I was out with a friend who worked for Twitter and I asked them whether it would be possible for the museum to “create 200,000 Twitter accounts, one for each object in the Cooper Hewitt’s collection”. My friend looked at me for a moment, laughed, and then simply said: No.
In that blog post, Aaron reveals that the San Francisco International Airport Museum is using ActivityPub to create automated social-media bot accounts for all its exhibits and, possibly, every object it hold.
And why not! That would be close to impossible to do on a centralised service. But on a decentralised service under your own control, it is relatively simple. Perhaps I only want to follow the museum's canteen, or I just want to engage with a specific artefact. The Fediverse makes that possible.
This reminds me of the Melbourne "treemail" phenomenon. Every tree in the city had an email address, ostensibly so residents could email maintenance issues for a specific tree. Instead, people started interacting with the trees and sending them little love notes!
Dearest Golden Elm Tree, I finally found you! As in I see you everyday on my way to uni, but I had no idea of what kind of tree you are. You are the most beautiful tree in the city and I love you
A few weeks ago, I read about Ben Smith inventing Tweeting trains. With a bit of code, every train line in the UK was suddenly represented on the web in a convenient format. Well… Convenient if you were on Twitter.
Museums, trees, and trains naturally brings me on to the Internet of Things. I think it is fair to say that IoT is in a bit of an odd place right now. Matter is a confusing mishmash of standards. Security and privacy issues dog the simplest devices. Many people don't even want their toaster online!
For the majority of domestic uses, people want an Intranet of Things. There's little need to have your light-bulbs controlled when you're outside of WiFi range. Similarly, it is probably a really bad idea to have your hydroelectric dam connected to the Internet.
Which brings me back to the Fediverse.
On the one hand, it would be nice to be able to follow @Yellow_Line@Transit_Authority.gov - or even @Bus_Stop_1234@bus_company.biz - that would allow for hyperfocused data getting to the right people. It seems feasible that every civic object could have a Fediverse account. From the individual streetlights to the municipal sewerage system. Perhaps people won't send love letters to overflowing drains - but a social-dashboard of your civic environment could be both practical and delightful.
And, as for your domestic gadgets? Why not give every room, or every light-bulb, in your home a private Fediverse account? You could send a message like:
Hey @thermostat, please set the temperature to 19°C. Thanks!
That might be a bit much! But I like the idea of a private social network which consists of all my IoT gadgets talking to me and each other.
My Linux laptop used to suspend perfectly. I'd close the lid and it would go to sleep. Open it up, it would spring to life - presenting me with a password screen. But, some time in the last few months, it has stopped doing that.
If I close the lid, it keeps running. This is unhelpful.
If I manually run the suspend command - systemctl suspend - the laptop blanks the screen then immediately turns it back on at the lock screen. It doesn't suspend.
I know that suspend physically works - becasue running any of these other command does properly suspend the machine. But powering it back up goes straight to the desktop - no lock screen!
I went down a bit of a rabbit hole, following lots of suggestions from various people on the Internet. None of these helped me - but they may be useful pointers to you.
I tried disabling everything in . I couldn't get PXSX to be disabled. But even with everything else off, the suspend didn't work.
Google used to have some beautiful logos for its apps. Each had a distinct shape, style, and colour. Then, someone decided that they all needed a consistent visual language. And this mess was born.
sigh I get it. I really do. Brand is a thing. Users often use visual heuristics to identify similar groups. Having each team go wild on an icon design doesn't always reflect the professionalism and consistency that you want to project. The logos aren't awful - but I find them a little boring. Not the worst sin in the world. Though that's only half the problem.
In Google's Android, they've decided that - for consistency - all icons must be firmly encased in a white circle. It makes everything look clean, consistent, friendly, and...
I apologise for getting old. My visual acuity isn't what it once was. When I'm staring at my phone, with its screen caked in fingerprint grease, on a juddering bus, after a long day at work, all I want is a quick way to identify the app I want to use.
Like most people, my brain has evolved to take mental shortcuts. It looks for a distinct shape and colour to identify things. I simply can't do that with modern Android's adaptive icons. They all look like white circles with a splodge of colour in the middle.
A few years ago, I wrote about fixing Android's circular icons. Sadly, I don't have the skill to produce my own icon pack. But using the open source Iconeration I was able to manually set my icons to be beautifully inconsistent.
With a glance, I can immediately see which is which. Do I care that they're not all aligned perfectly? Nope!
I've got a high-resolution screen, I want high-resolution artwork. Look at that Firefox icon! It is gorgeous! It isn't a pale, flat, blob - it has texture and uniqueness.
