Archives

Categories

PinePhone Status

4 months ago I got my PinePhonePro [1]. Since then I have got SE Linux working on it to the stage of allowing it to boot correctly with Debian/Unstable, login with the user_t domain (minimum privilege for the graphical user) and make and receive calls. I finished getting SE Linux working reasonably well 3 days ago and most (but not all) of the SE Linux policy is in Debian now. I’ve been getting good at Github PRs and I’m sending a lot of policy upstream, so the next version of Debian will have a much smaller diff from the upstream Refpolicy. I have been running the PinePhone with Plasma Mobile because I prefer KDE, I would run GNOME/Phoc if it gave significantly better functionality.

3 days ago I moved my main SIM (the one with the number that people call about work etc) to my PinePhone and tried running it as my main phone. Today I gave up on that.

My Android History

The last phone I had that did everything I needed was a Huawei Mate 10 Pro that I bought refurbished in June 2019 for $389. The Mate 10 Pro runs Android with the Google Play store and has been quite unremarkable which is presumably why I forgot to blog about it when I got it, it was a slight upgrade over the Huawei Mate 9 [2] that I had used for 2 years before that. In April 2022 I tried using a Huawei Nova 7i as my main phone without Google Play programs or services [3]. That experiment was a failure as I couldn’t get NextCloud to work for Calendaring and Contacts. It could be that I stuffed something up when trying that, but I put more skill and effort into trying to get it to work than most people ever would. The Nova 7i is a very slick phone, faster and nicer than the Mate 10 Pro (as expected being 2 years newer) while also having ridiculously long battery life. The Nova 7i when always on running the SchildiChat Matrix client and the Conversations Jabber client it will use less than 10% battery in a 8 hour work day.

As nice as the Nova 7i is for the core functions I still need to have Play Store apps for LinkedIn, Twitter, Facebook, Zoom, etc. Which meant connecting the Mate 10 Pro via Wifi. As slick as the Nova 7i is for non-Google stuff running it and the Mate 10 Pro is a medium amount of pain for a small amount of freedom.

So now I have for the moment abandoned the Nova 7i and gone back to the Mate 10 Pro. What I will try to do is to either forcibly install Google Play on the Nova 7i to make it my proprietary phone or to install an open distribution of Linux (IE not Android) to make it at least a small tablet which incidentally is much more powerful than a PinePhonePro.

Issues With the PinePhonePro

The battery charges very slowly (as much as 50 hours estimated charge time) and discharges fast. When used in a typical way in “Caffeine” mode to stop suspend so I can ssh to it etc it won’t come close to lasting an 8 hour day. Also it will only take 5V charging and ideally wants 5V 3A charging which most chargers won’t do. The charging speed over regular USB ports is very slow, sometimes stating it will take as much as 50 hours to charge. A phone that gets below 50% charge in less than 4 hours and can’t be charged at a reasonable speed from a USB port on a laptop or monitor is going to be a major pain to use in the office. I don’t think this can be fixed in software, we can alleviate it by making software more CPU efficient and by enabling various hardware sleep modes more effectively but the slow charging is a hardware issue that can’t be fixed.

The phone call quality is poor. Usually when on a call I hear static and sometimes the person at the other end appears to hear nothing. Also the UI for calls is different from Android which makes it take longer to answer a call and gives more missed calls. The UI issue is a combination of software and habits, both of which can be changed. But the call quality may be a hardware issue. I don’t know if it’s a hardware issue specific to my phone or something related to the PinePhonePro on the Telstra network.

Clicking on notification in the drop-down doesn’t take me to the app. I don’t know if this is regarded as a bug by the Plasma-Mobile developers. Also notifications aren’t displayed on the lock screen and there doesn’t seem to be a configuration option to enable this.

The Plasma-Mobile configuration for the wifi hotspot is difficult. There is no button for it in the drop-down menu (called Quicksettings in Plasma-Mobile) and no way of easily determining whether it’s in hotspot or wifi client mode. This isn’t an insurmountable problem and the worst-case is that I could write a script to do it, but it’s still annoying.

There is apparent support in the desktop version of KDE for syncing contacts from Google and I could probably get that working (although I failed last time I tried on the desktop), but it is a pain.

Conclusion

Most of the problems are software related and therefore I can get involved in solving them. I plan to keep working on these things. If all the software had worked in an ideal manner then I would have spent more time investigating the hardware issues of battery life and charge time and the quality of calls.

I now have my Librem5 [4] running Debian so I will be able to compare call quality with the PinePhonePro. If I’m unable to get the PinePhonePro working adequately then maybe making the Librem5 my main phone will be an option.

I hope that by early next year I will be able to make another test at using a FOSS phone my main phone. In the mean time I can still work on convergence and other things.

Links September 2023

Interesting article in Wired about adversarial attacks on ML systems to get them to do things that they are explicitely programmed not to do such as describe how to make illegal drugs [1]. The most interesting part of this is that the attacks work on most GPT systems which is probably due to the similar data used to train them.

Vice has an interesting article about the Danish “Synthetic Party”, a political partyled by an AI [2]. Citizens can vote for candidates who will try to get laws passed that match the AI generated goals, there is no option of voting for an AI character. The policies they are advocating for are designed to appeal to the 20% of Danes who don’t vote. They are also trying to inspire similar parties in other countries. I think this has the potential to improve democracy.

Vice reports that in 2021 a man tried to assasinate the Queen of England with inspiration from Star Wars and an AI chat bot [3]. While someone who wants to be a real-life Sith is probably going to end up doing something bad we still don’t want to have chat bots encourage it.

Bruce Schneier wrote an interesting article about milestones for AI involvement in the political process [4].

Sam Varghese wrote an interesting article about the allegations that India is following the example of Saudi Arabia and assasinating people in other countries who disagree with their government [5]. We need to stop this.

Ian Jackson wrote an interesting blog post advocating that DKIM PRIVATE keys be rotated and PUBLISHED [6]. The idea is that if a hostile party gets access to the mailbox of someone who received private email from you then in the normal DKIM setup of keys never changing they can prove that the email is authentic when they leak it. While if you mail server publishes the old keys as Ian advocates then the hostile party can’t prove that you sent the email in question as anyone could have forged a signature. Anything that involves publishing a private key gets an immediate negative reaction but I can’t fault the logic here.

