Tyler Cowan offers what he calls are the “the four basic truths of macroeconomics” in a recent column in Bloomberg. It may be paywalled, so I’ll quote liberally here.

His first point is that “a strong negative shock to demand — a sudden decline, in other words — usually leads to a loss of output and employment.” This is just the law of supply and demand, reworded to spin it a bit, and with some riders attached.

Put more clearly, the principle is this: in a market economy, a reduction in demand leads to a reduction in supply. It doesn’t matter whether the result is a ‘negative shock’ or simply a global disinterest in the product.

The rider in this proposition the the further assertion that this leads to unemployment. Let’s hear Cowan explain: “Nominal wages are sticky, for a complex mix of sociological reasons, and so employers do not always respond to lower demand with lower wages for workers. Instead they lay some people off, and that can lead to a recession.”

OK, first, lower wages can also lead to a recession, so the choice between ‘lower wages or lay people off’ is a false choice. Additionally, when people are laid off, it is not usually a result of high wages for other people, but because there is nothing for them to do.

Cowan calls this “one of the most important discoveries in history”. This may be true of the law of supply and demand, but not of his restatement. And the other half of this ‘most important discovery’ is that it applies only to market economies.

Market economies governed by the law of supply and demand are subject to market failures. One such failure is a drop in demand for a given product. All else being equal, this leads to a collapse of the economy. What saves the economy is intervention from outside the market. In a large company, for example, financial reserves may be brought in to develop a new product line. In a national or global economy, financial reserves may be brought in to build infrastructure, fight a war, or explore and discover.

Let’s move on to Cowan’s second point. It is this: “well-functioning central banks can offset such demand shocks to a considerable degree — or even prevent them from arising in the first place.“

This is Cowan’s version of the point I just made, but Cowan limits the sort of intervention needed to one conducted by central banks. It should be obvious, just on reflection of the point, that any intervention that replaces the loss of demand will apply equally well. Wealth does not exist only in central banks.

Cowan continues by narrowing the range of possibilities even further: “The bank can engage in complex financial transactions or simply print more currency to stabilize nominal demand and restore some measure of order.” Again, it should be clear by simple observation that there are many options in addition to ‘complex transactions’ or ‘printing money’.

This limited range of options is essential the set of constraints imposed in a set of responses known as ‘monetary policy’. The core idea of monetary policy is that economic fluctuations are addressed primarily by adjusting the money supply. But governments are more than merely central banks, and there is a range of options over and above monetary policy.

The obvious additional option, and the one we have actually taken, is to borrow money. Borrowing money isn’t the same as printing money, because the money still comes from somewhere – usually from places where it wasn’t being used to create demand, whether hidden in mattresses or stashed away in savings accounts. Another option is to tax this money – admittedly hard to do with cash stashed in the house somewhere, but much easier with unproductive wealth in futures markets or hidden in the Cayman Islands.

The other part of that strategy is, as I suggested above, giving people something else to do. During the pandemic, for example, no amount of money pumped into the economy is going to increase the demand for sit-down restaurants and seats in movie theatres. But there is an urgent and pressing need – one for which the market is not in a good position to address – in basic (but unprofitable) research in vaccines and personal protective equipment.

The second point was only one paragraph in Cowan’s article, not because there wasn’t a lot to say, but because there was a lot to keep hidden.

Let’s move on to his third point: “if central banks go crazy increasing the money supply, the result will be high price inflation.“ This is the law of supply and demand applied to money. Increase the supply of money, and its value decreases, meaning you need more to obtain the same goods and services. This phenomenon is called ‘inflation’.

This is a ceteris paribus clause, which means, ‘all else being equal’. But all else is never equal, and is is important, because there is an important corollary: if the demand for goods and services is greatly increased, the value of money decreases. This is the cause of some classic market failures. If, say, electricity becomes scarce, but demand is stable, the price will shoot through the roof, resulting (again) in inflation.

This is all the theoretical basis for monetary policy: keeping the value of money more or less in accord with variations in demand, growing the money supply as the economy grows, and shrinking it as the economy shrinks. This approach might work well on the upswing, but it has devastating consequences on the downswing. Just when the economy needs more investment to produce more jobs and more demand, money becomes tight, sending the economy into a downward spiral.

Not surprisingly, this is the policy Cowan suggests will be most effective. “If central banks simultaneously act to decrease the velocity of money,” he writes, “that is, if they take measures to reduce borrowing and lending, then price inflation will be limited accordingly.” Yes it would. At the cost of sending the economy into a tailspin.

But there’s room for a more positive message: inflation happens only if the supply of goods and services remains static. But if that supply increases, especially for new sorts of goods and services (to, say, build fibre networks, develop vaccine programs, explore space, develop alternative energy sources) then increased money supply does not increase inflation.

This is important because the greatest danger of inflation doesn’t come from governments printing money. For the most part, governments don’t print money; they borrow. No, the greatest danger lies in the fact that something like half of all global wealth is concentrated and hidden away in banks in Panama and the Caymans and Switzerland by the globally wealthy, and if this money is unleashed on the economy, the value of money will drop.

Finally, let’s look at Cowan’s fourth point: “non-monetary shocks, if they are large enough, can also create recessions or depressions.” For examples he gives us “the oil price shock of 1973, the current pandemic, or bad harvests in earlier agrarian societies.” What he should have said, in my opinion, is that “shocks can produce market failures”.

That is because the market generally, and monetary policy in particular, are not well-equipped to adjust to sudden systemic changes or disruptions to central aspects of the economy. Each of the three examples he gives impacted the market in a different way, but what they all have in common was that there was no market-based means to respond to them.

If we look at the pandemic, then what we saw was that, in addition to killing half a million Americans, the pandemic sharply reduced demand for public activities, thus eliminating the incomes of a wide swath of the population, including especially some of the most vulnerable and, at the same time, the most essential. If we did not address this by borrowing money and replacing that income, and also by developing alternative essential services, and also spending to combat the vaccine, then the economy would collapse.

If we look at the oil price shock of the 1970s, a completely different calculus was at play. The high cost of oil and gas resulted in widespread disruption because so much of the economy – from car production to drive-in theatres – depended on cheap and available fuel. The cost of a wide range of goods and services rose sharply. The short-term cause was the Arab oil embargo, and the crisis was effectively ended with the end of the embargo, which was the result of political agreements with the Arab states and an Israeli withdrawal in Egypt and disengagement with Syria. Longer term, the crisis resulted in increased (and often subsidized) exploration for oil elsewhere.

If we look at the collapse of harvests in agrarian economies, the cause and effect are pretty obvious, since the loss of food results in a loss of demand for pretty much everything else. The term ‘economic collapse’ becomes somewhat meaningless when everyone is starving. The response is found in one of the first of many accounts of socialism in the Bible (Genesis 42): store grain during the seven years of good times, and dispense it during the seven years of hard times. Today we know this as Keynesian economics.

So what sort of conclusions do we draw from all of this?

Well, the first thing I noticed about the article was that it mentioned Clubhouse right at the top, making it part of the non-market interventions being used by wealthier interests in order to stimulate demand for a product. I don’t know whether Cowan was paid for this, or for his appearance there, but I’m sure this reciprocity would not go unnoticed. The wealthy know all about non-market intervention, as use it liberally to tip the scales, drawing on their previously mention half of all wealth in the world.

Another is that in the discussion of economics and monetary policy, we never touch on the actual motivation for any of this, which is to increase human society and to alleviate suffering and hardship. When Cowan talks about, say, “the expected return of public investments,” he elides the point that a lot of government investment is made with no expectation of return – it is, indeed, the antithesis of market policy – because governments are addressing these very human needs. When you lose half a million people in a society, this is far more than an economic issue; it is a human tragedy.

That leads us to our final observation. Cowan says, as a result of these discoveries, that “the only thing worse than living with macroeconomics would be to try to live without it.”

I won’t deny the utility of macroeconomic theory (though I certainly have my doubts about unfettered market capitalism and the utility of monetary policy in a crisis). But it is also abundantly clear that tracking the flow of money, goods and services in an economy is only one small part of a much larger and more complex domain.

It’s like saying “the only thing worse for a human than living with the blood circulation system would be to try to live without it.” This is true – but it is far from the whole story. Focusing only on the blood supply leads to things like blood-letting as a part of medical theory. We need to look at many other things. We need to understand the human condition as a whole, not just as a set of numbers on a balance sheet.

Image: Macroeconomics.

I find I enjoy the process of self hosting my old presentations much more than I had expected. I expected the transition being a chore, but it turns out it is not.

Last September I quit using Slideshare and created a way to host my own slidedecks myself. I had 132 presentations in my personal slideshare account, and a similiar number in my company’s account. Migrating them into my own set-up seemed like a daunting chore. I resolved to take my time for it, to spread out the work load.

I first created a list of presentations that I embedded in this website at the time, containing 55 slide decks. In that list I marked those that I currently think are still relevant, or that I regard as important to me at the time, or that in hindsight turned out to contain something that gained more significance in my work afterwards. Then I started to manually add those prioritised slide decks to my self hosted collection (tonz.nl for Dutch slides, tonz.eu for non-Dutch slides), at most one per day.

