Articles – Page 2

Fake Herons

I saw a heron this morning, and it reminded me of a police officer.

A juvenile grey heron wades along a muddy stream bank. — If you plot a pair of axes for birds ‘looking really dorky, especially when flying’ and ‘actually being really cool’, the grey heron would sit at the sweet spot.

Right now, while my house is… not-so-inhabitable… I have a long drive to drop the kids off at school, and this morning it took us alongside the many flooded fields between our temporary accommodation and the various kid drop-offs.

Stopped at traffic lights, I watched a heron land in what would be best-described as a large puddle, rather than in the lake on the other side of the road. The lake, it turns out… was “guarded” by one of those fake heron things.

You’ve seen them, probably. People put them up to discourage territorial birds from visiting and eating all their fish.² If you haven’t seen them, you might have at least spotted the fake owls, whose purpose is slightly different because they scare off other birds.

Anyway: I found myself thinking… do birds actually fall for this? Like scarecrows, it feels like they shouldn’t (and indeed, scarecrows don’t always work, and birds can quickly become accustomed to them). But clearly they work at least a little…?

A fake plastic owl 'perched' atop a wooden electricity pylon. — If you don’t want birds, get a pretend bird. The same trick works for girlfriends.

Anyway, I found myself reminded of a geocaching expedition I went on outside Cambridge a couple of years ago. At around 6am I was creeping around outside a shopping centre on a Saturday morning, looking for a tiny magnetic geocache hidden behind a sign. I’d anticipated not having to use much “stealth” so early in the day… but nonetheless I kept getting the feeling that I was being watched.

It took me a few minutes until I worked out why: the local Home Bargains had put up a life-size standee of a police officer in just the right position that I kept catching him in the corner of my eye and second-guessing how much my digging-through-the-bushes looked incredibly suspicious!

I did a double-take the first time I spotted the officer, but soon realised he was fake. But the feeling of being watched persisted! There’s clearly something deeper in human psychology, more-instinctive, that – as social animals – gives us that feeling of being watched and influences our behaviour.

There’s a wonderful and much-cited piece of research from 2010 that describes how cooperative behaviour like proper use of an honesty box increases if you put a picture of some eyes above it: the mechanism’s not fully understood, but it’s speculated that it’s because it induces the feeling of being watched.

A mannequin wears a high-vis jacket and holds a fishing rod, standing in the rushes of a lake. — I found this picture of a *fake angler* (this is a mannequin with a fishing pole!), which I guess is also an anti-heron measure.⁴ Photograph copyright Andy Beecroft, used under a Creative Commons license.

I reckon it’s similar with birds. They’re not stupid (some of them, like corvids, are famously smart… and probably many predator birds exhibit significant intelligence too), but if there’s something in your peripheral vision that puts you at unease… then of course you’re not going to be comfortable! And if there’s another option nearby⁵ that’ll work, that’s an easy win for a hungry bird.

You don’t need to actually believe that a scarecrow, a plastic bird, a poster of some eyes, or a picture of a bobby is real in order for it to have a psychological impact. That’s why – I believe – a fake heron works. And that’s why, today, a heron reminded me of a police officer.

Footnotes

¹ I guess actual herons can’t tell the difference?

² Presumably the same technique doesn’t work with sociable birds, who would probably turn up to try to befriend or woo the models.

³ I don’t know, but I do wonder, whether the picture is actually of a police officer or of a model. If I were a police officer and I knew that my likeness was being used at supermarkets and the like, I’d be first to volunteer to any call-outs to anywhere nearby them, so any suspect who ran from me would keep spotting me, following them, at every corner. You get few opportunities for pranks as a copper, I reckon, but this one would be a blast.

⁴ I wonder if a fake angler is more- or less-effective than a fake heron. Somewhere, an animal psychology PhD student is working out the experimental conditions to answer this question, I hope.

⁵ Remember: a bird can have a birds-eye view of feeding spots! If one option’s gonna make them feel like they’re being watched by a predator or a competitor, and another nearby option looks almost-as-good, they’re gonna take the alternative!

Hello World by Hannah Fry

I’m not certain, but I think that I won my copy of Hello World: How to Be Human in the Age of the Machine at an Oxford Geek Nights event, after I was first and fastest to correctly identify a photograph of Stanislav Petrov shown by the speaker.

Despite being written a few years before the popularisation of GenAI, the book’s remarkably prescient on the kinds of big data and opaque decision-making issues that are now hitting the popular press. I suppose one might argue that these issues were always significant. (And by that point, one might observe that GenAI isn’t living up to its promises…)

Fry spins an engaging and well-articulated series of themed topics. If you didn’t already have a healthy concern about public money spending and policy planning being powered by the output of proprietary algorithms, you’ll certainly finish the book that way.

One of my favourite of Fry’s (many) excellent observations is buried in a footnote in the conclusion, where she describes what she called the “magic test”:

There’s a trick you can use to spot the junk algorithms. I like to call it the Magic Test. Whenever you see a story about an algorithm, see if you can swap out any of the buzzwords, like ‘machine learning’, ‘artificial intelligence’ and ‘neural network’, and swap in the word ‘magic’. Does everything still make grammatical sense? Is any of the meaning lost? If not, I’d be worried that it’s all nonsense. Because I’m afraid – long into the foreseeable future – we’re not going to ‘solve world hunger with magic’ or ‘use magic to write the perfect screenplay’ any more than we are with AI.

That’s a fantastic approach to spotting bullshit technical claims, and I’m totally going to be using it.

Anyway: this was a wonderful read and I only regret that it took me a few years to get around to it! But fortunately, it’s as relevant today as it was the day it was released.

6-12 Months

The insurance loss adjusters came around this morning, accompanied by damage assessors and electricians and whatnot.

The process continues to feel painfully slow. We’re still one to two weeks from confirmation that the insurance company will accept liability and be ready to start paying for, y’know, the immediate concerns like where we’re going to live.

“How long should we plan on renting another house to live in?” I asked, warily.

“Six to twelve months?” guessed the loss adjusters.

Erk! 😭

Run your own WireGuard VPN

With the news that the British government are considering requiring identity checks for age verification before allowing people to use VPNs, it’s time for my periodic reminder that you don’t have to use a “VPN provider” to use a VPN¹.

As I’ll demonstrate, it’s surprisingly easy to spin up your own VPN provider on a virtual machine hosted by your choice of the cloud providers. You pay for the hours you need it², and then throw it away afterwards.

Today, I’ll be using Linode to host my “throwaway” VPN provider for a price of USD $0.0075 per hour ($5/month if I ran it full-time), using a Linode StackScript I created for this purpose.

If you’d prefer to use GCP, AWS Azure, or whomever else you like: all you need is a Debian 13 VM with a public IP address (the cheapest one available is usually plenty!) and this bash script.

Screenshot from Linode's Web interface, showing my StackScript and indicating the location of the Deploy New Linode button. — If you prefer the command-line, Linode’s got an API. But we’re going for ‘easy’ today, so it’ll all be clicking buttons and things.

