Unnecessary, but required

In the past year, I’ve had to learn quite a few different lessons, some harder than others, some more gratifying than others. One of the main (but far from the only) sources of these lessons was learning to live with someone else — save for my mother, and a few months with Luca, I have never really shared an apartment, a flat, or a house with someone else for more than a few days. But now that I’m happily married, there’s no going back to solitude. And it’s a feeling I’m really happy about, despite the occasional challenges this has brought to both of us.

One of the differences that we realised early on is that we have different tolerances for chaos and trinkets. I’m not particularly organised when it comes to sorting out my stuff, but I’m also not a total slob — I just don’t mind having items spread across three rooms, and I was never particularly well known for ironed t-shirts. My wife’s much less… chaotic, but at the same time has fairly little patience for technology for the sake of technology.

This pretty much makes a dent in the amount of random gadgets I end up buying just to try them out, because they might end up not being used, or even not being welcome if they somehow get in the way. I think my most impressive achievement has been making her accept that we have an electric cheese grater. I’m still trying to convince her it’s a good idea for me to disassemble the battery charger to replace the current plug-in adapter with a micro-USB port. Which is honestly not necessary at all: the plug is an AC-DC adapter, a Europlug with one of those Europlug-to-British screw-in adapters, which means that if we decide to leave London for the Continent, we won’t need to replace it — it would only become an issue if we moved to a different part of the world, and we can address it then.

But at the same time, this is the type of modification that in my eyes is… well, required. Why would I not make my electric cheese grater into a USB-powered electric cheese grater?

This reminded me of what Adam Savage (of MythBusters fame) says in his book Every Tool’s A Hammer (which, incidentally, is an awesome read that I would recommend to everyone who has even a passing interest in creating stuff):

I often describe myself as a serial skill collector. I’ve had so many different jobs over my lifetime […] that my virtual tool chest is overflowing. Still I love learning new ways of thinking and organizing, new techniques, new ways of solving old problems. […] The skills I have, all of them, are simply arrows in my mental quiver, tools in my problem-solving tool chest, to achieve that thing. […] And I learned each of them specifically for that reason. […] Eventually, […] I came to realise this was the ONLY way I could successfully learn a skill—by doing something with it, by applying it in my real world.

Adam Savage, Every Tool’s A Hammer

This is pretty much my life. I have pretty clearly failed at learning things “academically”, lasting only a few weeks at the University of Venice, and instead built up my knowledge by working on different projects, both opensource and for customers, and by trying things out for myself. This has been a blessing and a curse at the same time: while it meant that I have been collecting a bunch of skills, just like Adam says above, for the most part they are superficial skills: I’ve only rarely had to deep-dive into a technology or a problem in my day job, and the amount of time I have to spend on side projects has been fairly low, and shrinking.

Long gone are the days when I could sit down to write a stupid IRC bot in Qt, just because I could, and not just for lack of time. It’s also because, for the most part, I keep telling myself it’s a bad idea to work on something low level when someone else already did it better than I could possibly do — which is likely true, but it fails to meet my requirement to add the skill to my repertoire. And that’s by itself a career-limiting move, comparable to the bubble problem.

With these issues in mind, I’m definitely glad my wife is understanding of why I sometimes spend money, time, effort (or most likely, all three) just to get something done because I want to, and not because there’s much need for it. It’s unnecessary, but required for me to keep up to scratch. And being able to do that, without upsetting my partner despite the chaos it creates, is a significant privilege.

Another privilege is being able to afford the time, space, and money for all these projects. I think this is, for the most part, something that is not quite clear out there yet: being able to contribute to opensource, to write up tips and tricks, to document how to do things, are privileges. And I think it’s important to share this privilege, even in the form of tips, tricks, videos, and blogs — which is why this blog still exists, and why, even with ever-shortening spare time, I try to write updates.

Whether it is Bigclive on YouTube, with sometimes off-colour comments that make me uncomfortable, or Adam Savage’s own Tested, which can rely on a real, professional shop, or Micah’s most awesome electronics reverse engineering channel, or Foone’s Twitter feed, I am very glad for those who do their best to share knowledge — and I don’t really need to know why they are doing it. Even when it doesn’t really help me directly (because I can’t learn something if I don’t try it myself), I know it can help someone else. Or inspire someone else (or in some cases, me) to go and try something that will make them learn more.

Abbott, the Libre 2, and the takedown

A few people today messaged and mentioned me on Twitter regarding the news that Abbott has requested the takedown of something related to their Libre 2. I gave a quick hot take on this on Twitter, but I guess it’s worth having something in long form to be referenced, since I’m sure this will be talked about a lot more, not least because of the ominous permalink chosen by Boing Boing (“they-literally-own-you”) and the fact that, game-of-telephone style, the news went from the original takedown to Reddit phrasing it as “Abbott asserts copyright on your data”, which is both silly and untrue.

