Dan Q found GC79ZK3 Wootton Word Wall

This checkin to GC79ZK3 Wootton Word Wall reflects a geocaching.com log entry. See more of Dan's cache logs.

I’ve never come across the TV series nor this kind of puzzle before, and opted to solve it in an unconventional way. We’re living for a week in an AirBnB nearby – one in a long series of short term lets while we and our insurance company find us somewhere longer-term, following flood damage to our house last month.

This morning, the younger geokid and I came out for a walk with the geopup. After a little difficulty getting a GPSr fix we eventually found a good-looking host, and after a few laps we had the well-camouflaged container in our hands. A good sized, well maintained container and an interesting puzzle, even if the way we solved it might be considered by some to have been cheating!

SL (using my own pencil; the one in the cache is blunt and I forgot to bring my sharpener), TFTC.

Did I Cheat?

The Puzzle

The other day I needed to solve a puzzle1. Here’s the essence of it: there was a grid of 16 words. They needed to be organised into four thematic “groups” of four words each; then each group needed to be sorted alphabetically.

Each item in each group had a two-character code associated with it: these were to be concatenated together into a string and added to a pastebin.com/... URL. The correct four URLs would each contain a quarter of the answer to the puzzle.

Grid of four by four words, each with an associated pair of letters.
Apparently this puzzle format is called “Only Connect” and is based on a TV show?2

I’m sure I could have solved the puzzle. But I figured it’d be more satisfying to solve a different puzzle, with the same answer: how to write a program that finds the correct URLs for me.

Here’s what I came up with:

#!/usr/bin/env ruby
require 'set'
require 'net/http'
require 'uri'
FRAGMENTS = [
  'Salsa|mO',
  'Henry|J2',
  'Primate|Q4',
  'Brine|M6',
  'Trinidad|1Z',
  'Pile|8g',
  'Crock|mO',
  'Howitzer|wT',
  'Light|DC',
  'Argo|Lt',
  'Juniper|2I',
  'Hamlet|wN',
  'Warden|xU',
  'Joker|1H',
  'Warner|9s',
  'Bargain|Cq',
]

result = FRAGMENTS.permutation(4).to_a

sorted_results = result.map { |combination| combination.sort }.uniq
shortened_results = sorted_results.map { |combination| combination.map { |fragment| fragment.split('|').last } }
urls = shortened_results.map { |combination| "https://pastebin.com/#{combination.join('')}" }

START_AT = 0

urls[START_AT..].each_with_index do |url, idx|
  uri = URI(url)
  response = Net::HTTP.get_response(uri)
  print '.'
  if response.code != '404'
    puts "\nHIT at index #{idx + START_AT}: #{url}"
  end
  sleep(rand(0..3) * 0.1)
end

I’m confident that this approach was faster.3 Or rather: it would have been if it hadn’t been for the fact that I felt the need to subsequently write a blog post about it.

Here’s how it works:

  1. It creates an array containing the 43,680 possible permutations of 4 from the 16 words.
  2. It sorts the permutations and removes duplicates, reducing the set to just 1,820.
  3. It removes the bit of each that isn’t the two digit code at the end and concatenates them into a URL.
  4. It tries each URL, with short random gaps between them, listing each one that isn’t a 404 “Not found” response.4

I kicked off the program and got on with some work. Meanwhile, in the background, it permuted the puzzle for me. Within a few minutes, I had four working pastebin URLs, which collectively gave me the geocache’s coordinates. Tada!
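
The pruning idea from the efficiency footnote (skip any candidate that reuses a word from a group already confirmed), as an added example that is not part of the original post. It reuses the post's fake gameboard; `CONSTRUCTED_PASTES`, `solve` and the lookup block are assumptions that stand in for the HTTP requests so the code runs offline.

```ruby
#!/usr/bin/env ruby
# Added example, not the post's code: skip candidates ruled out by earlier hits.

# The fake gameboard from the post, in its 'Word|code' format.
BOARD = %w[
  Salsa|mO Henry|J2 Primate|Q4 Brine|M6 Trinidad|1Z Pile|8g Crock|mO Howitzer|wT
  Light|DC Argo|Lt Juniper|2I Hamlet|wN Warden|xU Joker|1H Warner|9s Bargain|Cq
].freeze

# Constructed answer key standing in for the HTTP lookups so this runs offline.
# The grouping is arbitrary (the board is random): one paste ID per group.
CONSTRUCTED_PASTES = %w[LtwN2ImO CqJ2DC1Z M6wT8gxU mO1HQ49s].freeze

def word(fragment)
  fragment.split('|').first
end

def code(fragment)
  fragment.split('|').last
end

# Every alphabetically ordered group of four words. Sorting by the word alone
# (not the whole 'Word|code' string) keeps a word that is a prefix of another
# in the right place. Taking combinations of the sorted list yields each group
# once, already in order.
def candidate_groups(fragments)
  fragments.sort_by { |f| word(f) }.combination(4).to_a
end

# Walk the candidates in order. The block receives the concatenated codes and
# returns true when that paste exists. Once a group is confirmed, its words
# cannot belong to any other group, so every later candidate containing one
# of them is skipped without a lookup. Returns [groups, number_of_lookups].
def solve(fragments)
  used = {}
  groups = []
  probes = 0
  candidate_groups(fragments).each do |group|
    break if groups.size == fragments.size / 4
    next if group.any? { |f| used[f] }

    probes += 1
    next unless yield(group.map { |f| code(f) }.join)

    groups << group.map { |f| word(f) }
    group.each { |f| used[f] = true }
  end
  [groups, probes]
end

if __FILE__ == $PROGRAM_NAME
  groups, probes = solve(BOARD) { |id| CONSTRUCTED_PASTES.include?(id) }
  groups.each { |g| puts g.join(', ') }
  puts "#{probes} lookups instead of #{candidate_groups(BOARD).size}"
end
```

The same numbers read the other way round: an address assembled from sixteen visible tokens has at most 1,820 possible values, so it cannot be treated as a secret.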

Was this cheating?

I still solved a puzzle. It probably took me, as a strong programmer, about as long as it would have taken me to solve the puzzle the conventional way were I a strong… “only connect”-er5. But I adapted the puzzle into a programming puzzle and solved it a completely different way. Here’s the arguments, as I see them:

  • Yes, this was cheating. This wasn’t the way the puzzle author intended it to be solved. Inelegantly brute-forcing a problem isn’t “solving” it, it’s sidestepping it. If everybody did this, there’d be no point in the author putting the time into the puzzle in the first place.
  • No, this wasn’t cheating. This solution still required solving a puzzle, just a different one. A bad human player making a lucky guess would be fine. It’s a single-player game; play any way that satisfies you. Implementing software to assist is no worse than asking a friend for help, as others have done.

Click on a 😡 or a 🧠 to let me know whether you think I cheated or not, or drop me a comment if you’ve got a more-nuanced opinion.

Footnotes

1 Okay, okay, it was for a geocache.

2 Don’t try to solve this one; it’s randomly generated.

3 This version of the program is adapted to the fake gameboard I showed earlier. You won’t get any meaningful results by running this program in its current state. But you could quickly adapt it to a puzzle of this format, I suppose.

4 It occurred to me that it could have been more-efficient to eliminate from the list any possibilities that are ruled-out by any existing finds… but efficiency is a balancing act. For a program that you’ll only run once – and in the background, while you do other things, to boot – there’s a tipping point at which it’s better to just get it running than it is to improve its performance.

5 There’s a clear parallel here to the various ways in which I’ve solved jigsaw-puzzle-based geocaches, because I’m far more interested in (a) programming and (b) getting out into the world and finding geocaches in interesting places than I am in doing a virtual jigsaw puzzle!


Reply to: I’m OK being left behind, thanks!

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Terence Eden said:

Many years ago, someone tried to get me into cryptocurrencies. “They’re the future of money!” they said. I replied saying that I’d rather wait until they were more useful, less volatile, easier to use, and utterly reliable.

“You don’t want to get left behind, do you?” They countered.

That struck me as a bizarre sentiment. What is there to be left behind from? If BitCoin (or whatever) is going to liberate us all from economic drudgery, what’s the point of “getting in early”? It’ll still be there tomorrow and I can join the journey whenever it is sensible for me.

100%. If I “get in early” on something, it’s because that thing interests me, not because I’m betting on its future. With a hundred new ideas a day and only one of them “making it”, it’s a fools’ game to try to jump on board every bandwagon that comes along.

With cryptocurrencies, though, I’m fortunate enough to have an even better comeback at the cryptobros that try to shill me whatever made-up currency they’re “investing” in today: I’ve already done better than they ever will, at them.

When Bitcoin first appeared, I took a technical interest in it. I genuinely never anticipated it’d take off (I made the same incorrect guess with MP3s, too!), but I thought it was a fun concept to play about with. The only Bitcoins I ever paid for must’ve been worth an average of 50p each, or so.

I sold my entire wallet of Bitcoins when they hit around £750 each. I know a tulip economy when I see one, I thought. Plus: I was no longer interested in blockchains now I was seeing how they were actually being used: my interest had been entirely in the technology and its applications, not in the actual idea of a currency!

Sure, I kick myself occasionally, given that I later saw the value rise to tens of thousands of pounds each. But hey, I was never in it for the money anyway.

So yeah, I tell cryptobros; I already made a 1500% ROI on cryptocurrency. And no, I’m not buying any cryptocurrencies any more. Whatever they think “getting in early” was, they’re wrong, because I was there years ahead of them and I wasn’t even doing it to “get in early”; I did it because it was interesting. And honestly, isn’t that a better story to be able to tell?

I feel the same way about the current crop of AI tools. I’ve tried a bunch of them. Some are good. Most are a bit shit. Few are useful to me as they are now.

If this tech is as amazing as you say it is, I’ll be able to pick it up and become productive on a timescale of my choosing not yours.

Yup, that’s the attitude I’m taking.

I play with new AI technologies, sometimes. I don’t do it because I’m afraid of being left behind because – as you say – if a technology is transformative, we’ll all get to catch up eventually.

Do you think that people who had smartphones first are benefitting today because they “got in early” on something that later became mainstream?

Of course they’re not. Their experience is eventually exactly the same as everybody else’s, just like it was for everybody who “got in early” on hype trains whose final station came early, like Compuserve GO-words, WAP, Beenz.com, WebTV, the CueCat, m-Commerce, HD-DVD, the JooJoo, or Google+.

F-Day plus 35

It’s F-Day plus 35, and I’m spending a few hours working in the habitable part of our flood-damaged house while I’m “between” two AirBnBs.

The dog, who doesn’t normally get to come upstairs, is sitting with me on the landing. Except she also wants to keep an eye on what’s happening downstairs.

The result? Her back legs are sitting and her front legs are standing as she peers blepfully down the stairs.

A champagne-coloured French Bulldog wearing a teal harness is on the top step of a cream-carpeted staircase. Her hind legs are folded so her bottom sits on the top step, but her forelegs are extended so she's standing on the one below. Her tongue is out in a full blep.


A Random List of Silly Things I Hate

So apparently now this is a thing, so here I go:

  1. Websites that are just blank pages if the JavaScript doesn’t load from the CDN.1
  2. The misunderstanding that LLMs can somehow be a route to AGI.
  3. Computer systems that say my name is too short or my password is too long.2
  4. People being unwilling to discuss their wild claims later using the lack of discussion as evidence of widespread acceptance.
  5. When people balance the new toilet roll one atop the old one’s tube.3
A nearly-full roll of toilet paper perched atop an empty toilet roll tube on an open-ended spindle.
Come on! It would have been so easy!
  6. Shellfish. Why would you eat that!?
  7. People assuming my interest in computers and technology means I want to talk to them about cryptocurrencies.4
  8. Websites that nag you to install their shitty app. (I know you have an app. I’m choosing to use your website. Stop with the banners!)
  9. People who seem to only be able to drive at one speed.5
 10. The assumption that the fact I’m “sharing” my partner is some kind of compromise on my part; a concession; something that I’d “wish away” if I could. (It’s very much not.)
 11. Brexit.

Wow, that was strangely cathartic.

Footnotes

1 I have a special pet hate for websites that require JavaScript to render their images. Like… we’d had the <img> tag since 1993! Why are you throwing it away and replacing it with something objectively slower, more-brittle, and less-accessible?

2 Or, worse yet, claiming that my long, random password is insecure because it contains my surname. I get that composition-based password rules, while terrible (even when they’re correctly implemented, which they’re often not), are a moderately useful model for people to whom you’d otherwise struggle to explain password complexity. I get that a password composed entirely of personal information about the owner is a bad idea too. But there’s a correct way to do this, and it’s not “ban passwords with forbidden words in them”. Here’s what you should do: first, strip any forbidden words from the password: you might need to make multiple passes. Second, validate the resulting password against your composition rules. If it fails, then yes: the password isn’t good enough. If it passes, then it doesn’t matter that forbidden words were in it: a properly-stored and used password is never made less-secure by the addition of extra information into it!

3 This is the worst of the toilet paper crimes, but there’s a lesser but more-common offence.

4 Also: I’m uninterested in whatever multiplayer shooter game you’re playing, and no I won’t fix your printer.

5 “You were doing 35mph in the 60mph limit, then you were doing 35mph in the 40mph limit, now you’re doing 35mph in the 20mph limit. Argh!”
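
Footnote 2's procedure (strip forbidden words in repeated passes, then apply the composition rules to whatever is left), as an added example that is not from the original post. The rule thresholds, the forbidden-word list and the sample passwords are constructed assumptions.

```ruby
# Added example, not the post's code: "strip, then validate" password checking.

# Assumed composition rules: at least 12 characters drawn from at least three
# of these four character classes. Substitute your own policy here.
MIN_LENGTH = 12
CHARACTER_CLASSES = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].freeze

# Constructed personal details for a hypothetical user.
FORBIDDEN_SAMPLE = %w[alice smith 1990].freeze

# Remove every forbidden word, ignoring case, and repeat until a pass changes
# nothing. One pass is not enough: deleting an occurrence can splice a new
# one together ("SmSmithith" -> "Smith" -> "").
def strip_forbidden(password, forbidden)
  words = forbidden.map(&:strip).reject(&:empty?).sort_by { |w| -w.length }
  return password.dup if words.empty?

  pattern = Regexp.new(words.map { |w| Regexp.escape(w) }.join('|'),
                       Regexp::IGNORECASE)
  stripped = password.dup
  loop do
    reduced = stripped.gsub(pattern, '')
    return reduced if reduced == stripped

    stripped = reduced
  end
end

def meets_composition_rules?(candidate)
  candidate.length >= MIN_LENGTH &&
    CHARACTER_CLASSES.count { |c| candidate.match?(c) } >= 3
end

# The footnote's check: the password is judged on what remains once the
# forbidden words are gone, so extra information never counts against it.
def acceptable?(password, forbidden)
  meets_composition_rules?(strip_forbidden(password, forbidden))
end

# The approach the footnote objects to, for contrast: reject on sight of any
# forbidden word, however strong the rest of the password is.
def banned_word_check?(password, forbidden)
  lowered = password.downcase
  forbidden.none? { |w| lowered.include?(w.downcase) } &&
    meets_composition_rules?(password)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passwords.
  ['x7#Smith-Kq9!vTz2LmP', 'AliceSmith1990!', 'SmSmithith1990!Aa'].each do |pw|
    puts format('%-22s remainder=%-18s strip-then-validate=%-5s banned-word=%s',
                pw, strip_forbidden(pw, FORBIDDEN_SAMPLE).inspect,
                acceptable?(pw, FORBIDDEN_SAMPLE),
                banned_word_check?(pw, FORBIDDEN_SAMPLE))
  end
end
```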


Note #28553

Somebody should make a tea cosy but to fit a cafetiere.

That sounds like a great idea.

Dan Q wrote note for GCADCWF Treasure island

This checkin to GCADCWF Treasure island reflects a geocaching.com log entry. See more of Dan's cache logs.

I first found this cache last summer while cycling a circuitous route from Witney to Stanton Harcourt. I happened to be walking the dog nearby, this morning, and so I figured I’d check up on it. The outer container continues to deteriorate and could do with some TLC, but otherwise this cache looks to be okay.

Hint Line 93

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Screenshot showing a desk with a gamepad, mouse, and with an open notepad with the handwritten instructions 1. Answer Game, 2. Identify Game, 3. Consult Compendium, 4. Help Caller!!

With thanks to Marcin Wichary for introducing me to it, let me share with you… Hint Line ’93, a project of the awesome-sounding museum ACMI (the Australian Centre for the Moving Image). Originally pitched by Yarn Spinner, the concept of the exhibit was:

…a visual novel on screen, where you’re working a fictional hint line, with critical information in The Compendium, a dog-eared binder full of official docs mixed with handwritten notes from previous counselors who figured out what actually works.

So yeah. It’s a bit like… Keep Talking and Nobody Explodes, except instead of bomb defusal, you’re working on a computer game hint line in their heyday of circa 1993. Customers call you, and you have to help them with their video game problems, ideally in accordance with company policy to try to guide the customer to their own answer rather than telling them the solution outright. Oh, and also sometimes people call up about products that aren’t covered and you need to identify this promptly and get on to the next caller.

Obviously you’ve already got an encyclopaedic knowledge of all the games already? No, you don’t, because before they could even start on making Hint Line ’93, the creators first needed to invent a fictional video games company, a catalogue of fictional games (including faked screenshots, history, lore, and BBS posts), and more. But it wouldn’t matter anyway, because you get a thick manual – the compendium – of hints and tips to refer to (also code wheels, post-its, and lots more).

A retro computer and compendium, showing a digital representation of the same on its screen.

The exhibit is designed to be experienced in-person, but – given that I live on the other side of the planet – I was delighted to see that the museum put a (less-tactile) version online for visitors around the world to play.

Also: speaking as somebody with an awesome name, there are so many people with awesome names involved with this project. Mars Buttfield-Addison and Paris Buttfield-Addison are perhaps my favourite. Excellent names.

Even if you don’t feel up to playing the game, have a flick through the (digital version of the) compendium. That’s where the real art lies!


Questionnaire – Plain Text

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Inspired by The Frugal Gamer, who was in turn inspired by Ellane, I today used my silly plain text only blog to answer a questionnaire that’s going around:

Questionnaire - Plain Text
==========================
The Frugal Gamer recently shared[1] her answers to the questions posed by plain-text advocate Ellane
in her post "Answer These Eight Questions About Your Plain Text Files"[2], and this blog (being even
more "plain text" than either of those!) seems like an obvious place to answer those questions on my
own behalf, too. Let's give them a go!
1. When did you start using plain text?
---------------------------------------
Way back in the mid-1980s, on an Amstrad CPC microcomputer, I guess, when I started editing files of
BASIC code (and, occasionally, text-based data with CRLF delimiters). I'd later go on to extensively
make use of plain text in various flavours of DOS on IBM-compatible PCs: for programming, of course,
but also for general notetaking and personal documents.
2. Why did you start using plain text?
--------------------------------------
At those earliest points, it was an exercise in necessity! With only 64Kb of RAM and a 4MHz CPU, the
capabilities of my first microcomputer to do anything more gaphically-sophisticated than ASCII plain
text (or a nearby derivative of it) would be a stretch! It was around this same time that I tested a
basic word processing package called TASWord, but it was VERY bare-bones: just five font faces, able
to hold up to three "pages" in memory at once, and some kind of mail merge tool... even though I had
a (dot matrix!) printer capable of rendering those fonts, it didn't really justify the effort needed
to load the software from the tape deck in the first place with a simpler, lighter editor would, for
any real purpose, suffice!
3. What do you use plain text for?
----------------------------------
This blog, for a start!
Aside from when I'm programming or taking basic notes, mostly I end up writing Markdown, these days.
Obsidian's a wonderful notetaking app, but in practice all it REALLY is is a tool for collating text
files and doing on-the-fly plain-text-to-markdown rendering. I don't really use any of its many cool
plugins for anything more-sophisticated than that.
And I'm also routinely found writing Markdown (or plain text!) for programming-adjacent jobs: commit
logs, pull requests, test instructions, and the like.
4. What keeps you using plain text?
-----------------------------------
My favourite thing about plain text is its longevity. I have notes (old emails, poems, logs from IRC
and IM clients, personal notes, even letters) that I wrote in plain text formats 30+ years ago. Even
though technology has moved on, I have absolutely no problem reading them today just as I would have
when they were first written.
5. Do you use any markup or formatting languages? If so, which ones and why?
----------------------------------------------------------------------------
My most-used markup languages are Markdown and HTML (although neither on THIS blog, obviously). Both
provide functionality that's absent from plain text while still retaining at least a part of the top
feature of plain text: its universality and longevity. Markdown's perfectly human-readable even when
you don't have an interpreter to hand already. HTML _can_ be very human-readable, too, if the author
has taken the care to make it so... and even if it isn't, it can be transformed to plain text pretty
trivially even if there isn't a Web browser to hand.
6. What are your favourite plain text tools or applications?
------------------------------------------------------------
My go-to text editor is Sublime Text (I'm using it right now). After over a decade of Emacs being my
preferred text editor, Sublime Text was what dragged me kicking and screaming into 21st century text
editing! I love that it's clean, and simple, and really fast (I tried Atom or VSCode or one of those
other "heavyweight" editors, implemented in Electron, and found it it to be unbearably slow; perhaps
faster processors have made them more-bearable, but doesn't that feel a little bit like treating the
symptom rather than solving the problem?).
Oh, and Obsidian, as previously noted. Sometimes I'll use Notepad++ on a Windows box, or Nano, Pico,
or Emacs from a command-line.
And just sometimes - more often than you might expect, I just daisychain an `echo` or a `printf` and
a `>>` and just concatenate things into a file. Sometimes that's all you need!
7. Is there one tool you can’t do without?
------------------------------------------
Nope! I've spent long enough doing plain text things with enough different tools that - perhaps with
a little mumbling and grumbling - I can adapt to whatever tools are available. Though you'll find me
grumpy if you make me work on a system without `grep` available!
8. Is there anything you can’t do with plain text?
--------------------------------------------------
I mean... ultimately, there has to be right? Sure, you can write general-purpose software using your
plain text editor, but you'll still need a compiler or interpreter to run it, and how is ITS program
code rendered? No matter what your stack is, eventually you'll find that you're running into machine
code, and - even though it can be 1:1 mapped to assembly... that's a translation, not what it IS. So
fundamentally, there's a limit to the power of plain text.
But once you're balanced atop a well-made toolchain, there's a hell of a lot you can do! Data can be
rendered as CSV, YAML, JSON or whatever. Markup can add value while retaining the human-readable joy
of a simple, plain text file. It saddens me when I see somebody type out their shopping list in e.g.
Microsoft Word or some other monster, when Notepad would have plenty sufficed (and be faster, with a
smaller file size, and increased interoperability!).
I've long loved the "Unix Philosophy" that plain text should be the default data format, rather than
any binary format, between applications. That, in itself, is a reminder of plain text's versatility!
It's the universal language of humans and machines. And it's here to stay.
Links
-----
[1] https://www.thefrugalgamer.net/blog/2026/01/22/questionnaire-plain-text/
[2] https://ellanew.com/2025/01/19/ptpl-191-answer-8-questions-why-plain-text

D’ya know what? Back when I used to write lots of stuff on Usenet and BBSes, I got really good at manually wrapping at, say, 80 characters. Even doing full justification by tweaking word choices or by just manually injecting spaces in the places that produce the fewest “rivers”.

I’ve sort-of lost the knack for it. But I think I did a pretty good job with this post!

A Hundred Inconveniences

It’s F-Day plus 31 – a whole month (and a bit; thanks February) since our house filled with water and rendered us kinda-homeless.

We continue to live out of a series of AirBnB-like accommodations, flitting from place to place after a week or fortnight. I can’t overstate how much this feels like a hundred tiny inconveniences, piling up in front of me all at once and making it hard to see “past” them.

An attractive Cotswold-stone converted barn with a gravel driveway and a broad grassy lawn.
Our current two-week stint is spent at a place that’s perfectly delightful… but it’s not home.

They’re all small potatoes compared to the bigger issue of, y’know… our house being uninhabitable. But they’re still frustrating.

I’m talking about things like discovering your spare toothbrush heads are at the “wrong” house. Or having to take extra care to plan who’s going to use which car to go to the office because the kids and the dog need dropping off (because our lives were all optimised for our local walking and bus routes). It’s a level of cognitive load that, frankly, I could do without.

Dan and JTA sit with pints of beer in a cluttered brewery, at a table with large tomato cans repurposed as holders for chilli oil and pizza cutters.
I’m trying to look on the bright side. One particular highlight was JTA and I discovering the epic pizza restaurant inside the brewery that’s about four minutes walk from where we’re living, right now.

Meanwhile, any relief is slow to come. We’re still without a medium-term plan for somewhere to live, because even though the insurance company has pulled their finger out and agreed to pay for say six months of rental of a place, we’re struggling to find a suitable property whose landlord is open to such a short-term let.

When the house first flooded and friends told me that I’d be faced with many months of headaches, I figured this was hyperbole. Or that, somehow, with the epic wrangling and project management skills of Ruth, JTA and I combined, that we’d be able to accelerate the process somewhat. Little did I know that so many of the problems wouldn’t be issues of scale or complexity but of bureaucracy and other people’s timescales. Clearly, we’re in it for the long haul.

It feels silly that we’re still in the first quarter of this 2026 and already I’m looking forward to next year and the point where we can look back and laugh, saying “ah, remember 2026: the year of the flood?” Sigh.


You don’t have to disconnect

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

A lot of attention was gained by Derek Sivers’ post Offline 23 hours a day, the other week. I was particularly impressed by the rebuttal by Rishi Dass:

Anyway, the reasoning behind this idea of disconnecting seems to be that they equate being productive with having no internet or phone service. This implies that the tool (internet or the phone) is the problem. But is that entirely true?

They further argue that disconnection helps them create a vacuum through media silence, allowing their thoughts to expand and fill the space. While it’s understandable that you can concentrate better when your attention is focused on one thing, there’s no reason you can’t stay online and do the work. If you’re able to work comfortably in a library, you can do this.

Obviously, Derek’s approach is valid. It sounds like he’s found what works for him in terms of managing his time, life, mental energy, and the like, and that’s great! I’d be lying if I said that I didn’t envy him at least a little: don’t we all enjoy “unplugging” sometimes?

I think Derek’s post is so appealing because it touches our nostalgia of a simpler, less-always-online time.

For a while I thought that this would be a sensation unique to folks who, like me, had their first experiences of the Internet in a very intermittent and deliberate way. In the 1990s, I used to go on the Internet: a premeditated act that required being somewhere with a landline and the appropriate hardware, requiring that nobody was using or intending to use the phone, booting up a computer, dialling-up to the local Internet Service Provider, and then going about what I wanted to do. At that time, it was uncommon to use the ‘net for trivial things like checking the weather or what’s on at the cinema, because picking up the local newspaper would probably be a faster way to achieve that! Similarly, it wasn’t so-useful as a procrastination activity, because picking up a book or going for a walk was more accessible and reliable.

But this isn’t a generational thing, or at least not entirely. Gen Zs are seeing the joy in retro tech from before they were born, which is something I’ve witnessed myself: I’m part of a couple of online communities that do quite a bit of retro-Web and other retro-tech stuff, and I’ve been amazed at how young the demographics can skew in some of these groups! Like: there are people who were born after Facebook was founded who yearn to recreate the kind of dial-up experience that I had, before their parents met.

(Obviously, I think this is great; I think there are great lessons to be learned from the more open, decentralised, distributed, transparent, and exploratory Internet of times gone by. It just… initially surprised me to find so many younger folks showing such an interest in it, too.)

I still think this is nostalgia, though. Here’s why: none of us are born with unfettered and unfiltered access to the Internet. Unless they have the most hands-off parents possible, even a child born today won’t be “always online” for the first decade or more of their life. And being a child, for most folks, is a time of safety and wonderment: where there are other people to attend to our needs and filter our information intake and answer our questions in a protected environment. Growing up, we all have to learn to do those things for ourselves. And in the information-saturated attention economy of the modern world, that shit is exhausting.

You don’t need to be reminiscing about dial-up to fantasise about a slower time, when pub quizzes couldn’t be cheated by a shithead in the corner unless you catch them in the act and when your pocket computer wouldn’t beep for attention every 30 seconds because a half-remembered friend posted a holiday snap. Not having the extra cognitive load all the time is liberating!

No wonder “going offline” seems like a luxury to people, and why Derek’s extreme approach is so intriguing! But it’s just the same as that curated holiday snap that your friend-of-a-friend just posted to Instagram: it’s a snapshot into the best bits of somebody else’s life. It’s not reality. It’s your imagination, your fantasy, projected onto somebody else’s solution. “This works for them,” you say to yourself, “It must work for me, too!”

Maybe it would! And I hope that a few people feel empowered by Derek’s post to fulfil their dream and go live in the woods. Good for them!

But Rishi’s rebuttal brings us a sense of balance. For most people, it’s not necessary to go live in the woods to “go offline”. If you really want to, just… go offline. The power’s in your hands.

  • if you don’t want to be distracted by social media and games, close those accounts and take those apps off your device
  • if you don’t want to be interrupted by notifications, switch them off and check your inputs on your own schedule
  • if you don’t want to be online at all, set airplane mode or disconnect from the WiFi, and narrow your focus onto that book, board game, film, conversation, or daydream
  • if you don’t trust yourself not to be tempted to backslide… well, that’s a bigger problem of self-control that you need to work on, but in the meantime, try and experiment: leave your device behind and take a walk!

I get wanting to disconnect. I have my own controls in place, too, and they’re great for my mental health. But my approach, Derek’s approach, anybody’s approach… don’t have to be your approach.

Start the journey by working out what parts of the always-online world aren’t serving you. What things are more of a psychological drain than a boost? What’s bad for your mental wellbeing on the whole (not just in the moment)? What habits would you like to kick? What excuses are you using to keep them?

Then, work out what you can do about them. Seek assistance if you need it; you might not have all the solutions. But beware the seductive approach of taking what works for somebody else and trying to fit yourself to their mould.

Sure: maybe you need to go live in the woods with Derek. But make that choice because it solves your problems, not because it solves his!

Dan Q found GC4MJR8 R’n’R #2 Skinny & Boney

This checkin to R’n’R #2 Skinny & Boney reflects a geocaching.com log entry. See more of Dan's cache logs.

Coming across from Finstock via R’n’R #9 (we’re absolutely doing this series in the wrong order!), the geokid, geopup and I made a poor choice by hugging the tree line rather than cutting out of the field and coming up the road: it was super muddy in the field at the points at which the footpath runs nearest to this cache, and we struggled to get through a particularly large puddle.

We initially made an effort to get “behind” the bush but eventually discovered we didn’t need to: the cache (whose nature we’d eventually managed to guess from the name) was accessible – with a bit of a stretch – from near the roadside.

And, in accordance with the theme, we’ve got a verse for you:

🎶 I used to wonder what caching could be,
🎶 Until you all shared this series with me.
🎶 Big adventure, tons of fun.
🎶 A beautiful cache; now it’s signed and done!

Dan Q found GC4MJY0 R’n’R #9 – Thumper

This checkin to GC4MJY0 R’n’R #9 – Thumper reflects a geocaching.com log entry. See more of Dan's cache logs.

The younger geokid and I had a plan, this morning, to drive out from our temporary (post-flood) accommodation in New Yatt, park at St. Peter’s in Wilcote, and then walk the dog around the area between Wilcote and Ramsden while we collect a few more caches from this excellent series.

Unfortunately our plans were scuppered early on when we discovered that a Scouts troop had completely occupied all possible parking spaces in Wilcote, and a platoon of children, supervised by some tired-looking adults, were beginning a walk around what looked likely to be the exact same routes we were planning.

So we came at it from the other angle. Driving around to Finstock, we parked near The Plough and came across the network of footpaths from the other end.

A boy and a dog run through a grassy fallow field.

By the time we were at the corner of this field the kid and dog were enjoying running around in the Spring sunshine, and once we got to the GZ the cache itself was a quick and easy find… although the kid did take the time to stop and make a crude joke about the rabbit’s bum being corked!


Why Security Engineering needs a Hacker Mentality

My recent post How an RM Nimbus Taught Me a Hacker Mentality kickstarted several conversations, and I’ve enjoyed talking to people about the “hacker mindset” (and about old school computers!) ever since.1

Thinking “like a hacker” involves a certain level of curiosity and creativity with technology. And there’s a huge overlap between that outlook and the attitude required to be a security engineer.

By way of example: I wrote a post for a Web forum2 recently. A feature of this particular forum is that (a) it has a chat room, and (b) new posts are “announced” to the chat room.

Simulated screenshot of the 'Liquid Crystal Cafe' chat room, in which user 'Shoutbox' has recently announced that 'Dan Q created Things I Have Been Breaking Into This Week...'.
It’s a cute and useful feature that the chat room provides instant links to new topics.

The title of my latest post contained a HTML tag (because that’s what the post was talking about). But when the post got “announced” to the chat room… the HTML tag seemed to have disappeared!

And this is where “hacker curiosity” causes a person to diverge from the norm. A normal person would probably just say to themselves “huh, I guess the chat room doesn’t show HTML elements in the subjects of posts it announces” and get on with their lives. But somebody with a curiosity for the technical, like me, finds themselves wondering exactly what went wrong.

It took only a couple of seconds with my browser’s debug tools to discover that my HTML tag… had actually been rendered to the page! That’s not good: it means that, potentially, the combination of the post title and the shoutbox announcer might be a vector for an XSS attack. If I wrote a post with a title of, say, <script src="//example.com/some-file.js"></script>Benign title, then the chat room would appear to announce that I’d written a post called “Benign title”, but anybody viewing it in the chat room would execute my JavaScript payload3.

I reached out to an administrator to let them know. Later, I delivered a proof-of-concept: to keep it simple, I just injected an <img> tag into a post title and, sure enough, the image appeared right there in the chat room.

Screenshot of the same forum, but the new shoutbox message contains an 88×31 animated GIF that says 'Dan Q', where the 'Q' spins on its axis.
Injecting an 88×31 seemed like a less-disruptive proof-of-concept than, y’know, alert('xss'); or something!
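The announcement bug described above, as an added example rather than the forum’s own code (which this post doesn’t show): a hypothetical announcer that concatenates the title into markup, beside one that escapes it on output, plus a regression check for the “disappearing tag” symptom. The function names, the markup and the `<img>` title are assumptions; the `<script>` title is the one quoted above.

```javascript
// Added example: hypothetical announcer functions, not the forum's real code.
// SCRIPT_TITLE is the title quoted in the post; IMG_TITLE is constructed.
const SCRIPT_TITLE = '<script src="//example.com/some-file.js"></script>Benign title';
const IMG_TITLE = '<img src="badge.gif" alt="">Hello';

// Vulnerable: the post title is concatenated into the markup as-is.
function announceUnsafe(author, title) {
  return `<li class="announce">${author} created ${title}</li>`;
}

// Escape the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: every untrusted field is escaped at the point of output.
function announceSafe(author, title) {
  return `<li class="announce">${escapeHtml(author)} created ${escapeHtml(title)}</li>`;
}

// Rough approximation of what a reader sees in the chat room: elements
// (and script bodies) are not displayed, character references are decoded.
function visibleText(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Regression check: a renderer is handling the title as text only if the
// reader sees the title exactly as typed. A "missing" tag means it was parsed.
function rendersVerbatim(render, author, title) {
  return visibleText(render(author, title)) === `${author} created ${title}`;
}

for (const title of [SCRIPT_TITLE, IMG_TITLE]) {
  for (const render of [announceUnsafe, announceSafe]) {
    console.log(render.name, rendersVerbatim(render, 'Dan Q', title),
      JSON.stringify(visibleText(render('Dan Q', title))));
  }
}
```

With the unsafe renderer the visible text is just “Dan Q created Benign title”, which is exactly the symptom that prompted the closer look; the escaped version shows the tag as typed.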

This didn’t start out with me doing penetration testing on the site. I wasn’t looking to find a security vulnerability. But I spotted something strange, asked “what can I make it do?”, and exercised my curiosity.

Even when I’m doing something more-formally, and poking every edge of a system to try to find where its weak points are… the same curiosity still sometimes pays dividends.

I remember that a decade ago, I found a vulnerability in a central IT system at the University of Oxford that involved setting a payload in a domain-wide cookie with the anticipation that a trusted system would trip over it later. The administrators of the system had been running the usual automated scanners to look for security problems, but those tools lack the imagination of a human with a hacker mindset.

And that’s why you need that mindset in your security engineers. Curiosity, imagination, and the willingness to ask “what can I make it do?”. Because if you don’t find the loopholes, the bad guys will.

Footnotes

1 It even got as far as the school run, where I ended up chatting to another parent about the post while our kids waited to be let into the classroom!

2 Remember forums? They’re still around, and – if you find one with the right group of people – they’re still delightful. They represent the slower, smaller communities of a simpler Web: they’re not like Reddit or Facebook where the algorithm will always find something more to “feed” you; instead they can be a place where you can make real human connections online, so long as you can deprogram yourself of your need to have an endless-scroll of content and you’re willing to create as well as consume!

3 This, in turn, could “act as” them on the forum: for example, attempting to steal their credentials or making them post messages they didn’t intend to, or, if they were an administrator, taking more-significant actions!


Chapattidilla

Wanted a quesadilla. Didn’t have any tortillas, so substituted chapattis.

Two layers of chapattis in a frying pan on a stove, alongside their packaging.

It went… only okay. The earthiness of the chapatti pairs with mature cheese less-well than the cornflour-sweetness of a tortilla does.

I tried it, so you don’t have to!