First, spin up a VM and run my script³. If you’re using Linode, you can do this by going to my StackScript and clicking ‘Deploy New Linode’.

Linode configuration screenshot with the key options highlighted as described below. — You might see more configuration options than this, but you can ignore them.

Choose any region you like (I’m putting this one in Paris!), select the cheapest “Shared CPU” option – Nanode 1GB – and enter a (strong!) root password, then click Create Linode.

It’ll take a few seconds to come up. Watch until it’s running.

My script automatically generates configuration for your local system. Once it’s up and running you can use the machine’s IP address to download wireguard.conf locally. For example, if your machine has the IP address 172.239.9.151, you might type scp -o StrictHostKeyChecking=no root@172.239.9.151:wireguard.conf ./ – note that I disable StrictHostKeyChecking so that my computer doesn’t cache the server’s SSH key (which feels a bit pointless for a “throwaway” VM that I’ll never connect to a second time!).

If you’re on Windows and don’t have SSH/SCP, install one. PuTTY remains a solid choice.

File doesn’t exist? Give it a minute and try again; maybe my script didn’t finish running yet! Still nothing? SSH into your new VM and inspect stackscript.log for a complete log of all the output from my script to see what went wrong.

Open up WireGuard on your computer, click the “Import tunnel(s) from file” button, and give it the file you just downloaded.

You can optionally rename the new connection. Or just click “Activate” to connect to your VPN!

You can test your Internet connection is being correctly routed by your VPN by going to e.g. icanhazip.com or ipleak.net: you should see the IP address of your new virtual machine and/or geolocation data that indicates that you’re in your selected region.

When you’re done with your VPN, just delete the virtual machine. Many providers use per-minute or even per-second fractional billing, so you can easily end up spending only a handful of cents in order to use a VPN for a reasonable browsing session.

When you’re done, just disconnect and – if you’re not going to use it again immediately – delete the virtual machine so you don’t have to pay for it for a minute longer than you intend⁴.

I stopped actively paying for VPN subscriptions about a decade ago and, when I “need” the benefits of a VPN, I’ve just done things like what I’ve described above. Compared to a commercial VPN subscription it’s cheap, (potentially even-more) private, doesn’t readily get “detected” as a VPN by the rare folks who try to detect such things, and I can enjoy my choice of either reusable or throwaway IP addresses from wherever I like around the globe.

And if the government starts to try to age-gate commercial VPNs… well then that’s just one more thing going for my approach, isn’t it?

Footnotes

¹ If you’re a heavy, “always-on” VPN user, you might still be best-served by one of the big commercial providers, but if you’re “only” using a VPN for 18 hours a day or less then running your own on-demand is probably cheaper, and gives you some fascinating benefits.

² Many providers have coupons equivalent to hundreds of hours of free provision, so as long as you’re willing to shuffle between cloud providers you can probably have a great and safe VPN completely for free; just sayin’.

³ Obviously, you shouldn’t just run code that strangers give you on the Internet unless you understand it. I’ve tried to make my code self-explanatory and full of comments so you can understand what it does – or at least understand that it’s harmless! – but if you don’t know and trust me personally, you should probably use this as an excuse to learn what you’re doing. In fact, you should do that anyway. Learning is fun.

⁴ Although even if you forget and it runs for an entire month before your billing cycle comes up, you’re out, what… $5 USD? Plenty of commercial VPN providers would have charged you more than that!

F-Day plus 3

It feels inconceivable to me that we’re only at F-Day plus three; that is, three days since a flash flood rushed through the ground floor of our house and forced us to evacuate. We’ve been able to visit since and start assessing the damage, but for now I figured that what you’d want would be the kinds of horrible pictures that make you say “wow; I’m glad that didn’t happen to me”.

These pictures are all from F-Day itself (which happened to be Friday the 13th; delightful, eh?):

A particularly horrifying moment was when the seals on the patio doors gave way and the dining room began to flood, and we had to pivot to laying sandbags to protect the kitchen from the dining room rather than to protect the house as a whole. (Eventually, every ground floor room would be affected.)

We’ve had a few nights in Premier Inns, but it’s a new week and it’s time to hassle the insurance company to come and have a look around. And then, maybe, we can start working out where we’ll live so the repair work can start.

Ugh.

The calm after the storm

This morning, from my Premier Inn window, the skies are clear. I could almost forget that, just 4 miles away, my house is full of water.

Today may well be a day of waders and damage assessment, conversations with insurance companies and of working out where we’ll be living for the near future.

But strangely, what’s thrown me first this morning was that I couldn’t make this post submit.

Turns out my crosspost-to-mastodon checkbox was checked. Because my Mastodon server… runs on my homelab. Which is currently unplugged and in one of the highest rooms of a house with no electricity or Internet access. (Or, probably, running water… although that matters less to a homelab.)

I think I moved it before it got wet, but yesterday is such a blur that I just don’t know. I remember we spent some time fighting back the water with sandbags and barricades. I remember the moments each room began to fail, one by one, and we started moving whatever we could carry to higher floors (max props to folks from Eynsham Fire Bridade for helping with the heavy stuff). But if you ask me what order we rescued things in, I just don’t know.

I guess we’ll find out when the waters recede, and it’s safe to go check.

Fucking hell.

LGBT+ History Month

It’s February, which means that (here in the UK) it’s LGBT+ History Month.¹ And it feels like this year, it’s more important than ever to remember our country’s queer history.

In 2015, the UK was ranked first place in ILGA Europe‘s annual “Rainbow Map” study of LGBT rights in 50 countries of Europe. By 2025, the UK had fallen to 22nd place. That’s the fastest drop of any country in the list, tied with Hungary² and Georgia³.

'Rainbow Map' of Europe. In general, the trend is that the further East you go, the weaker LGBT+ rights are, with Russia and Turkey being the worst, and the further West the better they get (with Belgium and Iceland excelling). There are a few exceptions, like Italy (less rights than you'd expect) and Greece (more rights than you'd expect), as well as standout Malta (topping the charts), but otherwise the trend is solid... except for the UK, which stands out as a weak performer in Western Europe, even compared to traditionally socially-conservative countries like Ireland and Switzerland. — By the time Western European countries traditionally seen as ‘socially conservative’ like Ireland and Switzerland are outranking the UK in LGBT+ rights rankings… it’s a clue that something’s gone wrong, right?

Knowing your history is important. I’ve talked before about my personal experience of growing up under Section 28, and I don’t think that the UK’s backsliding is, by any means, harmless⁴. In case the reasons for the UK’s drop in the rankings aren’t obvious, it’s pretty much entirely to do with the UK’s increasingly restrictive gender identity laws (thanks, Supreme Court)⁵.

This stuff affects everybody. When you build a community that is a safe space for queer people, and trans people,⁶ everybody benefits⁷. So even if you’re somehow not compelled by the argument that we should treat everybody fairly and with compassion, you should at least accept that it helps you, too, when we do.