Unexpectedly this is fun to do. Because I do not just upload slides, but add links to my blogposts about the talk at the time, a video etc, I sort-of revisit the conference in question. Sometimes rewatching my own talk, sometimes going through the slides of other presenters at the same event or watching their videos. It resurfaces old ideas I forgot about but still find useful, and it results in new associations and thoughts about the topics I discussed in those talks. Leading to new notes and ideas now. It also shows me there is a consistency in my work that isn’t always obvious to me, and it surfaces the evolutionary path of some of my ideas and activities. That makes it worthwile to bring these slides home. Like reassembling an old photo album whose pictures slipped out because the glue became too old.

There are two kinds of impressive people in the world.

The first kind is the experts. The experts are the people who’ve already run the race, probably a few times. They know their way around their craft. They know lots of smart people who’ve also done it before, and they can combine their experience and mistakes from the past with their accumulated knowledge to walk confidently into formidable challenges.

Experts are great to know and have by your side, but chances are, because they’ve been in the game for so long, their world is crowded, and everyone else around you is also trying to play a game with them on the same team.

The second kind of impressive people is the sprinters.

From a distance, the sprinters look no different than every other beginner trying to figure out what they’re doing. They’re just getting started on their craft and making the same mistakes as everyone else, looking for the same kinds of help as everyone else. But the sprinters’ superpower is that they grow and learn faster than everyone else, and if you stand and run right next to them, you can tell the sprinters apart from the regular old runners in the race because every time you look, they’ll be running faster than the last time you saw them.

Sprinters are people who grow and improve at what they do exponentially, because they use every new project and experience and mistake as a way to improve at the next one. They really just care about figuring out what they want to work on, and then spend all their time getting better at that thing. The sprinters’ secret is that getting ahead is just the side effect – the real game they’re playing is just getting better at every step, running every meter a little faster than the last time. And they do it consistently, for longer than everyone else.

If you find yourself lucky enough to be running alongside a sprinter, make a bet on them, because they’ll be the experts of the next generation, leading the group from way up front and showing everyone else the way.

Sprinters don’t have the crowded following or impressive pedigree yet, and there are a lot of things they need help with. You make a bet on them by helping them out right here, when they’re early at the start of their race and invisible from a distance. What might be just a quick conversation or a run-of-the-mill introduction or a weekend collaboration for you could be the thing that helps them take their first big step. And if you’re there believing in their potential before everyone else, trust me, they’ll remember you better than anyone else who joins them later in their ascent.

You can try to find the experts of your space today and get in their network, but the experts will already have their MVPs – their MVPs are the people who helped them out when they were just sprinting for themselves at the start of their race.

So find the sprinters around you, and help them out and work together before anyone else notices them. You might not get the rush of standing next to titans of industry or the big, famous names in your field today, but if you’re patient enough to grow and learn alongside them for a few years, you’ll find yourself surrounded by the people everyone else now wants to be around.

This is how you build a truly valuable personal network – not just by knowing the people who are already successful, but more importantly, by helping the right people before anybody else will.

As a corollary to this idea, if you’re young or trying to break into a new field, and you don’t have nearly the credentials or experience to tout in your story, don’t lean on your average credentials and experience and try to stretch them out. Lean on how quickly you can learn and grow. The right people will notice you, and they’ll make a bet on you before anyone else. When you meet those people, work with them. I’ve both experienced firsthand and heard from others that following this advice – working with the people who bet on you – is more valuable than simply working at the right company with the right brand name on the right project.

Building relationship that matter is a long-term game. And like any other long game, your rate of growth dwarfs any significance that the starting line has in the beginning. If you know this, you can make better bets than the people who haven’t figured this out yet, in many things that matter in the long term – equity, people, and your own opportunities. And fortunately for us, in this case, the right bets also lead to the most interesting and exciting stories in the future.

On launch date, many organisations send an email out to their audience with the following words:

“Our community is now live!”

This makes sense. If you’ve worked hard for months to get the community ready to launch, you’re excited to announce its launch to the world.

But the words “we’re now live” are indicative of the wrong approach. They focus upon your state of mind, not your members’.

Believe me, your audience isn’t clutching their phones trepidatiously awaiting the launch of your community. They’re going about their daily lives.

The problem with announcing the community “is now live” is the audience’s natural reaction is “so what?” (or, more likely, complete indifference).

The better way of thinking about this is to use the phrase:

“You’re invited…”

“You’re invited” instantly provokes curiosity.

Then craft the invite like an invite to a conference afterparty. But imagine your afterparty is being hosted at the same time as 20 others. What would you say, do, an offer to get someone to attend to yours?

Will it be the unique and powerful people they can connect with?
Will it be the most exclusive afterparty in town?
Will the afterparty break new ground or have amazing features others don’t?
Will you want them personally because of something they’ve said and done in the past?

Instead of writing a message announcing a community’s launch, write a message pretending you’re inviting busy people to a party.

I've now been living at work working from home for almost one year.

Before the pandemic, I often spent three hours a day commuting. Now, I'm using these three hours to spend more time with family, become more successful at my job, and work out more. For those reasons, I prefer not to return to an office.

Many aspects of work function much better when people are face-to-face. In addition, I miss the in-person interactions with my colleagues and the camaraderie that comes from working together in person. For those reasons, I can't wait to go back to the office.

Given that I really like both, my personal preference is for work to be "hybrid". Do individual work from home, but go into an office for collaborative work.

Not everyone experiences the same advantages and disadvantages. My personal preference isn't necessarily best for everyone. As an employer, the pandemic has helped me better understand that people's life routines can be very different. For some, working from home has a negative impact on motivation, productivity and mental health. For others, it has been very positive and more productive.

I wouldn't be surprised if 1/3 would prefer not to return to an office, 1/3 would like to go back to the old normal, and the remaining 1/3 would like a hybrid approach where they can work from home a few days a week.

In the coming months, employers will be revisiting their "Work From Home" policies. In turn, employees will need to decide if they can align and readjust to their employer's updated policy. There are a lot of complexities to think through, both for employers and employees alike.

In the end, people will be more thoughtful about the workplace arrangement that best fits their life. On one hand, that is healthy. On the other hand, many people don't have the privilege to choose. The privileged will likely get more privileged (myself included).

I hope that we approach this workplace transformation with an open mind, empathy, and equity. It's important to consider how both corporate policies and individual choices impact people.

Here is a story that will tell you something about me. I am in my first month at a new job. I am surrounded by a few colleagues who are the smartest people I ever worked with. The conversation turns to people’s history. We come to realize that all of us have felt like a … Continued

The post Misfit appeared first on without bullshit.

Hill got the conversation started about a new bike for his wife, Melissa. They were looking for something to replace her aging, skinny-tire'd road bike so that she could more comfortably participate in gravel and mixed terrain rides both by herself and with her riding club. She also wanted to make sure it could handle a bit of luggage for overnight, sport touring trips where minimal gear is needed while going between BnBs or hotels. The Low Kicker Polyvalent was a natural selection for the frameset. Needless to say, this sounded like it was going to be a very fun bike for Melissa and a very fun project for us.

Fastmail protects you from spy pixels and other remote images. As the world's oldest independent email provider, we've been defending your privacy for over 20 years.

---

Fastmail has always been a privacy-focused email provider, and we're encouraged to see the attention that data privacy is now receiving around the world. It's very apparent that large brands have been underwriting the cost of service by making money from your data.

Recently, "spy pixels" have been in the news, with the BBC running a story about this marketing industry practice. Fastmail has blocked spy pixels by default for years. Your information is safe with us.

What is a spy pixel?

Spy pixels or tracking pixels are small images in an email that passes information about you back to the sender. They are typically used in emails from a company such as newsletters, or subscriptions. They could be a logo, a product image, or even just a colored background or a line border. These images live on the sender's server. The tracking image can be very small (even just 1 or 2 pixels large) so it doesn't make the email slower to load.

When you open your email, your mail program requests the image from the remote server (in the same way your browser does when you look at a web page). This request can be monitored by the sender.

These images do not allow the sender to breach the confidentiality of your inbox. They are intended to let the sender know if your email was interesting enough to read their message.

How do spy pixels work for tracking?

Every time a mail program opens an email that contains a remote image, the sender's server knows the image was requested. But with each request usually goes some extra information such as: What IP address your email client is at (which can be used to reveal your approximate location within 50km/30mi)? What mail program you're using (which can be used to know if you're reading on a desktop, tablet, or phone)?

Some senders take an additional step and they create a unique link for each recipient to the image they use to track. This lets them know whether you've opened their email, where you are, and how you read your mail. No wonder tracking makes us feel that we're being spied on!

Why do senders use tracking images?

As marketing has moved further online, companies want to understand whether they are reaching their audience. They want to know if their newsletters are being thrown in the trash, or opened, read and shared. There's whole schools of thought about how to increase a marketing campaign's open rate. After all, if they know what interests their subscribers, then they are better able to serve them.

However, some organizations go further and use tracking images that individually identify their recipients so that their sales team can tell specifically who has read their email, how many times, at what time of day, and on what device. Then they know who to contact, who's already interested, and who is a cold call.

Fastmail has always defended you from spy pixels

At Fastmail, we know that any image fetched when displaying an email can be used to monitor you. We put you in control of managing how to handle remote images. We've been protecting you from this practice for over 15 years.