Phones used to be wild and unique - now they're all boring black rectangles. User Interfaces used to reflect the aspirations of their designers - now they're just a bland corporate mediocrity.
I hope, one day soon, the fashion pendulum will swing back and interfaces can become interesting again. Until that day, I'll use Iconeration to make my phone easier and more delightful for me.
The great thing about getting older is that the popular culture of your youth is repackaged and sold back to you with increasing urgency. Yes, I want that Lego set I couldn't afford as a kid. Why, of course I want to watch a reboot of Frasier! Another few Ghostbusters movies? I'm in!
Brendan Murphy has prepared a dose of 100% pure 90's nostalgia and wishes to inject it into your eyeballs. Ahhh! Go on then!
The show styles itself as all 7 seasons, told in 70 minutes, from Spike's perspective. And that's just what we get. Murphy does a commendable job recreating Spike's "authentic" cockernee accent, and is delightfully dappy taking on the mantle of the other characters.
There is so much to love about this performance. The script is written by someone who obviously has great love for the Scooby Gang, but isn't afraid to point out the tropes and weirdness of the series. It is a loud, manic, cavalcade of energy - urged on by a cackling audience who recognise all the obscure quotes.
Several years ago, at the start of the pandemic, I tried using Nintendo's Ring Fit as an exercise method. It didn't last long. I felt I was spending too much time earning in-game currency, making choices on what to spend it on, crafting, managing inventory, choosing power-ups, and all sorts of other tedious nonsense.
In short, I constantly felt like I was working rather than working out.
If you like that sort of game mechanic; I'm happy for you. But it just turned me off the game so much that I never completed it.
A few years later, I got the Meta Quest 2 VR Headset. Most of the games on it are pretty crappy. Nintendo Wii level graphics, screaming kids on the online experiences, and pathetic battery life. There are a few charming experiences, but it mostly sucks.
I think Beat Saber might be my personal zenith of gaming. There are no complex instructions - you slice the blocks in the indicated direction. That's it. Here's me playing a level (with my microphone muted so you can't hear my huffing and puffing).
There are no power-ups to help you cheat your way through the levels. No boss fights. No collecting or spending coins. The only decisions you're ever asked to make are "what song would you like?" and "how difficult do you want this to be?" Much like the fabled L-Game, it is the distillation of ludic perfection.
Best of all, your only opponent is yourself.
As I've previously noted, most games aren't about you getting better at the game; they're about you getting better equipment. Beat Saber is the opposite. You have to physically practice in order to complete a level.
Note - you don't have to "beat" levels in order to progress. This isn't one of those games which holds content back if you can't complete the earlier levels. If you want to skip a song, or try something harder or easier, you can pick whatever you like.
In does have in-app purchases. Far from being the sort of loot-box bullshit most games are infested with, these are brutally honest. You can buy an album of songs for between £10 - £16. If you try to buy a single song, it will warn you that it is probably cheaper to buy the multipack. If you are happy with the base songs, it won't push the premium ones on you.
And, yes, there is online competitive play if you really want to test your mettle against people younger and fitter than you. But why bother? What good does it do you to know there's some kid in Seoul who can dedicate 20 hours a day to practicing? It doesn't.
I don't know if it is making me fitter. I'm certainly sweating more. And I don't know if I'll continue playing it. But, as long as it doesn't change its basic premise, I'm finding it delightful.
By 2008 I was blogging most months. And then I never really stopped. In early 2009 I switched to WordPress which led me down the path of developing my own theme and plugins.
Along the way, I've added necroposts - blog posts from work blogs which have since become defunct, or letters that I wrote to magazines when I was a kid.
I've also been quite liberal with my use of retroposts - posts written far in advance and then published once the dust has settled. There are a few more of those in the pipeline.
As of today, there are about 6,500 pieces of media in my library - taking up 2.3GB.
I don't write every day. But I do write most days. I usually write title and scraps of ideas, then leave them to ferment1. They usually start out as social-media posts which have got a little traction.
When I do write a post, I'll quite often leave it in a half-finished state and come back to it later. I usually have several blog posts on the go at any one time. It is incredibly rare that I'll write something and publish it that same day. And it is only occasionally that I publish something in the same week it was written.
I schedule and reschedule as the mood takes me.
I write in MarkDown using the classic editor. I'm too stuck in my ways to switch to Gutenberg blocks.
Someone once asked me how I managed to read so many books and the answer is simple - because I prefer reading books to doing other things.