Choosing Exclusion

There is an article The Inappropriately Excluded by the Polymath Archives [1] that gets cited a lot. Mainly by Mensa types who think that their lack of success is due to being too smart.

The Main Claim is Wrong

The main claim is:
The probability of entering and remaining in an intellectually elite profession such as Physician, Judge, Professor, Scientist, Corporate Executive, etc. increases with IQ to about 133. It then falls by about 1/3 at 140. By 150 IQ the probability has fallen from its peak by 97%!

The first thing to consider is whether taking those professions is a smart thing to do. These are the types of jobs that a school career adviser would tell you are good choices for well paying jobs, but really there’s lots of professional positions that get similar pay with less demanding work. Physicians have to deal with people who are sick and patients who die – including cases where the physician needs to make a recommendation on incomplete information where the wrong choice will result in serious injury or death, there are significant benefits to being a medical researcher or doing biological engineering. Being a Judge has a high public profile and has a reasonable amount of pressure, good for status but you can probably earn more money with less work as a corporate lawyer. Being a professor is a position that is respected but which in many countries is very poorly paid. In a mid-size company executives probably get about $300k compared to $220k for middle managers and $100k-$180k for senior professional roles in the same company.

There has been research on how much happyness is increased by having more money, here is one from CBS saying that income up to $500K can increase happiness[2] which contradicts previous research suggesting that income over $75K didn’t provide much benefit. I think that part of this is determined by the conditions that you live in, if you live in a country like Australia with cheap healthcare then you won’t feel as great a need to hoard money. Another part is whether you feel obliged to compete with other people for financial status, if driving an old car of a non-prestige brand while my neighbours have new BMWs concerned me then I might desire an executive position.

I think that the smart thing to do is to get work that is relatively enjoyable, pays enough for all the essentials and some reasonable luxury, and doesn’t require excessive effort or long hours. Unless you have a great need for attention from other people then for every job with a high profile there will be several with similar salaries but less attention.

The main point of the article is that people with high IQs all want to reach the pinnacle of their career path and don’t do so because they are excluded. It doesn’t consider the possibility that smart people might have chosen the option that’s best for them. For example I’ve seen what my manager and the CIO of my company do and it doesn’t look like fun for me. I’m happy to have them earn more than me as compensation for doing things I don’t want to do.

Why is This Happening?

This section of the article starts with “Because of the dearth of objective evidence, the cause of the exclusion cannot be determined directly” which is possibly where they should have given up. Also I could have concluded this blog post with “I’m not excluded from this list of jobs that suck”, but I will continue listing problems with the article.

One claim in the article is:
Garth Zietsman has said, referring to people with D15IQs over 152, ‘A common experience with people in this category or higher is that they are not wanted – the masses (including the professional classes) find them an affront of some sort.’

The question I have is whether it’s being smart or being a jerk that “the masses” find to be an affront, I’m guessing the latter. I don’t recall seeing evidence outside high school of people inherently disliking smarter people.

The article claims that “We have no reason to conclude that this upper limit on IQ differences changes in adulthood“. Schools don’t cater well to smart kids and it isn’t good for kids to have no intellectual peers. One benefit I’ve found in the Free Software community is that there are a lot of smart people.

Regarding leadership it claims “D.K. Simonton found that persuasiveness is at its maximum when the IQ differential between speaker and audience is about 20 points“. A good counter example is Julius Sumner Miller who successfully combined science education and advertising for children’s chocolate [3]. Maybe being a little smarter than other people makes it more difficult to communicate with them but being as smart as Julius Sumner Miller can outweigh that. The article goes on to claim that the intellectual elites have an average IQ of 125 because they have to convince people who have an average IQ of 105. I think that if that 20 point difference was really a thing then you would have politicians with an IQ of 125 appointing leaders of the public service with an IQ of 145 who would then hire scientific advisers with an IQ of 165. In a corporate environment a CEO with an IQ of 125 could hire a CIO with an IQ of 145 who could then hire IT staff with an IQ of 165. If people with 165 IQs wanted to be Prime Minister or CEO that might suck for them, but if they wanted to have the most senior technical roles in public service or corporations then it would work out well. For the work I do I almost never speak to a CEO and rarely speak to anyone who regularly speaks to them, if CEOs don’t like me and won’t hire people like me then it doesn’t matter to me as I won’t meet them.

Inappropriate Educational Options

The section on “Inappropriate Educational Options” is one where I almost agree with the author. I say almost because I don’t think that schools are good for anyone. Yes schools have some particular problems for smart kids, but they also have serious problems for kids who are below average IQ, kids who have problems at home, kids who are disabled, etc. Most schools fail so many groups of kids in so many ways that the overall culture of schools can’t be functional.

Social Isolation

The section on “Social Isolation” is another where I almost agree with the author. But as with schools I think that society overall is poorly structured to support people such that people on the entire range of IQs have more difficulty in finding friends and relationships than they should. One easy change to make would be to increase the minimum wage such that one minimum wage job can support a family without working more than 35 hours a week and to set the maximum work week to something less than 40 hours Atlassian has a good blog post about the data on working weeks [4]. Wired has an article suggesting that 5 hours a day is an ideal work time for some jobs [5].

We also need improvements in public transport and city design to have less wasted time and better options for socialising.

Conclusion

The blogspot site hosting the article in question also has a very complex plan for funding a magazine for such articles [6]. The problems with that funding model start with selling “advertising” that converts to shares in a Turks & Caicos company in an attempt to circumvent securities regulations (things don’t work that way). Then it goes in to some complex formulas for where money will go. This isn’t the smart way to start a company, the smart way is to run a kickstarter with fixed rewards for specific amounts of contributions and then possibly have an offer of profit sharing with people who donate extra or something. As a general rule when doing something that’s new to you it’s a good idea to look at how others have succeeded at it in the past. Devising an experimental new way of doing something is best reserved to people who have some experience withe the more common methods.

Mentioning this may seem like an ad hominem attack, but I think it’s relevant to consider this in the context of people who score well in IQ tests but don’t do so well in other things. Maybe someone who didn’t think that they were a lot smarter than everyone else would have tried to launch a magazine in a more common way and actually had some success at it.

In a more general sense I think that people who believe that they are suffering because of being too smart are in a similar category as incels. It’s more of a psychological problem than anything else and one that they could solve for themselves.

Links August 2023

This is an interesting idea from Bruce Schneier, an “AI Dividend” paid to every person for their contributions to the input of ML systems [1]. We can’t determine who’s input was most used so sharing the money equally seems fair. It could end up as yet another justification for a Universal Basic Income.