When reading your mail through your web browser, or on mobile with our Fastmail apps, you can choose whose images you want to load by adjusting settings in your Privacy settings:

• Always ask before loading remote images: Remote images are always blocked but you can load them as you need to.
• Show remote images from senders in my contacts, otherwise ask: If you know the sender, we'll load the images, otherwise images are blocked by default.
• Show remote images: Images are always loaded.

Your location always stays private

Should you choose to load those remote images, we load them via our server, not from your client. This means the sender only knows our server information and location, and not yours.

We block all remote images rather than guess at which particular ones might be used for spying, because any image can be used as a spy pixel. Rather than providing you with a false sense of security thinking we have blocked all spy pixels (and only the spy pixels) when we might have detected them incorrectly, we let you control how images are handled, based on your relationship with the sender.

Note: Location protection for remote images works on our website and our apps. If you use a third party client or program to read your mail, we can't intercept these images. Check out this guide to disabling tracking pixels in some common clients.*

Protect yourself from invasive marketing by:

1. Generous use of the 'unsubscribe' button on mailing lists if you no longer want to hear from them, or disagree with their tracking behaviours.
2. Get rid of spam. Spam is mail that doesn't have an unsubscribe link (or one that does not actually remove you from their list), in which case use our keyboard shortcut of "!" to report spam.
3. Use email aliases any time you give out an email address to a company and not an individual. Using an alias lets you easily block email if you don't want to hear from that sender any more, or discover they have sold or leaked your data. Fastmail lets you have over 600 email aliases at no extra cost.

If you'd like to help friends and family get protected from spy pixels, with a company that respects your privacy and the way you choose to work, share your referral link to give them a discount. If you're new to Fastmail, try it today with our 30-day free trial!

When was the last time you backed up all your important documents and photos? Last month? Last year? Never? Setting up a good backup system can seem time-consuming and intimidating, but it’s neither. Anyone can do it, and everyone should. In less than 15 minutes you can have a system that backs up your files automatically—both to an external drive and to encrypted cloud storage—without any regular action from you.

How to secure an Ubuntu server using Tailscale and UFW

This is the Tailscale tutorial I've always wanted: it explains in detail how you can run an Ubuntu server (from any cloud provider) such that only devices on your personal Tailscale network can access it.

Joseph Planta @Planta
Perhaps I should pick seventeen interviews from the last 17 years of the podcast to highlight.

Go straight to STM

Everybody wants to know. Does Haskell have mutable state?

Yes! In fact, several different kinds – IORef, MVar, TVar – that have various tradeoffs depending on…

Ugh.

---

I’m not big on complaining about what things are named, but STM is a rough one for me. To explain why it’s called “software transactional memory”, we have to go back to the 90s.

• 1993 – Transactional Memory: Architectural Support for Lock-Free Data Structures by Maurice Herlihy and J. Eliot B. Moss. One of many historical attempts to address the ever-irksome question of how multi-threaded programs can share data safely and efficiently, this paper proposes redesigning the caches on our physical memory chips to support what they call “transactional memory”.
• 1995 – Software Transactional Memory by Nir Shavit and Dan Touitou. They looked at the Transactional Memory research and said, hey, you don’t actually need to build a whole new architecture for this, because we can do it in software. So they called their idea software transactional memory.
• 2005 – The idea is implemented in GHC 6.4 and described in Composable memory transactions by Tim Harris, Simon Marlow, and Simon Peyton Jones. They publish a small library named stm which is still prominent in Haskell today.

The Tetris problem

There’s a saying that life is comparable to Tetris: While your mistakes are piling up, your successes disappear.

I think it beautifully describes a phenomenon in software: When people keep having to spend a great deal of time and code on a problem, it generates a great deal of discussion. Once there appears a solution that effectively mitigates the problem, there’s no need to devote so much talk to it anymore. Your successes disappear.

And I believe that’s what happened in 2005. STM solved a tremendous swath of multiprocessing problems in such a simple way that it all vanished in a puff of success. There aren’t enough flaws to make a popular conversation topic. Fantastic support for concurrency is, in my estimation, one of the greatest advantages of using Haskell to learn to code – and I’m not sure the programming population at large even knows that concurrent Haskell exists. From watching what most of us normally talk about, how would they ever find out?

Back in my “startup” days, I found out that it’s very difficult to switch back and forth between pitching a business and working on the product. The pitch has to be about everything that’s going right, but my everyday work focus is centered around what’s wrong. When I’m working on the product and somebody asks me about the business, all that’s on my mind is worries. And everyone can tell. You should never put me in front of investors.

Programmers all seem to hate their favorite languages, and I think it’s the Tetris problem. The good parts don’t require your attention.

One ref to rule them all

It was writing the Haskell Phrasebook that prompted our decision to ignore IORef and MVar and jump straight to STM. We wanted to quickly empower readers by presenting a small selection of the most generally useful APIs. When you’re stuggling through first steps in a language, you don’t need an overview of all the options; you need a guide to recommend a single good default.

This need for a minimal curriculum is especially pressing on the subject of state mutation, where the novelty budget is from the get-go already stressed by Haskell’s difference from other programming paradigms (more on that below). Three mutable state containers is two too many, so we picked STM as the one. Even for single-threaded applications, we’ll use a TVar; because then once you do need concurrency, you’re already prepared for it.

The great triumph of STM, and the reason it suffers the Tetris problem so badly, is that it does its job with very little contribution from the programmer. You are saved from many common sources of “race condition” and “deadlock” without even needing to know what those terms mean. TVars are simply state containers that work as expected in a multithreaded environment without weird surprises.

The potential downside of choosing STM is performance cost. To avoid it for this reason would fall squarely into the category of “premature optimization” for new language learners. Start with the thing that gives you a lot of safety with minimal effort.

Where the novelty budget is spent

In many languages, operations on state containers are built in using overloaded keywords. For example, the Python statement x = y can serve many ends, depending on context:

1. Define a constant x whose value is y;
2. Create a new state container x whose initial value is y;
3. Replace the current value of the existing container x with the value y;
4. Define a constant x whose value is obtained by reading from a state container y;
5. Create a new state container x whose initial value is the value obtained from container y; or
6. Replace the current value of the existing container x with the value obtained from container y.

In Haskell, x = y has only the first meaning, and the rest can be constructed using library functions like so:

2. x <- atomically (newTVar y)
3. atomically (writeTVar x y)
4. x <- atomically (readTVar y)
5. x <- atomically (newTVar =<< readTVar y)
6. atomically (writeTVar x =<< readTVar y)

As Haskell users, we appreciate the clarity afforded by this extra verbiage. But we cannot allow our own affinities to distract us from the critical step of guiding transitioners over this undeniable hump of unfamiliarity.

State is for threads

The final reason for presenting TVar as the standard state container is that we rarely use mutable references in single-threaded programs. Even if we initially present state mutation using simple single-threaded demonstrations, the general aim of learning how to use state containers is to enable communication between threads. Since this is the job at which STM truly excels, programmers are better served by exposure to it sooner rather than later.

---

STM is the subject of chapter 10 in Sockets and Pipes, available for purchase on Leanpub.

cosmopolitan libc

"Cosmopolitan makes C a build-once run-anywhere language, similar to Java, except it doesn't require interpreters or virtual machines be installed beforehand. [...] Instead, it reconfigures stock GCC to output a POSIX-approved polyglot format that runs natively on Linux + Mac + Windows + FreeBSD + OpenBSD + BIOS with the best possible performance and the tiniest footprint imaginable." This is a spectacular piece of engineering.

Via Hacker News

A swimming pool empty, a towel, a mask.

Captured by Dianna.

The pandemic has been around for one full year as of this week, so even though I have had very little time or reason to write in the meantime, it made sense to put together a short update on where we’re at from my standpoint.

This is the latest (slightly overdue) installment in my “pandemic saga”, which currently spans quite a few posts: It began 50 days after the start of the pandemic and has had irregular updates 120, 200-ish, 250-ish, 300-ish, 320-ish and 333 days later.

Current Status

In the space of a few weeks after lessening restrictions around Christmas (which is now widely recognized as being one of the dumbest ideas ever, even though nobody in the government wants to own the responsibility to “look back”), Portugal moved from becoming one of the less afflicted countries to the worst country in the world where it regards dealing with the pandemic.

Little did we know at the time it would only get a lot worse during January and early February, until a proper lockdown started having the desired effect:

…the downside, of course, is that entirely too many people died during this “learning period”:

More to the point, our health system is still stressed well beyond nominal capacity, and is taking a long time to recover:

All this data is available on my dashboard, which I’m still maintaining (although I’ve automated a few updates).

The Obvious Point To Be Made

Hard lockdowns work.

Period. New Zealand made that obvious, but our laissez-faire, consensus-based government was fundamentally unable to learn that lesson the easy way.

There is no wishy-washy, half-way point at which the government can both cater to economic pressure and prevent the collapse of the health system, nor any other way so they can have their cake and eat it too. We should have never loosened restrictions over Christmas, and ought to have gone into strict lockdown even before the November peak, let alone the blunders that were made early December.

This was pointed out before, during and after the current wave by a number of people (including some of the experts the government consulted, who have since discreetly distanced themselves from the proceedings).