I could spend more time playing video games, or learning to solder, or cooking from scratch, or brewing beer, or drinking beer, or any of a thousand hobbies2. But reading and writing are what I prefer doing.
Oh, sure, there's a thrill when a post goes viral. Or when someone you admire says something nice about the writing. Or when someone leaves a comment on an old blog saying how I helped them. Or when I'm cited in academic research.
But the reason I write is to get all the ideas out of my head3. I blog daily because, deep down, I want to learn something new and surprising every day - and I want to share that with anyone who happens to pass by.
And there are a lot of ideas in there. Not all of them good. Very few of them sensible. But all rattling around. Once written down, they no longer crowd my thoughts. ↩
Infrastructure is impossible. You have to wrangle thousands of people over dozens of months, with a budget of millions, to deliver something made of hundreds of plans, which has to fit seamlessly into the world. How does any infrastructure get built?
It mostly doesn't. This is the terrifying true story of all the different ways big projects fail.
If you've ever been part of a big IT project, some of the themes will give you flashbacks. What kills me is how normalised this has become. We all know that predicted budgets are little more than crystal-ball gazing. We can see that tiny blockers now lead to catastrophes later on.
In plain English, minor changes combined in a way to produce a disaster. In complex systems, that happens so often that the Yale sociologist Charles Perrow called such events “normal accidents.”
This is as much about human psychology as it is planning. Take this example:
“I once asked an engineer why their cost estimates were invariably underestimated and he simply answered, ‘if we gave the true expected outcome costs nothing would be built.’”
Does that ring true to you? Whether you're justifying your own bit of home DIY, or trying to get a multi-billion project off the ground, of course you're going to lie to yourself!
What I love about the book is that it isn't just pointing and snarking. There are excellent suggestions in there; use experts, plan for disaster, do repeatable actions. Nothing revolutionary - but worth hammering into people's brains.
Most big projects are not the first, tallest, biggest, or anything else too remarkable.
It all comes down to the boring magic of standards. Find a standardised way to do something and iterate on that.
The book is, necessarily, a little dry. I think it could have benefited from a few illustrations. Sometimes a little help visualising data is necessary. Some of the megaprojects could have photos to help demonstrate the scale.
It starts as a somewhat jolly romp through grand failures but, by the end, becomes an urgent plea.
In our present situation, wasted resources and wasted time are a threat to civilization.
We don't have the luxury of wasting billions. We don't have the time to do things twice. Grandiose plans based on untested technology aren't going to save us from the climate crisis.
An excellent book for understanding the reality of building anything.
There are a few heartstopping moments when you have to transfer a Very Large Amount of Money. Will the bank deny the transaction? Will I have to remember my mother's cousin's dog's maiden name? Will the money arrive safely?
I clicked the "Transfer Your Life Savings" button on the website. An hourglass appeared. I flipped into the other tab and hit refresh. My balance went from zero to quite-a-bit-more. I flipped back to the first tab. The hourglass faded away and I saw the words "Transfer Succeeded".
For all intents and purposes, money transfer in the UK is free and - just as important - instant. In this case the receiving bank told me the funds were present before the JavaScript on the sending bank had updated.
When I'm due to receive a parcel, most reputable couriers tell me exactly where it is at all times. I can see it transit through customs. I can see it get stuck in Antwerp. I can see it is due to be delivered tomorrow. I can see that it is only 3 stops away. I can see a photo of it hidden in my porch.
I think back to the days when I had to carry a paper cheque between branches to transfer funds - and then wait until my monthly statement to see if they'd been processed. I remember ordering goods from far off lands and never quite knowing when or if they'd arrive.
Nowadays I can play Scrabble against my mother-in-law while she's 18,000Km away - and the moves ping across the æther in an instant.
I applied for a new credit card. The ID verification was pretty much instant but the physical card was going to take a few days to arrive. So they let me create a virtual card number which I could use instantly.
Having sold a property recently, there are so many bewildering slow steps that it's hard not to imagine a conspiracy of lawyers keeping things churning along to pad out their fees.
It bemuses me that so many computer games are multi-GB downloads - why don't they stream to start? Wither Stadia!
There are still long lead times on some physical items. For some reason sofas and spare parts for washing machines are all made by hand and travel on the same slow boat.
Education still hasn't reached the "I know Kung-Fu" stage. Sure, we can dial up a YouTube video on any esoteric subject and watch it at double-speed. But we're stuck with pedagogy which hasn't changed in a thousand years. Read, listen, practice, repeat.