In many ways, queer rights in the UK have been a success story in recent decades. Within my lifetime, we’ve seen the harmonisation of the age of consent (2001), civil partnerships (2004), the Gender Recognition Act (2004), the Equality Act (2010), same-sex marriage (2013; I was genuinely surprised this bill passed!) and the mass-pardoning of people previously convicted under discriminatory sex act laws (2017). These are enormous and important steps and it’s little wonder that the UK topped ILGA Europe’s scoreboard for a while there.

But as recent developments have shown: we can’t rest on our laurels. There’s more to do. History shows us what’s possible; it’s up to us to decide whether we keep moving forward or let it unravel.

So this LGBT+ History Month, don’t just remember the past: pay attention to the present, and push back where it’s slipping.

Footnotes

¹ We celebrate it in February; I’ve never truly understood why. The Independent claims the month was chosen to coincide with the 2003 abolition of Section 28 in England and Wales, but that wouldn’t happen until later in the year; it doesn’t really coincide with the Employment Equality (Sexual Orientation) Regulations 2003 (made June, commencing December) either. So if anybody knows the real reason the UK marks LGBT+ History month in February, I’ve love to hear it.

² Hungary banned same-sex couples from adopting five years ago and banned Pride parades last year, in an incredible backslide for an EU country.

³ Georgia’s backslide is superficially similar to Hungary’s except that one can’t help but feel the influence of partial occupier Russia – a frequent bottom-scorer in ILGA’s list – in that.

⁴ By the way: I just looked back at my own blog posts tagged ‘sexuality’, and man, that shit is on fire! Some fun things there if you’re new to my blog and just catching-up, if I may toot my own horn a little! (Is “toots own horn” a protected identity? ‘Cos I do it a lot.)

⁵ It’s also aggravated by established but regressive problems like the fact that the UK still doesn’t outlaw “conversion therapy”, gender identity is not a recognised justification for seeking asylum, and protections for intersex people are basically nonexistent.

⁶ And, it turns out, furries, who’ve ‘gone from “ew cringe” to “they’re the lichens of a healthy social ecosystem”‘.

⁷ Everybody benefits… except, perhaps, nazis.

Reducing Phantom Obligation in FreshRSS

A week or so ago, Terry Godier – who’s been thinking a lot about UX assumptions lately – argued that the design of most feed readers produces an effect called “phantom obligation”.

He observes that the design of feed readers – which still lean on the design of the earliest feed readers, which adopted the design of email software to minimise the learning curve – makes us feel obligated to stay on top of all our incoming content with its “unread counts”.

Phantom obligation

Email’s unread count means something specific: these are messages from real people who wrote to you and are, in some cases, actively waiting for your response. The number isn’t neutral information. It’s a measure of social debt.

But when we applied that same visual language to RSS (the unread counts, the bold text for new items, the sense of a backlog accumulating) we imported the anxiety without the cause.

…

RSS isn’t people writing to you. It’s people writing, period. You opted to be notified of their existence. The interface implied debt where none existed. The obligation became phantom.

For a while now I’ve been encouraging people to see their feed reader as something distinct from email, and Terry’s expertly summarised exactly why. When people think of RSS as being like email, they’re encouraged to idolise “inbox zero” for both. But that’s not the right metaphor for RSS at all.

Screenshot of Terry's animation showing different kinds of media and the relative match or mismatch between (a) how guilty their notification interface makes you feel and (b) the actual amount of obligation that exists. — Seriously, if you haven’t read Terry’s article yet, you should read it now!¹

From where I’m sitting

I use FreshRSS as my feed reader, and I love it. But here’s the thing: I use the same application for two different kinds of feeds. I call them slow content and fast content.²

Slow content

Blogs, news, podcasts, webcomics, vlogs, etc. I want to know that there is unread content, but I don’t need to know how much.

In some cases, I configure my reader to throw away stuff that’s gotten old and stale; in other cases, I want it to retain it indefinitely so that I can dip in when I want to. There are some categories in which I’ll achieve “inbox zero” most days³… but many more categories where the purpose of my feed reader is to gather and retain a library of things I’m likely to be interested in, so that I can enjoy them at my leisure.

I also use my RSS reader to subscribe to a few mailing lists (where an RSS feed isn’t available for some reason). These – like blogs – are often “people writing, period” content and shouldn’t have been sent by email in the first place!⁴

Fast content

Some of the things I subscribe to, though, I do want to know about. Not necessarily immediately, but “same day” for sure! This includes things like when it’s a friend’s birthday (via the Abnib Birthdays feed) or when there’s an important update to some software I selfhost.

This is… things I want to know about promptly, but that I don’t want to be interrupted for! I appreciate that this kind of subscription isn’t an ideal use for a feed reader… but I use my feed reader with an appropriate frequency that it’s the best way for me to put these notifications in front of my eyeballs.

I agree with Terry that unread counts and notification badges are generally a UX antipattern in feed readers… but I’d like to keep them for some purposes. So that’s exactly what I do.

How I use FreshRSS (to differentiate slow and fast content)

FreshRSS already provides categories. But what I do is simply… not show unread counts except for designated feeds and categories. To do that, I use the CustomCSS extension for FreshRSS (which nowadays comes as-standard!), giving it the following code (note that I want to retain unread count badges only for feed #1 and categories #6 and #8 and their feeds):

.aside.aside_feed {
  /* Hide all 'unread counts' */
  .category, .feed {
    .title:not([data-unread="0"])::after,
    .item-title:not([data-unread="0"])::after {
      display: none;
    }
  }
  
  /* Re-show unread counts only within:
   * - certain numbered feeds (#f_*) and
   * - categories (#c_*)
   */
  #f_1, #c_6, #c_8 {
    &, .feed {
    .title:not([data-unread="0"])::after,
    .item-title:not([data-unread="0"])::after {
      display: block;
    }
  }
}

That’s how I, personally, make my feed reader feel less like an inbox and more like a… I don’t know… a little like a library, a little like a newsstand, a little like a calendar… and a lot like a tool that serves me, instead of another oppressive “unread” count.

Maybe it’ll help you too.

Footnotes

¹ Or whenever you like. It’s ‘slow content’. I’m not the boss of you.

² A third category, immediate content, is stuff where I might need to take action as soon as I see it, usually because there’s another human involved – things like this come to me by email, Slack, WhatsApp, or similar. It doesn’t belong in a feed reader.

³ It’s still slow content even if I inbox-zero it most days… because I don’t inbox-zero it every day! I don’t feel bad ignoring or skipping it if I’m, for example, not feeling the politics news right now (and can you blame me?). This is fundamentally different than ignoring an incoming phone call or a knock at the door (although you’re absolutely within your rights to do that too, if you don’t have the spoons for it).

⁴ I’m yet to see a mailing list that wouldn’t be better as either a blog (for few-to-many communication) or a forum (for many-to-many communication), frankly. But some people are very wedded to their email accounts as “the way” to communicate!

OpenBenches reaches Tenerife

Since 2018 I’ve been a fan of OpenBenches, a community-driven effort to catalogue memorial benches. Co-creator Terence Eden just wrote a blog post about the cost of running the service, which was pretty-much in the region of what I expected but (as an on-again, off-again financial backer, depending on my own financial health!) I appreciated the transparency anyway!