And yet, the idiotic, selfish backlash against lockdown made the news time and again. The same restaurant made headlines by having dinner parties. The same people went out and about without nary a care in the world. Denialists of various kinds popped up here and there (and some were–finally–banned from social networks). There were various protests and demands for financial aid to small businesses, etc.

Yes, of course confinement was tough on businesses. But 16.000 people are dead, 10.000 of which in the past couple of months alone. And I still think that we barely missed having a much worse outbreak by closing down schools (belatedly, I should add). And yet there is already talk of re-opening them soon, and people are (again) taking to the streets because they think that with numbers visibly down, there is hardly anything to care about.

Vaccination

It’s the same mess as anywhere else (and the same mess regarding getting official data, but I won’t go down that rabbit hole again):

The chart on the right should probably be cumulative, but since recovery and inoculation are two different things I decided to plot everything separately.

So far, out of our entire family (including seniors, all of whom are eligible for vaccination in the first batches), only two got the first shot. That this is pretty dismal progress-wise is pretty obvious to anyone at this point, and I’m neither happy with the overall situation (never mind the supply constraints) nor with the policies or procedures adopted, which seem haphazard and inefficient.

Scaling this out to the population at large seems like a major challenge, and I have no illusions that the vaccine will afford full protection until (perhaps) the end of the year (excluding whatever mutations come about).

Other Stuff

I’ve been home for well over a year (pandemic or otherwise) and am still amazed that I haven’t completely burned out three or four times already in between the pandemic, work, and all the grating attrition that comes with having your life simultaneously “on hold” for this long and working ~12 hours a day.

I know I’m extraordinarily lucky to be able to not only work at all but also be able to do so in a context that is increasingly more fun, but that does not make things any easier–I’m still yearning for a long break from everything, and the past few months I had a few tough moments.

The worse thing, I think, is being completely aware that this isn’t over yet (not by a long shot) while the population at large starts going out and about as if it was just a rain shower (never mind complaining about having too much free time).

Sometimes ignorance is, indeed, bliss.

Addressing Supply Chain Vulnerabilities

One of the unsung achievements of modern software development is the degree to which it has become componentized: not that long ago, when you wanted to write a piece of software you had to write pretty much the whole thing using whatever tools were provided by the language you were writing in, maybe with a few specialized libraries like OpenSSL. No longer. The combination of newer languages, Open Source development and easy-to-use package management systems like JavaScript’s npm or Rust’s Cargo/crates.io has revolutionized how people write software, making it standard practice to pull in third party libraries even for the simplest tasks; it’s not at all uncommon for programs to depend on hundreds or thousands of third party packages.

Supply Chain Attacks

While this new paradigm has revolutionized software development, it has also greatly increased the risk of supply chain attacks, in which an attacker compromises one of your dependencies and through that your software.^[1] A famous example of this is provided by the 2018 compromise of the event-stream package to steal Bitcoin from people’s computers. The Register’s brief history provides a sense of the scale of the problem:

Ayrton Sparling, a computer science student at California State University, Fullerton (FallingSnow on GitHub), flagged the problem last week in a GitHub issues post. According to Sparling, a commit to the event-stream module added flatmap-stream as a dependency, which then included injection code targeting another package, ps-tree.

There are a number of ways in which an attacker might manage to inject malware into a package. In this case, what seems to have happened is that the original maintainer of event-stream was no longer working on it and someone else volunteered to take it over. Normally, that would be great, but here it seems that volunteer was malicious, so it’s not great.

Standards for Critical Packages

Recently, Eric Brewer, Rob Pike, Abhishek Arya, Anne Bertucio and Kim Lewandowski posted a proposal on the Google security blog for addressing vulnerabilities in Open Source software. They cover a number of issues including vulnerability management and security of compilation, and there’s a lot of good stuff here, but the part that has received the most attention is the suggestion that certain packages should be designated “critical”^[2]:

For software that is critical to security, we need to agree on development processes that ensure sufficient review, avoid unilateral changes, and transparently lead to well-defined, verifiable official versions.

These are good development practices, and ones we follow here at Mozilla, so I certainly encourage people to adopt them. However, trying to require them for critical software seems like it will have some problems.

It creates friction for the package developer

One of the real benefits of this new model of software development is that it’s low friction: it’s easy to develop a library and make it available — you just write it put it up on a package repository like crates.io — and it’s easy to use those packages — you just add them to your build configuration. But then you’re successful and suddenly your package is widely used and gets deemed “critical” and now you have to put in place all kinds of new practices. It probably would be better if you did this, but what if you don’t? At this point your package is widely used — or it wouldn’t be critical — so what now?

It’s not enough

Even packages which are well maintained and have good development practices routinely have vulnerabilities. For example, Firefox recently released a new version that fixed a vulnerability in the popular ANGLE graphics engine, which is maintained by Google. Both Mozilla and Google follow the practices that this blog post recommends, but it’s just the case that people make mistakes. To (possibly mis)quote Steve Bellovin, “Software has bugs. Security-relevant software has security-relevant bugs”. So, while these practices are important to reduce the risk of vulnerabilities, we know they can’t eliminate them.

Of course this applies to inadvertant vulnerabilities, but what about malicious actors (though note that Brewer et al. observe that “Taking a step back, although supply-chain attacks are a risk, the vast majority of vulnerabilities are mundane and unintentional—honest errors made by well-intentioned developers.”)? It’s possible that some of their proposed changes (in particular forbidding anonymous authors) might have an impact here, but it’s really hard to see how this is actionable. What’s the standard for not being anonymous? That you have an e-mail address? A Web page? A DUNS number?^[3] None of these seem particularly difficult for a dedicated attacker to fake and of course the more strict you make the requirements the more it’s a burden for the (vast majority) of legitimate developers.

I do want to acknowledge at this point that Brewer et al. clearly state that multiple layers of protection needed and that it’s necessary to have robust mechanisms for handling vulnerability defenses. I agree with all that, I’m just less certain about this particular piece.

Redefining Critical

Part of the difficulty here is that there are ways in which a piece of software can be “critical”:

• It can do something which is inherently security sensitive (e.g., the OpenSSL SSL/TLS stack which is responsible for securing a huge fraction of Internet traffic).
• It can be widely used (e.g., the Rust log) crate, but not inherently that sensitive.

The vast majority of packages — widely used or not — fall into the second category: they do something important but that isn’t security critical. Unfortunately, because of the way that software is generally built, this doesn’t matter: even when software is built out of a pile of small components, when they’re packaged up into a single program, each component has all the privileges that that program has. So, for instance, suppose you include a component for doing statistical calculations: if that component is compromised nothing stops it from opening up files on your disk and stealing your passwords or Bitcoins or whatever. This is true whether the compromise is due to an inadvertant vulnerability or malware injected into the package: a problem in any component compromises the whole system.^[4] Indeed, minor non-security components make attractive targets because they may not have had as much scrutiny as high profile security components.

Least Privilege in Practice: Better Sandboxing

When looked at from this perspective, it’s clear that we have a technology problem: There’s no good reason for individual components to have this much power. Rather, they should only have the capabilities they need to do the job they are intended to to (the technical term is least privilege); it’s just that the software tools we have don’t do a good job of providing this property. This is a situation which has long been recognized in complicated pieces of software like Web browsers, which employ a technique called “process sandboxing” (pioneered by Chrome) in which the code that interacts with the Web site is run in its own “sandbox” and has limited abilities to interact with your computer. When it wants to do something that it’s not allowed to do, it talks to the main Web browser code and asks it to do it for it, thus allowing that code to enforce the rules without being exposed to vulnerabilities in the rest of the browser.

Process sandboxing is an important and powerful tool, but it’s a heavyweight one; it’s not practical to separate out every subcomponent of a large program into its own process. The good news is that there are several recent technologies which do allow this kind of fine-grained sandboxing, both based on WebAssembly. For WebAssembly programs, nanoprocesses allow individual components to run in their own sandbox with component-specific access control lists. More recently, we have been experimenting with a technology called called RLBox developed by researchers at UCSD, UT Austin, and Stanford which allows regular programs such as Firefox to run sandboxed components. The basic idea behind both of these is the same: use static compilation techniques to ensure that the component is memory-safe (i.e., cannot reach outside of itself to touch other parts of the program) and then give it only the capabilities it needs to do its job.

Techniques like this point the way to a scalable technical approach for protecting yourself from third party components: each component is isolated in its own sandbox and comes with a list of the capabilities that it needs (often called a manifest) with the compiler enforcing that it has no other capabilities (this is not too dissimilar from — but much more granular than — the permissions that mobile applications request). This makes the problem of including a new component much simpler because you can just look at the capabilities it requests, without needing verify that the code itself is behaving correctly.

Making Auditing Easier

While powerful, sandboxing itself — whether of the traditional process or WebAssembly variety — isn’t enough, for two reasons. First, the APIs that we have to work with aren’t sufficiently fine-grained. Consider the case of a component which is designed to let you open and process files on the disk; this necessarily needs to be able to open files, but what stops it from reading your Bitcoins instead of the files that the programmer wanted it to read? It might be possible to create a capability list that includes just reading certain files, but that’s not the API the operating system gives you, so now we need to invent something. There are a lot of cases like this, so things get complicated.