So let’s start with a bit of background, which most of the re-posters of this story probably don’t know much about. The Libre 2 is an upgrade on the FreeStyle Libre system that I wrote a lot about and that I use daily. It comes with both a reader device and with support in the LibreLink app for both Android and (on more recent iPhones) iOS. The main difference from the Libre system is that the sensors provide both NFC and BLE capabilities, with the ability to proactively notify of high or low blood sugar conditions, which the old NFC-only sensors cannot provide; this makes it more similar to CGM solutions like Dexcom’s.

In both the Libre and Libre 2 systems, the sensors don’t report blood sugar values the way most classic glucometers do. Instead they report a number of “raw” values, including readings from a number of temperature sensors. There’s a great explanation of these from Pierre Vandevenne, here and here. To get a real blood sugar measurement, you need to apply an algorithm that Abbott still refines. This algorithm is what I usually refer to as the “secret sauce”, and it is implemented in both the reader’s firmware and the LibreLink app itself.

Above I used the word “something” to refer to what was taken down. The reason is that Boing Boing, in its title, straight up calls this a “tool” — but when you read the linked post from the affected person, it is described as “details of how to patch the LibreLink app”. Since I have not seen what the repository was before it was taken down, I have no idea which one to believe exactly. In either case, it looks like Abbott does not like someone effectively leveraging their “secret sauce” for use in a different application; in particular, it does not look like we’re talking about something like glucometerutils, which implemented the protocol “clean”, without derivation from the original software.

Indeed, Boing Boing seems to make the case that this is equivalent to implementing a file format: «[…] just because Apple’s Pages can read Word docs, it doesn’t mean that Pages is a derivative of MS Office.» Except that it’s not as clear cut. If you implemented support for a format by copying the implementation code into your software, that actually would make it a derivative work, quite obviously. In this case, if I am to believe the original report instead, the taken-down content was instructions to modify Abbott’s app — and not a redistribution of it. Since I’m not a lawyer, I have no idea where that stands, but it’s clearly not as black-and-white as Boing Boing appears to make it.

As I said on Twitter, this does not affect either of my projects, since neither relies on the original software; they are rather descriptions of the protocols. They also don’t include any information or support for the Libre 2, since the protocol appears to have changed. There’s an open issue with discussion, but it also appears that this time Abbott is using some encryption on the protocol. And that might be an interesting problem, as someone might have to get up close and personal with the code to figure that part out — but if that’s the case, we’re back to needing a clean-room design to implement it.

I also want to quote Pierre explicitly from the posts I linked above:

[…] in the Libre FRAM, what we are seeing is a real “raw” signal. While the measure of the glucose signal itself is fairly reliable, it is heavily post-processed by the Libre firmware. Specifically – and in no particular order – temperature compensation, delay compensation, de-noising… all play a role. That understanding and, to some extent, my MD training, led me to extreme caution and prevented me from releasing my “solution”, which I knew to be both incomplete and unable to handle some error conditions.

The main driver behind my decision was the well known “first do no harm” (primum non nocere) motto, an essential part of the Hippocratic Oath which I symbolically took. I still stick by it today. […]

[…]

Today, there are a lot of add-on devices that aim to transform the Libre into a full CGM. To be honest, in general, I do not like either the results they provide or their (in)convenience. None of those I have tried delivered results that would lead to an approval by a regulatory agency, none of them were stable for long periods of time. But, apparently, patients still feel they are helpful and there is now a thriving community that aims at improving them.

Pierre Vandevenne

While I have not sworn a Hippocratic Oath myself, I have similar concerns to Pierre, and I have explicitly avoided documenting the sensors’ protocol, and I won’t be merging code that tries to read them directly, even if provided.

And when it comes to copyright issues, I do weigh them fairly heavily: they are the fundamental way that Free Software even works, by respecting licenses. So I will prefer someone to provide me with the description of Abbott’s encryption protocol, rather than an implementation of it where I may be afraid of a “poisonous tree.”

Environment and Software Freedom — Elitists Don't Get It

I have previously complained loudly about “geek supremacists” and the overall elitist stance I have seen in Free Software, Open Source, and general tech circles. This shows up not just in a huge amount of “groupthink” that Free Software is always better, but also in jokes that may sound funny at first, but are actually trying to exclude people (e.g. the whole “Unix chooses its friends” line).

There’s a similar attitude that I see around environmentalism today, and it makes me uneasy, particularly when it comes to “fighting for the planet”, as some people would put it. It’s not just me: I’ve seen plenty of acquaintances on Twitter, Facebook, and elsewhere reporting similar concerns. One obvious case is the lack of thought given to inclusion and accessibility: whether it is a thorough attack on pre-peeled oranges with no consideration for those who are not able to hold a knife, or waste-shaming with the infamous waste jars (which, as an acquaintance reported, and I can confirm the same is true for me, would fill up in a fraction of the expected time just from medicine blisters).

Now the problem is that, while I have expressed my opinions about Free Software and activists a number of times in the past, I have no experience or expert opinion with which to write a good critique of environmentalist groups, which means I can only express my discomfort and leave it to someone else. Although I did write about this in the past.

