Get yarn to output emoji/icons on non-Mac platforms

By default, the cute magnifying glass, truck, link, etc., emoticons shown as a part of yarn’s output in most samples only appear on OS X.

In recent versions of yarn, this can be forced on non-Mac by running:

yarn config set -- --emoji true

In most non-Mac terminals, the emojis display in monochrome.

Conversely, these icons can be disabled (on any platform) with yarn config set -- --emoji false.

CyanogenMod 13 Nightly: SetupWizard has stopped working.

I have a OnePlus One and recently upgraded to CM 13 Nightly. After flashing the full version of the 6.0 Gapps listed on the CM wiki, an error that read “SetupWizard has stopped working” occurred in an infinite loop and prevented me from doing anything on the phone.

logcat reports this error:

12-01 15:51:06.145 7860 7860 E AndroidRuntime: FATAL EXCEPTION: main
12-01 15:51:06.145 7860 7860 E AndroidRuntime: Process: com.google.android.setupwizard, PID: 7860
12-01 15:51:06.145 7860 7860 E AndroidRuntime: java.lang.RuntimeException: Unable to create application com.google.android.setupwizard.SetupWizardApplication: java.lang.SecurityException: addOnSubscriptionsChangedListener: Neither user 10002 nor current process has android.permission.READ_PHONE_STATE.

To fix this, run adb shell and enter:

pm grant com.google.android.setupwizard android.permission.READ_PHONE_STATE

The process will stop crashing and you’ll be able to use your phone again. This is most likely a bug in the GApps package being distributed, since it’s supposed to flip the necessary permissions bits after installation.

Ubuntu 14.04+ can’t connect to some servers

Some servers have trouble talking to Ubuntu 14.04+. This is because OpenSSL 1.0.1g, which included a patch to use a different TLS padding value, was not packaged for Ubuntu; OpenSSL security fixes have been backported to Ubuntu’s 1.0.1f since then. The patch in question bears this commit manifest:

commit 6411b83e52fdfd0d3563d50a4dc00838b142fb2c
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Apr 5 20:43:54 2014 +0100

Set TLS padding extension value.

Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)

Conflicts:

CHANGES

It seems that some MS IIS servers are configured to reject TLS connections that advertise a particular version and do not use this new padding spec, probably in an attempt to mitigate the POODLE attack. Interestingly, OpenSSL 1.0.1a still seems to work.

This problem will often manifest as a hung connection on SSL protocol negotiation, or an error stating that there was an unknown SSL protocol error. It can be worked around without patches by manually specifying the cipher on the commandline.

Rails inserts BLOB data into field with expected TEXT type

Encountering this on Rails 4.0.1 on Ruby 1.9.3. This happens because ActiveRecord sees the data you’re inserting as binary. It’s a string encoding issue.

In my particular case, the problem arose from sending the output of Digest::MD5.hexdigest() (disclaimer: do not use MD5 in security-sensitive applications) directly to the ORM for handling. There is a bug in Rubies < 2.0.0 that renders the output of hexdigest as ASCII-8BIT instead of US-ASCII. ASCII-8BIT is interpreted by many gems, including ActiveRecord, as binary data.

Thankfully, the workaround is quite simple. Just tack on a force_encoding call after your hexdigest and you should be good, like so:

Digest::MD5.hexdigest("data").force_encoding(Encoding::US_ASCII)

This will return the hexdigest string in a format widely interpreted as text data, and ActiveRecord, YAML, and other gems will begin handling the string as expected.

Once again, this workaround is not necessary on Ruby >= 2.0.0, which already contains a patch for the Digest gems that specifies the correct encoding. Therefore, an alternate solution is to upgrade to Ruby >= 2.0.0, or compile a Ruby that contains the resolving patch.

PSA: Tor exposes all traffic by design. Do NOT use it for normal web browsing.

As news of PRISM and other top-secret domestic surveillance programs has been reported, many Americans have sought out means to prevent the government’s prying eyes from gaining access to their data. One of the most frequently cited methods of circumvention is Tor. NPR’s Science Friday, for instance, spoke about Tor as a potential PRISM circumvention on July 12, and the Tor Browser Bundle is one of the first things promoted on PRISM Break.

This is very bad. Tor should not, I repeat, NOT, be used as a default wrapper for one’s browsing traffic. I’ve had to stop several friends from making this mistake after being misled by pseudo-technical sources, and now I’m here to stop you.

This is not about a flaw in the Tor protocol; rather, it is a correction of the myth that Tor can protect your conversations from random listeners. This belief is in fact the opposite of the truth; using Tor guarantees that at least one random party will have full access to all packets in both directions going over a specific node chain, because Tor is about hiding your IP address, not hiding your packet contents. As this is the effect that most people are attempting to avoid, Tor is not only counterproductive but dangerous for the average user.

PRISM can only be beaten by not playing

Before we discuss the specific mechanics of why it’s such a big no-no to wrap your web traffic in Tor by default, we should address a more fundamental point. PRISM is a voluntary program of data submission. This means that PRISM participants have been invited by the NSA to upload the contents of their database, and that the vendors have chosen to accept this invitation. It doesn’t matter how you access a PRISM participant’s resources, because they upload all the data they have on you anyway. Therefore, the only way to prevent your data from getting submitted to the NSA, whether you’re connecting from your home DSL or the Starship Enterprise, is to not give any data to the entities that are wrapping it in a neat bow and dropping it on the NSA’s doorstep. Tor will not help with this. Tor will do nothing to prevent this. Tor makes it harder for an endpoint to discover the data’s originating IP address, which is a fairly minor detail when we’re discussing something on the scale of PRISM, since they already have all the emails, IMs, photos, cell phone information, etc. of basically everyone.

I repeat: the only thing that will protect someone from PRISM is refusal to utilize the products of PRISM participants. It does not matter how or why or when or where you access it. If you upload any data to the service of a vendor who participates in PRISM, the NSA has it, and that’s the end of the story. As far as the U.S. government is concerned, using Tor will just result in a flag on your account that makes the guys who’re reading your email laugh and say, “Ha! This guy thinks we care so much about his boring emails that he should try to hide from us. What a jokester.”

However, it is very important that one doesn’t use Tor to do mundane things that are just as well done on a direct connection, because Tor’s infrastructure is inherently insecure for most ordinary uses.

Your traffic is visible to the exit node.

Tor is an acronym for “The Onion Router”. It is so named because it works by wrapping your request in several layers of encryption and then sending this request through an automatically generated chain of nodes. At some point, the request must be unwrapped to be sent to its final destination because most people are trying to communicate with an ordinary online service that doesn’t understand Tor’s methods.

The Tor node that performs the final unwrapping is called an exit node. The exit node decrypts the packet it received from its sibling on the chain of nodes and receives your full, plaintext request, which it submits on your behalf to the intended destination. The exit node waits for the response, encrypts it, and sends the encrypted response back up through the node chain until it reaches you, the dear user and the termination of the chain, where your Tor client decrypts the packet from your chain-sibling and presents your client with a comprehensible piece of data.

There is no way to restrict what an exit node can do with your session’s plaintext, and anyone can run an exit node. There is no qualification process and there are no restrictions. Barack Obama could be running an exit node within minutes, and so could Edward Snowden, and there’d be no way for either of them to ensure that the other couldn’t see the requests they were sending. The user simply checks a box in Vidalia and he’s running an exit node, relaying plaintext data between conversants. Exit nodes automatically change every few minutes, so many exit nodes will be relaying pieces of your conversation, possibly re-exposing sensitive data to many entities over the course of a single session. Anyone running a Tor exit node is a potential listener.

The Tor project attempts to scare exit node operators straight by citing the possibility of prosecution under wiretap laws, but this is a purely legal restriction; under Tor’s design, there is no possible technical implementation that would prevent the exit node operator from being able to save both incoming and outgoing messages as sent between conversants. Only the threat of prosecutorial pressure (which is basically non-existent for certain parties) stands betwixt an exit node operator and your data. Thus, Tor is extremely dangerous for the ordinary user. It must be used only for specific, carefully-planned sessions, or you risk exposing sensitive personal data to anyone running an exit node.

In principle, Tor is not very complex. It simply automates what would otherwise be a very cumbersome manual process of chaining proxies and encrypting a message for each proxy’s public key. Tor’s directories and announce mechanisms mean that one no longer must trawl for private proxies, but they also mean that anyone can register a node as a proxy and do whatever they like with the traffic they’re passing. Tor puts no restrictions on any of this; literally anyone running the Tor software can volunteer to pass along traffic and will automatically begin receiving the traffic of other users.

You are much safer with just the NSA spying on you than all the people you invite to spy when you utilize Tor indiscriminately.

What about SSL/TLS?

Encryption protocols implemented by browsers may mitigate this issue to varying degrees, dependent on the details of the cryptography’s implementation and negotiation (and the assumption that an exit node isn’t tampering with the negotiation handshakes to allow easier interception of the encrypted conversation), the validity and trustworthiness of the certificates in use, the server’s proper attribution of security flags, and other variables. That’s sure a lot of stuff to have to assume is in place when you’re broadcasting your packet-level conversations out to potentially any Joe Blow on the street.
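The layering described under “Your traffic is visible to the exit node” and the end-to-end case raised in this section, as an added Python example that is not part of the original post. It uses a toy HMAC-based stream cipher with constructed keys and a constructed request in place of Tor’s real circuit cryptography; every name in it is hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: per-hop keys, an end-to-end key and a login request.
HOP_KEYS = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
E2E_KEY = b"k-client-and-destination-only"
REQUEST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
           b"user=alice&password=correct-horse")


def toy_cipher(key, data):
    """XOR data with an HMAC-SHA256 counter keystream (same call decrypts).

    Toy stand-in for a per-hop cipher: no nonce, no integrity, not Tor's
    real cryptography.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def client_wrap(payload, hop_keys=HOP_KEYS):
    """Client: apply the exit's layer first and the guard's layer last."""
    cell = payload
    for _name, key in reversed(hop_keys):
        cell = toy_cipher(key, cell)
    return cell


def relay_views(cell, hop_keys=HOP_KEYS):
    """Pass the cell down the chain; record what each relay holds after
    removing its own layer."""
    views = {}
    for name, key in hop_keys:
        cell = toy_cipher(key, cell)
        views[name] = cell
    return views


def send_plain(request=REQUEST):
    """Request sent through the chain with no end-to-end encryption."""
    return relay_views(client_wrap(request))


def send_end_to_end(request=REQUEST):
    """Same request, first encrypted under a key only the destination has."""
    return relay_views(client_wrap(toy_cipher(E2E_KEY, request)))


def destination_reads(exit_payload):
    """Destination removes the end-to-end layer the exit could not."""
    return toy_cipher(E2E_KEY, exit_payload)


if __name__ == "__main__":
    for label, views in (("plain", send_plain()),
                         ("end-to-end", send_end_to_end())):
        for relay, seen in views.items():
            readable = b"password=" in seen
            print(f"{label:10} {relay:6} sees credentials: {readable}")
```

The second case holds only when the end-to-end layer is authenticated, which in TLS is the job of certificate validation; the toy cipher here has no authentication at all.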

Why does Tor exist if it’s so unsafe?

Because Tor is not designed to be a universal privacy tool. It was built for a specific purpose, which was the circumvention of restrictive firewalls. The default example is China; Tor could be used by Chinese dissidents to post or access information that is censored in China, but available in the “free world”. Tor would make it impossible for the Chinese government to tell which computer was used to post a certain piece of information, and would hide the fact that other information was being accessed at all. Tor is meant as a lifeline to the outside world. Tor actually makes it much easier to spy on random conversations between entities, if you’re into that kind of thing (and the government obviously is), because the idea is to get public information in and out of a locked-down environment. And it works very well for that.

With this in mind, it’s ironic to look back on the way that certain persons have clung to Tor as a solution to domestic spying, because in actual fact, Tor makes such spying easier for an adversary that is only slightly removed from many of Tor’s biggest participants (universities), and opens the user’s traffic up to the possibility of tampering or recording from a potentially infinite collection of more ignominious foes.

OK, when can I use Tor?

Assume any data you pass through Tor, including usernames and passwords, will be publicly visible. If you have a use case where you’re OK with that happening, you’re OK to use Tor; if not, you aren’t. As most people do many things that they don’t want publicized, Tor is a very bad solution for most people.

A note on the martyrdom of Aaron Swartz

Just a quick note on the Aaron Swartz posts, which are still coming up near-daily on HN.

When there’s a mass shooting, many people point out that psychologists have recommended news stations avoid delivering any attention to the individual who committed the act. The main idea is to prevent copycats (though I guess there’s a secondary desire to deprive the assailant of any fame he thought he would gain).

There’s an obvious connection here. If we want to stop people from killing either each other or themselves, we shouldn’t martyrize people who distribute death, whether to self or others. Despite external pressures, Aaron Swartz holds the ultimate responsibility for what he did. And the message that’s getting sent is, “If you’re being persecuted and have minor notoriety among your peers, and you want to get talked about for months, and get laws named after yourself, or otherwise ‘die for the cause’, kill yourself. Make the sacrifice for the greater good. You’ll save others.”

Some would find that message problematic.

I understand that this subject has been taboo because of our affection for Swartz and his obvious mistreatment by the government, but the continued proliferation of posts glorifying and/or justifying Swartz’s action, and the particular annoyance inspired by a U.S. Representative from a tech-heavy sector attempting to play this event into an opportunity to pander, has finally provoked me into writing this post.

PulseAudio: combine sinks for simultaneous output

Most stuff on this is dated and/or speculative, so here’s a quick and easy howto on combining sinks in PulseAudio for simultaneous output.

If you’d like to include a Bluetooth headset or similar transient output device in your combined sink, please ensure it is correctly connected and visible in your preferred PulseAudio volume manager before proceeding.

The module-combine-sink module (previously simply “module-combine”) provides the functionality we need.

pacmd is [usually] distributed with PulseAudio and allows the user to send commands to the running PA server. Start pacmd and send list-sinks to the server. You’ll get output like:

x sink(s) available.
index: 0
name:
driver:
flags: HARDWARE DECIBEL_VOLUME LATENCY FLAT_VOLUME DYNAMIC_LATENCY
[...]
index: 1
name:
driver:
flags: HARDWARE HW_MUTE_CTRL HW_VOLUME_CTRL DECIBEL_VOLUME LATENCY FLAT_VOLUME DYNAMIC_LATENCY
[...]

Read this list and copy the names of the sinks (without the enclosing brackets) that you would like to combine; they should be fairly self-explanatory.

Then, create a combined sink containing all sinks on which you’d like simultaneous output by sending this command to the pacmd:

load-module module-combine-sink sink_name=combined slaves=alsa_output.pci-0000_09_04.0.analog-stereo,alsa_output.pci-0000_01_00.1.hdmi-stereo-extra3

sink_name is the name by which the sink will be identified and slaves is a comma-delimited list of all sinks upon which simultaneous output of the desired stream should occur.

This new sink should be immediately visible in your volume manager, from which you can switch individual streams to the combined sink or set the new sink as the default output.

Note that on transient devices like Bluetooth headsets, it may be necessary to recreate this sink each time the device is reconnected. In my experience, it’s just simpler to restart PulseAudio before connecting your new transient device, or else the old sink may linger and create issues. This can be done simply by issuing pulseaudio --kill; pulseaudio --start at your user’s shell.

How Mojang and Minecraft Could Change the World

This article is draft quality and needs references and restructuring. It is pretty boring at the beginning, too long, and doesn’t really have a conclusion, for instance. I’m publishing it this way because I have a lot of other stuff to do and I don’t know when I’ll have time to polish, but I think this article can be helpful as-is in the interim. Please excuse the spotty quality.

Minecraft is an intriguing exploration game by Swedish game development company Mojang. In the last almost two years, Minecraft’s community has exploded via exposure on tech aggregators like reddit. Minecraft has always cost money, allowing the independent developer Notch to form Mojang and turn Minecraft into a full-time enterprise and hire additional developers.

Minecraft’s Current License

As I mentioned, Minecraft has been distributed under what is effectively an All Rights Reserved copyright license since its inception. However, as Minecraft’s community has grown and particularly because Minecraft’s main audience is the tech-savvy reddit crowd, which contains a disproportionate number of software developers, interest in modifying and customizing the game has flourished.

Mojang does not distribute Minecraft’s source and does not allow redistribution of its files (despite Notch’s realistic viewpoint on software piracy). One Minecraft license allows one licensee to play.

The State of Minecraft Modding

Minecraft is written in Java, and that heritage has also played an important role in the modding community for two main reasons: first, Java is an accessible language frequently taught as an introduction to programming, and secondly, and most importantly, Java bytecode can be decompiled to meaningful and useful source code without much difficulty (like most bytecodes).

Mojang uses an obfuscator in an attempt to make decompilation of the distributed jars impractical, but the fine folks at the Minecraft Coder Pack provide a great infrastructure and service to the community in de-obfuscating the obfuscated code (decompilation results in the obfuscated codebase, and MCP contains patches that de-obfuscate and change variables back to meaningful names).

There is a large selection of mods for Minecraft that have been made primarily with this deobfuscated, decompiled source code, some of which are extremely impressive, especially considering the circumstances around the codebase, a complete lack of any official modding support, and the difficulty in working with decompiled, (de)-obfuscated Java.

The Minecraft protocol, interface, mapping format (which was originally contributed by a community member), and other fundamentals have been thoroughly documented despite its closed nature.

The Possibilities

As you can probably tell, a lot of people really like Minecraft, and are really interested in contributing to the project, even if it requires a totally absurd time commitment in order to reverse engineer an entire codebase of obfuscated Java. Mojang is doing a large disservice to themselves and the Minecraft community by maintaining these conditions.

Most open-source projects have to struggle and bite and claw to generate interest adequate to get patches from more than one or two developers. Mojang is sitting on a golden opportunity to vastly improve their game, provide useful, marketable skills to individuals, and increase its profitability.

Minecraft should change immediately to a shared source model where each licensee receives a full copy of the game’s source code and is granted the right to share that code and any modifications thereto with other MC licensees. Think how much effort currently wasted on working around the program’s proprietary nature would be saved, and instead invested in under-the-hood improvements, new features, etc. Any Minecraft player knows that there is definitely a lot of room for improvement in Minecraft’s performance.

Minecraft should be developed in public on a site like GitHub, allowing users to track changes, fix bugs, test immediately, and generally providing all of the other benefits of an open development model. Minecraft’s community has already demonstrated its value, practically forcing a closed development environment wide open as far as can be done with the material Mojang provides; the expansive possibilities yielded to MC from an open development model should be obvious at this point.

An Industry Leader

Mojang also has the opportunity to secure for themselves an historic leadership position in software. By providing a thorough shared-source license, Mojang can demonstrate that giving your users source code can vastly improve your product, vastly improve your sales, and vastly improve the freedom and enjoyment of your customers. This is a very important lesson to teach.

The only defense left in the digital realm is entirely legal. Your programs will be distributed on pirate networks if there is any semblance of wide interest in them. Your programs will be disassembled, decompiled, cracked, and reverse-engineered until they can be used without restriction by interested parties. This is just a fact of wide dissemination of object code, and the only reason an informed individual (like the audience that you meet when reddit is your primary avenue of exposure) ever buys your software is because he thinks he should. As such, it should be painstakingly obvious that draconian DRM measures only further impede the sales of a product, as legitimate users are forced to obtain the content via pirate distribution if they are to be expected to use it in a normal and convenient manner.

So, what is gained by keeping your source close to chest? It certainly doesn’t change your sales numbers at all. A legitimate company won’t copy your source code in circumvention of a shared source license because they know that they’d immediately be sued and immediately lose in a blatant case of copyright infringement. Your users will just download your program for free on pirate networks anyway if it is more convenient for them to do so (except for a very small portion of users that do not want to violate copyright law and will therefore probably never even use your program, a net loss even if they would have paid $0 because it deprives potential word-of-mouth marketing, etc.).

There is no logic in this kind of fear. The Free Software methodology has set a precedent and created an impression that supplying your users with source means a complete depletion of meaningful revenue, but a shared source license can demonstrate that it’s in the best interest of every involved party to include source code with every application as long as the FSF’s so-called “freedom to help your neighbor” (i.e., the virtual elimination of traditional copyright privileges (also called copyleft), allowing unlimited distribution by anyone for any reason as long as source and a copy of the license is included) is taken out of the equation. Mojang can become a great leader in establishing software freedom for a great many users by demonstrating by example the benefits of providing licensed users with source code and relying on legal remedies (the only realistic remedy for any pirate activity anymore) to ensure that sales remain intact.

With the vast interest in Minecraft, including interest by youth, Mojang can also lead the industry by switching to an open development model and tutoring interested contributors. Getting code included in a game like Minecraft in itself can be a huge motivator for a teen, especially if Mojang offers a small cash bounty for useful fixes, and with Mojang’s help there is potential to succor many-a-youth to a skillset that will allow them to provide utility to the world and a goodly supply of income for their (future and current) family.

Minecraft sales can also be expected to skyrocket as with Mojang’s cooperation, extensive new features can be added (Hammer-like object creator and internal scripting mechanisms, allowing users to craft a model and integrate all-new items into MC without heavy recoding, anyone?), the (many) performance issues can be addressed and enhanced, and so on.

With a community as fervent and committed as the community behind Minecraft, the possibilities really are tantalizing. I sincerely hope that Mojang embraces this great potential.

The Netflix/Qwikster disaster

As usual, this post is merely an edition of comments I’ve made on HN.

The Lowdown

Netflix has announced its intention to spin out its DVD-by-mail service into a separate entity called “Qwikster”. Netflix will henceforth offer streaming video exclusively. The two sites are completely discrete and will no longer share data or even a billing mechanism.

This is a terrific disaster for Netflix devotees and Netflix itself.

The Customers’ Disaster

The primary issue is that Netflix has made a major consumer-facing split on what is really an implementation detail. Netflix users want to watch movies. That is the reason you get a Netflix account, that is the goal of the Netflix customer. Whether that movie is available on DVD or via the intertubes’ streaming fairies is not really exceptionally relevant to the customers’ ultimate goal of watching that movie. Netflix is a company for intrepid movie-watchers, and artificially restricting this to intrepid streamers is just leaving money on the table.

Netflix’s success heretofore has been based upon a vast simplification in watching movies. In splitting the service and creating an artificial rift in their offerings, they’ve backpedaled tremendously; with the hard division of DVD and streaming, Netflix has gone to lengths to de-simplify your movie watching in order to remedy what really was a problem with management structure.

Netflix emphasizes, as they have for years, that DVD-by-mail will eventually go away. They do this in the same breath as they attempt to encourage users to register for Qwikster, essentially promising that those who are still interested in receiving physical DVDs will, in the relatively near-term future, have even greater hassle to their ultimate goal of watching movies, because Qwikster will shut down and take its users’ ratings, recommendations, and rental history with it.

What Should Have Happened: Redbox + Netflix

Instead of dividing the company in a way that made movie-watching less convenient, Netflix should have turned its attention to Redbox. Netflix and Redbox (which is now owned by Coinstar, a much less compatible couple) are a match made in heaven; Redbox is ubiquitous in most areas of the US these days and could function well as Netflix’s physical distribution arm, cutting Netflix’s dependence on the dwindling US Postal Service and saving postal costs.

I am personally acquainted with several individuals whose Redbox usage has replaced Netflix. These people are primarily interested in recent-ish releases and might have streamed if the content were available for streaming, but since desired content is rarely streamable, found it simpler just to go to Redbox and pick up the physical DVD. This is much faster than waiting for the mail, which in most cases has a 2-4 day turnaround.

Redbox would be an investment worth quite a significant chunk of money and integrating a user’s Redbox experience with the Netflix website would have been a great win. My speculation is that Coinstar doesn’t really know what to do with Redbox and they may have acquired the kiosks in anticipation of reselling in the first place, since it really doesn’t fit in with their standard business practice.

I recognize that Reed Hastings would probably balk at this suggestion; Netflix doesn’t want any of the hassles of pesky physical media anymore, and if nothing else they’ve made that quite obvious today. But I think it’s misguided — as exciting as streaming is, I don’t think discs are going to make a permanent exit any time soon. There are still issues with streaming delivery, like conflicted, guarded ISPs (Comcast, whose cable subscription tallies are constantly diminished by Netflix) and the non-tech-savvy who insist on using ancient computers riddled with spyware and can barely get Gmail to load in less than 10 minutes, let alone stream a HD movie. It’s much easier to go pick up a disc and place it in a tray than it is to start a Netflix Instant movie, especially since one must usually install Silverlight before watching.

The staying power of physical DVDs is really its own post, so I’ll just stop there.

And on top of all that, the prevalent red color schemes of the Netflix website and the Redbox kiosk already match. How is this not obvious?

wm-read: bookmarklet to enhance readability on Wikimedia projects

If you find yourself often reading long articles on Wikipedia, Wikisource, or other Wikimedia sites, you may appreciate this simple bookmarklet I put together.

It removes the sidebar from the document so that you can read without a big chunk of your screen being consumed by ominous gray.

To use this bookmarklet, drag this link to your bookmarks bar and click on it whenever you want to apply these transformations:

wm-read

Here’s a couple of screenshots using today’s featured article (coincidentally, Utah-related), with the original on the left and the post-wm-read on the right:

[Screenshots: top of page diff; mid-page comparison shot]

I do not believe the bookmarklet to be of sufficient uniqueness to qualify for copyright protection. In case some person believes it qualifies for copyright protection, I hereby release it into the public domain and willfully revoke any copyright protection which may have been applicable.

That gray is not so bad when you’re reading a short article or just browsing through, but if you are trying to read a long piece it can definitely get irksome for horizontal space to be wasted like that.

Most readers probably already know about Arc90’s Readability, a set of JS and CSS transformations that attempt to make articles more readable by removing cruft, sidebars, and headers and just leaving you with a page of readable text. I love Readability and use it often.

I have found, however, that most articles on Wikimedia projects flow better and are easier to comprehend in their original style … except for that big, wasteful sidebar. As such, Readability was not desirable in my case, especially since the articles I read on Wikisource have the original page breaks preserved, and Readability mangles these into the main body of the article, which is rather disruptive.