As I've said before, slowness can . Perhaps insurance payouts should wait until an investigation has been completed. And it probably isn't the worst idea in the world to wait between getting a marriage licence and tying the knot.
The Framework laptop has several little slots which can be used be used to expand the functionality of the laptop. They convert the internal USB-C ports into a different sort of port.
It is a much more capable reader. It uses micro-USB rather than USB-C, which isn't insurmountable using a flexible male-male cable. What about the dimensions?
Ignoring the USB jack, the board is about 50mm long. That would leave about 2cm sticking out of the side of the laptop. Which isn't too bad. The width is within what we need. There's even an updated version with a slightly different spec.
Several years ago, I had a CT scan of my jaw. The dentist wasn't sure if she was allowed to give me a copy of the scan, which led me to ask "who owns the copyright to my medical images?" I still don't have an answer to the copyright question - but I do now have a copy of a CT scan!
Last week - following some dental trauma - I had another scan of my head. The dentist took great delight in showing me my bones in 3D. So I asked for a copy.
This was something he'd never done before! So, together, we navigated the software, found the export button, and generated a copy. Even zipped up it was half a gigabyte - a bit too much for email and, not unreasonably, he didn't want me plugging in strange USB devices to his medical equipment. So he sent it over WeTransfer. Possibly not the most secure method for my medical data, but I didn't really have time to set up a personal SFTP site or teach him about installing WSL so he could SCP the content. Ah well, needs must.
Unzipped, the folder was about 700MB. Of that, 400MB was taken up by the included Windows app "Ez3D-i". Unsurprisingly, it didn't run on Linux.
The other 300MB was taken up by 450 .DCM files. These are medical images in the DICOM format. This is a relatively open standard which uses JPG plus lots of metadata. There are dozens of Linux programs which can read this - although many haven't been updated in years.
The easiest GUI for viewing the images is Mango. It presents a view of the CT Scan that you can move around.
But once you get the hang of it, you can manipulate the 3D scan and view it from all angles. It's possible to peel away the soft tissue and do all sorts of other fancy trickery. Even on my laptop without a fancy graphics card, it was fast. Here's a quick animation showing the (false colour) version.
If you have had a CT scan, please do ask for a copy of the DICOM files. It is great fun to explore around your own body.
Now I just need to find a way to import this into my Meta Quest so I can enjoy these teeth in VR!
Book cover showing a towering structure covered in plants.This is a fascinating story told on an almost geological timescale. It is a tantalisingly glimpse, into a much larger world. It is a story of contradiction - there's an epic universe, but we're stuck in a parochial backwater. It is full of un-human creations - yet its politics are firmly a reflection of the 2020s.
I loved the story - it's almost impossible to describe how wild it gets - but found myself continually frustrated with the po-faced nature of the characters. The protagonists are so morally-righteous that it gets a little repetitive and tiresome. That's balanced by the bonkers notions of sexually-active trains getting involved in labour organising.
There are a number of sub-plots, which tease their way in with sentences like:
They held the League’s biggest archive of intellectual property, as well as a massive stable of slaved creators whose dance moves you could get for free at one of Lefthand’s many branded nightclubs.
I found it deeply weird. Absolutely enjoyable, but perhaps a little too strident to be fun.
Our roof is non-optimal. We have an East/West split rather than the more usual South-facing panels. We have some big trees near us. And we live in a rainy, cloudy, overcast region of London.
We still produce more than the average household consumes!
Depending on the Carbon Intensity of the UK grid, we've saved about 3 tonnes of CO2.
Imagine if we could put solar on the roof of every house in the country. Domestic consumption from the grid would fall to zero on sunny days. Even in winter it would dramatically reduce usage. If you can add a battery and smart meter then domestic costs would plummet.
Let's talk about money for a moment. I don't know how much it will cost you to put solar panels up on your roof. You might need lots of scaffolding, your wiring and consumer unit may need an upgrade, there might be bats in your loft. Get a couple of quotes and find out for yourself.
But I can talk about how much money solar panels can save.
Over the last 4 years, UK electricity prices have fluctuated considerably. Somewhere between 20p/kWh and 30p/kWh. That means those 15,480kWh are worth somewhere between £3,000 and £4,600.
Of course, not all of that electricity gets consumed by us. Some of it flows back to the grid. As a rough rule of thumb, most systems seem to export half of what they produce.
Octopus Energy (join and we both get £50) pay 15p/kWh on export.
So let's say 50% is used, saving 25p/kWh, and 50% is sold at 15p/kWh. That means we have profited by roughly £3,000 over 4 years.