The Long Now foundation has an insightful article about preserving digital data [2]. It covers the history of lost data and the new challenges archivists face with proprietary file formats.

Tesla gets fined for having special “Elon mode” [3], turns out that being a billionaire isn’t an exemption from road safety legislation.

Wired has an interesting article about the Olympics Destroyer malware that Russia used to attack the 2018 Olympics [4].

Wired has an interesting article about Marcus Hutchins, how he prevented a serious bot attack and how he had a history in crime when he was a teenager [5]. It’s good to see that some people can reform.

The IEEE has a long and informative article about what needs to be done to transition to electric cars [6]. It’s a lot of work and we should try and do it as fast as possible.

Linux Tech Tips has an interesting video about a new cooling system for laptops (and similar use cases for moving tens of watts from a thin space) [7]. This isn’t going to be useful for servers or desktops as big heavy heatsinks work well for them. But for something to put on top of a laptop CPU or to have several of them connected to a laptop CPU by heat pipes it could be very useful. The technology of piezo electric cooling devices is interesting on it’s own, I expect we will see more of that in future.

GPT Systems and Relationships

Sam Hartman wrote an interesting blog post about his work as a sex and intimacy educator and how GPT systems could impact that [1].

I’ve read some positive reviews of Replika – a commercial system that is somewhat promoted as a counsellor [2], so I decided to try it out. In my brief trial it seemed to be using all the methods that Android pay to play games are known for. Having multiple types of in-game currency, pay to buy new clothes etc for your friend, etc. Basically it seems pretty horrible. I didn’t pay for it and the erotic and romantic features all require payment so I didn’t test that.

When thinking about this logically, having a system designed to deal with people when they are vulnerable (either being in a romantic relationship or getting counselling) that uses manipulative techniques to get money from them can’t have a good result. So a free software system seems the best option.

When I first learned of virtual girlfriends I never thought I would feel compelled to advocate for a free software virtual dating program, but that’s where the world has got to.

Virtual girlfriends have been around for years now. Several years ago I watched a documentary about their use in Japan. It seemed a bit strange when a group of men who had virtual girlfriends had a dinner party with their tablets and phones propped up so their girlfriends could join in as they all appeared to be dating the same girl. The documentary didn’t go in to enough detail to cover whether the girlfriend app could learn or be customised enough that they would seem to have different personalities.

Virtual boyfriends have also been around for a while apparently without most people noticing. I just Googled it and found a review of a virtual boyfriend app published in 2016!

One thing that will probably concern people is the possibility for virtual dating systems to be used for inappropriate things. That is a reasonable thing to be concerned about but I don’t think it’s possible to prevent technology that has already been released from doing such things. As a general rule technology can always be used for good and bad things so we need to just make it easy to do good things and let the legal system develop ways of dealing with the bad things.

My Predictions for the Ukraine War

There are a lot of people talking about the Russian invasion of Ukraine and a lot of moving goalposts in such discussions. I think that everyone who wants to advocate for it should publish what they expect to happen and what specific things they consider as victory conditions.

When Russia first invaded I thought they would win in a matter of weeks. I underestimated the determination of the Ukrainian people and the corruption and the incompetence and corruption of the Russian military. The first time I thought that Ukraine could win was when I read an analysis of the tires on Russian military vehicles breaking because of the cheapest available tires being bought and then not stored correctly to avoid damage, which led to the long stalled convoy. A successful military campaign requires many more difficult tasks than buying good tires and maintaining them correctly. An army that is too corrupt to buy the bare minimum of usable equipment and too incompetent to adapt to failures is not going to do well.

The Ukrainians have done very well with the equipment available, one example is their use of off the shelf drones for dropping grenades into armoured vehicles and for targeting artillery. While the Russians have responded by buying Iranian military drones because they lack the industrial capacity to make their own ones. From the time when the Russians first got bogged down the Ukrainians have been mostly retaking their territory slowly and steadily.

The Russians started the invasion with a significant advantage in aircraft, armoured vehicles, artillery, and ammunition. This advantage has been significantly decreased due to losses of vehicles and artillery, high rates of ammunition use, and Ukrainian capture of Russian equipment. The Ukrainians are getting new vehicles, aircraft, artillery, and ammunition from western countries while sanctions are preventing Russians from importing or manufacturing much.

Currently one important factor for Russia is the ability of their airforce to attack Ukrainian positions while out of range of Ukrainian air defence systems. The MANPAD systems are good for close support but not good for long range. A problem that the Russians will have in the long term is running out of spare parts and being unable to properly maintain aircraft. This will result in loss of aircraft due to accidents and the inability to repair aircraft that has even minor damage.

Here are my specific predictions:

  1. I predict that by the end of 2023 Russia will have a much smaller number of military aircraft through maintenance problems even if Ukraine doesn’t get long-range SAM systems.
  2. I predict that by mid 2024 Ukraine will have air superiority. They will destroy many Russian SAM systems and be able to bomb Russian targets with little risk.
  3. I predict that Russia won’t impose any significant new conscription programs on their population. Such programs are extremely unpopular and Russia doesn’t have the industrial capacity to equip a larger army as they can’t properly equip their current army.
  4. Currently Ukraine is making slow but steady progress in retaking their territory in the East. I predict that before the end of 2023 they will have cut all supply lines to Crimea from the mainland by having artillery that can accurately cover all the distance to the coast of the Sea of Azov. I also predict that the bridge over the Kerch strait will be mostly unusable from now on (on average less than 1/3 the bridge capacity usable). As fast as the Russians can repair it the Ukrainians will bomb it again. At most they will have half of the road lanes available to cars and will be unable to transport any significant amount of military equipment.
  5. Due to Russians lacking supplies I predict that Ukraine will recapture at least half the Crimean land area by the end of 2023.
  6. The regions of Luhansk and Donetsk will be the most difficult to capture as they have been held the longest. I predict that the war will not end until Ukraine controls everything within their 2013 borders including Luhansk and Donetsk. The final victory may happen due to the Russian military collapsing or due to a new Russian government ordering a withdrawal.
  7. I predict that Russia will make significant efforts to help Trump get elected in 2024. But even if they succeed it will be too late for him to help them much or change the outcome.
  8. I predict that Ukraine will win this war before the end of 2025. Even if some of my other predictions turn out to be incorrect I predict that by the end of 2025 the military forces of Russia and Ukraine will not be fighting and that it will be because Ukraine has given the Russian military a proper spanking. If something like the “Troubles” in Ireland happens (which is a real possibility) that doesn’t count as a war.
  9. I predict that Ukraine will not deploy any significant attack inside Russian territory. They will launch small scale attacks on specific military targets but do nothing that the Russian population might consider to be full scale war.
  10. I predict that Putin will not lead Russia 2 months after Ukraine recaptures all their territory. He may not live for long after Ukraine wins, or the Russian withdrawal might happen because Putin dies of apparently natural causes.
  11. After the war I predict that Ukraine will control all their territory from 2013 and there will be a demilitarised zone or no-fly zone in Russian territory.
  12. I predict that after the war some parts of the Russian Federation will break free. There are many different groups who would like to be free of Russia and Ukraine destroying most of the Russian military will make things easy for them. A Russian civil war is a possibility.
  13. I predict that the US will give minimal support to Russia after the war as a strategic plan to block China. I predict that the quality and efficacy of such support will be comparable to the US actions in the Middle East.