The second reason is that some components are critical because they perform critical functions. For instance, no matter how much you sandbox OpenSSL, you still have to worry about the fact that it’s handling your sensitive data, and so if compromised it might leak that. Fortunately, this class of critical components is smaller, but it’s non-zero.

This isn’t to say that sandboxing isn’t useful, merely that it’s insufficient. What we need is multiple layers of protection^[5], with the first layer being procedural mechanisms to defend against code being compromised and the second layer being fine-grained sandboxing to contain the impact of compromise. As noted earlier, it seems problematic to put the burden of better processes on the developer of the component, especially when there are a large number of dependent projects, many of them very well funded.

Something we have been looking at internally at Mozilla is a way for those projects to tag the dependencies they use and depend on. The way that this would work is that each project would then be tagged with a set of other projects which used it (e.g., “Firefox uses this crate”). Then when you are considering using a component you could look to see who else uses it, which gives you some measure of confidence. Of course, you don’t know what sort of auditing those organizations do, but if you know that Project X is very security conscious and they use component Y, that should give you some level of confidence. This is really just a automating something that already happens informally: people judge components by who else uses them. There are some obvious extensions here, for instance labelling specific versions, having indications of what kind of auditing the depending project did, or allowing people to configure their build systems to automatically trust projects vouched for by some set of other projects and refuse to include unvouched projects, maintaining a database of insecure versions (this is something the Brewer et al. proposal suggests too). The advantage of this kind of approach is that it puts the burden on the people benefitting from a project, rather than having some widely used project suddenly subject to a whole pile of new requirements which they may not be interested in meeting. This work is still in the exploratory stages, so reach out to me if you’re interested.

Obviously, this only works if people actually do some kind of due diligence prior to depending on a component. Here at Mozilla, we do that to some extent, though it’s not really practical to review every line of code in a giant package like WebRTC There is some hope here as well: because modern languages such as Rust or Go are memory safe, it’s much easier to convince yourself that certain behaviors are impossible — even if the program has a defect — which makes it easier to audit.^[6] Here too it’s possible to have clear manifests that describe what capabilities the program needs and verify (after some work) that those are accurate.

Summary

As I said at the beginning, Brewer et al. are definitely right to be worried about this kind of attack. It’s very convenient to be able to build on other people’s work, but the difficulty of ascertaining the quality of that work is an enormous problem^[7]. Fortunately, we’re seeing a whole series of technological advancements that point the way to a solution without having to go back to the bad old days of writing everything yourself.

---

1. Supply chain attacks can be mounted via a number of other mechanisms, but in this post, we are going to focus on this threat vector. ↩︎
2. Where “critical” is defined by a somewhat complicated formula based roughly on the age of the project, how actively maintained it seems to be, how many other projects seem to use it, etc. It’s actually not clear to me that this is metric is that good a predictor of criticality; it seems mostly to have the advantage that it’s possible to evaluate purely by looking at the code repository, but presumably one could develop a metric that would be good. ↩︎
3. Experience with TLS Extended Validation certificates, which attempt to verify company identity, suggests that this level of identity is straightforward to fake. ↩︎
4. Allan Schiffman used to call this phenomenen a “distributed single point of failure”. ↩︎
5. The technical term here is defense in depth. ↩︎
6. Even better are verifiable systems such the HaCl* cryptographic library that Firefox depends on. HaCl* comes with a machine-checkable proof of correctness, which significantly reducing the need to audit all the code. Right now it’s only practical to do this kind of verification for relatively small programs, in large part because describing the specification that you are proving the program conforms to is hard, but the technology is rapidly getting better. ↩︎
7. This is true even for basic quality reasons. Which of the two thousand ORMs for node is the best one to use? ↩︎

The post Notes on Addressing Supply Chain Vulnerabilities appeared first on The Mozilla Blog.

In a Paris Review interview, Fran Lebowitz joked about the challenge of writing:

Every time I sit at my desk, I look at my dictionary, a Webster's Second Unabridged with nine million words in it and think, All the words I need are in there; they're just in the wrong order.

Unfortunately, thinks this computer scientist, writing is a computationally more intense task than simply putting the words in the right order. We have to sample with replacement.

Computational complexity is the reason we can't have nice things.

This week I got involved with the VaccinateCA effort. We are trying to end the pandemic a little earlier, by building the most accurate database possible of vaccination locations and availability in California.

VaccinateCA

I’ve been following this project for a while through Twitter, mainly via Patrick McKenzie - here’s his tweet about the project from January 20th.

https://t.co/JrD5mb4TAN calls medical professionals daily to ask who they could vaccinate and how to get in line. We publish this, covering the entire state of California, to help more people get their vaccines faster. Please tell your friends and networks.

- Patrick McKenzie (@patio11) January 20, 2021

The core idea is one of those things that sounds obviously correct the moment you hear it. The Covid vaccination roll-out is decentralized and pretty chaotic. VaccinateCA figured out that the best way to figure out where the vaccine is available is to call the places that are distributing it - pharmacies, hospitals, clinics - as often as possible and ask if they have any in stock, who is eligible for the shot and how people can sign up for an appointment.

What We've Learned (So Far) by Patrick talks about lessons learned in the first 42 days of the project.

There are three public-facing components to VaccinateCA:

• www.vaccinateca.com is a website to help you find available vaccines near you.
• help.vaccinateca is the web app used by volunteers who make calls - it provides a script and buttons to submit information gleaned from the call. If you’re interested in volunteering there’s information on the website.
• api.vaccinateca is the public API, which is documented here and is also used by the end-user facing website. It provides a full dump of collected location data, plus information on county policies and large-scale providers (pharmacy chains, health care providers).

The system currently mostly runs on Airtable, and takes advantage of pretty much every feature of that platform.

Why I got involved

Jesse Vincent convinced me to get involved. It turns out to be a perfect fit for both my interests and my skills and experience.

I’ve built crowdsourcing platforms before - for MP’s expense reports at the Guardian, and then for conference and event listings with our startup, Lanyrd.

VaccinateCA is a very data-heavy organization: the key goal is to build a comprehensive database of vaccine locations and availability. My background in data journalism and the last three years I’ve spent working on Datasette have given me a wealth of relevant experience here.

And finally… VaccinateCA are quickly running up against the limits of what you can sensibly do with Airtable - especially given Airtable’s hard limit at 100,000 records. They need to port critical tables to a custom PostgreSQL database, while maintaining as much as possible the agility that Airtable has enabled for them.

Django is a great fit for this kind of challenge, and I know quite a bit about both Django and using Django to quickly build robust, scalable and maintainable applications!

So I spent this week starting a Django replacement for the Airtable backend used by the volunteer calling application. I hope to get to feature parity (at least as an API backend that the application can write to) in the next few days, to demonstrate that a switch-over is both possible and a good idea.

What about Datasette?

On Monday I spun up a Datasette instance at vaccinateca.datasette.io (underlying repository) against data from the public VaccinateCA API. The map visualization of all of the locations instantly proved useful in helping spot locations that had incorrectly been located with latitudes and longitudes outside of California.

I hope to use Datasette for a variety of tasks like this, but it shouldn’t be the core of the solution. VaccinateCA is the perfect example of a problem that needs to be solved with Boring Technology - it needs to Just Work, and time that could be spent learning exciting new technologies needs to be spent building what’s needed as quickly, robustly and risk-free as possible.

That said, I’m already starting to experiment with the new JSONField introduced in Django 3.1 - I’m hoping that a few JSON columns can help compensate for the lack of flexibility compared to Airtable, which makes it ridiculously easy for anyone to add additional columns.

(To be fair JSONField has been a feature of the Django PostgreSQL Django extension since version 1.9 in 2015 so it’s just about made it into the boring technology bucket by now.)

Also this week

Working on VaccinateCA has given me a chance to use some of my tools in new and interesting ways, so I got to ship a bunch of small fixes, detailed in Releases this week below.

On Friday I gave a talk at Speakeasy JS, "the JavaScript meetup for 🥼 mad science, 🧙‍♂️ hacking, and 🧪 experiments" about why "SQL in your client-side JavaScript is a great idea". The video for that is on YouTube and I plan to provide a full write-up soon.

I also recorded a five minute lightning talk about Git Scraping for next week's NICAR 2021 data journalism conference.

I also made a few small cosmetic upgrades to the way tags are displayed on my blog - they now show with a rounded border and purple background, and include a count of items published with that tag. My tags page is one example of where I've now applied this style.

