Smart progress bars

Progress bars suck at predicting how long things will take. I’ll tell you what I want (what I really really want): a system-wide resource that receives a description of what the progress bar will be measuring and uses it to make an informed estimate of the entire process’s duration. For example, suppose that an application installer will do several things in series, one after another. Perhaps an explanation of that process could be written in a machine-readable format like this:

vendor: Foo Corp
name: My Cool App installer
stages:
- Downloading files:
  - resource: internet
    size: 1000  # Number of MB to download
- Extracting files:
  - resource: disk_read
    size: 1000  # Size of the downloaded archive file, in MB
  - resource: disk_write
    size: 2000  # Size of the extracted archive file, in MB
- Copying files into place:
  - resource: disk_read
    size: 2000  # Now we read the extracted files...
  - resource: disk_write
    size: 2000  # and copy them elsewhere.
- Configuring:
  - resource: cpu
    size: 100  # Expected CPU time in some standard-ish unit

Because I’ve used the progress bar resource before, it knows about how long each of those things might take:

  • Since I’m currently on my fast home Internet, that download will probably last about 20 seconds.
  • I have a fast SSD, so the “Extracting files” step might be 6 seconds long.
  • “Copying files into place” will run at about the same speed, for another 8 seconds.
  • My shiny new CPU can chew through 100 CPU units in 10 seconds.

Ta-da! The whole installation should run about 44 seconds. When the installer runs, instead of updating the progress bar manually like

update_progress_bar(percent=23)

it would tell the resource how far it had gotten in its work with a series of updates like

update_progress_bar('Downloading files', internet=283)
...
update_progress_bar('Copying files into place', disk_read=500)
update_progress_bar('Copying files into place', disk_write=500)
...
update_progress_bar('Configuring', cpu=30)

The app itself would not be responsible for knowing what percent of the way along it is. How could it? It knows nothing about my system! Furthermore, statistical modeling could lead to more accurate predictions with observations like “Foo Corp always underestimates how many CPU units something will take compared to every other vendor, so add 42% to their CPU numbers” or “Bar, Inc.’s website downloads are always slow, so cap the Internet speed at 7MB/s for them.” Hardware vendors could ship preconfigured numbers for new systems based on their disk and CPU speeds so that the system can make decent estimates right out of the box. But once a new system is deployed, it gathers observations about its real performance to make better predictions that evolve as it’s used.
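The estimator described above, as an added example that is not code from the post: it owns the rate table, parses the installer’s manifest, and turns the installer’s per-resource reports into a percentage. The tiny manifest parser, the class and method names, the seed rates (chosen so they reproduce the 20/6/8/10 second figures above), the vendor bias hook and the learning rule are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed manifest in the same shape as the one in the post.
MANIFEST = """\
vendor: Foo Corp
name: My Cool App installer
stages:
- Downloading files:
  - resource: internet
    size: 1000  # MB
- Extracting files:
  - resource: disk_read
    size: 1000
  - resource: disk_write
    size: 2000
- Copying files into place:
  - resource: disk_read
    size: 2000
  - resource: disk_write
    size: 2000
- Configuring:
  - resource: cpu
    size: 100  # cpu units
"""


def parse_manifest(text):
    """Minimal parser for the YAML subset above (assumed format).
    Returns (vendor, [(stage_name, {resource: size}), ...])."""
    vendor, stages, resource = "", [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if line.startswith("vendor:"):
            vendor = line.split(":", 1)[1].strip()
        elif re.match(r"^- .+:$", line):              # "- Stage name:"
            stages.append((line[2:-1], {}))
        elif m := re.match(r"^\s+- resource: (\w+)$", line):
            resource = m.group(1)
        elif m := re.match(r"^\s+size: (\d+)$", line):
            stages[-1][1][resource] = float(m.group(1))
    return vendor, stages


@dataclass
class ProgressResource:
    """System-wide estimator.  `rates` is learned throughput per resource in
    units per second; `vendor_bias` holds learned corrections keyed by
    (vendor, resource), e.g. 1.42 for a vendor whose cpu sizes run 42% low.
    The seed numbers are assumptions that reproduce the post's estimates."""
    rates: dict = field(default_factory=lambda: {
        "internet": 50.0,     # MB/s: 1000 MB in 20 s on fast home internet
        "disk_read": 500.0,   # MB/s on a fast SSD
        "disk_write": 500.0,
        "cpu": 10.0,          # cpu units/s: 100 units in 10 s
    })
    vendor_bias: dict = field(default_factory=dict)
    vendor: str = ""
    stages: list = field(default_factory=list)
    done: dict = field(default_factory=dict)    # stage -> {resource: units finished}

    def begin(self, manifest_text):
        """The installer hands over its manifest; returns the whole-run estimate."""
        self.vendor, self.stages = parse_manifest(manifest_text)
        self.done = {name: {} for name, _ in self.stages}
        return self.total_estimate()

    def _seconds(self, resource, units):
        bias = self.vendor_bias.get((self.vendor, resource), 1.0)
        return units * bias / self.rates[resource]

    def stage_estimate(self, name):
        return sum(self._seconds(r, n) for r, n in dict(self.stages)[name].items())

    def total_estimate(self):
        return sum(self.stage_estimate(name) for name, _ in self.stages)

    def update(self, stage, **units_done):
        """update('Copying files into place', disk_read=500): cumulative units
        finished in `stage`.  Stages run in series, so every earlier stage is
        marked complete.  Returns the percent done."""
        names = [n for n, _ in self.stages]
        for earlier, sizes in self.stages[: names.index(stage)]:
            self.done[earlier] = dict(sizes)
        self.done[stage].update(units_done)
        return self.percent()

    def percent(self):
        elapsed = sum(
            self._seconds(r, min(self.done[name].get(r, 0.0), size))
            for name, sizes in self.stages for r, size in sizes.items())
        return round(100.0 * elapsed / self.total_estimate(), 1)

    def observe(self, resource, units, seconds, weight=0.3):
        """Learn from a finished step: exponential moving average of the rate."""
        self.rates[resource] = (1 - weight) * self.rates[resource] + weight * units / seconds
```

update() marks earlier stages complete because the manifest says they run in series; observe() is where the system gets smarter with every run, and vendor_bias is the hook for the per-vendor corrections described above.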

We should be able to do a much better job of guessing how long it’s going to take to install an app. This solution needs to exist.

Little League wants all your information

To sign kids up for our city’s Little League baseball program, you have to prove that they’re residents, which is reasonable. What’s not reasonable is the amount of information you have to provide on the registration website. You have to upload scans of a document in each of 3 categories:

Proof of Residency 1 Choose one of the following: Driver’s license, School records, Vehicle records, Employment records, Insurance documents

Proof of Residency 2 Choose one of the following: Welfare/child care records, Federal records, State records, Local records, Support payment records, Homeowner or tenant records, Military records

Proof of Residency 3 Choose one of the following: Voter’s registration, Utility bills, Financial records, Medical records, Internet, cable, or satellite bills

That alone is ripe for identity theft, but couple it with their privacy policy which includes this (emphasis mine):

Without limitation, this typically requires the use of certain personal information, including registration data, event data, and other personal information, to provide program information, special offers or services through Little League and/or its trusted sponsors, partners, or licensees, to fulfill your requests for information or products/services, to maintain a list of verified and eligible participants, to maintain a list of volunteers and provide them with the operating tools to manage leagues, or to respond to your inquiries about our programs.

In other words, you have to upload your most private information and agree to allow them to do as they like with it, including sharing it with whomever they like for any reason they choose.

This is unacceptable.

Update 2021-05-20

I contacted the company that manages Little League’s registrations and asked them to delete the documents I uploaded in order to sign up. They replied that their policy is to do that as soon as they’ve been evaluated. I asked the company to verify that they’d deleted our documents specifically. They replied with a video demonstrating that the files were no longer available. Great! The video included the PII of the families on either side of us on the list. Not great!

And that’s one big reason why I didn’t want to trust them with our information in the first place.

Our info plus a couple of other families'

New favorite command: Zoxide

My favorite new command is zoxide. It’s like a faster z, autojump, or fasd.

In summary, it learns which directories you visit often with your shell’s cd command, then lets you jump to them based on pattern matching. In the event of a tie it picks the one you’ve used most frequently and recently. For instance, if I type z do then it executes cd "~/Library/Application Support/MultiDoge" for me because that’s the best match for “do” in recent history. An optional integration with fzf lets you interactively search your directory history before jumping to one.

It’s lightning fast and integrates perfectly with common shells (even Fish which is my favorite).

I didn’t even know I’d been missing a tool like this.
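The matching-and-ranking behaviour described above, as an added example that is not zoxide’s code: a toy jump database that bumps a directory’s rank on every cd, matches a query against the path, and breaks ties by how often and how recently the directory was used. The class and method names are assumptions, the matching rules are a simplification (case-insensitive, keywords in order, the last keyword somewhere in the final path component), the aging multipliers follow the scheme z and zoxide describe (x4 within an hour, x2 within a day, x0.5 within a week, x0.25 after that), and the history is constructed.

```python
class JumpDB:
    """Tiny frecency store: path -> [rank, last_access_epoch_seconds]."""

    def __init__(self):
        self.entries = {}

    def visit(self, path, now):
        """Called on every cd: bump the rank and remember when."""
        rank, _ = self.entries.get(path, [0.0, 0.0])
        self.entries[path] = [rank + 1.0, now]

    @staticmethod
    def matches(path, keywords):
        """Case-insensitive; keywords must appear in order, and the last
        keyword must appear in the final path component (so `z me` does
        not jump to /home/me/docs)."""
        hay = path.lower()
        pos = 0
        for kw in keywords:
            pos = hay.find(kw.lower(), pos)
            if pos < 0:
                return False
            pos += len(kw)
        return keywords[-1].lower() in hay.rsplit("/", 1)[-1]

    @staticmethod
    def frecency(rank, last, now):
        """Rank scaled by recency: recently used directories win ties
        against ones that were popular a long time ago."""
        age = now - last
        if age < 3600:
            return rank * 4
        if age < 86400:
            return rank * 2
        if age < 604800:
            return rank / 2
        return rank / 4

    def query(self, keywords, now):
        """What `z foo bar` would cd into, or None when nothing matches."""
        scored = [(self.frecency(rank, last, now), path)
                  for path, (rank, last) in self.entries.items()
                  if self.matches(path, keywords)]
        return max(scored)[1] if scored else None


# Constructed history: one directory used often but a month ago, one used
# once ten minutes ago, one used once two days ago.
def sample_db(now):
    db = JumpDB()
    for _ in range(10):
        db.visit("/home/me/docs", now - 30 * 86400)
    db.visit("/Users/me/Library/Application Support/MultiDoge", now - 600)
    db.visit("/home/me/dotfiles", now - 2 * 86400)
    return db
```

With that history, query(["do"], now) picks MultiDoge, mirroring the post: ten old visits to docs score 2.5, while one visit ten minutes ago scores 4.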

"Let's Fix OmniFocus", indeed

If you use OmniFocus, you should check out Paul Sahner’s Let’s Fix OmniFocus post:

But lately there has been a growing demand for the company to rethink the user experience and interface of OmniFocus. As popular competitors like Things win acclaim for their clean, modern appearance, OmniFocus – for all of its power – appears stuck in another time period. So I wanted to see what it might take to re-imagine the OmniFocus suite of apps. The answer, it turns out, is not so simple.

Simple or not, Paul’s idea of how a unified Mac / iPad / iPhone interface might work is absolutely gorgeous. I didn’t know I could want this so badly.

Use local Git repos for personal work

I’ve heard a lot of online arguments about whether you should host your Git-based projects in GitHub or GitLab, but a lot of them miss an obvious option. Is this repo for your own personal work that you don’t intend to share with others? Great! You can host unlimited, free, completely private repositories on your own system. Here’s the complete process:

$ mkdir -p ~/src/myproject
$ cd ~/src/myproject
$ git init --bare
$ cd ~
$ git clone ~/src/myproject
$ cd myproject

There, you’re done. Now you have a 100% fully functional Git repo that doesn’t require a network connection and supports every single Git feature. Pull it, push it, branch it, revert it, whatever: it’s your own repo and you can do whatever you want with it. And you don’t have to sign up for anything, or agree to a Terms of Service, or share your work, or trust a company you don’t know very well.

If you want to move your repo to another server later, you can copy ~/src/myproject to its new home via whatever means you find most convenient, use git remote set-url origin [...] to point your existing work toward the new location, and then go on about your business as usual without changing any of your workflow.

GitHub and GitLab have a lot of nice features that may be totally irrelevant if you’re not collaborating with a team. Never forget that you can host Git projects yourself, easily and for free.

Oh, and if you do find yourself needing to work with a handful of people and don’t need all of the integration features of the commercial options, I highly recommend Gitea. It’s a tiny little service you can host yourself and it takes very few resources. I use it whenever I need my Git repo to be accessible across the Internet.

Dell doesn't honor warranties

In late August 2020, I bought my kid a new Dell SE2419HX monitor for his birthday. School was starting back and his laptop’s built-in screen was turning out to be too small for him to use for remote schooling. (If you’re reading about this in the far future, this was the year of COVID.) It arrived a few days later and we plugged it into his computer, sat it on his desk, and watched him happily use it for the next few months.

In February 2021, the monitor stopped working. Although it would still turn on, it had a little window on the screen saying “No HDMI signal from your device”. I swapped in a few known working HDMI cables and even tried connecting it to another computer. Nothing worked, so it seemed clear that its HDMI port was busted. We gave the kid an older TV to use temporarily while I worked through Dell’s warranty process. This involved a few days of back-and-forth with their support department, and they eventually asked me for two pieces of information:

  1. The receipt from purchasing the monitor
  2. A photo of the support case number, my name, and the current date written on a piece of paper and held next to the monitor’s serial number sticker to prove that it really existed

The next day they replied with a terse email:

We have received an update from our internal team and unfortunately, we are unable to process the request for the Monitor replacement as the account information of the system does not match with your information.

Please contact the store/person where you purchased the system for further assistance. Proof of Possession seems to be Invalid/tampered with/fake.

What? I replied that this must be a mistake and asked them to review the evidence again. I got back a nearly identical copy of the prior email, with an apology “for any inconvenience this may have caused you”. I replied again: yes, but there’s been a mistake on Dell’s end, and please fix this. I got back another nearly identical reply with the same apology, plus a cryptic “WE have limited access”.

At this point my confusion was turning to anger. I replied to insist that they fix my broken monitor, problems on their end be damned. The same support supervisor replied:

We apologize but we cannot warranty support this monitor with the available information.

At this point I vented a little on Twitter, and the @DellCares account replied to me to ask me to send them a direct message. I did, explaining the situation. They replied with a copy-and-paste of the last unhelpful email I’d received.

The happy resolution to Dell’s utter failure to honor their warranty is that Amazon made good on it. Even though the purchase was outside their normal return window, because Dell was so horrible, Amazon made an exception and allowed me to return it for a full refund. For that, I greatly thank them.

I have a guarantee of my own: under no circumstances will I allow Dell junk into my home again.

Automating this static website

I use the Hugo website generator to create this website out of a bunch of Markdown files. A lot has been written about this approach, but the main advantages are that the site can load quickly even when it’s serving a lot of traffic, and you don’t have to worry about bugs in the blog software when there isn’t any. The downside is that you can’t post to it as easily when you’re out and about on a mobile device.

I wired up a nice little workflow for making it as easy to post here with my iPad as to a Wordpress site:

  • I write the blog post in Markdown in the Drafts app.
  • When done, I run an action that triggers a Shortcut which adds it to a Git repo in the Working Copy app, commits it, and pushes it to my Gitea server.
  • A cron job on the web server runs a git pull from Gitea, runs Hugo to generate the site, then copies the output into the web server’s document root.

So the plumbing is a little more complicated than just opening a website form and clicking a “post” button, but from the user’s perspective it’s every bit as simple. iOS and iPadOS are starting to get a nice ecosystem of Unix-style “do one thing and do it well” tools that can be strung together with scripting.

Security training for the masses

My company is going through its annual HIPAA privacy and security refresher training. This is a good thing and I wholeheartedly support it, as it’s always nice to be reminded of some of the details. “Oh, I forgot that we’re allowed to do X! That’s good to know.”

But the most irksome thing in the world is when you know the right answer to a test question but are required to give the wrong one to pass it. For instance, we were asked:

If you then connect with a VPN, will that ensure a file sent via email will be secure all the way through to its destination? Yes / No / Maybe

Test says: maybe! If you change nothing about your setup except adding a VPN into the mix, you may now be able to send email securely.

I say: The correct answer is “of course not”. Our company uses a “split tunnel” VPN so that only connections to certain services go over the VPN, while the rest of our traffic goes over the open Internet. Do we need to route someone’s after-hours Netflix viewing through an encrypted connection? No thank you. But even without that, once you’ve handed an email to your own mail server, you have no control over what happens next. Does the recipient’s server support TLS connections? Are emails stored on that server encrypted at rest? Does their email app require TLS? Who knows! You sure won’t. So no, a VPN absolutely does not guarantee an email will be secure all the way through to its destination.

If you encrypt the file you are emailing, will that ensure a file sent via email will be secure all the way through to its destination?

Test says: yes! If you encrypt an email to an employee at another company, it’s guaranteed to be secure.

I say: Maybe, sure. I’d even go so far as saying it probably will. However, for all I know the recipient’s company uses some key escrow thing that lets them decrypt and analyze all inbound mail, and Joe from IT occasionally sells the interesting ones to North Korea.

Thing is, our particular training program is for the most part pretty decent, as far as such things go. Again, I’m glad we’re doing it. I just wish their post-training exams were a little more carefully worded.

Google v. Oracle, by analogy

Suppose Joe opens a restaurant. He hires a waiter who is really great at following directions, but speaks no English. Over time, Joe comes up with a way of working with this waiter that’s very precise and detailed. You can ask the waiter for things like “order burger plus cheese plus ketchup no tomato no onion” or “bring check” or “bring water”. However, you have to say things exactly the right way each time. You can’t just say “order cheeseburger” instead of “order burger plus cheese”, or “bring me some water” instead of “bring water”. If you do, the waiter will only say “I don’t understand” and wait for you to say it the right way.

All of this is explained on the menu, and the waiter is otherwise good enough at his job that people are willing to learn the Joe’s Cafe way of ordering their food and asking for the check afterward.

A while later, Gina decides to open a different restaurant across town from Joe’s place. Her food is nothing like Joe’s, she uses different suppliers, her kitchen has a brand new setup she invented herself, and she uses little robot dogs instead of waiters. However, she does a little market research and finds out that a lot of people in her city are used to ordering food the Joe way. To make it easier for her customers, she programs her robot dogs to respond to requests the same way that Joe’s waiter would. Then they’ll be able to order food and enjoy her restaurant without having to learn a whole new system!

Now, at Joe’s, if you say “order burger plus cheese”, the waiter writes this down, carries the order to the kitchen, and hands it to the cook. The cook follows the instructions, hands the food to the waiter, and the waiter takes it back to the table. Gina’s restaurant doesn’t have burgers, but if you tell her robot dog to “order steak plus potato”, it transmits the order via radio to the kitchen where a 3D printer makes it and then sends it to your table via a flying drone.

In other words, you place your order at Gina’s restaurant the same way you would at Joe’s, but almost everything else about the process is completely different because Gina came up with her system from scratch. As it turns out, a few orders do happen to work the same because there are only so many ways to react to “bring water”. That’s natural, though. Gina didn’t copy Joe’s “leave the table, fill a pitcher with water, bring it back to the table, and fill the empty glasses” process; that’s just the way you do it.

This is the same as the relationship between Oracle and Google. Oracle bought a company that made a programming language called Java that became popular. When Google was making their Android phones, they wanted to make it easy for developers to write apps and games for it. Since so many people were already familiar with Java, they decided to let developers use it. However, they made their own Java from scratch that looks like Oracle’s Java from a programmer’s point of view but is completely different behind the scenes. As with Joe and Gina, the way you place your order is the same, but that’s where the similarity ends.

Oracle is suing Google because they say it’s unfair that Google allowed their developers to write programs in something that looks like Java, except without it actually being Java, and that Google should pay them for the privilege.

If it’s not reasonable that Gina should have to pay Joe just because her robot dog knows how to respond to “order steak plus potato”, then it’s not reasonable that Google should have to pay Oracle since they didn’t use any of Oracle’s underlying work.

Google is asking the US Supreme Court to declare that they didn’t copy Oracle’s programming code when they created their own work-alike system. For the sake of the US software industry, I hope Google wins.

As a personal note, I don’t like eating at either Joe’s or Gina’s restaurant. The food’s awful in both places. I still don’t think that Gina (or Google) owe Joe (or Oracle) anything.

November 2020 Voting Guide

These are the notes I collected to determine how I’m going to vote on November 3, 2020. I’m posting this not to tell you how you should vote, but to share my reasons for why I’m voting this way.

United States

President

Biden is the only serious candidate.

Congress

U.S. House California District 13

Barbara Lee (D, Incumbent)

California

State Assembly District 18

Rob Bonta (D, Incumbent)

State Senate District 9

Nancy Skinner (D, Incumbent)

Ballot measures

Prop 14: Stem Cell Research Institute Bond Initiative

Slightly oppose: It’s a good thing to research and support in general, but this isn’t a good time to incur more public debt.

For

  • Gavin Newsom
  • Cal Dems
  • Diabetes research
  • University of California regents

Against

  • No one organized group
  • Main argument: it’s a $5B bond issue we can’t afford right now, even if it’s probably a good thing.

Prop 15: Tax on Commercial and Industrial Properties for Education and Local Government Funding Initiative

Support. Raises taxes on large companies while specifically exempting houses, farms, and small businesses.

For

  • Everyone

Against

  • CA Republicans
  • Coalition of industrial property owners

Prop 16: Repeal Proposition 209 Affirmative Action Amendment

Support. Prop 209 ended affirmative action. This doesn’t bring it back, but allows it to be considered when it makes sense.

For

  • Cal Dems
  • Everyone else

Against

  • Cal GOP

Prop 17: Voting Rights Restoration for Persons on Parole Amendment

Support. If someone’s done their time, then they should be able to participate in society again.

For

  • Everyone

Against

  • CA Republicans

Prop 18: Primary Voting for 17-Year-Olds Amendment

Mildly support. It seems goofy to allow a 17 year old to vote in the primary for someone they can’t vote for in the actual election, but it’s probably not the end of the world

First time we have a record turnout because a YouTuber urges everyone to support Deez Nuts for the CA Democrat nomination, I’ll protest this with a pitchfork.

For

  • Gavin Newsom
  • CA Dems
  • ACLU

Against

  • Not really anyone

Prop 19: Property Tax Transfers, Exemptions, and Revenue for Wildfire Agencies and Counties Amendment

Oppose. This is charity for the rich. You can sell your house and transfer the low tax basis to a new, more expensive house three times? No way. It has some good ideas but we should weigh them in a standalone proposition, or better, a state bill.

For

  • Everyone

Against

  • ACLU

Prop 20: Criminal Sentencing, Parole, and DNA Collection Initiative

Oppose. This is a charity to the prison systems. Collecting DNA on shoplifters and drug possessors? WTF.

For

  • CA Republicans
  • Police associations
  • Albertsons Safeway?

Against

  • CA Dems
  • ACLU

Prop 21: Local Rent Control Initiative

Support. It makes sense to let cities experiment. If it doesn’t work locally, change it. What’s good in Oakland may suck in San Diego and vice versa.

For

  • Bernie
  • Employee unions
  • Underlying theme of endorsements: “let cities decide which policies make sense for them at the local level.”

Against

  • Gavin Newsom
  • Builders unions
  • Underlying theme of opposition: “Will reduce incentive to build affordable housing.”

Prop 22: App-Based Drivers as Contractors and Labor Policies Initiative

Oppose: This is some bullshit charity for Uber, Lyft, and Door Dash.

Everything about this seems to be a lie. For example, it provides a good minimum wage, but only while the driver is actively on a run, not when they’re between runs.

For

  • GOP
  • Police unions
  • Chambers of commerce

Against

  • Everyone else

Prop 23: Dialysis Clinic Requirements Initiative

Oppose: No, and stop asking. No one wants this. As a prop, it’s super hard to get rid of if it turns out to be a horrible idea.

For

  • Healthcare workers union. This would require clinics to hire more workers. It’s a job handout.
  • Cal Dems

Against

  • Cal Republicans, oddly enough
  • Cal Medical Association. Doctors are saying this isn’t necessary.
  • Cal Nurses union

Prop 24: Consumer Personal Information Law and Agency Initiative

Oppose. I generally support privacy laws, but this has issues. The EFF described Proposition 24 as “a mixed bag of partial steps backwards and forwards.” I’m very skeptical of a privacy bill that the EFF doesn’t actively endorse.

Come back next election with a better version and I’ll totally back it.

For

  • Some CA Democrats
  • CA firefighters union?

Against

  • Republicans
  • Greens
  • CA nurses association
  • ACLU

Prop 25: Replace Cash Bail with Risk Assessments Referendum

Support. End the cash bail system. Don’t let “perfect” be the enemy of “good”. This is a good idea.

For

  • Everyone

Against

  • ACLU doesn’t like the new assessment system, which is a legit concern.

Alameda County

AC Transit District

Director At-large

Peeples (Endorsed by papers. Opponents aren’t bad, but Peeples is more experienced and seems to be pretty good at this.)

Peralta Community College District Trustee

Heyman (Incumbent; opponent doesn’t have much reason to vote for him.)

Superior Court

Condes (Supported by majority of progressive groups. Opponent isn’t awful, though.)

Measure V: Sales Tax

Support. Extends the existing sales tax.

Measure W: Sales Tax

Lightly oppose. Good to fund housing and services, but we’re already slammed with super high sales taxes and that feels regressive.

City of Alameda

Auditor

Kearney (unopposed)

AUSD board

(Best profiles, and endorsed by groups that seemed relevant.)

  • Aney
  • Little
  • Williams

City Council

(By ruling out other candidates, not as an endorsement of these)

  • Codiga
  • White

Measure AA

Mildly support. It’s goofy that voters are being asked to rule on this petty internal bickering, but here we are.

Measure Z

Mildly oppose. Allows altering existing 3-bedroom homes into two 1-bedroom units. Parking and traffic are already bad. We couldn’t live in Alameda if we couldn’t find 3-bedroom housing.

Treasurer

Kennedy (unopposed)

Staying away from WD NAS drives for now

Western Digital just admitted to Tom’s Hardware that they use a notoriously slow technology, shingled magnetic recording (SMR), in the WD Red drives they market for use in high performance storage devices. This is a very bad look for them.

I just replaced my last 6TB Red with a Seagate IronWolf over the weekend (coincidentally; it had nothing to do with this). In my experience, Reds have a nasty habit in their old age of taking performance nosedives without reporting any SMART errors. Suddenly my storage volume would be slow and pegged at 100% utilization without anything out of the ordinary running, but everything would look OK otherwise. My NAS’s resource monitor would show that all drives are at like 30% utilization, except for a single Red hovering at the top of the graph. The drive would show no errors or really any problems at all, but would be slow as molasses for no apparent reason.

This has happened to me three times now, and each time the fix is to replace the lame duck Red. My storage volume over the weekend was actually faster during the RAID rebuild than it was with the dying drive.

I don’t trust Western Digital’s drives right now, which is a pity because they used to have a great reputation and I loved them.

The Kansas City Wormhole

I’ve had one inexplicable thing happen in my life. I remembered it today and texted an old buddy about it, and his memory of it was identical to mine.

One day after high school, 3 friends and I piled into my car and drove to Kansas City to meet up with some other friends who had moved there. They weren’t home when we arrived, and at some point we had the idea to go to the zoo to kill time because we thought it was free (and we were broke). Turns out the KC zoo was very much not free, so we decided to go back to our friends’ home.

We tried to take a shortcut through the parking lot of the Blenheim Square Research Hospital next to the zoo but got turned around in a series of one-way lanes and toll gates before we were dropped back onto the surface streets. Thing is, when we got back on the road and were trying to get our bearings, none of us could see the hospital we’d just left. We pulled into a gas station a block away and asked the attendant which direction we were from the hospital.

“Which hospital? I don’t know where that is.” When we asked him to show us where we were on a map, he pointed to the corner of Lamar Ave & Shawnee Mission Parkway - which was a good half an hour drive from the hospital whose parking lot we’d been in less than 5 minutes ago.

We were utterly flummoxed. I can’t emphasize this enough: our 1 block drive dropped us 30 minutes from where we’d started. We drove through a parking lot, turned around, and were… transported?… across town. Everyone was cold sober and very freaked out. When we compared notes, we all remembered it exactly the same way. We kind of jokingly (and more than a little seriously) talked about the “wormhole” through Kansas City.

To this day, my recollection of this is crystal clear and I simply cannot explain what happened that day.

More apps lost to subscriptions

Two more apps I really like(d) have recently announced that they’re moving to subscription models: Fantastical and Paste. The Internet almost universally decided to stomp on the former’s announcement, but I’m not sure that the latter is widely popular enough to get a lot of people riled up. With rare exception, these moves are death knells for my usage of such apps. As I’ve written before, the bottom line is that apps have to offer good value to their users. To me, $40 per year for a pretty calendar does not offer good value. A clipboard manager which jumps from $15 once to $10 per year does not offer good value.

What these changes really do for me is nudge me out of complacency and into reevaluating my app choices. As it turns out, the built-in Calendar.app isn’t as pretty as Fantastical, but for $40 per year it’s gotten to be good enough. There are any number of clipboard managers - some inside apps I was already using, like Keyboard Maestro - that aren’t as nice as Paste, but for $10 per year they’re good enough. And so those moves to subscription models, which are always accompanied by long blog posts explaining how it’s really in my best interest, move me away from the apps I had liked and push me to check out the alternatives. What they almost never do is get me to switch to the desired Patreon-like financial model.

Merlin Mann described the category of little things that sit in the background and suck money or resources from you as eels attached to your neck. One is bad. Dozens are terrible. Well, I’m getting rid of my neck eels. There are very few apps I use that can’t be replaced. And when an app’s price suddenly skyrockets and stops offering good value, that’s exactly why I do.

Commodore declared bankruptcy 25 years ago today

Commodore International declared bankruptcy on April 29, 1994, and pretty much sealed the fate of the Amiga. I couldn’t care less about Commodore, but I think we lost something special when Amiga died.

An Amiga 500

My parents bought an Amiga 1000 shortly after it launched (and then, begrudgingly, a 256KB RAM expansion a month later because otherwise you couldn’t do much with it). It was a magical machine with true preemptive multitasking at a time when DOS was normal, and years before Macs could decently run multiple programs at once. I exclusively used it and its successors into the late 90s, until it became obvious to me — probably years after it was obvious to everyone else — that I was past the end of the road and well off into the weeds. The most frustrating thing about owning one of those clearly superior machines was the bragging of PC and Mac owners when their clearly inferior systems added features I’d enjoyed for years. High-res color graphics! Speech synthesis! Sampled sound! A usable GUI! Shared libraries! An object-oriented plugin system! Cross-application scripting! And most importantly, that gorgeous multitasking! Yes, yes, that’s great; I’d had those for a decade before they became popular on other personal computers.

Other people have written better than I possibly could, and at great length, about the many ways that Commodore managed to screw up their golden child. I was only peripherally aware of all that at the time. But I know that they had something amazingly special that earned a fiercely loyal cult following, and I truly believe we lost something good when they died.

RIP, Amiga. You were loved.

A standard for describing a site's password rules

There’s not a universal standard for what a valid password on a website must look like. Some sites allow you to use any four letters. Others require at least twenty characters, including at least one numeric digit and one “special character” (aka punctuation). Even when using a password manager, the process of creating a good one looks a lot like:

  • Turn the password manager’s strength settings all the way up and generate a password.
  • The website replies “passwords can’t be more than 20 characters long”.
  • Adjust the length down to twenty. Generate a new one and send it to the website.
  • The website replies “passwords may only contain the special characters ‘$_!#’”.
  • Adjust the number of symbols down to zero. Generate. Try again.
  • The website replies “passwords must contain at least two special characters”.
  • Turn the number of symbols back up to two. Click “generate” until you get a password that contains punctuation from “$”, “_”, “!”, and “#”, but nothing else. Try again.
  • …and repeat until you’ve appeased the website’s rules.

I propose instead that websites should document their password rules in a standardized, machine-readable manner. For instance, suppose that each site hosted a file in a pre-defined location, like /.well-known/password-rules.yaml, in a format such as:

max_length: 64
min_length: 8
allowed_symbols: "$#@!"
min_symbols: 1
min_upper: 1
min_lower: 1
min_digits: 1
matches: "^[a-z]+(.*)+$"

Then tools like 1Password could look for that file and tune their settings to suit. The new process for creating a password would look like:

  • Tell 1Password to generate a password for the site you’re currently looking at.
  • It fetches the rules file, interprets it, creates a password that satisfies all the requirements, and pastes it in the password field on the site.
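As an added example (not part of the original post, and not 1Password's code), here is what the password manager's side of that process could look like in Python: a parser for the flat rules file shown above, a checker that reports which rules a password breaks, and a generator that builds a compliant password. The rules file is embedded as a constructed string rather than fetched from /.well-known/password-rules.yaml, the parser handles only the one-key-per-line shape shown (it is not a general YAML parser), and the function names are my own.

```python
import re
import secrets
import string

# The rules file from the post, embedded as a constructed string so the
# example runs offline (a real client would fetch it from the site).
RULES_FILE = """\
max_length: 64
min_length: 8
allowed_symbols: "$#@!"
min_symbols: 1
min_upper: 1
min_lower: 1
min_digits: 1
matches: "^[a-z]+(.*)+$"
"""


def parse_rules(text):
    """Parse the flat `key: value` file. Assumption: one key per line, values
    are either integers or double-quoted strings, no comments or nesting."""
    rules = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            rules[key] = value[1:-1]
        else:
            rules[key] = int(value)
    return rules


def violations(password, rules):
    """Return the list of rules the password breaks (empty list = compliant)."""
    problems = []
    symbols = rules["allowed_symbols"]
    allowed = set(string.ascii_letters + string.digits + symbols)
    if len(password) < rules["min_length"]:
        problems.append("too short")
    if len(password) > rules["max_length"]:
        problems.append("too long")
    if any(ch not in allowed for ch in password):
        problems.append("disallowed character")
    counts = {
        "min_upper": sum(ch in string.ascii_uppercase for ch in password),
        "min_lower": sum(ch in string.ascii_lowercase for ch in password),
        "min_digits": sum(ch in string.digits for ch in password),
        "min_symbols": sum(ch in symbols for ch in password),
    }
    for key, count in counts.items():
        if count < rules[key]:
            problems.append(key)
    # Passwords never contain newlines, so `$` only matches at the very end.
    if "matches" in rules and not re.fullmatch(rules["matches"], password):
        problems.append("matches")
    return problems


def generate(rules, length=None, max_attempts=1000):
    """Build a password that satisfies every rule. The required character
    classes are drawn first, the rest is filled from the whole allowed
    alphabet, the result is shuffled, and rejection sampling takes care of
    the `matches` regex, which cannot be satisfied constructively in general."""
    symbols = rules["allowed_symbols"]
    alphabet = string.ascii_letters + string.digits + symbols
    if length is None:
        length = rules["max_length"]  # the strongest password the site accepts
    if not rules["min_length"] <= length <= rules["max_length"]:
        raise ValueError("length outside the site's allowed range")
    required = (
        [secrets.choice(string.ascii_uppercase) for _ in range(rules["min_upper"])]
        + [secrets.choice(string.ascii_lowercase) for _ in range(rules["min_lower"])]
        + [secrets.choice(string.digits) for _ in range(rules["min_digits"])]
        + [secrets.choice(symbols) for _ in range(rules["min_symbols"])]
    )
    if len(required) > length:
        raise ValueError("the site's minimum counts exceed the requested length")
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffle
    for _ in range(max_attempts):
        chars = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, rules):
            return candidate
    raise RuntimeError("could not satisfy the site's rules")


if __name__ == "__main__":
    site_rules = parse_rules(RULES_FILE)
    print(generate(site_rules))
```

One caveat for anyone building this for real: the rules file comes from the site, so the `matches` pattern is untrusted input. Nested quantifiers like the `(.*)+` in the example file are the classic catastrophic-backtracking shape, so a client should evaluate untrusted patterns with a timeout or the standard should restrict `matches` to a safer regex dialect. That particular pattern also quietly forces the password to begin with a lowercase letter, which is the kind of rule that only a machine-readable file would make visible to the generator in the first place.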

Further suppose that the standard defined the calling conventions of a REST endpoint for changing passwords, and the rules file included that URL like:

change_url: /ajax/change_my_password

Wouldn’t it be just lovely if 1Password could automatically update every such website on a monthly basis, or whenever a site announces a security breach?

Ringing the bird

I was on an early morning walk and came across a guy staring at the telephone wires. As I approached, I caught the distinct aroma of marijuana. I turned to see what he might be looking at, and he held a finger to his lips to quiet me. He whispered, “there’s a mockingbird up there. If you listen, he’ll ring like a bell.” Sure, buddy.

So we stood there in silence, and then the little bird opened his mouth and sang chimes to us. He rang like a bell.

The stranger and I looked at each other, then smiled and laughed as we went our separate ways. That was a nice way to start a day.

Heavy traffic is not a DDoS

Ajit Pai claimed that when the FCC asked citizens to comment on Net Neutrality, their website was attacked with a distributed denial of service, or DDoS. I’ve heard many of his defenders claim that an overwhelming number of people trying to use the website to comment was in fact a DDoS. This is a lie.

It was not any kind of DDoS. Words mean things, and “DDoS” specifically means a deliberate, coordinated attack: many machines sending traffic for the purpose of making a service unavailable. What the FCC experienced is what we call “heavy traffic”. A car analogy:

  • “Heavy traffic” is rush hour on the freeway.
  • “DDoS” is a mass protest with people physically blocking lanes on the road.

Even though the end result might be everything moving slower than desired, if you’re stuck in traffic but you tell your boss that you’re late to work because a protest blocked the street, you’re exactly as much a liar as Ajit Pai was when he perjured himself to Congress.

Happy birthday to me!

I registered Honeypot.net on July 1, 1998, so today is its twentieth birthday. We’ve had fun, little domain. Here’s to twenty more!

"At a Crucial Juncture, Trump's Legal Defense Is Largely a One-Man Operation"

At a Crucial Juncture, Trump’s Legal Defense Is Largely a One-Man Operation — The New York Times

Highlights:

“Joseph diGenova, a longtime Washington lawyer who has pushed theories on Fox News that the F.B.I. made up evidence against Mr. Trump, left the team on Sunday. He had been hired last Monday, three days before the head of the president’s personal legal team, John Dowd, quit after determining that the president was not listening to his advice.”

Also:

“Mr. Dowd had concluded that there was no upside and that the president, who often does not tell the truth, could increase his legal exposure if his answers were not accurate.”

Jokes about “the best people” aside, it sounds like genuinely competent people want nothing to do with the fiasco in DC.

How many minutes of Internet are you paying for each month?

If you pay for a 100Mbps cable connection to the Internet and your plan sets a 300GB data cap, you can use your connection at full speed for only about 8.3 hours per month before hitting overuse charges. (That figure uses the rule of thumb of 10 bits per byte transferred, which leaves room for protocol overhead; at a strict 8 bits per byte it is 6.7 hours. Either way, the cap is gone in well under a day.)

If your cell phone plan supports 50Mbps LTE speeds and has a 10GB data cap, you’re only allowed to use it at full speed for about 33 minutes per month (27 minutes at a strict 8 bits per byte).

I think it’s deceptive for an ISP to advertise an Internet connection’s speeds without disclosing how much you can actually use it without being disconnected or racking up extra fees. I’ve written to my senators asking them to introduce legislation to protect customers from this misleading and predatory practice:

I believe that all Internet service providers should be required to disclose, as part of their advertising, how many minutes you may use their service at full speed without hitting data caps.

For instance, a cable company advertising “100 megabits!” but imposing a 300GB data cap only allows their users to download information for about 8 hours per month. A cell phone company that advertises fast 50 megabit LTE speed but has a 10GB data limit only gives their customers about 33 minutes per month of full speed usage.

I believe that simultaneously advertising fast Internet connections while only allowing customers to use it for a short amount of time each month is highly deceptive and should be illegal. Please introduce truth in advertising legislation requiring ISPs to disclose what portion of time customers on a typical plan would be allowed to use an Internet service being advertised.

I don’t reasonably expect anything to come of this, but I’m going to try anyway.