I welcome comments disagreeing with this. But please make specific predictions that can be tested and sign your name to them. If you don’t think that a certain event will happen when I predict it then provide a date when you think it will happen or a date by which the opposite will have happened. Also please show enough confidence to make multiple predictions. I’ve made 12 specific predictions, if you think I’m doing badly then make at least 3 specific competing predictions. If you think that Russia will “win” then define what a “win” means in terms of territory occupied when fighting between armies ends and when that will happen. Also if you think that Russia will win then please make a prediction about whether there will be a Ukrainian equivalent of the IRA and if so what they will do.

Links July 2023

Phys.org has an interesting article about finding evidence for nanohertz gravity waves [1]. 1nano-Herz is a wavelength of 31.7 light years!

Wired has an interesting story about OpenAI saying that no further advances will be made with larger training models [2].

Bruce Schneier and Nathan Sanders wrote an insightful article about the need for government run GPT type systems [3]. He focuses on the US, but having other countries/groups of countries do it would be good too. We could have a Chinese one, an EU one, etc. I don’t think it would necessarily make sense for a small country like Australia to have one – but it would make a lot more sense than having nuclear submarines (which are much more expensive).

The Roadmap project is a guide for learning new technologies [4]. The content seems quite good.

Bigthink has an informative and darkly amusing article Horror stories of cryonics: The gruesome fates of futurists hoping for immortality [5].

From this month in Australia psilocybin (active ingredient in Magic Mushrooms) can be prescribed for depression and MDMA (known as Ecstacy on the streets) can be prescribed for PTSD [6]. That’s great news!

Slate has an interesting article about the Operation Underground Railroad organisation that purports to help sex trafficed chilren [7]. This is noteworthy now with the controverst over the recent movie about that. Apparently they didn’t provide much help for kids after they had been “rescued” and at least some of the kids were “trafficed” specifically to fulfill the demand that they created by offering to pay for it. Vigilantes aren’t as effective as law enforcement.

The ACCC is going to prevent Apple and Google from forcing app developers to give them a share of in-app purchases in Australia [8]. We need this in every country!

This site has links to open source versions of proprietary games [9].

Vice has an interesting article about the Hungarian neuroscientist Viktor Tóth who taught rats to play Doom 2 [10]. The next logical step is to have mini tanks that they can use in real battlefields. Like the “Mason’s Rats” episode of “Love Death and Robots” on Netflix.

Brian Krebs wrote a mind boggling pair of blog posts about the Ashley Adison hack [11]. A Jewish disgruntled ex-employee sending anti-semitic harassment to the Jewish CEO and maybe cooperating with anti-semitic organisations to harass him is one of the people involved, but he killed himself (due to mental health problems) before the hack took place.

Long Now has an insightful blog post about digital avatars being used after the death of the people they are based on [12].

Tavis Ormandy’s description of the zenbleed bug is interesting [13]. The technique for finding the bug is interesting as well as the information on how the internals of the CPUs in question work. I don’t think this means AMD is bad, trying to deliver increasing performance while limited by the laws of physics is difficult and mistakes are sometimes made. Let’s hope the microcode updates are well distributed.

The Hacktivist documentary about Andrew “Bunnie” Huang is really good [14].

Bunnie’s lecture about supply chain attacks is worth watching [15]. Most descriptions of this issue don’t give nearly as much information. However bad you thought this problem was, after you watch this lecture you will realise it’s worse than that!

Matrix

Introduction

In 2020 I first setup a Matrix [1] server. Matrix is a full featured instant messaging protocol which requires a less stringent definition of “instant”, messages being delayed for minutes aren’t that uncommon in my experience. Matrix is a federated service where the servers all store copies of the room data, so when you connect your client to it’s home server it gets all the messages that were published while you were offline, it is widely regarded as being IRC but without a need to be connected all the time. One of it’s noteworthy features is support for end to end encryption (so the server can’t access cleartext messages from users) as a core feature.

Matrix was designed for bridging with other protocols, the most well known of which is IRC.

The most common Matrix server software is Synapse which is written in Python and uses a PostgreSQL database as it’s backend [2]. My tests have shown that a lightly loaded Synapse server with less than a dozen users and only one or two active users will have noticeable performance problems if the PostgreSQL database is stored on SATA hard drives. This seems like the type of software that wouldn’t have been developed before SSDs became commonly affordable.

The matrix-synapse is in Debian/Unstable and the backports repositories for Bullseye and Buster. As Matrix is still being very actively developed you want to have a recent version of all related software so Debian/Buster isn’t a good platform for running it, Bullseye or Bookworm are the preferred platforms.

Configuring Synapse isn’t really hard, but there are some postential problems. The first thing to do is to choose the DNS name, you can never change it without dropping the database (fresh install of all software and no documented way of keeping user configuration) so you don’t want to get it wrong. Generally you will want the Matrix addresses at the top level of the domain you choose. When setting up a Matrix server for my local LUG I chose the top level of their domain luv.asn.au as the DNS name for the server.

If you don’t want to run a server then there are many open servers offering free account.

Server Configuration

Part of doing this configuration required creating the URL https://luv.asn.au/.well-known/matrix/client with the following contents so clients know where to connect. Note that you should not setup Jitsi sections without first discussing it with the people who run the Jitsi server in question.