Every day at sunset, I automatically publish data straight from the solar inverter. You can grab the data from GitLab. It will show you real data, changing every 5 minutes, and could be useful if you're modelling something.
Photovoltaic cells are the ultimate in "boring magic". Stick them on your roof and forget them. Year after year they'll happily sit inert, chugging down photons and spitting out electrons. The rain washes them clean. The warranties are generous. The technology behind them is stable and well understood. All you have to do is watch your electricity bills fall.
There's nothing finer to do in Brighton than walk along the promenade eating a wodge of chips the size of your face. But it was raining, so we sat inside and ate all the chips instead. This is Brighton's 100% vegan chippie. As well as big fluffy chips, battered (veggie) sausage, and all the standard condiments - they specialise in fishless-fish.
Thick and juicy plant-based protein (available in "Smoked Haddock" or "Cod" flavours), wrapped in a sheet of seaweed, and coated in thick and crunchy batter. Delicious! The flavour was more intense than the normal sort of Quorn fish-style fingers, chips were as good as any I've had elsewhere, the tartare sauce and aioli were nice - although perhaps a bit cheeky to charge extra for them.
The restaurant is down a steep flight of stairs, but they also do delivery and take-away. There's a few seats available, as well as customer loos.
We couldn't finish all our chips, but the staff were happy to give us a takeaway box. So we munched them on the way home - in the rain.
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...!
Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.
You probably have your phone-number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.
I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.
This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
What can you do to stop this attack? Nothing.
Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.
If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.
Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.
Go to your phone company's account. Set a long password and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and send out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.
It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.
Anyway, please try to remove your phone number as a critical lynchpin in your security regime.
I use a self-built WordPress theme for this blog. I also use a variety of self-developed WordPress plugins for various enhancements. I used to publish these plugins, but I get terribly confused by the SVN shenanigans involved, and they weren't used by many people, so I stopped.
Recently, I've been moving all my plugin code into my theme. This is sort-of-but-not-quite a MonoRepo.
I've also tried to move away, as far as possible, from using other people's plugins. Most of the ones I had were single-shot plugins which did one thing and needed the minimum amount of configuration. So I learned from their code and re-implemented it into my theme.
This isn't quite digital-homesteading. I'm not rolling my own crypto, or building my own CMS. I'm just taking back a little control, learning how things work, and enjoying the busy-work of Digital Gardening.
I don't know if this is a good idea. It means I don't get security updates if my knock-off code is vulnerable. I don't get new features. But I also don't have to trust that a 3rd-party developer isn't going to screw up (I can screw up on my own, thank-you-very-much!). I've had a few bad experiences with plugins which suddenly stopped working, or had abusive behaviour.
I put new functionality into a file with a descriptive name, for example related-posts.php and I save it in my-theme/includes/.
In my WordPress's theme, I add this to functions.php:
// Load all the files$includes_path = get_template_directory() . "/includes/";foreach ( new DirectoryIterator( $includes_path ) as $fileInfo ) { if( $fileInfo->isDot() ) continue; // Ignore . and .. if( $fileInfo->getExtension() != "php" ) continue; // Only load PHP require_once( get_template_directory() . "/includes/" . $fileInfo->getFilename() );}
That loads all the .php files from /includes/.
I have no idea how performant this is. I have some fairly aggressive caching plugins which should minimise any slowness - and they're not part of my MonoRepo.
Android's user-hostile interface never fails to disappoint! I was struggling to get a new eSIM working. I could make and receive calls / texts, but data just wasn't connecting. I tried rebooting, flipping to aeroplane mode, changing bearer, manually selecting the network. Nothing!
Then, I remembered my ancient GSM knowledge. All mobile networks need an APN - Access Point Name - in order to connect to data services. Tucked at the bottom of the SIM settings screen is the "Access point names" option. I tapped on it, and got this unfriendly error message:
THIS IS A LIE! What it really means is that the phone doesn't have an APN listed for this specific SIM.
If you click on the + button in the top corner, you'll get to a screen where you can add your APN details manually. You'll need to get these from your mobile operator. But that's not quite all! In order to save the APN, you need to tap the ⋮ button and select "Save":
One of my most memorable experiences in the Civil Service1 was discussing link shortening services with a very friendly2 person from the Foreign and Commonwealth Office.
I was trying to explain why link shortners like bit.ly and ow.ly weren't sensible for Government use. They didn't seem to particularly care about the privacy implications or the risk of phishing. I needed to take a different tack.
"So, you know how .uk is the UK and .de is Germany, right?"
