The Mandelbear's Musings

Down the Rabbit Hole

Sun, 04 Dec 2022 05:55:06 GMT

1: The Turing Machine

So, Wednesday I looked at Wikipedia's front page and saw, under the "On this day" heading:

1936 – English mathematician Alan Turing published the first details of the Turing machine (model pictured), an abstract device that can simulate the logic of any computer algorithm by manipulating symbols.

It was the ""model pictured" that grabbed me. The caption was/is "A physical Turing machine model. A true Turing machine would have unlimited tape on both sides, however, physical models can only have a finite amount of tape."

I knew that -- everyone who studies computer science knows that, and a few have dreamed, as I had, of building a physical model. I even figured out how to build one out of wood, minus a few details. But there it was.

(If you're not interested in the details, you can skip this and the other indented blocks. But I digress...)
A Turing Machine is a remarkably simple device. It has a read head, a write head, a strip of tape that they operate on, and a controller with a finite number of states. It can read what's on the tape -- the classic machine uses blank, "0", and "1". (Some versions use "X" instead of "1", and some dispense with "0" and just have 1 and blank. That makes programming them a little more complicated, but not by much. Some have more symbols. It doesn't matter -- you can program around it.) The machine can move the tape backward and forward. Numbers are usually represented in Unary, so you count "1", "11", "111", ..., although with both 1 and 0 you could use binary, and some versions do.
The machine has a "state", which selects a line in the machine's program that tells it what to write, which direction to move the tape, and which state to go to next, depending on what symbol the read head is looking at. (Think of the table as a drum with pegs on it, like a music box.)
That's it. That's all you need to compute any function that can be computed by any kind of mechanical or digital computer. Of course you may need a lot of tape -- so you need to attach it to a tape factory -- and a lot of time.

The critical thing is that it's possible to design a universal Turing machine: it takes a tape, and the state table of a Turing machine (in 1's, 0's and blanks), and it uses that description to do exactly what that machine is programmed to do. Turing's big accomplishment was using the universal Turing machine to prove that there some things that a computer can't do, no matter how much time and tape you give it.

But of course I was much more fascinated by the machines, starting at the website of the model that first grabbed my attention., and proceeding to a Turing machine made of legos. I spent some time in the Turing machine gallery. But the rabbit hole went deeper than that.

2: The Universal Constructor

At about that point it ocurred to me to look at the Wikipedia page for the Von Neumann universal constructor. Because once you have a kind of machine that can simulate itself, the natural question is whether you can have a machine that can build a copy of itself.

The trivial answer to this question is "Yes, of course. Cells have been reproducing themselves for billions of years." But in the 1940s when von Neumann was thinking about this, the structure of DNA had not yet been determined -- that was 1953 -- and although it had been known since the late 1920s that DNA had something to do with heredity, nobody knew how it worked. So his insight into the machinery of reproduction was pretty remarkable.

Like Turing's insight into the machinery of computation, von Neumann's insight into the machinery of reproduction was to separate the machine -- the Universal Constructor -- from the description of what it was to construct, stored on something simple -- a tape.

Von Neumann's machine was/is a cellular automaton; it "lived" (if you can call it that) on a grid of squares, where each square can be in one of 29 different states, with rules that tell it what to do depending on the states of its neighbors. A completely working machine wasn't simulated until 1995. Its constructor had 6329 32-state cells, and a tape with a length of 145,315. It took it over 63 billion timesteps to copy itself. (Smaller and faster versions have been constructed since then).

At, say, 1000 steps/second, that would have taken over two years. It wasn't until 2008 that a program, Golly, became able to simulate it using the hashlife algorithm; it now takes only a few minutes.

Which led me even further down the rabbit hole. Because no discussion of cellular automata would be complete without Conway's Game of Life.

3: The Game of Life

It's not really a game, of course, it's a cellular automaton. Each cell in the square grid is either dead or alive. You start with an arrangement of live cells, and turn them loose according to four simple rules:

If a live cell has fewer than two live neighbors (out of the 8 cells surrounding it), it dies of loneliness.

A live cell with two or three live neighbors, stays alive.

A live cell with more than three live neighbors dies of overpopulation.

A dead cell with exactly three live neighbors becomes live.

I first encountered the game in the October 1970 issue of Scientific American, in Martin Gardner's "Mathematical Games" column. The Wikipedia article gives a good introduction.

Patterns in Life evolve in a bewildering variety of ways. Many of them die out quickly -- an isolated cell, for example. Some patterns sit there and do nothing -- they're called "still lifes". A 2x2 block of cells for an example. Some blow up unpredictably, and may or may not leave a pile of random still lifes behind. Some patterns oscillate: a horizontal row of three cells will become a vertical row in the next turn, and vice versa -- it's called a "blinker".

And some patterns move. The simplest, called a "glider", appears in this post's icon. You can crash gliders into blocks or gliders into gliders, and depending on the timing they will do different interesting things. It didn't take people long to figure out that you can build computers, including a universal Turing machine. Or a machine that prints out the digits of Pi.

Or a universal constructor.

4: The universal constructor

While I was falling into this rabbit hole, I happened to remember a passing mention of a universal constructor that can build anything at all out of exactly 15 gliders. (Strictly speaking, anything that can be constructed by crashing gliders together. Some patterns can't be made that way. But almost all the complicated and interesting ones that people are building these days can.) If this intrigues you, go read the article. Or wait until the next section, where I finally get to the bottom of the rabbit hole.

On the way down I encountered lots of weird things -- the aforementioned universal Turing machine and Pi printer, and a variety of "spaceships" that travel by, in effect, repeatedly constructing a new copy of themselves, then cleaning up the old copy. It took a while for me to get my head around that.

Then, sometime Wednesday evening, I found the book.

5: The Book of Life

It's not called "The Book of Life", of course, it's called Conway's Game of Life: Mathematics and Construction. But you get the idea. You can download the PDF.

The book ends with a pattern that simulates a Life cell. There are several different versions of this; this is the latest. It works by making copies of itself in any neighboring cells that are coming alive, then destroying itself if it's about to die. Wild.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

What Were You Thinking, Patreon?

Sun, 11 Sep 2022 02:23:28 GMT

So, a couple of days ago (September 8th, to be exact) Patreon laid off their entire five-person security team. WTF? The linked article goes on to say,

The firm, which is still doing business in Russia, simply calls it “a strategic shift” (which seems to be corporate mumbo-jumbo for “cheaper outsourcing”). But infosec experts call it a “nightmare” caused by an “untrustworthy” company that’s “just put a massive target on its back.”

You can see links to more articles below in the resources.

The minimum reasonable response to this would be to change your password. Done that. It's not unreasonable to delete your account. I'm still supporting a few sites, so I'll leave my account in place until I see what's going to happen. And laying in a supply of popcorn.

Resources

@ Patreon confirms it 'parted ways' with its 'entire' cyber security team | IT PRO
Patreon confirms security team layoffs | TechCrunch
Patreon Fires its Security Team — and the Internet Freaks Out
Patreon Just Let Its Entire Security Team Go [Updated]
Should You Delete Your Patreon Account After They Laid Off Their Entire Security Team? - Dhole Moments -> excellent discussion of risks and alternatives -> changed password. Probably ought to delete account too, but I'm using it.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Update Zoom on Mac ASAP

Tue, 16 Aug 2022 18:25:05 GMT

According to this article posted yesterday on Ars Technica, there is a major security hole in Zoom for the Mac. Zoom issued a security bulletin on Saturday. The article suggests that you should download the update directly from Zoom or click on your menu bar options to "Check for updates" rather than waiting for the auto-update, although if you've already updated since Saturday you're probably ok.