{
  "m.homeserver": {
    "base_url": "https://luv.asn.au"
  }
  "jitsi": {
    "preferredDomain": "jitsi.perthchat.org"
  }
  "im.vector.riot.jitsi": {
    "preferredDomain": "jitsi.perthchat.org"
  }
}

Also the URL https://luv.asn.au/.well-known/matrix/server for other servers to know where to connect:

{
  "m.server": "luv.asn.au:8448"
}

If the base_url or the m.server points to a name that isn’t configured then you need to add it to the web server configuration. See section 3.1 of the documentation about well known Matrix client fields [3].

The SE Linux specific parts of the configuration are to run the following commands as Bookworm and Bullseye SE Linux policy have support for Synapse:

setsebool -P httpd_setrlimit 1
setsebool -P httpd_can_network_relay 1
setsebool -P matrix_postgresql_connect 1

To configure apache you have to enable proxy mode and SSL with the command “a2enmod proxy ssl proxy_http” and add the line “Listen 8443” to /etc/apache2/ports.conf and restart Apache.

The command “chmod 700 /etc/matrix-synapse” should probably be run to improve security, there’s no reason for less restrictive permissions on that directory.

In the /etc/matrix-synapse/homeserver.yaml file the macaroon_secret_key is a random key for generating tokens.

To use the matrix.org server as a “trusted key server” and not receive warnings put the following line in the config file:

suppress_key_server_warning: true

A line like the following is needed to configure the baseurl:

public_baseurl: https://luv.asn.au:8448/

To have Synapse directly accept port 8448 connections you have to change bind_addresses in the first section of listeners to the global listen IPv6 and IPv4 addresses.

The registration_shared_secret is a password for adding users. When you have set that you can write a shell script to add new users such as:

#!/bin/bash
# usage: matrix_new_user USER PASS

synapse_register_new_matrix_user -u $1 -p $2 -a -k THEPASSWORD

You need to set tls_certificate_path and tls_private_key_path to appropriate values, usually something like the following:

tls_certificate_path: "/etc/letsencrypt/live/www.luv.asn.au-0001/fullchain.pem"
tls_private_key_path: "/etc/letsencrypt/live/www.luv.asn.au-0001/privkey.pem"

For the database section you need something like the following which matches your PostgreSQL setup:

  name: "psycopg2"
  args:
    user: WWWWWW
    password: XXXXXXX
    database: YYYYYYY
    host: ZZZZZZ
    cp_min: 5
    cp_max: 10

You need to run psql commands like the following to set it up:

create role WWWWWW login password 'XXXXXXX';
create database YYYYYYY with owner WWWWWW ENCODING 'UTF8' LOCALE 'C' TEMPLATE 'template0';

For the Apache configuration you need something like the following for the port 8448 web server:

<VirtualHost *:8448>
  SSLEngine on
...
  ServerName luv.asn.au;

  AllowEncodedSlashes NoDecode
  ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
  ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
  AllowEncodedSlashes NoDecode
  ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
  ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
</VirtualHost>

Also you must add the ProxyPass section to the port 443 configuration (the server that is probably doing other more directly user visible things) for most (all?) end-user clients:

  ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon

This web page can be used to test listing rooms via federation without logging in [4]. If it gives the error “Can’t find this server or its room list” then you must set allow_public_rooms_without_auth and allow_public_rooms_over_federation to true in /etc/matrix-synapse/homeserver.yaml.

The Matrix Federation Tester site [5] is good for testing new servers and for tests after network changes.

Clients

The Element (formerly known as Riot) client is the most common [6]. The following APT repository will allow you to install Element via “apt install element-desktop” on Debian/Buster.

deb https://packages.riot.im/debian/ default main

The Debian backports repository for Buster has the latest version of Quaternion, “apt install quaternion” should install that for you. Quaternion doesn’t support end to end encryption (E2EE) and also doesn’t seem to have good support for some other features like being invited to a room.

My current favourite client is Schildi Chat on Android [7], which has a notification message 24*7 to reduce the incidence of Android killing it. Eventually I want to go to PinePhone or Librem 5 for all my phone use so I need to find a full featured Linux client that works on a small screen.

Comparing to Jabber

I plan to keep using Jabber for alerts because it really does instant messaging, it can reliably get the message to me within a matter of seconds. Also there are a selection of command-line clients for Jabber to allow sending messages from servers.

When I first investigated Matrix there was no program suitable for sending messages from a script and the libraries for the protocol made it unreasonably difficult to write one. Now there is a Matrix client written in shell script [8] which might do that. But the delay in receiving messages is still a problem. Also the Matrix clients I’ve tried so far have UIs that are more suited to serious chat than to quickly reading a notification message.

Bridges

Here is a list of bridges between Matrix and other protocols [9]. You can run bridges yourself for many different messaging protocols including Slack, Discord, and Messenger. There are also bridges run for public use for most IRC channels.

Here is a list of integrations with other services [10], this is for interacting with things other than IM systems such as RSS feeds, polls, and other things. This also has some frameworks for writing bots.

More Information

The Debian wiki page about Matrix is good [11].

The view.matrix.org site allows searching for public rooms [12].

Sandboxing Phone Apps

As a follow up to Wayland [1]:

A difficult problem with Linux desktop systems (which includes phones and tablets) is restricting application access so that applications can’t mess with each other’s data or configuration but also allowing them to share data as needed. This has been mostly solved for Android but that involved giving up all “legacy” Linux apps. I think that we need to get phones capable of running a full desktop environment and having Android level security on phone apps and regular desktop apps. My interest in this is phones running Debian and derivatives such as PureOS. But everything I describe in this post should work equally well for all full featured Linux distributions for phones such as Arch, Gentoo, etc and phone based derivatives of those such as Manjaro. It may be slightly less applicable to distributions such as Alpine Linux and it’s phone derivative PostmarketOS, I would appreciate comments from contributors to PostmarketOS or Alpine Linux about this.

I’ve investigated some of the ways of solving these problems. Many of the ways of doing this involves namespaces. The LWN articles about namespaces are a good background to some of these technologies [2].

The LCA keynote lecture Containers aka crazy user space fun by Jess Frazelle has a good summary of some of the technology [3]. One part that I found particularly interesting was the bit about recognising the container access needed at compile time. This can also be part of recognising bad application design at compile time, it’s quite common for security systems to flag bad security design in programs.