"Yes."
"What country do you think .ly is for?"
There was some consulting of ISO 3166-1 alpha-2 whereupon the blood drained from their face and they stepped outside to make a phone call.
Throughout my time in the Civil Service I advocated for the use of .gov.uk URls everywhere. They're a trusted destination for users, they're under Government control so are less likely to be hijacked, and they don't require users to give their data to third parties.
Childcare Choices is a leaflet which is, I assume, shoved through everyone's letterbox. All the URls in the leaflet say gov.uk3 - but what happens when you scan?
Our old friend enemy Bitly. A user scanning this has no idea where that code will take them. They cannot access the content without giving their data away to Bitly.
Surrey also sent me a leaflet with two different QR codes.
There are many reasons not to use .io. Of particular interest is the scnv.io privacy policy which, if you click that link, you will see is missing from their website! What does this company do with the data of people who scan that code? No one knows!
Aside from using an unintelligible Bitly link, the QR code is inverted. The QR standard is very clear that the codes should be black-on-white. Some scanners will have difficulty scanning these white-on-dark codes. They may look æsthetically pleasing, but it's a pretty rubbish experience if you can't scan them.
Is there a risk risk of QR hijacking? Possibly. The best defence is to train users to look for a trusted URl.
In this case, using link shorteners is training users to be phished. If they are used to official Government QR codes going to weird locations, they won't notice when a scammer tries to send them to a dodgy site.
Please practice safe QR generation!
I am no longer a Civil Servant. The Government's views are not my own. And vice-versa. ↩
But not so friendly that they'd tell me their surname... ↩
When I was there, the "Brand Police" were insistent that it should be referred to as GOV.UK in all-caps. The leaflet exclusively uses the lower-case version. Sorry Neil! ↩
You know that ice-breaker game "Two Truths And A Lie"? When I'm forced into some mandatory office fun, I always say...
I've sat in the seat of a space shuttle.
I still have two of my baby teeth.
I used to be a voice-over artist.
Well, one of those truths is about to come crashing down.
When I was younger, I had two of my adult teeth removed. They were coming out at such a crazy angle that they couldn't be tackled with braces. So they were surgically yanked out. I was a teenager at the time and was told that, with care, my remaining baby gnashers would probably last another decade or so - if I remembered to floss.
Three decades on, and I thought the chompers were doing relatively well. Sure, they looked a little worn and stubby - but they had certainly exceeded their manufacturer's guarantee. My lovely dentist had been prodding at them for the last few years with increasing worry. But reassured me they were doing better than expected.
And then, one morning, one of the teeth suffered a catastrophic structural integrity failure.
Aiii! Luckily it didn't hurt - although it did rip into my lip a bit. But it was clear this tooth needed something more drastic than extra-strength Colgate.
The dentist has whittled down the remaining fang to be a bit less stabby. Now I have to decide what I want to happen to the remainder of my tusks.
I've previously wondered about high-tech dental implants - but it looks like there's nothing available. No NFC, light up, Internet-of-Teeth for me!
So I guess I'm going under the gas once again. These old ivories are destined for the scrap-heap. Titanium implants with glow in the dark colour-matched crowns, I guess. I'm not sure I want to travel abroad to get the procedure done. It may be cheaper, but there's less recompense if things go wrong.
If you've have dental implants in the UK, and want to hit me up with strategic info, please use the comment box.
An HTTP Message Signature is a header which is separate to the message it signs. You might receive a JSON message like this:
{ "actor": "https://example.com/user/Alice", "message": "We strike at dawn!"}
How do you know that really came from Alice? You look at the header of the message. It will be something like:
Signature: keyId="https://example.org/user/Alice#main-key", algorithm="rsa-sha256", headers="(request-target) host date digest", signature="/AJ4Dv/wSL3XE1dLjFHCYVc7AF4f3+Q10G/r8+6cPsooiUh2K3YX3z++Nclo4qKHYr61yu+T4OMqUry1T6ZHmZqmNkg1RpVg=="
We want to check that Alice signed this message with her private key. So we grab her public key given by the keyId.
From there, we do some fancy maths using RSA-SHA256 and conclude that, when you put together the (request-target) host date digest content-type and compare them to the public key, they can only have be signed by the private key. Hurrah!
Did you spot the mistake I made? It wasn't in the maths, or the complex ordering of the data, or the algorithm choice, or some weird Unicode problem.
I made an error in trust.
Take a look at the Signature again.
The keyId is from example.org. But the actor is from example.com.