The article goes into more detail; tl;dr is that Zoom's installer is owned by and runs as root, and has a major bug that allows unsigned updates to be installed.

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Which tax software platform should I use this year?

Wed, 19 Jan 2022 02:56:00 GMT

I've been using the same software for doing my taxes for somewhere around 30 years. It was called TaxCut back then; the company that made it was bought by H&R Block in 1993, though they didn't rename the software until 2008. For much, if not all, of that time I've been doing it on a Mac of some sort.

Last year I looked at the system requirements and discovered that it would no longer run on my ageing Mac Mini. It also wouldn't run on Windows 7. It needed either NacOS High Sierra or Windows 8.1. So I used their web version, which I remember as rather slow, and enough different from the offline version of previous years to be annoying.

So for this year (which is to say tax year 2021), my options would appear to be:

Use the web version again. Ugh, but at least it would import 2020 without trouble. Maybe. It didn't let me upload a 2019 data file; I had to feed it a PDF and do a lot of fixing up.
Run it on the laptop that has Win 8.1, or put the Win 10 disk that came with (new) Sable back in and use that. Ugh.
Buy a newer Mac Mini. I could get a minimal one for about $100-150, or a more recent one (running Mojave) for around $200-250. (Those are eBay prices, of course.)

(Note that cost of the software is the same for all three options.)

I'm really leaning toward #3. But really that would just be an excuse to buy another computer, and would leave me with two Mac Minis that I'd hardly ever use. More likely I'll dither about it until the end of March and then break down and go use the web version again.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Trojan Source

Wed, 03 Nov 2021 04:04:04 GMT

This post in Krebs on Security describes an unusual and potentially very dangerous attack technique that can be used to sneak evil code past code reviews and into the supply chain. Briefly, it allows evildoers to write code that looks very different to a human and a compiler. It should probably come as no surprise that it involves Unicode, the same coding standard that lets you make blog posts that include inline emoji, or mix text in English and Arabic.

In particular, it's the latter ability that the vulnerability targets, specifically Unicode's "Bidi" algorithm for presenting a mix of left-to-right and right-to-left text. (Read the Bidi article for details and examples -- I'm not going to try plopping random text in languages I don't know into the middle of a blog post.)

Now go read the "Trojan Source Attacks" website, and the associated paper [PDF] and GitHub repo. Observe, in particular, the Warning about bidirectional Unicode text that GitHub now attaches to files like this one in C++. Observe also that GitHub does not flag files that, for example, mix homoglyphs like "H" (the usual ASCII version) and "Н" (the similar-looking Cyrillic letter that sounds like "N"; how similar it looks depends on what font your browser is using). If you're unlucky, you might have clicked on a URL containing one or more of these, that took you someplace unexpected and almost certainly malicious.

The Trojan Source attack works by making use of the control characters U+202B RIGHT-TO-LEFT EMBEDDING (RLE) and U+202A LEFT-TO-RIGHT EMBEDDING (LRE), which change the base direction explicitly.

And remember: ШYSINAШYG - What You See Is Not Always What You've Got!

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

What happened to facebook yesterday?

Wed, 06 Oct 2021 23:06:49 GMT

If you're sensible enough not to use Facebook, WhatsApp, or Instagram, or to have set up "log in with Facebook" on any site you use regularly, you might not have noticed that they all disappeared from the internet for about six hours yesterday. Or if you noticed, you might not have cared. But you might have read some of the news about it, and wondered what the heck BGP and DNS are, and what they had to do with it all.

And if not, I'm going to tell you anyway.

You're more likely to have heard of DNS: that's the Internet's phone book. Your web browser, and every other program that connects to anything over the Internet, uses the Domain Name System to look up a "domain name" like, say, "www.facebook.com", and find the numerical IP address that it refers to. DNS works by splitting the name into parts, and looking them up in a series of "name servers". First it looks in a "root server" to find the address of the Top-Level Domain (TLD) server that holds the lookup table for the last part of the name, e.g., "com". From the TLD server it gets the address of the "authoritative name server" that holds the lookup table for the next part of the name, e.g., facebook, and looks there for any subdomains (e.g. "www").

(When you buy a "domain name", what you're actually buying is a line in the TLD servers that points to the DNS server for your domain. You also have to get somebody to "host" that server; that's usually also the company that hosts your website, but it doesn't have to be.)

All this takes a while, so the network stack on your computer passes the whole process off to a "caching name server" which remembers every domain name it looks up, for a time which is called the name's "time to live" (TTL). Your ISP has a caching name server they would like you to use, but I'd recommend telling your router (if you have full control over it) to use Cloudflare's or Google's nameserver, at the IP address 1.1.1.1 or 8.8.8.8 respectively. Your router will also keep track of the names of the computers attached to your local network.

Finally, we get to the Border Gateway Protocol (BGP). If DNS is the phone book where you look up street addresses, BGP is the road map that tells your packets how to get there from your house, and in particular what route to take.

The Internet is a network of networks, and it's split up into "autonomous systems (AS), each of which is a large pool of routers belonging to a single organization. Each AS exchanges messages with its neighbors, using BGP to determine the "best" route between the itself and every other AS in the Internet. (The best route isn't always the shortest; the protocol can also take things like the cost of messages into account.) BGP isn't entirely automatic -- there's some manual configuration involved.

What happened yesterday was that somebody at Facebook accidentally gave a command that resulted in all the routes leading to Facebook's data centers being withdrawn. In less than a minute Facebook's DNS servers noticed that their network was "unhealthy", and took themselves offline. At that point Facebook had basically shot themselves in the foot with a cannon.

Normally, engineers can fix server configuration problems like this by connecting to the servers over the internet. But Facebook's servers weren't connected to the internet anymore. To make matters worse, the computers that control access to Facebook's buildings -- offices as well as data centers -- weren't able to connect to the database that told them whose badges were valid.

Meanwhile, computers that wanted to look up Facebook or any of its other domains (like WhatsApp and Instagram), kept getting DNS failures. There isn't a good way for an app or a computer to determine whether a DNS lookup failure is temporary or permanent, so they keep re-trying, sometimes (as Cloudflare's blog post puts it) "aggressively". Users don't usually take an error for an answer either, so they keep reloading pages, restarting their browsers, and so on. "Sometimes also aggressively." Traffic to Facebook's DNS servers increased to 30 times normal, and traffic to alternatives like Signal, Twitter, Telegram, and Tiktok nearly doubled.

Altogether a nice demonstration of Facebook's monopoly power, and great fun to read about if you weren't relying on it.

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Public Service Announcement: Things to watch out for

Wed, 29 Sep 2021 23:34:59 GMT

A rather mixed bag of things that, arguably, I should have written about a week ago.

1: the Let's Encrypt root certificate.

Hopefully this won't affect you, but if your browser starts complaining about websites suddenly being untrusted, you need to upgrade. The problem is that Let's Encrypt's root certificate is expiring, and will be replaced by a new one (see the link above for details). Starting October 1^st, browsers and other programs that rely on the old cert will have problems if they haven't been upgraded in the last year.

You keep your OS and your browser up to date, right? There are some old apps and operating systems that are no longer receiving upgrades, and so won't know about the new root cert. Specifically, if you're using one of these products:

OpenSSL <= 1.0.2, Windows < XP SP3, macOS < 10.12.1, iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10), Android < 7.1.1 (but >= 2.3.6 will still mostly work), Mozilla Firefox < 50, Ubuntu < 16.04, Debian < 8, Java 8 < 8u141, Java 7 < 7u151, NSS < 3.26, Amazon FireOS (Silk Browser).
Possibly, Cyanogen > v10, Jolla Sailfish OS > v1.1.2.16, Kindle > v3.4.1, Blackberry >= 10.3.3, PS4 game console with firmware >= 5.00, IIS

(You can probably uptrade to the newest Firefox or switch to a recent version of Chrome, which will restore your ability to browse the web, but a few other things might still fail. (For example, Firefox will keep working on my ancient Mac Mini, but Safari probably won't.)