TIL this week

• Using sphinx.ext.extlinks for issue links
• Show the SQL schema for a PostgreSQL database
• Running tests against PostgreSQL in a service container
• Adding extra read-only information to a Django admin change page
• Granting a PostgreSQL user read-only access to some tables

Releases this week

• flatten-single-item-arrays: 0.1 - 2021-02-25
  Given a JSON list of objects, flatten any keys which always contain single item arrays to just a single value
• datasette-auth-github: 0.13.1 - (25 releases total) - 2021-02-25
  Datasette plugin that authenticates users against GitHub
• datasette-block: 0.1.1 - (2 releases total) - 2021-02-25
  Block all access to specific path prefixes
• github-contents: 0.2 - 2021-02-24
  Python class for reading and writing data to a GitHub repository
• csv-diff: 1.1 - (9 releases total) - 2021-02-23
  Python CLI tool and library for diffing CSV and JSON files
• sqlite-transform: 0.4 - (5 releases total) - 2021-02-22
  Tool for running transformations on columns in a SQLite database
• airtable-export: 0.5 - (7 releases total) - 2021-02-22
  Export Airtable data to YAML, JSON or SQLite files on disk

Back in 2012 E and I gave about half of our many books away as part of a BBQ party. We kept what we hadn’t read yet but still found interesting, as well as reference books and books we had read and felt attached to. In the decade since I’ve bought a lot of new books, based on interests, recommendations, or because they were mentioned in books I did read, and of course based on arbitrary reasons like the title and design jumped out at me while browsing a bookstore. Even though E and I don’t regularly descend anymore on a bookstore like a swarm of locusts on a field, something we did frequently in the past, over the years the collection of unread books I have has grown significantly. Those stacks of unread books carry a certain weight on my mind, a nagging backlog of books to read. I stopped buying for a long while because I ‘should’ read the others first.

Taleb in his book The Black Swan comes up with the concept of the Anti-Library. I don’t remember that specifically from reading The Black Swan, but I came across it again in this posting at Ness Labs. I do remember reading Taleb’s anecdote about Umberto Eco’s enormous book collection though, which concludes with the concept of the Anti-Library.

An Anti-Library is your personal curated collection of books, papers etc. that you haven’t read. Taleb posits that what you haven’t read, but did have reason to collect and adopt into your library constitutes a research tool. Because it has more potential value (in terms of new insights etc) than what you’re already familiar with and have read.

This puts the focus on how I can actively use the stacks of unread books around the house and on my devices, while at the same time letting go of the feeling of guilt attached to it (“I really should read that book I bought soon….”). This switches the perspective from ‘I bought this book to read immediately’ to ‘I bought this book so it’s there when I might need it’. From ‘backlog’ to ‘shelves of opportunity’.

Thinking in terms of an anti-library also allows paying attention to how you deliberately enlarge the collection of unreads, which is a curation task. The unread books aren’t random choices, they are a selected set of personal resources concerning themes you find interesting or that make you curious.

I de facto already have an anti-library, as the result of procuring books faster than reading them. To make it fully visible as such to myself and use it as a research tool, I probably just need to add a few tweaks. Such as:

• Maintaining an index of unread books. I created a collection ‘Anti-library’ in Zotero, which also contains other collections with the references to things I did read. Zotero works well with both books and (academic) papers. I already had in my notes a list called ‘my reading list’ which is an overview of books I think would be useful to read at this moment in time, which I moved to Zotero. And I could make an additional round through my e-ink devices, and our home to add to the list of unreads.
• When adding a new unread book, jotting down why I thought to add it. This is helpful context in evaluating it later. I do the same for bookmarks I store for later reading/turning into notes, where I write down why I thought it relevant and to which other things I think it might be connected.
• Keep doing what I already do, which is checking out recommendations from peers, and what other books the ones I enjoy currently reading are referencing
• I now post here about books I read sometimes, maybe I should do the same for books I acquired but didn’t yet read, and share the reason I think it might be an interesting book. Have an anti-library stream
• When exploring a new question, consider which unread books may contain relevant insights (next to exploring what my notes already contain on the question at hand)

The other side of a book case, image by Ton Zijlstra, license CC BY NC SA

mkalus shared this story from vwestlife's YouTube Videos.

---

---

mkalus shared this story from moodvintage on Twitter.

---

A San Francisco-based tech startup called ‘Framework‘ is launching a modular laptop that it says can be modified, upgraded and customized above and beyond any other laptop.

It’s an intriguing premise, and while Framework isn’t the first to take a run at modular computer hardware, it seems more dedicated to the cause than others.

“This is not something we’re dabbling in. It’s not a side project for us that someone thought was interesting. This is the core of our company,” Framework founder Nirav Patel told The Verge.

Patel also touted the environmental benefits, explaining that most tech companies push out products in a way that encourages wasteful upgrading.

The Framework Laptop — which Patel views as more of an ecosystem than a single product — hopes to encourage less wasteful upgrades and repairs by making many of the parts interchangeable. It sports a 13.5-inch, 2256 x 1504 pixel screen, 1080p 60fps webcam, a 55Wh battery and a 2.87lb aluminum chassis. On the inside, customers can equip the Framework Laptop with an 11th Gen Intel processor, up to 64GB of DDR4 memory and up to a 4TB SSD.

While several laptops available on the market let you upgrade many of those parts, Framework goes above and beyond in a few ways. For one, the Framework Laptop also allows users to upgrade external components, like the keyboard, screen or bezels (which are attached using magnets). There’s even a swappable port system so you won’t need any dongles.

Another way Framework plans to set itself apart is by hosting a centralized digital marketplace for buying and selling parts. The company plans to open the system to third-party retailers. Through this system, customers will be able to purchase components to modify or repair their laptops. Laptop components include a QR code that people can scan to get a link to a webpage to buy a replacement.

Finally, Framework plans to offer pre-built systems and kits for enthusiasts who want to assemble the entire laptop themselves. The do-it-yourself (DIY) kit will also let users pick their own operating system, whether that’s a Windows 10 installation or a Linux distribution of their choice.

Framework’s website says the company will ship the laptop starting summer 2021. Those interested can sign up for an email notification when pre-orders go live. However, the company hasn’t shared any information about pricing or Canadian availability yet. Hopefully, those details come soon.

Source: Framework Via: The Verge

The post Framework’s modular laptop lets you swap the screen, keyboard and ports appeared first on MobileSyrup.

Carl Pei’s ‘Nothing’ startup has a new founding partner in Swedish music gadget maker Teenage Engineering.

Nothing has named Teenage Engineering CEO Jesper Kouthoofd as its creative lead and Tom Howard, the vice-head of Teenage Engineering, as the head of design.

Teenage Engineering is an electronics company based in Sweden that makes cool audio gear like synthesizers. It even recently partnered with Ikea to make a limited-edition collection of home products. 

This is huge news for Nothing since Teenage Engineering has some of the best hardware design in the tech game right now. That said, it’s interesting that the company is going after creatives with colourful past projects when all of Nothing’s branding so far has been white and black.

Nothing’s first product is slated to be a pair of wireless earbuds that will come out this summer. It will be interesting to see how much influence Teenage Engineering has on the look of its new products.

Pei’s startup also recently acquired what’s left of Essential. If the company can somehow combine a device like the Essential Phone with Teenage Engineerings style, it’s either going to be incredibly cool, or end up like a new version of the Nextbit Robin.

Source: Engadget 

The post Nothing taps Teenage Engineering as a founding partner in charge of hardware appeared first on MobileSyrup.

Nudget¹ is a budgeting app designed to streamline the daily input of expenses. Developer Sawyer Blatz created a gorgeous and extremely efficient interface to make budgeting feel light and fun. With my beloved bank Simple closing this year, I’ve been looking for new solutions for keeping track of my finances. Over the last couple weeks I’ve worked with Nudget full-time, and the experience has been rewarding.

Getting Started

As is the case with any budgeting app, you’ll need to put in a bit of work up front to get started with Nudget. When you first open the app it will prompt you to input your after-tax income and recurring expenses. Nudget uses this data to craft a simplified budget for you. Budget-wise, the app isn’t doing anything too fancy. Each budget consists of three categories: recurring expenses, spending money, and savings. These categories are shown as large cards in Nudget’s ‘Budget’ tab, and you can tap each one to edit it.

Tapping into the ‘Recurring Expenses’ card opens a list interface where you can add new expenses. Tap the ‘+’ button, then give the recurring expense a name and cost. The frequency of each expense is set from a horizontal bar which has options for daily, weekly, biweekly, monthly, quarterly, and annually. The expense list is sorted by cost, and breaks down your expenses by one of the time intervals mentioned above. If you have the list set to monthly (the default) then any yearly expenses will be divided out to show their monthly cost. Weekly expenses will be multiplied to get a monthly total, etc. The interface for this list is simple, but feels very usable and accomplishes everything that I’d want from it. Visualizing my expenses by different timeframes is particularly nice.

The ‘Spending Money’ and ‘Savings’ cards don’t get their own interfaces, but tapping either one brings up a number pad where you can set their value. Altogether your recurring expenses, spending money, and savings amounts must add up exactly to what you set as your total income. As such, if you increase the value in the ‘Savings’ card, that amount will be correspondingly subtracted from the ‘Spending Money’ card’s value (and vice-versa). Nudget handles these calculations for you automatically, and if you try to set one of the values too high then it will be reset to its maximum amount (thus reducing the other category to zero). Nudget won’t mess with your recurring expenses number, so it’s really just balancing the spending money and savings values to match your income after recurring expenses have been taken out of it.

Whatever value you choose for spending money is what Nudget then tries to help you budget for. It divides this value across every day of the month, and then keeps track of whether you’ve gone over-budget in a given day. This is where your manual expense input comes into play.

Transactions

The ‘Transaction’ tab is where you go to add an expense to Nudget. You do not need to add any expenses that you’re tracking as recurring expenses — Nudget considers those to be immediately removed from your income each month. As such, you only need to add expenses that fall outside your known categories.

