Blog

More than you expected?

You're reading everything on Dan's blog - including notes, reposts, checkins, videos and comics.
That might be more than you wanted to see, if you're only interested in blog posts (articles) Dan has written.

Hey @LloydsBank! 2009 called and asked if you’re done sending your customers links to unencrypted HTTP endpoints yet. How do you feel about switching this to a HTTPS link rather than relying on an interceptable/injectable HTTP request?

Text message: "Follow this link to download your free Lloyds Bank Mobile Banking app. http://www.lloydsbank.com/mobileapp"

Ireland and the UK Aren’t In The Same Timezone!

This weekend, while investigating a bug in some code that generates iCalendar (ICS) feeds, I learned about a weird quirk in the Republic of Ireland’s timezone. It’s such a strange thing (and has so little impact on everyday life) that I imagine that even most Irish people don’t even know about it, but it’s important enough that it can easily introduce bugs into the way that computer calendars communicate:

Most of Europe put their clocks forward in Summer, but the Republic of Ireland instead put their clocks backward in Winter.

If that sounds to you like the same thing said two different ways – or the set-up to a joke! – read on:

Map showing timezones of Europe. The UK and Ireland are grouped (along with Iceland) in a zone labelled as being UTC+0.
The timezones of Europe look pretty simple compared to some parts of the world, but the illustration of the British Isles hides an interesting eccentricity.

A Brief History of Time (in Ireland)

Poster titled "Time (Ireland) Act 1916", advising that "On and after Sunday 1st October 1916 Western European Time will be ovserved throughout Ireland" asking people to set their clocks and watches back 35 minutes.
Spring forward, fall back… just a little bit back, though. Not too much.

After high-speed (rail) travel made mean solar timekeeping problematic, Great Britain in 1880 standardised on Greenwich Mean Time (UTC+0) as the time throughout the island, and Ireland standardised on Dublin Mean Time (UTC-00:25:21). If you took a ferry from Liverpool to Dublin towards the end of the 19th century you’d have to put your watch back by about 25 minutes. With air travel not yet being a thing, countries didn’t yet feel the need to fixate on nice round offsets in the region of one-hour (today, only a handful of regions retain UTC-offsets of half or quarter hours).

That’s all fine in peacetime, but by the First World War and especially following the Easter Rising, the British government decided that it was getting too tricky for their telegraph operators (many of whom operated out of Ireland, which provided an important junction for transatlantic traffic) to be on a different time to London.

1885 GPO telegraph instrument from the Porthcurno Telegraph Museum, which Dan almost visited the other week but it was closed.
It’s widely believed that the world’s first “U UP? [STOP]” message never got a response as a direct result of Anglo-Irish timezone confusion.
So the Time (Ireland) Act 1916 was passed, putting Ireland on Greenwich Mean Time. Ireland put her clocks back by 35 minutes and synched-up with the rest of the British Isles. And from then on, everything was simple and because nothing ever went wrong in Ireland as a result of the way it was governed by by Britain, nobody ever had to think about the question of timezones on the island again.

Ah. Hmm.

December 1920 photograph showing St Patrick's Street, Cork, following the burning of the city by British forces.
“Those Irish people want to govern their own country, do they? After we so kindly shared our king with them? Right-ho: let’s set fire to their cities and see how they feel then.”

Following Irish independence, the keeping of time carried on in much the same way for a long while, which will doubtless have been convenient for families spread across the Northern Irish border. But then came the Second World War.

Summers in the 1940s saw Churchill introduce Double Summer Time which he believed would give the UK more daylight, saving energy that might otherwise be used for lighting and increasing production of war materiel.

Ireland considered using the emergency powers they’d put in place to do the same, as a fuel saving measure… but ultimately didn’t. This was possibly because aligning her time with Britain might be seen as undermining her neutrality, but was more likely because the government saw that such a measure wouldn’t actually have much impact on fuel use (it certainly didn’t in Britain). Whatever the reason, though, Britain and Northern Ireland were again out-of-sync with one another until the war ended.