The following articles go into a lot more detail; you can get a good overview from the first two:

Smart TVs, fridges and light bulbs may stop working next year: Here's why An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher • The Register The Impending Doom of Expiring Root CAs and Legacy Clients Let's Encrypt's Root Certificate is expiring! Certificate Compatibility - Let's Encrypt

2. Phillips Respironics CPAP recall:

If you're using a CPAP made by Phillips Respironics, hopefully you've already seen the Recall Notification [PDF]. I missed it, through my habit of ignoring notifications in the Dreamstation app and website. The email I got from Medicare says:

If you own or rent one of the Philips products that was recalled, talk to your doctor as soon as possible about whether to continue using your recalled equipment. If you would like to replace or repair your equipment, the supplier you bought the equipment from is responsible for replacing or repairing rental equipment at no cost to you when the equipment is less than 5 years old.

If, like me, you insist on continuing to use your facehugger, install an antibacterial filter, which will keep little bits of soundproofing foam out of your lungs. This is probably only necessary if you've been using ozone to clean your device, but I decided not to take chances.

3. Chevrolet Bolt EV recall:

If you own a Bolt, you should have received several letters about this recall. Hopefully you haven't been throwing them away unread, but if you have, you'll want to enable "hilltop reserve" to limit your charging to 90%, don't run your battery down below about 70 miles, park outside immediately after charging, and don't leave your Bolt charging indoors overnight. "Experts from GM and LG have identified the simultaneous presence of two rare manufacturing defects in the same battery cell as the root cause of battery fires in certain Chevrolet Bolt EVs." You don't want to take chances with battery fires. They're nasty; lithium is perfectly capable of burning under water.

Be safe out there.

On a more hopeful(? helpful, at least) note, dialecticdreamer has posted Demifiction: Breaking Omaha!, which despite being set in a fictional universe contains a lot of practical advice for disaster preparedness.

comments

Finding ELIZA

Sun, 06 Jun 2021 00:59:57 GMT

Note: Despite being posted on a Saturday and a title that includes the name of a a character from a well-known musical, this is not a Songs for Saturday post. It doesn't have anything to do with fish, either.

Remarkably, Joseph Weizenbaum's original source code for ELIZA has been rediscovered, after having been missing and believed lost for over half a century, and was made public on May 23rd of this year. ELIZA is probably the oldest and almost certainly the best-known implementation of what is now known as a chatbot.

If you decide to look at the code, start by reading the web page it's embedded in before you dive into the listing. The "Notes on reading the code" section, which comes after the listing, will prevent a lot of confusion. The listing itself is a scan of a 132-column listing, and definitely benefits from being viewed full-screen on a large monitor.

The first thing you see in the listing is the script -- the set of rules that tells the ELIZA program how to respond to input. The program itself starts on page 6. You might be misled by the rules, which are in the form of parenthesized lists, into thinking that the program would be written in LISP. It's not; it's written in MAD, an Algol-like language, with Weisenbaum's SLIP (Symmetric List Processing) primitives embedded in it.

SLIP uses circular, bidirectionally-linked lists. Each list has a header with pointers to the first and last list element; the header of an empty list points to itself. I've lost track of how many times I've implemented doubly-linked lists, in everything from assembly language to Java.

ELIZA is the name of the program, but "Eliza" usually refers to the combination of an Eliza-like program with the Doctor script. The most common script is a (rather poor) simulation of a Rogerian psychotherapist called "Doctor". According to the note at the bottom of the Original Eliza page, actual Rogerian therapists have pronounced it a perfect example of how not to do Rogerian therapy. Nevertheless, many people are said to have been helped by ELIZA, and it's possible to have a surprisingly intimate conversation with her as long as you suspend your disbelief and respect her limits.

If you have Emacs installed on your computer, you can access a version of Doctor with M-X doctor. Otherwise, browse to Eliza, Computer Therapist if you don't mind having a potentially intimate conversation with something hosted on a public website. (Or simply download the page -- it's written in Javascript.)

Resources

ELIZAGEN -- The Genealogy of ELIZA "This site is dedicated to tracing the legacy ofJoseph Weizenbaum's ELIZA (aka. Doctor) program."
ELIZAGEN - The Original ELIZA - the source code.
anthay/ELIZA: A Simulation in C++ of Joseph Weizenbaum’s 1966 ELIZA by Anthony Hay. The README includes both a copy of the transcript published in Wizenbaum's CACM article in 1966, and a detailed description of the script syntax and how it works.
MAD (Michigan Algorithm Decoder) manual by Elliott Organick (1961).
GNU gSlip [PDF Manual(738K)] for C++.
doctor.el\play\lisp - emacs.git - Emacs source repository - the Doctor program as implemented in Emacs LISP.
Eliza, Computer Therapist in Javascript

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Operation Exchange Marauder

Sat, 06 Mar 2021 06:45:20 GMT

If you happen to be the administrator of a Microsoft Exchange Server that can be accessed from the internet, you need to immediately

Apply the patches that Microsoft released on Tuesday: Multiple Security Updates Released for Exchange Server – updated March 5, 2021 – Microsoft Security Response Center
Use this script (on GitHub) to scan your logs, as described in HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security to determine whether you are one of the at least 30,000 organizations that have been hacked via the holes you just patched (see Step 1). (You did patch them, right?) If you are,...
Figure out what it means to your organization that all of your organization's internal email is now sitting on a disk somewhere in China. If that sounds like A Very Bad Thing,...
Panic.

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

RIP Fry's Electronics -- the end of an era

Wed, 24 Feb 2021 21:18:59 GMT

Today I was shocked to read that Fry's Electronics has gone out of business, as of midnight last night (February 24th). Their web page has the announcement:

After nearly 36 years in business as the one-stop-shop and online resource for high-tech professionals across nine states and 31 stores, Fry’s Electronics, Inc. (“Fry’s” or “Company”), has made the difficult decision to shut down its operations and close its business permanently as a result of changes in the retail industry and the challenges posed by the Covid-19 pandemic. The Company will implement the shut down through an orderly wind down process that it believes will be in the best interests of the Company, its creditors, and other stakeholders.

It's a sad, sad day. Their first ad, a full page in the San Jose Mercury-News, was like nothing seen before (or since), listing computer chips and potato chips on the same page. (Its relationship to Fry's Food and Drug, which had recently been sold by the founders' father, was obvious.) As time went by the groceries largely disappeared, but soft drinks and munchies remained, and some of the larger stores included a cafeé.

I (snail) mailed a copy of that first ad to my father, and that first Sunnyvale store was one of the tourist attractions we visited on his next visit to the West Coast. I have no idea how much money I spent there over the years.

After I moved to Washington in 2012 my visits to Fry's became much less frequent, and more of my electronics started coming from Amazon. It's been years since I saw the inside of a Fry's store.

I'll miss it.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Dependency Confusion

Wed, 17 Feb 2021 02:56:23 GMT

I've always been a little uncomfortable about build systems and languages that start the build by going out to a package repository and pulling down the most recent (minor or patch) version of every one of the package's dependencies. Followed by all of their dependencies. The best-known of these are probably Python's pip package manager, Javascript's npm (node package manager), and Ruby's gems. They're quite impressive to watch, as they fetch package after package from their repository and include it in the program or web page being built. What could possibly go wrong?

Plenty, as it turns out.