The Transaction interface makes it simple and quick to add expenses, but it does take a small amount of up-front work to prepare. Each expense consists of an amount, a memo, and a tag. The latter two items are optional, but tagging expenses is important so that the app can give you better insights into your spending habits. Nudget includes a couple example tags, but when you get started you’ll want to hit the ‘Edit Tags’ button and add your own. Once your tags are set, inputting new expenses becomes very easy.

To input a new expense, just tap the tag it belongs to, enter an amount, and hit the check button. If you do want to take the extra step of adding a memo then you can do so as well, but personally I only add memos to expenses under my “Misc” tag so that I know what they were — all of my other tags speak for themselves so that my transaction input is as streamlined as possible (also, if a similar type of expense keeps falling into “Misc” then I know it needs its own tag). I know myself, and if adding transactions takes more than a few seconds then I’ll eventually get lazy and stop doing it. Nudget’s interface makes it so fast that I haven’t had any problem with it.

The interface is filled with nice touches that show how much care went into its design. The font is friendly, the big green box showing the transaction amount is inviting, the custom number pad is spread out and easy to type in, and when you hit the check mark to add an expense you get a nice haptic feedback tap. Following the example of Nudget’s default tags, I also added emoji icons to each of my own tags. This makes the whole tag list look fun, as well as making it faster for me to visually identify the tag I’m looking for.

The tags are sortable, so you can make sure that your most-used tags are shown without you needing to scroll. That said, the tags are displayed as two stacked rows, but sorting them is done via single list column. The result is strangely inconsistent, with the row wrapping mostly, but not entirely consistent with the list’s sorting. I’m not really sure what’s going on with this, but I was able to guess-and-check with the sorting of my list until my tags showed up in the order that I wanted. The row sorting doesn’t change after you set it, so once I got the list right this wasn’t a problem, but I hope a future update makes these tag rows easier to sort.

Once you understand how Nudget’s budgeting works, you can control exactly how much you want to use the app. For instance, I looked at my past expenses and identified that I spend essentially the same amount on coffee every month. That amount is reasonable enough that I don’t feel the need to restrict it, so I just added my average coffee spending as a recurring expense. Now I don’t need to constantly add coffee purchases as manual transactions in Nudget — they’re already accounted for.

You can use the above strategy to wade into budgeting with Nudget a bit slower. Maybe figure out the average amount you spend on food and groceries each month and add that as a recurring expense too. Then you can adjust to budgeting by only inputting your less frequent or unusual transactions. I am not a financial professional, so take my advice on how to build a budget with a grain of salt, but as someone who is resistant to adding a constant repeating task to my life (however quick that task might be), this has been a good way for me to start building the habit without getting frustrated and giving up.

Insights

Once you have your budget in place and have started inputting your expenses into Nudget, you’ll start to see data in the app’s ‘Insights’ tab. This is a great place to go to see visualizations of your spending habits. It can show you what you’re doing well, or clearly surface concerns with your state of affairs. Currently this section shows whether you’re over or under budget, your total spending for the month, the category (one of your custom tags) which you’ve spent the most on, the category which has dropped the most compared to last month, and the category which has grown the most compared to last month. Just like in the ‘Recurring Expenses’ list, you can adjust the time interval of this data. Switching it to weekly will make the above comparisons against the week before, yearly will show for the last year, etc.

History

The final tab in Nudget is the ‘History’ tab. This shows a scrolling list of individual transactions which you’ve added from the Transaction tab. This list is most useful for making edits to your transactions. For instance, if you forgot to add a transaction on the day in which it happened, you can add it at a later date and then update it to the correct date from the History tab. You can also delete transactions from this interface.

Transactions in the History tab can be grouped by tag, and can be viewed by the same various time intervals as other sections of the app. My only complaint is that the editing pane allows you to swipe down to close it, but if you’ve made changes then they aren’t saved unless you actually hit the ‘Save’ button in the top right. Changes should be saved automatically when you swipe the view closed, but at the very least you should see a prompt asking if you want to save them rather than silently dumping any edits.

Settings

You can access Nudget’s settings from the gear icon in the top-right corner of the Budget tab. From here you can set the app’s currency symbol, choose from a variety of different app icons, set a color theme, and enable biometric authentication to unlock the app. You can also choose whether to enable decimal points throughout the app.

By default Nudget only allows round numbers, meaning you need to manually round your recurring expenses as well as your transactions up or down. This annoyed me at first, especially when I hadn’t yet noticed the existence of the decimal setting. By the time I found the setting though, I’d adjusted to the rounded numbers and I think I actually prefer their simplicity. Since I’m not inputting every single expense, I don’t need Nudget to be 100% accurate. It’s okay with me if my high level budget is off by a few dollars in either direction. If you want to be more precise though, then just flip the setting on and you’ll be back in the land of exact numbers.

Finally, Nudget’s settings pane includes a section of “experimental” settings. I’m not sure exactly what makes these experimental since they all work great for me, but I expect that they haven’t been thoroughly tested yet so your mileage may vary. In particular, there’s an experimental setting to add a date picker to the main Transaction interface. This shows up as an unobtrusive icon in the top-right corner, and you can tap it to set the date for the next transaction that you input. If you find yourself constantly having to change dates from the History tab, enabling this setting will save you some time.

Conclusion

I’ve been really enjoying my time with Nudget. For years now my evanescent bank Simple has handled all of my budgeting automatically. While I don’t relish having to take this task on manually going forward, Nudget has made it something that I don’t dread having to do. I always love using a beautifully designed app, so adding expenses in Nudget hasn’t felt like a chore. I even enabled the experimental confetti feature, which gives me a tiny confetti party every time I add an expense. Who said budgeting can’t be fun?

You can find Nudget on the App Store as a universal app for iOS and iPadOS. Nudget has a one-time cost of $3.99, and the in-app purchases offered are only for a virtual tip jar.

---

Support MacStories Directly

Club MacStories offers exclusive access to extra MacStories content, delivered every week; it’s also a way to support us directly.

Club MacStories will help you discover the best apps for your devices and get the most out of your iPhone, iPad, and Mac. Plus, it’s made in Italy.

Join Now

I meant to link this great article by Jason Snell a couple weeks ago:

Every time an app I rely on exposes its mortality, I realize that all the software I rely on is made by people. And some of it is made by a very small group of people, or even largely a single person. And it gives me pause, because whether that person decides to stop development or retires or is hit by the proverbial bus, the result is the same: That tool is probably going to fade away.

A lot of the software I rely on is a couple of decades old. And while those apps have supported the livelihoods of a bunch of talented independent developers, it can’t last forever. When James Thomson decides to move to the Canary Islands and play at the beach all day, what will become of PCalc? When Rich Siegel hangs up his shingle at Bare Bones Software, will BBEdit retire as well? Apps can last as abandonware for a while, but as the 32-bit Mac app apocalypse taught us, incompatibility comes for every abandoned app eventually.

The final segment of this week’s episode of Connected reminded me about the impermanence of software (which is something I covered extensively before) and how, ultimately, the apps we depend upon are made by people, who will eventually stop working on them. As Snell argues, we may not always be prepared for change in our workflows, but that’s exactly what I love about keeping up with new apps and revisiting the way we get our work done.

→ Source: sixcolors.com

sillygwailo shared this story from Boris Mann’s (Micro) Blog.

---

I saw that Richard Eriksson shared news about the “new Gowalla”.

I replied to Richard’s tweet:

I haven’t delved into it, have you see anything about data licensing?

I’ll just come right out and say that I’d love for the basics of location data to be openly licensed, maybe synced or improved with OpenStreetMap over time. <twitter.com/bmann/sta…>

I then headed over to LinkedIn and posted there to see if I could get some mapping friends to weigh in, tagging Will Cadell of Sparkgeo of and Eric Gunderson of Mapbox:

---

I am completely uninterested in spending a bunch of time on a platform which doesn’t have AT LEAST non-commercial re-use of data around locations.

Do you all know anything about state of the art location (business, place, etc) licensing?

Are people syncing back to Open Street Map as a shared layer?

Can we include IndieWeb protocols like Micropub “check ins” so we can extend beyond a silo from day one?

Any info, speculation, or hard earned learnings welcome ;)

---

I’d be happy to participate in Gowalla-like activities – but I don’t want to do it if the links, identifiers, and data are all owned by another locked down platform.

The location of a store, what type of store it is, and user “enrichment” like photos, reviews, etc. shouldn’t be locked in one data silo.

There is more awareness around these issues, so maybe we can raise them early, and get these platforms to address this up front.

Today, I read a book in a language that is not English, for only the second or third time in my life.

I’ve been working on a project on the intellectual roots of hypertext and the Web, an inquiry inspired by a class to which Andy van Dam and Norm Meyrowitz invited me to speak last year. I’ve been asking lots of people for advice on sources for various questions. One suggested a multi-volume work which seems eminently pertinent, but which is only available in French.

After some prevarication, I realized that if a graduate student in this pickle came to me for advice, I would likely say, “Learn to read French, or start over on a different topic.” With my hearing problems, I’m never going to manage to speak, but reading might be possible.

