Blog

The 500-Year-Long Science Experiment

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The 500-Year-Long Science Experiment (The Atlantic)
In 2014, microbiologists began a study that they hope will continue long after they’re dead.

In the year 2514, some future scientist will arrive at the University of Edinburgh (assuming the university still exists), open a wooden box (assuming the box has not been lost), and break apart a set of glass vials in order to grow the 500-year-old dried bacteria inside. This all assumes the entire experiment has not been forgotten, the instructions have not been garbled, and science—or some version of it—still exists in 2514.

This is a biology experiment that’s planned to run for half a millenium. How does one even make such a thing possible?

Thinking about the difficulties in constructing a message that may be understood for generations into the future reminds me of the work done on a possible marking system for nuclear waste disposal (which would need to continue to carry the message that a place is dangerous for ten thousand years).

This kind of philosophical thinking may require further work, though, if we’re ever to send spacecraft on interstellar journeys: another kind of “long” experiment. How might we preserve the records of what we’ve done, so that our descendants have the opportunity to continue our work, in a way that promotes the iterative translation and preservation of the messages that are required to support it? For example: if an experiment is to be understandable if rediscovered after a hypothetical future dark age, what precautions do we need to take today?

Why do book spines have the titles printed the way they do?

Have you noticed how the titles printed on the spines of your books are all, for the most part, oriented the same way? That’s not a coincidence.

Illustration of a chained library
If you can’t see the spines of your books at all, perhaps you’re in a library and it’s the 17th century. Wait: how are you on the Internet?

ISO 6357 defines the standard positioning of titles on the spines of printed books (it’s also codified as British Standard BS6738). If you assume that your book is stood “upright”, the question is one of which way you tilt your head to read the title printed on the spine. If you tilt your head to the right, that’s a descending title (as you read left-to-right, your gaze moves down, towards the surface on which the book stands). If you tilt your head to the left, that’s an ascending title. If you don’t need to tilt your head in either direction, that’s a transverse title.

ISO 6357:1985 page illustrating different standard spine title alignments.
Not every page in ISO 6357:1985 is as exciting as this one.

The standard goes on to dictate that descending titles are to be favoured: this places the title in a readable orientation when the book lays flat on a surface with the cover face-up. Grab the nearest book to you right now and you’ll probably find that it has a descending title.

Books on a shelf.
This eclectic shelf includes a transverse title (the Holy Bible), a semi-transverse title (The Book of English Magic) and a rare ascending title (A First Dictionary) among a multitude of descending titles.

But if the book is lying on a surface, I can usually read the cover of the book. Only if a book is in a stack am I unable to do so, and stacks are usually relatively short and so it’s easy enough to lift one or more books from the top to see what lies beneath. What really matters when considering the orientation of a spine title is, in my mind, how it appears when it’s shelved.

It feels to me like this standard’s got things backwards. If a shelf of anglophone books is organised into any kind of order (e.g. alphabetically) then it’ll usually be from left to right. If I’m reading the titles from left to right, and the spines are printed descending, then – from the perspective of my eyes – I’m reading from bottom to top: i.e. backwards!

It’s possible that this is one of those things that I overthink.

Facebook to integrate WhatsApp, Instagram and Messenger

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Facebook plans to integrate its messaging services on Instagram, WhatsApp and Facebook Messenger.

While all three will remain stand-alone apps, at a much deeper level they will be linked so messages can travel between the different services.

Facebook told the BBC it was at the start of a “long process”.

The plan was first reported in the New York Times and is believed to be a personal project of Facebook founder Mark Zuckerberg.

Once complete, the merger would mean that a Facebook user could communicate directly with someone who only has a WhatsApp account. This is currently impossible as the applications have no common core.

The work to merge the three elements has already begun, reported the NYT, and is expected to be completed by the end of 2019 or early next year.

Facebook-looking-dodgy in the news again this week (previously) with the news that they plan to integrate Instagram and WhatsApp into their central platform. They’re selling the upsides of this, such as that Facebook and WhatsApp users will be able to communicate with one another without switching to a different tool, but privacy advocates are understandably concerned: compared to Facebook, WhatsApp provides a reasonable level of anonymity. It also seems likely that this move may be an effort to preempt antitrust suits forcing Facebook’s property portfolio to be kept separate.