What I can provide some critique of, though, is an aspect that I recently noticed in my daily life, and on which I can report directly, at least a little bit. And it goes back to the zero-waste topic I mentioned in passing above. I already said that the waste produced just by the daily pills I take (plus the insulin and my FreeStyle Libre sensors) goes beyond what some of the more active environmentalists consider appropriate. Medicine blisters, insulin pens, and the sensors’ applicators are all non-recyclable waste. This means that most of the encouragement to limit waste is unreachable for most people on medications.

The next thing I’m going to say is that waste reduction is expensive, and not inclusive of most people who don’t have a lot of spare disposable cash.

Want a quick example? Take hand wash refills. Most of the people I know use liquid soap, and they buy a new bottle, with a new pump, each time it finishes. Despite ceramic soap bottles being sold in most homeware stores, I don’t remember the last time I saw anyone I know using one. And even when my family used those for a little while, they almost always used a normal soap bottle with the pump. That’s clearly wasteful, so it’s not surprising that, particularly nowadays, there are a lot of manufacturers providing refills — pouches, usually made with thinner, softer plastic, holding a larger amount of soap, that you can use either to refill the original bottles, or with one of those “posh” ceramic bottles. Some of the copy on those pouches explicitly states «These refill pouches use 75% less plastic per ml of product than a [brand] liquid handwash pump (300 ml), to help respect the environment.»

The problem with these refills, at least here in London, is that they are hard to come by, and only a few, expensive brands appear to provide them. For instance you can get refills for L’Occitane hand wash, but despite liking some of their products, at home we are not fond of their hand wash, particularly not at £36 a litre (okay, £32.4 with the recycling discount). Instead we ended up settling on Dove’s hand wash, which you can buy in most stores for £1 for the 250ml bottle (£4/litre). Dove does make and sell refills, and at least in Germany, Amazon sells them for a lower per-litre price than the bottle. But those refills are not sold in the UK, and if you wanted to order them from overseas they would be more expensive (and definitely not particularly environmentally friendly).

If the refills really make as much of a difference as the manufacturers insist they do, they should be made significantly more affordable. Indeed, in my opinion you shouldn’t be able to get the filled bottles alone at all; they should rather be sold bundled with the refills themselves, at a higher per-litre price.

But price is clearly not the only problem — handwash is something that is very much subject to personal taste, since our hands are with us all day long. People prefer no fragrance, or different fragrances. The fact that I can find a whopping total of two handwash refills in my usual local stores that don’t cost more than the filled bottle is not particularly encouraging.

Soap is not the only thing for which the “environmentally conscious” option is far from affordable. Recently, we stumbled across a store in Chiswick that sells spices, ingredients and household items plastic free, mostly without containers (bring your own, or buy one from them), and we decided to try it, which was easy since I’ve been saving up the glass containers from Nutella and the jams, and we had two clean ones at home for this.

This needs a bit more context: both my wife and I love spicy food in general, and in particular love mixing up a lot of different spices when making sauces or marinades, which means we have a fairly well-stocked spice cupboard. And since we consume a lot of them, we have been restocking with bags of spices rather than with new bottles (which is why we started cleaning and setting aside the glass jars), so the idea of finding a place where you can fill your own jar was fairly appealing to me. And while we did expect a bit of a price premium given the location (we were in Chiswick after all), it was worth a try.

Another caveat on all of this: the quality, choice and taste of ingredients are not obvious. They are, by definition, up to personal taste. Which means that doing a direct price-by-price comparison is not always possible. But at the same time, we do tend to like the quality of the spices we find there, so I think we’ve been fair when we boggled at the prices, and in particular at the price fluctuation between different ingredients. So I ended up making a quick comparison table, based off the prices on their website and the websites of Morrisons and Waitrose (because, let’s be honest, that’s probably the closest price comparison you want to make, as both options are clearly middle-to-upper class).

[Table image: price comparison between Source, Morrisons, Waitrose and the Schwartz brand spices; a more accessible version is on Google Drive.] I’ve taken the cheapest-priced option for all the searches, looking for bigger sizes.

If you look at the prices, you can see that, compared with the bottled spices, they are actually fairly competitive! I mean, cumin costs over four times as much if you buy it bottled at Waitrose, so getting it cheaper is definitely a steal… until you notice that Morrisons stocks a brand (Rajah) that is half the price. Indeed, Rajah appears to sell spices in big bags (100g or 400g), and at a significantly lower price than most of the other options. As for personal taste, we love them.

A few exceptions do come to mind: sumac is not easy to find, and it’s actually cheaper at Source. Cayenne pepper is (unsurprisingly) cheaper than at Waitrose, and not stocked at Morrisons at all, so we’ll probably pop by again to fill a large jar of it. Coarse salt is cheaper, even cheaper than the one I bought on Amazon, but I bought 3 kg two years ago and we still have one unopened bag.

The one part of the picture that the prices don’t tell, of course, is the quality and the taste. I’ll be very honest and say that I personally dislike the Waitrose extra virgin olive oil whose price I used (although it’s a decent oil); the Morrisons one is not their cheapest, but the cheapest tasted nasty when I tried it, so I went for the one we actually usually buy. Since we ran out of oil at home, and we needed to buy some anyway, we are now using Source’s and, well, I actually do like it better than the Morrisons one, so we’ll probably stick to buying it, despite it being more expensive — it’s still within the realm of reasonable prices for good extra virgin olive oil. And they sell it in a refillable bottle, so next time we’ll use that one again.