The best-known technique for taking advantage of a package manager is typosquatting -- picking a name for a malware package that's a plausible misspelling of a real one, and waiting for someone to make a typo. (It's an adaptation of the same technique from DNS - picking a domain name close to that of some popular site in hopes of siphoning off some of the legitimate site's traffic. These days it's common for companies to typosquat their own domains before somebody else does -- facbook.com redirects to FB, for example.)

A few days ago, Alex Birsan published "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies", describing a new attack that relies on the way package managers like npm resolve dependencies, by looking for and fetching the most recent compatible version (i.e. with the same major version) of every package, and the fact that they can be made to look in more than one repository.

Fetching the most recent minor version of a package is usually perfectly safe; packages have owners, and only the owner can upload a new version to the repository. (There have been a few cases where somebody has gotten tired of maintaining a popular package, and transferred ownership to someone who turned out to be, shall we say, less than reliable.)

The problem comes if, like most large companies and many small ones, you have a private repository that some of your packages come from. The package manager looks in both places, public and private, for the most recent version. If an attacker somehow gets the name and version number of a private package that doesn't exist in the public repository, they can upload a bogus package with the same name and a later version.

It turns out that the names and versions of private packages can be leaked in a wide variety of ways. The simplest turns out to be looking in your target's web apps -- apparently it's not uncommon to find a copy of a `package.json` left in the app's JavaScript by the build process. Birsan goes into detail on this and other sources of information.

Microsoft has published 3 Ways to Mitigate Risk When Using Private Package Feeds, so that's a good place to look if you have this problem and want to fix it. (Hint: you really want to fix it.) Tl;dr: by far the simplest fix is to have one private repo that includes both your private packages, and all of the public packages your software depends on. Point your package manager at that. Updating the repo to get the most recent public versions is left as an exercise for the reader; if I was doing it I'd just make a set of dummy package that depend on them.

Happy hacking!

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Songs for Saturday: Today is Babbage's birthday

Sat, 26 Dec 2020 20:30:36 GMT

Not only is today Boxing Day, it's also the birthday of Charles Babbage: December 26, 1791. He invented the stored-program digital computer, which he called the Analytical Engine. That also makes the Analytical Engine the first unfinished computer project (unless you count Babbage's Difference Engine, but that wasn't a general-purpose computer). Contrary to popular belief, the mechanical precision of the time was quite capable of producing it (proved by the full implementation of the Difference Engine, using 1820s-level technology, in the 1990s), but the machining proved much more expensive than expected, and the project eventually ran out of funding. It's an old story.

But this post isn't about Babbage, or the Difference Engine -- this post is about a song I wrote back in 1985 called Uncle Ernie's [ogg][mp3], and that in turn was directly inspired by Mike Quinn Electronics, a surplus joint located in a run-down old building at the Oakland airport, run by a guy named Mike Quinn. I had to search for the name of the store; everyone just called it "Quinn's". There's a good description of the place in "Mighty Quinn and the IMSAI connection" on The Official IMSAI Home Page. As far as I know there is no connection to "Quinn the Eskimo" by Bob Dylan besides the title.

At one point Quinn's had a Bendix G-15 for sale, with a price tag just short of $1000. Unlike the one I first learned programming on, it had magtape drives as well as paper tape. Somebody eventually bought it; I hope they gave it a good home. That's almost certainly the origin of the line about magtape drives in the second verse. A 7090 would have occupied the entire building.

Almost all of the other computers mentioned -- Altair, Imsai, Apple 3, PC Junior, Heathkit Hero (yes, Heath sold robot kits back in the 1980s) -- were also quite real, and some of the smaller ones almost certainly did show up at Quinn's from time to time, especially the Imsai and Altair, which were sold in kit form. The only thing I made up completely was the temperature controller in verse three. The only one I actually used was the 7090 (or rather its successor, the 7094, but that wouldn't have scanned).

( lyrics, if you don't want to click through: )

comments

More on branch name changes

Sat, 28 Nov 2020 04:38:49 GMT

You may remember this post about renaming the default branch in Git repositories. Since then I've done some script writing -- they say you don't really understand a process until you can write a program that does it, and this was no exception. (There are lots of exceptions, actually, but that's rather beside the point of this post...)

Anyway, here's what I think is the best way to rename master to main in a clone of a repository where that rename has already been done. (That's a common case anywhere you have multiple developers, each with their own clone, or one developer like me who works on a different laptop depending on the time of day and where the cats are sitting.)

     git fetch
     git branch -m master main
     git branch -u origin/main main
     git remote set-head origin main
     git remote prune origin

The interesting part is why this is the best way I've found of doing it: 1. It works even if master isn't the current branch, or if it's out of date or diverged from upstream. 2. It doesn't print extraneous warnings or fail with an error. Neither of those is a problem if you're doing everything manually, but it can be annoying or fatal in a script. So here it is again, with commentary:

git fetch -- you have to do this first, or the git branch -u ... line will fail because git will think you're setting upstream to a branch that doesn't exist on the origin.

git branch -m master main -- note that the renamed branch will still be tracking master. We fix that with...

git branch -u origin/main main -- many of the pages I've seen use git push -u..., but the push isn't necessary and has several different ways it can fail, for example if the current branch isn't main or if it isn't up to date.

git remote set-head origin main -- This sets main as the default branch, so things like git push will work without naming the branch. You can use -a for "automatic" instead of the branch name, but why make git do extra work? Many of the posts I've seen use the following low-level command, which works but isn't very clear and relies on implementation details you shouldn't have to bother with:

    git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main

git remote prune origin -- I've seen people suggesting git fetch --prune, but we already did the fetch way back in step 1. Alternatively, we could use --prune on that first fetch, but then git will complain about master tracking a branch that doesn't exist. It still works, but it's annoying in a script.

Just as an aside because I think it's amusing: my former employer (a large online retailer) used and probably still uses "mainline" for the default branch, and I've seen people suggesting as an alternative to "main". It is, if anything, more jarring than "master" for someone who has previously encountered "mainlining" only in the context of self-administered street drugs.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

How to Git out of trouble (part 1)

Wed, 11 Nov 2020 04:30:58 GMT

Hopefully, this post will become the first of a series about solving various common problems with Git. Note that the grouping in that phrase is intentionally ambiguous – it could be either “(solving various common problems) with Git”, or “solving (various common problems with Git)”, and I expect to cover both meanings. Often there are aspects of both: Git got you into trouble, and you need to use Git to get yourself out of it.

“It is easy to shoot your foot off with git, but also easy to revert to a previous foot and merge it with your current leg.” —Jack William Bell

In many cases, though, this will involve git rebase rather than merge, and I think “rebase it onto your current leg” reads better.

Overcoming your fear of `git rebase`

Many introductions to Git leave out rebase, either because the author considers it an “advanced technique”, or because “it changes history” and the author thinks that it’s undesirable to do so. The latter is undermined by the fact that they usually do talk about git commit --amend. But, like amend, rebase lets you correct mistakes that you would otherwise simply have to live with, and avoid some situations that you would have a lot of trouble backing out of.

In order to rebase fearlessly, you only need to follow these simple rules:

Always commit your changes before you pull, merge, rebase, or check out another branch! If you have your changes committed, you can always back out with git reset if something goes wrong. Stashing also works, because git stash commits your work in progress before resetting back to the last commit.
Never rebase or amend a commit that’s already been pushed to a shared branch! You can undo changes that were pushed by mistake with git revert. (There are a few cases where you really have to force-push changes, for example if you foolishly commit a configuration file that has passwords in it. It’s a huge hassle, and everyone else on your team will be annoyed at you. If you’re working on a personal project, you’ll be annoyed at yourself, which might be even worse.)
If you’re collaborating, do your work on a feature branch. You can use amend and rebase to clean it up before you merge it. You can even share it with a teammate (although it might be simpler to email a patch set).