The news came at about the same time as I logged the first bench of the Canary Islands while I was waiting (in vain) to log an obstructed geocache during my recent trip to Tenerife.

On a tiled patio, a wooden bench stands, bearing a plaque that reads: THIS MEMORIAL GARDEN IS DEDICATED TO THE MEMORY OF THOSE WHO LOST THEIR LIVES IN THE AIR DISASTER IN TENERIFE ON 25TH APRIL 1980. — This bench – and the garden it stands in – is a memorial to the victims of the Dan-Air Flight 1008 disaster.

OpenBenches’ dataset is still very UK-centric. I like that I’ve helped broaden its borders! (I’m currently the 83rd-from-top photo contributor, apparently.)

If you’re not already helping collect benches, you should give it a look. You can install the site to your mobile device as a progressive web app and start snapping benches.

Gamified… Pornography?

This article is probably “safe for work” (depending on your workplace).

It makes reference to a popular pornographic website and the features of that website. It contains screenshots, but the porny bits are blurred. The links are all safe.

Verify your age

After Pornhub introduced age check to comply with the Online Safety Act¹, I figured that I’d make an account to see how arduous and privacy-destroying the process of verifying that I was old enough to see naked people². I thought it would make an amusing blog post.

I felt confident that my stupid name, if nothing else, would guarantee me a hard time with this kind of automated system.

Unfortunately³, it turned out to be super-easy for me to pass the age verification.

I just hit “verify by email” with the third-party age verification tool they use, entered an email address that’s associated with a few online accounts (not even the one I gave Pornhub!), and… everything just worked.

Sooo… this isn’t a blog post about how insurmountable age verification is. This is a blog post about something else I discovered as a result of doing this research: Pornhub has “achievements”!

Achievement unlocked

I was slightly surprised to see how many “social networking”-like features Pornhub accounts have. You can upload a profile photo… you have a “wall” that you can post to, and you can post to other people’s. Your profile (unless you tell it not to) shares which channels you’ve subscribed to, which videos you’ve favourited, and so on.

Who on Earth wants those features? I mean: really? 😅 I consider myself pretty sex-positive, but I’m not sure I’d want there to be a web page with my name, photo, and a list of all my favourite dirty vids!⁴

Anyway… the other thing a Pornhub profile seems to provide is… achievements:

Screenshot showing a popover notification reading 'You just unlocked a new achievement: The Virgin' — Hurrah, I guess? *The Virgin* was easy, at least (snerk), unlike most of the things on my Steam profile.

I’ve only got the one achievement right now, of course, and it’s the one that you get “for free”. So it didn’t feel like I’d earned it.

I suppose I was an actual virgin, once. And I had to prove that I’m a real human to get an account. So… maybe I earned it?

Your profile page encourages you to ‘earn and show off more achievements’. Because, yes, your ‘achievements’ are on your public profile too!

But just stop and think about what this means for a moment. At some point, in some conference room at Pornhub HQ, there was a meeting in which somebody said something like:

“You know what we need? Public profile pages for all Pornhub accounts. And they should show, like, ‘achievements’ like you get for videogames. Except the achievements are for things like how much porn you’ve watched and how often. You can show it off to your friends!”

And then somebody else in the meeting said:

“Yes. That is a good idea.”⁵

If it weren’t for the time-based achievements like ’10 year-old account’, I’ll bet there’d be people competing to speedrun Pornhub.

Complete list of Pornhub Achievements

I’ve reverse-engineered the complete⁶ collection of Pornhub Achievements for you. Y’know, in case you’re trying to finish your collection:

	The Virgin	Congrats! You have accessed your account for the first time! Enjoy the ride on Many Faps Road.
	The Freshman	You have accessed your account for the 10th time! I take it you’ve enjoyed the 9 last times?
	The Sophomore	You have accessed your account for the 100th time! Maximus Fappitus, you’re a true Pornhub warrior!
	The Junior	You have accessed your account for the 500th time! If only you could get air miles for this.
	The Senior	You have accessed your account for the 1000th time! If only you could get air miles for this.
	The Porn Buff	You’ve watched 10 videos – This is just the beginning, trust me.
	The Two Thumbs	You’ve watched 500 videos – Lotion or no lotion, that is the question.
	The Cinephile	You’ve watched 5,000 videos – Be careful, carpal tunnel is a thing.
	The Connoisseur	You’ve watched 50,000 videos – you are a veritable porn expert now.
	1 Year Old Account	Our very first anniversary, I wish us many more!
	2 Year Old Account	Two years of pleasure!
	3 Year Old Account	Three years… Ah! The memories!
	4 Year Old Account	Most relationships don’t even last this long #funfact
	5 Year Old Account	That’s half a decade of watching porn.. woah… that’s impressive.
	6 Year Old Account	I guess we were a match made in heaven. Who would’ve known that 6 years later, you would still be fapping on me.
	7 Year Old Account	No 7 year itch here! Thanks for 7 fappy years
	8 Year Old Account	The Outlook is good: you’ve had 8 magical years on Pornhub!
	9 Year Old Account	In 9 more years, your account will be old enough to view itself.
	10 Year Old Account	You were really ahead of the wave – here’s to a decade on Pornhub!

I have no idea who this feature is “for”. I’d feel the same way if YouTube had achievements, too⁷, but the fact that you can, and by default do, showcase your achievements on a porn site is what really blows my mind.

But maybe they ought to double-down and add more achievements. If they’re going to have them, they might as well make the most of them! How about achievements for watching a particular video a certain number of times? Or for watching videos in each of many different hour segments of the day? Or for logging in to your account and out again without consuming any pornography (hey, that’s one that I would have earned!)? If they’re going to have this bizarre feature, they might as well double-down on it!

I also have no idea who this blog post is “for”. If it turned out to be for you (maybe you wanted to know how to unlock all the achievements… or maybe you just found this as amusing as I did), leave me a comment!

Footnotes

¹ Don’t get me started with everything that’s wrong with the so-called Online Safety Act. Just… don’t. The tl;dr would be that it’s about 60% good ideas, 20% good implementation.

² Obviously if I were actually trying to use Pornhub I’d just use a VPN with an endpoint outside of the UK. Y’know, like a sensible person.

³ I mean: it’s probably pretty fortunate that – based on my experience at least – it seems to be easy for adults to verify that they’re adults in order to access services that are restricted to adults as a result of the OSA. But it’s unfortunate in that I’d hoped to make a spicy blog post about all the hoops I had to jump through and ultimately it turned out that there was only one hoop and it was pretty easy.

⁴ Of course, the Indieweb fan within me also says that if I did want such a page to exist, I’d want it to be on my own domain. Should there be an Indieweb post kind for “fap” for people who want to publicly track their masturbatory activities as an exercise in the quantified self?