Newspaper clipping advising that "Double Summer Time comes to an end on Saturday night, August 8-9, when all clocks and watches should be put back one hour, thus reverting to British Summer Time, which will probably be maintained throughout the winter."
I like to imagine that the development of powerful computers by the folks at Bletchley Park was

From 1968 to 1971 Britain experimented with “British Standard Time” – putting the clocks forward in Summer once, to UTC+1, and then leaving them there for three years. This worked pretty well except if you were Scottish in which case you’ll have found winter mornings to be even gloomier than you were used to, which was already pretty gloomy. Conveniently: during much of this period Ireland was also on UTC+1, but in their case it was part of a different experiment. Ireland were working on joining the European Economic Community, and aligning themselves with “Paris time” year-round was an unnecessary concession but an interesting idea.

But here’s where the quirk appears: the Standard Time Act 1968, which made UTC+1 the “standard” timezone for the Republic of Ireland, was not repealed and is still in effect. Ireland could have started over in 1971 with a new rule that made UTC+0 the standard and added a “Summer Time” alternative during which the clocks are put forward… but instead the Standard Time (Amendment) Act 1971 left UTC+1 as Ireland’s standard timezone and added a “Winter Time” alternative during which the clocks are put back.

Two clocks, both showing the same time. One has a sign reading "LONDON", the other "DUBLIN, I GUESS?"
It all seems so simple until you actually think about it.

(For a deeper look at the legal history of time in the UK and Ireland, see this timeline. Certainly don’t get all your history lessons from me.)

So what?

You might rightly be thinking: so what! Having a standard time of UTC+0 and going forward for the Summer (like the UK), is functionally-equivalent to having a standard time of UTC+1 and going backwards in the Winter, like Ireland, right? It’s certainly true that, at any given moment, a clock in London and a clock in Dublin should show the same time. So why would anybody care?

Perl Data::ICal::TimeZone implementation of Dublin timezone, incorrectly showing summer DST at +1 rather than winter DST of -1.
This code for Europe/Dublin, from the Perl module Data::ICal::TimeZone, is technically-incorrect because it states that the winter time is the standard and daylight savings of +1 hour apply in the summer, rather than the opposite.

But declaring which is “standard” is important when you’re dealing with computers. If, for example, you run a volunteer rota management system that supports a helpline charity that has branches in both the UK and Ireland, then it might really matter that the computer systems involved know what each other mean when they talk about specific times.

The author of an iCalendar file can choose to embed timezone information to explain what, in that file, a particular timezone means. That timezone information might say, for example, “When I say ‘Europe/Dublin’, I mean UTC+1, or UTC+0 in the winter.” Or it might say – like the code above! – “When I say ‘Europe/Dublin’, I mean UTC+0, or UTC+1 in the summer.” Both of these declarations would be technically-valid and could be made to work, although only the first one would be strictly correct in accordance with the law.

Stressed programmer hunched over a MacBook. Photo by Anna Shvets from Pexels.
Clients who need solid timezone support represent 50% of a programmer’s production of stress hormones. See also Falsehoods Programmers Believe About Time.

But if you don’t include timezone information in your iCalendar file, you’re relying  on the feed subscriber’s computer (e.g. their calendar software) to make a sensible interpretation.. And that’s where you run into trouble. Because in cases like Ireland, for which the standard is one thing but is commonly-understood to be something different, there’s a real risk that the way your system interprets and encodes time won’t necessarily be the same as the way somebody else’s does.

If I say I’ll meet you at 12:00 on 1 January, in Ireland, you rightly need to know whether I’m talking about 12:00 in Irish “standard” time (i.e. 11:00, because daylight savings are in effect) or 12:00 in local-time-at-the-time-of-the-meeting (i.e. 12:00). Humans usually mean the latter because we think in terms of local time, but when your international computer system needs to make sure that people are on a shift at the same time, but in different timezones, it needs to be very clear what exactly it means!

And when your daylight savings works “backwards” compared to everybody else’s… that’s sure to make a developer somewhere cry. And, possibly, blog about your weird legislation.

Dan Q performed maintenance for GC8W7QW Forgotten Bridge

This checkin to GC8W7QW Forgotten Bridge reflects a geocaching.com log entry. See more of Dan's cache logs.