Another thing that is very clear from the prices is just how much the “organic” label appears to weigh on the cost of food. I don’t think it’s reasonable to pay four times the price for sunflower oil — and while it is true that I’m comparing the price of a huge family bottle with that of a fill-your-own-bottle shop, which means you can get less of it at a time and you pay for that convenience, it’s also one of the more easily stored groceries, so I think the comparison is fair enough.

And by the way, if you followed my Twitter rant, I have good news. Also in Chiswick there’s a Borough Kitchen store, good old brick-and-mortar, and they had a 1L bottle for an acceptable £5.

So where does this whole rant get us? I think that the environment needs activists to push for affordable efforts. It’s not useful if the zero-waste options are only available to the top 5%. I have a feeling that indeed for some of the better, environmentally aware options we’ll have to pay more. But that should not mean paying £5 for a litre of sunflower oil! We should make sure we can feed the people of the world, if we think that the world is worth saving, and do so in a reasonable way.

Before closing let me just point out the obvious: Source appears to have its heart in the right place with this effort. Having had my own business, I’m sure that the prices reflect the realities of renting a space just off Chiswick High Road, paying for the staff, the required services, the suppliers, and the hidden cost of families with children entering the store and letting their kids nibble on the candies and nuts straight out of the boxes (I saw at least one while we were inside!), without paying or buying anything else.

What I fear we really need is for this type of service to scale to the level of big high street grocery stores. Maybe with trade-in containers in place of bring-your-own for deliveries (which I would argue can be more environmentally friendly than people having to take a car to go grocery shopping). But that’s something I can only hope for.

Working in a bubble, contributing outside of it

The holiday season is usually a great time for personal projects, particularly for people like me who don’t go back “home” with “the family” — quotes needed, since for me home is where I am (London) and where my family is (me and my wife). Work tends to be more relaxed – even with the added pressure of completing the OKRs for the quarter, and of defining those for the next – and given that there is no public transport running, the time saved commuting also adds up, making it an ideal time to work on hobbies.

Unfortunately, this year I’m feeling pretty useless on this front, and I thought this feeling of uselessness is at least something I can talk about for the dozen-or-so remaining readers of this blog, in an era of social media and YouTube videos. If this sounds very dismissive, it’s probably because that is the feeling of irrelevancy that took over me, and something that I should probably aim to overcome in 2020, one way or another.

If you are reading this post, it’s likely that you noticed my FLOSS contributions waning and pretty much disappearing over the past few years, except for my work around glucometerutils and the usbmon-tools package (which kind of derives from it). I have contributed the odd patch to the Linux kernel, and more recently to some of the Python typing tooling, but those are really drive-by contributions, made as I found time for them.

Given some of the more recent Twitter threads on Google’s policies around open source contributions, you may wonder if it is related to that, and the answer is “not really”. Early on, I was granted an IARC approval to keep working on unpaper (which turned out to be possibly overkill), for the aforementioned glucometerutils, and for some code I wrote while reverse engineering my gaming mouse. More recently, I’ve leveraged the simplified patching policy, and been granted approval for releasing both usbmon-tools and tanuga (although the latter is only released as a skeleton right now).

So I have all the options, and all the opportunities, to contribute to FLOSS projects while employed by a big multinational Internet company. Why don’t I do that more, then? I think the answer is that I work in a bubble for most of the day, and when I try to contribute something in my spare time, I find myself missing the support structure that the bubble gives me.

I want to make clear here that I’m not saying that everything is better in the bubble. Just that the bubble is soft and warm enough that it makes the world outside of it scary, sometimes annoying, but definitely more vast. And despite a number of sensible tools being available out there (and in many cases, better tools), it takes a significant investment in researching the right way to do something, to the point that I suffer from CBA syndrome.

The basic concepts are not generally new: people have talked out loud at conferences about the monorepo, my friend Dinah McNutt spoke and wrote at length about Rapid, the release system we use internally and that drives the automatic releases, and so on. If you’re even more interested in the topic, this March the book Software Engineering at Google will be released by O’Reilly. I have not read it myself, but I have interacted on and off with two of the curators and I’m sure it’s going to be worth its weight in gold.

Some of the tools are also being released, even if sometimes in modified form. But even when they are, the amount of integration you have internally is lost when trying to use them outside. I have considered using Bazel for glucometerutils in the past — but in addition to being a fairly heavy dependency, there’s no easy way to reference most of the libraries that glucometerutils needs. At the end of the day, it was not worth trying to use it, even though it would have made my life easier by reducing the cognitive load of working on opensource projects in my personal time.