Firejail

To sandbox applications you need to have some method of restricting what they do, this means some combination of namespaces and similar features. Here’s an article on sandboxing with firejail [4]. Firejail uses namespaces, seccomp-bpf, and capabilities to restrict programs. It allows bind mounts if run as root and if not run as root it can restrict file access by name and access to networking, system calls, and other features. It has a convenient learning mode that generates policy for you, so if you have a certain restricted set of tasks that an application is to perform you can run it once and then force it to do only the same operations in future. I recommend that everyone who is still reading at this point try out firejail. Here’s an example of what you can do:

# create a profile
firejail --build=xterm.profile xterm
# now this run can only do what the previous run did
firejail --profile=xterm.profile xterm

Note that firejail is SETUID root so can potentially reduce system security and it has had security issues in the past. In spite of that it can be good for allowing a trusted user to run programs with less access to the system. Also it is a good way to start learning about such things. I don’t think it’s a good solution for what I want to do. But I won’t rule out the possibility of using it at some future time for special situations.

Bubblewrap

I tried out firejail with the browser Epiphany (Debian package epiphany-browser) on my Librem5, but that didn’t work as Epiphany uses /usr/bin/bwrap (bubblewrap) for it’s internal sandboxing (here is an informative blog post about the history of bubblewrap AKA xdg-app-helper which was developed as part of flatpak [5]). The Epiphany bubblewrap sandbox is similar to the situation with Chrome/Chromium which have internal sandboxing that’s incompatible with firejail. The firejail man page notes that it’s not compatible with Snap, Flatpack, and similar technologies. One issue this raises is that we can’t have a namespace based sandboxing system applied to all desktop apps with no extra configuration as some desktop apps won’t work with it.

Bubblewrap requires setting kernel.unprivileged_userns_clone=1 to run as non-root (IE provide the normal and expected functionality) which potentially reduces system security. Here is an example of a past kernel bug that was exploitable by creating a user namespace with CAP_SYS_ADMIN [6]. But it’s the default in recent Debian kernels which means that the issues have been reviewed and determined to be a reasonable trade-off and also means that many programs will use the feature and break if it’s disabled.

Here is an example of how to use Bubblewrap on Debian, after installing the bubblewrap run the following command. Note that the –new-session option (to prevent injecting characters in the keyboard buffer with TIOCSTI) makes the session mostly unusable for a shell.

bwrap --ro-bind /usr /usr --symlink usr/lib64 /lib64 --symlink usr/lib /lib --proc /proc --dev /dev --unshare-pid --die-with-parent bash

Here is an example of using Bubblewrap to sandbox the game Warzone2100 running with Wayland/Vulkan graphics and Pulseaudio sound.

bwrap --bind $HOME/.local/share/warzone2100 $HOME/.local/share/warzone2100 --bind /run/user/$UID/pulse /run/user/$UID/pulse --bind /run/user/$UID/wayland-0 /run/user/$UID/wayland-0 --bind /run/user/$UID/wayland-0.lock /run/user/$UID/wayland-0.lock --ro-bind /usr /usr --symlink usr/bin /bin --symlink usr/lib64 /lib64 --symlink usr/lib /lib --proc /proc --dev /dev --unshare-pid --dev-bind /dev/dri /dev/dri --ro-bind $HOME/.pulse $HOME/.pulse --ro-bind $XAUTHORITY $XAUTHORITY --ro-bind /sys /sys --new-session --die-with-parent warzone2100

Here is an example of using Bubblewrap to sandbox the Debian bug reporting tool reportbug

bwrap --bind /tmp /tmp --ro-bind /etc /etc --ro-bind /usr /usr --ro-bind /var/lib/dpkg /var/lib/dpkg --symlink usr/sbin /sbin --symlink usr/bin /bin --symlink usr/lib64 /lib64 --symlink usr/lib /lib --symlink /usr/lib32 /lib32 --symlink /usr/libx32 /libx32 --proc /proc --dev /dev --die-with-parent --unshare-ipc --unshare-pid reportbug

Here is an example shell script to wrap the build process for Debian packages. This needs to run with –unshare-user and specifying the UID as 0 because fakeroot doesn’t work in the container, I haven’t worked out why but doing it through the container is a better method anyway. This script shares read-write the parent of the current directory as the Debian build process creates packages and metadata files in the parent directory. This will prevent the automatic signing scripts which is a feature not a bug, so after building packages you have to sign the .changes file with debsign. One thing I just learned is that the Debian build system Sbuild can use chroots for building packages for similar benefits [7]. Some people believe that sbuild is the correct way of doing it regardless of the chroot issue. I think it’s too heavy-weight for most of my Debian package building, but even if I had been convinced I’d still share the information about how to use bwrap as Debian is about giving users choice.

#!/bin/bash
set -e

BUILDDIR=$(realpath $(pwd)/..)
exec bwrap --bind /tmp /tmp --bind $BUILDDIR $BUILDDIR --ro-bind /etc /etc --ro-bind /usr /usr --ro-bind /var/lib/dpkg /var/lib/dpkg --symlink usr/bin /bin --symlink usr/lib64 /lib64 --symlink usr/lib /lib --proc /proc --dev /dev --die-with-parent --unshare-user --unshare-ipc --unshare-net --unshare-pid --new-session --uid 0 --gid 0 $@

Here is an informative blog post about using Bubblewrap with Seccomp (BPF) [8]. In a future post I’ll write about how to get this sort of thing going but I’ll just leave the URL here for people who want to do it on their own.

The source for the flatpak-run program is the only example I could find of using Seccomp with Bubblewrap [9]. A lot of that code is worth copying for application sandboxing, maybe the entire program.

Unshare

The unshare command from the util-linux package has a large portion of the Bubblewrap functionality. The things that it doesn’t do like creating a new session can be done by other utilities. Here is an example of creating a container with unshare and then using cgroups with it [10].

systemd --user

Recent distributions have systemd support for running a user session, the Arch Linux Wiki has a good description of how this works [11]. The units for a user are .service files stored in /usr/lib/systemd/user/ (distribution provided), ~/.local/share/systemd/user/ (user installed applications – in debian a link to ~/.config/systemd/user/), ~/.config/systemd/user/ (for manual user config), and /etc/systemd/user/ (local sysadmin provided)

Here are some example commands for manipulating this:

# show units running for the current user
systemctl --user
# show status of one unit
systemctl --user status kmail.service
# add an environment variable to the list for all user units
systemctl --user import-environment XAUTHORITY
# start a user unit
systemctl --user start kmail.service
# analyse security for all units for the current user
systemd-analyze --user security
# analyse security for one unit
systemd-analyze --user security kmail.service

Here is a test kmail.service file I wrote to see what could be done for kmail, I don’t think that kmail is the app most needing to be restricted it is in more need of being protected from other apps but it still makes a good test case. This service file took it from the default risk score of 9.8 (UNSAFE) to 6.3 (MEDIUM) even though I was getting the error “code=exited, status=218/CAPABILITIES” when I tried anything that used capabilities (apparently due to systemd having some issue talking to the kernel).