Or should there be a “sex” kind that works a bit like “invitation” in that you can optionally tag other people who were involved? Or is sex a kind of “exercise”? Could it be considered “game play”? What about when it’s a “performance”? Of course, the irony is that anybody who puts a significant amount of effort into standardising the way that a person might publicly catalogue their sex life… is probably rendering themselves less-likely to have one.

I think I got off-topic in this footnote.

⁵ To be fair, I’ve worked places where committee groupthink has made worse decisions. Want a topical example? My former employer The Bodleian Libraries decided to call a podcast series “BodCast” without first performing a search… which would have revealed that Playboy were already using that name for a series of titillating vlogs. Curiously, it was Playboy who caved and renamed their service first. Presumably the strippers didn’t want to be associated with librarians?

⁶ It’s possible there are achievements I’ve missed – their spriteset file looks like it contains others! – that are only available to content creators on the platform. But if that’s the case, it further reinforces that these achievements are for the purpose of consumers who want to show off how many videos they’ve watched, or whatever! Weird, right?

⁷ “Congratulations: you watched your 500th YouTube ‘short’ – look how much of your life you’ve wasted!”

Postcard from San Diego

I got another postcard. This one’s from Joe Crawford, all the way over in San Diego.

Both sides of a postcard. The text reads: I enjoy your blog. I enjoy books. I enjoy using the mails. I love the idea of using proper mail to internet aquaintances. I acquired this postcard last year in San Francisco. I hope you enjoy it. Best. - Joe (ARTLUNG.COM). The front shows a photograph from a San Francisco street, showing City Lights Booksellers & Publishers' shop front. — Cute card, too. I appreciate the “stop the deportations” banner on this San Fancisco bookshop!

I first started soliciting Internet strangers to send me postcards three months ago and I’m still loving it.

It adds a layer of humanity and personality to the Web. It introduces me to cool new people, and re-introduces me to cool people whom I’d crossed paths with at a distance: Joe’s one of the latter, but I’ve now taken the time to ensure he’s in my RSS reader… and, by proxy, in my blogroll.

I don’t have a return address for anybody who posted anything to me, yet (obviously I’d have masked it out from the postcard if I had!), but I feel like I ought to buy some postcards now too. It’s only a matter of time.

And hey, maybe there’s mileage in starting an Personal Web Postcards Club or something…

Without Bloganuary

In January 2024 I participated in Bloganuary, a “write a blog post every day for a month” challenge organised by Automattic. I wasn’t 100% impressed by the prompts made available and was – as an employee of Automattic – shuffling towards trying to help make them better in a future year. To be part of the solution!

I didn’t participate in January 2025, because I was on sabbatical and – as well as it feeling a little “close” to work! – Bloganuary intersected with a winter-sun trip to Trinidad & Tobago, where – despite a state of emergency being declared – Ruth and I unlocked a geohashing graticule, experienced small-world serendipity, and generally explored beautiful and remote places.¹

View of waves crashing into a bay on a rugged island coastline. — There’s definitely something in this ‘winter sun’ thing that seems to help me stay sane in the cold dark months. This morning, I’m blogging from a hotel balcony in Peurtro de la Cruz, Tenerife.

Of course, two significant things changed since then:

As part of a sweeping range of redundancies, I was let go from my position at Automattic², and
Automattic ceased running Bloganuary: I’m guessing that the folks responsible for making it happen were among the many that Automattic decided to axe, or else their shifting priorities – reflected by their waves of layoffs – are no longer compatible with providing that service to bloggers.

Ah well, I figured. I’d just do my own thing. I can write something for every day in January 2026, can’t I?

Generating a chart...
If this message doesn't go away, the JavaScript that makes this magic work probably isn't doing its job right: please tell Dan so he can fix it.

Turns out that yes, I can. 53 posts over 31 consecutive days, so far this year. This year might be my fastest run at 100 Days To Offload yet.

In general, I suppose I’ve been blogging more-frequently lately. Why is that? I guess it’s been a realisation that a blog post doesn’t always have to be polished to perfection. I still write long-form posts which require research and planning, like setting up a network of Windows 3.x VMs just to get screenshots of what programming then looked like or making that podcast episode with the music in it… but I’m also feeling more-free to just express myself in the moment. To share things I see that look interesting or funny or pretty, or just whatever I’m thinking. I’ve been using “kinds” to categorise my posts so it’s easy for people to avoid my more-inane stuff if they like, but that’s a secondary consideration because ultimately… I blog for me.

I’ve also been trying to make blogging more social. Over the last year I’ve made an effort to (visibly) “follow” more personal bloggers and correspond with them (including in new – by which I mean old – ways like exchanging postcards!).

Anyway… all of which is to say that I’ve been writing more and I’ve been loving it. The best way to read more of what I’m writing, if you’d like to, remains: by subscribing via RSS.

But regardless of how and why you’ve come to find this post – thanks for dropping be: drop me a message and say hi and let’s be friends.

Footnotes

¹ I’d anticipated having a lack of Internet access, but in fact 4G was widespread throughout both islands and overall I managed to post something on every day except three in January 2025.

² Based on friends I’ve spoken to, there seem to have been a lot more folks let go since; the company seems to be shrinking quite a lot, which might go some way to explaining my second observation too.

How an RM Nimbus Taught Me a Hacker Mentality

What can I make it do?

It’s been said that when faced with a new piece of technology, a normal person asks “what does it do?”, but a hacker asks “what can I make it do?”.

This kind of curiosity is integral to a hacker mindset.

I can trace my hacker roots back further than my first experience of using an RM Nimbus M-Series in circa 1992². But there was something particular about my experience of this popular piece of British edutech kit which provided me with a seminal experience that shaped my “hacker identity”. And it’s that experience about which I’d like to tell you:

Shortly after I started secondary school, they managed to upgrade their computer lab from a handful of Nimbus PC-186s to a fancy new network of M-Series PC-386s. The school were clearly very proud of this cutting-edge new acquisition, and we watched the teachers lay out the manuals and worksheets which smelled fresh and new and didn’t yet have their corners frayed nor their covers daubed in graffiti.

Program Manager

The new ones ran Windows 3 (how fancy!). Well… kind-of. They’d been patched with a carefully-modified copy of Program Manager that imposed a variety of limitations. For example, they had removed the File > Run… menu item, along with an icon for File Manager, in order to restrict access to only the applications approved by the network administrator.

A special program was made available to copy files between floppy disks and the user’s network home directory. This allowed a student to take their work home with them if they wanted. The copying application – whose interface was vastly inferior to File Manager‘s – was limited to only copying files with extensions in its allowlist. This meant that (given that no tool was available that could rename files) the network was protected from anybody introducing any illicit file types.

Bring a .doc on a floppy? You can copy it to your home directory. Bring a .exe? You can’t even see it.

To young-teen-Dan, this felt like a challenge. What I had in front of me was a general-purpose computer with a limited selection of software but a floppy drive through which media could be introduced. What could I make it do?

This isn’t my school’s computer lab circa mid-1990s (it’s this school) but it has absolutely the same energy. Except that I think Solitaire was one of the applications that had been carefully removed from Program Manager.