I asked my eminent cousin, “Suppose you had a graduate student to whom you had said, ‘go away and come back and talk when you have an adequate reading knowledge of French.’ When would you expect to see this student next?” She said, “Six months: three months intensive coursework, three months in France.” I can’t manage that. There’s work to do, and we’re still in the midst of pandemic. But perhaps we can get somewhere, and perhaps my eminent cousin has high standards.

Reading on the iPad is great because the dictionary is a joy to use. And, do I use it! Even for this famously easy little children’s book, I’m puzzling out the simplest little things. (We do have some esoteric vocabulary: boas (open and closed), baobabs, switchmen, and lamplighters for starters.) This is a profound book but an odd one for children, perhaps even sadder than Charlotte’s Web which was read to me once and remains unbearable to think about.

Next up, I’m going to attempt Jo Walton’s Among Others en Français, where it has a different title but will still, I hope, be tons of fun.

Today on the blog I have a patiently awaited for Small Home Tour with the incomparable Robin of @Twentyventi. I have long admired her approach to parenting, design and living well. When I am feeling overwhelmed by motherhood or messes Robin often has the words to put me at ease or refocus my priorities. I truly find her to be an authentic and bright light in this strange social media world I find myself in. Beyond her words, her photos capture childhood and motherhood in a way that always leaves me impatiently awaiting her next photo. Her beautiful captures of the everyday are - as I mentioned in the first sentence -incomparable. I am incredibly grateful that she took the time to give us an in-depth look into her home and for her thoughtful words regarding small living as a family of four. I’ll leave you with Robin

Meet Robin…

My name is Robin. I live in a suburb of Toronto with my husband, Patricio, and two daughters. I worked in childcare for over a decade as an Early Childhood Educator — and have been home full-time with my girls for the past two and a half years.

What I share on my blog and social media is quite a mixed bag of my personal interests and everyday life - creative projects, respectful parenting, motherhood, low-to-zero waste living, homeschooling, slow and sustainable fashion, and whatever I'm currently reading (usually parenting or social justice titles these days).

How big is your home and what is the layout?

We live in a 905 sqft two-bedroom apartment flooded with natural light from ceiling-high wall-to-wall south-facing windows in every room.

Half the apartment is our living/dining area and a little outdated corner kitchen. We spend most of our time together in this half of our apartment, cooking while the girls play, having family dance parties, mini yoga sessions, curled up together on the sofa reading, puzzles, painting, obstacle courses. We intentionally left our living space fairly open and sparsely furnished to accommodate two young children who need lots of space to run around and play.

On the other half of the apartment are the bedrooms, and a tiny bathroom. The smaller bedroom belongs to our older daughter, and the larger bedroom is ours, that we currently share with our toddler.

The only pieces of furniture in our room are our bed and our dresser, which we pushed into the space where our closet used to be (we removed the doors two years ago). Because our room is so bare, we've actually been talking about putting a Murphy bed in the living space and turning one of the bedrooms into a studio (my husband is an artist), but that project has been put on the shelf until we move the girls into the same room. It's nice to know we have some flexibility and room to grow here.

Who lives there?

My husband, Patricio, myself and our two daughters who are five and two and a half years old.

Tell me about your choice to live small as a family. Was it a conscious decision or did it just evolve?

I don't actually consider our apartment to be that small compared to other small homes, so I don't know that I've ever consciously made the decision to live small (in terms of space) - but I have consciously decided to live with less physical things, and to be intentional about what we own, which definitely is a good fit with living in a more modest space.

Is there a piece of furniture or accessory that you couldn't live without that makes living in your space easier?

Early last year we built a wall of cabinets across a 12-foot wall in our living room. That same space used to have wall-to-wall open-shelving, which was beautiful in theory, but I couldn’t take the visual clutter on such open display, even when it was organized. We do have a lot of storage in our apartment, but we wanted everything that we frequently use within easy access in our living space, without having to dig through a closet (i.e. books, craft and art supplies, puzzles, our turntable and records).

Assuming you keep toys edited are there any you recommend that have survived many purges and provided entertainment?

We do keep toys fairly edited down, though I'd still say we probably have more than we really need - enough that I can rotate our collection ever so often so that the same items still have novelty again and again.

The toys that have been most used, and that have survived many ruthless purges, are the open-ended ones that have grown along with our children, such as wooden blocks and play silks, as well as anything home-related - dishes, toy food, bowls, spoons, baby dolls.

I tend to gravitate towards toys made from natural materials (though we do have some plastic, like lego), partly because they are generally better quality, but also because I think when you live in a smaller space that can get cluttered quite easily as your children play, the mess, at least for me, bothers me less when the toys are, by my standards, beautiful. The girls have a say in what we donate or sell, so for any toys that I'm not too keen on, it helps to have pretty natural baskets to store them all in.

What is something you love about living small?

I feel like this has been a common answer from the other families that you've interviewed - but I love how little time it takes to clean. Yes, it can look messy quite quickly, but 10-20 minutes is all you really need for a good surface clean, and maybe an hour to deep clean.

I also love that it forces us to really "face" our belongings and to fill our space only with things we love or truly need, and get creative about the rest. I think that people mistakenly get the impression that I'm a very organized person when in reality, I've learned that having less helps me combat the fact that I'm terribly unorganized and scatterbrained - it allows me to focus on the things that are truly important to me and my family.

And, of course, I love that we’re always close by no matter where we are in our home - as hard as that can be as well, it’s nice to always know where the kids are.

What is something you hate?

Honestly, I don't really have many complaints about living small in our current apartment - it feels like exactly the right amount of space for us. Sure, I could say that sometimes I want a little more personal space and quiet, but I think that I'd have that same feeling while raising young, energetic children even in a bigger space.

Most of my frustrations about our home have to do with the fact that it's a rental (which limits what we can do), and a high rise apartment without a yard. I often say that I wish we could move our exact apartment to a plot of land, where we could have a vegetable garden and some fruit trees, hang our laundry to dry on a clothesline and let the kids run wild.

I know for us, having walkable kid-friendly places in the neighbourhood really helps with small living. Would love to hear some of your favourite places to get outside with the kids in Toronto?

Getting outdoors every day is a pretty high priority because we don't have a yard. We chose our neighbourhood because it is walking distance to so many great parks and walking trails, and just a short drive to Lake Ontario, where we go quite regularly to walk along the lakeside trails and play in the tide. This year we didn't spend any time in the city, but normally we love to visit High Park or anywhere along the harbourfront.

One of the reasons I started this blog was to have a positive space about living small with a family and hopefully have people let go of the shame associated with it. Thank you soooo much for being so open with your beautiful home and life. Is there anything you would want to say to someone who wants to stay in their small space with a child/baby but are nervous or feeling external pressure not to?

I think that you can build a beautiful life anywhere if you truly want to. To some, living small may seem like a life that is lacking, but to others, they see an environment that can really foster creativity, intentionality, and prioritizing human relationships over material things (or space). So I think that our personal attitude towards living small is what makes or breaks it, whether we think our children can only thrive if they have lots of space and a room of their own, or if we can recognize that children can flourish anywhere - and that truly, in these early years, what children often want most is to be closeby their caregivers anyway, whether you live in 400 sqft apartment or 4000 sqft home.

During this pandemic do you find you have changed or used your space differently?

Yes - though mostly small things like changing the direction of our dining room table, rearranging a few cupboards, switching the rug in my daughter's room, hanging book ledges in the halls for the girls overflow of picture books. Little changes that have made spending extra time here a little prettier or more functional for our current needs.

These past ten months have deepened our appreciation for our space, and helped us recognize how privileged we are to have it - and more than ever we've seen how the only thing we really feel we are lacking, in terms of space, is a yard. But we made what we have work for us - putting a swing in our living room for the girls to release some extra energy, in addition to a Pikler triangle we got two Christmases ago that we keep out for climbing.

We hadn’t used our balcony much in the past, but during the pandemic, we bought some seedlings and started a few plants from seed, and made our first small balcony garden. It was always in my head that we needed a yard to have a real garden, so it was a wonderful experience for all of us to adapt to use what we already have to fit our current situation — and now we are quite looking forward to having an even bigger balcony garden this year.

Thank you again for opening your home and heart to us! I resonated with so much of what you said! And as we are about to move into 900-ish square feet I am encouraged to hear that it is the perfect amount of space for you. Also call me when you want to talk wallbeds! I have so many thoughts (mainly, yes you should! whether the wall bed is in your bedroom or the living room is the bigger questions I want to discuss!). You can find Robin on Instagram and her Blog!

EduResearch Matters, Australia Association for Research in Education, Feb 25, 2021

"I began to see the words and ideas of far-right extremists being repeated back to me as truth," says Stephanie Wescott, and this should be worrisome for educators of all stripes. How to respond? Wescott attempts to equip students "with the skills and knowledge to not only understand how persuasive language positions them as an audience, but also the deeper, more complex layers of bias and political leanings that underpin the media." One way to get at this, says Peter Greste in a review of Kid Reporter is to take "a deep dive into the kind of approach that experienced journalists would be expected to bring to their craft... to not only question and confirm basic facts, but also to think about things like the motives of the people presenting information; its context and purpose; the difference between opinion, fact and analysis." As its authors write, "“One of the best ways to learn about the media is to become a media creator yourself. If you know how to find accurate information for your own news story, you are far more likely to know if another person’s work is based on facts."

Web: [Direct Link] [This Post]