That last rule is a lot less important if you’re working by yourself, but it’s still a good idea if you want to keep your history clean and understandable – see Why and How To Keep Your Master Happy. And remember that you’re effectively collaborating if your project is on GitHub or GitLab, even if nobody’s forked it yet.

Push rejected (not fast forward)

One common situation where you may want to rebase is when you try to push a commit and it gets rejected because there’s another commit on the remote repo. You can detect this situation without actually trying to push – just use git fetch followed by git status.

I get into this situation all the time with my to-do file, because I make my updates on the master branch and I have one laptop on my desk and a different one in my bedroom, and sometimes I make and commit some changes without pulling first to sync up. This usually happens before I’ve had my first cup of coffee.

The quick fix is git pull --rebase. Now all of the changes you made are sitting on top of the commit you just pulled, and it’s safe for you to push. If you’re developing software, be sure to run all your tests first, and take a close look at the files that were merged. Just because Git is happy with your rebase or merge, that doesn’t mean that something didn’t go subtly wrong.

Pull before pushing changes

I get into a similar situation at bedtime if I try to pull the day’s updates and discover that I hadn’t pushed the changes I made the previous night, resulting in either a merge commit that I didn’t want, or merge conflicts that I really didn’t want. You can avoid this problem by always using git pull --rebase (and you can set the config variable pull.rebase to true to make that the default, but it’sa little risky). But you can also fix the problem.

If you have a conflict, you can back get out of it with git merge --abort. (Remember that pull is just shorthand for fetch followed by merge.) If the merge succeeded and made an unwanted merge commit, you can use git reset --hard HEAD^.

Another possibility in this situation is that you have some uncommitted changes. In most cases Git will either go ahead with the merge, or warn you that a locally-modified file will be overwritten by the merge. In the first case, you may have merge conflicts to resolve. In the second, you can stash your changes with git stash, and after the pull has finished, merge them back in with git stash pop. (This combination is almost exactly the same as committing your changes and then rebasing on top of the pulled commit – stash actually makes two hidden commits, one to preserve the working tree, and the other to preserve the index. You can see it in action with gitk --all.

… and I’m going to stop here, because this has been sitting in my drafts folder, almost completely finished, since the middle of January.

Resources

Man page for git-merge
Man page for git-pull
Man page for git-rebase
Man page for git-stash

NaBloPoMo stats:
   5524 words in 11 posts this month (average 502/post)
    967 words in 1 post today

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Renaming master to main in Git

Wed, 04 Nov 2020 06:48:18 GMT

If you've been paying attention to the software-development world, you may have noticed a movement to [remove] racist terms in tech contexts. The most obvious such terms are "master" and "slave", and there are plenty of good alternatives: primary/secondary, main/replica, leader/follower, etc. The one that almost every software developer sees every day is Git's "master" default branch. This issue on GitLab includes some good discussion of what makes "main" the best choice for git. (I've also seen "mainline" used.)

Renaming your master branch is easy. If you have a local repo that isn't a clone of anything (so it doesn't have any remotes), it's a one-liner:

   git branch -m master main

Renaming the default branch on an existing repo is trivial. If it has no remotes, for example if it's purely local or a shared repo on a server you have an ssh account on, it's a one-liner:

   git branch -m master main

It's a little more complicated for a clone, but not much more complicated:

   git branch -m master main
   git push -u origin main
   git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main
   git pull

What you need to do at this point depends on where your origin repo is located. If you've already renamed its default branch, you're done. If you haven't, the git push -u created it. At this point if your origin repo is on GitHub, need to log in and change its default branch from master to main because it won't let you delete its default branch.

Then, delete the old master branch with

   git push --delete master

This works for simple cases. It gets a little more complicated on GitHub because you might have web hooks, pull requests, and so on that still refer to master. GitHub says that renaming master will be a one-step process later in the year, so you may want to wait until then. For less complicated situations, any URLs that reference master will get automatically redirected to main. See this page for details.

I had a slightly different problem: my shared repositories are on my web host, and there are hook scripts that pull from the shared repo into the web directory. My version of the post-update only looks for changes in the master branch. Fortunately that's a one-liner, too:

   ssh HOST sed -i -e s/master/main/g REPO/hooks/post-update

The next problem is creating a new repo with main as the default branch. GitHub already does this, so if you are starting your project there you're good to go. Otherwise, read on:

The Git project has also added a configuration variable, init.defaultBranch, to specify the default branch for new repositories, but it's probably not in many distributions yet. Fortunately, there's a workaround, so if you don't want to wait for your distribution to catch up, you can take advantage of the way git init works, as described in this article by Leigh Brenecki:

Find out where Git keeps the template that git init copies to initialize a new repo. On Ubuntu, that's /usr/share/git-core/templates, but if it isn't there look at the man page for git-init.
Copy it to someplace under your control; I used .config/git/init-template.
cd to the (new) template and create a file called HEAD, containing ref: refs/heads/main.
Set the init.templateDir config variable to point to the new template.

Now when git wants to create a new repo, it will use HEAD to tell it which branch to create. Putting all that together, it looks like:

   cp -a /usr/share/git-core/templates/ ~/.config/git/init-template
   echo ref: refs/heads/main > ~/.config/git/init-template/HEAD
   git config --global init.templateDir ~/.config/git/init-template

You can actually replace that initial copy with mkdir; git is able to fill in the missing pieces. Alternatively, you can add things like a default config file, hooks, and so on.

(I've already updated my configuration repository, Honu, to set up the modified template along with all the other config files it creates. But that probably doesn't help anyone but me.)

Resources

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

NaBloPoMo stats:
   2146 words in 4 posts this month (average 536/post)
    814 words in 1 post today

comments

Keeping backups

Fri, 23 Oct 2020 17:22:29 GMT

It's been a while since I described the way I do backups -- in fact, the only public document I could find on the subject was written in 2006, and things have changed a great deal since then. I believe there have been a few mentions in Dreamwidth and elsewhere, but in this calamitous year it seems prudent to do it again. Especially since I'm starting to feel mortal, and starting to think that some day one of my kids is going to have to grovel through the whole mess and try to make sense of it. (Whether they'll find anything worth keeping or even worth the trouble of looking is, of course, an open question.)

My home file server, a small Linux box called Nova, is backed up by simply copying (almost -- see below) its entire disk to an external hard drive every night. (It's done using rsync, which is efficient because it skips over everything that hasn't been changed since the last copy.) When the disk crashes (it's almost always the internal disk, because the external mirror is idle most of the time) I can (and have, several times) swap in the external drive, make it bootable, order a new drive for the mirror, and I'm done. Or, more likely, buy a new pair of drives that are twice as big for half the price, copy everthing, and archive the better of the old drives. Update it occasionally.

That's not very interesting, but it's not the whole story. I used to make incremental backups -- instead of the mirror drive being an exact copy of the main one, it's a sequence of snapshots (like Apple's Time Machine, for example). There were some problems with that, including the fact because of the way the snapshots were made (using cp -l to copy directories but leave hard links to the files that haven't changed) it takes more space than it needs to, and makes the backup disk very difficult -- not to mention slow -- to copy if it starts flaking out. There are ways of getting around those problems now, but I don't need them.

The classic solution is to keep copies offsite. But I can do better than that because I already have a web host, and I have Git. I need to back up a little.

I noticed that almost everything I was backing up fell into one of three categories:

Files I keep under version control.
Files (mostly large ones, like audio recordings) that never change after they've been created -- recordings of past concerts, my collection of ripped CDs, the masters for my CD, and so on. I accumulate more of them as time goes by, but most of the old ones stick around.
Files I can reconstruct, or that are purely ephemeral -- my browser cache, build products like PDFs, executable code, downloaded install CDs, and of course entire OS, which I can re-install any time I need to in under an hour.