Possibly the main “support beam” of the bubble, though, is the opinionated platform, which can be seen from the outside in the form of the style guides but extends further. To keep the examples related to glucometerutils, while the tests do use absl’s parameterized class, they are written in a completely different style than I would write at work, and they feel wrong when it comes to importing the local copy of the module to test it. When I looked around to figure out the best practice for writing tests in Python, I could find literally dozens of blog posts, StackOverflow answers, and testing framework documentation, all giving slightly different answers. In the bubble you have (pretty much) one way to write the basic test — and while people can be creative even within those guidelines, creativity is usually frowned upon.

The same is true for release engineering. As I noted and linked above, all of the release grunt work in the bubble is done by the Rapid tool — and for the most part it’s automated. While there’s definitely more than one way to configure the tool, at least you know which tool to use. And while different teams often have differing opinions on those configurations, you can at least find the opinion of your team, or of the closest team to you with an Opinion (with a capital O) and follow that — it might not be perfect for your use, but if it’s allowed it usually means it was reviewed and vouched for (or copy-pasted from something else that was).

An inside joke from the Google bubble is that the documentation is always out of date and never to be trusted. Besides the unfairness of the joke to the great tech writers I have had the pleasure of working with, who are more than happy to make sure the documentation is not out of date (but need to know when that’s the case, and most of them don’t find out until it’s too late), the truth is that at least we do have documentation for most processes and tools. The outside world has tons of documentation, some of it is out of date, and it’s very hard to tell whether it’s still correct and valid.

Trying to figure out how to configure a CI/CD tool for a Python project on GitHub (or worse, trying to figure out how to make it release valid packages on PyPI!) still feels like going by the early-2000s HOWTOs, where you hope that the three-year-old description of the XFree86 configuration file still matches the implementation (hint: it never did). Lots of the tools are not easy to integrate, and opting into them takes energy (and sometimes money) — the end result of which is that, despite my releasing usbmon-tools nearly a year ago, you still need an unreleased dependency, as the fix I needed is not present in any released version, and I haven’t dared bother the author to ask for a new release yet.

It’s very possible that if I were not working in a bubble all of these issues wouldn’t be big unknowns — probably if I spent a couple of weeks reviewing the various options for CI/CD I could come up with a good answer for setting up automated releases, and then I could go to the dependency’s author and say “Hey, can I set this up for you?” and that would solve my problem. But that is time I don’t really have, when we’re talking about hobby projects. So I end up opening the editor in the Git repository I want to work on, add a dozen lines or so of code to something I want to do, figure out that I’m missing the tool, library, interface, opinion, document, procedure that I need, feel drained, and close the editor without having committed – let alone pushed – anything.

Stop slagging off IoT users if you care about them

It’s the season for gifts (or, as some would say, consumerism), and as way too often is the case, it starts a holy war between those who enjoy gadgets, new technology, and Internet-connected appliances, and those who define themselves as security conscious and tell people that they wouldn’t connect a computer to the Internet if they didn’t have to.

Those who follow me on Twitter probably already know which side of this divide I find myself on: I do have a few IoT devices at home, and I’m “IoT-positive”. I even got into a long Twitter discussion years ago about the fact that IoT is no longer just a random marketing buzzword, but has come to refer to a class of devices that the public at large can identify, the same way “white goods” does in the British Isles.

I have a very hard time giggling at Twitter posts from geek supremacists making fun of Internet-connected ovens, when the very same geeks insist they would never possibly buy something like that — despite the excited reactions of the Linux, BSD and FLOSS communities nearly fifteen years ago at the release of a NetBSD-operated toaster.

This does not mean that I’m okay with all the random stuff that’s being proposed as an Internet-enabled device. I have looked briefly at Bluetooth toothbrushes and I’m still lost on what the value proposition is with them. And even last year when I got a smart plug it took me a lot of thought to figure out what it would be used for, and I decided that, for 11 months of the year, the plug will stay in a box, and it will come out at the same time as the Christmas tree.

Today’s musing comes from finding a “Smart Essential Oil Diffuser”, which was funny because I was looking for something completely different (a kitchen oil bottle, it’s a long story), but I actually clicked on it out of curiosity. I had looked into this type of device last year, while I was writing my post about smart plugs: they sounded like an interesting approach to make sure they are on for a few minutes before we arrive home, just to give a good smell to the flat without having to keep a more standard Ambipur on all the time.

Indeed, I have considered converting our Muji diffuser into a “Smart” one with an Adafruit FeatherWing, but it works too well to open it up right now, and nearly everything I can see in stores like TK Maxx appears to be fairly low quality, with power supplies that look too low to be true. But the device I found over there also appears to be a fairly bad one, so I think our old-school Muji diffuser will stay around instead.

The thing is, whether you like it or not, the public at large, not just the geeks, is the driving force for manufacturers. And you won’t win anyone over by being smug and pointing out how good you are at not buying Internet-enabled stuff because you don’t trust it. The public will buy it. So instead of throwing all IoT options under a bus, and making fun of their users, I prefer Matthew’s approach of actually looking into the various lightbulbs and documenting which ones are, indeed, terrible.

Indeed, if you think that Internet-enabled aroma diffusers are pointless, useless, and nobody will want to have one… you’ll find out that someone will be making one, people will buy one, and most likely some random Chinese factory will start making a generic enough model that other companies can rebrand, and provide the least secure option out there.

