” of computers. Starting from relatively well-known memes like little Bobby Tables, the year 2038 problem, and how all web browsers pretend to be each other, we descend through the fast inverse square root (made famous by Quake III), falsehoods programmers believe about time (personally I’m more of a fan of …names, but then you might expect that), the EICAR test file, the “thank you for playing Wing Commander” EMM386 in-memory hack, The Basilisk Collection itself, and the GIF MD5 hashquine (which I’ve shared previously) before eventually reaching the esoteric depths of posuto and the nightmare that is Japanese postcodes

Plus many, many things that were new to me and that I’ve loved learning about these last few days.

It’s definitely not a competition; it’s a learning opportunity wrapped up in the weirdest bits of the field. Have an explore and feed your inner computer science geek.

Spy’s Guidebook Reborn

When I was a kid of about 10, one of my favourite books was Usborne’s Spy’s Guidebook. (I also liked its sister the Detective’s Handbook, but the Spy’s Guidebook always seemed a smidge cooler to me).

Detective's Handbook andSpy's Guidebook on a child's bookshelf.
I imagine that a younger version of me would approve of our 7-year-old’s bookshelf, too.

So I was pleased when our eldest, now 7, took an interest in the book too. This morning, for example, she came to breakfast with an encrypted message for me (along with the relevant page in the book that contained the cipher I’d need to decode it).

Usborne Spy's Guidebook showing the "Pocket code card" page and a coded message
Decryption efforts were hampered by sender’s inability to get her letter “Z”s the right damn way around.

Later, as we used the experience to talk about some of the easier practical attacks against this simple substitution cipher (letter frequency analysis, and known-plaintext attacks… I haven’t gotten on to the issue of its miniscule keyspace yet!), she asked me to make a pocket version of the code card as described in the book.

Three printed pocket code cards
A three-bit key doesn’t make a simple substitution cipher significantly safer, but it does serve as a vehicle to teach elementary cryptanalysis!

While I was eating leftover curry for lunch with one hand and producing a nice printable, foldable pocket card for her (which you can download here if you like) with the other, I realised something. There are likely to be a lot more messages in my future that are protected by this substitution cipher, so I might as well preempt them by implementing a computerised encoder/decoder right away.

So naturally, I did. It’s at danq.dev/spy-pocket-code and all the source code is available to do with as you please.

Key 4-1 being used to decode the message: UOMF0 7PU9V MMFKG EH8GE 59MLL GFG00 8A90P 5EMFL
Uh-oh: my cover is blown!

If you’ve got kids of the right kind of age, I highly recommend picking up a copy of the Spy’s Guidebook (and possibly the Detective’s Handbook). Either use it as a vehicle to talk about codes and maths, like I have… or let them believe it’s secure while you know you can break it, like we did with Enigma machines after WWII. Either way, they eventually learn a valuable lesson about cryptography.

Detective's Handbook andSpy's Guidebook on a child's bookshelf.× Usborne Spy's Guidebook showing the "Pocket code card" page and a coded message× Three printed pocket code cards×

Wix and Their Dirty Tricks

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Wix, the website builder company you may remember from stealing WordPress code and lying about it, has now decided the best way to gain relevance is attacking the open source WordPress community in a bizarre set of ads. They can’t even come up with original concepts for attack ads, and have tried to rip-off of Apple’s Mac vs PC ads, but tastelessly personify the WordPress community as an absent, drunken father in a therapy session. 🤔

I have a lot of empathy for whoever was forced to work on these ads, including the actors, it must have felt bad working on something that’s like Encyclopedia Britannica attacking Wikipedia. WordPress is a global movement of hundreds of thousands of volunteers and community members, coming together to make the web a better place. The code, and everything you put into it, belongs to you, and its open source license ensures that you’re in complete control, now and forever. WordPress is free, and also gives you freedom.

For those that haven’t been following the relevant bits of tech social media this last week, here’s the insanity you’ve missed:

  1. Wix start their new marketing campaign by posting headphones and a secret video link to people they clearly think are WordPress “influencers”. But the video is so confusing that people thought it was a WordPress marketing campaign against Wix, not the other way around.
  2. Next, Wix launch their “You Deserve Better” website, attempting to riff off the old “Mac vs. PC” ads. It’s been perhaps most-charitably described as a “bewildering” attack ad, more-critically described as being insensitive and distasteful.
  3. Wix’s Twitter and YouTube responses suddenly swing from their usual “why is your customer service so slow to respond to me?” level of negative to outright hostile. LOL.

Sure, I’m not the target audience. I’ve been a WordPress user for 15 years, and every time I visit a Wix site it annoys me when I have to permit a stack of third-party JavaScript just to load images like they’ve never heard of the <img>tag or something. Hell, I like WordPress enough that I used it as a vehicle to get a job with Automattic, a company most-famous for its WordPress hosting provision. But even putting all of that aside: this advertising campaign stinks.

Twinebook – Printable Interactive Fiction

Twine 2 is a popular tool for making hypertext interactive fiction, but there’s something about physical printed “choose your own adventure”-style gamebooks that isn’t quite replicated when you’re playing on the Web. Maybe it’s the experience of keeping your finger in a page break to facilitate a “save point” for when you inevitably have to backtrack and try again?

Annabe enjoying Choose Your Own (Minecraft) Story books.
These are the first branching novels I’ve introduced her to for which she’s felt the need to take notes.

As a medium for interactive adventures, paper isn’t dead! Our 7-year-old is currently tackling the second part of a series of books by John Diary, the latest part of which was only published in December! But I worry that authors of printed interactive fiction might have a harder time than those producing hypertext versions. Keeping track of all of your cross-references and routes is harder than writing linear fiction, and in the hypertext

Hand-written note showing branching path story plan, from John Diary's Twitter.
John Diary tweeted about his process back in 2017 and it looks… more manual than I’d want.


So I’ve thrown together Twinebook, an experimental/prototype tool which aims to bring the feature-rich toolset of Twine to authors of paper-based interactive fiction. Simply: you upload your compiled Twine HTML to Twinebook and it gives you a printable PDF file, replacing the hyperlinks with references in the style of “turn to 27” to instruct the player where to go next. By default, the passages are all scrambled to keep it interesting, but with the starting passage in position 1… but it’s possible to override this for specific passages to facilitate puzzles that require flipping to specific numbered passages.

Thumb in the page of a Sorcery choose-your-own-adventure gamebook.
In some adventure games, keeping your thumb in the page feels like it’s essential.

Obviously, it doesn’t work with any kind of “advanced” Twine game – anything that makes use of variables, Javascript, etc., for example! – unless you can think of a way to translate these into the written word… which is certainly possible – see Fighting Fantasy‘s skill, stamina, luck and dice-rolling mechanics, for example! – but whether it’s desirable is up to individual authors.

If this tool is valuable to anybody, that’s great! Naturally I’ve open-sourced the whole thing so others can expand on it if they like. If you find it useful, let me know.

Twine screenshot showing many branching paths of the game "Inpatient".
Mapping a complex piece of interactive fiction is a job for a computer, not a human.

If you’re interested in the possibility of using Twine to streamline the production of printable interactive fiction, give my Twinebook prototype a try and let me know what you think.

Annabe enjoying Choose Your Own (Minecraft) Story books.× Thumb in the page of a Sorcery choose-your-own-adventure gamebook.× Twine screenshot showing many branching paths of the game "Inpatient".×