This message is signed correctly. It is cryptographically valid. But it wasn't signed by the actor in the message!
In this case, the fix is simple. Get the public key from keyId. Then independently get the named actor's public key. If they match, all is well. If not, skulduggery is afoot.
I'm almost tempted to say that you should ignore the provided keyId entirely; the source of truth is the actor's key - and the best way to get that is directly from the actor's profile.
Please explain why I'm wrong in the comments.
You might think the Entscheidungsproblem is hard, but that's just peanuts compared to etc. etc. ↩
These are notes to myself - and anyone else who finds them useful.
Before starting, I booted the Google OS to install the latest firmware and an eSIM. After a few days of enduring Google's naggy software, I was ready to commit to installing something better.
I tried using the Web Installer. It managed to flash some of the partitions and then failed with:
Failed to execute 'claimInterface' on 'USBDevice'
So I used the CLI instructions which were comprehensive. Worth re-reading them a few times to make sure you understand what needs doing. I (foolishly) assumed my fastboot didn't need updating. Tsk!
And then... it just worked!
Well, almost. The device saw the previously installed eSIM, but wouldn't connect to its network. I manually removed it, reloaded it. Still nothing. So I manually chose the network and that seemed to fix it. No idea if that's a problem with the network, the eSIM, or something else.
This is a known problem but it makes for a crappy user-experience. There's no way to update the app in Graphene - you need to manually install your preferred SMS app.
In similar UX fails, I tried to add the clock widget to my home screen. This is what I saw. Hard to see graphics.
If you peer carefully, you'll see an analogue and digital clock. I hadn't switched to dark mode or anything like that - this is the default experience.
I wanted to see how long I could go before installing Google Play Services. The answer was... five minutes. I tried to log in to my password manager using a WebAuthN token and it wouldn't work. The default Vanadium browser can't handle them. Again, this is a known problem - but it does slightly undermine the attraction of Graphene. I'm privacy conscious and want as little Google in my life as possible. I'm security conscious and want to use MFA everywhere. Pick one.
Partway through the day, I got this internal error:
I was happily browsing the web with no connectivity issues. So I'm not sure what caused that.
It's annoying that Graphene doesn't support LineageOS's bottom-button changes. I have a decade of muscle-memory saying back is on the right. There's no way to change it, so I've swapped to gesture navigation.
The icon size on the stock launcher are far too small. On a massive screen like the 8 Pro they are tiny. So I've installed NeoLauncher which is a lot more customisable.
The only other (non-essential) thing missing is the ability to use Cast to screen share a device. There's a button in the UI, but it does nothing.
Setting up a work-profile required a little bit of a work-around, but seems to have worked. Hurrah for forum threads detailing the various tricks you need.
A software update allowed DisplayPort via USB-C. I plugged the 8 Pro into my USB-C hub, it detected the ethernet, keyboard, mouse, and display - graphics came through fine. Although there's no way to rotate an external screen - so you're stuck with landscape orientation. My HDMI adapters showed as detected via a little icon - but no video came out.
The Graphene camera's interface isn't as good as GCam and it is missing a bunch of options. Installing the stock Pixel camera worked - and there are lots of hacky derivatives.
Other than that, it has been pretty good so far. My banking apps work, call recording works, 5G and Bluetooth works, eSIM and regular SIM works. There have been a few odd things where apps have complained that they can't work and then suddenly sprang to life - but that might just be Android.
The only big thing Graphene is missing is Google Pay / Wallet. It is so convenient using tap to pay - but getting rid of the rest of the incessant Google bloat is worth the sacrifice.
Overall, I'm happy with the decision to nuke the original Google software. I know they say they'll support the device for 7 years - but I literally have no reason to trust them. Maybe I'm being naïve trusting a group of random hackers to produce a more secure OS - but I'd rather that than further entanglement with an organisation which has repeatedly shown contempt for its customers and users.
Every single frame of this movie is a delight - even the closing titles. It is an explosion of outrageous colour, extravagant lenses, and delirious shots. Like an Escher woodcut electrified into life.
I adored director Yorgos Lanthimos' earlier film The Lobster - this feel almost like that film was injected with several million more dollars and a sprinkling of psychedelics. This magic is what happens when you give creative people freedom to be as weird as their dare.
As beautiful as it all is, the story is vicious and nasty. It has a slimy and voyeuristic atmosphere which suffuses the sex-scenes, moving them from titillation to pivotal set-pieces in the development of the characters.