But even without those concerns, there are smaller but just-as-real, more-insidious privacy risks from this integration. With a very minor change to their terms and conditions about the use of the WhatsApp app Facebook can start performing even more-sophisticated big-data mining on the types of interpersonal relationships that they’re known to enjoy (let’s not forget that this is the company whose app will, left-unchecked, mine your mobile phone book to find friends-in-common that you have with other people, even if that friend-in-common doesn’t use Facebook!). With WhatsApp’s treasure trove of metadata, Facebook can determine who you talk to and, from where, and with what frequency: by technical necessity, none of this metadata is protected by WhatsApp’s end-to-end encryption. Similarly, they can determine what “groups” you participate in. This easily supports the “shadow profiles” they maintain which tell them far more about your life and interests than your mere Facebook profile alone does.

I for one will be watching WhatsApp with care and dropping it if it looks likely to “turn evil”. It’s not as though there aren’t (arguably better) alternatives, such as Signal (which I already use as my primary mobile text messaging system) and Riot.

Facebook may have known it was defrauding children and families through its online games

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Internal documents appear to show that Facebook knew it was defrauding children and families through its ecosystem of online games as early as 2011. Employees even had a name for the practice, which they dubbed “friendly fraud,” or FF for short. More damning, related documents show that Facebook employees had found a way to stop the fraud from happening, but the social media giant prioritized revenue instead.

Unshocker as internal memo at Facebook shows that they not only knew that kids were taking advantage of their parents’ credit card details being retained by Facebook-hosted freemium games to allow them to continue to make purchases, but that they specifically instructed their developers to make it as easy as possible for people to fall into this trap. Common industry practices like requiring selected card digits for additional purchases were not implemented specifically to help ensure that kids could more-easily go wild with their parents’ bank accounts.

Partner’s husband dropped car at garage.
Garage calls me to say it’s ready.

“My partner will pick it up,” I say.
“The other guy said his wife would pick it up?” they reply.

Pause.

“Yeah, that’s right.”

#awkward #polyamory #moment

Dropgangs, or the future of darknet markets

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The Internet is full of commercial activity and it should come at no surprise that even illegal commercial activity is widespread as well. In this article we would like to describe the current developments – from where we came, where we are now, and where it might be going – when it comes to technologies used for digital black market activity.

The other major change is the use of “dead drops” instead of the postal system which has proven vulnerable to tracking and interception. Now, goods are hidden in publicly accessible places like parks and the location is given to the customer on purchase. The customer then goes to the location and picks up the goods. This means that delivery becomes asynchronous for the merchant, he can hide a lot of product in different locations for future, not yet known, purchases. For the client the time to delivery is significantly shorter than waiting for a letter or parcel shipped by traditional means – he has the product in his hands in a matter of hours instead of days. Furthermore this method does not require for the customer to give any personally identifiable information to the merchant, which in turn doesn’t have to safeguard it anymore. Less data means less risk for everyone.

The use of dead drops also significantly reduces the risk of the merchant to be discovered by tracking within the postal system. He does not have to visit any easily to surveil post office or letter box, instead the whole public space becomes his hiding territory.

From when I first learned about the existence of The Silk Road and its successors – places on the dark web where it’s possible to pseudo-anonymously make illicit purchases of e.g. drugs, weapons, fake ID and the like in exchange for cryptocurrencies like Bitcoin – it always seemed to me that the weak point was that the “buyer” had to provide their postal address to the “seller”. While there have, as this article describes, been a number of arrested made following postal inspections (especially as packages cross administrative boundaries), the bigger risk I’d assume that this poses to the buyer is that they must trust the seller (who is, naturally, a bigger and more-interesting target) to appropriately secure and securely-destroy that address information. In the event of a raid on a seller – or, indeed, law enforcement posing as a seller in a sting operation – the buyer is at significant risk.

That risk may not be huge for Johnny Pothead who wants to buy an ounce of weed, but it rapidly scales up for “middleman” distributors who buy drugs in bulk, repackage, and resell either on darknet markets or via conventional channels: these are obvious targets for law enforcement because their arrest disrupts the distribution chain and convictions are usually relatively easy (“intent to supply” can be demonstrated in many jurisdictions by the volume of the product in which they’re found to be in possession). A solution to this problem, for drug markets at least, with the fringe benefit of potentially faster-deliveries is pre-established dead drops (the downside, of course, is a more-limited geographical coverage and the risk of discovery by a non-purchaser, but the latter of these can at least be mitigated), and it’s unsurprising to hear that this is the direction in which the ecosystem is moving. And once you, Jenny Drugdealer, are putting that kind of infrastructure in place anyway, you might as well extend it to your regular clients too. So yeah: not surprising to see things moving in this direction.