Spoiler: eventually I ended up being able to execute pretty much anything I wanted, but we’ll get to that. The journey is the important part of the story. I didn’t start by asking “can I trick this locked-down computer lab into letting my friends and I play Doom deathmatches on it?” I started by asking “what can I make it do?”; everything else built up over time.

I started by playing with macros. Windows used to come with a tool called Recorder,³ which you could use to “record” your mouse clicks and keypresses and play them back.

Recorder + Paintbrush made for an interesting way to use these basic and limited tools to produce animations. Like this one, except at school I’d have put more effort in⁴.

Microsoft Word

Then I noticed that Microsoft Word also had a macro recorder, but this one was scriptable using a programming language called WordBasic (a predecessor to Visual Basic for Applications). So I pulled up the help and started exploring what it could do.

And as soon as I discovered the Shell function, I realised that the limitations that were being enforced on the network could be completely sidestepped.

Screenshot showing Microsoft Word's 'Macro Editor' on Windows 3.1. The subroutine being defined contains the code 'Shell("WINFILE.EXE")'; the 'Shell' command is described in the WordBasic Help file, which is also visible. — A Windows 3 computer that runs Word… can run any other executable it has access to. Thanks, macro editor.

Now that I could run any program I liked, I started poking the edges of what was possible.

Could I get a MS-DOS prompt/command shell? Yes, absolutely⁵.
Could I write to the hard disk drive? Yes, but any changes got wiped when the computer performed its network boot.
Could I store arbitrary files in my personal network storage? Yes, anything I could bring in on floppy disks⁶ could be persisted on the network server.

I didn’t have a proper LAN at home⁷ So I really enjoyed the opportunity to explore, unfettered, what I could get up to with Windows’ network stack.

Screenshot from Windows 3.11; a Microsoft Paint window is partially-concealed behind a WinChat conversation with 'RMNET013'. The other participant is warning the user to look busy and stop drawing dicks in Paint because the teacher is coming. The user is responding with confusion. — The “WinNuke” NetBIOS remote-crash vulnerability was a briefly-entertaining way to troll classmates, but unlocking WinPopup/Windows Chat capability was ultimately more-rewarding.

File Manager

I started to explore the resources on the network. Each pupil had their own networked storage space, but couldn’t access one another’s. But among the directories shared between all students, I found a directory to which I had read-write access.

I created myself a subdirectory and set the hidden bit on it, and started dumping into it things that I wanted to keep on the network⁸.

By now my classmates were interested in what I was achieving, and I wanted in the benefits of my success. So I went back to Word and made a document template that looked superficially like a piece of coursework, but which contained macro code that would connect to the shared network drive and allow the user to select from a series of programs that they’d like to run.

Gradually, compressed over a series of floppy disks, I brought in a handful of games: Commander Keen, Prince of Persia, Wing Commander, Civilization, Wolfenstein 3D, even Dune II. I got increasingly proficient at modding games to strip out unnecessary content, e.g. the sound and music files⁹, minimising the number of floppy disks I needed to ZIP (or ARJ!) content to before smuggling it in via my shirt pocket, always sure not to be carrying so many floppies that it’d look suspicious.

Screenshot of Windows 3.11 File Manager connected to a network with shares rmnet, shared, and students. Shared contains a hidden directory called 'dan'. — The goldmine moment – for my friends, at least – was the point at which I found a way to persistently store files in a secret shared location, allowing me to help them run whatever they liked *without passing floppy disks around the classroom* (which had been my previous approach).

In a particularly bold move, I implemented a simulated login screen which wrote the entered credentials into the shared space before crashing the computer. I left it running, unattended, on computers that I thought most-likely to be used by school staff, and eventually bagged myself the network administrator’s password. I only used it twice: the first time, to validate my hypothesis about the access levels it granted; the second, right before I finished school, to confirm my suspicion that it wouldn’t have been changed during my entire time there¹⁰.

Are you sure you want to quit?

My single biggest mistake was sharing my new-found power with my classmates. When I made that Word template that let others run the software I’d introduced to the network, the game changed.

When it was just me, asking the question what can I make it do?, everything was fun and exciting.

But now half a dozen other teens were nagging me and asking “can you make it do X?”

This wasn’t exploration. This wasn’t innovation. This wasn’t using my curiosity to push at the edges of a system and its restrictions! I didn’t want to find the exploitable boundaries of computer systems so I could help make it easier for other people to do so… no: I wanted the challenge of finding more (and weirder) exploits!

I wanted out. But I didn’t want to say to my friends that I didn’t want to do something “for” them any more¹¹.

I figured: I needed to get “caught”.

16-bit Windows screenshot with a background image from WarGames. A dialog box asks 'Are you sure you want to quit? If you quit, you will lose the ability to: (a) use network chat tools, (b) play videogames awhen you should be doing coursework, (c) impress your friends and raise your otherwise-pathetic social status'; the cursor hovers over a 'Yes, I'm out' button. — I considered just using graphics software to make these screenshots… but it turned out to be faster to spin up a network of virtual machines running Windows 3.11 and some basic tools. I *actually made* the stupid imaginary dialog box you’re seeing.¹²

I chose… to get sloppy.

I took a copy of some of the software that I’d put onto the shared network drive and put it in my own home directory, this time un-hidden. Clearly our teacher was already suspicious and investigating, because within a few days, this was all that was needed for me to get caught and disciplined¹³.

I was disappointed not to be asked how I did it, because I was sufficiently proud of my approach that I’d hoped to be able to brag about it to somebody who’d understand… but I guess our teacher just wanted to brush it under the carpet and move on.

Aftermath

The school’s IT admin certainly never worked-out the true scope of my work. My “hidden” files remained undiscovered, and my friends were able to continue to use my special Word template to play games that I’d introduced to the network¹⁴. I checked, and the hidden files were still there when I graduated.

The warning worked: I kept my nose clean in computing classes for the remainder of secondary school. But I would’ve been happy to, anyway: I already felt like I’d “solved” the challenge of turning the school computer network to my interests and by now I’d moved on to other things… learning how to reverse-engineer phone networks… and credit card processors… and copy-protection systems. Oh, the stories I could tell¹⁵.

Old photograph of Dan, then a teenager, with other teenagers. Dan is labelled 'young hacker, a.k.a. bellend', while another young man is captioned 'classmate who just wanted to play lemmings'. — I “get” it that some of my classmates – including some of those pictured – were mostly interested in the *results* of my hacking efforts. But for me it always was – and still is – about the *journey of discovery*.

But I’ll tell you what: 13-ish year-old me ought to be grateful to the RM Nimbus network at my school for providing an interesting system about which my developing “hacker brain” could ask: what can I make it do?

Which remains one of the most useful questions with which to foster a hacker mentality.

Footnotes

¹ I first played Game of Life on an Amstrad CPC464, or possibly a PC1512.