The rain finally stopped this afternoon so I figured I’d take my next Zoom meeting outdoors with me and stretch my legs while I talked to work colleagues. And so I went, selfie-stick ahead of me and chatting to teammates in New York and Florence (what a world we live in!), out for a ramble and soon remembered that I was carrying Duck Race / Mustache Pink, a travel bug I’d picked up near Lands End this weekend. So I diverted my walk to come and check up on this cache (it’s looking fine!) and drop off the TB for the next leg of its journey!

Geocacher with a selfie-stick

Map of 51.7652,-1.390367

Dan Q couldn’t find GC1VQ7G Pooh Sticks Bridge

This checkin to GC1VQ7G Pooh Sticks Bridge reflects a geocaching.com log entry. See more of Dan's cache logs.

Coordinates brought me exactly to a tree that would match the hint… except for the fact that it’s been recently felled! (Picture attached.) No sign of cache, and anything else nearby that would fit the hint is on very-clearly-private land, so I’m concerned this cache might have vanished. :-(

Cheered myself up with a quick game of pooh sticks. I won, but that’s to be expected when you play solo.

Map of 51.6546,-2.443

Dan Q found GC5J6JR Would you believe another Almost Motorway Mayhem?

This checkin to GC5J6JR Would you believe another Almost Motorway Mayhem? reflects a geocaching.com log entry. See more of Dan's cache logs.

Stopped at the nearby services on a long journey from dropping my partner’s brother and his boat off Lands End (I can just about see my car from near the GZ: photo attached) for a hot drink and to remotely participate in a work meeting. Meeting’s not starting yet so I walked out the services’ staff exit and came up here to find this cache. Easy find, TFTC.

Map of 51.652383,-2.436317

Dan Q found GC4NTRC Motorway Mayhem M5 Michaelwood Northbound

This checkin to GC4NTRC Motorway Mayhem M5 Michaelwood Northbound reflects a geocaching.com log entry. See more of Dan's cache logs.

Stopped at the services on my way back to Oxford from Lands End, where I was dropping my partner’s brother and his skiff into the sea to begin his attempt to row the length of the UK! The boat trailer is wobbling in a curious way so I’ve been driving extra carefully, so it’s been a long journey so far (and I’ve still got the A40 to tackle!) so the opportunity for a break is a welcome one.

Cache was easy to sight – with the hint – and stealthing around the nearby truckers wasn’t hard, but prickly plants made retrieving the container a little challenging. Wish I’d brought gloves! SL, TFTC.

Map of 51.656333,-2.43345

Dan Q found GCYK2M Got A Light Boy ? Longships Lighthouse

This checkin to GCYK2M Got A Light Boy ? Longships Lighthouse reflects a geocaching.com log entry. See more of Dan's cache logs.

I just launched my partner’s brother – shown in free attached picture – out in his rowboat to begin his attempt to row from Land’s End to John O’ Groats. Naturally this first involves rowing South, around the headland and past the lighthouse, to get to Land’s End! So I came up the hill to watch him get started. And while I was at it, I figured I’d find this cache! Took travel bug. TFTC!

Robin rows away from Sennen Cove and towards St. Ives

Map of 50.07555,-5.705467

Dan Q found GC6VG1N “BOSISTOW FARM”

This checkin to GC6VG1N "BOSISTOW FARM" reflects a geocaching.com log entry. See more of Dan's cache logs.

I arrived yesterday at nearby Raftra Farm for a weekend, mostly to launch my partner’s brother into the sea to begin his attempt to row from Land’s End to John O’ Groats (making use of inland waterways as much as possible). After a bit of a lie-in this morning, I came out for a brief walk and to find this geocache. Probably this’ll be a highlight of my day, as much of the rest of it will be dominated by catching up on the work I didn’t get done yesterday (during the drive down here from Oxford), at least until the afternoon tide turns which is when we’re doing the first launch!

Easy to find cache hidden in the most likely location – I maintain one just like this near my old house North of Oxford! TFTC.

Dan, on a country lane in Cornwall, in front of a bright blue sky, waves to the camera.