This isn't an easy film to watch. While it superficially shares a garish palette with Barbie and a sceptical view of science with Oppenheimer, it is so far away from those two mainstream films that I am stunned it exists.
It is impossible not to be constantly entertained - and continually horrified - as the film progresses. It is visceral fun.
I've recently signed up to the privacy-preserving service Proton. All the email, calendar, drive, VPN, and other services seem to hang off the proton.me domain.
I wanted to download the Android apps to my phone - without using the Google Play Store. The VPN app is on F-Droid but none of the others are. So, because I'm lazy, I Googled "Download Proton Mail".
It looks like a genuine site. But is it? .me is signed by Let's Encrypt, whereas .com is signed by Amazon. There is no link from Proton.me to ProtonApps.com. There's nothing I can find that shows it is genuine.
But, let's assume for the moment, that it is legitimate. What happens when you try to download the Android apps from it?
So there are multiple domains - Proton.me, ProtonApps.com, ProtonMail.com, ProtonVPN.com - and there are at least 2 different GitHub organisations.
How do you tell which ones are legitimate? I signed up and paid on the .me page - so I have high confidence in it.
The official Proton Mastodon account says the ProtonApps.com site is legitimate (and the Mastodon account is verified by the .me site). But you can't expect users to chase through a dozen different pages and enquire on social media just to verify which page is safe.
This is my plea to all developers - simplify your customer-facing infrastructure to make your domains consistent & trustworthy.
I've been watching the new 4K77 fan-releases of Star Wars (AKA - A New Hope). It is amazing seeing the graininess of the original picture and hearing just how lush the original stereo soundtrack is. There's even some good bonus content in terms of a long-lost LaserDisc commentary.
But rewatching the film made me re-asses what I thought I knew about The Force. My childhood was dominated by trying to perform telekinesis and mind-reading. In retrospect, those are mostly artefacts of Empire and Jedi.
In the original Star Wars, it feels like The Force is irrelevant to the plot. The tiny glimpses we get of a Jedi's awesome powers are (in order):
Obi-Wan screams at the Sand-People to make them run away. I'm not sure if that's a retconning of a Jedi's powers, but it certainly made no impact on me as a kid.
Darth Vader uses The Force to choke an Imperial officer. Despite, during the opening scenes, physically choking an Rebel soldier.
Obi-Wan Kenobi uses The Force to convince some Storm Troopers to let Luke pass without identification. "The Force can have a strong influence on the weak-minded". Yet, a few minutes later in the Cantina, Ben chooses violence and chops off a dude's arm rather than gently mess with his mind.
Obi-Wan "senses" the destruction of Alderaan. But that doesn't change the ship's destination.
Luke is able to sense the remote and deflect its blasts - even with the blast-shield down. But, again, not really relevant to the plot.
Vader thinks he senses Kenobi's presence. This eventually has a pay-off when he reveals Kenobi's presence to Tarkin.
Kenobi distracts the Storm-Troopers who are guarding the tractor-beam. That's probably the most impactful use of The Force in the whole film!
Finally, at the end of the movie, Luke switches off his targeting computer and manually fires his proton torpedoes. Does he guide the torpedoes into the exhaust port with the force? Is it skill or luck?
Basically, what I'm saying, is that if The Force didn't exist - the story of Star Wars would remain unaltered.
Think about all the times The Force could have been useful.
Obi-Wan could have helped Luke get more money for his speeder - and could have convinced Han to ask for less money.
Obi-Wan didn't sense that they were being followed by Garindan (the guy with the long nose) after selling the speeder.
At no point does Darth Vader use The Force to read Princess Leia's mind - indeed, he says "her resistance to the mind probe is considerable". Implying that mind-reading isn't in a Sith Lord's skillset?
Similarly, he doesn't realise that Leia's confession about Dantooine is a lie - although obliquely suggests he know she wouldn't "consciously betray the rebellion".
Vader's abilities don't seem to extend to distracting the X-Wing pilots he's targeting - nor sensing the Millennium Falcon approaching.
Perhaps my entire childhood was a lie? The Jedi are nothing more than cheap magicians and their main source of power is distraction!
Virgin Media - a UK-based fibre-optic ISP - recently sent me a survey about their potential product offerings. It was desperate to know if I wanted bundled streaming video (no), or Sky Sports (LOL no), or any other digital subscriptions (no, go away), or a landline (what, is this the 1990s?). They even wanted to know if I'd pay extra for priority support.
Here are some of the offerings they proposed. I must not that these are from a market research exercise. Whether they'll ever launch, and whether the prices are accurate, is something we'll have to wait to see.