I recall that some years ago, a friend whom I’m introduced to geocaching accidentally ran across a dead drop (or a stash) while hunting for a ‘cache that was hidden in the same general area. The stash was of clearly-stolen credit cards, and of course she turned it in to the police, but I think it’s interesting that these imaginative digital-era drug dealers, in trying to improve upon a technique popularised by Cold War era spies by adding the capacity for long-time concealment of dead drops, are effectively re-inventing what the geocaching community has been doing for ages.

What will they think of next? I’m betting drones.

Vasectomy

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Oh Joy Sex Toy - Vasectomy

This comic from the fabulous Oh Joy Sex Toy folks gives a pretty good explanation of vasectomy that mirrors my experience (part one, part two)… except for the fact that I didn’t have this dude’s anxiety issue and was instead (according to the surgeon) “creepily interested” in the nitty-gritty of what he was up to!

RFC-20

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The choice of this encoding has made ASCII-compatible standards the language that computers use to communicate to this day.

Even casual internet users have probably encountered a URL with “%20” in it where there logically ought to be a space character. If we look at this RFC we see this:

   Column/Row  Symbol      Name

   2/0         SP          Space (Normally Non-Printing)

Hey would you look at that! Column 2, row 0 (2,0; 20!) is what stands for “space”. When you see that “%20”, it’s because of this RFC, which exists because of some bureaucratic decisions made in the 1950s and 1960s.

Darius Kazemi is reading a single RFC every day throughout 2019 and writing up his understanding as to the content and importance of each. It’s good reading if you’re “into” RFCs and it’s probably pretty interesting if you’re just a casual Internet historian.

Evaluating the GCHQ Exceptional Access Proposal

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

In a blog post, cryptographer Matthew Green summarized the technical problems with this GCHQ proposal. Basically, making this backdoor work requires not only changing the cloud computers that oversee communications, but it also means changing the client program on everyone’s phone and computer. And that change makes all of those systems less secure. Levy and Robinson make a big deal of the fact that their backdoor would only be targeted against specific individuals and their communications, but it’s still a general backdoor that could be used against anybody.

The basic problem is that a backdoor is a technical capability — a vulnerability — that is available to anyone who knows about it and has access to it. Surrounding that vulnerability is a procedural system that tries to limit access to that capability. Computers, especially internet-connected computers, are inherently hackable, limiting the effectiveness of any procedures. The best defense is to not have the vulnerability at all.

Lest we ever forget why security backdoors, however weasely well-worded, are a terrible idea, we’ve got Schneier calling them out. Spooks in democratic nations the world over keep coming up with “innovative” suggestions like this one from GCHQ but they keep solving the same problem, the technical problem of key distribution or key weakening or whatever it is that they want to achieve this week, without solving the actual underlying problem which is that any weakness introduced to a secure system, even a weakness that was created outwardly for the benefit of the “good guys”, can and eventually will be used by the “bad guys” too.

Furthermore: any known weakness introduced into a system for the purpose of helping the “good guys” will result in the distrust of that system by the people they’re trying to catch. It’s pretty trivial for criminals, foreign agents and terrorists to switch from networks that their enemies have rooted to networks that they (presumably) haven’t, which tends to mean a drift towards open-source security systems. Ultimately, any backdoor that gets used in a country with transparent judicial processes becomes effectively public knowledge, and ceases to be useful for the “good guys” any more. Only the non-criminals suffer, in the long run.

Sigh.

The Route of a Text Message

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

With each tap, a small electrical current passes from the screen to her hand. Because electricity flows easily through human bodies, sensors on the phone register a change in voltage wherever her thumb presses against the screen. But the world is messy, and the phone senses random fluctuations in voltage across the rest of the screen, too, so an algorithm determines the biggest, thumbiest-looking voltage fluctuations and assumes that’s where she intended to press.

Figure 0. Capacitive touch.

So she starts tap-tap-tapping on the keyboard, one letter at a time.

I-spacebar-l-o-v-e-spacebar-y-o-u.

I’ve long been a fan of “full story” examinations of how technology works. This one looks and the sending and receipt of an SMS text message from concept through touchscreen, encoding and transmission, decoding and display. It’s good to be reminded that whatever technology you build, even a “basic” Arduino project, a “simple” website or a “throwaway” mobile app, you’re standing on the shoulders of giants. Your work sits atop decades or more of infrastructure, standards, electronics and research.

