Periodic wellness check on Pablo Escobar's Cocaine Hippos:

Doin' fine.

When he was shot dead in 1993, most of the animals were shipped away, but four hippos were left to fend for themselves in a pond.

Although nobody knows exactly how many there are, estimates put the total number between 80 and 100, making them the largest invasive species on the planet. Scientists forecast that the number of hippos will swell to almost 1,500 by 2040. They conclude that at that point environmental impacts will be irreversible and numbers impossible to control.

"Nobody likes the idea of shooting a hippo, but we have to accept that no other strategy is going to work," [...]

Environmentalists have been trying to sterilise the hippos for years [...] Male hippos have retractable testes and females' reproductive organs are even harder to find, according to scientists. "We didn't understand the female anatomy," said David Echeverri Lopez, a government environmentalist. "We tried to sterilise females on several occasions and were always unsuccessful."

He is also playing an impossible game of catch-up. Mr Echeverri told The Telegraph that he is able to castrate roughly a hippo per year, whereas scientists estimate that the population grows by 10 percent annually. [...]

"Relocation might have been possible 30 years ago, when there were only four hippos," said Dr Castelblanco-Martínez. "Castration could also have been effective if officials had provided sufficient resources for the programme early on, but a cull is now the only option."


Space Monkey

How did I not know about this until today??

In 2016, former astronaut Mark Kelly sent his twin brother and ISS commander Scott Kelly a gorilla suit for their birthday.


Today is Johnny Mnemonic day.

Thursday, January 17th, 2021.
That's right, today's Thursday.
It says so right there.

"Fax the images to Newark."

I wrote a review of it ten months ago -- I saw it at Alamo shortly before lockdown, which probably means that Johnny Mnemonic was the last movie I saw in a theatre.


WTF, certbot

A few weeks ago, my Let's Encrypt cron job started complaining that certbot-auto is no longer supported on CentOS 7.7. Ummmm thaaaaanks? So I changed "certbot-auto" to "certbot" but now it's saying:

Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/ with version 0.38.0 of Certbot. This might not work.

How is this shit supposed to work? What am I expected to do on CentOS 7.7? Certbot 0.38.0 is the latest version in yum.


10K September

Today is day 10,000 of The September That Never Ended.

The Internet: Mistakes Were Made.™


Stealing Your Private YouTube Videos, One Frame at a Time

Turns out you can exfiltrate every possible thumbnail of a private video via an Adwords account.


I told you so, 2021 edition

Cinnamon-screensaver got popped, again.

If you are not running XScreenSaver on Linux, then it is safe to assume that your screen does not lock.

The latest:


You will recall that in 2004, which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.


Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe.

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code.

This same bug keeps cropping up in these other screen lockers for several reasons.

  1. Writing security-critical code is hard. Most people can't do it.

  2. Locking and authentication is an OS-level problem. And while X11 is at the heart of the OS of a Linux desktop computer, it was designed with no security to speak of, and so lockers have to run as normal, unprivileged, user-level applications. That makes the problem even harder.

  3. This mistake of the X11 architecture can never, ever be fixed. X11 is too old, too ossified, and has too many quagmire-trapped stakeholders to ever make any meaningful changes to it again. That's why people keep trying to replace X11 -- and failing, because it's too entrenched.

As always, these bugs are terrible because bad security is worse than no security. If you knew for a fact that your screen didn't lock, you would behave appropriately. Maybe you'd log out when you walked away. Maybe you wouldn't use that computer for certain things. But a security placebo makes you behave as if it's secure when in fact it is not.
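To make the fail-safe argument concrete, here is an added illustration (not XScreenSaver's code, nor any other locker's) of the two designs side by side: a locker whose "locked" state is tied to the lifetime of its unlock dialog, versus one where only an explicit, successful authentication can release the lock. The event names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Events a screen locker's main loop might observe. Constructed for this
   example; they do not correspond to any real locker's internals. */
typedef enum {
    EV_KEYPRESS,        /* the user typed something at the lock screen */
    EV_AUTH_OK,         /* password helper explicitly reported success */
    EV_AUTH_FAIL,       /* password helper explicitly reported failure */
    EV_DIALOG_EXITED,   /* unlock dialog went away: closed, crashed, killed */
    EV_HELPER_ERROR     /* helper crashed, timed out or returned garbage */
} lock_event;

/* Fail-open design: the screen counts as locked only while the unlock
   dialog is alive. Anything that makes the dialog disappear, including a
   crash in code that has nothing to do with authentication, releases the
   screen. Returns true if the screen is still locked after all events. */
bool fail_open_locked(const lock_event *evs, size_t n) {
    bool locked = true;
    for (size_t i = 0; i < n; i++) {
        if (evs[i] == EV_AUTH_OK || evs[i] == EV_DIALOG_EXITED)
            locked = false;          /* dialog gone == "must be unlocked" */
    }
    return locked;
}

/* Fail-safe design: exactly one event releases the lock, an explicit
   successful authentication. Crashes, errors and vanished dialogs leave
   the screen locked; the worst case is that the user has to try again. */
bool fail_safe_locked(const lock_event *evs, size_t n) {
    bool locked = true;
    for (size_t i = 0; i < n; i++) {
        if (evs[i] == EV_AUTH_OK)
            locked = false;
        /* every other event, expected or not, changes nothing */
    }
    return locked;
}
```

The difference is not which bug exists today but which class of bug can exist at all: in the second design, a crash anywhere outside the authentication check cannot be turned into an unlock.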

One of the infuriating parts of these recurring bugs is that the screen-locker part of XScreenSaver isn't even the fun part! I do not enjoy working on it. I never have. I added it in response to demand and necessity, not because it sounded like a good time. I started and continue this project as an outlet for making art. I'd much rather be spending my time pushing triangles.


And in not-at-all-unrelated news:

Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mate-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude.

If they had asked me, "can you dual-license this code", I might have said yes. If they had asked, "can we strip your name off and credit your work as (C) William Jon McCann instead"... probably not.

Mate-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.


Since writing the above, I significantly refactored the security-critical parts of XScreenSaver, making it even safer. Details of what was involved are in my post about the XScreenSaver 6.00 release.

In the intervening two years, the various Linux distros have done nothing to address their copyright- and license-infringement issues.



"Wow, I sure do hate this weed-and-bongs billboard outside my window."

[ Monkey's paw curls ]

Now there's an anti-abortion billboard too.


Sony Scopeman

Niklas Fauth:

Hardware Design files of a replacement mainboard for the Sony Watchman FD-10. This turns it into a bluetooth and WiFi-enabled vector display.

In "Audio" mode, the ESP32 acts as a Bluetooth speaker. Play back audio files from your smartphone or laptop to hear and see the soundwaves. You can change the size by adjusting the playback volume.

In "Video" mode, the ESP32 renders the result of the Lorenz Attractor equation. You can change the simulation speed using the "Tune" knob.


Facebook Is Showing Military Gear Ads Next To Insurrection Posts

Facebook has been running ads for body armor, gun holsters, and other military equipment next to content promoting election misinformation and news about the attempted coup at the US Capitol, despite internal warnings from concerned employees.

In the aftermath of an attempted insurrection by President Donald Trump's supporters last week at the US Capitol building, Facebook has served up ads for defense products to accounts that follow extremist content, according to the Tech Transparency Project, a nonprofit watchdog group. Those ads -- which include New Year's specials for specialized body armor plates, rifle enhancements, and shooting targets -- were all delivered to a TTP Facebook account used to monitor right-wing content that could incite violence. [...]

These ads for tactical gear, which were flagged internally by employees as potentially problematic, show Facebook has been profiting from content that amplifies political and cultural discord in the US.

"Facebook has spent years facilitating fringe voices who use the platform to organize and amplify calls for violence," said TTP Director Katie Paul. "As if that weren't enough, Facebook's advertising microtargeting is directing domestic extremists toward weapons accessories and armor that can make their militarized efforts more effective, all while Facebook profits." [...]

During Monday's interview, Sandberg also addressed the proliferation of hate-related content on Facebook. "I think there's a false belief that we somehow profit, that people somehow want to see this content," she said. "That's just not true." [cue laughter]
