Rolandt
Shared posts
Microsoft 365 Family on offer
Today is once again a good day to renew Microsoft 365 Family. 6 users, 1000 gigabytes each, plus Word, Excel, PowerPoint, Outlook, Teams/Family, an online vault and extended protection against ransomware. The key arrives by e-mail and can also be applied to running subscriptions. I am currently licensed until 2022.
Twitter Favorites: [BikewaysTO] Recent counts have found 4,408 bikes at Bloor-Dufferin & 4,784 bikes at Bloor-Yorkville within a 24 hour period. Th… https://t.co/gSdUUqcVNN
NewsBlur Blurblog: The Interconnectedness of All Things
“In the course of creative endeavours, artists and scientists join fragments of knowledge into a new unity of understanding.”
– Vera John-Steiner
Ideas are ‘just’ connections between existing elements.
Sherlock Holmes is the product of 19th-century detective fiction and medical investigation.
Holmes’s deductive powers were inspired by some of Arthur Conan Doyle’s medical lecturers, including Dr. Joseph Bell.
In a rare piece of film from 1930, Conan Doyle depicted Bell’s extraordinary ability to diagnose patients on sight:
“He would look at the patient, he would hardly allow the patient to open his mouth, but he would make his diagnosis of the disease, also, very often, of the patient’s nationality and occupation and other points, entirely by his power of observation.
So naturally, I thought to myself, well, if a scientific man like Bell was to come into the detective business, he wouldn’t do these things by chance, he’d get the thing by building it up, scientifically.”
– Arthur Conan Doyle
Doyle became obsessed with Spiritualism as he got older, travelling the world to visit mediums and psychics, searching for ‘positive proof.’
“The conclusion, then, of my long search after truth, is that in spite of occasional fraud… there remains a great solid core in this movement which is infinitely nearer to positive proof than any other religious development with which I am acquainted.”
– Arthur Conan Doyle, The New Revelation, 1918
Connecting Sherlock Holmes and spiritualism gives us Dirk Gently, Douglas Adams’ ‘holistic’ detective.
Gently is a creative extrapolation of Holmes’s technique of eliminating the impossible to reveal the truth.
What if the famous detective had embraced the impossible?
“Sherlock Holmes observed that once you have eliminated the impossible, then whatever remains, however improbable, must be the answer. I, however, do not like to eliminate the impossible.”
– Dirk Gently, Dirk Gently’s Holistic Detective Agency
The Gently stories feature ghosts, time travel and ‘interconnectedness.’
Despite continually probing his own belief systems, Adams described himself as a ‘radical atheist’ (adding ‘radical’ to show he really meant it).
In a thought experiment designed to falsify the finely tuned universe argument for God (and typical of a man obsessed with baths and rain) Adams describes the thoughts of a sentient puddle:
“This is an interesting world I find myself in – an interesting hole I find myself in – fits me rather neatly, doesn’t it? In fact it fits me staggeringly well, must have been made to have me in it!”
– Douglas Adams
Adams looked at the universe from other perspectives and what he found permeated his work. If you enjoyed this, you might like this article about keeping an open mind.
Twitter Favorites: [AnandWrites] We live in an age that demands radical change, and yet incrementalists keep convincing people to go their way. But… https://t.co/FLRRTNiHGP
Twitter Favorites: [VanWritersFest] We're so excited to welcome Upstart & Crow, a fabulous new bookshop, to @granville_isle! Founded by VWF Marketing D… https://t.co/4O2pwe0NRH
Some diversity and inclusion best practices in hiring
After 3 years leading Diversity and Inclusion at Mozilla I’m looking for my next job: Director or Head of Diversity, Equity and Inclusion at a tech company that’s hungry to make systemic change. At Mozilla one of my key partnerships was with our Talent Acquisition team to debias our hiring process and improve the candidate experience. Now I’m on the candidate side looking for jobs. Here are some of my observations.
I saw a Diversity Equity and Inclusion Lead position that required 15-20 years experience. Honestly, that’s ridiculous, and even a stretch for a Chief Diversity Officer. I appreciated this added commentary from Aubrey Blanche:
I am a Director of DEI. 5.5 years of experience in the field. Your bullshit professional experience requirements are literally the problem. (Also, hire @tararobertson. Your org will be much better for it.) https://t.co/siIYOz0GZx
— Aubrey Blanche #BLM (@adblanche) August 15, 2020
There was a job posting with 20 bullet points. When a job post has that many requirements it demonstrates to me that the company is unclear what their priorities are for the role. Be clear about what the mandatory requirements are and what additional things might be nice to have. We know that men are far more likely to apply for a job where they have some of the qualifications and that women are far more likely to self-select out unless they have 100% of the qualifications. See: Why Women Don’t Apply for Jobs Unless They’re 100% Qualified by Tara Sophia Mohr in Harvard Business Review.
I’ve also seen some thoughtful ads with 5-8 bullet points about the key requirements and an explicit call out to invite people with non-traditional backgrounds to apply and to tell the company how their experience could map to what they’re looking for. Here’s the language we used in some job postings at Mozilla:
“You should apply even if you don’t feel that your credentials are a 100% match with the position description. We are looking for relevant skills and experience, not a checklist that exactly matches the position itself.”
I also like the friendly language that Collective, a DEI consultancy, uses:
Not-so-fun fact: Research shows that while men apply to jobs when they meet an average of 60% of the criteria, women and other marginalized folks tend to only apply when they check every box. Think you have what it takes, but not sure you check every box? Reach out to us anyways. We’d love to talk and determine together whether you could be a great fit!
Speaking of non-traditional backgrounds, the DEI leaders I admire come from a variety of backgrounds: business, academic/research, consulting; most do not have traditional HR backgrounds. So if you’re scoping to only look for HR professionals, you’re missing out on some great talent.
Textio is a great tool for ensuring the language in your job postings is balanced. Don’t we all want leaders who are strategic and results oriented who also have great communication skills and empathy?
I read a great job post from Sprout Social that included some milestones for the new person in this role for the 3mo, 6mo and 1 year mark. I liked this approach a lot. As a job searcher it gives me a clear idea of their priorities and helps me imagine myself in that job. Michelle Y. Bess was the Director of DEI and I know this is her good work.
I wish more job postings included salary ranges. I get that it’s complicated, especially for global companies where comp varies by geography, but if you’re looking for a Director yet the salary is $85k a year, there’s something off.
I’m excited to see more DEI jobs in academic institutions, but the education requirement is nonsense. I don’t have an MBA, but I’ve got 3 years in the tech industry where I used various research and data to drive measurable change. I don’t need an MBA.
Like most people on the job market, I’m also assessing if I want to work at a company when I read the job posting and look at the careers site. I’m analyzing what you say about your culture by the words and images you use. Who is represented? Who is not represented? As a DEI leader I’m also looking to see if your company is transparent about diversity metrics and where you’ve been able to make progress and where you haven’t.
As a 43 year old queer woman, I’m interested in the company culture – I want to work somewhere where I can continue to learn and grow and where there are great extended benefits. A ping pong table and beer on Fridays are not high on my priority list.
I appreciate it when companies outline what their application process is going to look like. It demonstrates empathy and respect and helps me as a candidate understand what the process is going to be like because each one is slightly different.
These are my observations after actively looking for a job for a couple of weeks. What other things am I missing?
This post was originally a Twitter thread.
The post Some diversity and inclusion best practices in hiring appeared first on tara robertson.
Dead plots
Way back in 2000, when I published my first collection of short stories, "Toast, and other rusted futures", I wrote a slightly tongue-in-cheek foreword explaining that time has a way of rendering SF futures obsolete.
For example, after the probe fly-bys of the 1960s it was no longer possible to write planetary romances set in the swamps of Venus or among the barbarian tribes roaming the arid deserts of Mars. After 1969 it was no longer possible to write a story about the first human landing on the moon without being aware of Apollo 11. Even though those futures are still accessible via contrived parallel universe or alternate history conceits, you can't write them naively or unironically, and unironic or naive stories written beforehand tend to read badly after the events that rendered them obsolete.
One of the stories in "Toast" was a Y2K parable. I was working in IT during the 1990s, and while Y2K denialism is a Thing in the media today, it's only a Thing because a lot of people worked a lot of overtime hours to ensure that almost nothing went wrong on the day (the dog didn't bark because the dog was in intensive care at the time and made a full recovery).
Anyway, the 21st century has rendered a whole slew of 20th century plots obsolete, including the first moon landing, habitable planets elsewhere in our solar system right now, Martian and Venusian aliens, Y2K causing the downfall of civilization, a USA/USSR nuclear war causing the downfall of civilization, and so on.
But what are the contemporary plot lines from the first two decades of the 21st century that no longer work?
I'm going to note the corrosive influence of "everybody has a mobile phone" on the crime and contemporary horror novel in passing. For the most part, authors have figured out how to deal with it. Some of them still rely on the old trope of "battery runs down" (a bit weak in an age where everything uses one of two types of plug and booster batteries are sold in newsagents), "dropped in a puddle" (again: see IP67 and IP68 standards), and "no signal" (which is a total fail in pretty much any city on the planet: it's still viable in rural/wilderness areas but even then satphones are a Thing and most major roads are networked to provide at least GSM signal). More sophisticated authors actually make cellphones — and more recently smartphones — integral to the plot: Iain Banks' non-SF thriller "Dead Air" from 2002 had a plot that wouldn't work without everyone having a cellphone.
This stuff shouldn't be rocket science, but I note the average age of first-time novelists is somewhere north of 30, and established novelists are typically in their 40s to 70s — not the prime time for adapting to new technologies.
The internet (and Facebook in particular — the search interface for people as opposed to things (Amazon) or facts (Google: NB, sprinkle with irony to taste)) is another phenomenon you can't leave out of a story without going seriously retro. In fact, the arrival of internet dating made a big impact on the contemporary romance sub-genre: a bunch of older how-do-you-meet-someone plots went out the window, but a whole bunch of new ones showed up.
But meanwhile the eminent mainstream literary faculty are still turning out deeply sensitive realist-mode explorations of the human condition that totally neglect the tech dimension. We live in a world with killer drones, state level actors gaslighting each others' electorates with bots and sock puppets and AI generated user icons, where the average TV viewer is ageing by more than 12 months per year as demographic shift kills the video star and moves everything online, where private space launch companies are listed on the stock market and cars park themselves. A realist-mode 21st century novel that ignores phenomena that were tropes in 20th century SF is a de-facto historical novel, or a retro nostalgia trip for people who are deeply uneasy about modernity. Indeed, the only way I can see to write a novel set in North America or Europe with a protagonist aged under 70 who doesn't have a mobile phone or use the internet is to make them either a criminal on probation (who's been forbidden from using those everyday tools on pain of going back to prison) or to give them some sort of disabling condition — a neurotic terror of 5G radiation, perhaps, or locked-in syndrome.
Moving forward, we come to some new nope-outs in fiction. First up, is using AI to rig elections. Interface, a 1995 novel by "Stephen Bury" (a pseudonym for Neal Stephenson and J. Frederick George) was set in a then-near future that seems eerily prescient from today's perspective, focusing on the election campaign of a US presidential candidate with shadowy backers who has been fitted with an experimental biochip to prompt his public gestures and speech on the basis of feedback from a focus group of random voters. Of course, how you pick the training set for your AI is hugely consequential, and it's both funny and chilling to contemplate in the light of subsequent events — as is 1999's Distraction by Bruce Sterling, in which the Chairman for once missed the target by hopelessly optimistically setting the date for the USA's final political gridlock in 2044, rather than a couple of decades sooner. Again: neurocomputing, shadowy influencers and manipulators, emergent tech, and a political system that's unfit for purpose. If you put these two SF novels together with either The Whisper of the Axe or Prizzi's Glory by Richard Condon (author of The Manchurian Candidate) you basically get the American 21st Century redux. (In The Whisper of the Axe a talented African-American woman decides it's time for payback — payback for everything since 1639, that is. And in Prizzi's Glory, the third novel in the trilogy that starts with the much more familiar Prizzi's Honor, a Mafia family decide to go more-legit-than-legit and successfully take over the White House.)
All these plotlines are now dead. (Mob family in the White House? Political leader motivated by a total ideological commitment to destroy their own country? AI-mediated focus groups directing candidate public appearances? Politics causing gridlock and societal breakdown? Dead, dead, dead because they already happened, like the Moon landing.)
Next on the chopping block is pandemic novels, with a side-order of zombies.
Pandemics: we are now intimately familiar with what actually happens — the majority of folks behave reasonably on the basis of the information they're given by those in positions of authority. (Escape clause for "the authorities are deliberately gaslighting the electorate in order to get people who don't vote their way killed".) A minority act out (e.g. illegal parties in AirBnB's booked under fake names: refusing to socially distance in public spaces). The problem has been aggravated by a general destruction of trust in consensus media narratives for political gain (or just advertising click-through rates) in the past couple of decades, but we don't need pandemics in escapist fiction right now, and it's too soon for the deeply serious navel-gazing Novel of the Plague Years. (Just keep a diary.)
Zombies: zombies are a dehumanization narrative, with their roots in a slave society — originally a slave nightmare (of being worked to death, then raised from the dead to carry on working) it was appropriated by slaveowners and white supremacists as a coded euphemism for fear of a (obviously, non-white) slave uprising. Popular with rich media entrepreneurs because it panders to Elite Panic, an entrenched belief in the volatility and violence of human nature (which in turn reflects the paranoid outlook of a slaveowning elite, who had good reason to fear other people).
The thing about zombie narratives is that we are all zombies these days, unless we're in the 0.1%. Disaster capitalism immiserates and impoverishes its victims, and while it was originally the generalization of strategies of imperialist wealth extraction to no-longer colonized peripheral states, it's now been brought home with a vengeance to the public of the most populous Anglosphere nations. But — shockingly — people tend to hang together, rather than riot, when times turn harsh: it actually takes the police rioting against the public to generate the bad news headlines we keep being fed.
So, unironic zombie pandemic stories? Busted. And also unironic pandemic novels. (I will grant a conditional pass for kitsch, camp zombies and zombies as a metaphor for something other than the lumpenproletariat getting lumpy with the slave overseers, but I've got my eye on you.)
Also busted: cops (not necessarily including forensics or detectives) as good guys. I'm sorry, but if you look at gun-toting mirrorshade-wearing "blue lives matter" law enforcers today and see good guys, you're a racist. Might as well try and write a sympathetic protagonist who's a homophobic fundamentalist pastor and young-earth creationist with a side-order of anti-vaxx and birtherism. (I had a moment of forced introspection a few months ago when I realized a major protagonist in my new Laundryverse trilogy was a cop and did a double-take: luckily for me she's an ex-cop turned private eye, who got railroaded off the force for being insufficiently complicit. So I didn't have to rewrite very much at all. But it's an illustration of how fast social norms can turn on a dime that something that would have been unexceptional in 2010 was a huge nope by 2020.)
Spy stories: the same. (Edward Snowden stuck the knife in and twisted, aided and abetted by the CIA providing the black sites and torture chambers for him to leak the existence of.) The Empire is real, the Empire has ears and eyes everywhere, and the Empire is nobody's friend. Are you a loyal subject, reader? If you've done nothing wrong you've got nothing to fear. (Etcetera.)
What else is on the skids towards 21st century obsolescence?
I want to sound a cautionary note at this point: a bunch of fictional tropes don't exist to be taken seriously but to provide emotional focus and punch to a story, or an escapist refuge from the mundane horrors of everyday life. Vigilante superheroes have in principle been a bust since Alan Moore stuck the boot in with Watchmen in the 80s, if not before, but they sit firmly in the escapism basket, with a bolt-on of modern polytheistic myth-making (in many cases their power spectrum resembles that of the gods of classical mythology). There's still a queasy element of sleaze to some of them — Batman is a billionaire who could solve child poverty in Gotham with a stroke of the pen, but prefers to dress up in latex fetish gear and beat the crap out of poor people — but it's not all terrible.
Fantasies of agency are a drug. We live in an age where individuals almost never get to make a significant difference. The past 4 years have been an object lesson in how little power the Imperial Presidency of the United States actually wields, insofar as Trump could have been far more destructive if he'd been remotely competent — just yanking on the levers like a monkey in a behavioural experiment doesn't get you very far. And I have a feeling that sooner or later we're going to need to go cold turkey and come down off the pleasant high of imagining that we can fix global climate change, or colonize Mars, or punch the Joker, on our own and without collaboration.
But the biggest total nope for the next decade (at least) is the conspiracy theory as a world-view in fiction.
Conspiracy theory is dead to me. It used to be a funny plot trope, as witness Robert Shea and Robert Anton Wilson's Illuminatus! trilogy. You could read these batshit theories put together by people who thought the Martians had assassinated JFK, or the Jews ran a secret Masonic conspiracy to pollute everybody's bodily fluids by fluoridating the municipal water supply, and giggle at the stupidity of it all. But then a funny thing happened: Facebook. Facebook and Twitter mainstreamed conspiracies and they went viral on the grey matter of people who had never been educated to think critically, evaluate sources of evidence, and fact-check, and we all know the results: QAnon, Donald Fucking Trump, Brexit, a massive upsurge in anti-semitism and white supremacism and neo-Nazism. Not to mention 5G radiation conspiracy theories, anti-vaxx, flat-eartherism, and all the other nonsense. It ends up with people believing shit like the late Francis E. Dec's Gangster computer god rant — and if you listen to it for lulz, because it's basically the ravings of a paranoid schizophrenic with hypergraphia and the controlling-machine delusion, just keep watch for the racist interjections.
Folks, writing conspiracy theories in fiction is over. It's not clever: it's like pouring accelerants on a house fire, or playing with matches in a harborside warehouse full of ammonium nitrate. It runs the risk of taking off like an explosive chain reaction and causing immense damage. Those 5G conspiracy theorists in the UK have led to arson attacks on cellphone masts, resulting in emergency (fire and ambulance service) blackouts that put lives at risk. The anti-vaxxer nonsense (thank you, Mr. Wakefield) was causing lethal disease outbreaks even before it convinced about 40-50% of the UK population that they wouldn't accept a vaccine against COVID-19 because vaccines don't work/are a conspiracy/Bill Gates wants to put a chip in you (why?)/you might have a child with autism (hey, no ableism here, honest). And so on. Our current media environment has scrambled our society's ability to assemble a consensus view of reality so badly that conspiracy theories should be considered toxic. And that's not a good thing from my perspective because it puts the entire viability of creative-lies-that-amuse-and-inform — fiction — in jeopardy.
Worrying Effect
The WordPress app for iOS is a free and open source app that doesn’t sell anything — but Apple, reportedly, made the publisher change it so that it sells custom domain names via IAP, with the standard 30% cut going to Apple.
So now (or soon) the app will sell things.
Here’s where the worry turns personal for me…
NetNewsWire for iOS is a free and open source app that doesn’t sell anything, but it does let you use your Feedbin or Feedly account for syncing.
Will I be asked to add IAP to NetNewsWire for purchasing Feedbin and Feedly accounts? It doesn’t sound like that much of a stretch right now.
That’s not exactly what’s happening with the WordPress app, but it’s pretty close, and barriers just seem to get crossed these days.
* * *
Somebody on Twitter will tell me that I should add that IAP right now so I can pay Apple for the privilege of being on the App Store. Fuck you in advance.
* * *
Related question: how is the PR hit to Apple worth it for the money they’ll make through these WordPress IAP sales? And: how is developer fear a good thing for the platform?
The Best Windows Laptop
As prices rise and options overwhelm, it’s harder than ever to discern which laptop will serve your needs for the best price. Laptop companies are making big promises about the AI features in their new computers, and the end of support for Windows 10 has arrived. While you shouldn’t buy a new laptop just for AI, it’s time to consider an upgrade if you’re still using Windows 10.
After testing hundreds of laptops over the past decade and spending time with 43 thin-and-light models so far this year, we’ve found that the Lenovo Yoga 7i 2-in-1 (14" Intel) is the best Windows laptop for most people.
Chromium’s impact on root DNS traffic
Chromium is an open-source software project that forms the foundation for Google’s Chrome web browser, as well as several other browser products, including Microsoft Edge, Opera, Amazon Silk, and Brave. Since its introduction in 2008, Chromium-based browsers have risen steadily in popularity and today comprise approximately 70% of the market share.
Chromium has, since its early days, included a feature known as the omnibox, which allows users to enter either a website name, URL, or search terms. But the omnibox has an interface challenge. The user might enter a word like “marketing” that could refer to both an (intranet) website and a search term. Which should the browser choose to display? Chromium treats it as a search term but also displays an infobar that says something like “did you mean http://marketing/?” if a background DNS lookup for the name results in an IP address.
At this point, a new issue arises. Some networks (for example, ISPs) use products or services designed to intercept and capture traffic from mistyped domain names. This is sometimes known as “NXDomain hijacking.” Users on such networks might be shown the “did you mean” infobar on every single-term search. To work around this, Chromium needs to know if it can trust the network to provide non-intercepted DNS responses.
Chromium probe design
Inside the Chromium source code, there is a file named intranet_redirect_detector.c. The functions in this file attempt to load three URLs, the hostnames of which consist of a randomly generated single-label domain name, as shown in Figure 1 below.
This code results in three URL fetches — such as http://rociwefoie/, http://uawfkfrefre/ and http://awoimveroi/ — and these, in turn, result in three DNS lookups for the random hostnames. As can be deduced from the source code, these random names are 7-15 characters in length (line 151) and consist of only the letters a-z (line 153). In versions of the code before February 2014, the random names were always 10 characters in length.
The intranet redirect detector functions are executed each time the browser starts up, each time the system/device’s IP address changes, and each time the system/device’s DNS configuration changes. If any two of these fetches resolve to the same address, that address is stored as the browser’s redirect origin.
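The decision rule described above (three random single-label names of 7-15 letters; any two resolving to the same address mark that address as the redirect origin) is compact enough to model directly. The following is an added example, written for this page and not taken from the Chromium source: the resolver is injected as a callable, so the stand-in resolvers at the bottom (an honest NXDOMAIN network, an NXDomain-hijacking network that answers every unknown name with one catch-all address, and a network whose answers never repeat) are constructed for the example and generate no DNS traffic. The address 192.0.2.10 is a documentation-range placeholder, and the function and variable names are this example's own.

```python
import random
import string
from itertools import count
from typing import Callable, Optional

# Hypothetical re-implementation of the rule described in the text; this is
# not Chromium's own code. resolve(name) returns an IP address string, or
# None to stand for an NXDOMAIN answer.
Resolver = Callable[[str], Optional[str]]


def random_probe_label(rng: Optional[random.Random] = None) -> str:
    """One label of 7-15 (inclusive) lowercase letters a-z, as the text describes."""
    rng = rng or random.Random()
    length = rng.randint(7, 15)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def detect_redirect_origin(resolve: Resolver,
                           rng: Optional[random.Random] = None) -> Optional[str]:
    """Look up three random labels; return the address if any two agree, else None."""
    names = [random_probe_label(rng) for _ in range(3)]
    seen = set()
    for name in names:
        addr = resolve(name)
        if addr is None:            # NXDOMAIN: the expected answer for a made-up label
            continue
        if addr in seen:            # two probes landed on one address: redirect origin
            return addr
        seen.add(addr)
    return None                     # no agreement: trust the network's NXDOMAINs


# --- constructed stand-in resolvers; nothing below touches the network -------

def honest_resolver(name: str) -> Optional[str]:
    """A network that returns NXDOMAIN for names that do not exist."""
    return None


def hijacking_resolver(name: str) -> Optional[str]:
    """An NXDomain-hijacking network: every unknown name gets one catch-all host."""
    return "192.0.2.10"             # documentation-range address, constructed


def make_distinct_resolver() -> Resolver:
    """Every lookup gets a fresh address, so no two probes can ever agree."""
    counter = count(1)
    return lambda name: f"192.0.2.{next(counter)}"


if __name__ == "__main__":
    rng = random.Random(2020)
    print("honest network    ->", detect_redirect_origin(honest_resolver, rng))
    print("hijacking network ->", detect_redirect_origin(hijacking_resolver, rng))
    print("distinct answers  ->", detect_redirect_origin(make_distinct_resolver(), rng))
```

The third resolver shows why the rule needs two agreeing answers rather than one: a single unexpected A record (a chance collision with a real name, or a search-suffix append by the stub resolver) is not enough to declare the network an interceptor.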
Identifying Chromium queries
Nearly any cursory glance at root name server traffic will exhibit queries for names that look like those used in Chromium’s probe queries. For example, here are 20 sequential queries received at an a.root-servers.net instance:
$ /usr/sbin/tcpdump -n -c 20 ...
20:01:34.063474 IP x.x.x.x.7288 > 198.41.0.4.domain: 34260% [1au] A? ip-10-218-80-155. (45)
20:01:34.063474 IP x.x.x.x.31500 > 198.41.0.4.domain: 64756 [1au] AAAA? . (41)
20:01:34.063474 IP x.x.x.x.46073 > 198.41.0.4.domain: 13606 A? cluster1-1.cluster1.etcd. (42)
20:01:34.064413 IP6 x:x:x::x.9905 > 2001:503:ba3e::2:30.domain: 52824 [1au] A? . (53)
20:01:34.064413 IP x.x.x.x.30251 > 198.41.0.4.domain: 9286% [1au] AAAA? cxhplqrpuuck.home. (46)
20:01:34.064413 IP x.x.x.x.56760 > 198.41.0.4.domain: 60980% [1au] A? ofydbfct.home. (42)
20:01:34.065295 IP x.x.x.x.15410 > 198.41.0.4.domain: 21829% [1au] A? . (39)
20:01:34.065295 IP6 x:x:x::x.58815 > 2001:503:ba3e::2:30.domain: Flags [.], ack 3919467200, win 30118, length 0
20:01:34.065295 IP6 x:x:x::x.58815 > 2001:503:ba3e::2:30.domain: Flags [F.], seq 0, ack 1, win 30118, length 0
20:01:34.065295 IP x.x.x.x.17442 > 198.41.0.4.domain: 32435% [1au] A? . (44)
20:01:34.065295 IP x.x.x.x.35247 > 198.41.0.4.domain: 1328% [1au] A? dev-app.stormwind.local. (52)
20:01:34.065295 IP x.x.x.x.18462 > 198.41.0.4.domain: 23433% [1au] AAAA? liffezmsdw.home. (44)
20:01:34.065295 IP x.x.x.x.40905 > 198.41.0.4.domain: 40371% [1au] A? sqtpvvmi.home. (42)
20:01:34.066283 IP x.x.x.x.18125 > 198.41.0.4.domain: 45688% [1au] A? . (37)
20:01:34.066283 IP x.x.x.x.7986 > 198.41.0.4.domain: 60608 [1au] A? . (40)
20:01:34.066283 IP x.x.x.x.53489 > 198.41.0.4.domain: 27734% [1au] A? ip-100-65-32-140. (45)
20:01:34.066283 IP x.x.x.x.54028 > 198.41.0.4.domain: 41670 A? qvo7-itirqg3g.www.rabbitair.co.uk.notary-production. (69)
20:01:34.066283 IP x.x.x.x.43866 > 198.41.0.4.domain: 21093% [1au] A? ip-10-0-71-17. (42)
20:01:34.066283 IP x.x.x.x.41141 > 198.41.0.4.domain: 49747% [1au] A? edu. (32)
20:01:34.066283 IP x.x.x.x.36283 > 198.41.0.4.domain: 65449% [1au] SRV? _ldap._tcp.dc._msdcs.mwaa.local. (60)
In this brief snippet of data, we can see six queries (highlighted yellow in the original; the highlighted names have not survived in this text version, leaving lines such as “A? . (39)”) for random, single-label names, and another four (green highlight: cxhplqrpuuck.home, ofydbfct.home, liffezmsdw.home and sqtpvvmi.home) with random first labels followed by an apparent domain search suffix. These match the pattern from the Chromium source code, being 7-15 characters in length and consisting of only the letters a-z.
To characterize the amount of Chromium probe traffic in larger amounts of data (that is, covering a 24-hour period), we tabulated queries based on the following attributes:
- Response code (NXDomain or NoError)
- Popularity of the leftmost label
- Length of the leftmost label
- Characters used in the leftmost label
- Number of labels in the full query name
Figure 2 shows a classification of data from a.root-servers.net on 13 May 2020. Here we can see that 51% of all queried names were observed fewer than four times in the 24-hour period. Of those, nearly all were for non-existent TLDs, although a very small amount comes from the existing TLDs (labelled “YXD” on the left). This small sliver represents either false positives or Chromium probe queries that have been subject to domain suffix search appending by stub resolvers or end-user applications.
Of the 51% observed fewer than four times, all but 2.86% of these have a first label between 7 and 15 characters in length (inclusive). Furthermore, most of these match the pattern consisting of only a-z characters (case insensitive), leaving us with 45.80% of total traffic on this day that appear to be from Chromium probes.
From there we’ve broken down the queries by the number of labels and the length of the first label. Note that label lengths (on the far right of the graph) have a very even distribution, except for 7 and 10 characters. Labels with 10 characters are more popular because older versions of Chromium generated only 10-character names. We believe that 7 is less popular due to the increased probability of collisions in only 7 characters, which can increase the query count to above our threshold of three.
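The classification just described (popularity of the name below four in the window, first label 7-15 characters, only a-z, then a breakdown by label count and first-label length) can be run over tcpdump output of the kind shown earlier. The following is an added example written for this page, not the authors' analysis code: it parses query lines in that tcpdump format, applies the same attributes, and tabulates the matches. The sample capture is constructed (the random labels are invented, and four repeated lookups of “localhost” are included to show the popularity threshold excluding a name that otherwise fits the pattern). The response-code attribute from the list above is omitted because a query-side capture does not carry it.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format shown earlier; the random labels are
# invented and not from any real root-server capture.
SAMPLE_LINES = """\
20:01:34.063474 IP x.x.x.x.7288 > 198.41.0.4.domain: 34260% [1au] A? ip-10-218-80-155. (45)
20:01:34.063474 IP x.x.x.x.31500 > 198.41.0.4.domain: 64756 [1au] AAAA? qmvortekzb. (41)
20:01:34.063474 IP x.x.x.x.46073 > 198.41.0.4.domain: 13606 A? cluster1-1.cluster1.etcd. (42)
20:01:34.064413 IP x.x.x.x.30251 > 198.41.0.4.domain: 9286% [1au] AAAA? cxhplqrpuuck.home. (46)
20:01:34.064413 IP x.x.x.x.56760 > 198.41.0.4.domain: 60980% [1au] A? ofydbfct.home. (42)
20:01:34.065295 IP x.x.x.x.15410 > 198.41.0.4.domain: 21829% [1au] A? wpxlqaeyf. (39)
20:01:34.065295 IP6 x:x:x::x.58815 > 2001:503:ba3e::2:30.domain: Flags [.], ack 3919467200, win 30118, length 0
20:01:34.065295 IP x.x.x.x.35247 > 198.41.0.4.domain: 1328% [1au] A? dev-app.stormwind.local. (52)
20:01:34.066283 IP x.x.x.x.41141 > 198.41.0.4.domain: 49747% [1au] A? edu. (32)
20:01:34.066283 IP x.x.x.x.36283 > 198.41.0.4.domain: 65449% [1au] SRV? _ldap._tcp.dc._msdcs.mwaa.local. (60)
20:01:34.067001 IP x.x.x.x.40001 > 198.41.0.4.domain: 11111% [1au] A? localhost. (32)
20:01:34.067002 IP x.x.x.x.40002 > 198.41.0.4.domain: 11112% [1au] A? localhost. (32)
20:01:34.067003 IP x.x.x.x.40003 > 198.41.0.4.domain: 11113% [1au] A? localhost. (32)
20:01:34.067004 IP x.x.x.x.40004 > 198.41.0.4.domain: 11114% [1au] A? localhost. (32)
"""

# "<QTYPE>? <qname> (<len>)" is how tcpdump prints a DNS query; TCP flag lines
# and other noise do not match and are skipped.
QUERY_RE = re.compile(r"\b([A-Z]+)\? (\S+) \(\d+\)$")
# First-label rule from the text: 7-15 characters, letters a-z only (case-insensitive).
PROBE_LABEL_RE = re.compile(r"^[a-z]{7,15}$", re.IGNORECASE)


def parse_qname(line: str):
    """Return the queried name without its trailing dot, '' for the root, None if not a query."""
    m = QUERY_RE.search(line.rstrip())
    if not m:
        return None
    return m.group(2).rstrip(".").lower()


def is_probe_like_name(qname: str) -> bool:
    """True when the leftmost label fits the Chromium probe pattern."""
    if not qname:                       # query for the root zone itself
        return False
    return bool(PROBE_LABEL_RE.match(qname.split(".")[0]))


def classify(lines, popularity_threshold: int = 4) -> dict:
    """Tabulate probe-like queries: names seen fewer than `popularity_threshold`
    times whose first label matches, broken down by label count and length."""
    qnames = [q for q in (parse_qname(l) for l in lines) if q is not None]
    counts = Counter(qnames)
    probe_like = [q for q in qnames
                  if counts[q] < popularity_threshold and is_probe_like_name(q)]
    by_labels = Counter(q.count(".") + 1 for q in probe_like)
    by_length = Counter(len(q.split(".")[0]) for q in probe_like)
    return {
        "total": len(qnames),
        "probe_like": len(probe_like),
        "share": len(probe_like) / len(qnames) if qnames else 0.0,
        "by_labels": dict(by_labels),
        "by_length": dict(by_length),
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LINES.splitlines())
    print(f"{result['probe_like']} of {result['total']} queries look like Chromium probes "
          f"({result['share']:.0%})")
    print("by label count:", result["by_labels"])
    print("by first-label length:", result["by_length"])
```

On the constructed sample, 4 of 13 queries are classified as probe-like: two single-label names and two with a search suffix (.home) appended, while ip-10-218-80-155 and dev-app.stormwind.local fail the a-z rule and the four lookups of localhost fail the popularity rule. The same popularity rule is what makes 7-character labels under-counted in the real data, as the text notes: with fewer characters, chance collisions push a name's count over the threshold.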
Longitudinal analysis
Next, we turned our attention to the analysis of how the total root traffic percentage of Chromium-like queries has changed over time. We used two data sets in this analysis: data from DNS-OARC’s “Day In The Life” (DITL) collections, and Verisign’s data for a.root-servers.net and j.root-servers.net.
Figure 3 shows the results of the long-term analysis. We were able to analyse the annual DITL data from 2006-2014, and from 2017-2018, labelled “DITL Full” in the figure. The 2015-2016 data was unavailable on the DNS-OARC systems. The 2019 dataset could not be analysed in full due to its size, so we settled for a sampled analysis instead, labelled “DITL Sampled” in Figure 3. The 2020 data was not ready for analysis by the time our research was done.
In every DITL dataset, we analysed each root server identity (“letter”) separately. This produces a range of values for each year. The solid line shows the average of all the identities, while the shaded area shows the range of values.
To fill in some of the DITL gaps, we used Verisign’s data for <a href="http://a.root-servers.net" rel="nofollow">a.root-servers.net</a> and <a href="http://j.root-servers.net" rel="nofollow">j.root-servers.net</a>. Here we selected a 24-hour period for each month. Again, the solid line shows the average and the shaded area represents the range.
The figure also includes a line labelled “Chrome market share” (note: Chrome, not Chromium-based browsers) and a marker indicating when the feature was first added to the source code.
There were some false positive Chromium-like queries observed in the DITL data before the introduction of the feature, comprising about 1% of the total traffic, but in the 10+ years since the feature was added, we now find that half of the DNS root server traffic is very likely due to Chromium’s probes. That equates to about 60 billion queries to the root server system on a typical day.
Interception is the exception rather than the norm
The root server system is, out of necessity, designed to handle very large amounts of traffic. As we have shown here, under normal operating conditions, half of the traffic originates with a single library function, on a single browser platform, whose sole purpose is to detect DNS interception. Such interception is certainly the exception rather than the norm. In almost any other scenario, this traffic would be indistinguishable from a distributed denial of service (DDoS) attack.
Could Chromium achieve its goal while only sending one or two queries instead of three? Are other approaches feasible? For example, Firefox’s captive portal test uses delegated namespace probe queries, directing them away from the root servers towards the browser’s infrastructure.
While technical solutions such as Aggressive NSEC Caching (RFC 8198), Qname Minimization (RFC 7816), and NXDomain Cut (RFC 8020) could also significantly reduce probe queries to the root server system, these solutions require action by recursive resolver operators, who have limited incentive to deploy and support these technologies.
Contributors: Duane Wessels
Matt Thomas is a Principal Engineer in Verisign’s CSO Applied Research division.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
🤦♀️ Without compassion, resilient leaders fall short.
Reading an article by Carol Kaufman in Harvard Business Review where she writes about the experience of one of her clients, I had a super strong sense of déjà vu as she described her client’s contempt for her employees who weren’t keeping up:
Gwen is not a “bad” person. She felt betrayed by her team, who she felt had abandoned her when she needed them most and now threatened her leadership.
I’ve been there, quickly observing that major changes were afoot, orienting to them, and deciding to act well in advance of the rest of my team even knowing there was an issue. It’s a super power, right? Well… not so fast.
It never occurred to her that the members of her team might not be as relentlessly resilient and mentally tough as she was. Blind to this fact, she was unable to relate to her employees empathetically and instead assumed they had chosen to fail her. From her standpoint, they deserved her contempt.
In my case, I’ve been wrapped up totally around the idea of “How the hell do they not get it? We have to do this (whatever it is)! Seriously, how the %u#k can they not understand!?!” And, it’s scary just how fast that turns into, “What are they doing? How can they just sit there doing nothing?”
As a leader, being able to execute a decision-making framework quickly isn’t enough. You have to be able to take the rest of your team with you. Otherwise, along with failure, you’ll likely get the wonderful bonus of not understanding why everyone hates you.
If you’ve ever caught yourself having a whiff of a contempt attack about your team, go read Carol’s article now and put what she teaches into your own personal set of operating principles.
Quoting Adrienne Lowe
Why weekly? You want to keep your finger on the pulse of what’s really going on. When 1:1s are scheduled bi-weekly, and either of you have to cancel, you’ll likely be going a month between conversations and that is far too long to go without having a 1:1 with your direct report. Think of how much happens in a month. You don’t want to be that far behind!
Excess deaths, by race
It’s clear that Covid-19 has affected groups differently across the United States. By geography. By education level. By income. The Marshall Project breaks down excess deaths by race:
Earlier data on cases, hospitalizations and deaths revealed the especially heavy toll on Black, Hispanic and Native Americans, a disparity attributed to unequal access to health care and economic opportunities. But the increases in total deaths by race were not reported until now; nor was the disproportionate burden of the disease on Asian Americans.
With this new data, Asian Americans join Blacks and Hispanics among the hardest-hit communities, with deaths in each group up at least 30 percent this year compared with the average over the last five years, the analysis found. Deaths among Native Americans rose more than 20 percent, though that is probably a severe undercount because of a lack of data. Deaths among Whites were up 9 percent.
Difference charts are used to show deaths above (red) or below (turquoise) normal counts, but of course, it’s mostly red.
See the piece for an additional categorization by state.
Tags: coronavirus, Marshall Project, race
Virgin Mobile, Fido and Koodo now offering $50/9GB plan

Virgin Mobile, Fido and Koodo are now offering a $50/9GB plan.
Currently, these sub-brands are now offering a 5GB bonus to their regular $50/4GB plan, which essentially creates the aforementioned $50 for 9GB of data promotion.
For Virgin Mobile, this is a Bring Your Own Device (BYOD) plan.
Virgin is also offering:
- $50/9GB
- $55/11GB
- $60/13GB
- $75/15GB
The $55 for 11GB and the $60 for 13GB seem like the best options in my opinion, however, $50 for 9GB is still not that bad.
Rogers’ sub-brand Fido is also advertising $50 for 9GB of data, but this only works for new activations or hardware upgrades and not BYOD. Fido is offering the above promos as well.
Koodo first only offered $50 for 9GB through Walmart, but it has now expanded it to its website. Similar to Fido, to get access to $50/9GB, you need to purchase a new smartphone with one of Koodo’s Tab plans.
In fact, you won’t even see it on their website unless you add a smartphone to your cart with a Tab plan. Koodo is now also offering Virgin Mobile’s BYOD plans if you purchase a new phone.
It’s worth noting that Rogers, Bell and Telus are still offering $75 for 20GB deals.
Source: Koodo, Virgin Mobile, Fido
The post Virgin Mobile, Fido and Koodo now offering $50/9GB plan appeared first on MobileSyrup.
WSL 2 Support is coming to Windows 10 Versions 1903 and 1909
Support for Windows Subsystem for Linux (WSL) 2 distros is being backported to Windows 10 version 1903, and 1909! Yes, you read that right. We heard how much you liked WSL 2 and wanted to expand its accessibility, and over the last few months we worked on bringing it back to 1903 and 1909.
About Us
We are Ty (Tito) Citrin, a PM, and Mitchell Minkoff, an engineer, both working in Windows Servicing. Together we proudly help keep customers protected and productive by working with feature teams like the WSL team to ship security fixes that address Windows vulnerabilities and cool new features just like this!
Why did we do this backport?
We’ve heard great customer feedback on how many users have enjoyed using WSL 2, and the primary goal for this backport is to make WSL 2 available to more Windows users!
WSL 2 is a new version of the architecture in WSL that changes how Linux distributions interact with Windows. Each Linux distribution can run as WSL 1 or as WSL 2, and can be switched between at any time. All the features for WSL 2 distros will now be available for an even larger user base:
- File system performance now on par with Mac and Linux speeds
- Improved system call support for all Linux applications, notably Docker, FUSE, rsync, etc.
- Full Linux kernel built into WSL 2
- Docker Desktop has added support to use WSL 2 as its engine, giving faster startup speeds and improved resource usage. Please read this blog post on the Docker blog to learn more.
If you’d like to learn more about the benefits of using a WSL 2 distro please see this page on the WSL docs.
How do I get it?
Currently, this backport to 1903 and 1909 will only be for x64 systems. If you are using an ARM64 version, please upgrade to Windows 10 version 2004 and you’ll gain full access to WSL 2.
To get this backport you just need to check for updates. First open Windows Settings, navigate to ‘Update & Security’ and click Check for Updates.

You can check if you have this backport by verifying the minor build number of your Windows build. To do this, right click on the start menu, click ‘Run’ and then type in ‘winver’ and hit enter. The first number before the . is your major build number, so for version 1903 this will read 18362. The number after the . is your minor build number, and this will let you know whether you have the backport on your machine. This backport has the minor build number: 1049. To summarize, if your minor build number is 1049 or higher on Windows builds 18362 or 18363, then you have the backport and the ability to run WSL 2 distros.

Once you’ve verified that you have the correct version of Windows please follow the instructions here to install WSL, or simply update to use WSL 2.
Follow up with us
Want to be kept in the loop? Follow @mtminkoff for topics in cyber-security and our good friend @craigaloewen on Twitter for all things WSL and WSL 2. If you have technical questions please file them on the WSL Github repo.
The post WSL 2 Support is coming to Windows 10 Versions 1903 and 1909 appeared first on Windows Command Line.
Apple possibly working on low-cost Apple Watch and game controller

Apple could have several new devices in the works, according to YouTuber Jon Prosser.
During a public Twitter Q&A, Prosser discussed several upcoming devices, including a cheaper plastic Apple Watch and the fact that the Apple Watch Series 6 is set to be a relatively minor update to the tech giant’s smartwatch line.
Prosser claims the Series 6 will feature improved ECG functionality and a blood-oxygen sensor. Other Apple Watch-related rumours include a new “Kids Mode,” which seems to fall in line with the possibility of Apple releasing a cheaper smartwatch.
Prosser also discussed several other upcoming devices, including the ‘Apple TV 6,’ which is expected to feature Apple’s A12z processor — the same chip in the iPad Pro (2020) — and surprisingly, its own video game controller. Apple releasing its own gamepad would be an uncharacteristic move by the company, especially given it only recently added Xbox One gamepad and PlayStation 4 DualShock 4 controller support to iPhone, iPad and Apple TV.
While Apple has been pushing the 4th-gen Apple TV as a viable gaming platform since its release back in 2015, it doesn’t even come close to competing with established players like Microsoft’s Xbox One, Sony’s PlayStation 4 and Nintendo’s Switch. Still, the prospect of Apple releasing its own gamepad is intriguing, though it’s unclear how the company would find a way to build on established designs meaningfully.
Other devices are mentioned in the Q&A as well, including Apple’s AirPower multi-device charging mat, which still seems to be in production to some extent, and Apple’s often-rumoured AirPods Studio over-ear headphones. Further, Prosser says no additional information is available about Apple’s AirTag Bluetooth trackers.
He also says he stands behind his leaks related to Apple Glass, the tech giant’s often-rumoured augmented reality (AR) smart glasses.
While Jon Prosser is still relatively new on the Apple leaks scene, he has a surprisingly accurate track record. For example, he leaked the accurate release date for the iPhone SE (2020), and even predicted Apple’s recent iMac refresh.
Source: @jon_prosser
The post Apple possibly working on low-cost Apple Watch and game controller appeared first on MobileSyrup.
Google possibly working on streaming service hub called ‘Kaleidoscope’

Google is working on a new website called ‘Kaleidoscope’ that seems to source video content from several streaming services in one location, similar to Apple’s TV app.
When users visit the site, a tagline reads, “see all your favourite shows in one place, no matter where they’re hosted,” according to Gizmodo UK. However, whenever I tried to reach the site at ‘chrome://kaleidoscope/,’ it didn’t open.
Other publications are reporting that they saw Disney+, Netflix and Prime Video links, leading some to believe that Kaleidoscope will source content from many different streaming video platforms.
Apple TV’s multi-platform integration with its TV app doesn’t work that well because the platform doesn’t include Netflix and is somewhat disorganized. Hopefully, Google can find a better way to mesh multiple streaming video services together.
The leaks make it feel like the product is still in really early stages of development, so it doesn’t seem like Kaleidoscope will be ready for a public release any time soon.
Source: Gizmodo UK
The post Google possibly working on streaming service hub called ‘Kaleidoscope’ appeared first on MobileSyrup.
Important updates this week

This week brought a whole series of useful software and firmware updates:
- The incompatibility of Shelly firmware 1.8 with Homebridge has been resolved by a new version of the Shelly plugin.
- With the Fritz!OS 7.20 update for the repeaters, AVM has fixed an incompatibility with Sonos players in Wi-Fi mode. It caused Sonos players to repeatedly drop off the network. 7.20 is also available for the 75xx DSL routers. For the 7490 there is a very stable lab version.
- There is a firmware update for Eve Cam and Eve Extend that improves the stability of the Wi-Fi connection. Here too there were repeated reports of the devices dropping off the Wi-Fi when they were connected to a repeater rather than directly to the router.
- I run the Surface Pro X with the Dev version of Windows 10. There, the "Eye Contact" feature now works reliably for me. The software relies on the SD1 chipset and does not work on Intel processors.
Temporarily embarrassed influencers
Socialism never took root in America because the poor see themselves not as an exploited proletariat but as temporarily embarrassed millionaires.
John Steinbeck
Twitter and other social networks provide a digital version of the American dream: you too can be an influencer if you work hard enough and believe in yourself!
As we’ve seen with TikTok, there are powerful algorithms at play beneath the surface of mainstream social networks. These are valuable commodities, because they provide data which is monetised for the sake of company shareholders.
Even during the pandemic, Wall Street is booming. Why? Because more of our interactions are digital, and therefore can be mediated by networks which are owned by people selling your attention to advertisers.
Influencers are the enablers of social networks and adtech:
Enabler (n.) One who encourages a bad habit in another (typically drug addiction) by his or her behaviour.
Mainstream social networks like Twitter and Instagram are designed to fuel addictive behaviours. However, much like Steinbeck’s comments on the American dream, it is users’ feelings of being temporarily embarrassed influencers that enable them.
This post is Day 36 of my #100DaysToOffload challenge. Want to get involved? Find out more at 100daystooffload.com
The post Temporarily embarrassed influencers first appeared on Open Thinkering.
Elora Cataract Trail
After a week with two ghost bike installations, I wanted to get out of the city to remind myself that riding a bike is fun. I decided on checking out the Elora Cataract Trail. I used this ridewithGPS map, but I started the ride in Erin as I was not sure where to park closer to the Forks of the Credit.

I started my ride in back of the Erin Community Centre.
What a beautiful day.

When you are headed west, these signs count down. The route I was using turned off at the 8 km mark. I imagine that the 0 km mark is in Fergus.

Parts of the trail were a little overgrown, leaving just two narrow tracks of gravel. In general, the trail conditions were great.

Since the route made a loop around Belwood Lake, I was hoping for lots of waterviews, but the trail was mostly a little away from the shore. This was a typical view from the trail.

Do I look happy?

Belwood Lake Conservation Area had portable washrooms right off the trail. Just past that point, you ride across the dam.

Looking north.

South is prettier.

From this point, my route departed from the rail trail and went through some farmland before crossing back over the lake. In Michigan they talk about corn “as high as your eye on the Fourth of July”.

Nice fast gravel rollers.

Just before the bridge, there is the little village of Belwood, where there was a general store, and a picnic area with cyclists taking a break. Sorry that I didn’t get a picture.
Crossing back over the bridge, and then turning left back on the rail trail.
Taking some care to stay under the posted speed limit of 30 kph 

Signs counting back up.

Km 39 is where there is one of the official trail access points with parking in Erin.

My starting point was just a few hundred meters past this point.
Overall, yet another nice rail trail to enjoy. Well groomed and more or less dead flat.
Vancouver Street Cars and Advertising, 1946

There were streetcars being operated in Vancouver from 1890 to 1947 when routes were converted to trolley operations. There are still trolley buses operating in the city.
But take a look back at the postwar advertising on the number 5 street car. There’s an ad for “Taking a Boat to Bowen Island” with Union Steamships for one dollar for a return ticket. Maxwell House coffee is being advertised as being “Good to the Last Drop”.
There’s also a stellar Vancouver Sun poster with an art moderne sailboat design stating “Refresh Yourself, Read The Sun”. The background foliage, the open window at the back of the streetcar and the street car employee in shirt sleeves suggest this photo was taken in a Vancouver summer.
While Union Steamships have not survived, there is still ferry service to Bowen Island, and Maxwell House Coffee and the Vancouver Sun are still going strong. As for the defunct street car service, there is an excellent article from Spacing.ca detailing its history including the date of the last streetcar rolloff on April 24, 1955.

Images Vancouver Archives
The Best Drawing Tablets
Even as screen-based work replaces more and more of the time that people spend with paper, using a pencil remains a near-universal skill, for good reason. Drawing and writing by hand rank among the most intuitive kinds of physical interaction for most people, and drawing tablets translate that movement almost directly to a PC, laptop, or phone.
As a result, drawing tablets can be indispensable tools for creating art and performing more complicated image editing, and they can also be lifesavers for people who encounter some kinds of repetitive strain injury or pain while using traditional mice or laptop touchpads.
In previous years, a good, full-featured drawing tablet would often cost hundreds of dollars. Today, for under $100, you can get a great, midsize tablet such as the Huion Inspiroy 2 M, which offers plenty of drawing area, lots of function buttons, intuitive software, and an excellent drawing experience.
Verizon Forced To Back Off Charging Extra For 5G
I just had a flashback from when mobile operators thought 3G was worth pulling this kind of stunt.
It’s been well over a decade, and the industry I identify with the most still lacks a modicum of common sense–and yet I would go back to working at a telco/internet shop in a flash.
Want to show your appreciation?
Urbanist Abroad Okanagan Edition PT1
Rolandtj

Highway 1 to Hope, Highway 3 to Osoyoos. First impression: it hasn’t changed. Still the same fields of summer crops, still the same backdrop of narrowing mountain ranges, still the same congestion where the industrial parks and shopping malls hug the highway, still some of the same roadside attractions. Then a rising highway into the coast ranges and a subtle shift from fir to spruce to pine. But no billboards, strip malls, or spiring signs to mark the next gas station and McDonald’s. So not I-5. Notably, there’s still only the same small town halfway along – #Princeton. Which, except for an attempt to spiffy up the two main streets, pretty much matches up with my memory. How extraordinary that so much has stayed the same for so long.
A look at password security, Part IV: WebAuthn
As discussed in part III, public key authentication is great in principle but in practice has been hard to integrate into the Web environment. However, we’re now seeing deployment of a new technology called WebAuthn (short for Web Authentication) that hopefully changes that.1
Previous approaches to public key authentication required the browser to provide the user interface. For a variety of reasons (the interfaces were bad, the sites wanted to control the experience) this didn’t work well for sites, and public key authentication didn’t get much adoption. WebAuthn takes a different approach, which is to provide a JavaScript API that the site can use to do public key authentication via the browser.
The key difference here is that previous systems tended to operate at a lower layer (typically HTTP or TLS), which made it hard for the site to control how and when authentication happened.2 By contrast, a JS API puts the site in control so it can ask for authentication when it wants to (e.g., after showing the home page and prompting for the username).
Some Technical Details
WebAuthn offers two new API points that are used by the server’s JavaScript [Technical note: These are buried in the credential management API.]:
- makeCredential: Creates a new public key pair and returns the public key.
- getAssertion: Sign with an existing credential over a challenge provided by the server.
The way this is used in practice is that when the user first registers with the server — or as is more likely now, when the server first adds WebAuthn support or detects that a client has it — the server uses makeCredential() to create a new public key pair and stores the public key, possibly along with an attestation. An attestation is a provable statement such as, “this public key was minted by a YubiKey.” Note that unlike some public key authentication systems, each server gets its own public key so WebAuthn is harder to use for cross-site tracking (more on this later). Then when the user returns, the site uses getAssertion(), causing the browser to sign the server’s challenge using the private key associated with the public key. The server can then verify the assertion, allowing it to determine that the client is the same endpoint as originally registered (for some value of “the same”. More on this later too).
The clever bit here is that because this is all hidden behind a JS API, the site can authenticate the client at any part of its login experience it wants without disrupting the user experience. In particular, WebAuthn can be used as a second factor in addition to a password or as a primary authenticator without a password.
Hardware Authenticators
The WebAuthn specification doesn’t require any particular mechanism for handling the key pair, so it’s technically possible to implement WebAuthn entirely in the browser, storing the key on the user’s disk. However, the designers of WebAuthn and its predecessor FIDO U2F were very concerned about the user’s machine being compromised and the private key being stolen, which would allow the attacker to impersonate the user indefinitely (just like if your password was compromised).
Accordingly, WebAuthn was explicitly designed around having the key pair in a hardware token. These tokens are designed to do all the cryptography internally and never expose the key, so if your computer is compromised, the attacker may be able to impersonate you temporarily, but they won’t be able to steal the key. This also has the advantage that the token is portable, so you can pull it out of your computer and carry it with you — thus minimizing the risk of your computer being stolen — or plug it into a second computer; it’s the token that matters not the computer it’s plugged into. We’re also starting to see hardware backed designs that don’t depend on a token. For instance, modern Macs have trusted hardware built in to power TouchID and FaceID and Apple is using this to implement WebAuthn. We have been looking at similar designs for Firefox.
While hardware key storage isn’t mandatory, WebAuthn was designed to allow sites to require it. Obviously you can’t just trust the browser when it says that it’s storing the key in hardware and so WebAuthn includes an attestation scheme that is designed to let the site determine the type of token/device being used for WebAuthn. However, there are privacy concerns about the attestation scheme 3 and many sites don’t actually insist on it. Firefox shows a separate prompt (shown below) when the site requests attestation.

Privacy Properties and User Interactivity
While as a technical matter a browser or token could just do all the WebAuthn computations automatically with no user interaction, that’s not really what you want for two reasons:
- It allows sites to track users without their consent (this already happens with user login fields which is why Firefox requires that the user interact with the page before filling in your username or password.)
- It would allow an attacker who had compromised your computer to invisibly log in as you.
In order to prevent this, FIDO-compliant tokens require the user to do something (typically touch the token) before signing an assertion. This prevents invisible tracking or use of the key to log in. Apple’s use of FaceID/TouchID takes this one step further, requiring a specific user to authorize a login, thus protecting you in case your laptop is stolen.
Alternative Designs
If you’re familiar with Web technologies, you might be wondering why we need something new here. In particular, many of the properties of WebAuthn could be replicated with cookies or WebCrypto. However, WebAuthn offers a number of advantages over these alternatives.
First, because WebAuthn requires user interaction prior to authentication it is much harder to use for tracking. This means that the browser doesn’t need to clear WebAuthn state when it clears cookie or WebCrypto state as they can be used for invisible tracking. It would be possible to add some kind of explicit user action step before accessing cookies or WebCrypto but then you would have something new.
Second, when used with keys in hardware, WebAuthn is more resistant to machine compromise. By contrast, cookies and WebCrypto state are generally stored in storage which is available directly to the browser, so if it’s compromised they can be stolen. While this is a real issue, it’s unclear how important it is: many sites use cookies for authentication over fairly long periods (when was the last time Facebook made you actually log in?) and so an attacker who steals your cookies will still be able to impersonate you for a long period. And of course the cost of this is that you have to buy a token.
Adoption Status
Technically, WebAuthn is a pretty big improvement over pre-existing systems. However, authentication systems tend to rely pretty heavily on network effects: it’s not worth users enabling it unless a lot of sites use it and it’s not worth sites enabling it unless a lot of users are willing to sign up. So far, indications are pretty promising: a number of important sites such as GSuite and Github already support WebAuthn as do SSO vendors like Okta and Duo. All four major browsers support it as well. With any luck we’ll be seeing a lot more WebAuthn deployment over the next few years — a big step forward for user security.
Up Next: Login and Device Encryption
This about wraps it up for remote authentication, but what about logging into your computer or phone? I’ll be covering that next.
Acknowledgement
Thanks to JC Jones and Chris Wood for help with this post.
- The WebAuthn spec is pretty hard to read. MDN’s article does a better job. ↩
- For instance, with TLS the easiest thing to do is to authenticate the user as soon as they connect, but this means you don’t get to show any UI, which is awkward for users who don’t yet have accounts. You can also do “TLS renegotiation” later in the connection but for a variety of technical reasons that has proven hard to integrate with servers. In addition, any TLS-level authentication is an awkward fit for CDNs because the TLS is terminated at the CDN, not at the origin. ↩
- The idea behind the attestation mechanism is that the device manufacturer issues a certificate to the device and the device uses the corresponding private key to sign the newly generated authentication key. However, if that certificate is unique to the device and used for every site then it becomes a tracking vector. The specification suggests two (somewhat clunky) mechanisms for reducing the risk here, but neither is mandatory. ↩
The post A look at password security, Part IV: WebAuthn appeared first on The Mozilla Blog.
Old School Art Advice
I just returned from a government-approved pandemic vacation in British Columbia. We stayed on Gabriola Island where the sandstone beaches are lovely and there’s lots of wildlife. It was the kind of low key holiday where the responsibilities are few and wifi is spotty, so I read all the books I never seem to get around to finishing at home.
I read two art books which both offered practical advice to artists but were otherwise quite different. The first book I read was Finding Your Artistic Voice by Lisa Congdon. This book has taken me an embarrassingly long time to finish. I generally read 2-3 books a week, both fiction and non-fiction. Because I read so many books, there are a certain number of books I don’t finish. Irritating narrators, misogynistic plots, or boring writing can all cause me to put books down. But the Congdon book had none of these characteristics, and I was wondering why it had taken me over six weeks to finish it.
The book had a few things going against it. First of all, the font was thin and tiny. My aging eyes can’t handle this. Secondly, the book didn’t flow because it was divided into advice and interviews sections. And thirdly, the first three-four chapters dealt with becoming an artist and imposter syndrome, topics which don’t interest me. Perhaps because I became an artist later in life or because I was a very artistic child, I have zero problem declaring myself an artist.
Now that I’ve finished the Congdon book, I would say that it’s not a book to read in one sitting, but possibly dip into on studio days when you’re looking for ideas or encouragement. I enjoyed the artist interviews and the advice in the later chapters.
The other book I read is How To Be an Artist by Jerry Saltz. Saltz appeared in the movie The Price of Everything, which I reviewed last month. His biggest complaint in the movie was that once important paintings were bought by rich private collectors, he would never get to see them again. Saltz came off as a smart, opinionated art critic who has seen it all. This is exactly the role he takes as narrator of this book. (Thanks to the magic of long library holds, I both read and listened to this book at the same time. While you get to hear Saltz’s voice in the audio version, the hardcover is better because it has paintings in it!)
I really enjoyed his practical advice, which is arranged so that each chapter is one dictum, like: Finish the Damn Thing or No, You Don’t Need Graduate School. It’s filled with art history examples. Despite being a Pulitzer Prize winning critic, Saltz uses zero art world jargon.
Listening to Saltz’s advice—he’s like the best-connected art world uncle you always wished you had—reminded me of going to art school in the nineties. The art school I attended had moved from being a college to a university, and was going through the pains of that transition. There were still art instructors from the original art academy days as well as the new, conceptual artists with MFAs. Since I already had a couple of university degrees, I was more interested in learning the technical side of making art. My favourite instructor was a stern older man who taught drawing. All he insisted on was that students show up and do the work. I loved his class and learned so much. His crits were honest and often harsh. I sat beside a young Korean man who was an amazing technician; he could draw the human figure in gorgeous 3D. But his attendance was spotty and he often asked me for the previous week’s assignments. At midterm, we had to bring in our homework portfolios for marking, and the Korean student turned up with his completed drawings. The instructor refused to mark his portfolio, saying, “How can you have done the work if you haven’t been to class? The classes are here to teach you something new about drawing.”
While the Congdon book does have useful advice, all the time spent reassuring people that they are artists reminded me of the bad side of art school, when the class would spend twenty minutes discussing a conceptual artwork that had clearly taken the student five minutes to make. And in fact, it was an insincere conceptual artist instructing a sculpture class who finally convinced me to quit art school. I’d already been turned down for third year painting classes by an indifferent department head, and attending this useless sculpture class made me realize that I’d be better off working in my studio.
I feel that Uncle Jerry would approve. One of his chapters is entitled Work, Work, Work and includes the line: “It doesn’t matter how scared you are; everyone is scared. Work, you big baby!” That was the bigger lesson being taught in my drawing class: you have to show up and put the time in or you will never be a true artist.
Sony releases software to allow its cameras to be used as webcams on Windows

Sony has revealed a new program for Windows 10 that makes it easier to use its cameras as webcams.
The new program is called Imaging Edge Webcam. You connect your Sony camera to a PC over USB, and you won’t need any other hardware.
Thirty-five of the company’s cameras are supported.
Other manufacturers, such as Canon, Olympus, Panasonic, Fujifilm and GoPro, have released software that lets their cameras be used as webcams.
So far this feature is only available for Windows users, so if you have a Windows PC and a compatible camera you can check out the Windows 10 software here.
The post Sony releases software to allow its cameras to be used as webcams on Windows appeared first on MobileSyrup.
Meeting… Katerina Iliakopoulou, Lead Software Engineer

“Meeting…” is an ongoing series from NYT Open that features New York Times employees from different corners of the company. In this installment, we meet Katerina Iliakopoulou, a lead software engineer.
What is your name?
Katerina Iliakopoulou
What are your pronouns?
She/Her
What is your job?
Lead Software Engineer
What does that mean?
I help build products that enable the newsroom to reach our readers.
How long have you been at The Times?
Four years.
Most Times employees are working remotely right now. Where are you working from these days?
I’m working from my apartment in Astoria, Queens.
How do you start your day?
I usually try to go out for a run for 30 minutes. I’m lucky to live right next to the waterfront, which means I get to enjoy the skyline views. Also, there are very few people outside early in the day.
When I get back home, I get ready, make coffee and start working by checking email and Slack.
What is something you’ve worked on recently?
I’m working on understanding how New York Times content ranks on Google Search and collaborating with the newsroom to develop the tools that help them optimize for off-platform performance.
Tell us about a project you’ve worked on at The Times that you’re especially proud of.
That would be the work I did as the tech lead of the messaging group to scale our in-house messaging platform that sends newsroom-produced newsletters and push notifications. I led my team to redesign the platform architecture so that it can still send newsletters and push alerts to an increasingly growing audience, while also improving their delivery speed. I presented this work at O’Reilly’s Software Architecture conference in New York at the beginning of 2020.
What was your first job?
I worked as a research assistant in the Centre for Research & Technology — Hellas (CERTH) in Greece on a European-funded project for viral news detection. During this project I had the opportunity to work with journalists from different news organizations, such as the BBC and Deutsche Welle, to develop a tool that helps reporters find breaking stories from social media posts.
What is something most people don’t know about you?
I dance tango!
What is your secret to career success?
Work hard and help others as you would hope they help you.
What is your superpower?
If I’m tired, I can fall asleep anywhere regardless of what’s happening around me. I have fallen asleep in clubs, loud bars, parties, on the beach, you name it.
What are you inspired by?
My fiancé. He is brilliant and a constant inspiration for me to do more and aim higher.
Name one thing you’re excited about right now.
I have been focusing a lot on my yoga practice, so I’m excited to start reaching some new levels, such as being able to do a handstand.
What is your best advice for someone starting to work in your field?
Be intentional in your work. Know how you want to grow in your career and look out for opportunities that will help you build those skills. At the same time, be open to working on things you didn’t plan to. You might be surprised.
Meeting… Katerina Iliakopoulou, Lead Software Engineer was originally published in NYT Open on Medium, where people are continuing the conversation by highlighting and responding to this story.

bullshit 