Sometimes it feels pretty fragile. But mostly it feels like magic.

CSS-driven console graphics

If you’re reading this post via my blog and using a desktop computer, try opening your browser’s debug console (don’t worry; I’ll wait). If you don’t know how, here’s instructions for Firefox and instructions for Chrome. Other browsers may vary. You ought to see something like this in your debugger:

Debug console on DanQ.me showing Dan's head and a speech bubble.
I’m in your console, eating your commands!

What sorcery is this?

The debug console is designed to be used by web developers so that they can write Javascript code right in their browser as well as to investigate any problems with the code run by a web page. The web page itself can also output to the console, which is usually used for what I call “hello-based debugging”: printing out messages throughout a process so that the flow and progress can be monitored by the developer without having to do “proper” debugging. And it gets used by some web pages to deliver secret messages to any of the site users who open their debugger.

Facebook console messaging advising against the use of the console.
Facebook writes to the console a “stop” message, advising against using the console unless you know what you’re doing in an attempt to stop people making themselves victims of console-based social engineering attacks.

Principally, though, the console is designed for textual content and nothing else. That said, both Firefox and Chrome’s consoles permit the use of CSS to style blocks of debug output by using the %c escape sequence. For example, I could style some of a message with italic text:

>> console.log('I have some %citalic %ctext', 'font-style: italic;', '');
   I have some italic text

Using CSS directives like background, then, it’s easy to see how one could embed an image into the console, and that’s been done before. Instead, though, I wanted to use the lessons I’d learned developing PicInHTML 8¾ years ago to use text and CSS (only) to render a colour picture to the console. First, I created my template image – a hackergotchi of me and an accompanying speech bubble, shrunk to a tiny size and posterised to reduce the number of colours used and saved as a PNG.

Hackergotchi of Dan with a speech bubble, "squashed".
The image appears “squashed” to compensate for console monospace letters not being “square”.

Next, I wrote a quick Ruby program, consolepic.rb, to do the hard work. It analyses each pixel of the image and for each distinct colour assigns to a variable the CSS code used to set the background colour to that colour. It looks for “strings” of like pixels and combines them into one, and then outputs the Javascript necessary to write out all of the above. Finally, I made a few hand-tweaks to insert the text into the speech bubble.

The resulting output weighs in at 31.6kB – about a quarter of the size of the custom Javascript on the frontend of my site and so quite a bit larger than I’d have liked and significantly less-efficient than the image itself, even base64-encoded for embedding directly into the code, but that really wasn’t the point of the exercise, was it? (I’m pretty sure there’s significant room for improvement from a performance perspective…)

Scatmania.org in 2012
I’ll be first to admit it’s not as cool as the “pop-up Dan” in the corner of my 2012 design. You might enjoy my blog post about my 20 years of blogging or the one about how “pop-up Dan” worked.

What it achieved was an interesting experiment into what can be achieved with Javascript, CSS, the browser console, and a little imagination. An experiment that can live here on my site, for anybody who looks in the direction of their debugger, for the foreseeable future (or until I get bored of it). Anybody with any more-exotic/silly ideas about what this technique could be used for is welcome to let me know!

Security Checklist

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Be safe on the internet.

An open source checklist of resources designed to improve your online privacy and security. Check things off to keep track as you go.

I’m pretty impressed with this resource. It’s a little US-centric and I would have put the suggestions into a different order, but many of the ideas on it are very good and are presented in a way that makes them accessible to a wide audience.

Dan Q posted a note for GC5J655 GO Active Cutteslowe and Sunnymead Park

This checkin to GC5J655 GO Active Cutteslowe and Sunnymead Park reflects a geocaching.com log entry. See more of Dan's cache logs.

  1. CO hasn’t logged in in almost 3 years.
  2. Long string of DNFs.
  3. No finds in 8 months.
  4. During that time I’ve repeatedly tried to contact CO both through this site and through Go Active Oxfordshire (to report this as probably-missing and to volunteer to help with its future maintenance if they want to bring it back to life), but never received a response.

I strongly suspect that this cache is abandoned by the organisation that set it up. I’m reaching out to them today, one last time, but if they don’t respond then I suggest that this be considered for archiving by an administrator.

Map of 51.789567,-1.258683