I think this is also a valid metaphor for politics nowadays. It doesn’t matter that you are sure you have the right answer — if you demonize the public at large, telling them they are stupid, or that they are at fault for things, they’re not likely to take your advice for long.

So if you care about the people around you, instead of telling them that IoT is terrible and you shouldn’t connect anything to a computer ever in a million years, try finding what is not terrible, while still providing them with the convenience they desire. Whether it is a smart lightbulb, a smart thermostat, or an app-enabled doorbell. And if you can’t find anything, and you still think you’re smarter than others, make it. Clearly there’s demand for those tools: can you make a secure and safe one?

Curve is giving "free" money away, again.

About a year and a half ago, I reviewed the Curve debit card, and I went back talking about it when talking about foreign transaction fees. If you don’t want to go back and read the whole set of text, I’ll give a very brief description: Curve is a proxy-card, that allows you to connect a bunch of other debit and credit cards, and to decide when you pay (or, critically, shortly after) which card you want to charge your expense to. It includes a few features such as some amount of free (or cheaper) transaction fee spend, but the “proxy” nature of the card is the selling (or not-really-selling as I’ll explain later) point.

In my previous posts, I have made two main points about Curve: the first is that they give away for free most of the useful features of the service, and the other that they make no real sense in the UK, as one of the possibly biggest selling points (the foreign transaction fee nullification) is vastly irrelevant: most high street banks have some offering with no foreign transaction fee, and I still venture that Santander is the best UK offering for globetrotters who need to use their card in many different currencies. Despite my fairly pessimistic view of Curve’s business plans, it seems like the management is taking a different view — even FT Alphaville wrote about their marketing campaign.

Speaking of pessimistic view — I am a bit skeptical about their marketing of “100 Cards in One”. While it would be a great feature a few years ago, in 2019 most of my spending goes through my phone, with Google Pay. While I have half a dozen separate cards, most of them are compatible with Google Pay, so I don’t carry them with me. The ironic exception being my company card. As it turns out, this is something that Curve can help with: it now supports Google Pay, and on a business trip I can proxy my expenses to the company card.

Now, one claim on their website that appears to mostly hold true is «Your gateway to money for nothing.» Because they do appear to run lots of promotions that give you free money. Indeed, in the past week I received two emails from Curve: one to announce that they would give me £5 if I just used my card at all (which I did, just to see if they pay up), and another to tell me that they are giving a “Christmas gift” to all their users to select three new retailers to get their 1% cashback from. All of this for a “Curve Blue”, which is their totally free tier.

Speaking of the 1% cashback, when I signed up last year, Amazon was not one of the options, or I would have taken it. It was this time, so I did that, under the impression that one way or another I do end up buying stuff off them often enough, and in the next three months I may get some value out of it. Despite this, their paid offer is still pointless: they charge you £9.99 a month, and to cover that on cashback alone you would have to spend £1000 a month at those three retailers. And no, I don’t think the Travel/Gadget insurances that they peddle with the offer mean anything else — there’s a doubling of how much free cash you can get from ATMs, but they appear to have closed the loophole that allowed you to withdraw cash and get loyalty points, or cashback, from a credit card, without incurring cash handling fees.

So yeah, it looks like they do give money for nothing. Well, for some profiling data I guess. The obvious question is where that money comes from, given that the free offering is just compelling enough, and their paid offerings are… in one word, overpriced. As I said in the previous post on foreign transaction fees, Santander offers their All in One Credit Card for £3 a month, and it also has 0% foreign transaction fees and comes with a 0.5% cashback on all purchases; recovering that monthly fee requires “only” £600/month spend across any vendor (and not just three), and if you spend more you can probably pay for the travel/gadget insurance separately. And since it’s issued as a World MasterCard (rather than a Debit MasterCard), it also allows you to use some of the available perks worldwide, including some airports’ priority lane at security (as it turns out, that includes Venice Airport, which is very handy since that’s where we fly in and out to see my family.)

And if you want to compare with the Curve Metal offering at £14.99 a month, well, Santander offers a World Elite Mastercard at the same price point, which comes with the same 0.5% cashback (although capped to nullify the monthly fee.) Despite not coming with the insurances (which again I don’t find particularly compelling), it does have a discount for Santander’s own offering. And it provides LoungeKey access just as well, except that you don’t have to pay the £20 per person entry fee. Being a World Elite card, it also comes with a bunch of other perks, including a Boingo subscription (not particularly compelling to me either, but worth noting.)

Anyway, if you are yet to make your Christmas purchases, and are interested in getting some more extra cashback with Curve, you can download the app from their website and if you want you can sign up with the code BG2G3 to get another £5 out of the magic free money card (and give me the same.)

MSI X299 SLI PLUS problems and solutions

Last year, I posted about an issue with missing BitLocker and PIN authentication with my replacement Gamestation build. While it does not look like this is a particularly popular post, I did confirm that at least a couple of people managed to get good use out of that blog post.