Git's biggest advantage for both version control and backups is that it's distributed -- each working directory has its own repository, and you can have shared repositories as well. In effect, every repository is a backup. In my case the shared repositories are in the cloud on Dreamhost, my web host. There are working trees on Nova (the file server) and on one or more laptops. A few of the more interesting ones have public copies on GitLab and/or GitHub as well. So that takes care of Group 1.

The main reason for using incremental backup or version control is so that you can go back to earlier versions of something if it gets messed up. But the files in group don't change, they just accumulate. So I put all of the files in Group 2 -- the big ones -- into the same directory tree as the Git working trees; the only difference is that they don't have an associated Git repo. I keep thinking I should set up git-annex to manage them, but it doesn't seem necessary. The workflow is very similar to the Git workflow: add something (typically on a laptop), then push it to a shared server. The Rsync commands are in a Makefile, so I don't have to remember them: I just make rsync. (Rsync doesn't copy anything that is already at the destination and hasn't changed since the previous run, and by default it ignores files on the destination that don't have corresponding source files. So I don't have to have a complete copy of my concert recordings (for example) on my laptop, just the one I just made.)

That leaves Group 3 -- the files that don't have to be backed up because they can be reconstructed from version-controlled sources. All of my working trees include a Makefile -- in most cases it's a link to MakeStuff/Makefile -- that builds and installs whatever that tree needs. Programs, web pages, songbooks, what have you. Initial setup of a new machine is done by a package called Honu (Hawaiian for the green sea turtle), which I described a little over a year ago in Sable and the turtles: laptop configuration made easy.

The end result is that "backups" are basically a side-effect of the way I normally work, with frequent small commits that are pushed almost immediately to a shared repo on Dreamhost. The workflow for large files, especially recording projects, is similar, working on my laptop and backing up with Rsync to the file server as I go along. When things are ready, they go up to the web host. Make targets push and rsync simplify the process. Going in the opposite direction, the pull-all command updates everything from the shared repos.

Your mileage may vary.

Resources and references

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Memoir: How I Came to Have an Erdős Number of Seven

Mon, 12 Oct 2020 19:11:06 GMT

I really need to write my memoirs, preferably before my memory deteriorates to the point where I can't. (I am inspired by my mom, who published the third edition of hers last year.) I have, however, given up on the idea of following the King of Hearts' advice to "begin at the beginning, [...] and go on till you come to the end: then stop". (I note in passing that I haven't come to the end yet.) So I'm just going to dive in at whatever point seems interesting at the moment. I'll tag these by year, so that anyone interested (possibly as many as two of you) can sort them out later.

This particular point was suggested by somebody's mention of their Erdős number, so I suppose I ought to explain that first. Content Warning: contains math, which you can safely skip over if you're math-phobic. Deciding which parts to skip is left as an exrcise for the reader.

You have perhaps heard of the parlor game called "Six Degrees of Kevin Bacon", based on the concept of "six degrees of separation". The idea is to start with an actor, and figure out the shortest possible list of movies that links them with Kevin Bacon. The length of that list is the actor's "Bacon number", with Bacon himself having the number zero, anyone who acted in a movie with him having the number one, and so on. As far as I know I don't have a finite Bacon number, but it's not outside the realm of possibility if, as most people do, you include TV shows and so on. I think I've been in at least one brief local TV news item.

But sometime during my senior year at Carleton College, I co-authored a paper with one of my math professors, Ken Wegner, which gave me an Erdős number of 7. The paper, published in 1970 in The American Mathematical Monthly, was "Solutions of Φ(x) = n , Where Φ is Euler's Φ-Function" [Wegner, K., & Savitzky, S. (1970), The American Mathematical Monthly, 77(3), 287-287. doi:10.2307/2317715].

So now I have three things to explain: What is an Erdős number? What is Euler's Φ function? And finally, What was my contribution to the paper?

Erdős number: As you might expect from the introduction about the Bacon Number, a mathematician's Erdős number is the smallest number of co-authored papers connecting them to Paul Erdős (1913–1996), an amazingly prolific (at least 1,525 papers) 20th Century mathematician. He spent the latter part of his life living out of a suitcase, visiting his over 500 collaborators (who thus acquired an Erdős number of 1. The Erdős number was first defined in print in 1969, so about the time I was collaborating with Wegner on Euler's Φ function.

Euler's Φ function, Φ(n), also called the Totient function, is defined as the number of positive integers less or equal to n that are relatively prime to n; or in other words the numbers in the range 1 ≤ k ≤ n for which the greatest common divisor gcd(n,k) = 1. (You will also see it written in lower-case as "φ", or in Latin as "phi".)

The totient function is pretty easy to compute, at least for sufficiently small numbers. The inverse is rather less straightforward, and has been the subject of a considerable number of StackExchange queries. (This answer includes a good set of links.) I was thinking of including some detail about that, and was barely able to keep myself from falling down the usual rabbit-hole, which almost always ends up somewhere in group theory. For example, φ(n) is the order of the multiplicative group of integers modulo n. See what I mean?

My contribution to the paper was not very closely related to the actual mathematics of the problem; what I did was write the computer program that computed and printed out the table of results. That involved a hack. A couple of hacks, actually.

In 1969, Carleton College's computer lab contained an IBM 1620 and a couple of keypunches. The 1620 was fairly primitive even by 1960s standards; its memory consisted of 20,000 6-bit words, with a cycle time of 20 microseconds. Each word contained one BCD-coded decimal digit, a "flag" bit, and a parity check bit. It did arithmetic digit-by-digit using lookup tables for addition and multiplication. It was not particularly fast -- about a million times slower than the CPU in your phone. But it was a lot of fun. Unlike a mainframe, it could sit in one corner of a classroom (if it was air-conditioned), it was (comparatively) inexpensive, and it could stand up to students actually getting their hands on it.

A lot of the fun came from the fact that the 1620's "operating system" was the human operator sitting at the console, which consisted mainly of an electric typewriter and a row of buttons and four "sense switches" that the program could read. If you wanted to run a program, you put a stack of punched cards into the reader and pushed the "load" button, which read a single 80-column card into the first 80 characters of memory, set the program counter to zero, and started running. My program was written in FORTRAN. Not even FORTRAN II. Just FORTRAN.

Computing the table that occupied most of the paper took about a week.

Here's where it gets interesting, because obviously I wasn't the only student who wanted to use the 1620 that week. So I wrote an operating system -- a foreground/background system with my program running in the background, with everyone else's jobs running in the "foreground". That would have been easy except that the 1620 could only run one program at a time. Think about that for a moment.

My "operating system" consisted mainly of a message written on the back of a Hollerith card that said something like: "Flip sense switch 1 and wait for the program to punch out a deck of cards (about a minute). When you're done, put the deck in the reader and press LOAD."

Every time the program went around its main loop, it checked Sense Switch 1, and if it was set, it sent the contents of memory to the card punch. Dumping memory only took one instruction, but it wasn't something you could do from FORTRAN, so I put in a STOP statement (which FORTRAN did have) and changed it to a dump instruction. By scanning the program's object code (remember this is a decimal machine; an instruction took up 12 columns on the card) and replacing the HALT instruction with DUMP.

It worked.