Map of 50.05335,-5.670867

Dan Q found GC5VXQ3 Motorway Mayhem – M5 – Gloucester Services (South)

This checkin to GC5VXQ3 Motorway Mayhem - M5 - Gloucester Services (South) reflects a geocaching.com log entry. See more of Dan's cache logs.

A quick and easy find (though I was glad of the hint when I approached the obstacle at the GZ) while travelling from Oxford to Cornwall to dump my partner’s brother in the sea for the start of his personal challenge to row the length of the UK. (Photo of our boat in tow attached!)

Arthur (red car) and Lucy (rowboat in tow) parked at a service station alongside caravans and HGVs

Map of 51.818183,-2.22145

Dan Q posted a note for GC90RH3 Tiny Log Book

This checkin to GC90RH3 Tiny Log Book reflects a geocaching.com log entry. See more of Dan's cache logs.

I was in the area anyway so, following a recent DNF, I checked up on this cache. It’s in perfect condition (though I did have to empty a woodlouse out of the outer cache container) and ready to find (previous logger was probably looking in the wrong place: there’s no risk of touching a stinging plant to get this cache!).

Map of 51.757567,-1.40085

Using every car parking space in a supermarket car park

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

For the last six years I’ve kept a spreadsheet listing every parking spot I’ve used at the local supermarket in a bid to park in them all. This week I completed my Magnum Opus! A thread.

I live in Bromley and almost always shop at the same Sainsbury’s in the centre of town, here’s a satellite view of their car park. It’s a great car park because you can always get a space and it is laid out really well. Comfortably in my top 5 Bromley car parks.

After quite a few years of going each week I started thinking about how many of the different spots I’d parked in and how long it would take to park in them all. My life is one long roller coaster.

A glorious story from a man with the kind of dedication that would have gotten him far in CNPS back in the day (I wonder if Claire ever got past 13 points…).

This is the kind of thing that I occasionally consider adding to the list of mundane shit I track about my life. But then I start thinking about the tracking infrastructure and I end up adding far more future-proofing than I intend: I start thinking about tracking how often my hayfever causes me problems so I can correlate it to the time and the location data I already record to work out which tree species’ pollen affects me the most. Or tracking a variety of mood metrics so I can see if, as I’ve long suspected, the number of unread emails in my inboxen negatively correlates to my general happiness.

Measure all the things!

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

Moxie Marlinspike (Signal)

Recently Moxie, co-author of the Signal Protocol, came into possession of a Cellebrite Extraction Device (phone cracking kit used by law enforcement as well as by oppressive regimes who need to clamp down on dissidents) which “fell off a truck” near him. What an amazing coincidence! He went on to report, this week, that he’d partially reverse-engineered the system, discovering copyrighted code from Apple – that’ll go down well! – and, more-interestingly, unpatched vulnerabilities. In a demonstration video, he goes on to show that a carefully crafted file placed on a phone could, if attacked using a Cellebrite device, exploit these vulnerabilities to take over the forensics equipment.

Obviously this is a Bad Thing if you’re depending on that forensics kit! Not only are you now unable to demonstrate that the evidence you’re collecting is complete and accurate, because it potentially isn’t, but you’ve also got to treat your equipment as untrustworthy. This basically makes any evidence you’ve collected inadmissible in many courts.

Moxie goes on to announce a completely unrelated upcoming feature for Signal: a minority of functionally-random installations will create carefully-crafted files on their devices’ filesystem. You know, just to sit there and look pretty. No other reason:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

That’s just beautiful.

Tips for Text-based Interviews

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Since joining the hiring team at Automattic in the fall of 2019, I’ve noticed different patterns and preferences on text-based interviews. Some of these are also general interviewing tips.

  1. Send shorter messages
  2. Avoid Threads if possible
  3. Show your thought process
  4. Don’t bother name dropping
  5. Tell the story
  6. It’s not that different

Fellow Automattician Jerry Jones, whose work on accessibility was very useful in spearheading some research by my team, earlier this year, has written a great post about interviewing at Automattic or, indeed, any company that’s opted for text-based interviews. My favourite hosting company uses these too, and I’ve written about my experience of interviewing at Automattic, but Jerry’s post – which goes into much more detail than just the six highlight points above, is well worth a look if you ever expect to be on either side of a text-based interview.