As usual, my Twitter feed contains spoilers of this blog post, as I have ranted, complained, and asked questions (mostly to Jo) trying to figure out my Windows problems. The reason I’m writing this down is, as usual, as a reference for myself, so I don’t repeat the same mistakes over and over again, and as a reference for others, since in particular one of the error codes I’m going to talk about appears to turn up almost exclusively scammy “PC fixing” websites. And yes, I know that I’m repeating the word BIOS later while this is clearly a UEFI board, but MSI calls it that, and to be honest for most non-technical folks the differences between the two terms don’t exist.

All long help threads should have a sticky globally-editable post at the top saying ‘DEAR PEOPLE FROM THE FUTURE: Here’s what we’ve figured out so far …’

First of all, as noted in the previous post, it looks like nearly all of the settings in the BIOS are lost at any upgrade of the firmware. This is particularly annoying when it looks like a lot of the updates are early boot microcode updates to cover the increasing complexity of mitigating Spectre-style vulnerabilities, and reasonably shouldn’t need to change the semantics or format of settings such as Secure Boot, TPM settings, or smart fan configuration.

So make sure to take good screenshots of all your settings before updating your firmware, as otherwise you’ll fight for hours trying to reconfigure it as you had it before.

Your computer is not resuming from sleep when you press the power button. This appears to be common; I’ve found a bunch of forum posts by people complaining about this behaviour on a number of MSI motherboards. Most of them appear to be in the form of DenverCoder9, although with a little more detail: people claiming they solved the issue by either downgrading or upgrading the motherboard’s BIOS. Not wanting to downgrade my BIOS and having just upgraded it, I wanted to find a better answer, and it turns out I probably did find it. Here’s the solution: disable the GO2BIOS feature.

Some more details, which can be useful for others in the future if they encounter similar issues and the solution I’m providing is not helping them. The GO2BIOS feature by MSI is a shortcut to enter the BIOS configuration screen without using the keyboard, and it’s particularly handy once you enable all the fast-boot options, as the keyboard might not respond at all. To force entering the BIOS configuration, then, you just need to keep the power button pressed for four seconds when you turn on the computer. That’s what clued me in to the connection between the setting and the failure to resume, as they both relate to the power button.

The reason why downgrading or upgrading the BIOS appeared to solve the issue is the one I noted above: all firmware updates on these boards appear to completely reset the settings to defaults, and the GO2BIOS feature is not enabled by default (and probably few people would consider re-enabling it in the hurry.)

Windows 10 bluescreens with WHEA_UNCORRECTABLE_ERROR. This is trickier, mostly because all of the search hits for this particular code appear to point at very dodgy websites, and the only hit I could find on the Microsoft website was for a forum post where it was suggested that the particular code I was seeing was related to AMD CPUs. Since my machine is an i7, that made no sense whatsoever.

The WHEA in the name stands for Windows Hardware Error Architecture, which suggested that the bluescreen was caused by something like a Machine-Check Exception. This was particularly scary because it started happening right after I installed a new NVMe SSD, which appeared to get very warm, leading me to first install two more fans, and then replace the original fans with PWM ones.

During this “ordeal” I also had been installing and updating quite a few pieces of software, related to the CPU, the motherboard, the Kraken cooler, and so on. And since I had just updated the BIOS I also had been tweaking a lot of parameters, including trying to re-enable the auto-overclock feature that, as I discussed previously, appears to be implemented mostly in firmware.

Eventually, I found that I solved the problem by uninstalling MSI’s Control Center software. I had already previously disabled the OC assistant, but even with that I kept receiving random blue screens when browsing websites, or just opening Lightroom. Since I uninstalled the Control Center software I have not experienced a single one for a few days. And that includes a “torture test” with Prime95 that brought the CPU to 100C and to thermal throttling.

I’m not sure what the root cause for this is. I can only imagine that there’s some strange interaction between the firmware and the software that was not quite well tested. Or maybe there’s a new update on Windows 10 that caused Control Center to fight for resources. But whatever the reason it seems the right thing to do was to remove MSI’s software, which anyway does not really do anything you can’t do in the BIOS configuration screen.

I hope this post can find its way to those looking for answers for these (or similar enough) issues. And if you find that there are other possible causes for this, feel free to leave a comment on the post.

Planets, Clouds, Python

Half a year ago, I wrote some thoughts about writing a cloud-native feed aggregator. I actually started drawing some ideas of how I would design this myself since, and I even went through the (limited) trouble of having it approved for release. But I have not actually released any code, or to be honest, I have not written any code either. The repository has been sitting idle.

Now, with the Python 2 demise coming soon, and me not interested in keeping around a server nearly only to run Planet Multimedia, I started looking into this again. The first thing that I realized is that I both want to reuse as much existing code as I can, and I want to integrate with “modern” professional technologies such as OpenTelemetry, which I appreciate from work, even if it sounds like overkill.

But that’s where things get complicated: while going full “left-pad” of having a module for literally everything is not something you’ll find me happy about, a quick look at feedparser, probably the most common module to read feeds in Python, shows just how much code is spent trying to cover for old Python versions (before 2.7, even), or to implement minimal-viable-interfaces to avoid mandatory dependencies at all.