    MR: Collaboration Distance
     MR Erdos Number = 7
     S. R. Savitzky 	  coauthored with    Kenneth W. Wegner 		MR0260667
     Kenneth W. Wegner 	  coauthored with    Mark H. Ingraham 		MR1501805
     Mark H. Ingraham 	  coauthored with    Rudolph E. Langer 		MR1025350
     Rudolph E. Langer 	  coauthored with    Jacob David Tamarkin 	MR1501439
     Jacob David Tamarkin coauthored with    Einar Hille 	        MR1555331
     Einar Hille 	  coauthored with    Gábor Szegő 	        MR0008279
     Gábor Szegő 	  coauthored with    Paul Erdős 	        MR0006783
     MR0260667 points to: K. W. Wegner and S. R. Savitzky, (1970)
     Solutions of φ (x) = n, Where φ is Euler's φ-Function on JSTOR,
     The American Mathematical Monthly, 77(3), 287-287.
     DOI: 10.1080/00029890.1970.11992471.

There are two other numbers of interest: the Shūsaku Number, measuring a Go player's distance from the famous 19th-Century Go player Hon'inbō Shūsaku, and the Sabbath Number, measuring a musician's distance from the band Black Sabbath. I'm pretty sure I have a Sabbath number through filkdom. I definitely have a Shūsaku number of 5 from having lived down the hall from Jim Kerwin, Shūsaku Number 4, my sophomore and junior years at Carleton. That's another story.

And if I expect to write more journal entries about math, I'm going to have to extend my posting software to allow entries written in LaTeX. Hmm.

The Mandelbear's Memoirs

comments

Done Since 2020-09-20

Sun, 27 Sep 2020 20:50:10 GMT

Bad week. Continuing the trend set last week, the filk community lost Lindy Laurant. Meanwhile what used to be a free country continues its descent into theocratic dictatorship with kleptocracy. Colleen's nausea and diarrhea also continued, though somewhat improved over the previous two weeks. The USB connector on my old Thinkpad keyboard died while I was in the process of moving the cable to its replacement. Poor little Cygnus suffered a tea spill, so I ordered a replacement keyboard.

It's a good thing that I keep spare laptops in the house. (I'm always happy to take unwanted computers off your hands.) It's a good thing that I don't actually need Bluetooth to work on Sable.

The week to come isn't likely to be any better.

( Notes & links, as usual )

comments

Review: the Lenovo ThinkPad trackpoint Keyboard II

Sat, 26 Sep 2020 03:15:22 GMT

For some time now I've been eyeing Lenovo's ThinkPad Compact Bluetooth Keyboard with TrackPoint with a mixture of gadget lust and skepticism -- most of the reviews I saw said that the Bluetooth connection had a tendency to be laggy. Combined with the amount of trouble I've been having with Bluetooth on Linux Mint lately, and the lack of a USB connection, and the high price, it's been pretty far down on my list of things to buy.

Anyone who knows my ~~fondness for~~ addiction to Thinkpad keyboards can figure out what was going to happen when Lenovo came out with the ThinkPad TrackPoint Keyboard II, featuring both Bluetooth and a wireless USB dongle, but otherwise looking almost exactly like my wired KU-1255 keyboard and the keyboards on most of my Thinkpad laptops. I discussed that in "The Curmudgeon Contemplates Keyboards", a couple of weeks ago.

It arrived yesterday, much sooner than I'd expected. It's lovely, and just about what I expected. It's hard to go wrong with a Thinkpad keyboard.

Being nearly icon-blind it took me a while to puzzle out the switches, because the quick-start sheet had nothing but a few pictures to explain them. It didn't say anything at all about the "Android/Windows" switch. So I went looking on their tech support website and found nothing but a PDF of the quick-start. Not helpful. (After a day and a half I found a review that explained that it gives F9-F12 Android-specific functions, and indeed I was eventually able to make out the tiny markings above them on the beveled edge of the bezel.)

The website -- and most of the reviews -- also mentioned its support for "6-point entry for the visually impaired", but DDG and Google found nothing except references to this keyboard. Braille, maybe? Whatever. There's nothing about it on the tech-support site.

There are some things I really appreciate as a cat's minion. It's exactly the right size to sit on top of my laptop (Sable is a Thinkpad X230; the keyboards are almost identical) with the lid closed and an external monitor plugged in. If a cat shows signs of wanting to sit on it, I can set it aside (or close the lid), and pick it up later. (I broke the micro-USB connector on one of my wired Thinkpad keyboards, because I often flip it up behind the laptop with the keys away from me -- and the cat.) If a cat does sit on it, the on-off switch is easily reachable on the right-hand side. Much easier than unplugging the cable.

So let's sum up. On the positive side: the wireless USB, Bluetooth, the classic ThinkPad feel and layout, the TrackPoint nub, and two of the three buttons are exactly as I would expect. (The middle button is in the same plane as the two side buttons, and the raised dots are much lower and are no longer blue.) The charging connector is USB-C. I haven't used it long enough to evaluate battery life, but it's been on since yesterday and claims to be at 99%; Lenovo claims two months, so that's believable. It's just the right size to sit on an ultrabook like a Thinkpad X230 with the lid closed.

I'm not sure whether to count the low-contrast markings on the function keys as positive or negative. I've pretty-much abandoned my old emacs key-bindings for them, and some of the functions indicated by the icons are actually useful. I'll get out my label-maker, or label them with white-out.

On the negative side: the USB cable is just for charging. For goodness' sake, how much circuitry would it have taken for it to make that a third connection mode? The documentation is sketchy -- the QuickStart page is nothing but icons and arrows, and for an icon-impaired curmudgeon that's a bit of a problem. Nowhere in the documentation does it explain what the Android/Windows switch is for. There's nothing on Lenovo's tech support website, either. There's no backlight, and the function keys are labeled with low-contrast tiny letters. The dongle is, of course, incompatible with Logitech's, so it uses another USB port. (This is a minor quibble, because I had the slot I unplugged the old keyboard from.)

Some people would make the position of the Fn key, to the left of Ctrl, as a problem. They might also complain about the Page Up and Page Down keys' flanking the Up-Arrow in the inverted T arrangement. Since I've be using Thinkpads since sometime in the last Millennium, and the new page-up/page-down positions for 95% of the last decade, I don't have a problem with either of those -- they're exactly what I want. Some people would miss the trackpad and palm rest; I've been using a wired but otherwise identical keyboard for years, and don't miss them. Your mileage may vary.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Setting Up Sable

Fri, 18 Sep 2020 04:38:54 GMT

Setting up a computer so that it can boot into one of several different Linux distributions is something of a challenge; I haven't done it in quite a long time, and of course hings have changed. You may remember the previous post in this series, in which I discuss the proposed partitioning scheme for Sable's new terrabyte SSD. ( So if that didn't interest you, this probably won't either. )

Resources

The rEFInd Boot Manager.
Booting multiple Ubuntu versions with EFI
Linux on your laptop: A closer look at EFI boot options | ZDNet
Stephen Savitzky / Honu · GitLab (more relevant later in the series).

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Done Since 2020-09-06

Sun, 13 Sep 2020 19:14:30 GMT

Not a good week. Not horrible, either, by contemporary standards, but Colleen spent Monday through Thursday in the hospital with another UTI, and the air quality has gotten progressively worse. Up until today Whidbey Island -- or at least the Oak Harbor measuring station -- has had a slightly lower AQI than most of the surrounding measurements, but today it's solidly up into "Unhealthy" (around 185, though it depends somewhat on which map you're looking at and how you interpolate; the Washington department of Ecology's map has it in the mid-to-high 200s, which is Very Unhealthy). Parts of Seattle are up into the Hazardous range. "Don't breathe anything you can see" -- good advice if you can manage it. I can't.