[Unit]
Description=kmail

[Service]
ExecStart=/usr/bin/kmail

# can not limit capabilities (code=exited, status=218/CAPABILITIES)
#CapabilityBoundingSet=~CAP_SYS_TIME CAP_SYS_PACCT CAP_KILL CAP_WAKE_ALARM CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_MODULE CAP_SYS_TTY_CONFIG CAP_SYS_BOOT CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_MKNOD CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_NICE CAP_SYS_RESOURCE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_ADMIN CAP_SYSLOG

# also 218 for ProtectKernelModules PrivateDevices ProtectKernelLogs ProtectClock

# MemoryDenyWriteExecute stops it displaying message content (bad)

# needs @resources and @mount to startup
# needs @privileged to display message content
SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete
SystemCallArchitectures=native
UMask=077
NoNewPrivileges=true
ProtectControlGroups=true
PrivateMounts=false
RestrictNamespaces=~user pid net uts mnt cgroup ipc

RestrictSUIDSGID=true
ProtectHostname=true
LockPersonality=true
ProtectKernelTunables=true
RestrictAddressFamilies=~AF_PACKET
RestrictRealtime=true

ProtectSystem=strict
ProtectProc=invisible
PrivateUsers=true

[Install]

When I tried to use the TemporaryFileSystem=%h” directive (to make the home directory a tmpfs – the most basic step in restricting what a regular user application can do) I got the error “(code=exited, status=226/NAMESPACE)”. So I don’t think the “systemd –user” setup competes with bubblewrap for restricting user processes. But if anyone else can start where I left off and go further then that will be interesting.

Systemd-run

The following shell script runs firefox as a dynamic user via systemd-run, running this asks for the root password and any mechanism for allowing that sort of thing opens potential security holes. So at this time while it’s an interesting feature I don’t think it is suitable for running regular applications on a phone or Linux desktop.

#!/bin/bash
# systemd-run Firefox with DynamicUser and home directory.
#
# Run as a non-root user.
# Or, run as root and change $USER below.
SANDBOX_MINIMAL=(
    --property=DynamicUser=1
    --property=StateDirectory=openstreetmap
    # --property=RootDirectory=/debian_sid
)
SANDBOX_X11=(
    # Sharing Xorg always defeats security, regardless of any sandboxing tech,
    # but the config is almost ready for Wayland, and there's Xephyr.
#    --property=LoadCredential=.ICEauthority:/home/$USER/.ICEauthority
    --property=LoadCredential=.Xauthority:/home/$USER/.Xauthority
    --property=Environment=DISPLAY=:0
)
SANDBOX_FIREFOX=(
    # hardware-accelerated rendering
    --property=BindPaths=/dev/dri
    # webcam
    # --property=SupplementaryGroups=video
)
systemd-run  \
    "${SANDBOX_MINIMAL[@]}"  "${SANDBOX_X11[@]}" "${SANDBOX_FIREFOX[@]}" \
    bash -c '
        export XAUTHORITY="$CREDENTIALS_DIRECTORY"/.Xauthority
        export ICEAUTHORITY="$CREDENTIALS_DIRECTORY"/.ICEauthority
        export HOME="$STATE_DIRECTORY"/home
        firefox --no-remote about:blank
    '

Qubes OS

Here is an interesting demo video of QubesOS [12] which shows how it uses multiple VMs to separate different uses. Here is an informative LCA presentation about Qubes which shows how it asks the user about communication between VMs and access to hardware [13]. I recommend that everyone who hasn’t seen Qubes in operation watch the first video and everyone who isn’t familiar with the computer science behind it watch the second video. Qubes appears to be a free software equivalent to NetTop as far as I can tell without ever being able to use NetTop.

I don’t think Qubes is a good match for my needs in general use and it definitely isn’t a good option for phones (VMs use excessive CPU on phones). But it’s methods for controlling access have some ideas that are worth copying.

File Access – XDG Desktop Portal

One core issue for running sandboxed applications is to allow them to access files permitted by the user but no other files. There are two main parts to this problem, the easier one is to have each application have it’s own private configuration directory which can be addressed by bind mounts, MAC systems, running each application under a different UID or GID, and many other ways.

The hard part of file access is to allow the application to access random files that the user wishes. For example I want my email program, IM program, and web browser to be able to save files and also to be able to send arbitrary files via email, IM, and upload to web sites. But I don’t want one of those programs to be able to access all the files from the others if it’s compromised. So only giving programs access to arbitrary files when the user chooses such a file makes sense.

There is a package xdg-desktop-portal which provides a dbus interface for opening files etc for a sandboxed application [14]. This portal has backends for KDE, GNOME, and Wayland among others which allow the user to choose which file or files the application may access. Chrome/Chromium is one well known program that uses the xdg-desktop-portal and does it’s own sandboxing. To use xdg-desktop-portal an application must be modified to use that interface instead of opening files directly, so getting this going with all Internet facing applications will take some work. But the documentation notes that the portal API gives a consistent user interface for operations such as opening files so it can provide benefits even without a sandboxed environment.

This technology was developed for Flatpak and is now also used for Snap. It also has a range of APIs for accessing other services [15].

Flatpak

Flatpack is a system for distributing containerised versions of applications with some effort made to improve security. Their development of bubblewrap and xdg-desktop-portal is really good work. However the idea of having software packaged with all libraries it needs isn’t a good one, here’s a blog post covering some of the issues [16].

The web site flatkill.org has been registered to complain about some Flatpak problems [17]. They have some good points about the approach that Flatpak project developers have taken towards some issues. They also make some points about the people who package software not keeping up to date with security fixes and not determining a good security policy for their pak. But this doesn’t preclude usefully using parts of the technology for real security benefits. If parts of Flatpak like Bubblewrap and xdg-portal are used with good security policies on programs that are well packaged for a distribution then these issues would be solved.