² What is the earliest experience to which I can credit my “hacker mindset”? Tron and WarGames might have played a part, as might have the “hacking” sequence in Ferris Bueller’s Day Off. And there was the videogame Hacker and its sequel (it’s funny to see their influence in modern games). Teaching myself to program so that I could make text-based adventures was another. Dissecting countless obfuscated systems to see how they worked… that’s yet another one: something I did perhaps initially to cheat at games by poking their memory addresses or hexediting their save games… before I moved onto reverse-engineering copy protection systems and working out how they could be circumvented… and then later still when I began building hardware that made it possible for me to run interesting experiments on telephone networks.

Any of all of these datapoints, which took place over a decade, could be interpreted as “the moment” that I became a hacker! But they’re not the ones I’m talking about today. Today… is the story of the RM Nimbus.

³ Whatever happened to Recorder? After it disappeared in Windows 95 I occasionally had occasion to think to myself “hey, this would be easier if I could just have the computer watch me and copy what I do a few times.” But it was not to be: Microsoft decided that this level of easy automation wasn’t for everyday folks. Strangely, it wasn’t long after Microsoft dropped macro recording as a standard OS feature that Apple decided that MacOS did need a feature like this. Clearly it’s still got value as a concept!

⁴ Just to clarify: I put more effort in to making animations, which were not part of my schoolwork back when I was a kid. I certainly didn’t put more effort into my education.

⁵ The computers had been configured to make DOS access challenging: a boot menu let you select between DOS and Windows, but both were effectively nerfed. Booting into DOS loaded an RM-provided menu that couldn’t be killed; the MS-DOS prompt icon was absent from Program Manager and quitting Windows triggered an immediate shutdown.

⁶ My secondary school didn’t get Internet access during the time I was enrolled there. I was recently trying to explain to one of my kids the difference between “being on a network” and “having Internet access”, and how often I found myself on a network that wasn’t internetworked, back in the day. I fear they didn’t get it.

⁷ I was in the habit of occasionally hooking up PCs together with null modem cables, but only much later on would I end up acquiring sufficient “thinnet” 10BASE2 kit that I could throw together a network for a LAN party.

⁸ Initially I was looking to sidestep the space limitation enforcement on my “home” directory, and also to put the illicit software I was bringing in somewhere that could not be trivially-easily traced back to me! But later on this “shared” directory became the repository from which I’d distribute software to my friends, too.

⁹ The school computer didn’t have soundcards and nobody would have wanted PC speakers beeping away in the classroom while they were trying to play a clandestine videogame anyway.

¹⁰ The admin password was concepts. For at least four years.

¹¹ Please remember that at this point I was a young teenager and so was pretty well over-fixated on what my peers thought of me! A big part of the persona I presented was of somebody who didn’t care what others thought of him, I’m sure, but a mask that doesn’t look like a mask… is still a mask. But yeah: I had a shortage of self-confidence and didn’t feel able to say no.

¹² Art is weird when your medium is software.

¹³ I was briefly alarmed when there was talk of banning me from the computer lab for the remainder of my time at secondary school, which scared me because I was by now half-way through my boring childhood “life plan” to become a computer programmer by what seemed to be the appropriate route, and I feared that not being able to do a GCSE in a CS-adjacent subject could jeopardise that (it wouldn’t have).

¹⁴ That is, at least, my friends who were brave enough to carry on doing so after the teacher publicly (but inaccurately) described my alleged offences, seemingly as a warning to others.

¹⁵ Oh, the stories I probably shouldn’t tell! But here’s a teaser: when I built my first “beige box” (analogue phone tap hardware) I experimented with tapping into the phone line at my dad’s house from the outside. I carefully shaved off some of the outer insulation of the phone line that snaked down the wall from the telegraph pole and into the house through the wall to expose the wires inside, identified each, and then croc-clipped my box onto it and was delighted to discovered that I could make and receive calls “for” the house. And then, just out of curiosity to see what kinds of protections were in place to prevent short-circuiting, I experimented with introducing one to the ringer line… and took out all the phones on the street. Presumably I threw a circuit breaker in the roadside utility cabinet. Anyway, I patched-up my damage and – fearing that my dad would be furious on his return at the non-functioning telecomms – walked to the nearest functioning payphone to call the operator and claim that the phone had stopped working and I had no idea why. It was fixed within three hours. Phew!

That’s Not How Email Works, HSBC

I have a credit card with HSBC¹. It doesn’t see much use², but I still get a monthly statement from them, and an email to say it’s available.

Not long ago I received a letter from them telling me that emails to me were being “returned undelivered” and they needed me to update the email address on my account.

“What’s happening?”

I logged into my account, per the instructions in the letter, and discovered my correct email address already right there, much to my… lack of surprise³.

So I kicked off a live chat via their app, with an agent called Ankitha. Over the course of a drawn-out hour-long conversation, they repeatedly told to tell me how to update my email address (which was never my question). Eventually, when they understood that my email address was already correct, then they concluded the call, saying (emphasis mine):

I can understand your frustration, but if the bank has sent the letter, you will have to update the e-mail address.

This is the point at which a normal person would probably just change the email address in their online banking to a “spare” email address.

But aside from the fact that I’d rather not⁴, by this point I’d caught the scent of a deeper underlying issue. After all, didn’t I have a conversation a little like this one but with a different bank, about four years ago?

So I called Customer Services directly⁵, who told me that if my email address is already correct then I can ignore their letter.

I suggested that perhaps their letter template might need updating so it doesn’t say “action required” if action is not required. Or that perhaps what they mean to say is “action required: check your email address is correct”.

Edited version of the letter, now saying 'What's happening? We need to ensure that the email address we're using for you is correct' and 'Action required: Please check that you've been receiving our emails and that the address in your account is correct'. — Say what you mean, HSBC! I’ve suggested an improvement to your letter template.

So anyway, apparently everything’s fine… although I reserved final judgement until I’d seen that they were still sending me emails!

“Action required”

I think I can place a solid guess about what went wrong here. But it makes me feel like we’re living in the Darkest Timeline.

Scene from Community episode 'Remedial Chaos Theory'. Pierce lies injured on the floor, tended to by Annie and Abed, while Jeff swings a flaming blanket around his head. Troy stands in shock at the door, holding a pile of pizza boxes. — You know the one I mean. Somebody rolled a ‘1’, didn’t they…

I dissected HSBC’s latest email to me: it was of the “your latest statement is available” variety. Deep within the email, down at the bottom, is this code:

<img src="http://www.email1.hsbc.co.uk:8080/Tm90IHRoZSByZWFsIEhTQkMgcGF5bG9hZA=="
   width="1"
  height="1"
     alt="">

<img src="http://www.email1.hsbc.co.uk:8080/QWxzbyBub3QgcmVhbCBIU0JDIHBheWxvYWQ="
   width="1"
  height="1"
     alt="">

What you’re seeing are two tracking pixels: tiny 1×1 pixel images, usually transparent or white-on-white to make them even-more invisible, used to surreptitiously track when somebody reads an email. When you open an email from HSBC – potentially every time you open an email from them – your email client connects to those web addresses to get the necessary images. The code at the end of each identifies the email they were contained within, which in turn can be linked back to the recipient.