I've been making progress on upgrading (laptop)Sable to a 1TB SSD and three distributions (Mint/MATE, LMDE/Cinnamon, and UbuntuStudio/Xfce4). The main obstacles are the fact that Mint and UStudio both identify themselves as "ubuntu", so their boot/efi information clobber one another, and the fact that a lot of my setup for (window manager)Xmonad was based on Gnome, which doesn't play well with MATE or Xfce. And some of it was based on the (previously-valid) assumption that I would need only one set of config files per machine. Working on it, and (setup manager)Honu will be the better for it when I'm done. Hopefully this week. I also expect to get a few curmudgeon posts out of it.

I have not been singing nearly as much as (I feel that) I should be. A lot less than is good for me. This is, sadly, typical.

( Notes & links, as usual )

comments

Done Since 2020-08-30

Mon, 07 Sep 2020 05:53:28 GMT

A week. Mostly spent caring for Colleen, doing household chores, Getting A Few Things Done, making sure everything on Sable is ready to be replaced with fresh installs, and researching how to set up a computer to boot multiple OSs using EFI and the GPT partition table format. Documentation for this is thinner on the ground than one would like. (I started actually doing it today.)

Things that Got Done included ordering two new Thinkpad keyboards (the Bluetooth one will ship in "more than five weeks", which is why I ordered the other one), calling a handyman to (finally) make a concrete pad for the end of the ramp to replace the gravel nightmare that's there now, and writing a few posts. Actually, five posts, which is a little more than usual. Between the writing and various computer tasks I was actually able to get into flow a few times, which is good and keeps me from looking at the news.

... and Mom's not doing all that well. I mean, she's doing really well for someone who's 99 years old and on hospice care, but that's not really saying very much.

( Notes & links, as usual )

comments

The Curmudgeon Thinks Out Loud

Sat, 05 Sep 2020 05:07:25 GMT

...about disk partitioning. Content warning: rather specialized geekness. If that's not something you're into, you might want to skip this.
( tl;dr )

Dreamwidth makes an excellent rubber duck -- thanks for listening.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

The Curmudgeon Contemplates Keyboards

Wed, 02 Sep 2020 18:36:27 GMT

For the last week or two my external keyboard has been flaking out -- dropping keystrokes, and occasionally barfing out a string of repeats. The cats, of course, know nothing about this. Or will admit to nothing, in any case. So yesterday, after determining that a blast of canned difluoroethane wasn't going to fix it, I finally started to think seriously about replacing it.

The keyboard has only a limited set of plausible replacements, because there are only two types of external keyboard that I can stand: the Model M and the ThinkPad TrackPoint Keyboard. The Model M and the oldest of the Thinkpad keyboards (the marvelous SK-8845 Ultranav) can be dismissed out of hand because they lack a logo key, which I've gotten used to using as Xmonad's Mod key. Most Model Ms lack a trackpoint, although I have one that has it -- and two PS-2 connectors on the cable. Besices, I'm not positive that I can find my Model M at this point, and it takes up a lot of desk space that I don't have anymore.

The second generation of Thinkpad keyboards -- the SK-8855 -- have a logo key, and an attached USB cable that stows into a recess on the back, but have the page-up and page-down keys on the right-hand edge, in what has become, for me, the wrong place. That makes them just enough different from the keyboards on the newer Thinkpads that it's annoying. I have one that I'd consider using anyway, but it's broken; my second one is out on loan.

(You might well ask why, since both of the laptops I'm using -- Sable and Raven -- are Thinkpads with the right keyboard, I would be looking at external keyboards. I blame the cats. If I have an external keyboard and an external monitor on my desk, I can close the lid and let Desti sit on it. Come to think of it, that may be why I need a replacement keyboard in the first place.)

There are three Thinkpad keyboards with the new layout -- the KU-1255, which is what I'm looking to replace, the Bluetooth version, and the shiny new ThinkPad TrackPoint Keyboard II. The Bluetooth version has gotten poor reviews -- apparently it tends to be laggy -- and in any case one of the laptops it needs to go with doesn't have Bluetooth. (I know -- dongles. I'm also running out of USB ports.) The Keyboard II has both Bluetooth and a wireless USB dongle. (It would, of course, be ideal if it were compatible with Logitech's, but of course it wouldn't be.)

I was just about to order one when I saw this line on Lenovo's website:

Ships in more than 5 weeks.

So it looks as though I get to spend $60 on a KU-1255 to use while I'm waiting. Or instead. Or maybe an SK-8855, because they have an attached USB cable instead of requiring a (fragile) micro-USB, except that those appear to be made of unobtainium today. And I can get the KU-1255 from Amazon and have it delivered tomorrow.

Just for the record, here's what I like (and some reviewers detest, of course) about the newer Thinkpad keyboards:

Page-up and page-down keys. (Many -- perhaps most -- newer compact keyboards require using the function key on the up and down arrows, which makes it hard to hit one-handed. Because cat.)
The cursor keys are all in one place on the lower right: the arrows in an inverted-T arrangement, with the page-up and page-down on either side of the up-arrow in what practically every other keyboard leaves as empty space. Huh?
Trackpoint -- the little red pointing stick between the G, H, and B keys. I don't always use it, but it's there when I need it. And you can scroll with it.
Along with the trackpoint, there are three buttons directly under the space bar. The middle one is what you hold down to scroll with the trackpoint; on Linux it's also "paste selection" in most places, and "download" in browsers.
The classic Thinkpad key-feel. A lot like a Model M clicky-key only silent. Less travel than the mechanical keys on the Model M, but I've come to prefer that.

I'm still waffling over the II. It's hard to justify, now that I have a 1255 on order. But not impossible. Meanwhile I'll just sit here listening to The Typewriter (a concerto for orchestra and solo typewriter) by Leroy Anderson). (There's a version that includes a repeat performance using an IBM Selectric, but I can't seem to find it now. It would have been perfect for this post.)

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

Done Since 2020-08-23

Sun, 30 Aug 2020 19:18:37 GMT

Hmm. File corruption on (laptop)Sable, political corruption (a given these days), some interesting debugging on (temporary replacement laptop) Raven, singing, no walking to speak of, Colleen doing her exercises, Colleen's usual medical problems and some less usual ones, deli sandwiches by curbside pickup, killer hurricane, killer cops,... FSCK (literally as well as indirectly figuratively).

Oh yeah, almost forgot -- C.D.C. Now Says People Without Covid-19 Symptoms Do Not Need Testing (via siderea | How Can You Tell the CDC is Lying? Their Lips Are Moving.)

The usual mixed week, here at this end of the Rainbow Caravan.

( Notes & links, as usual )

comments

The Mandelbear's Musings

Down the Rabbit Hole

1: The Turing Machine

2: The Universal Constructor

3: The Game of Life

4: The universal constructor

5: The Book of Life

What Were You Thinking, Patreon?

Resources

Update Zoom on Mac ASAP

Resources

Which tax software platform should I use this year?

Trojan Source

Resources

What happened to facebook yesterday?

Resources

Public Service Announcement: Things to watch out for

Finding ELIZA

Resources

Operation Exchange Marauder

Resources

RIP Fry's Electronics -- the end of an era

Dependency Confusion

Resources

Songs for Saturday: Today is Babbage's birthday

More on branch name changes

How to Git out of trouble (part 1)

Overcoming your fear of git rebase

Push rejected (not fast forward)

Pull before pushing changes

Resources

Renaming master to main in Git

Resources

Keeping backups

Resources and references

Memoir: How I Came to Have an Erdős Number of Seven

Done Since 2020-09-20

Review: the Lenovo ThinkPad trackpoint Keyboard II

Setting Up Sable

Resources

Done Since 2020-09-06

Done Since 2020-08-30

The Curmudgeon Thinks Out Loud

The Curmudgeon Contemplates Keyboards

Done Since 2020-08-23

Overcoming your fear of `git rebase`