The Flatpak app author’s documentation about package requirements [18] has an overview of security features that is quite reasonable. If most paks follow that then it probably isn’t too bad. I reviewed the manifests of a few of the recent paks and they seemed to have good settings. In the amount of time I was prepared to spend investigating this I couldn’t find evidence to support the Flatkill claim about Flatpaks granting obviously inappropriate permissions. But the fact that the people who run Flathub decided to put a graph of installs over time on the main page for each pak while making the security settings only available by clicking the “Manifest” github link, clicking on a JSON or YAML file, and then searching for the right section in that shows where their priorities lie.

The finish-args section of the Flatpak manifest (the section that describes the access to the system) seems reasonably capable and not difficult for users to specify as well as being in common use. It seems like it will be easy enough to take some code from Flatpak for converting the finish-args into Bubblewrap parameters and then use the manifest files from Flathub as a starting point for writing application security policy for Debian packages.

Snap

Snap is developed by Canonical and seems like their version of Flatpak with some Docker features for managing versions, the Getting Started document is worth reading [19]. They have Connections between different snaps and the system where a snap registers a “plug” that connects to a “socket” which can be exposed by the system (EG the camera socket) or another snap. The local admin can connect and disconnect them. The connections design reminds me of the Android security model with permitting access to various devices.

The KDE Neon extension [20] has been written to add Snap support to KDE. Snap seems quite usable if you have an ecosystem of programs using it which Canonical has developed. But it has all the overheads of loopback mounts etc that you don’t want on a mobile device and has the security issues of libraries included in snaps not being updated.

A quick inspection of an Ubuntu 22.04 system I run (latest stable release) has Firefox 114.0.2-1 installed which includes libgcrypt.so.20.2.5 which is apparently libgcrypt 1.8.5 and there are CVEs relating to libgcrypt versions before 1.9.4 and 1.8.x versions before 1.8.8 which were published in 2021 and updated in 2022. Further investigation showed that libgcrypt came from the gnome-3-38-2004 snap (good that it doesn’t require all shared objects to be in the same snap, but that it has old versions in dependencies). The gnome-3-38-2004 snap is the latest version so anyone using the Snap of Firefox seems to have no choice but to have what appears to be insecure libraries.

The “strict” mode means that the Snap in question has no system access other than through interfaces [21].

SE Linux and Apparmor

The Librem5 has Apparmor running by default. I looked into writing Apparmor policy to prevent Epiphany from accessing all files under the home directory, but that would be a lot of work. Also at least one person has given up on maintaining an Epiphany profile for Apparmor because it changes often and it’s sandbox doesn’t work well with Apparmor [22]. This was not a surprise to me at all, SE Linux policy has the same issues as Apparmor in this regard.

The Ubuntu Security Team Application Confinement document [23] is worth reading. They have some good plans for using AppArmor as part of solving some of these problems. I plan to use SE Linux for that.

Slightly Related Things

One thing for the future is some sort of secure boot technology, the LCA lecture “Becoming a tyrant: Implementing secure boot in embedded devices” [24] has some ideas for the future.

The Betrusted project seems really interesting, see Bunnie’s lecture about how to create a phone size security device with custom OS [25]. The Betrusted project web page is worth reading too [26]. It would be ironic to have a phone as your main PC that is the same size as your security device, but that seems to be the logical solution to several computing problems.

Whonix is a Linux distribution that has one VM for doing Tor stuff and another VM for all other programs which is only allowed to have network access via the Tor VM [27].

Xpra does for X programs what screen/tmux do for text mode programs [28]. It allows isolating X programs from each other in ways that are difficult to impossible with a regular X session. In an ideal situation we could probably get the benefits we need with just using Wayland, but if there are legacy apps that only have X support this could help.

Conclusion

I think that currently the best option for confining desktop apps is Bubblewrap on Wayland. Maybe with a modified version of Flatpak-run to run it and with app modifications to use the xdg-portal interfaces as much as possible. That should be efficient enough in storage space, storage IO performance, memory use, and CPU use to run on phones while giving some significant benefits.

Things to investigate are how much code from Flatpak to use, how to most efficiently do the configuration (maybe the Flatpak way because it’s known and seems effective), how to test this (and have regression tests), and what default settings to use. Also BPF is a big thing to investigate.

Links June 2023

Tablet Magazine has an interesting article about Jewish men who fought in the military for Nazi Germany [1]. I’m surprised that they didn’t frag their colleagues.

Dropbox has an insightful interview with a lawyer about the future of machine learning in the legal profession [2]. This seems like it could give real benefits to society in giving legal assistance to more people and giving less uncertainty about the result of court cases. It could also find unclear laws for legislators who want to improve things.

Some people have started a software to produce a free software version of Victoria 2 [3]. Hopefully OpenVic will become as successful as FreeCiv and FreeCraft!

Hackster has an interesting article about work to create a machine that does a realistic impersonation of someone’s handwriting [4]. The aim is to be good enough to fool people who want manually written assignments.

Ars technica has an interesting article about a side channel attack using the power LEDs of smart-card readers to extract cryptographic secret key data [5]. As usual for articles about side channels it turns out to be really hard to do and their proof of concept involved recording a card being repeatedly scanned for an hour. This doesn’t mean it’s a non-issue, they should harden readers against this.

Vice has an interesting article on the search for chemical remnants of ancient organisms in 1.6 billion year old fossils [6].

Bleeping Computer has an interesting article about pirate Windows 10 ISOs infecting systems with EFI malware [7]. That’s a particularly nasty attack and shows yet another down-side to commercial software. For Linux the ISOs are always clean and the systems aren’t contaminated.

The Register has an interesting article about a robot being used for chilled RAM attacks to get access to boot time secrets [8]. They monitor EMF output to stop it at the same time in each boot which I consider the most noteworthy part of this attack.

The BBC has an interesting article about personalised medicine [9]. There are 400 million people in the world with rare diseases and an estimated 60 million of them will die before the age of 5. Personalised medicine can save many lives. Let’s hope it is used outside the first world.

Knuth’s thoughts about ChatGPT are interesting [10].

Interesting article about Brown M&Ms and assessing the likely quality of work from a devops team [11].

The ABC has an interesting article about the use of AI and robot traps to catch feral cats [12].