You know how invasive a read-receipt feels? Tracking pixels are like those… but turned up to eleven. While a read-receipt only says “the recipient read this email” (usually only after the recipient gives consent for it to do so), a tracking pixel can often track when and how often you refer to an email⁶.

If I re-read a year-old email from HSBC, they’re saying that they want to know about it.

But it gets worse. Because HSBC are using http://, rather than https:// URLs for their tracking pixels, they’re also saying that every time you read an email from them, they’d like everybody on the same network as you to be able to know that you did so, too. If you’re at my house, on my WiFi, and you open an email from HSBC, not only might HSBC know about it, but I might know about it too.

An easily-avoidable security failure there, HSBC… which isn’t the kind of thing one hopes to hear about a bank!

Zoom-in animation showing two tracking pixels at the bottom of an email, rendered visible in red and blue. — Tracking pixels are usually invisible, so I turned these ones visible so you can see where they hide.

But… tracking pixels don’t actually work. At least, they doesn’t work on me. Like many privacy-conscious individuals, my devices are configured to block tracking pixels (and a variety of other instruments of surveillance capitalism) right out of the gate.

This means that even though I do read most of the non-spam email that lands in my Inbox, the sender doesn’t get to know that I did so unless I choose to tell them. This is the way that email was designed to work, and is the only way that a sender can be confident that it will work.

But we’re in the Darkest Timeline. Tracking pixels have become so endemic that HSBC have clearly come to the opinion that if they can’t track when I open their emails, I must not be receiving their emails. So they wrote me a letter to tell me that my emails have been “returned undelivered” (which seems to be an outright lie).

Surveillance capitalism has become so ubiquitous that it’s become transparent. Transparent like the invisible spies at the bottom of your bank’s emails.

The letter from HSBC again, but this time corrected to say 'We cannot conceive that there's anybody left who hasn't given up on trying to fight back against surveillance capitalism. Action required: turn off your privacy software so we can watch you read our emails. (We'll be letting anybody you live with read them too.) — I’ve changed my mind. Maybe *this* is what HSBC’s letter should have said.

So in summary, with only a little speculation:

Surveillance capitalism became widespread enough that HSBC came to assume that tracking pixels have bulletproof reliability.
HSBC started using tracking pixels them to check whether emails are being received (even though that’s not what they do when they are reliable, which they’re not).
- (Oh, and their tracking pixels are badly-implemented, if they worked they’d “leak” data to other people on my network⁷.)
Eventually, HSBC assumed their tracking was bulletproof. Because HSBC couldn’t track how often, when, and where I was reading their emails… they posted me a letter to tell me I needed to change my email address.

What do I think HSBC should do?

Instead of sending me a misleading letter about undelivered emails, perhaps a better approach for HSBC could be:

At an absolute minimum, stop using unencrypted connections for tracking pixels. I do not want to open a bank email on a cafe’s public WiFi and have everybody in the cafe potentially know who I bank with… and that I just opened an email from them! I certainly don’t want attackers injecting content into the bottom of legitimate emails.
Stop assuming that if somebody blocks your attempts to spy on them via your emails, it means they’re not getting your emails. It doesn’t mean that. It’s never meant that. There are all kinds of reasons that your tracking pixels might not work, and they’re not even all privacy-related reasons!
Or, better yet: just stop trying to surveil your customers’ email habits in the first place? You already sit on a wealth of personal and financial information which you can, and probably do, data-mine for your own benefit. Can you at least try to pay lip service to your own published principles on the ethical use of data and, if I may quote them, “use only that data which is appropriate for the purpose” and “embed privacy considerations into design and approval processes”.
If you need to check that an email address is valid, do that, not an unreliable proxy for it. Instead of this letter, you could have sent an email that said “We need to check that you’re receiving our emails. Please click this link to confirm that you are.” This not only achieves informed consent for your tracking, but it can be more-secure too because you can authenticate the user during the process.

Also, to quote your own principles once more: when you make a mistake like assuming your spying is a flawless way to detect the validity of email addresses, perhaps you should “be transparent with our customers and other stakeholders about how we use their data”.

Wouldn’t that be better than writing to a customer to say that their emails are being returned undelivered (when they’re not)… and then having your staff tell them that having received such an email they have no choice but to change the email address they use (which is then disputed by your other staff)?

</rant>

Footnotes

¹ You know, the bank with virtue-signalling multiculturalism that we used to joke about.

² Long, long ago I also had a current account with HSBC which I forgot to close when I switched banks… 20 years ago… and I possibly still owe them for the six pence the account was in debt at the time.

³ After all, I’d been reading their emails!

⁴ After all, as I’ll stress again: the email address HSBC have for me, and are using, is already correct.

⁵ In future, I’ll just do this in the first instance. The benefits of live chat being able to be done “in the background” while one gets on with some work are totally outweighed when the entire exchange takes an hour only to reach an unsatisfactory conclusion, whereas a telephone call got things sorted (well hopefully…) within 10 minutes.

⁶ A tracking pixel can also collect additional personal information about you, such as your IP address at the time that you opened the email, which might disclose your location.

⁷ It could be even worse still, actually! A sophisticated attacker could “inject” images into the bottom of a HSBC email; those images could, for example, be pictures of text saying things like “You need to urgently call HSBC on [attacker’s phone number].” This would allow a scammer to hijack a legitimate HSBC email by injecting their own content into the bottom of it. Seriously, HSBC, you ought to fix this.

PHP 8.4 on Caddy on Debian 13… in Three Minutes

I just needed to spin up a new PHP webserver and I was amazed how fast and easy it was, nowadays. I mean: Caddy already makes it pretty easy, but I was delighted to see that, since the last time I did this, the default package repositories had 100% of what I needed!

Apart from setting the hostname, creating myself a user and adding them to the sudo group, and reconfiguring sshd to my preference, I’d done nothing on this new server. And then to set up a fully-functioning PHP-powered webserver, all I needed to run (for a domain “example.com”) was:

sudo apt update && sudo apt upgrade -y
sudo apt install -y caddy php8.4-fpm
sudo mkdir -p /var/www/example.com
printf "example.com {\n"                               | sudo tee    /etc/caddy/Caddyfile
printf "  root * /var/www/example.com\n"               | sudo tee -a /etc/caddy/Caddyfile
printf "  encode zstd gzip\n"                          | sudo tee -a /etc/caddy/Caddyfile
printf "  php_fastcgi unix//run/php/php8.4-fpm.sock\n" | sudo tee -a /etc/caddy/Caddyfile
printf "  file_server\n"                               | sudo tee -a /etc/caddy/Caddyfile
printf "}\n"                                           | sudo tee -a /etc/caddy/Caddyfile
sudo service caddy restart

After that, I was able to put an index.php file into /var/www/example.com and it just worked.

And when I say “just worked”, I mean with all the bells and whistles you ought to expect from Caddy. HTTPS came as standard (with a solid QualSys grade). HTTP/3 was supported with a 0-RTT handshake.

Mind blown.