Posts

Showcase OSes

by allsparkinfinite on 2024-11-30

Many Linux distributions carry a distinction between the operating system and the desktop environment.

An operating system is the software that manages resources, and provides common services for applications to run. It schedules tasks for efficient use of the processor, storage, and network time. It also acts as the intermediary between hardware and applications. Crucially, it provides only a command-line interface and no graphical user interface.
A desktop environment is software that runs on top of the operating system and provides a graphical user interface. Desktop environments often carry their own sets of settings, keyboard shortcuts, and (importantly) default apps. Since desktop environments have a massive influence on the user experience, it can often make more sense to recommend desktop environments instead of distributions (operating systems) to new Linux users.

While desktop environments massively enrich a user's experience of an operating system, the developers of a desktop environment sometimes create an operating system of their own. The reasons could be any or many of the following:
- The developers of the desktop environment may feel that none of the popular operating systems show off the strengths of the desktop environment very well
- The developers of the desktop environment may wish to provide a way for application developers to test the look-and-feel of their apps on the latest version of the desktop environment
- The developers of the desktop environment may wish to showcase their new features, especially to enthusiasts and reviewers, without waiting for an operating system to get an update.

KDE Linux and GNOME OS are two such "showcase" operating systems.

KDE, creators of KDE Plasma, the most popular desktop environment among more hardcore Linux distributions like Arch, have announced KDE Linux as an experimental operating system with the goal of eventually becoming "the best choice for home use, enterprise workstations, public institutions, and more". In other words, they want it to become a major operating system. It has an immutable base, meaning the core system files are read-only at runtime, so that once it is installed, the operating system cannot be broken (or "borked") by user error or remote attacks. Updates can also be easily rolled back on immutable operating systems.
It is based on Arch Linux and intends to keep installed applications separate from the operating system for security reasons in addition to reliability.
There are also multiple editions planned (because of course) for testing (daily updates, made for devs and testers), enthusiast (made for enthusiasts and power users), and stable (delayed updates prioritising stability for everyday users) use cases.
Since it is a newly developed operating system, they get to use all the buzzy new technologies in the Linux world. I have already mentioned immutable systems; the Flatpak app format, Wayland compositors, and systemd services are others.
GNOME, a desktop environment made popular by Ubuntu, created GNOME OS for experimental and development reasons. It is heavily container-based, with Flathub as the default app store. It also contains a bunch of additional developer tools for (surprise, surprise) developers to work with.
This comes one year after Germany's Sovereign Tech Fund invested a million euros into GNOME to improve various aspects of the desktop environment.
They intend to take an "opinionated" approach, reducing the feeling of choice paralysis for inexperienced users. This is in stark contrast to KDE Plasma, which focuses heavily on user choice.
GNOME OS is also an immutable distribution for reliability. With each OS copy being identical, troubleshooting is easier. There is, again, a focus on modernity to push progress.


AI: Comprehension And Open Source

by allsparkinfinite on 2024-11-23

Artificial Intelligence has rocked the world lately, but that's a rather loose term. Some would say it is even an inaccurate term.
What has rocked the world lately is Generative AI - models that generate content on a level that can seem like genuine human-generated art to an untrained or gullible eye.

Stages Of Artificial Intelligence

Let's briefly go through the rough phases of AI. Be warned, the terms are not very precise, and different people involved in the field carry different definitions for each term.
For example, what I refer to as artificial intelligence, some would call machine learning.

Machine Learning

What I call machine learning, some might call "best-fit models".
These are simple mathematical models where an algorithm is defined, but some coefficients are left unspecified. The training process then calculates (not "estimates", "calculates") the coefficients that fit the training data best. The inner workings of these models tend to be fairly simple for humans to understand.

Deep Learning

These are neural networks, which is another way of saying "thousands of simple mathematical models working to create one big model". From this point onwards in the complexity scale, the training process estimates the best coefficients, because calculating the exact numbers ranges from impractical to impossible. This also steps into a region of complexity where humans cannot understand the inner workings of the models.

Generative AI

A catch-all term for large language models (chatbots), latent diffusion models (text-to-image), and video diffusion models (text-to-video), which can create content that is remarkably complex. This is the current state-of-the-art in AI.

Artificial General Intelligence

Some would say AGI is the only true AI, and it is indeed the ultimate goal we all picture when we think of AI. A computer algorithm that can do anything, with intelligence coming not merely from computing power but an ability to understand the world.

Does ChatGPT Understand The World?

There was a large language model that could provide really accurate navigation within New York City. However, its performance plummeted when some streets were closed, because it simply hallucinated a lot of non-existent streets. Navigation apps are built with a model of reality specific to their one goal, and so is their training data. The same is not done with generative AI.
GothamChess did a similar evaluation in a video pitting ChatGPT against Stockfish (the strongest chess-playing and position-evaluating engine), where ChatGPT was unable to keep track of the state of the chessboard, bringing in pieces out of thin air.
Large language models in particular are only good at determining what word comes next in a stream of text. That doesn't mean they actually understand what they write, which is reminiscent of the urban legend about Max Planck and his chauffeur.

What Does An Open Source AI Look Like?

At first glance, one would say that any model whose underlying mathematical model and its coefficients can be verified can be called an open source model.
However, that definition rings hollow when you consider the collaborative and transparency aspects of open source. We do not start from a god-given definition of open source which we worship - we start with a set of principles and behaviour we value, explore how they apply in different fields, and then create field-specific definitions. Hell, "open source" is just "public domain intellectual property" applied to software.
The Open Source Initiative, an organisation that aims to be, and is widely regarded as, the steward of all things open source, has defined open source AI as AI which provides enough information to substantially rebuild it. This includes a training dataset, and how it was obtained and processed.
This definition is intended to evolve over time as the field expands.


Manifest V2 Discontinued

by allsparkinfinite on 2024-11-16

Browser Extensions

Extensions are tools for web browsers (and other kinds of software as well, but we're discussing browsers today) that use the API published by the developers.

Every browser engine has its own set of exposed APIs. Extensions hosted on the Chrome Web Store can be used on any Chromium-based browser, because they all use the Blink browser engine. Similarly, all Firefox-based browsers can use extensions from the Mozilla Add-Ons site.

There are three kinds of functionality offered by extensions:

Chrome's Extension Format

Chrome calls its extension format "Manifest", named for the manifest file that many plug-ins and libraries use to declare metadata. In this case, the manifest file would likely contain (caution: this is probably easy to verify but I am lazy and confident enough to go on speculation alone) most of the info you see on the extension page, a list of the files the extension contains, and a list of the APIs the extension wants to access. This list of APIs is used, among other things, to show a permissions dialogue box when installing the extension.

Manifest V2 was the API version used for a long time until very recently, while Manifest V3 was announced in 2018. Google announced a transition period where Manifest V2 and Manifest V3 APIs were simultaneously available, and extensions following both formats were supported, with a deadline on Manifest V2 extensions.

Why End Manifest V2

Manifest V3 brought with it a lot of changes. It overhauled and modernised the extension architecture, implemented finer-grained API permissions for finer control, and updated some background tasks to be more performant.
In addition, it blocked the use of remotely hosted code, and restricted the webRequest API so that only select connections are routed through extensions. This effectively killed ad-blockers.

Most ads on webpages do not come from the same website, but from a different, advertising-specific, website. This is one of the ways ad-blockers block ads - by blocking all requests to advertiser domains. If there is no way for the user to choose to route all web requests through an extension, the user loses one weapon in their quest to avoid ads.
Another way of blocking ads is using rules to identify the elements on a page that are ads. This turns into a cat-and-mouse game between advertisers and ad-blockers. The way ad-blockers stay on top of this is by publishing their rule lists separately, so that an installed extension can check for updates regularly. With this being banned, ad-blockers will no doubt lag behind in the evolutionary race, as having an extension update approved by the Chrome Web Store is a whole process.
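The difference between the two approaches, as an added example that is not part of the original post: a Manifest V2 blocking listener written as a plain Python function, beside a Manifest V3 declarativeNetRequest rule set with a simplified urlFilter matcher. The chrome.* APIs only exist inside the browser, so both sides are modelled over constructed URLs; the domains and rules are made up for illustration.

```python
import re
from urllib.parse import urlparse

# Manifest V2 side: the extension's own code sees every request.
# This stands in for a chrome.webRequest.onBeforeRequest listener registered
# with the "blocking" option: returning {"cancel": True} drops the request.
# Because it is ordinary code, the block list can come from anywhere,
# including a filter list fetched from the ad-blocker's own servers.
RUNTIME_BLOCK_LIST = {"ads.example", "tracker.example"}  # constructed sample


def mv2_on_before_request(url: str) -> dict:
    """Block the request if its host is, or is under, a listed domain."""
    host = (urlparse(url).hostname or "").lower()
    for blocked in RUNTIME_BLOCK_LIST:
        if host == blocked or host.endswith("." + blocked):
            return {"cancel": True}
    return {}


def mv2_add_blocked_hosts(hosts) -> None:
    """What a periodic filter-list refresh boils down to under V2:
    mutate in-memory state and the next request is already covered."""
    RUNTIME_BLOCK_LIST.update(h.lower() for h in hosts)


# Manifest V3 side: rules are declared up front and the browser matches them.
# The rule shape follows chrome.declarativeNetRequest. Extension code never
# sees the request, so a new block needs a new rule shipped with the
# extension (or one of a capped number of dynamic rules), not a list fetch.
MV3_RULES = [  # constructed sample ruleset
    {"id": 1, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example^",
                   "resourceTypes": ["script", "image", "sub_frame"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||tracker.example^"}},
    {"id": 3, "priority": 2, "action": {"type": "allow"},
     "condition": {"urlFilter": "||ads.example/privacy^"}},
]

ACTION_RANK = {"allow": 2, "block": 1}  # at equal priority, allow beats block


def url_filter_to_regex(url_filter: str):
    """Translate a urlFilter pattern into a compiled regex (simplified).

    '||' anchors at a domain boundary (the host or any subdomain of it),
    '|' at the very start or end anchors the URL, '^' matches a separator
    (anything that is not a letter, digit, or one of _-.%, or the end of
    the URL) and '*' is a wildcard; everything else is literal.
    """
    pattern = ""
    i = 0
    if url_filter.startswith("||"):
        pattern += r"^[a-z][a-z0-9+.\-]*://(?:[^/?#]*\.)?"
        i = 2
    elif url_filter.startswith("|"):
        pattern += "^"
        i = 1
    while i < len(url_filter):
        ch = url_filter[i]
        if ch == "^":
            pattern += r"(?:[^a-zA-Z0-9_\-.%]|$)"
        elif ch == "*":
            pattern += ".*"
        elif ch == "|" and i == len(url_filter) - 1:
            pattern += "$"
        else:
            pattern += re.escape(ch)
        i += 1
    return re.compile(pattern, re.IGNORECASE)


def mv3_match(rules, url: str, resource_type: str) -> str:
    """Return the action the browser would apply: 'block', 'allow' or 'none'.

    Highest priority wins; ties go to 'allow'. A rule with no resourceTypes
    applies to every type except main_frame, as in the real API. The real
    engine knows more action types and conditions than are modelled here.
    """
    best = None
    for rule in rules:
        cond = rule["condition"]
        types = cond.get("resourceTypes")
        if types is None:
            if resource_type == "main_frame":
                continue
        elif resource_type not in types:
            continue
        if not url_filter_to_regex(cond["urlFilter"]).search(url):
            continue
        key = (rule["priority"], ACTION_RANK[rule["action"]["type"]])
        if best is None or key > best[0]:
            best = (key, rule)
    return best[1]["action"]["type"] if best else "none"
```

The last two assertions in the accompanying check are the point of the post: under V2 a freshly learned domain is blocked immediately, under V3 it stays unblocked until a new rule reaches the browser.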

How To Retain Ad-Blockers

Stay on an old version of the Blink engine, which isn't practical for users or alternate browser developers.
Brave and Vivaldi have their own inbuilt ad-blocking, and Brave promised to support some popular Manifest V2 extensions.
Firefox has its own implementation of the Manifest format so that Chrome extensions can be used on Firefox as well, and Mozilla will retain all Manifest V2 APIs. They have also promised not to support privacy-affecting restrictions in Manifest V3.


Mozilla's Relationship With The FOSS Community

by allsparkinfinite on 2024-11-09

It's complicated.

The Value Of Firefox

Browser Engines

A browser engine is a software component that renders webpages, handles security, and generally converts all website files into a user experience. Developing a browser engine is quite the task, and nearly all browsers that you see today use one of the three major web engines, with relatively minor changes overlaid on top.
Mozilla develops the Gecko engine, whose codebase it inherited from Netscape. It is the only engine not owned by Big Tech (debatable statement, keep reading).
KHTML is a now-discontinued engine that was maintained by the KDE team. Microsoft also owns two defunct engines called Trident, which was used in Internet Explorer, and EdgeHTML, which was used in early versions of Microsoft Edge.
Apple forked KHTML to create WebKit, which is used by Safari, as well as on all browsers on iOS devices outside the European Union.
Google initially used WebKit for Chrome, but forked it to create Blink. Thanks to Google releasing an open-source version of Chrome, called Chromium, Blink has become the first choice of engine for any new browser to use, including competitors like Edge and privacy-centric browsers like Brave and DuckDuckGo.

Why Gecko Stands Out

While WebKit and Blink are open-source, they are ultimately controlled by giant tech companies. Using any browsers based on these engines means giving up control over your web experience. There is no better demonstration of this than Google's discontinuation of the Manifest V2 extension format, which meant a lot of adblockers went kaput. Brave, to its credit, has committed to supporting some popular Manifest V2 extensions, like uBlock Origin.
Having an independent engine in Gecko puts control in the hands of a company less likely to throw its users under the bus.

Less Likely? What's Wrong With Mozilla?

Mozilla isn't perfect either. Some long-standing complaints with Mozilla have been:
- Its deal with Google where Google is the default search engine on Firefox. I don't think it's a big deal because changing it is just a few clicks away, but I do get that you have to start making noise before the slippery slope starts.
- The pay package of its CEO, which I have no idea how to even judge the validity of.

Recent Issues

Mozilla made a few unpopular changes recently, with the explanation that they want to focus on Firefox.

Shuttering Of Its Mastodon Server

Mastodon is a Twitter-like social media server software based on the ActivityPub protocol, and is thus part of the Fediverse. The Fediverse is a collection of independently-hosted but cross-networking-capable social media. This cross-networking is called federation, and it allows, for example, Mastodon accounts to follow PeerTube (YouTube-like fediverse software) accounts. Mozilla has its own instance of a Mastodon server at mozilla.social, which it is shutting down soon.
This is not a big deal in itself for two reasons. It is a small instance with only around 300 users, and it is easy to port one's data from one Mastodon instance to another. However, the bigger issue is that Mozilla has opted to stop showing support for the Fediverse, which rubs a lot of us the wrong way.

Abandoning Advocacy

The Mozilla Foundation is the non-profit arm of Mozilla, and it had an advocacy division. They would advocate for a free and fair internet, digital ownership rights, and other freedoms that Big Tech erodes. Mozilla recently opted to drop their advocacy division, which is a horrible idea, unless they choose to invest in more effective digital rights advocacy organisations. So far, the closest thing to this I have seen is that Mozilla will be embedding advocacy into its other products, which feels like a big cop-out.


Sports I'm Into | 2024 Oct Recap

by allsparkinfinite on 2024-11-02

Cricket

Bangladesh M Tour of India, 2nd Test, 1st-3rd T20Is

Very comfortable wins for India, including a near-300 total in the final T20I.

ICC Women's T20 World Cup

New Zealand won quite convincingly.

Ireland M v/s South Africa M at UAE, 1st-3rd ODIs

South Africa won the first two matches with a big margin, and Ireland returned the favour in the final match.

England M Tour of Pakistan, 1st-3rd Tests

England won the first test by an innings, declaring their first innings at 823. They then went on to lose the next two matches by 152 runs and 9 wickets.

West Indies M Tour of Sri Lanka, 1st-3rd T20Is, 1st-3rd ODIs

2-1 for Sri Lanka in both series, none of the matches being closely contested again.

New Zealand M Tour of India, 1st-2nd Tests

New Zealand won the first two tests, virtually knocking us out of the World Test Championship finals unless we beat Australia.

South Africa M Tour of Bangladesh, 1st-2nd Tests

Bangladesh took yet another beating.

New Zealand W Tour of India, 1st-3rd ODIs

India wins 2-1, each match feeling one-sided yet again. What is going on?!

England M Tour of WI, 1st ODI

West Indies might be resurgent here, taking an 8-wicket win to start the series.

Formula 1

US Grand Prix

Verstappen won the sprint race quite comfortably. Norris took pole for the main race, and Verstappen was behind him. Norris attempted to cover the inside line at the race start into the wide Turn 1 as much as he could, but Verstappen sent a divebomb down the inside anyway. Both drivers went off-track at the exit, handing Leclerc the lead. While Verstappen did force Norris off the track and himself gained an advantage by leaving the track, the stewards believed this was par for the course during lap 1. Verstappen, though overtaken by Sainz soon, then built a gap to Norris during the first stint, but Norris caught up during the second stint. Verstappen defended beautifully lap after lap, but Norris finally got a good exit onto the long back straight with 5 laps to go. He got ahead, but Verstappen braked late and both cars went off-track at the exit again. Norris decided to use even more of the off-track area to keep the position, got slapped with a 5 second penalty (mitigating factor: he was forced off track), and was unable to build the gap by the end of the race. Had Norris not overtaken off-track, Verstappen could have been penalised for forcing a driver off the track. However, he was ahead at the apex (by braking way too late, see Brazil 2022) so that muddies the waters.
Hamilton qualified 17th, made up 5 places at the race start, then spun out on his own at the same corner where Russell crashed in qualifying. Russell had to start from the pitlane, and ended the race in 6th.

Mexican GP

Sainz took pole, but Verstappen overtook him on the long run down to Turn 1. Sainz overtook Verstappen later at Turn 1 by positioning his car in a way that hid his intentions, then braking in a straight line to the apex - a trick that Verstappen himself is a master of. Norris then caught Verstappen, stayed alongside him at the apex of Turn 4, and got forced off the track. Verstappen then sent a ridiculous divebomb into Turn 8, forcing both cars off the track, and handing Leclerc second place. Verstappen got two separate 10-second penalties, effectively demoting him from 4th to 6th, while Norris managed to overtake Leclerc towards the end. Leclerc's tyres were giving up and he impressively saved a near-certain crash. Hamilton and Russell had a long battle with Hamilton ultimately taking the spoils. Norris was just 4 seconds behind Sainz at the end, so Verstappen's dirty driving effectively made him lose only 10 points to Norris instead of 13.


Piracy And Gaming

by allsparkinfinite on 2024-10-26

What Is Piracy?

Colloquial Definition

When you obtain a copy of some media - could be songs, movies, TV shows, books, or games - through unofficial means, we say that you have pirated it. "Sailing the high seas" and "earning your sea legs" are common euphemisms for piracy.
The most common justification people give for pirating something is being broke, and a lot of such people move away from piracy once they are able to pay. Part of the reason to pay when able is that people are (somewhat justifiably) afraid of accidentally downloading malware from piracy websites or torrents.

Legal Definition (In Most Jurisdictions, I Think?)

Legally, piracy is the act of distributing media to others (not obtaining media for yourself) through means that you are not authorized to do under the copyright attached to said media.
While creative work typically enters the public domain after 70 years, many jurisdictions allow it to be fast-tracked for media that is no longer sold legally.

More on this later.

More Justifications For Consuming Pirated Content

Refusal To Financially Contribute To Creators

Sometimes, enjoyable media is created by problematic people, and one may choose to consume (either to enjoy or to critique) said media while not contributing to the revenue stream. I do this with the youtuber exurb1a, watching his videos in a way that doesn't increment the view count.

Convenience And Service Quality

"Piracy is almost always a service problem and not a pricing problem" - Gabe Newell
Some paid streaming services have ads. Netflix blocks 4K content on 4K smart TVs. Some streaming services (YouTube included) require the app to have been online recently to play downloaded media. Anime on Netflix doesn't even have accurate subtitles. Some games require an internet connection to play single-player. Some media is region-locked.
All of this makes for a crappy experience, and some people may choose the hassle of downloading a pirated copy instead.

Ownership And Archival

"If buying isn't owning, then pirating isn't stealing" - Linus Tech Tips? Louis Rossman? I couldn't track down the owner.
When you purchase a DVD with a game or a movie on it, you own that copy and it cannot be taken from you. When you purchase a game or movie online, you only purchase a licence to access it until the provider chooses not to provide it any more.
On a larger scale, documenting our cultural history in this situation necessitates piracy.

Army Attack Reborn

I used to play a game called Army Attack when I was 13, which was discontinued. Its holding company Digital Chocolate eventually went bankrupt, and most of its assets (including the copyright to this game) were acquired by RockYou Games, which itself went bankrupt later. Its assets were auctioned off, and the game assets are functionally untraceable. Media under similar circumstances are said to have been "orphaned", with "abandonware" being the term for abandoned software.
Army Attack Reborn is a fan-driven effort to recreate the game, and a major asset is the APK that someone extracted back when the game was active. Piracy for the win!

Emulators

Under similar justifications, emulators for discontinued gaming consoles can be justified. The Nintendo DS has been reverse-engineered to such an extent that fans are able to host replacements for DS Wireless Services too!
Of course, there exist emulators for active consoles as well. In fact, the USA does not even classify emulators as piracy. Nintendo has shut down two Switch emulators recently, the first of which was instantly forked.
While the first emulator, Yuzu, was taken down via a legal route, the second, Ryujinx, seems to have been killed via a backroom deal with the lead developer. The timing of this takedown is suspiciously close to reports of a Switch-exclusive game - The Legend of Zelda: Echoes of Wisdom - running better on the emulator than on the Switch itself.


More Corporate Open Source Shenanigans

by allsparkinfinite on 2024-10-19

How Are Companies Dealing With The Negative PR From Open Source Rug Pulls?

How do companies deal with negative PR in the first place?
Advertising is powerful. With the right presentation, public opinion can be shaped. There are courses dedicated to teaching this. Innocuous naming is one such technique.

For example, HashiCorp switched its open-source products - including the popular Terraform - to a "Business Source License", with similar restrictions. I already went over why this is a slap in the face to every volunteer that contributed code to the project.
And now Sentry has come up with a "fair source" license, which is also being adopted by GitButler.

What Are All These New Terms?

The idea behind all these new fancy licenses is that the companies want to retain the ability to have the public improve the monetised product, while taking away the public's ability to create a monetisable competitor.

To be fair, both Business Source License and Fair Source do stipulate that the published software be released to an open source license after a specified period of time. For Fair Source, it is 2 years, while for Business Source License, it is 4 years unless specified otherwise.

So why isn't this open source? For one, the definitions in the noncompete stipulations are fuzzy. Secondly, the fact that the license holder is the only entity allowed to monetize the code means that the freedoms do not apply easily, and thus violate the Open Source Initiative's definition of open source.

Then there is the problem of the license being controlled by a single for-profit entity. What's to say they won't come up with a more business-friendly and less open-sourcey version tomorrow, which will be promptly adopted by everyone using the current version. And when there is a risk of the license holder changing the terms of the deal on you, how different is it from a proprietary license?

Another reason I believe that these new terms are more of a branding exercise than a game-changing middle-ground between open source and proprietary licensing is that we already have names for this. A product which makes its source code auditable but not reusable has had a few names for a while - "source available" or "public source".

Okay, But Business Decisions Are Always Evaluated On Company Value, Right?

Rachel Stephens, a senior analyst at RedMonk, looked at the following companies that moved away from open source licences:
- MongoDB, which went from the GNU Affero General Public License to the Server Side Public License
- Elastic (owner of Elasticsearch), which went from Apache 2 to the Elastic License
- HashiCorp, which went from the Mozilla Public License 2.0 to the Business Source License
- Confluent, which went from Apache 2 to the Confluent Community License

Of course, a sample size of 4 is not very large, and there are many confounding factors at play. None of these companies are profitable yet, so their valuation is only determined by their potential for profits. However, with that in mind, what did we see from these companies? The rate of revenue growth did not change across the license switch.

An oft-cited reason for open-source rug pulls was that the developers of the software were unable to sell hosted/managed instances of it because cloud providers swooped in with their economies of scale and captured all the value, while giving nothing back to the community.
Six years after MongoDB switched its license, cloud providers remain as profitable as ever, while MongoDB itself is not yet profitable.


Severe Flaw In Linux Distributions Fixed

by allsparkinfinite on 2024-10-12

Major Linux distributions AND Google Chrome use a printing stack called Common Unix Printing System or CUPS. There has been a vulnerability in the library (actually, 4 vulnerabilities in tandem) for years that was just patched.

The vulnerability was discovered, investigated, publicised, and dramatised (with very good reason) by Simone Margaritelli, who has described his process here.

The vulnerability was severe for the following reasons:

The severity was mitigated by the following factors:

The four component vulnerabilities are:
- CVE-2024-47176, which lets any packet from any source on UDP port 631 make the system ask an arbitrary (and malicious, if the packet so specifies) printer for its attributes
- CVE-2024-47076, which does not sanitize attributes received from a printer before passing them on to the rest of the CUPS system
- CVE-2024-47175, which does not sanitize attributes received from a printer before writing them to a temporary printer-description file
- CVE-2024-47177, which allows arbitrary command execution from a printer-description file

The chain of events in the attack is as follows:

Thankfully, if your computer does not connect to the internet directly but rather through a router, your computer was likely never vulnerable.
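Two defender-side checks for the chain described above, as an added example that is not part of the original post: whether some process on the host already holds UDP/631 (the entry point), whether cups-browsed is configured to act on unsolicited "cups" browse packets, and whether a printer-description (PPD) file carries a keyword that foomatic-rip treats as a command line to run. The config path, the assumed built-in default for the directive, and all sample texts are my assumptions, not taken from the post.

```python
import errno
import socket
from typing import List, Optional

CUPS_BROWSED_CONF = "/etc/cups/cups-browsed.conf"  # assumed default location

# PPD keywords whose values foomatic-rip runs as a shell command line.
# One of these in a PPD that CUPS generated for an auto-discovered printer
# is the last link of the chain.
PPD_COMMAND_KEYS = ("*FoomaticRIPCommandLine", "*FoomaticRIPCommandLinePDF")


def udp_631_is_bound() -> Optional[bool]:
    """True if another process already owns UDP/631, False if the port is
    free, None if this process may not bind a port below 1024 and so
    cannot tell. Binding and releasing the port is harmless."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("0.0.0.0", 631))
        return False
    except PermissionError:
        return None
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        sock.close()


def cups_browsed_accepts_remote_cups(conf_text: str) -> bool:
    """Parse cups-browsed.conf text and report whether the legacy 'cups'
    browse protocol is enabled, i.e. the daemon acts on UDP/631 packets.
    If the directive is absent the daemon's built-in default applies;
    this assumes that default is 'dnssd cups' (both protocols on)."""
    protocols = ["dnssd", "cups"]  # assumed built-in default
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() == "browseremoteprotocols":
            protocols = [p.lower() for p in parts[1:]]  # last occurrence wins
    return "cups" in protocols


def audit_ppd(ppd_text: str) -> List[str]:
    """Return findings for one PPD: any keyword that foomatic-rip executes,
    and any cupsFilter line that routes jobs through foomatic-rip (which
    is what makes such keywords live). An empty list means nothing found."""
    findings = []
    for lineno, raw in enumerate(ppd_text.splitlines(), 1):
        line = raw.strip()
        key = line.split(":", 1)[0].split(" ", 1)[0]  # '*Keyword' before ':'
        if key in PPD_COMMAND_KEYS:
            findings.append(f"line {lineno}: {key} present (executed by foomatic-rip)")
        elif key in ("*cupsFilter", "*cupsFilter2") and "foomatic-rip" in line:
            findings.append(f"line {lineno}: job routed through foomatic-rip")
    return findings


def audit_ppd_file(path: str) -> List[str]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ppd(fh.read())


if __name__ == "__main__":
    print("UDP/631 bound by another process:", udp_631_is_bound())
    try:
        with open(CUPS_BROWSED_CONF, encoding="utf-8") as fh:
            print("cups-browsed acts on 'cups' browse packets:",
                  cups_browsed_accepts_remote_cups(fh.read()))
    except FileNotFoundError:
        print("no cups-browsed.conf found; cups-browsed is probably not installed")
```

Run audit_ppd_file over the PPDs CUPS keeps for installed printers to spot a description file that would hand foomatic-rip a command line.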

This was rated a 9.9 on the CVSS severity scale by multiple security researchers, which may be overselling the vulnerability a bit. Always better to err on the side of caution, however.

I said earlier that this vulnerability was dramatised. It took Simone only two days to figure out the vulnerability in its entirety. However, twenty-two days after making the initial security report and being active in conversations about it, he was unable to convince the maintainers that this vulnerability was worth fixing.
The standard responsible disclosure process is that you reach out to the developers in private, rather than publishing the vulnerability publicly. Obviously, this is to prevent attackers from learning about and taking advantage of the vulnerability before a fix is out.
However, this process seems to be broken in the OpenPrinting organisation. Simone was expected to jump through hoops to prove that this vulnerability is worth fixing. It seems to be a case of "murder your darlings", where people are so attached to their creations that they strongly dismiss criticism.
When 22 days of making his case to the developers didn't show results, Simone took to Twitter. With two tweets, he managed to get the team working on the fix, which was then soon published to all software repositories.

To be clear, I don't think this means open source software is less secure - this inability to criticise your own work is something I see in my company as well, writing proprietary code.


Sports I'm Into | 2024 Sep Recap

by allsparkinfinite on 2024-10-05

Cricket

Sri Lanka M Tour of England, 2nd-3rd Tests

England wins the second test and Sri Lanka bounce back in the third for a consolation win.

Bangladesh M Tour of Pakistan, 2nd Test

Bangladesh take the series! Not narrowly either!

Australia M Tour of Scotland, 1st-3rd T20Is

Hosts whitewashed, badly.

England W Tour of Ireland, 1st-3rd ODIs, 1st-2nd T20Is

ODIs go 2-1 to England, T20Is shared 1-1.

Afghanistan v/s New Zealand at India, Only Test

Washed out, sadly.

Australia M Tour of England, 1st-3rd T20Is, 1st-5th ODIs

Closely contested tour, with the T20I series drawn (one match washed out) and Australia taking the ODIs 3-2.

South Africa W Tour of Pakistan, 1st-3rd T20Is

First two matches were closely contested and shared. South Africa won the third easily.

New Zealand M Tour of Sri Lanka, 1st-2nd Tests

New Zealand took a thrashing, especially in the second test.

Afghanistan M v/s South Africa M at UAE, 1st-3rd ODIs

Afghanistan takes the first two matches and the series in very convincing fashion.

Bangladesh M Tour of India, 1st Test

Too easy for India.

New Zealand W Tour of Australia, 1st-3rd T20Is

Comfortable whitewash for the hosts.

Ireland M v/s South Africa M at UAE, 1st-2nd T20Is

Ireland draws the series!

Formula 1

Antonelli To Mercedes

Andrea Kimi Antonelli drove as a rookie driver for Mercedes in the first practice session at Italy, crashed, and was announced to fill Hamilton's seat next year.

Italian Grand Prix

Ferrari made a 1-stop work when everyone stopped twice. Sainz defended against the McLarens to help Leclerc win.
Magnussen had a minor incident with Gasly, which was harshly penalised, earning him a race ban for reaching 12 penalty points over 12 months. This comes after a series of lax penalties for him, the FIA seemingly being shy to actually hand out a race ban.
The F3 title was won by Fornaroli, who won no races but was consistent enough to take the title. The F2 Sprint Race saw a photofinish between Bortoleto and Hauger for eighth place, the stopwatch reading the exact same time, forcing them to share a point.

Newey To Aston Martin

Adrian Newey, F1's greatest aerodynamicist, has announced a move to Aston Martin, a struggling team with lots of money. However, 2026 will see engines be more important than aerodynamics, which raises doubts over how effective Newey will be.

Azerbaijan Grand Prix

No one could match Leclerc's first Q3 lap, and he went on to improve it for good measure. Norris got a yellow flag on his Q1 lap and started the race from the back. Reserve driver Bearman, rookie Colapinto, and struggling Perez, all outqualified their teammates. Bearman finished ahead of his teammate in the race, Colapinto only slightly behind his teammate, and Perez was about to finish 4 places ahead of Verstappen before he tangled with Carlos on a straight. Unlucky, racing incident. Russell with a surprise podium again.
Norris had a late pitstop, which is a good tactic for a fast car starting out of position. He blocked Perez for a while, saving Piastri from the undercut, who later won the race after a magnificent battle with Leclerc. Overtake once, defend forever. Norris then blocked Verstappen, made his pitstop, and caught back up to and overtook Verstappen.

McLaren Rear Wing Scrapped

Red Bull registered a complaint about McLaren's low-downforce rear wing flex. The regulations require wings to be inflexible. Since there is no such thing as a zero-flex structure, there are tests prescribing how much wings can deform under a specific load. FIA checks every component before it is allowed to be fitted on a car, so we know McLaren's rear wing is compliant. Despite being in compliance with the regulations, McLaren "opted" to retire that design. Unfair.

Singapore Grand Prix

Norris leads every lap and wins.

Ricciardo Dropped In Favour Of Lawson

It was a horrible way to fire a driver. He deserved a better send-off, at least.


Tutorial | PostgreSQL

by allsparkinfinite on 2024-09-28

Any server software that needs to store data needs a database. This blog has one.
There are a few different database systems that we can use. For this post, we will be looking at relational databases only, because I have not worked with document-based databases yet and I do not intend to work with them in the near future.
Since SQL is the language used to interact with relational databases, they are also called SQL databases.

SQL is a rather simple language to learn, with only a handful of statement types (SELECT, INSERT, UPDATE and DELETE for data, and the CREATE/ALTER/DROP family for changing structure). Each database system has its own quirks, so each publishes its own, slightly different, tutorial to learn from.

A relational database has tables to store all the information, with rows being added, read, modified or removed. Columns and tables are generally only added or removed during updates and maintenance.
If your app stores songs in user-defined playlists, would you expect each playlist to have its own table?
The SQL way of doing it is to have one table where each row is a song, another table where each row is a playlist, and a third table where each row is a link between a song and a playlist. Two different rows can put the same song in two different playlists.

SQLite

SQLite is, as the name suggests, a lightweight implementation of a relational database system. It is easy to use, and is a strong contender for being the world's most deployed software.
SQLite is imported as a library in whichever programming language the application is written in. Data is stored in a single file, which makes manual review and backup restoration easy.
SQLite performs best when a single process uses the database and writes are infrequent: it locks the whole file while writing. That is fine for an application on a personal device, but not for a popular web application that many people write to at once.

PostgreSQL

PostgreSQL is a more traditional database system: it runs as a server, clients connect to it over a socket, and it has its own roles, authentication and per-object privileges.
Instructions to install and run it on your server are here. Alternatively, you can install it via docker (as I did with the example command in the Docker tutorial).
You can have multiple users (PostgreSQL calls them roles) and multiple databases in one PostgreSQL instance, and grant each role access to only its own database. Each server software you host gets its own role and database, and that role cannot connect to the other databases (it can still see their names in the pg_database catalog, but nothing inside them). This is useful because if an attacker manages to execute code as one of your servers, data belonging to the other servers is not compromised. It also means no application should ever connect as the postgres superuser.

Connecting To The Database Server

If you are on a UNIX-based system (Linux or MacOS), you can connect to the database as the database superuser (called postgres) from the same computer with psql -U postgres -h 127.0.0.1 -p 5432, assuming you exposed it on the default port 5432 (-h 127.0.0.1 forces a TCP connection, which is what the Docker setup publishes). psql prompts for the password you gave the container; keep it off the command line, and for scripts put it in ~/.pgpass with mode 600. Logged in as postgres, you can run the following SQL commands.

Making Schema Details Private-By-Default

By default, every role that can connect to a database may use its public schema (and, before PostgreSQL 15, create tables in it), so objects there are within reach of anyone who can connect. You can revoke this with REVOKE ALL ON SCHEMA public FROM public;. Schema privileges are per database, so run it while connected to each database you want to tighten. Note that it does not hide table definitions: the system catalogs can be read by any role connected to that database.
In SQL, the convention is to write keywords in uppercase and identifiers (table, column and role names) in lowercase. Keywords are case-insensitive and unquoted identifiers are folded to lowercase anyway, so this is purely for readability. Don't forget the semicolon at the end of the command!

Adding A New User And Their Database

You can create a new user with CREATE ROLE alice LOGIN ENCRYPTED PASSWORD 'alice_password';. The ENCRYPTED keyword is accepted for backwards compatibility and changes nothing: passwords have been stored hashed since PostgreSQL 10, with scram-sha-256 the default since 14. Use a long random password, not the one from the Docker command. Typing a password literal into psql also leaves it in ~/.psql_history, so a better habit is CREATE ROLE alice LOGIN; followed by \password alice, which prompts for the password and sends only the hash to the server.
Then create a database owned by that user with CREATE DATABASE alice_db WITH OWNER=alice;.
Finally revoke the default public access to this database with REVOKE ALL ON DATABASE alice_db FROM public;. Every new database grants CONNECT to PUBLIC, meaning every role; this removes it, and alice keeps access as the owner.

Do the same with a second user, say bob, and his database bob_db.

Logging In As A Regular User

Log out from psql with \q, then log in as bob with psql -U bob -h 127.0.0.1 -p 5432 -d bob_db.
Try to connect to alice_db with \c alice_db - this should fail with FATAL: permission denied for database "alice_db", proving database isolation.

Do this for every server you host, and each one's data is reachable only through its own role. The remaining single point of failure is the postgres superuser, so give it a strong password, never put it in an application's config, and keep the port bound to localhost (or reachable only over a firewalled network), as in the Docker setup.
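The whole procedure above, as a script. This is an added example rather than code from the post: it assumes psql is on the PATH, that the admin password is supplied through ~/.pgpass or PGPASSWORD rather than on the command line, and that the server is the one published on 127.0.0.1:5432 by the Docker command; the service and database names are whatever you pass in. What it adds over the manual steps is that names and the password go in as psql variables (:"ident" and :'literal'), which psql quotes itself instead of being pasted into SQL text, and that the isolation check is run and verified rather than eyeballed.

```shell
#!/bin/sh
# Added example, not from the original post. Provision one isolated PostgreSQL
# role and database for a hosted service, then prove another role is refused.
# Assumes: psql on PATH; admin password in ~/.pgpass or PGPASSWORD (never on
# the command line, where `ps` shows it). Host/port match the Docker command
# used elsewhere on this page.
set -u

PGHOST="${PGHOST:-127.0.0.1}"
PGPORT="${PGPORT:-5432}"
PGADMIN="${PGADMIN:-postgres}"

# SQL template. Names and the password are psql variables, expanded by psql
# as :"ident" (quoted identifier) or :'literal' (quoted string), so a service
# name containing quotes or semicolons cannot break out of a statement.
# CREATE DATABASE refuses to run inside a transaction, so the template is
# fed to psql without -1 (each statement commits on its own).
provision_sql() {
  cat <<'EOF'
CREATE ROLE :"svc" LOGIN PASSWORD :'pw';
CREATE DATABASE :"db" WITH OWNER = :"svc";
REVOKE ALL ON DATABASE :"db" FROM PUBLIC;
\connect :"db"
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT ALL ON SCHEMA public TO :"svc";
EOF
}

# Run the template as the admin role. The password travels as a -v variable:
# it never appears in the SQL text or in ~/.psql_history, though it is visible
# to `ps` while psql runs; read it from a 600-mode file, not a script literal.
provision_service() {
  svc="$1"; db="$2"; pw="$3"
  provision_sql | psql -X -q -v ON_ERROR_STOP=1 \
    -h "$PGHOST" -p "$PGPORT" -U "$PGADMIN" -d postgres \
    -v svc="$svc" -v db="$db" -v pw="$pw"
}

# Return 0 if role $1 (password $3) is refused a connection to database $2,
# which is what isolation should produce (FATAL: permission denied for
# database), and 1 if the connection unexpectedly succeeds.
assert_isolated() {
  if PGPASSWORD="$3" psql -X -q -h "$PGHOST" -p "$PGPORT" \
       -U "$1" -d "$2" -c 'SELECT 1' >/dev/null 2>&1; then
    echo "NOT isolated: $1 can connect to $2" >&2
    return 1
  fi
  echo "isolated: $1 cannot connect to $2"
}

# Usage: sh provision_pg.sh <service> <db> <password> [<other-role> <other-pw>]
# e.g.   sh provision_pg.sh alice alice_db "$(cat /root/alice.pw)" bob "$(cat /root/bob.pw)"
if [ $# -ge 3 ]; then
  provision_service "$1" "$2" "$3"
  if [ $# -ge 5 ]; then assert_isolated "$4" "$2" "$5"; fi
fi
```

Run it once per service; the optional fourth and fifth arguments name an already-provisioned role whose connection to the new database must be refused, which is the same check as the manual \c alice_db above but with an exit status you can build on.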


Ubuntu Upgrade Problems

by allsparkinfinite on 2024-09-21

Ubuntu Upgrade Schedule

Canonical - the company that develops Ubuntu - releases two major versions of Ubuntu every year. One in April, another in October. They're numbered as YY.MM, so the latest version available right now is Ubuntu 24.04.
Three out of every four Ubuntu versions (the interim releases) are only supported for 9 months, a little beyond the point where the next version is available.
However, the version released in April of every even year, such as this last 24.04, is called a Long Term Support version, supported for 5 years.

For users that prefer stability over having the latest features, Canonical recommends using LTS versions of Ubuntu, and allows upgrades from one LTS to the next.
Canonical also does not recommend jumping to the newest LTS version as soon as it is released. Major bugs are ironed out in the first point release (the first point release of 24.04 is 24.04.1), and only then is the LTS-to-LTS upgrade offered to existing LTS installs.

Ubuntu is released in different flavours, with each flavour adding its own choice of desktop environment, default applications and settings. Flavours are maintained by the community, and a select few that meet Canonical's quality bar are featured on the official Ubuntu website. The LTS period for these flavours is only 3 years.

Potential Issues With Upgrades

Upgrades can have issues, but you can decline them for as long as you like. A perk of owning your computer! Bear in mind, though, that a release stops receiving security updates once it leaves support, so declining forever has a cost.
Delaying your upgrade by about a month while keeping an eye out for complaints online is always a good idea.

Ubuntu 24.04 continues a controversial practice that began with Firefox in 22.04 and now covers Thunderbird as well: for certain applications, the package in the APT repository is an empty transitional .deb whose install script pulls in the snap instead. Snaps are criticised for slow start-up, heavier resource use, and a store whose server side is proprietary. Doing this silently behind a plain apt install is outright deceptive on Canonical's part.
If you already had such an app installed from a .deb, the forced migration to the snap was one of the things that went wrong in the 24.04.0 release upgrade.

There is another issue, tangentially related to Y2K.
The original Y2K bug was that many programs stored years as two digits, which broke the moment the calendar rolled over to 2000.
Unix systems never used that representation: they count time as the number of seconds since 1970-01-01 00:00:00 UTC, the Unix Epoch. Their problem is different. That count has traditionally been stored as a signed 32-bit integer, whose largest value is 2,147,483,647 (thirty-one 1s in binary). That many seconds after the Epoch is 2038-01-19 03:14:07 UTC; one second later the counter wraps around to a large negative number, which reads as a date in December 1901.
The fix is simply to use a wider integer, a 64-bit time_t. The move from 32-bit to 64-bit processors, driven mostly by the 4 GB RAM limit of 32-bit addressing, took desktops and servers there years ago, but 32-bit builds still exist: Ubuntu 24.04 switched its 32-bit ARM (armhf) build to a 64-bit time_t, which meant rebuilding a large part of the archive and is one more thing the 24.04 upgrade path has to get right.

Actual Issues With 22.04 -> 24.04.1 Updates

According to Canonical, there were critical bugs in the release upgrader itself, which is quite ironic: the software you are upgrading to is fine, but the tool that gets you there is not. Even if the release you are upgrading from is two years old, the upgrade path should have been tested before being offered. Users have reported other issues as well.

Mitigation

Upgrades are currently paused until a fixed upgrader can be released. Even when it ships, have recovery media on hand before you start.

A LiveUSB is the most common type of recovery media: it boots the computer into a working system from the USB stick, from which you can reach and copy off the files on the internal disk. Keeping your home directory on a separate partition also helps: if the OS partition is completely shot, a reinstall can leave your personal data untouched. That is not a backup, though; a failing disk or a mistaken format takes both partitions, so keep a copy somewhere else.


Representation

by allsparkinfinite on 2024-09-14

Representation in fiction is a controversial subject. Women are famously underrepresented in fiction, with various tests designed to reveal the status of female representation in individual movies and the industry as a whole.
Studies show that men feel female representation is equitable when 1 in 4 characters are women. When all you know is privilege, equality feels like oppression.

Then we have blowouts over castings of previously white male characters with actors that are not white male.
This happened with Knuckles the Echidna - who was intentionally inspired by Jamaican culture - when a fan artist depicted him as black. It happened with "black female 007", which was ridiculous considering James Bond was still a white man. If my memory serves, James Bond was fired by MI6 as 007 and replaced with a black female agent, who then ends up being mentored by James Bond anyway.
It also happened with a Harry Potter stage play where a woman of colour was cast as Hermione, whose skin colour was mentioned once in the seven books.
Most recently, it happened with Leah Sava Jeffries - a black girl - being cast as Annabeth Chase in the Percy Jackson TV Series.

The most common arguments are "we shouldn't change existing stories" and "just make new stories with proper representation". As someone who's read loads of fanfiction, I can barely understand why. A story whose plot, setting, or characters are based on another with varying degrees of fidelity is not new to me. There is no rule saying the inspired work must not be made by the creators of the original work.
In addition, the race and genders of characters are rarely, if ever, relevant to the plot, so how does it matter?
In my opinion, plain and simple racism and sexism.

Related: when a character's race is not specified, what is the default race to cast them as? And why is there a default race?

My first exposure to the idea of homosexuality was it being used as an insult. For a while I believed gay people did not exist, and it was just a way to call a man feminine.
Rick Riordan's representation with Nico di Angelo and Alex Fierro was the trigger for me to learn about LGBT+ lives. Representation matters.

The early books in the Percy Jackson series had common hair and eye colours for demigods of each of the Greek Gods. While this was core to my engagement with the universe, it really didn't hold up in later books. With confirmation coming that the TV Series will not have book-accurate hair and eye colours, I still need some time to grieve the loss of that aspect of worldbuilding.
What makes it easy is the fact that I don't want to be associated with racists, who used the same excuse to pile on Annabeth exclusively. Rick Riordan's take on this is that this series is just one of many valid interpretations of the books. The world in my head where hair and eye colours matter is just as valid as the series where they don't matter.

More evidence that outrage over "changing the characters" is rooted in bigotry is that whitewashing is barely protested. Jesus isn't white, the Ancient One from Marvel isn't white, and neither is Steve from Minecraft.

This last one is most revealing, in my opinion. Steve is quite obviously Brown in canon. Minecraft has shot up in popularity lately, and many people see themselves in Steve. Since Steve is so relatable, what is the race people expect him to be cast as in the Minecraft Movie?

I can confidently bet that had they cast an actor of colour as Steve, there would have been backlash.


Sports I'm Into | 2024 Aug Recap

by allsparkinfinite on 2024-09-07

Cricket

India M Tour of Sri Lanka, 1st-3rd ODIs

They kicked our asses, no two ways about it. We tied the first match, but lost the next two by 32 and 110 runs. The third one is a stinger.
We got bowled out every match, and 9 wickets in each match were to spinners - the most in a series.

Sri Lanka W Tour of Ireland, 1st-2nd T20Is, 1st-3rd ODIs

When it comes to women's cricket, Sri Lanka and Ireland seem to be on equal footing. The T20I series was tied one apiece, and Ireland took two narrow victories in the ODI series before getting comprehensively beaten in the third.

South Africa M Tour of West Indies, 1st-2nd Tests, 1st-3rd T20Is

Interesting that a tour has the two extreme forms of cricket - Tests and T20Is - but no ODIs. Usually when they only play two formats, ODI tends to be one of them.
Well, this series was a tale of two halves. West Indies held on for a draw in the first Test, which could've gone either way given more time, and South Africa took a 40-run win in the second. Not a comfortable margin as far as Tests go, but not a close encounter either. West Indies then whitewashed the T20I series with three comfortable wins - by 7 wickets, 30 runs, and 8 wickets.

Sri Lanka M Tour of England, 1st Test

England took a comfortable win. If a first-innings lead of 122 runs for England wasn't evidence enough, England chased the target down with 5 wickets to spare. Sri Lanka's second innings was quite a fightback, though, and they also took three early wickets during England's chase. England did manage to steady the ship and ultimately win by a wide margin, but Sri Lanka will be asking themselves "what if we had taken a couple more wickets?" - that would've sent the last recognised batter home, and all bets are off at that stage.

Bangladesh M Tour of Pakistan, 1st-2nd Tests

Historic. Bangladesh take their first test win against Pakistan, their first series win (and whitewash) against Pakistan, and their first series win and whitewash against Pakistan in Pakistan.
Pakistan might well be kicking themselves for declaring in the first innings, although that would likely have done little for the overall result.

Formula 1

Haas Stuck In Netherlands

Haas used to have a Russian sponsor called Uralkali in 2021 and 2022, whose owner - Dmitri Mazepin - is close to Putin and likely bankrolling Russia's ongoing invasion of Ukraine. His son, Nikita Mazepin, was driving for Haas as part of the sponsorship deal. When Russia invaded Ukraine at the start of 2022, Haas promptly dropped the sponsorship and the driver, holding onto a bunch of Uralkali money without keeping up their end of the deal. They were also unable to transfer money back to the now-frozen Russian bank accounts. Uralkali got in touch with Dutch authorities, who then blocked Haas from leaving the country until they paid back their debt, which they did, and left for the next race on time. How did they pay to frozen accounts? Anybody's guess.

Dutch Grand Prix

Norris bottled his race start, yet again reaching turn 1 in second place after starting on pole. He did manage to take the position back later and went on to win by 20 seconds. Magnussen blocked a bunch of drivers to give his teammate ahead some breathing room, and nearly ended up causing a 5-car crash at the banked final corner.

Williams Swap Sargeant For Colapinto

With Sainz and Albon locked in for Williams next year, there seems to be no reason to do a mid-season driver swap now… until Sargeant had yet another crash, eating into Williams's meagre budget. I suppose this is the last straw for Williams. However, you have to feel for Colapinto, who's getting half a season at Williams and no clue where he will drive next year.


Microsoft Breaks Dual Boot

by allsparkinfinite on 2024-08-31

Secure Boot

Secure Boot is a UEFI firmware feature that every PC manufacturer ships. Before the firmware hands control to a bootloader it checks that the bootloader is signed by a key the firmware trusts, and each stage is expected to verify the next. Because the PC ecosystem is fairly open, the set of trusted software includes many Linux distributions as well. The aim is that only legitimate, unmodified boot code runs before the operating system, so that malware cannot persist below the OS even after the OS itself has been compromised.
Secure Boot has, over time, turned into a patchwork, with multiple vulnerabilities unearthed recently.
Things are complicated by how the keys are handled in practice. The standard is open to every operating system, but most PCs ship trusting only Microsoft's certificates, so Linux distributions boot through a small Microsoft-signed loader (shim) that in turn verifies GRUB and the kernel. That leaves Microsoft, the player most invested in Secure Boot's security and functionality, in the position of revoking other people's boot components.

The GRUB Bootloader

GRUB is the bootloader used by a lot of Linux distributions. People who dual-boot prefer it because it offers a choice between Linux and Windows on every boot. The Windows boot manager only lists entries it has been told about, so out of the box it boots straight into Windows.

A Two-Year-Old Vulnerability In GRUB

GRUB's parser for its own pf2 font files had a heap buffer overflow (CVE-2022-2601, fixed in late 2022). GRUB is loaded only after its signature checks out, so an attacker who can place a crafted font where GRUB reads it (which takes write access to the boot partition or GRUB's configuration, i.e. an already-compromised OS or physical access) gets code execution inside the verified boot chain and can go on to load an unsigned kernel. Preventing exactly that is the point of Secure Boot, so the vulnerable GRUB builds had to be revoked, not just replaced.

What's A Buffer Overflow?

A buffer is a region of memory a program sets aside for some piece of data, such as the glyphs of a font. If the program copies more data into it than it allocated, the excess spills past the end of the buffer into whatever sits next to it in the program's own memory: other variables, heap bookkeeping, return addresses. That is a buffer overflow, and great care is taken to avoid them. On a normal operating system the memory of other processes is out of reach this way, but a bootloader runs with no such protection at all.
A carefully crafted input can therefore overwrite data the program later trusts, such as a function pointer or a return address, letting the attacker redirect execution to code of their choosing. The defence is to check lengths before every copy, and to write such parsers in memory-safe languages where possible.

Microsoft's Fix

Microsoft's monthly update carried a new SBAT policy. SBAT (Secure Boot Advanced Targeting) is the mechanism shim and GRUB use to revoke old versions of boot components without revoking the certificate that signed them: every signed component carries a small table naming itself with a generation number, and shim keeps a policy in a firmware variable (SbatLevel) listing, per component, the lowest generation it will still load. Raising the minimum for grub past the generation of the vulnerable builds stops them loading even though their signatures remain valid, which hardens Secure Boot on machines that still have a vulnerable GRUB installed. Microsoft said the policy would only be applied to devices configured to run Windows alone, so dual-boot devices would be excluded.

In theory.

In practice, there seemed to be no exclusion. In Microsoft's words, "some secondary boot scenarios are causing issues for some customers, including when using outdated Linux loaders with vulnerable code", but that seems like corporate-speak for "we messed up".
I say this because companies tend to downplay the prevalence of any issues with their products with phrasing such as "a small percentage of devices", when they have simply cut corners while testing.

Support forums lit up with complaints from people who had installed the update and could no longer boot into Linux: shim refused to load GRUB, typically with the message "Verifying shim SBAT data failed: Security Policy Violation". It didn't matter which distro they were on; Ubuntu, Debian and Linux Mint were all affected. Some people skipped the update entirely by not booting Windows during the time it was live (no, I'm not showing off).

There were two ways out. One was to turn Secure Boot off in the firmware settings and use the computer like that. For users who cannot accept that loss of protection: temporarily disable Secure Boot, boot into Linux, clear the policy with mokutil --set-sbat-policy delete, reboot once so that shim applies the deletion, then re-enable Secure Boot. The proper long-term fix is to update to a distribution GRUB and shim whose SBAT generation meets the new policy, since that is the state the policy was meant to enforce.
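A way to check, before or after applying that workaround, whether a given GRUB build would be refused by a given SBAT policy. This is an added example and not something from the post or from the GRUB or shim projects: it implements the generation comparison shim performs, over two text inputs, and includes a constructed policy and two constructed .sbat tables to show a refused and an accepted build. The efivars path used to read the live policy is written from memory and labelled as such; mokutil --list-sbat-revocations is the supported way to read it, and objcopy is assumed to be installed for extracting the .sbat section of an EFI binary.

```shell
#!/bin/sh
# Added example, not from the original post (nor from shim/GRUB). Compares the
# generation numbers in a boot component's .sbat table against a SbatLevel
# revocation policy, which is the check shim performs at boot. Assumes the
# formats "component,generation[,...]" per line; mokutil and objcopy are only
# needed for the live mode at the bottom.
set -u

# Policy text ($1) and component .sbat text ($2) are joined with a marker line
# and fed to one awk program. Prints "REVOKED <component> <have> < <min>" for
# every component whose generation is below the policy minimum; returns 1 if
# any line was printed, 0 if the component would be allowed to load.
sbat_check() {
  { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F, '
    $0 == "--"    { in_component = 1; next }
    NF < 2        { next }                      # blank or malformed line
    !in_component { min[$1] = $2 + 0; next }    # policy: component,min_generation
    ($1 in min) && ($2 + 0 < min[$1]) {
      printf "REVOKED %s %d < %d\n", $1, $2, min[$1]
      bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Live inputs. mokutil is the supported interface; the raw efivars file (path
# and GUID written from memory, unverified) carries a 4-byte attribute header.
read_live_policy() {
  if command -v mokutil >/dev/null 2>&1; then
    mokutil --list-sbat-revocations
  else
    tail -c +5 /sys/firmware/efi/efivars/SbatLevel-605dab50-e046-4300-abb6-3dd810dd8b23
  fi
}

# .sbat section of a signed EFI binary, e.g. /boot/efi/EFI/ubuntu/grubx64.efi
read_component_sbat() {
  objcopy -O binary --only-section=.sbat "$1" /dev/stdout
}

# Constructed sample data for a dry run (not captured from a real machine).
SAMPLE_POLICY='sbat,1,2024010900
shim,4
grub,4'
SAMPLE_OLD_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,2,Example Distro,grub2,2.06-1,https://example.org/grub'
SAMPLE_NEW_GRUB='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/'

# Usage: sh sbat_check.sh <path-to-grubx64.efi>   (live check)
#        sh sbat_check.sh --demo                  (constructed samples)
case "${1-}" in
  --demo) sbat_check "$SAMPLE_POLICY" "$SAMPLE_OLD_GRUB" || true
          sbat_check "$SAMPLE_POLICY" "$SAMPLE_NEW_GRUB" && echo "new build: ok" ;;
  "")     ;;
  *)      sbat_check "$(read_live_policy)" "$(read_component_sbat "$1")" ;;
esac
```

With the constructed data, the old build is reported as REVOKED grub 3 < 4 and the new one passes; against a live machine, a non-zero exit before you re-enable Secure Boot tells you the installed GRUB still needs updating.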

This seems to be another sloppy update, right on the heels of CrowdStrike's own sloppy update. That one took out Windows, this one took out Linux.
To Microsoft's credit, it does seem like they phased the update, but I'm not entirely sure if they tested the "exclude all dual-boot systems" logic properly. Shows a blatant disregard for Linux users, in my completely biased opinion.

On a related note, Secure Boot has had other vulnerabilities. One was plain human error: a firmware vendor's test Platform Key, the private key at the top of the Secure Boot trust chain, was leaked in a public GitHub repository and later turned up in hundreds of shipping devices (PKfail). Another, similar in kind to the GRUB bug, is a set of image-parser overflows in the firmware code that draws the boot logo (LogoFAIL).


Tutorial | Docker

by allsparkinfinite on 2024-08-24

Why Docker

Dependency Conflicts

A lot of applications depend on other software, called dependencies or libraries. It can happen that two different apps require different versions of the same dependency. This is called a dependency conflict.
Ubuntu, for one, resolves this by fixing one version of each commonly used library for every Ubuntu release and expecting applications to be built against those versions; they cannot be upgraded until you upgrade the Ubuntu release. Applications that need some uncommon dependency can either take the risk with an external dependency (as they do with APT) or bundle the dependencies with the application itself (as snaps, flatpaks, and AppImages do).

The most common solution to this problem in app development and hosting is a virtual environment: a per-project directory of dependencies that does not touch the system's copies. The list of dependencies lives in a file - Python calls it requirements.txt - and anyone installing the application installs from that list. Pin exact versions in it (and, with pip, hashes via --require-hashes) so that what you tested is what gets deployed.

Security

There is always a risk that an attacker gets to execute arbitrary commands on your computer. The best one can do is to reduce the "attack surface" - the number of components that could be vulnerable - and to have barriers in place so that arbitrary commands cannot do much damage. This is also the motivation behind having a separate user for each server.

Barriers can come in many forms.
The most basic version is a chroot jail - a Unix mechanism that changes a process's idea of where the root directory is, so it cannot name files outside the jail. This is hard to set up, though. I've tried and didn't feel confident. You need to work out which binaries, libraries and device nodes the program needs inside the jail. It is also not much of a security boundary on its own: a process running as root inside a chroot has well-known ways out, and the jail does nothing about the network, the process list or the kernel's interfaces.
At the other extreme are virtual machines - a whole computer running inside your computer, with its own kernel, sharing some of the host's resources. Generally easier to set up, but they take up a lot of extra resources.
A popular middle ground is "containerization", like Docker. A container is a process tree that the kernel has given its own view of the filesystem, process list, network stack and user IDs (namespaces) together with resource limits (cgroups), so it looks like a separate server. All containers share the host kernel, though, so a kernel bug is shared too, and a container is a weaker boundary than a VM.

Docker installation instructions can be found here.
To save space on your root drive and use external storage instead, the Docker data folder can be set in /etc/docker/daemon.json as {"data-root": "/path/to/newlocation"}; restart the Docker daemon afterwards.

An Example Docker Command

docker run --name postgres-container -p 127.0.0.1:5432:5432 -v postgres-volume:/var/lib/postgresql/data -e POSTGRES_PASSWORD=mysecretpassword -d postgres

Terrified

I can explain.

In Docker, an image is a snapshot of working software. A container is a running (or stopped) instance of that image, with its own processes and data. A container running Postgres is created from the image with docker run <options> postgres.
Containers can be allotted names automatically, or we can manually name it "postgres-container" with the --name postgres-container or --name <your-chosen-name> option.
When the container runs, PostgreSQL listens for client connections on port 5432 inside the container. The host machine can be part of multiple networks and have a different IP address on each. The -p 127.0.0.1:5432:5432 (or -p <host-ip-address>:<host-port>:<container-port>) option forwards connections that arrive at the host's 127.0.0.1 (localhost, reachable only from programs on the same computer) on port 5432 to port 5432 of the container. The host address matters: -p 5432:5432 on its own publishes the port on every interface, and because Docker manages its own iptables rules, a host firewall such as ufw will not stop that traffic.
Data written inside a container is hard to reach from other applications and is lost when the container is destroyed. We can allot a volume (storage managed by Docker on the host) called "postgres-volume" and mount it at /var/lib/postgresql/data, the directory where the official image keeps the database, with the -v postgres-volume:/var/lib/postgresql/data or -v <volume-name>:<mount-location> option. Use the image's documented data directory exactly: the image declares that path as a volume, so mounting your named volume at a parent directory leaves the actual data in a separate anonymous volume that a fresh container will not see.
Postgres also requires a password to be set on first start, passed as an environment variable with the -e POSTGRES_PASSWORD=mysecretpassword or -e <ENV_VAR_NAME>=<ENV_VAR_VALUE> option. Anything passed this way ends up in your shell history and in docker inspect output, so for anything beyond a local experiment put the password in a file and point the container at it with POSTGRES_PASSWORD_FILE instead.
Finally, we have the container run in the background with the -d option.
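The same container start-up with the two pitfalls above handled: the password is generated into a file only root can read and handed over with POSTGRES_PASSWORD_FILE, which the official image supports, and the volume is mounted at the image's data directory. This is an added example, not the post's command or anything from the postgres image maintainers; the secret location /etc/postgres-container/postgres_password is an assumption, and the script needs docker on the PATH and root to write there.

```shell
#!/bin/sh
# Added example, not from the original post. Starts the PostgreSQL container
# with the password in a root-only file (POSTGRES_PASSWORD_FILE is supported
# by the official image, whose entrypoint reads it before dropping to the
# postgres user), bound to loopback, with the volume at the image's data
# directory. Assumes docker on PATH; the secret path below is an assumption.
set -u

SECRET_DIR="${SECRET_DIR:-/etc/postgres-container}"   # assumed location

# Print $1 (default 32) random characters from /dev/urandom.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Write a fresh password to file $1 with mode 600 (umask applied in a
# subshell so the caller's umask is untouched). Refuses to overwrite, so a
# running database's password cannot be rotated away by accident.
write_secret_file() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing secret $1" >&2
    return 1
  fi
  ( umask 077; gen_password 32 > "$1" )
}

# Start the container. 127.0.0.1 keeps the port off the network: -p 5432:5432
# alone publishes it on every interface, and Docker's own iptables rules
# bypass host firewalls such as ufw. The official image declares
# /var/lib/postgresql/data as a volume; mounting the named volume anywhere
# else leaves the real data in an anonymous volume a new container won't see.
run_postgres() {
  secret="$1"
  docker run --name postgres-container \
    -p 127.0.0.1:5432:5432 \
    -v postgres-volume:/var/lib/postgresql/data \
    -v "$secret":/run/secrets/postgres_password:ro \
    -e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
    --restart unless-stopped \
    -d postgres
}

# Usage: sudo sh postgres_up.sh up
if [ "${1-}" = "up" ]; then
  mkdir -p "$SECRET_DIR" && chmod 700 "$SECRET_DIR"
  [ -e "$SECRET_DIR/postgres_password" ] || write_secret_file "$SECRET_DIR/postgres_password"
  run_postgres "$SECRET_DIR/postgres_password"
fi
```

The password never appears on a command line or in docker inspect; clients read it from the same file (root) or get their own role, as in the PostgreSQL tutorial, so the admin password stays on the box.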

Container Management

Containers can be stopped with docker container stop <container-name> and started again with docker container start <container-name>, for example after the host reboots. Add --restart unless-stopped to docker run if you want Docker to bring it back up on its own.


Tutorial | Server Administration

by allsparkinfinite on 2024-08-17

When you host server software (one or several) on a server computer, it is not enough to set it up and forget it. Server administration is an ongoing responsibility.
Here are some habits to follow to make it easier on yourself.

Unix User Management

In Unix, each user can be part of multiple groups. Each file is owned by a user and a group. The owning user has some permissions over the file, and so do all members of the owning group. These permissions may not be the same. There are also permissions defined for other users.
Each of the three entities may be permitted to or barred from reading, writing, and executing the file.
This may be represented as a string of the form "rwxrwxrwx". Each "rwx" triplet refers to permission to Read, Write, and eXecute the file, and the three triplets are the permissions held by owner, group, and others respectively. Ungranted permissions are denoted by a hyphen. On a directory, "x" is the permission to enter it and reach the files inside, which is why a private directory is usually "rwx------" or "rwxr-x---". Most files are owned by the user that created them and by that user's primary group, which on Ubuntu is a group with the same name as the user. With Ubuntu's default umask of 002, a new file lets the owner and the group read and write it while others may only read it, making the permissions "rw-rw-r--".
Permissions can also be represented by three digits, one each for owner, group, and others. Read counts as 4, Write as 2, and eXecute as 1; adding them up gives the digit for that class. The above example would be represented as "664". A leading fourth digit encodes the special bits - setuid (4), setgid (2) and sticky (1) - which is why you sometimes see modes like 4755 or 1777.
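The notation above, turned into a small tool. This is an added example, not code from the post: mode_to_octal converts a nine-character permission string to the octal form (including the setuid, setgid and sticky bits, which become a leading fourth digit), and perm_audit runs that conversion over ls -l output to flag the two things an administrator most wants to catch, files writable by everyone and setuid/setgid executables. The listing at the bottom is constructed for the demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post. Symbolic <-> octal mode
# conversion, plus an audit over `ls -l` output for world-writable files and
# setuid/setgid executables. Sample listing is constructed, not real.
set -u

# "rw-rw-r--" -> 664, "rwsr-xr-x" -> 4755, "rwxrwxrwt" -> 1777.
# s/S in the owner or group slot means setuid/setgid (4/2); t/T in the
# others slot means sticky (1). Lowercase means the execute bit is also set.
mode_to_octal() {
  printf '%s\n' "$1" | awk '
    length($0) != 9 { print "bad mode string: " $0 > "/dev/stderr"; exit 1 }
    {
      special = 0; digits = ""
      for (i = 0; i < 3; i++) {
        r = substr($0, 3*i + 1, 1); w = substr($0, 3*i + 2, 1); x = substr($0, 3*i + 3, 1)
        d = (r == "r" ? 4 : 0) + (w == "w" ? 2 : 0)
        if (x == "x" || x == "s" || x == "t") d += 1
        if (x == "s" || x == "S") special += (i == 0 ? 4 : (i == 1 ? 2 : 0))
        if (x == "t" || x == "T") special += (i == 2 ? 1 : 0)
        digits = digits d
      }
      prefix = special ? special : ""
      print prefix digits
    }'
}

# Read `ls -l` lines on stdin. Flags entries writable by "others" (unless the
# sticky bit makes that a shared directory like /tmp) and setuid/setgid
# entries, printing the octal mode alongside. Returns 1 if anything was flagged.
perm_audit() {
  bad=0
  while IFS= read -r line; do
    case "$line" in ''|total*) continue ;; esac
    mode=$(printf '%s' "$line" | cut -c2-10)
    name=${line##* }
    oct=$(mode_to_octal "$mode") || continue
    perms=${oct#"${oct%???}"}          # last three digits: owner, group, others
    others=${perms#??}
    special=${oct%???}                 # leading digit, empty when none
    special=${special:-0}
    if [ $((others & 2)) -ne 0 ] && [ $((special & 1)) -eq 0 ]; then
      echo "WORLD-WRITABLE $name ($oct)"; bad=1
    fi
    if [ $((special & 6)) -ne 0 ]; then
      echo "SETUID/SETGID $name ($oct)"; bad=1
    fi
  done
  return $bad
}

# Constructed sample listing, as `ls -l` would print it.
SAMPLE_LS='total 20
-rw-rw-r-- 1 alice alice  120 Aug 17 10:00 run.sh
-rwxrwxrwx 1 alice alice  800 Aug 17 10:01 upgrade.sh
-rwsr-xr-x 1 root  root  5000 Aug 17 10:02 helper
drwxrwxrwt 2 root  root  4096 Aug 17 10:03 tmp
-rw------- 1 alice alice   40 Aug 17 10:04 secret.env'

# Usage: ls -l /srv/myapp | sh perm_audit.sh --stdin    or    sh perm_audit.sh --demo
case "${1-}" in
  --demo)  printf '%s\n' "$SAMPLE_LS" | perm_audit ;;
  --stdin) perm_audit ;;
esac
```

On the sample, upgrade.sh (777) is flagged as world-writable, which matters because a script the robot user runs is also a script anyone on the box can edit, and helper (4755) as setuid; tmp is skipped because the sticky bit makes its world-writability intentional.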

Unix Services

In Unix, a service (or daemon) is software that runs in the background, without user interaction. The init system - systemd on Ubuntu - can start it at boot, restart it when it crashes, and run it as a particular user. You would want to set this up individually for each of your server software.

"Robot" Users

I recommend creating a dedicated user account for every server software you run, with no login shell and no password. If any of the servers has a vulnerability that allows an attacker to execute arbitrary code, that code runs with only that user's permissions, and strict permission management ensures the damage does not spread to other users' files.
Instructions on how to do so are here.

Scripting

You will be running bash commands to install, run, and upgrade the server software. Collect them into bash scripts so that each process is a single command. Having a run.sh, in particular, makes it easy to autostart your application as the aforementioned robot user, since the service definition only needs to point at it. Keep secrets (database passwords, API keys) out of the scripts themselves; have them read from a file that only the robot user can open.
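The robot user, the run.sh and the autostart, put together for one service. This is an added example, not the post's own setup or anything from the systemd project: it creates a system account with no shell, gives it /srv/<service> with mode 750, and writes a systemd unit that runs run.sh as that account with the rest of the filesystem read-only. The service name, the /srv layout and the choice of hardening directives are assumptions; the script needs root and an Ubuntu-style host with useradd and systemctl.

```shell
#!/bin/sh
# Added example, not from the original post. One robot user + one hardened
# systemd unit per server program. Assumes an Ubuntu-style host (useradd,
# systemctl), a run.sh in the service directory, and root to run install_service.
# The /srv/<service> layout and the hardening directives are the author's choices.
set -u

# Print a unit file for service $1, run as user $2 from directory $3.
render_unit() {
  svc="$1"; user="$2"; dir="$3"
  cat <<EOF
[Unit]
Description=$svc
After=network-online.target
Wants=network-online.target

[Service]
User=$user
Group=$user
WorkingDirectory=$dir
ExecStart=$dir/run.sh
Restart=on-failure
RestartSec=5
# stdout/stderr go to the journal: read them with  journalctl -u $svc
SyslogIdentifier=$svc
# Cannot gain privileges via setuid binaries; /usr, /etc, /boot read-only;
# other users' homes invisible; private /tmp; only its own directory writable.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=$dir

[Install]
WantedBy=multi-user.target
EOF
}

# Create the robot account (no password, no login shell; `useradd --system`
# also creates a same-named group on Ubuntu) and its directory, owned by
# the account and closed to everyone else (750).
create_robot_user() {
  user="$1"; dir="$2"
  id "$user" >/dev/null 2>&1 || \
    useradd --system --home-dir "$dir" --shell /usr/sbin/nologin "$user"
  install -d -o "$user" -g "$user" -m 750 "$dir"
}

# Install and start service $1 from /srv/$1 (run.sh must already be there and
# executable). Secrets the program needs belong in that directory with mode
# 600, owned by the robot user, not inside run.sh, which you will commit to git.
install_service() {
  svc="$1"; dir="/srv/$svc"
  create_robot_user "$svc" "$dir"
  render_unit "$svc" "$svc" "$dir" > "/etc/systemd/system/$svc.service"
  chmod 644 "/etc/systemd/system/$svc.service"
  systemctl daemon-reload
  systemctl enable --now "$svc"
}

# Usage: sudo sh install_service.sh myapp
if [ $# -eq 1 ]; then install_service "$1"; fi
```

If the program needs to write somewhere other than its own directory (a cache under /var, say), add that path to ReadWritePaths rather than loosening ProtectSystem; systemd refuses the write otherwise, which shows up in journalctl -u <service> as a permission error.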

Source Code Management

Even if you are not developing the server software yourself, I recommend using a Source Code Management (SCM) tool (the overwhelmingly popular choice being git) just to store your install.sh, run.sh, and upgrade.sh scripts. That way, you can store your code in a hub for SCM (like GitHub) and reuse it. Never commit the secrets those scripts read, and treat anything that was ever pushed to a public repository as compromised even after it is deleted.

If you are developing the server software yourself, and not using an SCM tool, it better be because you're new to software development. Using an SCM tool helps you know which version of your software is ready for the public (called production), which is the version in its final stages of testing (called staging or release candidates), and which are the versions which are being currently modified to fix bugs or add features (called development).
Having a staging environment is invaluable for avoiding a mistake like CrowdStrike did, ensuring the update from the previous production version to the next planned production version can be done smoothly.

Logs

Logs are a useful tool for an administrator. Whenever software crashes, it outputs some error message, usually to the terminal. For background services, that output has to be captured: either redirect it to a log file or let the init system collect it (systemd stores it in the journal, read with journalctl -u <service>). This way you can go through the logs when you encounter an issue and trace it back.
If you are a developer, logging at the entry and exit of every significant function will help you greatly. Keep passwords, tokens and session cookies out of the logs, though; a readable log file should not be a second copy of your secrets.


CrowdStrike Lives Up To Its Name, Strikes An Entire Crowd Of Users

by allsparkinfinite on 2024-08-10

At first, the recent massive enterprise Windows outage made me proud I was a Linux user. However, as I learnt more details, I realised this could happen to anyone. It wasn't Microsoft's mistake, but a mistake made by the security company CrowdStrike.

The Background

Corporations are understandably obsessed with security on their employees' work computers. They could lose user passwords, trade secrets, and many other kinds of sensitive information.

CrowdStrike is a company that provides this kind of security to lots of companies worldwide. Its product is an endpoint detection and response agent: think of an antivirus with far more reach, installed as a driver at the very core of the system (the kernel), where a bug takes down the whole machine rather than one program. Microsoft, obviously, doesn't take this lightly, and requires kernel drivers to be tested and signed through its certification programme before Windows will load them.
The problem here is that CrowdStrike wants to push updates out rapidly to respond to any new kinds of malware, because rapid response is also very critical to cybersecurity.

The compromise they came up with is that the core functionality lives in the kernel driver, which is updated with great care, while separate content files describing what to look for are merely read by that driver and can be refreshed as soon as CrowdStrike publishes them.
This division of responsibilities turned out to be incomplete: a mistake in a file of the second type caused computers to fail at start-up, because the driver that reads those files could be crashed by their contents.

What Was The Issue?

The exact mistake was that a new content file defined a template with 21 input fields, while the code in the kernel driver that interprets such files supplied only 20. Reading the 21st field went past the end of the supplied data, an out-of-bounds memory read. There was no bounds check to catch it, so the driver faulted, and a fault in kernel mode takes the whole kernel down with it.

The fix was simple. A corrected file was published promptly, and users just had to boot into Safe Mode, delete the offending file, and reboot, after which the corrected file was downloaded.
The only issue being that most corporate employees cannot do that on their work computers: Safe Mode on an encrypted disk asks for the BitLocker recovery key, which IT holds, so the IT department had to reach every single machine by hand.

This issue also struck many virtual machines, but those were much easier to fix: a VM's disk can be attached to another machine to delete the file, or the VM rebuilt from an image, without anyone walking to a desk.

A lot of games demand kernel-level anti-cheat software to be installed. This incident raises concerns about that as well. It is one thing to risk bricking corporate computers in the interest of security, and another to risk bricking personal computers just because the user wants to relax.

How Can We Avoid This?

The incident also highlighted some operational shortcomings with Crowdstrike's processes.
Obviously, a glaring error such as this should've been caught in QA, which it was not. Likely because they modified multiple files during development and QA, but only published a subset.
This also shows that they didn't have a suite of test machines dedicated to running release candidates: no in-development code, only the step from one public release to the next, approximating what a customer's computer would do.
And a final mitigating strategy would've been phased releases, which is actually quite common in the software world. Phased releases means that you don't let every user get the update at the same time - a small group gets an update first, and if it seems that there are no issues, the update is made available to progressively larger and larger groups.


Sports I'm Into | 2024 Jul Recap

by allsparkinfinite on 2024-08-03

Cricket

India M Tour of Zimbabwe, 1st - 5th T20Is

Wow, Zimbabwe took a game!

India M Tour of Sri Lanka, 1st - 3rd T20Is

A straight win, a DLS win, and a super over win.

South Africa W Tour of India, Only Test, 1st to 3rd T20Is

Shefali Verma, take a bow for that record breaking performance!
The T20Is were shared equally among the hosts, visitors, and rain.

Formula 1

British Grand Prix

LEWIS HAMILTON WINS! A rare (in recent times) masterclass in strategy from Mercedes, switching to intermediate tyres and then back to slicks on the correct lap each time.

Hungarian Grand Prix

Somehow, McLaren messes up while getting maximum points. Norris started on pole, Piastri overtook him on lap 1 turn 1, and seemed to be controlling the race. For the second pit stop, McLaren pitted Norris early, unnecessarily attempting to cover off Hamilton, and then pitted Piastri two laps later. This gave Norris a massive undercut on Piastri, whose inferior tyre management meant he couldn't catch up to Norris… until McLaren realised they just cheated Piastri out of his maiden F1 victory, and then begged Norris to let Piastri win.
Warning: heavy bias ahead
Verstappen had a terrible race himself, the car being unresponsive. He made an illegal overtake at the start and pretended he was forced to. His team advised him to return the position. Later, he said Hamilton ran him out of room, did not have the investigation go his way, and promised to race like that from then on. As if he hadn't been racing like that till now. He then went for an ambitious move on Hamilton and got some air time, somehow not needing to retire. He was annoyed about being undercut, but the irony is that if he had exercised some patience, he could've easily overtaken Hamilton on a massive overcut. But I guess he still doesn't know how to race fairly.

Ocon To Haas

Feels like a downgrade to me, but good for Haas, I think?

Belgian Grand Prix

Russell did a magnificent one-stop to win, but got disqualified for an underweight car. Considering how fine the winning margin was, I have no doubt the violation was a factor in the win.

Sainz To Williams

They're on the rise, and they have two really good appendix-less drivers now! Although I hoped it was Mercedes for him.

Formula E

London E-Prix

Race 1

Cassidy messed up qualifying, allowing Wehrlein to win and take the lead in the Drivers' Championship. He then had equipment trouble with his Attack Mode activations. Dennis had a scrappy race, acting as if, whenever he was alongside a driver, the other driver was supposed to give up the position. Frijns got put into the wall by him, and then Vergne put him into the wall. Interestingly, Vergne himself made that mistake when he got put into the wall by Daruvala. Guenther looked ready for a podium but retired with a gearbox failure.

Race 2

Winner takes all. Cassidy started on pole. Dennis puts Mortara into the wall on a straight, but this time it was unintentional. The Jaguars of Evans and Cassidy in the top two positions attempt to work together to baulk Wehrlein in third. They let each other take their first Attack Mode activations without losing position. The second time around, Evans doesn't give Cassidy enough of a gap, dropping him to third, behind Wehrlein, after taking his final Attack. He's still in the net race lead, because Evans and Wehrlein will drop back when they take their respective Attack activations. But racing in the pack makes you prone to incidents, and it is Wehrlein's teammate da Costa whose ambitious divebomb puts Cassidy out of the race. I don't see how that was not intentional. Rowland has a scare about the lap counter. Evans then misses yet another Attack activation, allowing Wehrlein to win the race and the title. Jaguar take the Teams' and Manufacturers' titles.


Explainer | Components of a Server

by allsparkinfinite on 2024-07-27

What Else is in Server Software?

We looked at how the server sends static content to the browser, and how all the magic related to that is performed in the browser.
But the JavaScript also makes some requests to the server to populate the page, and that contains some server-side magic.

REST API

API stands for Application Programming Interface. It is how Software A can utilize the functionality of Software B. The developers of Software B, after coding all the magic they want it to perform, also implement some interfaces. These interfaces are intended to make it easy for Software A to offload some processing to Software B.

REST stands for REpresentational State Transfer. It is the standard API format for two pieces of software to communicate over the internet. Software B, in this case, would be a server software, called a server for short in this context. Software A could be your browser, but it could also be any other app that just uses APIs from a small set of servers. In this context, Software A is called a client.
Every time the client wants some processing done by the server (Software B), it has to send some data (called a request) and wait to receive the processed data (called the response). This whole process is called an API call.

The structures of requests and responses are very similar. They both contain:

The request contains some extra information:

The response also contains a status code, the most common of which is "200 OK" but the most well known is "404 Not Found".
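One API call in full, as an added example (not code from the post): a request and a response share the same shape, a first line, header lines, a blank line and an optional body, and the response's first line carries the status code. The `/users/<id>` route, the sample request and the single user record are constructed for the demo.

```python
"""What a REST-style request and response look like on the wire.

Added example, not the post's code. The route (/users/<id>), the sample
request and the user record are constructed for the demo."""
import json
from typing import Dict


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    Requests and responses share this shape: a first line, header lines,
    a blank line, then an optional body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def build_response(status: int, reason: str, body: dict) -> bytes:
    """A response: status line, headers, blank line, JSON body."""
    payload = json.dumps(body).encode("utf-8")
    head = (
        f"HTTP/1.1 {status} {reason}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


# Constructed data the server (Software B) holds on behalf of clients.
USERS = {"42": {"id": 42, "name": "alice"}}


def handle(raw: bytes) -> bytes:
    """One API call: read the request, do the server-side work, answer."""
    req = parse_request(raw)
    if req["method"] != "GET":
        return build_response(405, "Method Not Allowed", {"error": "GET only"})
    path = str(req["path"])
    if path.startswith("/users/"):
        user = USERS.get(path[len("/users/"):])
        if user is not None:
            return build_response(200, "OK", user)
        return build_response(404, "Not Found", {"error": "no such user"})
    return build_response(404, "Not Found", {"error": "unknown route"})


def status_of(response: bytes) -> int:
    """Pull the numeric status code out of a response's first line."""
    return int(response.split(b" ", 2)[1])


def body_of(response: bytes) -> dict:
    """Decode the JSON body that follows the blank line."""
    return json.loads(response.split(b"\r\n\r\n", 1)[1])


# Constructed sample request, exactly as a client would send it.
SAMPLE_REQUEST = (
    b"GET /users/42 HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Accept: application/json\r\n"
    b"\r\n"
)
```

Feeding `SAMPLE_REQUEST` to `handle` yields a `200 OK` with the user as JSON; asking for an id the server does not hold yields `404 Not Found`, and a method the route does not support yields `405`.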

Database

A database is a piece of software which stores data in such a way that reading and writing is very efficient. This data is often limited to text, numbers, and dates. Some extra data types are sometimes provided, but they are often simple extensions of the pre-existing data types.
Other complicated types of data (such as files) are stored in bulk storage, with some of their metadata and their location stored in the database for easy lookup.

Most databases are set up to store their files in a dedicated folder, and access to the database is through an API. Some databases just store data in a file and leave the reading and writing up to the software that accesses it.

Relational Databases

These store data in tables, with entries in some columns referring to rows in another table. These relations can get quite messy for complex data. Structured Query Language, or SQL, is the language used to access data in relational databases.

Key-Value Databases

These store data in "documents", where a document is just a list of labels (known as keys), and some data associated with that label (known as values). A value can be an entire document by itself, creating a structure not unlike folders and files in a computer.
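Both shapes side by side, as an added example (not the post's code): a relational store where `posts.user_id` refers to a row in `users`, queried with a JOIN, beside the same data kept as nested key-value documents. The tables, documents and names are constructed for the demo. The SQL query takes the user name as a bound parameter rather than pasting it into the query string, so input from a client cannot change the query's structure.

```python
"""Relational tables with a foreign key beside a key-value document store.

Added example, not the post's code. The tables, documents and names are
constructed for the demo."""
import sqlite3
from typing import Any, Dict, List


def build_relational_store() -> sqlite3.Connection:
    """Two tables: posts.user_id refers to a row in users (the 'relation')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)")
    conn.execute(
        "CREATE TABLE posts ("
        "  id INTEGER PRIMARY KEY,"
        "  user_id INTEGER NOT NULL REFERENCES users(id),"
        "  body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(10, 1, "hello"), (11, 1, "second post"), (12, 2, "hi")],
    )
    conn.commit()
    return conn


def posts_by_user(conn: sqlite3.Connection, name: str) -> List[str]:
    """Follow the relation with a JOIN. The name is a bound parameter, never
    pasted into the SQL string, so client input cannot alter the query."""
    rows = conn.execute(
        "SELECT p.body FROM posts p JOIN users u ON u.id = p.user_id "
        "WHERE u.name = ? ORDER BY p.id",
        (name,),
    ).fetchall()
    return [body for (body,) in rows]


def orphan_post_rejected(conn: sqlite3.Connection) -> bool:
    """A post pointing at a user that does not exist violates the relation."""
    try:
        conn.execute("INSERT INTO posts VALUES (?, ?, ?)", (99, 999, "ghost"))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    return False


# Key-value / document view of the same data: labels mapping to values,
# where a value may itself be a document (nested like folders and files).
DOCUMENTS: Dict[str, Any] = {
    "users": {
        "alice": {"id": 1, "posts": ["hello", "second post"]},
        "bob": {"id": 2, "posts": ["hi"]},
    }
}


def lookup(doc: Dict[str, Any], path: str) -> Any:
    """Walk a slash-separated key path, e.g. 'users/alice/posts'."""
    node: Any = doc
    for key in path.strip("/").split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node
```

The relational side enforces the link between tables (inserting a post for a user id that does not exist fails), while the document side gives fast path lookups with no schema to enforce.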


Explainer | Components of a Web Page

by allsparkinfinite on 2024-07-20

What's In A Web Page?

Web pages need to have some content in them. Optionally, they need to be styled, although that's not so optional these days. Even more optionally (and also not very optional these days) is that they should be able to modify themselves without having to reload the page.

This is all static content. Since this is to do with files that are processed by the browser, it is called "frontend development".

Let's take a look at the components that enable this.

HTML: Hyper Text Markup Language

HTML is a markup language - a kind of computer language used to format text and make it look good. The formatting is specified using text. A simple markup language is used in instant messaging apps like WhatsApp and Discord, where you use asterisks and underscores to make text italic or bold.
HTML is more complicated than that, with more formatting options like:
- Telling the browser what icon to use
- Telling the browser what to name the tab
- Inserting links and images
- Forms where user input can be sent to a server

HTML documents are arranged hierarchically. This may not be the most logical way to arrange it, given that other markup languages like Markdown do not require hierarchy, but it might've seemed sensible at the time HTML was being codified. And with CSS and JS, the hierarchical nature is a massive plus.

CSS: Cascading Style Sheets

CSS tells a web page how it should look. Specifically, it can tell each section defined in the HTML how it should look. Text colour, background colour, font, margins, and even the positioning of the section are dictated by CSS. If two sections of the HTML document have the same hierarchy within them, CSS will format them similarly. Clever use of CSS can result in some pretty (as in "rather") pretty (as in "beautiful") webpages that respond to scrolling and mouse movements in unexpected ways.
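The hierarchy point, as an added example in Python (not the post's code, and not a browser engine): the standard-library HTML parser is used to build a tree of elements, and a CSS descendant selector such as `article p` is matched by walking up each element's ancestors. The sample page is constructed; the two paragraphs inside `<article>` sit at the same place in the hierarchy and so both match, while the paragraph in `<footer>` does not.

```python
"""Build a tree from HTML and match a descendant selector against it.

Added illustration of why HTML's hierarchy matters to CSS; it uses the
standard library parser, not a browser engine. The sample page is constructed."""
from html.parser import HTMLParser
from typing import Iterator, List, Optional


class Node:
    def __init__(self, tag: str, parent: Optional["Node"] = None, attrs=None):
        self.tag = tag
        self.parent = parent
        self.attrs = dict(attrs or [])
        self.children: List["Node"] = []
        self.text = ""


class TreeBuilder(HTMLParser):
    """Turn start/end tag events into parent/child links."""
    VOID = {"br", "img", "link", "meta", "hr", "input"}  # never have a closing tag

    def __init__(self):
        super().__init__()
        self.root = Node("#document")
        self.current = self.root

    def handle_starttag(self, tag, attrs):
        node = Node(tag, self.current, attrs)
        self.current.children.append(node)
        if tag not in self.VOID:
            self.current = node

    def handle_endtag(self, tag):
        # Climb to the nearest open element with this tag (tolerates sloppy markup).
        node = self.current
        while node is not self.root and node.tag != tag:
            node = node.parent
        if node is not self.root:
            self.current = node.parent

    def handle_data(self, data):
        self.current.text += data


def parse_html(markup: str) -> Node:
    builder = TreeBuilder()
    builder.feed(markup)
    builder.close()
    return builder.root


def walk(node: Node) -> Iterator[Node]:
    yield node
    for child in node.children:
        yield from walk(child)


def matches(node: Node, selector: str) -> bool:
    """CSS descendant selector, e.g. 'article p': the node's tag is the last
    token and each earlier token appears among its ancestors, in order."""
    tokens = selector.split()
    if node.tag != tokens[-1]:
        return False
    wanted = tokens[:-1]
    ancestor = node.parent
    while wanted and ancestor is not None:
        if ancestor.tag == wanted[-1]:
            wanted.pop()
        ancestor = ancestor.parent
    return not wanted


def select(root: Node, selector: str) -> List[Node]:
    return [n for n in walk(root) if matches(n, selector)]


# Constructed sample page.
SAMPLE_HTML = """<html><head><title>Demo</title></head>
<body><article><h1>Post</h1><p>first</p><p>second</p></article>
<footer><p>contact</p></footer></body></html>"""
```

`select(parse_html(SAMPLE_HTML), "article p")` returns the two article paragraphs and nothing else, which is exactly the set a stylesheet rule for `article p` would style.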

JS: JavaScript

Some of you have heard of the programming language Java. JavaScript is completely unrelated. The technical name is ECMAScript but no one calls it that. JavaScript is also famously inconsistent. Ask any JavaScript developer what they think of it and they will have no shortage of abuse to hurl at the language.
And yet, it is the most popular language to write webpages in. And in some cases, even server software!

Okay enough ranting, on to what JS actually does. It is a programming language and does everything you expect a programming language to do. Math, string manipulation, library imports, the full Turing Complete gamut. What is special about it is that it has access to HTML and CSS components, and can overwrite them.
What this means is that JavaScript can be used to update webpages without refreshing them. Content and style can be changed on the fly by the browser, without needing any extra information from the server.

Okay, that's a bit of a stretch, but I will explain.

How These Pieces Fit Together In A Standard Web Page

The initial HTML file that the browser receives contains just a skeleton for what the web page is supposed to look like, along with a bunch of JavaScript code tasked with filling in the information. Often, even the template itself has to be loaded in first by the JavaScript. Stylesheets may or may not be included.
The JavaScript code then requests the server for whatever information the page is meant to have, and fills in the information as it is received.
Later, the user takes an action. Instead of reloading the whole page, the code simply updates the relevant portion of the page. This reduces loading times and server workload: the server only has to send the minimal data required for the new view, and the browser does the job of updating the page.


What is Self Hosting? | Part 3: Web Servers

by allsparkinfinite on 2024-07-13

Ports

A request from the browser hits a computer, where the server software does its magic and sends back a response.
What if we wanted two pieces of server software running on the same computer?

This is where ports come in. A request can specify a port number, with different server software listening on different ports. This allows requests to be routed to multiple server programs within a single computer.

HTTP and HTTPS Ports

There is a convention in modern computer networking that all secure connections (HTTPS) are only made on port 443, while the little handshake (HTTP) required to set up the secure connection is performed on port 80. This is secure, but brings back the problem of wanting multiple software on a single computer.

Reverse Proxy

A reverse proxy is a piece of server software that listens on ports 80 and 443, looks at the host name in the request, and selects which port to forward that request to. Technically it can forward the request to a different computer as well, but let's not bother with that right now.
There are a few reverse proxies we can use, like NGINX, Apache, and HAProxy. NGINX comes bundled with Ubuntu by default, so I am using it and will be talking about it. Most of the information should apply to the other reverse proxies as well.
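The selection step a reverse proxy performs, as an added example in Python rather than an NGINX configuration (it is not NGINX's code; the host names and backend ports are assumed). It picks the backend port from the request's Host header, refuses to guess when the name is unknown, and, when it rewrites the request for the backend, drops any `X-Forwarded-*` headers the client sent before adding its own, so a backend that trusts those headers only ever sees values the proxy set:

```python
"""Host-based routing and header hygiene for a reverse proxy.

Added example of the selection step, written in Python rather than taken
from NGINX; the hostnames and backend ports are assumed."""
from typing import Dict, List, Optional, Tuple

# Constructed routing table: request Host header -> local port of the backend.
UPSTREAMS: Dict[str, int] = {
    "cloud.example.test": 8080,
    "blog.example.test": 8081,
}

# Headers only the proxy may set; any copy sent by the client is dropped so a
# backend that trusts them cannot be fed a forged client address or scheme.
PROXY_OWNED = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host"}


def split_request(raw: bytes) -> Tuple[str, List[str], bytes]:
    """Request line, header lines, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    return lines[0], lines[1:], body


def host_header(header_lines: List[str]) -> Optional[str]:
    """The Host value, lower-cased, with any explicit port removed."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            if host and not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host or None
    return None


def choose_upstream(raw: bytes, upstreams: Dict[str, int] = UPSTREAMS) -> Optional[int]:
    """Backend port for the request's Host, or None when the name is unknown or
    missing (answer with an error rather than forward to a default backend)."""
    _, headers, _ = split_request(raw)
    host = host_header(headers)
    return upstreams.get(host) if host else None


def forward_request(raw: bytes, client_ip: str, scheme: str,
                    upstreams: Dict[str, int] = UPSTREAMS) -> Optional[Tuple[int, bytes]]:
    """Rewrite the request for the backend: keep the request line and headers,
    strip client-supplied proxy headers, then append the proxy's own."""
    port = choose_upstream(raw, upstreams)
    if port is None:
        return None
    request_line, headers, body = split_request(raw)
    kept = [h for h in headers
            if h.partition(":")[0].strip().lower() not in PROXY_OWNED]
    kept.append(f"X-Forwarded-For: {client_ip}")
    kept.append(f"X-Forwarded-Proto: {scheme}")
    new_head = "\r\n".join([request_line] + kept) + "\r\n\r\n"
    return port, new_head.encode("ascii") + body
```

`X-Forwarded-Proto` is how a backend that has been told "someone else handles the security of this connection" still learns whether the client arrived over HTTPS.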

Static Content

Some actions on the internet require the server to process some information. For example, clicking on someone's profile to see their latest posts. The server has to look up the data in the database and return it to you.
Other actions need no such processing. Getting the logo of a website is such an example. Serving up static content is made easy with NGINX and alternatives - just place all the static files in a folder and organise them in the same way that they would be referred to in URLs. For example, logos could go in static/logos, fonts could go in static/fonts, and so on.
Then, just tell NGINX (or alternative) to serve this folder on a certain address. When you do this, NGINX does not forward the request to another server - it just reads the file at the requested location and sends it back.

It is often recommended to keep as much of a website's content static as possible, because static content is a lot harder to hack than dynamic content.
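The "read the file at the requested location" step, as an added example in Python (not NGINX's code): the URL path is mapped onto the static folder, and the one check that keeps static serving safe is that the resolved file must still lie inside that folder. The demo builds a throwaway `static/` folder with `logos/` and `fonts/` subfolders following the layout in the post, plus a file outside it; the file names are constructed.

```python
"""Safe mapping of a URL path onto a file in a static folder.

Added example, not NGINX's code. It builds a throwaway static folder so it
runs offline; the logos/ and fonts/ layout follows the post, and the file
names are constructed."""
import mimetypes
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote


def make_demo_root() -> Path:
    """Create <tmp>/static with a couple of files plus a 'secret' outside it."""
    base = Path(tempfile.mkdtemp())
    static = base / "static"
    (static / "logos").mkdir(parents=True)
    (static / "fonts").mkdir()
    (static / "logos" / "site.png").write_bytes(b"\x89PNG demo")
    (static / "fonts" / "body.woff2").write_bytes(b"wOF2 demo")
    (base / "secret.txt").write_text("not for the web")
    return static


def resolve_static(root: Path, url_path: str) -> Optional[Path]:
    """Map /logos/site.png to root/logos/site.png.

    Returns None for anything that is not a regular file inside root: '..'
    segments, percent-encoded dots, absolute paths, directories, and symlinks
    that point outside root (resolve() follows them before the containment check)."""
    root = root.resolve()
    rel = unquote(url_path.split("?", 1)[0]).lstrip("/")
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def serve(root: Path, url_path: str) -> Tuple[int, str, bytes]:
    """Return (status, content-type, body) the way a static file handler would."""
    path = resolve_static(root, url_path)
    if path is None:
        return 404, "text/plain", b"not found"
    ctype = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    return 200, ctype, path.read_bytes()
```

Everything outside the folder, including `secret.txt` one level up, is simply not reachable through the handler, which is what makes a static folder so much smaller a target than a handler that runs code per request.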

SSL Termination

SSL is the algorithm with which network connections are encrypted. The way it works is that the client and the server both have a pair of public and private keys. A message encrypted with a public key can only be decrypted with its corresponding private key, and vice versa. Every request is signed with the sender's private key (so that decryption with the public key verifies identity) as well as with the receiver's public key (so that only the receiver can decrypt it with their private key).

Some hostable server software, like Nextcloud, allow you to specify two different ports for HTTP and HTTPS. However, they also allow you to set an option that says "a different server is handling the security of this connection, so please just work with unencrypted data and don't worry about encryption". That different server is NGINX.

If NGINX is simply forwarding a request to another port in the same physical device, there is no security risk to letting unencrypted data flow within the device. Allowing NGINX to handle SSL gives you a common place to keep an eye on your keys and update them periodically. You can even give different servers the same keys if you want, especially if you're paying for your keys.


Sports I'm Into | 2024 Jun Recap

by allsparkinfinite on 2024-07-06

Cricket

ICC Men's T20 WC

Oh. My. Lord. After the CWC heartbreak from last year, I had no hope. I wasn't even watching the match, I couldn't deal with the disappointment in addition to the nagging feeling that I always jinx the team I support. Competitive sport is a breeding ground for superstition. I was playing a multiplayer game online with my friend, and keeping tabs on the score in the breaks between rounds. India seems to have snatched victory from the jaws of defeat.
Although there is something to be said about how India knew they were going to play the second semifinal regardless of where they finished in the table, because it was decided by scheduling reasons.

USA's reporting on the scores (USA beat Canada 197-194) was simultaneously technically correct and vomit-inducing.

WI Women Tour of SL, 1st - 3rd ODIs

Comfortable clean sweep for the hosts

SA Women in Ind, 1st-3rd ODIs

Clean sweep for the hosts, with South Africa nearly taking the second match.

NZ Women Tour of Eng, 1st - 2nd ODIs

Two comfortable wins for England, looking like another host clean sweep.

SL U19 Men Tour of Eng, 1st ODI

The hosts take a massive loss here, and Sri Lanka can feel confident going into the next couple of games.

Formula 1

Canadian Grand Prix

Verstappen and Russell set identical laptimes for pole position. Russell took pole since he set his time first.
Ferrari's double DNF broke Tifosi hearts, this time not really the team's fault. Although the heartbroken Tifosi aren't always the best at seeing that, and neither are Ferrari's detractors.
Sergio Perez had a crash and drove to the pits under his own power, with his rear wing about to fall off. That was a no-no, and he was given a 3-place grid penalty for driving the car in an unsafe condition.

Spanish Grand Prix

Norris takes pole. Bottles it. Verstappen wins. Hamilton podium. Good run of form for Hamilton, Norris seems to mess up a lot.

Austrian Grand Prix

Verstappen won the Sprint, closely followed by the McLarens. In the main race, he led for a fair bit, but Norris caught up in the later stages of the race and they collided. Russell was there to pick up the pieces, and won the race.
Verstappen raced unfairly through this battle, moving late and running Norris off the track corner after corner. And in the end, Norris retired while Verstappen picked up 7 points, why wouldn't he keep driving like this? It's the best thing to do for the title battle.

Formula E

Portland E-Prix

We went into the penultimate race weekend - and the penultimate double header - of the season with Cassidy having a chance to take the title. His closest competitors were 25 and 35 points away, and there would be 58 points on offer on each of the final two race weekends of the season.

What did happen, however, was that he failed to place in the points in either race. With Wehrlein having mediocre results himself, and Evans doing reasonably well for himself, the two left the weekend 12 points behind Cassidy.

In Race 1, Cassidy moves up from 10th on the grid to lead the race in the final stages. Evans gets a farcical 5 second penalty (which may be nothing in F1, but it's a lifetime in FE) through no fault of his own, and is running second near the end. There were no team orders between these two Jaguar teammates, and Evans was hassling Cassidy for the lead. Cassidy, under pressure, loses the car on the final lap and throws away not just the victory, but all his points.

In Race 2, a multi-car collision put Cassidy out of the points. Wehrlein had a moment where his front wing got lodged under his front wheels, but it ultimately came off and he was able to continue.

The final weekend will be amazing to watch, with Formula E's unofficial tagline being "anything can happen and it usually does".


What is Self Hosting? | Part 2: Machines

by allsparkinfinite on 2024-06-29

What Is A Server?

A server is a computer that runs software that serves up content on request. The hardware and software components of it are called, unsurprisingly, "server hardware" and "server software" when we want to be specific. Each piece of server hardware can host multiple pieces of server software.
We all know on some level that servers are a thing. Most of us are probably only consciously aware of the servers' existence when they go down and the website or app they serve is unusable.

People that play multiplayer games will have heard of servers. Some games, like Genshin Impact or Paladins, have servers in different geographic locations, so that you have a smooth, low-latency (aka low-ping) connection to the server, each server containing multiple instances of the game for players to play separately. Other games, like Minecraft, have one instance of the game per server.

Those that have played a game with dedicated server software will know that any computer can be the server hardware. For example, to run a Minecraft game that you can play together with others in the same local network, one would download the server software onto their computer, change whatever settings they want in the properties file, start the server software, and then connect to it using the Minecraft game.
The software that connects to the server - the Minecraft game in this case - is called a client.

Can I Have A Server?

Yes, just go grab a computer! Download and run whatever server software you want on it!

Okay But Can I Have A Server That's Always Online?

Fair question.
First you have to find a computer that's always online. If that's your desktop computer, it could be considered a waste of electricity, but who am I to judge? If it's an old laptop that's perpetually plugged in, sounds great. If you use an old phone perpetually plugged in running Termux, that is… why are you even reading this? Come help me write!

But let's look at some more common options.

Cloud Computing

You can go to a cloud service provider like Amazon, Google or Oracle (Oracle has a decent free tier btw) and create a machine.
The only hardware detail to keep in mind is CPU architecture. There are two types - x86_64 (sometimes lazily written as x86 or referred to as Intel) and aarch64 (sometimes written as arm64). These are two different types of CPUs, the former being optimised for performance and the second for power efficiency. A lot of software isn't compatible with aarch64 CPUs, so it is safer to go for x86 CPUs.

You will be asked for storage and RAM requirements, and then an OS to install on it.

On-prem Computer

You can buy a computer to place in your home.
Professional-grade server hardware comes as rack units, because they're meant to be installed in racks. You might've seen a glimpse of them if you've looked at a server room in real life or in movies.
Hobby server hardware… popular options are mini PCs or microcomputers. Mini PCs tend to be x86 architectures, while microcomputers tend to be aarch64 architectures. You will likely need an external monitor and keyboard to install an OS on a mini PC, but typically not for a microcomputer.

OS To Install

Usually, some version of Linux Server. Microsoft Server might also work but I cannot give any tips on that.
When you install a server OS, it comes with no graphical interface - you only get a command-line interface. If you don't know what it is, imagine a stereotypical hacker in a movie. You can access the computer via a connection called SSH.

You will need to get comfortable with a UNIX-style command line, so I'd recommend working on it. If you have a Mac, you have it pre-installed, but you have to be really careful. If you have a Windows computer, WSL is a really good sandbox for you to fuck around without running the risk of finding out too hard.


Evading Google's Data Collection

by allsparkinfinite on 2024-06-22

Google collects a lot of data from Android phones. A lot of it is GPS and accelerometer data. Even if you do not have a Google account on your phone, Google can use location data to identify where the phone spends most of its time and get a reasonably good idea of your circles.

So how do we block this?

DNS/IP Blocking

The first method is to block all network requests to google servers.

Some VPNs allow you to configure your own DNS, where you can block all Google domains by pointing them to 0.0.0.0.
But it's hard, verging on impossible, to catch all Google domains, so there's an easier option.

You can block traffic to the following set of IP addresses, which are the ones Google currently uses. It's a lot harder to get new IP addresses than it is to get new domain names, so this method should be longer lasting.
- 8.8.8.8
- 8.8.4.4
- 2001:4860:4860::8888
- 2001:4860:4860::8844

One downside of this method is that you cannot visit Google websites in your browser either. It is also harder to set up on mobile phones, which sometimes connect to the internet via Wi-Fi and sometimes via mobile data.
Google Services are likely still recording all the data and just waiting for a working connection to upload it. If you ever disable the blocking to, say, watch a YouTube video, all that data gets uploaded, making the whole process pointless.

Disabling Google Services

You can disable all google apps on your phone. This stops Google from continuously recording what you do. However, with Android that comes installed with your phone, this may not even be allowed. This also interferes with the functioning of all apps that use Google Services, OS updates, and GPS location.

Wait, why GPS?
Well, the way GPS works is that all GPS satellites are broadcasting information about their orbit, called ephemeris data, which needs to be refreshed every few hours. Based on the timing of the messages from different satellites, the GPS receiver can estimate its distance from each satellite and thus its own location. The full message takes 45 seconds to transmit, after which it repeats the message. This means that a GPS receiver has to listen for at least 45 seconds to know its location.
However, what if we could get the ephemeris data from elsewhere, and then just listen to the satellites and instantly get the current location? This is made possible by making the ephemeris data available online. On your Android, Google Services provide the pre-loaded ephemeris data.

You can enable Google Services when you want them, and they will only record your data for as long as they are enabled.

Installing a Custom OS Without Google Services

Take Android out, replace it with an OS with no Google Services at all! GPS augmentation is done using a different provider!

Changing the OS on a smartphone is a lot trickier than changing the OS on a computer. Most reputed distributions provide detailed instructions which you can follow to safely install the custom OS, but you have to follow the instructions exactly. Mistakes carry a high risk of rendering your phone unusable, which happened to me when I first tried this. For this reason, it is recommended that you read through the instructions a few times first before starting anything.
Since that first misadventure, replacing the OS has always gone smoothly for me, but the tension is always heart-wrenching.

The process generally involves unlocking the bootloader, installing the custom recovery software, installing the OS itself, and then relocking the bootloader.

You can then install Google Services if you use any apps that need them, and keep it disabled until you need it. GPS and updates work with no issues.

Installing a Custom OS With Google Services Sandboxing

GrapheneOS, ironically available only for Pixel devices, lets you install Google Services without giving them too much access to the sensors. This seems to strike the best balance between usability and privacy, in my opinion.


Tutorial | Installing Linux

by allsparkinfinite on 2024-06-15

BIOS

BIOS, standing for Basic Input Output System, is the software that comes with the motherboard of your computer. It is really basic, handling the startup of the actual OS you have installed.
Technically, BIOS is the old version of the software, and the modern replacement is UEFI, but we call it BIOS anyway because we're quirky. UEFI stands for Unified Extensible Firmware Interface.
The BIOS settings page, which we also call BIOS (hey I didn't make the rules), is usually accessed by spamming some key while the computer is booting up.
Which key?
Big Shrug
It varies from device to device. You can either look online for your particular computer, or you can try out all the likely keys. Every computer I've seen had the BIOS shortcut key as either ESC, F1 - F12, DEL or ENTER. Older computers also display it on the screen during the boot sequence, but newer computers, especially SSD-equipped ones, boot up way too fast to display it.
Once in BIOS, you can change the Boot Order - this is the order in which BIOS scans all storage devices to find a bootable OS. Look through the settings to find this option, there shouldn't be many options.
For the process of dual booting, you will need to do this twice - once to ensure that USB has higher priority than internal storage, and once after installation (I'll tell you when) to ensure that within the internal storage, the Linux Bootloader (usually GRUB) has higher priority than the Windows Bootloader. Each time, make sure to actually save the settings.

Booting from the LiveUSB

The USB drive to which we wrote the ISO is now called a LiveUSB, because it contains a live version of the OS we can try out without installing.
Once you have given the USB boot device higher priority, you can plug in the LiveUSB and reboot. It should show your chosen OS ready for you to try out, with the basic apps installed, along with an option to install the OS. Try out the OS, make sure there are no black flags that disqualify it for your use, resolve red flags, find workarounds to yellow flags, and then you're good to install!

Filesystem Structures

In Windows, everything exists on the C:\ drive, with extra stuff on the D:\ drive if you have one.
Fun fact: A:\ and B:\ are names reserved for floppy disks in Windows convention, and changing that now would just break a lot of apps.
All program files live in the C:\ drive, unless installed elsewhere. User data is stored in a dedicated folder - C:\Users\ - with each user getting their own folder within it. Each of those folders contains all your favourite locations - Documents, Downloads, Pictures, all the shortcuts you see in the File Explorer.

Linux does something very similar. Everything exists under "root", represented by /. User data is stored in /home, with each user getting their own folder within it, and each of those folders containing all those same locations.

Installation

The one thing you need to watch out for is the location of the install. It will ask you if you want to remove Windows or install alongside Windows or a third manual option. The "Install alongside Windows" is usually a safe option and you can select the 150 GB free space we created earlier.
A slightly better option is to go for the manual option, and create two partitions. One will be 50 GB in size with its mount point as the filesystem root, represented by a single slash /. The second will take up the rest of the space, with its mount point as /home.

After this point, the process varies, but it is also relatively straightforward. You will want to do a network install, where it downloads any updates needed.

After installation, when it prompts a reboot, you will need to set the Linux Bootloader higher than the Windows one.


Tutorial | Preparing to Install Linux

by allsparkinfinite on 2024-06-08

Installing Linux is often a critical step in an open-source enthusiast's life. It may come before or after their (sometimes unhinged) interest in open-source. I, for example, first started using Linux when I was told to, because I was supposed to use a programming software that only ran on Linux.
I never did end up using that particular software, but other apps ran a lot quicker on Linux than Windows, so I slowly moved over.

Why Linux?

I've harped on about privacy enough. However, one of the first differences I noticed was performance - Linux just tends to be less bloaty than Windows, leaving more CPU and RAM available to run what you want to run. MATLAB takes famously long to open, and it would open a lot quicker on my Ubuntu install than on my Windows install. Same hardware, same device, different OS. Another benefit is that most malware targeted at desktop users is targeted at Windows users, so there's a little bit of safety there, but that doesn't mean you can go around clicking whatever sketchy links you want.
Battery life is worse. And there's a lot of software that isn't made for Linux at all; you can't even install it. The Adobe Creative Suite, for example, which I suggest you avoid anyway.

Who Linux?

You can't install Linux on an Apple computer.
Well, you can, actually, but it's tough and definitely not something I'd recommend for a beginner. If you're confident, go look up the Asahi Linux project.
But the bottom line is that if you have a PC that's running Windows, and are able to access BIOS, you're set.

What Linux?

Linux is not an operating system, it's just the kernel of an operating system. There are many Linux-based OSes, called distributions, one of which I'd like you to install.
Ubuntu is the most popular option, but Linux Mint is slightly more beginner-friendly.

Moreover, the same operating system can have multiple Desktop Environments - the look and feel of the screen. Linux Mint's Cinnamon is the most Windows-like, GNOME looks different but is easy to use, and KDE Plasma is a helluva lot more customizable.

If you don't want to make a choice and are looking for me to give you one recommendation, it's Linux Mint with Cinnamon.

Where Linux?

Once you select a distro and a desktop environment (sometimes called flavours), you can go to the download page on the distribution's website. They will often link to a page of instructions on how to install your new OS. In general, following them should give you a good experience. If there isn't one, well, follow what I say.

First, you download the OS "image", usually a file with a ".iso" extension, and write it to a USB drive. That doesn't mean just pasting that file in the USB drive though - you can download an application called Rufus to write the ISO to the USB drive. Beware, all the previous contents of the USB will be overwritten.

You also have to decide whether you want to keep Windows or not. My suggestion: keep Windows. Either way, back up anything you can't afford to lose first, and if your Windows drive is encrypted with BitLocker (the default on many newer laptops), save a copy of the recovery key somewhere safe: changes to the partition layout and boot setup can make Windows ask for it. If you choose to keep Windows, open up the Disk Management app in Windows and start making some changes.
In Disk Management, you will see some "partitions" or "volumes" of your disk. Some partitions are likely big and empty enough that you can shrink them by 150 GB and not lose any data - we will turn those 150 GB into unallocated disk space.
Right click on a volume that has enough free space, and select "Shrink Volume" (make sure not to hit "Format" or "Delete"). It will only let you give up free space - it will not let you cut out any actual data, and the maximum it offers can be smaller than the free space Explorer shows, because files Windows can't move (the hibernation and page files, for example) set the limit. Shrink the volume by 150 GB, which Disk Management asks for in MB: about 150000 MB.
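As an added example that is not part of the original post, here are those pre-install checks scripted in PowerShell: verify the ISO against the published checksum list, check whether C: is BitLocker-protected, and ask Windows how far C: can actually shrink before doing a dry run of the shrink. The file names linuxmint.iso and sha256sum.txt and the drive letter C: are assumptions; adjust them to your download and your layout.

```powershell
# Added example, not from the original post: pre-install checks in PowerShell.
# Assumptions (placeholders, adjust to your download): the ISO is .\linuxmint.iso and
# the distribution's checksum list is .\sha256sum.txt, both in the current folder,
# and Windows lives on C:. Run from an elevated PowerShell window for the disk parts.

# --- 1. Verify the ISO against the published SHA-256 list ---------------------
$iso      = ".\linuxmint.iso"       # placeholder name
$sumsFile = ".\sha256sum.txt"       # Linux Mint publishes its list under this name
$isoName  = Split-Path -Leaf $iso

# Get-FileHash returns an object; .Hash is the upper-case hex digest.
$actual = (Get-FileHash -Path $iso -Algorithm SHA256).Hash

# Each line of the list is "<64 hex chars>  <filename>" (some tools write " *<filename>").
$expected = $null
foreach ($line in Get-Content $sumsFile) {
    if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and $Matches[2].Trim() -eq $isoName) {
        $expected = $Matches[1].ToUpper()
        break
    }
}

if (-not $expected) {
    throw "No entry for $isoName in $sumsFile - check you downloaded the matching list"
} elseif ($expected -ne $actual) {
    throw "SHA-256 MISMATCH for $isoName - do not write this file to a USB drive; download it again"
}
Write-Host "OK: $isoName matches the published SHA-256"

# --- 2. Is the Windows drive BitLocker-encrypted? -----------------------------
# Get-BitLockerVolume only exists on editions that ship BitLocker (Pro and up); Home uses
# "device encryption" instead, so the cmdlet may be missing - treat that as "check manually".
try {
    $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction Stop
    if ($bl.ProtectionStatus -eq "On") {
        Write-Warning "C: is protected by BitLocker. Back up the recovery key before touching partitions or the boot setup."
    } else {
        Write-Host "C: is not protected by BitLocker."
    }
} catch {
    Write-Warning "Could not query BitLocker status ($($_.Exception.Message)); check it in Settings before continuing."
}

# --- 3. How much can C: actually shrink? ---------------------------------------
# This is the same guardrail Disk Management applies: it will not shrink past SizeMin,
# which is set by where the last immovable file sits, not by how much free space there is.
$wanted    = 150GB                          # PowerShell understands the GB suffix
$partition = Get-Partition -DriveLetter C
$limits    = Get-PartitionSupportedSize -DriveLetter C
$maxShrink = $partition.Size - $limits.SizeMin

Write-Host ("C: is {0:N1} GB; it can shrink by at most {1:N1} GB" -f ($partition.Size / 1GB), ($maxShrink / 1GB))

if ($maxShrink -lt $wanted) {
    throw "Cannot free $($wanted / 1GB) GB on C:. Turn off hibernation, move the page file, or defragment, and try again."
}

# Dry run only: -WhatIf prints what would happen without changing anything.
# Remove -WhatIf (and run as Administrator) when you are ready to make the change.
Resize-Partition -DriveLetter C -Size ($partition.Size - $wanted) -WhatIf
```

A matching checksum proves that the file you got is the file the site published, not that the site itself wasn't tampered with; for that, distributions also publish a GPG signature on the checksum list (Linux Mint calls it sha256sum.txt.gpg), which you can check with gpg if you have it installed. The maximum shrink reported in step 3 is the number Disk Management's guardrail is built on, and it is often far smaller than the free space Explorer shows.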

So far, we've been safe. There are guardrails to ensure nothing goes wrong here. The next post will show the scary installation parts.

Stay tuned!


Sports I'm Into | 2024 May Recap

by allsparkinfinite on 2024-06-01

Cricket

IPL 2024

Neither Mumbai nor Chennai made it to the playoffs! That's rare.
RCB fans face disappointment again.

India W Tour of Bangladesh, 3rd - 5th T20Is

Clean sweep! 'Nuff said.

Zimbabwe M Tour of Bangladesh, 1st - 5th T20Is

Bangladesh dominated the first two matches, narrowly won the next two, and Zimbabwe stole a consolation win at the end.

Pakistan W Tour of England, 3 T20Is and 3 ODIs

I just need to know how Pakistan managed to lose both tour matches.

Pakistan M Tour of Ireland, 1st-3rd T20Is

Ireland stole a win at the start and got our hopes up. Then Pakistan won the next two matches in convincing fashion.

Bangladesh M Tour of USA, 1st-3rd T20Is

USA stuns by winning the first two matches??? And then they had the complacency to rest some of their first-choice players for the third match??? The confidence, the disrespect! Bangladesh did win that third match by a full 10 wickets for a consolation win but this was a stunner.

South Africa M Tour of West Indies, 1st-3rd T20Is

West Indies might be turning back into a serious force to contend with, having done a clean sweep.

Formula 1

Miami GP

Shocking news from the Red Bull garage this weekend as a huge torrent of rumours is confirmed - superstar car designer Adrian Newey will be leaving the team's trackside operations immediately, and will be quitting the team at the end of the year! Big, big blow for Red Bull Racing.
And as if to be poetic, Lando Norris wins his first race, beating out Max Verstappen. Norris qualified 5th but opted for a late pitstop, and benefitted from a Safety Car to put him into the lead. Ricciardo also scored his first points of the season in the sprint race.

Emilia-Romagna GP

Verstappen won this one, but he was being hunted down at the end by Norris. The fans did pile on Norris for not being able to make the overtake stick, but I think that's unfair. These cars have a lot of dirty air (again) and overtaking at Imola with these massive cars is not easy. Norris gets a lot of undeserved (and blind) hate from the fans.

Monaco GP

Perez qualified badly, crashed on lap 1. Many people think it's Magnussen's fault, but in my opinion Perez knew Magnussen was there and yet left no room. The wall does curve, which makes assigning blame difficult, but ultimately on Lap 1 you can't say a lot.
Carlos had collided with Piastri and lost a lot of places, but the red flag caused by the Perez-Magnussen crash let him reset his position.
After the red flag, everyone changed their tyres and the race effectively became a no-stop, with everyone driving real slow just to keep the tyres alive till the chequered flag. With minimal tyre degradation, there were no overtakes. This led to the race becoming more of a parade in 4 groups. Verstappen was sandwiched between Russell and Hamilton, the latter making a free pitstop (with Tsunoda being a lap down) to try to overtake Verstappen. He was told to take a normal outlap, which meant Verstappen could pit and come out ahead, leading to a lot of headache for Mercedes fans.
Ultimately the race was won by the polesitter, Leclerc, whose run of bad luck at home finally came to an end. The race was boring but the commentator's speech at the end was amazing.

Formula E

Berlin E-Prix

Lots of drivers had to go for their WEC commitments, leading to a lot of reserve drivers taking the wheel here. In the midst of all this, Barnard (subbing in for Bird) scored points in both races!

Shanghai E-Prix

First race at this F1 circuit, even if it's on a modified layout. Last lap battle with Cassidy not being able to make full use of his saved energy in Race 1. Fun racing!


Open-Source Rug Pulls

by allsparkinfinite on 2024-05-25

I'm a huge advocate of open-source software. It's built for and by community. The open-source utopia is a world where everyone writes software with source code freely available for review. Interested and able members of the community will try, test, review, and submit improvements to projects that they wish to use and/or improve. Some may "fork" a project to take in a somewhat different direction to the original project, reusing most of the code but making significant modifications of their own. Collaboration at its finest. Communism in software, if you will.

We live under capitalism, though. Many companies zealously protect the source code for their software when it's their money maker. They expended significant effort in writing this code, dammit, and they'll be damned if they let anyone else have it before they've squeezed every last penny they can make out of it. It's the only course of action their shareholders will accept.

And yet, there are some for-profit organizations that make open-source software. Angels who share the fruits of their labour with the public, often to the detriment of their bottom line. Corporate open-source seemed to be a safe haven for open-source idealists in the warzone of capitalism.

Seemed to be.

Of late, there have been many examples of companies moving products away from open-source licences, or locking down access to their source. HashiCorp of Terraform fame, Redis, Red Hat known for RHEL, MongoDB, CockroachDB, Confluent, Elasticsearch, Sentry.
"Wait, who are those last few guys?", I hear you ask.
Well, those are small companies that got away with this first, emboldening the bigger players to do it as well.

Detriment Of Their Bottom Line?

Whenever you see a company with an open-source product, two things are true.
One, there is a community of volunteers around this project which is happy to provide their effort to keep the project moving.
Two, the community is good enough at creating bug reports and pushing patches to the code that it makes financial sense for the company to rely on the volunteers instead of hiring a few more developers and testers.

In other words, the decision to keep a project open-source can also be driven by capitalistic sentiments.

Why Do Commies Go For Corporations?

The open-source utopia makes no claims about who is the ultimate decision maker of a project. It could be a single dedicated person, it could be a committee, and it could be a corporation. All we need is the freedom to view and modify the source code of the project. This is the implicit contract between open-source project maintainers and volunteers. This trust can be broken in a couple of scenarios.

The project may reach a stage of maturity where the company is ready to take all development in-house. Or maybe the value provided to the company by the volunteers reduces, and it no longer makes sense to trade-off ownership for volunteer labour.

How Is This Breaking Trust, Exactly?

A part of the open-source ideal is that everyone is free to use the software without contributing anything in return. Users don't have to volunteer for every project they use. When a company decides to move an open-source project to a proprietary licence, this part of the ideal is violated.
Additionally, the company then assumes ownership of the project, including the parts contributed by volunteers.

How Is This Legal?

Loopholes.

Open-source licences are written to keep code free, but they don't cover all the cases. A licence cannot be revoked for versions already released, but nothing stops the copyright holder from releasing the next version under a different licence. And the company usually does hold the copyright on the volunteers' contributions too, because contributors are asked to sign a Contributor Licence Agreement (CLA) before their patches are accepted, which is what lets the company relicense the whole project later.

RHEL in particular is built on the Linux kernel and thousands of other packages, many of them under the GPL. The GPL doesn't require everything that runs on Linux to be open; what it requires is that whoever distributes a GPL-licensed program provides the source to the people they distribute it to. Red Hat now makes RHEL's source available only to paying customers - the same people receiving the binaries - which technically satisfies the GPL, while its subscription terms discourage those customers from passing the source on.

Even where a case could be made, taking a company to court is not a feasible option for volunteers or for non-profits like the Linux Foundation.

What Can We Do?

Fork them. The community is often quick to create a new branch of the project from the last version that was published under an open-source licence.


Privacy-Focused Alternatives | Part 9: Photos

by allsparkinfinite on 2024-05-18

Photos. And increasingly, videos as well. We capture copious amounts of them on our phones. It syncs automatically with Google Photos or iCloud. We create albums in the app for events and share them with our friends and family, who can then add more photos to the shared album. We can switch phones without worrying about losing our photos, as long as we use the same account - everything's backed up on the cloud!

Except there is no cloud, there is only someone else's computer.

You Will Let Us Look At Your Photos And You Will Thank Us For It

CSAM Scanning Programmes

In August 2021, Apple announced a plan to scan photos on users' devices, as they were being uploaded to iCloud Photos, against a database of known Child Sexual Abuse Material (CSAM), in order to report matches to the authorities. It later scrapped the plan, announcing this in December 2022.
Google quietly started a similar programme for photos stored on its servers, and it continues to this day.

Apple's Promises of Privacy

Apple gave its users the following guarantees:

What Went Wrong?

There were cases of false positives. Famously, in a case reported in August 2022, a couple that had previously shared photos of their toddler's infected genitalia with a doctor (and received a quick and accurate diagnosis and treatment plan) lost access to the Google account they had used, and were the subject of a police investigation. They didn't get charged, but this points to a deeper problem.

The Revealed Risks

  1. An AI model that can look at your photos and flag them for illegal material. What happens if it's trained to detect not CSAM but, say, government dissent?
  2. The fact that "manual review" exists - what if the threshold for it is set really low?
  3. Evidence gained through illegal surveillance is inadmissible in court (in many jurisdictions), in order to deter the police from violating citizens' privacy without reasonable cause. What does this look like when you're sharing everything about your life with a corporation?

Same Tech, Different Goals

A homophobic government could strongarm the companies into deploying models that check for pride flags and similar symbols of the LGBT+ community. If you believe that the correct thing to do here is to let the companies direct police action towards queer people (or any other community that a future government may target, some of which may include you) while you try to change the system through state-approved means, you may continue as you are. If, however, you believe that the correct thing to do is to take this power away from tech giants in the first place, then you also know it's preferable to do it one day before the government gets to them than one day after.

Alternatives

Move Everything to a Hard Drive

The simplest alternative, and how we used to do things pre-cloud. Organize photos by yourself and store them in a computer or an external disk. It starts getting tough if you have many photos, or if you want to be able to access it remotely.

Host Your Own Cloud

Nextcloud or something similar could be a place for you to upload your photos automatically, which you can then access and share over the internet.

Nextcloud Photos, Ente Photos, Immich, PhotoPrism

These open-source apps do something I'm pleasantly surprised about. You can host these services on a device of your choosing, and they will download an AI model to categorize photos by faces and objects. You get the full Big Tech Experience without any of the Big Tech Privacy Concerns.
Now, I have not tested these services so I do not know how user-friendly they are, but I can vouch for their privacy because they are popular FOSS projects with lots of eyeballs on them. The flip side of self-hosting is that you become the one responsible for keeping the service patched, and for not exposing it to the internet without strong authentication (or a VPN in front of it).


Privacy-Focused Alternatives | Part 8: Maps, Notes

by allsparkinfinite on 2024-05-11

Maps

OpenStreetMap (OSM) is the only alternative that's at least partly practical. The map data is crowd-sourced and under a libre licence.
The project itself only offers a web interface, though, with no official apps to download.

No worries, this is the world of open-source. There are a hundred and one apps built on OSM.
For Android, some alternatives are Organic Maps and OsmAnd.

These apps need an internet connection only to download maps, after which they work completely offline.
The navigation algorithm is also completely offline - it uses the downloaded map to decide a route.
Since these apps have no live traffic data, the route they show might not always be the quickest one, and one would need to be familiar with the traffic patterns of the route to be able to travel on the quickest route.

Organic Maps - My Experience

Accuracy of Map Data

Road data seems to be slightly outdated, with Organic Maps sometimes asking me to make U-turns that have since been blocked. The majority of info seems to be in order, though, so you can get from point A to point B using Organic Maps.

Availability of Location Entries

Landmarks, buildings, businesses, anything - don't take Organic Maps, or OpenStreetMap, as gospel. You'll miss out on a lot. Maybe the most private way is to look something up on Google Maps and then manually set the location in Organic Maps navigation? It's a hassle, yes. But on the flip side, I was also impressed at some of the places that I could find on OpenStreetMap.

Navigation Algorithm

So the first thing I noticed was that Organic Maps is biased towards wider roads, where going through a bunch of narrow roads would be a somewhat shorter route. This leads me to believe that Organic Maps estimates travel speed based on road width and tries to estimate the quickest route based on that, which seems to be badly tuned for Indian roads.

A positive, though, is that I was more likely to get a route that's simpler and easier to learn using Organic Maps than Google Maps.

Notes

Most people use either the default notes app on their phone or Notion.

On an unrelated note, having a good Personal Knowledge Management system is quite important now. Tiago Forte has a book called Building A Second Brain which talks about a lot of stuff, but the two key concepts are:
  - Organize your folders by frequency of use first. In the top level of your folder structure, you must have folders for Projects (temporary tasks you are actively working on), Areas (responsibilities that require constant supervision, and can include a string of Projects), Resources (reference material sorted by topic), and Archives.
  - Progressive Summarisation - have a copy of the full text, highlight key sentences, italicize key phrases, and embolden key words. Finally, summarize the text in your own words. This allows you to be efficient when rereading notes.

Obsidian

A really good Notion alternative. Notes are stored locally, and can be synchronised with Nextcloud (using an Obsidian plugin) or through Syncthing.
It comes with really impressive features as well.
Another bonus is that the notes are stored as plaintext. This means that if you ever need to migrate to another app, or just temporarily use a different editor, you can with no trouble.
Notes are also version-controlled, so you can view note history.

The only downside is that it is not open-source software.

QOwnNotes

A desktop-only app with version control and the capability to integrate with Nextcloud Notes (which does have an Android app).
It doesn't have any of the bells and whistles of Obsidian or Notion, but there is something to be said for the unreasonable effectiveness of plaintext.


Sports I'm Into | 2024 Apr Recap

by allsparkinfinite on 2024-05-04

Cricket

India W Tour of Bangladesh, 1st - 2nd T20Is

Super-dominant wins in both T20s. Either Bangladesh isn't the force in Women's cricket that it is in Men's cricket, or India is even better in Women's cricket than in Men's.

IPL 2024

I know runfests are what most fans want but it's just not for me. I want to see some dot balls!

Formula 1

Japanese Grand Prix

Red Bull domination continues.
Ricciardo and Albon had a crash on the opening lap in the S Curves, making things worse for both sides. Daniel has not been performing and there is talk of replacing him. Williams, after their Australia fiasco, have lost MORE parts.
As for the crash itself, it was clearly a first-lap incident, but I'd be blaming Ricciardo if it was not lap 1. Most fans would disagree with me. I feel the current standards are not conducive to overtakes.
Charles Leclerc went from 8th to 4th on an amazing 1-stop strategy, with predictions showing he would've finished 7th had he gone with the "optimal" 2-stop. When you start around cars that are much slower than you, alternative strategies become more effective.
Yuki Tsunoda scores points in his home grand prix, so that's good for him.

Chinese Grand Prix

More Max domination, it's getting disheartening to think about the next few seasons already.
In the sprint, Lando qualified ahead of Hamilton, but lost the place in turn 1. Lewis led the sprint for a while before Max made his way past with no effort. Alonso also got a penalty for causing a collision with Carlos Sainz, much to the chagrin of fans - will discuss this later.
For the main qualifying, Carlos Sainz caused a red flag, stuck trackside for 77 seconds. The car had stalled, but he eventually managed to get it restarted and continued taking part in qualifying. Aston Martin lodged a protest of the results, because stopped cars must not be allowed to continue. The agreement between the teams and FIA, however, has been that "stopped car" in this context means a car that cannot continue moving under its own power, which Sainz did, even if very late.
There was a safety car during the race, and Alonso locked up at the restart. The resulting chain reaction caught out Stroll, who drove into the back of Ricciardo (who could've finished in the points if not for this incident), pushing him into the back of Piastri. Stroll got a penalty here.
What angers us fans is that Alonso got 3 penalty points for causing a collision while racing, and Stroll got only 2 penalty points for causing a collision under Full Course Yellow conditions, which is much worse.

Formula E

Misano E-Prix

Da Costa won the first race of this double header, but was disqualified for an illegal throttle damper. Feels unfair, because that's no performance gain, but an illegal part is an illegal part. This handed the win to Rowland.
In the second race, Rowland was leading quite convincingly until it fell apart on the last lap. It began at the race start, when he crossed the start/finish line (control line) as he took off from the grid. That first control line crossing should be ignored for the lap count, but it was not, causing the energy targets to be off by 1 lap for the entire race, hitting 0% energy as the penultimate lap ended. Rowland even told his team that the energy targets were looking suspicious but they did not catch the error - he could've fixed it from his steering wheel had they understood what was going on. Heartbreaking but what can you do?

Monaco E-Prix

Sam Bird injured his hand in a crash during practice, handing the car to Taylor Barnard for the rest of the weekend. He qualified dead last but made up 8 places to finish 14th.
Evans and Cassidy, Jaguar teammates, coordinated the whole race to help each other and took a commanding 1-2. Strategy!
Monaco in Formula E always sees plenty of overtakes 😌


Privacy-Focused Alternatives | Part 7: Creatives

by allsparkinfinite on 2024-04-27

We often use software for creative work. The Adobe suite is a set of popular software that is often associated with creative work. Of course, like any corporation, they have their share of shitty practices, particularly around subscription models.

Adobe Controversy

Adobe used to offer perpetual licenses to its creative software, known as the Creative Suite (CS). However, they dropped the perpetual licensing model and adopted a subscription-based model, known as Creative Cloud (CC). Users that installed CC were unable to migrate back to their CS licences because Adobe shut down the CS licence activation servers, bringing into question the honesty of the word "perpetual". This also caused users to be unable to reinstall their perpetual licences on newer computers.

Recording and Streaming - OBS Studio

Getting an easy one out of the way. Plenty of content creators record what they do on the computer and upload it - either edited into a coherent video, or as an unedited livestream. Gaming channels are the prime example, of course, but there are a few other channels that also get into the business of sharing what's on their screen with an audience.
A lot of them use OBS Studio. It's free-as-in-beer, free-as-in-freedom, and it's also easy to use. It's already the industry standard in recording what's happening on your screen, if you ever need to.

Audio Editing - Audacity

Another industry standard, Audacity is hard for beginners to pick up but is one of the best audio editors out there.

3D Modelling and Animation - Blender

Yet another FOSS app that's already the industry standard in its field, Blender is widely used for creating 3D worlds and "recording" videos in them.

Photo Editing - GIMP

The first in the list that's not an industry standard - Photoshop is the standard. However, it requires a subscription. Photopea is a browser-based alternative, but I don't trust the data privacy on browser-based apps at all. GIMP has all the simple editing features that one needs, but lacks the more complex features (especially AI features) that Photoshop provides. Intuitiveness takes a hit, though, as I needed a tutorial to figure out how to draw a rectangle in GIMP.

Drawing - Krita, MyPaint

This section was written in collaboration with Siri - you can find her on Instagram as @what.the.artt

Most hobby digital art these days is done on iPads, using Procreate. Apple is famously good on privacy and security. However, we do not know when that will change - tech companies pulling the rug has been a frequent occurrence of late. Sketchbook and Fresco are available for both Android and Apple tablets. Those on computers use Illustrator or Corel Draw - the latter being offered for free with some Wacom tablets.
Krita and MyPaint are open-source drawing apps, with Krita being available for Android as well. MyPaint is more intuitive to use in my opinion, but Krita tends to be the favourite among the more professional artists that value open-source software.

Video Editing - Kdenlive

KDE Non-Linear Video Editor - or Kdenlive (yes, quite the reach for an acronym) is the most popular open-source video editor. I've used Windows Movie Maker and Kdenlive is as good. The Windows Photos app comes with a movie maker which is very user-friendly and has great effects, but is not good for non-linear video editing. DaVinci Resolve is non-linear and has professional effects, but isn't open source.

Vector Graphics - Inkscape

Illustrator is probably the industry standard here, but Inkscape isn't far behind in terms of features. Jacqui uses Inkscape for her vector drawing needs.

Photography - Darktable

I hadn't known RAW image editing needed something different from Photoshop or GIMP, but here we are. Lightroom (by Adobe) is the most popular option, with Darktable (FOSS) being faster and more performant, but lacking some features - notably photo organisation.


Privacy-Focused Alternatives | Part 6: Instant Messaging

by allsparkinfinite on 2024-04-20

Instant Messaging. Also known as chatting, texting, or DMs.

We love to text each other. It's become the default mode of communication for nearly everyone. It's asynchronous, it's quick, it's lightweight, it's searchable, it's reliable, it's flexible. It allows for freedom in communication that no other form of communication has achieved.

So naturally, I am here to ruin this for you as well.

Data Retention

So one of the pros of IMs that I mentioned is that it's searchable. If someone sends me a message - their address, details for some event, anything - that I need to look at again, I can tap the little magnifying glass icon and search for that message. The message isn't deleted (unless by sender's choice, receiver's choice, or Snapchat) so it is convenient for me to look it up.

But where are all the messages stored to enable this lookup? Is it on your phone, or on a server somewhere?

If it's on a server somewhere, is it protected against hackers? Is it protected against employee voyeurism? Is it protected against government warrants? Is it protected against targeted ads? Is it protected against LLM training?

And if you delete your messages or account, are those messages deleted from the servers as well?

So What Apps Should I Use?

Unfortunately, this isn't a decision that's completely yours. You can switch to a private email service, a private operating system, but to switch to a private IM app, you need all your friends to be on it. What I do is to have a set of apps, and try to keep as many conversations on the more private apps as I can.

Signal

The best option currently available, in my opinion. Open-source, and designed on the assumption that the server is being spied upon: every message is end-to-end encrypted on the client, so the server only ever relays ciphertext. Open-source means that its encryption is verifiable. Even the server code is open source. They have also added a post-quantum key agreement (PQXDH) to the Signal protocol.
I nearly called this the gold standard, but I remembered I do have some complaints with it. You cannot easily host a Signal server on your own: the server code is published for review, but there is no way to verify that Signal's own servers run that code, and the official clients are hard-wired to Signal's servers, so even if you do manage to host one, you cannot easily point the client at it. The apps are built to stay secure despite a compromised server, which is what makes the first point tolerable.

Telegram

Positions itself on privacy. They claim to store every user's data on servers in at least two different countries, requiring multiple jurisdictions to coordinate in order to reveal information about a user. They also tend to get good features before other IM platforms do. And their client-side code is open-source, so you can verify that Secret Chats are indeed end-to-end encrypted.
The negatives? They do end up complying with law enforcement requests to reveal information. Also, their default chats aren't end-to-end encrypted - they are encrypted only between your device and Telegram's servers, so Telegram itself can read them - and Secret Chats live on one device and are not synced like in Signal.

WhatsApp

Owned by Meta. It claims end-to-end encryption (using the Signal protocol, according to its own whitepaper), but the clients are closed-source, so nobody outside Meta can verify what the app does with your messages before and after encryption. Also, it's Meta, so there's no trust. Still, it's one of the most popular IM apps, so it tends to be used by nearly everyone.

Snapchat

Chats are deleted shortly after they've been viewed (24 hours at most, with the default settings). Which infuriated me, as someone who hates to lose chats. No one with access to your phone can read your old chats, but again there's no way to know what Snapchat itself does with your messages on its servers.
Also, I hate the quantification of friendship in Snapchat.

Discord, Instagram, and other DM platforms

Data is often stored on the cloud, with no end-to-end encryption. There's no thought of privacy or security here, but they sure as hell are convenient!


Privacy-Focused Alternatives | Part 5: Cloud Storage, Password Manager

by allsparkinfinite on 2024-04-13

Cloud Storage

There is no cloud, there is only someone else's computer

Here, the options get murky. Google Drive is obviously the giant in this space. Apple positions itself on privacy, and does have a better track record than Google. However, it's still a for-profit corporation, one policy change away from becoming evil.

Alternatives based in countries with strong privacy laws

Proton and Tuta provide secure emails and cloud storage to go with it. However, their free offerings are paltry. They do provide end-to-end encryption for your stored documents. Their apps are open-source, so the encryption is verifiable.

For those who do not want to spend money, and are willing to sacrifice some convenience for secure cloud storage, another option is to encrypt all files before uploading them to the cloud.
Cryptomator automates this: it keeps an encrypted "vault" folder inside whatever synced folder you point it at (Dropbox, a WebDAV share on someone else's Nextcloud server, or any other provider), and encrypts file contents and file names on your device before the sync client ever sees them, so the provider only ever stores ciphertext. What it can't hide is how many files you have and roughly how big they are.

The ultimate option for cloud storage is to host your own. Nextcloud and Owncloud can be self-hosted, and they provide guides and strong community support for this.
One downside of Nextcloud is that the owner of the instance can access your files, so it's not advised to blindly use a Nextcloud server owned by someone you don't trust. Of course, this is where local encryption and apps like Cryptomator come in handy.

Syncthing is yet another open-source option for cloud storage. Sort of.
Rather than providing a centralised storage space, it synchronises folders directly between your own devices, over connections encrypted with TLS and authenticated by each device's own key. If you have a perpetually-online, high-storage device, Syncthing is indistinguishable from any other cloud storage. If you don't, it is still a capable, low-effort tool to help synchronise your files.
Its only central dependency is the public discovery and relay servers that help your devices find each other when they're on different networks. Those only ever carry encrypted traffic, they can be self-hosted, and devices on the same network find each other without them, so even if the public ones went down your files would still be safe and would still sync locally.

Password Manager

Password managers are an interesting phenomenon. We've been advised to use different passwords on different apps so that a password breach at one of them does not affect others. We've also been advised to use complicated passwords. So now we use password managers that help us remember the different complicated passwords, which is itself a single point of failure protected by one master password. That is the one password you really have to get right: make it a long, unique passphrase, and turn on two-factor authentication for the vault if the manager offers it.

Again, Google and Apple provide password management services. How much a data leak (or an evil employee) could expose depends on whether the vault is end-to-end encrypted: Apple's iCloud Keychain is, and Google offers on-device encryption as an opt-in. That is the question to ask of any password management provider.

On the other end of the spectrum is writing down your passwords in a notebook. This has the added advantage of allowing your loved ones to access your passwords in case of emergencies. I do not need to highlight the insecurity with this method, though.

Bitwarden is a provider with open-source server and client software, with some peripheral proprietary modules. Your vault is stored on Bitwarden's servers, but only in encrypted form: the encryption key is derived from your master password on your device, so the server (and anyone who breaches it) sees only ciphertext. The server can also be self-hosted. Because the encrypted vault lives on the server, you can still get to a password from, say, a friend's device through the web vault, with your master password (and your second factor, if you've enabled one).

Nextcloud, the self-hostable cloud storage, provides a password manager, imaginatively named Nextcloud Passwords.

A crazy-but-practical solution is to have a private git repository - which could live on GitHub or Gitea or wherever you like - and store your passwords in it. Encrypted, always: a "private" repository only hides it from the public, not from the hosting provider or from whoever gets into your account.
Password Store (pass) automates this for you: each password is a GPG-encrypted file, and the repository is synced with git. The Android app has been discontinued, and may soon disappear from F-Droid. Hopefully someone will fork it.


Sports I'm Into | 2024 Mar Recap

by allsparkinfinite on 2024-04-06

Cricket

England M tour of India, 5th Test

Not much to say. The test series was already won, and the final test was icing on the cake.

Afghanistan v/s Ireland M at UAE, Only Test

Ireland gets their first test win!

Afghanistan v/s Ireland M at UAE, 1st-3rd ODIs

Afghanistan gets the series win on tests, winning the first and third matches. The second was washed out completely.

WPL 2024

The RCB women's team won a trophy before the men's team. The memes are legendary.
A curious observation I made - the same players are playing well in nearly every match they play. It's as if the gradient of sporting ability is steep. Contrast this with men's cricket, where everyone is of nearly the same sporting ability, so different players shine in different matches.
I wonder if this could be a metric to gauge how much talent makes it from grassroots sport to the international level - the number of different players receiving player of the match awards, for example.

Formula 1

Bahrain Grand Prix

Welp, Max dominance has begun.

Saudi Arabian Grand Prix

Max dominance yes, but also Oliver Bearman was called in for reserve duties after Carlos Sainz went down with appendicitis. He qualified outside the top ten but fought his way to a P7 finish, setting similar lap times to his more experienced teammate by the end. His neck is unfortunately not yet built for F1, with him leaning on the headrest towards the end of the race because he couldn't keep his head up.
In the F1 Academy race, Doriane Pin won by quite a margin. However, her radio failed and the chequered flag was not waved in clear view of the drivers, so she did an extra lap at racing speed and the race had to be red-flagged for her to stop. She got disqualified for no fault of her own.

Australian Grand Prix

Verstappen and Hamilton retire for different reasons, and Carlos Sainz takes the win! Right out of appendicitis, putting himself on the map for a seat next year. Carlos ends Max's winning streak for a second time.
With Max's teammate Perez not winning this race after a Verstappen retirement, questions are being asked if he's the right fit for Red Bull. They need him to be there to pick up the pieces on days that Max has issues, and he did not. Alex Albon crashed his car in practice and his (underperforming) teammate Logan Sargeant was asked to give up his car. To make it worse, Alex had had virtually no practice on Friday before being handed the car on Saturday. Logan had two practice sessions where he notably did not wreck the car. Since track acclimatization is a vital part of driver preparation, if Williams still did not expect Logan to perform better than Alex, why even have him in the team at all?

Formula E

Sao Paulo E-Prix

Sam Bird takes McLaren's first FE win by making an overtake on his old teammate Mitch Evans... who was unfortunately suffering from a battery derate at the end. He had the energy but the battery was too hot to safely discharge it to him.
Especially important because Sam was dropped by Jaguar last year for underperforming, and he's back to his winning ways. He'd won races in every season since the beginning of FE, and that streak was broken over the last couple of seasons. 3 different winners in 3 different races.

Tokyo E-Prix

There's a bump in the track which gives cars some airtime. Fun!
Nissan had pole with Ollie Rowland but failed to convert to a win at their home race.
This makes it 4 different winners in the first 4 races. F1 fans cannot comprehend this.


What Is Self Hosting? | Part 1: Infrastructure

by allsparkinfinite on 2024-03-30

"But how can I live without [insert necessarily-online service here]?"

Some tools have to be online. It is all well and good to have my files not sync to OneDrive, because privacy, but how do I store important files that need to be accessible from anywhere? How do I collaboratively edit files with my friends?

Password managers are another example of something that is useless offline.

The solution to it all is self-hosting: running the service on a computer and a domain you own.

A Computer You Own

To self-host a service (like I do with this blog), you need a perpetually-online computer.

I've got a Raspberry Pi, but I could just as easily have used an old laptop or a desktop computer. Or a computer on a cloud offering - OCI, AWS, Azure, you name it.

The first thing to do would be to install Linux.
To install on a Raspberry Pi, the Raspberry Pi Foundation provides an installer app which you can use to flash an OS onto an SD card, which then goes into the Raspberry Pi.
To install on a computer, you can download the Linux ISO, put it on a pen drive using Rufus to create a LiveUSB, boot from it, and install the OS.
On a cloud computer, well, there are entire certification courses dedicated to how to set up and run them.

A Dedicated Public IP Address With Open Ports

If your ISP gives you a dedicated public IP address, you can put in a request to have some ports forwarded.

Computers perform networking on "ports".
Think of an IP address as pointing to an apartment building. Any mail that reaches the apartment's mailbox now has to be sorted by apartment number, which is a port number.
Typically, for security reasons, all incoming connections on all ports are blocked by the ISP (you only need outgoing connections normally), and you will need to request those ports to be opened or forwarded.

What if your ISP denies your request? What if your ISP doesn't provide a dedicated public IP address?

One solution is to look for an ISP that will give you these things. They could be part of commercial packages only, making it expensive.
Another solution is to look for a VPN that will give you these things. Again, this will often cost money.
My solution was to get a computer on Oracle Cloud Infrastructure under their Always Free offering, which comes with a dedicated public IP address and an ability to open up ports.

Localhost Tunnels

"What happened to 'There is no cloud, there is only someone else's computer'?"

My Raspberry Pi still sits on my desk, running most of the software I need.

The virtual computer on OCI runs a localhost tunnelling software called Rathole, which my Raspberry Pi connects to, and all traffic is routed through OCI into my Raspberry Pi. Since my SSL endpoint is on the Raspberry Pi, all data that OCI sees is encrypted.

There are other options, of course. PageKite, for one, allows you to create an account and pay them $3/mo to use them as a localhost tunnel frontend.
Again, if you terminate SSL on a device you own, all traffic PageKite sees will be encrypted.

Domain

A domain is basically the name part of a URL.
The URL of this blog, for example, is blog.allsparkinfinite.name. Here, ".name" is a top-level domain or a TLD, "allsparkinfinite.name" is a domain, and "blog.allsparkinfinite.name" is a subdomain.

Getting a domain for free is nearly impossible now. I used to own allsparkinfinite.tk for free, but Freenom (the registry for .tk domains) got sued by Facebook for failing to control spam on its domains. It subsequently had its authority revoked, and I couldn't renew the domain.

I ended up coughing up money for allsparkinfinite.name, because .name is one of the cheapest TLDs around.

You can, however, get subdomains for free at FreeDNS.


Privacy-Focused Alternatives | Part 4: Browser, Search, News

by allsparkinfinite on 2024-03-23

Browser

Brave browser is a good browser that provides all the privacy features out-of-the-box.

However, it's not as configurable as I'd like, so I've picked Firefox and hardened it.

I use a suite of adblockers on Firefox. uBlock Origin is the best one, but just like Brave, it doesn't give you much control.
AdNauseam is an adblocker which loads ads, and then clicks on every single ad, therefore increasing the clickthrough rate but dropping the conversion rate of every ad campaign. In addition, it doesn't allow the ad agencies to build an accurate profile on you.
FadBlock is an extension which loads and skips YouTube ads, bypassing their adblock-blocker.

I prefer to use Firefox because it's completely independent.
Brave is built on the Chromium Open Source Project, which means Google still has some level of control over it. Google could do something like abandoning the Chromium Open Source Project, which would seriously stunt Brave's development if not outright halt it.

Firefox needs to survive for a free internet, but Mozilla isn't perfect either.
There are versions of Firefox called LibreWolf and Waterfox which are more private out-of-the-box, and they keep Mozilla's scummy decisions at bay.

There is no such thing as unbiased news

There are differing levels of bias in news.

The first is bias via outright lies, where people make stuff up to push an agenda. You've come across a lot of it in the misinformation age, but it's only popular on social media and not so much on reputed news outlets. For good reason.

The second is bias via loaded phrasing. The reporting may be based in facts, but it also tells you how to feel about it. You've seen this as well, and it's the most common form of bias from reputed news outlets.

The third is bias via selective reporting.
"It's amazing that the amount of news that happens in the world every day always just exactly fits the newspaper." - Jerry Seinfeld
This is the most insidious form of bias. You can report on facts, and offer no default emotional response to the reader, but by simply showing only one side of the story, you create bias. And it's really hard to catch this. To figure out selective reporting, you need to know an unselective reporter, and how do you get that?

News aggregators

Ground News is a US-based app that aggregates news from various sources, and helps you tackle the second and third forms of bias.

To get a similar result in India, I've figured out the following chain of trust:

I have then picked out all Indian news outlets rated by MBFC as being at least "mostly factual" and "high traffic". This way, I can get news of all biases, but mostly factual news, from reputed sources.
I haven't actually started reading my curated list of news sites yet, but that's a problem for a different time.

Search

Yes, DuckDuckGo is private, Brave Search is private, Ecosia is private and plants trees...
But I've just set my search engine to Wikipedia lately and it's been so much better.

"But Wikipedia is not a search engine"
Look I've already figured out where to go for news, so what more do I need search for?
Information on something random? What's better than Wikipedia and its citations?
Details about games I play or TV series I watch? Fandom.
Help with coding? StackOverflow. Community help with something? Much as I hate to say it, Reddit is the best forum for a lot of things.

Why use a search engine when you're going to visit the same sites again and again? Just pick a forum for your topic and put all related queries in said forum's dedicated search field.

When I do need search, I use Ecosia. But I've cut down massively.


Privacy-Focused Alternatives | Part 3: Operating Systems

by allsparkinfinite on 2024-03-16

Operating Systems

MacOS/iOS

Much as I hate Apple for its anti-consumer behaviour, it is an operating system that's (at least marketed as being) centered around privacy.

"What's so anti-consumer about Apple, they have the best customer service in the industry?"

So long as your device is working. Louis Rossmann will be more than happy to tell you what happens when you need an Apple device repaired.
And the best part? Apple is just the forerunner in restricting your ability to get your device repaired independently. Authorized service from every company is often overpriced, because they don't attempt a chip-level repair. They just replace the whole component, which is bad for the environment and your wallet.

Android

Android is open-source, so it must be private, right?

lolz

Okay, so there's a difference between open-source and open-core. Android and VSCode are examples of open-core software. Both are built on an open-source core, but have proprietary layers added onto them before distribution.
This ensures that they can market themselves as being open-source, commercialize the work of unpaid volunteers, and distribute proprietary code to their users.

"But if it's open-core, why don't people just use the core and make a fully open-source version of it?"

LineageOS, GrapheneOS, and other Custom ROMs

There are a few open-source implementations of Android out there you can try.
Whether a phone is supported by a custom ROM or not is a toss-up, though.

LineageOS supports a lot of devices for a long time, but it doesn't come with Google Play Services, rendering a lot of apps useless. One option is to build with microG, which I have not tried and cannot give a tutorial for currently.

GrapheneOS, on the other hand, supports only Google Pixel devices (ironic, I know, but there are no privacy concerns here), has a shorter device support time (8 years for LineageOS vs 5 years for GrapheneOS), and allows sandboxed Google Play Services.
Sandboxed Google Play Services allows apps to be functional while also massively reducing the amount of device data Google has access to.

Aurora Store

Aurora Store is an alternative frontend to the Google Play Store, and it allows you to install apps from the play store without actually letting Google know you're installing them.

For the most part, it only makes sense when used in conjunction with microG, and not with sandboxed Google Play Services.

F-Droid

F-Droid is a repository of open-source apps for Android, all of them usable on their own without any Google services.

Some app developers provide their own repositories as well, such as IzzyOnDroid and FUTO.

If you want to have a phone which is completely free of Google, F-Droid is your place to get all your apps.
Heck, if you want your main phone to have as few Google-dependent apps as possible, F-Droid is your place.

Random shoutout

AlternativeTo has helped me find open-source alternatives to a lot of apps I couldn't do without.

Word of warning, open-source alternatives to niche apps often come with UI and UX downsides.
But as long as the functionality is present, I will take an open-source alternative (conditional on its actual maintenance of privacy) over a proprietary, cloud-based app.

Windows

lolz

Windows has managed to ruin both privacy and usability because it's just the default on so many laptops, and Microsoft simply doesn't feel the pressure to be good.

Linux

Linux has a learning curve.
You know what else has a learning curve? Windows. MacOS.

Everything takes time to learn how to use. Linux Mint is a beginner-friendly distribution to use. It is based on Ubuntu so a lot of Ubuntu's community knowledge transfers over to Linux Mint.

Steam Proton is an official compatibility layer for Steam, which allows a lot of games to be run on Linux.
Steam's horse in this race is their Steam Deck, their console which is essentially a Linux computer. They found it easier to make a console out of a Linux computer and start playing whack-a-mole with compatibility, than to make a console out of a Windows computer.


Wokeness in Motorsport

by allsparkinfinite on 2024-03-09

Addition to last post: Fernando Alonso could replace Hamilton. A 2-time world champion, he's since been a champion-level driver without the machinery to match. His recent move to Aston Martin finally put him back in the frontrunning teams, but he could do one better at Mercedes in 2025.

Overview

Something frustrating I see online is when right-wing topics are discussed by celebrities, the majority of the pushback they get is a rebuttal of their points. I'm not saying it's always right, but the most pushback they get is about the content of what they've spoken.
With left-wing topics, however, there is a lot of "you may be correct but you should stick to your field".

Here's an acknowledgement and appreciation of wokeness at the top level of motorsport.

Mental Health

Lando Norris was popular on twitch while he was climbing up the junior formulae. He discussed mental health with his twitch fans regularly, whom he brought with him into F1. Bottas, Ricciardo, and Perez have also since opened up about their own struggles.

Environmental Consciousness

Sebastian Vettel, 4-time F1 World Champion, recently retired from the sport, and had often made statements about his complicity in F1's emissions.

Formula E is a racing series in its 10th season which has been certified carbon-zero since inception. They make competing manufacturers focus on electric powertrain efficiency, hoping that these improvements make it to the road.

Discrimination

Lewis Hamilton, the first ever black driver in the sport, is naturally very vocal about discrimination. The fact that the only black driver in the sport is tied for having won the most championships with Michael Schumacher raises a question in my mind: are sponsors reluctant to support a young black driver unless he shows a lot more potential? And what other demographics are disadvantaged in this way?

W Series

To improve the participation of women in motorsport, a female-only one-make F3-machinery championship was launched, called W Series. It did away with some of the problems of junior formulae by scrapping entry fees and providing a common pool of engineers to every driver.

Jamie Chadwick won all three seasons before the series imploded, with investors pulling out because of the lack of ROI. The series, however, was not a complete failure, because all the investors went to...

F1 Academy

When W Series showed signs of failing, Hamilton put some public pressure on F1 to look into what could be done, and F1 Academy was set up.
F1 Academy is a female-only one-make F4-machinery championship, with entry fees being half of that in other F4 series. The engineers are also provided by big-name teams from junior formulae all over the globe.

F1 Academy's first champion and first runner-up left for FRECA, which is considered the most competitive F4-machinery championship.
My only concern is that they don't follow in the footsteps of Jamie Chadwick - I have heard that when Chadwick raced in FRECA, the team did not provide her with engineers, putting her at a machinery disadvantage.

Women Are Cunning

Red Bull Racing's Head of Strategy Hannah Schmitz and F1 Academy MD Susie Wolff have both faced baseless public criticism for awful things - race-fixing and corruption respectively. While such allegations should be taken seriously, I also feel that the public tends to disproportionately vilify women.

Christian Horner Allegations

A very recent turn of events is that Red Bull Racing's Team Principal has been accused by an unnamed female staff member of "controlling behaviour". After an independent barrister hired by Red Bull GmbH cleared Horner of any wrongdoing, some screenshots incriminating Horner were leaked to the press.

Max Verstappen is rumoured to be unhappy with this situation and considering a move to that Mercedes seat.

I would normally side with the results of an independent investigation, but we need a little more transparency, like the name of the barrister. Especially when the complainant has also been suspended.


2024 Feb Recap - Sports I'm Into

by allsparkinfinite on 2024-03-02

Cricket

England M tour of India, 2nd-4th Tests

Ha! Take that, Bazballers! I'll bet the 3rd test left them speechless!

Formula 1

Hamilton To Ferrari

Apparently Hamilton wanted a 3-year contract with Mercedes and Mercedes wanted a 1-year contract, so they compromised and went for a 2-year contract with an exit clause at the end of the 1st year.
It must've been a liberal exit clause because Hamilton triggered it before any track running.

This kicks Silly Season into chaos, with a vacant Mercedes seat and Carlos Sainz of Ferrari out of a seat.
Everyone who has a shot at the Mercedes seat:

Kick Sauber

Sauber is based in Switzerland.
Stake is a gambling platform.
Advertising of gambling platforms is banned in Switzerland.
Having a title sponsor counts as advertising.
Bye-bye first half of "Stake F1 Team Kick Sauber".

Will be interesting to see what they do about the Stake logos on the car and overalls when they go race in other countries where it is illegal to advertise gambling companies.

Car reveals

A lot of the field has gone for less paint on their car for weight saving reasons, making the cars less distinguishable from each other.

Liveries

I love the Ferrari livery with cleverly hidden bare carbon fibre.
I love the Williams livery but they might quietly replace dark blue with bare carbon fibre.
I like the Mercedes, McLaren, Aston Martin, and Haas liveries, which have pleasingly-placed bare carbon fibre.
I like the colours on the Sauber, but the design looks terrible.
I like the colours and the design on the Alpine, but the difference between their blue and pink liveries is unnoticeable.
The Red Bull is the same as always, and the V-CARB looks horrible but is the only light-coloured car on the grid.

Cars

Mercedes are giving me hope.

Red Bull did not upgrade their car last year and brought massive upgrades for this car. Their design looks similar to the previous Mercedes design that they couldn't make work... and if Red Bull makes it work I am going to be very annoyed.

They do seem to be dominant anyway, and I will probably create a "Formula 1.5" where I ignore Red Bull. Stay tuned.

Formula E

Hyderabad E-Prix

Last year's Hyderabad E-Prix was a success in racing terms, but it was a disaster operationally. Communications between the FE Management and the Race Promoter were terrible, and there were lots of delays in construction, yada yada. If you're an Indian like I am, you're unfazed by this, but the Formula E Management decided they did not want this headache next year.


Privacy-Focused Alternatives | Part 2: Social Media

by allsparkinfinite on 2024-02-24

Social Media

Fediverse FTWWWWWWWWWWW

So you know how you can send an email from your Gmail account, and someone using Yahoo Mail can still read it?
The fediverse is based on a similar concept, under a standard called ActivityPub.
There are many services that are part of the fediverse, and I'm gonna pick Mastodon and PeerTube to explain. These are the fedi alternatives to Twitter and YouTube respectively.

Also, while these can be self-hosted, I do not plan on exploring the self-hosted options here. It works just as well to join a community that already exists, especially if it's a tight knit one.

Anyone can host their own Mastodon server and "federate" it with other Mastodon servers. This way, all posts you see are under the control of your host (who is likely a volunteer; don't forget to tip them), while you can still share posts with other servers. This decentralized architecture is wonderful for escaping the algorithm and the ads that necessitate it.

So let's say you have a network of Mastodon servers giving you a Twitter-like interface with less toxicity, and the same with PeerTube. Here is where the beauty of ActivityPub comes in.
(Warning: oversimplified explanation coming up)

Since Mastodon and PeerTube both implement ActivityPub, all users on both services are identified as <username>@<server.address>.
All content on both services is stored with the following details:
- Content ID (in a similar way to how every tweet or YouTube video has a unique ID)
- User who posted it
- If replying to or commenting on someone else's post, the ID of that post
- The content matter

Whether it's a video, or a post, or a comment, or an image, everything is stored in the same format, which means an account on Mastodon can like and reply to a video on PeerTube, and they would show up on the PeerTube video as likes and comments. You can have all your content in one central feed, if you so wish.

But... what about my For You Page?

Something that you might not like is that there's no recommendation algorithm. If you prefer having content recommended to you via an algorithm, that might not really work for you. I know I am a nerd and have enjoyed watching random YouTube videos.
However, recommendation algorithms are obviously bad for privacy. In addition, they're addictive, and radicalizing (will get into that later), and are likely an overall negative on my life.
Trending feeds do not take the user into account, so they can be considered the private version of a recommended feed, but that doesn't work too well on the fediverse. I will likely resort to personal recommendations - having a creator explicitly recommended to me by another creator.

The lack of a recommendation algorithm also ensures you only see content from people you intentionally follow, which means your feed is less cluttered.

Detour: Tom Scott's There Is No Algorithm For Truth

Tom Scott gave a wonderful 1-hour talk at the Royal Institution in Oct 2019, going into the problems with algorithms. Here's the link to the video on YouTube.

Detour in a detour: WTF, YouTube???

I was originally intending to embed the video here to be fancy and all. Embedding the video allows you to play the video without leaving the page.
Howeverrrrrrrrrrrrr, apparently YouTube collects data about the Google accounts that visit my site when I do that!

This blog is about privacy, so you are all gonna have to be happy with the link instead of an embedded video.

Detour in a detour in a detour: Share IDs

Instagram and YouTube append share IDs to the links when you share content by copying links. This allows them to track the shared video from original sharer to sharee. TikTok does this in a way that's scrambled into the content ID, so that's not avoidable.
But for the other services, consider downloading this URL cleaner to share links, or manually stripping out the share IDs from the links.


Privacy-Focused Alternatives | Part 1: Email, Office Suite

by allsparkinfinite on 2024-02-17

Email

Pretty much everyone has a Gmail account, and that's probably where Google learns the most about us.

To touch on security a little, Google does something right with OAuth. Whenever you see a "login with your google account", you are interacting with Google's OAuth. It allows you to use an already-logged-in account from your device to sign in to a different service, reducing the attack surface for a phishing scam.

Although now that I think about it, a well placed phishing attack on the OAuth page would compromise everything...
Well, if there are any hackers reading this, please don't do this as it would be highly unethical and in direct opposition to the goals of my blog.

Oh no! Anyway...

Back when I was making these changes for myself, I did not seriously consider self-hosting an email service. I used to own allsparkinfinite.tk at the time, having picked it because it was free. It is widely known that .tk websites are popular sources of scams (because they were free), so there was a reasonable chance of the entire .tk space not being accepted by email services.
Justifiably.

Yes, I chased the allure of free. I have ended up with a story to tell for it, which I will probably get to when I talk about hosting.

I have no good reason not to host my own email now, and I will attempt it at some point in the future. For now, I will be giving tips on alternatives to gmail.
The caveat here is that these suggestions are not popular with those that demand absolute security, but the suggestions I give in this post will be doable by most people.

Protonmail

Based in Switzerland, with some of the best personal data protection laws, Protonmail markets itself as a privacy-focused company. How much you believe this is, of course, entirely up to you. For what it's worth, Proton makes security audit reports of each of their services available here.

Tuta (formerly Tutanota)

Based in Germany, again with some of the best personal data protection laws, Tuta markets itself as even more of a privacy-focused company. By the descriptions on their website, they do indeed go further than Proton when it comes to encryption and privacy. To the point that I wish I knew of their existence before I signed up with protonmail.
However, I cannot find references to security audits of Tuta on their website, so it is again up to you how much you believe them.

SimpleLogin

Not entirely a privacy solution, but have you ever had spam emails that you can't seem to unsubscribe from?
SimpleLogin allows you to create email addresses which forward to your email address. That way when you sign up with some website for a one-off thing and they start spamming you, you can simply turn it off by deactivating that alias.
There is a self-hosted option with this, which I will be covering along with my email self-hosting guide.

Office Suite

MS Office used to be the most popular option here, but it's Google Docs these days. Yay, more Google.

Keeping with the spirit of "there is no cloud, there is only someone else's computer", I would strongly recommend storing your documents on your device.
The solution I've been using for as long as I've been using Linux is LibreOffice.
It does pretty much everything you need from an Office Suite, costs less than MS Office, and gives you more control over your data than Google Docs.

Of course, sharing and simultaneous editing is a problem when your files reside on your computer, and collaborating has become important in recent times. The solution there is Collabora Office, which is a self-hostable alternative to Google Docs, in the shared editing sense. I will be putting up a tutorial for this along with the Nextcloud tutorial.

Of course, your mileage may vary, based on how resistant you and your collaborators would be to switch to Collabora, but at least make the attempt to keep your individual files on your device with LibreOffice.


Basic Steps For Digital Security

by allsparkinfinite on 2024-02-10

Here are some things everyone should be doing to improve their security.

Passwords

How they are stored

The way most reputed websites store your passwords is by salting and hashing them. (I'm not currently salting passwords on this blog, but then again I'm not accepting registrations either)
To salt a password is to add a lot of extra randomized text at the end. The next step is hashing, where the password+salt is run through a one-way hash function. Hash functions are extremely chaotic and computationally intensive to reverse, and a minor change in the input leads to a completely different output (called a hash). That way, similar passwords will not have similar hashes. The salt and hash are then stored with your username.
When you attempt a login, the server adds your stored salt to the password you entered and hashes the result. If that matches the stored hash, it knows the entered password is correct, all without ever storing the correct password.

This way, if the database gets leaked, and the hacker wants to gain access to your account in particular, it would still take them a few months to reverse your hash to get your password.
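As an added example (not the blog's own code), here is the scheme described above in Python: a random per-user salt, a deliberately slow hash (PBKDF2-HMAC-SHA256), and a login check that re-derives the hash and compares it without ever storing the password. The user table and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Iteration count for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a production deployment should use a much higher count (or a memory-hard KDF such
# as scrypt or Argon2) so that brute-forcing a leaked hash stays expensive.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) for storing next to the username.

    A fresh random salt is generated per password unless one is supplied
    (supplying one is only needed when re-deriving the hash at login).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


# Constructed user table: username -> (salt, hash). The plaintext is never stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password
        # (otherwise response time would reveal which usernames exist).
        hash_password(password)
        return False
    salt, stored = record
    return verify_password(password, salt, stored)


def same_password_different_hashes(password: str) -> bool:
    """Why the salt matters: two users with the same password get unrelated
    hashes, so a leaked table cannot be matched against one precomputed list."""
    (salt1, hash1), (salt2, hash2) = hash_password(password), hash_password(password)
    return salt1 != salt2 and hash1 != hash2


if __name__ == "__main__":
    register("alice", "correct horse battery staple")   # constructed credentials
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "correct horse battery stapl"))   # False
    print(same_password_different_hashes("hunter2"))       # True
```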

How to maintain this security

First, change your important passwords every time you change your toothbrush.

Second, don't use any arbitrary rules for your passwords. Assuming all your previous passwords are known to the hackers, you do not want to give them any pattern that allows them to only test out a subset of all possible passwords. Make your passwords as chaotic and difficult to predict as possible.

And remember, the most secure password manager is a piece of paper.

Phishing

Phishing is a collection of a variety of techniques where the goal is to get someone to enter their login credentials into a website that looks legitimate but is actually not.

The first thing to keep in mind is: never trust a link with an "@" symbol in it. This is a remnant of the old internet, where username:password@domain.com was a shorthand to log into the domain. These days you have links like https://legit.domain.com/@some.name.com to underhandedly send people to a different domain from what they're expecting.

The second thing is to always think twice before you enter your credentials somewhere, especially if there's reason to expect that your credentials are already stored in the browser.
For example, if you click on a link someone sent you in Discord, and you need to enter your Discord credentials again, you are most certainly being phished.

The third precaution is to always verify and type out domain names. You don't want to enter your work account credentials at companyname.conn, but there's a greater danger. Sometimes the link will contain letters from the Cyrillic alphabet, which makes it impossible to visually tell whether it's the right domain or not. Typing the link out ensures that you're at least going to a website whose domain name is made of English letters.
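An added example, not part of the original post, that checks the two link properties discussed above: it reports which host a browser would actually connect to (an "@" before the first "/" hands the connection to whatever follows it, while an "@" later in the path does not change the host) and flags domain names containing non-Latin letters such as Cyrillic look-alikes. The sample links are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

def inspect_link(url: str) -> dict:
    """Report the host a browser would actually connect to, plus the warning
    signs from the post: an '@' in the authority part (userinfo) and
    non-Latin letters in the domain name."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # userinfo, port and path already stripped
    warnings = []

    # "user:pass@host" is still valid URL syntax; everything before the '@'
    # is ignored and the part after it is the real destination.
    if "@" in parts.netloc:
        warnings.append("link contains userinfo; real host is %s" % host)

    # Look-alike letters from other scripts are reported by script name,
    # together with the punycode form that is actually resolved.
    foreign = [ch for ch in host if ord(ch) > 127]
    if foreign:
        scripts = sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in foreign})
        try:
            punycode = host.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = "(not encodable)"
        warnings.append("non-ASCII letters in host (%s); resolves as %s"
                        % (", ".join(scripts), punycode))
    elif any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host; it may display as a look-alike name")

    return {"host": host, "warnings": warnings}

def is_expected_domain(url: str, expected: str) -> bool:
    """True only if the link's real host is `expected` or a subdomain of it."""
    expected = expected.lower()
    host = inspect_link(url)["host"]
    return host == expected or host.endswith("." + expected)

if __name__ == "__main__":
    # Constructed sample links; the second host uses a Cyrillic 'а' (U+0430).
    for link in ("https://legit.domain.com@some.name.com/login",
                 "https://legit.domain.com/@some.name.com",
                 "https://\u0430pple.com/",
                 "https://companyname.conn/sso"):
        report = inspect_link(link)
        print(link, "->", report["host"], report["warnings"])
```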

Deepfakes

Always verify the source.

Someone using deepfakes will always try to create a sense of emotion or urgency. For example, using a voice changer to sound like a loved one who asks for money to be sent to a number you don't recognize because it's an emergency.

Think about setting up emergency passwords with your family to verify such cases. It's also a good thing to teach kids - only go somewhere with a stranger if they can give the emergency password.

"There is no cloud, there is only someone else's computer"

Cloud offerings started out as a way for Amazon to rent out spare compute when their main business began bleeding traffic. When it got profitable, Oracle and Google followed.

Make sure any sensitive documents you put on the cloud are end-to-end encrypted. Or at least password-protected.


2024 Jan Recap - Sports I Love

by allsparkinfinite on 2024-02-03

Cricket

India M tour of South Africa, 2nd Test

SA 55, Ind 153, SA 176, Ind 80/3, Ind win by 7W
Not entirely sure what happened here. My first reaction was that both teams made a mockery of the sport, but maybe it's just the bowlers making a mockery of the batsmen.

Zimbabwe M tour of Sri Lanka, 2nd T20I

SL 173/6, Zim 178/6 (19.5), Zim win by 4W, 1b in hand
Maybe a few years ago I'd have been shocked at this, but Sri Lanka has really fallen off a cliff lately. As has West Indies, which makes the last entry here rather shocking...

Afghanistan M tour of India, 3rd T20I

Ind 212/4, Afg 212/6, Afg 16/1, Ind 16/0, Ind 11/2, Afg 1, Ind win 2nd SO
What a rollercoaster of a match. 2 Super Overs, Afghanistan played rather well. One piece of controversy though - Rohit Sharma retired at the last ball of the first Super Over for reasons other than injury, and therefore should not have been allowed to bat in the second Super Over. It probably did not have an effect on the outcome, but still.

West Indies M tour of Australia, 2nd Test

WI 311, Aus 289/9d, WI 193, Aus 207, WI win by 8 runs
Interesting choice by Australia to declare while trailing. I can only infer that they wanted their bowlers to attack tired West Indian openers under the lights. Bowling with Mitchell Starc, and Josh Hazlewood (both had been resting and were energetic), Australia got Tagenarine Chanderpaul's wicket to show for this gambit. However, with Pat Cummins looking set at 64* at declaration, was scalping Chanderpaul early really worth giving up a set Cummins's extra runs at the tail end? I think it was, but we'll never know.

England M tour of India, 1st Test

Eng 246, Ind 436, Eng 420, Ind 202, Eng win by 28 runs
No words.

Formula 1

"When you are strong, appear weak, and when you are weak, appear strong" - Sun Tzu, The Art of War

Red Bull say they may not make as big a step forward as other teams this year.
McLaren are confident of taking the fight to Red Bull, who have been utterly dominant for 2 seasons.
Aston Martin are confident they've made progress, learning from their mid-season slump last year.
Mercedes say this year's racecar feels like a car for the first time in two years.

McLaren's surprise livery reveal

They archived all their posts, put up an almost-black profile picture (a cryptic pattern made of the digits 1601 - denoting 16 Jan, the day of the surprise - in dark gray on a field of black) and a video saying "whatever it takes". Maybe whatever it takes to be the first one to show off their livery. Which is not that great, I might add.

Stake F1 Team Kick Sauber

Someone needs to kick Sauber for agreeing to rename their team to this.

Visa Cash App Racing Bulls

I would like to make a formal apology for my earlier disrespectful comments towards Sauber, because what the hell is VCARB for a team name???

Formula E

Formula E gets a lot of criticism for their racecars sounding like vacuum cleaners - the distinctive EV sound. And more criticism for not being as fast as Formula 1 or not racing on permanent racing circuits.

As for the first issue, I do wish the broadcasters turned down the high-pitched whine on the sound mixers, especially on onboard camera footage. The second, though? It works, we have overtakes.

Mexico City E-Prix
The recent pattern at this racetrack has been that Porsche is quite strong here. Especially 2022, where they screwed over half the field with their energy management. So will someone explain why my fantasy team did not have Porsche for this race????????
Their driver took a dominant victory, and I had specifically taken them out of my team.

Preview

LEWIS HAMILTON TO FERRARI

This happened in Feb. I'll recap this on the first Saturday of March.
Just know that my world has been shaken.


Hubris

by allsparkinfinite on 2024-01-27

(written 3 Mar 2021)

"I study in IIT Bombay."
Hearing that one sentence alone would make a lot of Indians feel a sense of awe. Saying it would fill me with pride, almost 4 years ago.
And why shouldn't it? I spent 7 months busting my ass off practicing to do well in JEE. I deserved it.

My journey in IITB has been... interesting, to put it mildly. The diversity combined with the free time led me to some revelations that (among a LOT of other things) replaced my pride with gratitude. This is the focus of this article.

12,00,000. That's the number of students who attempted what is probably the most glorified college entrance exam in India.
11,000. That's how many would be selected. Yes, a selection ratio worse than 1%.
A candidate's performance on the day of the exam depends on a whole host of factors. Factors like preparation could be controlled by them (my philosophical deterministic worldview disagrees, but that's a whole other discussion), while those like their health were outside their control. Let us, for the purpose of this article, use the (admittedly ill-fitting) terms "skill" and "luck" to describe these factors.

Draw a square. As you go from the bottom to the top, your luck increases. As you go from the left to the right, your skill increases. Let's assume that our 12 lakh candidates are spread uniformly over this square. How do we decide how many make it through? We give each candidate a score, that's 95% skill and 5% luck.
In this scenario, a candidate with 100 skill and 0 luck would score the same as a candidate with 94.737 skill and 100 luck. The line joining these two points on the square is what one would call a contour. In a linear case such as this, all contours are parallel lines. Once we choose a cutoff total score, we pick the contour line representing that total and select everyone that falls to its top-right.

Yes, the selected candidates are incredibly skilled. But, they were also lucky. For just about any candidate, you have someone else who is more skilled but performed worse and vice versa. Granted, the effect of luck is much smaller than that of skill, but it is present and it is non-negligible. We have just quantified it in the earlier paragraph.

What's my point with all this? I realise now that I have been lucky in ways I never appreciated before. This luck eventually factored into my selection into an IIT. Others did not have that privilege.
I was, first and foremost, born into a family that encouraged me. I had teachers that taught me well. I have core competencies that align very well with the "default" career path in this country.
The last one, perhaps, is the most mind-boggling.

Why do we have a default career path? If everyone was free to choose their career path, we wouldn't have so many people trying to define their self worth by a (metaphorical) piece of paper that's ultimately meaningless to them. We wouldn't have people squandering 6 years of their life pursuing a Bachelor's in Technology even if they're going to work a completely non-technical job. Such people get into IITs and in healthy proportions at that. Imagine their growth had they actually done what they wanted to! Imagine the seats freed up for people that are interested in Engineering. Everyone would have a better life.

So what do we do? I think we can all agree that the smaller the role luck plays, the purer the selection. So we work to create a society where luck is no longer a factor. Unfortunately, many of our current actions, through ignorance of even the presence of luck, create a world where circumstances beyond a person's control play a larger and larger role in their success. Equality of opportunity is the way forward.
One part (among many) of it is the need to rethink education as a society. There is nothing shameful about pursuing your interests. I single this problem out because it is the most noticeable from my perspective. There are likely other problems apparent from other perspectives.
Every last one of them needs addressing.

Oh, and the cutoff score for selecting 11k out of 12 lakh? It corresponds to a line passing through 100 skill and 40 luck.
In a world where luck plays only a 5% role for a very competitive position, the most skilled of us only do slightly better than a coin toss.
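Carrying the square-and-contour model above through as an added worked calculation (not part of the original post), with skill $s$ and luck $l$ each uniform on $[0, 100]$ and score $T = 0.95\,s + 0.05\,l$:

$$
\text{Cutoff } c \text{ selects the corner } T \ge c, \text{ a right triangle with vertices } (100,100),\ (100, l_0),\ (s_0, 100),
$$
$$
l_0 = \frac{c - 95}{0.05} = 20\,(c - 95), \qquad s_0 = \frac{c - 5}{0.95},
$$
$$
\frac{\text{selected area}}{\text{total area}} = \frac{\tfrac{1}{2}\,(100 - l_0)(100 - s_0)}{100^2}
= \frac{\tfrac{1}{2}\cdot 20\,(100 - c)\cdot \frac{100 - c}{0.95}}{10^4} = \frac{(100 - c)^2}{950}.
$$
Setting this equal to the selection ratio $\frac{11{,}000}{12{,}00{,}000} = \frac{11}{1200}$:
$$
(100 - c)^2 = \frac{950 \cdot 11}{1200} \approx 8.71, \qquad c \approx 97.05, \qquad l_0 = 20\,(c - 95) \approx 41.
$$
So the cutoff contour passes through $(s, l) = (100, \approx 41)$, and a candidate with the maximum skill of 100 is selected only if $l \ge l_0$, i.e. with probability $1 - l_0/100 \approx 0.59$, which is the "slightly better than a coin toss" figure.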


How To Take Care Of Your Privacy

by allsparkinfinite on 2024-01-20

"If you're not the customer, you're the product"

This saying came about when there was a boom in free services, which had to rely on advertising to stay profitable. To make more revenue, they needed to make advertising more effective. To make advertising more effective, they needed to understand their users on a personal level. The result is that the most successful of those free services were successful because they were able to, in a sense, sell their users to companies advertising their products.

The saying may not be so true today. There are plenty of services that take your money and still advertise to you. You pay for a Windows licence, and yet Bing serves you ads. Netflix is coming up with an ad-supported version as well. How can Amazon dream of functioning without building a database of personalized user profiles?

A detour into ownership

Do you really own your device?
Are you able to use it as you please?
If it breaks, are you able to repair it?
Are you in full control of what happens inside your device?

A car can run the AC when there is no windshield fluid in it, because those are two unrelated systems.
Some printers do not support scanning when out of printer ink, even though they are unrelated systems.

A car can be taken to an independent repair center to swap out a faulty or worn part.
Phone and laptop manufacturers have begun entering into exclusivity contracts with component manufacturers so that spare parts are unavailable to anyone but the manufacturer.

If a car manufacturer puts a GPS inside a car to track everything you do, they are sure to get sued.
Computers track you into oblivion...

With the industry following Google in data collection, and Apple in device ownership, we're in a terrible place. Google collects insane amounts of data, and Apple has increasingly restricted the market on repairs to the point that "repair" costs nearly as much as buying a new phone entirely.

How to not be the product

You will need to transition, where reasonable, to services with the following features.

And don't be a miser. Don't chase the allure of free. That's how we got into this mess in the first place.
And make sure to donate to open-source projects that are useful to you and that accept donations. They're mostly volunteer-supported, and could use the support.


"I have nothing to hide"

by allsparkinfinite on 2024-01-13

As our lives depend more and more on digital technology, digital privacy and security have increased in importance. General awareness about these topics may have been lacking, especially when it comes to privacy. The ad-based internet is at its most profitable (or least lossy) when it can accurately assess individual interests.

Let's first start with security, though. Digital security is, loosely speaking, about hacking. Some examples of security violations are:

Privacy, on the other hand, is kinda about nosiness. Your privacy can be invaded in the following cases:

Ad platforms and content recommendation engines (which is to say, nearly every popular app) benefit from identifying details about you and serving you ads/content based on that. While you do get more relevant results, they may end up identifying things about you that you are not aware of. This sounds super futuristic, but it raises the question of what these platforms can do with this information.

The Facebook-Cambridge Analytica data scandal was a series of events in the 2010s where personal data of Facebook users was collected by Cambridge Analytica and predominantly used for political advertising. Imagine the power to shape public opinion one can hold. Elections can be manipulated by the highest bidder. Critical voices can be drowned out by amplification of propaganda. Conspiracy theories can be pushed via selective reporting.

Conspiracy theories bring me to a related danger of algorithmic content. It has been observed that YouTube, if allowed to autoplay videos, will gradually go from videos showing moderate ideas to videos showing extremist ideas. Rage-bait gets clicks, and one could get radicalized by simply following the recommended videos for a few months.

Even if you trust a company to be respectful with your data, there is no telling when that trust may be broken. Maybe an employee decides to abuse privilege and spy on a customer that they know personally. Or the employee may be bribed. Or hacked. Or the entire company may get bought out by another company that has no interest in careful handling of personal data.

This is why you may want to pay attention to your digital privacy.


The Purpose Of This Blog

by allsparkinfinite on 2024-01-06

It's Friday afternoon and I'm just sitting down to write this article. I have no idea what this article is going to look like beyond the basic premise. This is likely how it's going to be every week, unfortunately.

A phrase deemed unparliamentary by New Zealand comes to mind: "idle vapourings of a mind diseased". That may well be what this blog turns out to be. I will be writing about my hobbies (Formula 1, cricket, maybe rubik's cubes at times but there's not much happening in that space), putting out some random articles (those of you who follow me on Instagram can read my articles titled "Hubris" and "Is Fatalism Just Escapism In Disguise" from my bio, both of which will invariably be posted here on a week I have no other content to post), or writing about activism.

Ah, activism. I consider myself a supporter of many social causes. Gender equality. LGBT+ ally. Race equality. Animal rights. However, these subjects are not going to feature heavily in this blog, although the undertones will be undeniable. What I hope to make the main focus of this blog is digital privacy.

As I have alluded to in my previous post, I have seen companies - my employers - be rather careless with sensitive personal data (I now realize this is more a question of security than privacy, but I will get into that in a future post). This led me to take a careful look at my own digital life and consider which companies I have allowed access to which aspects of my life.

One of the steps I decided to take was to de-google my life. If any google service has a reasonably functional and more private alternative (preferably open-source and on-prem) I will use it.
I have begun using ProtonMail and Ecosia Search, and plan on subscribing to Nebula to move away from YouTube. However, a huge point of concern is Google Drive. How do you replace a cloud service? How do you find an alternative for a service whose USP is to allow you to access your files from any device anywhere?

I stumbled upon Nextcloud, which is a cloud application that you can run off of your own computer. So as long as your computer is powered on and addressable by the internet, you have a Google Drive alternative.
Keeping your computer powered on is simple. Having it addressable by the internet? Oooofffffff that's a pain and a half. And actually setting up Nextcloud to work like I want it to? Gods of Olympus, if it were obvious, no company would ever need sysadmins.
The only reason I was able to figure out how to do it was that I already had some knowledge of computers and coding and linux and webhosting and TLS. Put it down to my being a nerd. But that level of involvement essentially makes hosting Nextcloud inaccessible to privacy-focused people who don't even know where to start. You need tutorials to understand the tutorials. When something is missing, you don't even know how to ask a question.

That is the aim I have with this blog. Provide an ELI5 (explain like I'm 5) tutorial for setting up Nextcloud, and other privacy tips. If someone has an actual 5-year-old I can explain these things to, to ensure my posts' quality, I would greatly appreciate that.
Actually, no. I cannot write a post on Friday afternoon and have it validated by a 5 y/o by Saturday noon. Which, by the way, is the target upload time for each post. Saturday noon.

Well, there's the aim and there's the target. But like I said earlier, this blog may well turn out to be the idle vapourings of a mind diseased. But it's something I'm going to do and I would love having readers.


Happy 24th Birthday To Me!

by allsparkinfinite on 2023-12-30

24 years in my life. 24 hours a day. If I've lived a day, I've got 3 more to go. And what a day it has been.

0245 - a memory of walking with my dad to visit the hospital where my brother was being born. Except I'm told this never happened.
0400 - was ahead of all the other kids at kindergarten. Still wetting my pants because I was too scared to ask for permission to use the toilet.
0500 - another fake memory of going "hiking" with my dad and my uncle.
0530 - moved from Bhopal to Hyderabad via a long car drive. Smol pillows coloured pink and yellow. Living close to the aforementioned uncle, who would get us remote controlled cars as gifts every time he returned from abroad on a work trip.
0740 - all third grade sections across all school branches had an Independence Day quiz. My team finished dead last, with a perfect score of 0.
0930 - a new house, a new school.
1030 - school separated boys from girls by putting each gender in different sections, then sent me and a few other boys to "compete with the girls". I was in the hypercompetitive Battle of the Sexes phase at the time, but now I have lots of questions.
1130 - a new school because the old one was clearly weird.
1150 - school tour to Kerala.
1250 - school tour to Rajasthan, and a friend I still talk to. No more school trips because a few students would drown on a school trip within the next year and that would put everyone on edge.
1300 - inter-school group competition for responses to natural disasters, where we won the engineering task by combining a raft, a tank, and a crane. Some teams combined a tank and a crane, but never a raft as well.
1310 - first crush, AFTER she left the school and I never managed to get in contact with her ffs.
1445 - #1 in school and city in a competition that I only managed to enter because I forgot to register for another, more prominent one. Won two tabs as a result, ruined one but still using the other. #2 in state in a Spell Bee, and made a close friend who I've since lost touch with.
1500 - contemplated suicide for external reasons. Decided against attempting and started hating myself for being so selfish (so wrong...).
1530 - went to FIITJEE and found a group of friends I still love.
1640 - #2 in a two-person-group logic competition by IIT Guwahati. Could've been #1, I like to believe, if I, my teammate, and the equipment didn't each malfunction at various points.
1645 - a lecturer in FIITJEE finally acknowledged that "12th ke baad maze hi maze nahi hai", which motivated me to adopt an insane, unsustainable work ethic, that I needed the 2 months after JEEA to recover from.
1655 - National Science Camp at IISc Bangalore, interesting lectures and a beautiful supersonic aerodynamics laboratory.
1730 - #749 in JEEA, and Aerospace at IIT Bombay. Joined NCC. Entered a long-distance relationship with a friend from school.
1830 - NCC Junior Council, and a tech team.
1845 - breakup.
1930 - quit NCC, became head of one of the 4 subsystems in tech team.
2000 - turned vegan after realizing that commercial dairy farms in India are bad too.
2005 - breakdown after a series of bad decisions culminating in a lot of self-hatred, self-introspection leads to a rebalancing of life and a promise to love myself again one day.
2015 - CoViD saves my ass, academically.
2030 - Windows BSoDs, I become Linux supremacist.
2100 - hired for data analysis role.
2130 - start job, see absolute disregard for employee data privacy by client. Decide that privacy of my personal data from other companies is important to me. Started watching F1.
2150 - jump ship to startup, as an AI developer. Enjoyable job in a field that I'm incompetent in. Started working with LineageOS.
2200 - personal laptop died. Experiments with LineageOS indefinitely halted, although I would still use it. Stopped hating myself.
2240 - beat the scalpers by luck and bought a Raspberry Pi. Began work on setting up Nextcloud.
2300 - actually love myself again.
2330 - I finally gave up on the friends-after-lovers charade with my ex-girlfriend for my own mental health.
2340 - permanent WFH!

It's been a very unorganized first quarter of a life, and I feel like I haven't got much to show for it. I also often feel like I threw away my career at the first opportunity. However, just because I'm not where I want to be doesn't mean I can't work towards getting there. And I owe it to myself to try.

Here's to 24. Here's to Day 2. Here's to building a life worth living.

Long version here