Thankfully, as Samuel from NewsBlur pointed out, it’s relatively trivial to just fetch the feed with requests, and then pass it down to feedparser. And since there are integration points for OpenTelemetry and requests, having an instrumented feed fetcher shouldn’t be too hard. That’s going to probably be my first focus when writing Tanuga, next weekend.

Speaking of NewsBlur, the chat with Samuel also made me realize how much of it is still tied to Python 2. Since I’ve gathered quite a bit of experience in porting to Python 3 at work, I’m trying to find some personal time to contribute smaller fixes to run this in Python 3. The biggest hurdle I’m having right now is to set it up on a VM so that I can start it up in Python 2 to begin with.

Why am I back looking at this pseudo-actively? Well, the main reason is that rawdog is still using Python 2, and that is going to be a major pain with security next year. But it’s also the last non-static website that I run on my own infrastructure, and I really would love to get rid of it entirely. Once I do that, I can at least stop running my own (dedicated or virtual) servers. And that’s going to save me time (and money, but time is the most important one here too.)

My hope is that once I find a good solution to migrate Planet Multimedia to a Cloud solution, I can move the remaining static websites to other solutions, likely Netlify like I did for my photography page. And after that, I can stop the last remaining server, and be done with sysadmin work outside of my flat. Because honestly, it’s not worth my time to run all of these.

I can already hear a few folks complaining with the usual remarks of “it’s someone else’s computer!” — but the answer is that yes, it’s someone else’s computer, but a computer of someone who’s paid to do a good job with it. This is possibly the only way for me to manage to cut away some time to work on more Open Source software.

Revolut, as of October 2019

A few months ago I wrote a not-so-short comparison of a few FinTech services with offerings from high street banks in the UK — and I would note again, that the comparison does not hold up in Ireland, so it’s definitely biased, but I would uphold it for good reason. I think it might be time to do a bit more dusting over it.

The first service I should get back to talking about is Revolut, which I first praised and more recently complained about. As I said in a number of previous posts, my reasons to keep using Revolut for day-to-day transactions have pretty much disappeared: my Santander credit card gives me 0.5% cashback on all transactions, and no foreign transaction fee; why would I use Revolut? Virtual cards, and rotating-number cards are interesting and have their use, but honestly, I can’t be bothered unless it’s for very shady operations where I don’t trust giving my credit card, but those are pretty much corner cases.

Revolut has been running multiple advertising campaigns throughout the London Tube, the most recent one promising three Tube trips free if you pay with Revolut. I could probably do that, next week, maybe, if I paid enough attention — I don’t use monthly tickets, so I can change card any Monday as long as I use the same card until Sunday to cover the 7-day cap. But I had a bad history with using Revolut on the TfL network before, although admittedly that was when I was landing from Dublin, and the location-based security tripped.

Update 2019-10-07: turns out I cannot actually use their TfL offer because it relies on Google Pay (which with Revolut I found already too unreliable to use for commuting) and only works if you have a Visa-issued card. My card is MasterCard-issued still.

If you check the news, the FT reported just this week how Revolut expects to reach “viability” despite continuing to lose money. This is likely because, as I pointed out in my complaint post, Revolut makes perfect sense as long as you’re not paying anything for it. The only reason to sign up for any Premium or Metal tier in London (where most of their advertising budget appears to be spent, from what I read in the news) is if you don’t understand the services available from the high street, or if you want to subsidize the free tier for everyone else. Funnily enough, FT Alphaville reported on the same day on the staff cashing it in.

I had to use Revolut only once in the past few months, and that was a couple of days ago. My sister asked me if I could send her some money for her to use the card, as her debit cards expired and she was trying to buy something — remember Italy does not have “faster payments” so inter-bank transfers are not instantaneous. It should be a simple operation: top-up £50, send £50 to my sister, she can convert to € and spend it.

Topping up worked like a charm. But sending the money didn’t: in addition to confirming my fingerprint, the app said it would send me an email, and to check the email from the same device to confirm the operation. The email can be re-sent only after one minute, but (as often) it recommends you check your Junk or Spam folder too. The email never arrived. I don’t mean within a minute. I mean that this is two days later, and the email has still not arrived.

No, the mail server was not having a hiccup. Yes, I did try resending it five minutes later. Yes, I did check the Spam folder. No, it’s not greylisting. My email address is served by G Suite, which means it’s more reliable than a normal Gmail address. Revolut can’t seem to send email to Gmail. And it’s not just me. The same problem with email not arriving happened a number of months ago to my girlfriend, while sending money to my Revolut account! Anyway the answer is that I now have £50 that I can’t seem to be able to send to my sister, she ended up asking our mum for the transfer instead, and I have even less trust in the service.

I complained on Twitter about this, but without tagging in the Revolut account. When this happened to my girlfriend, and I ranted at them about it, they kept insisting to “check [my] spam folder”, which of course we did. If I asked now, I’m expecting to hear that “PSD2 made them do it”.

It’s sad, but I can’t really expect much better from a service that, despite a lot of nice ideas at the start, appears to have found a business model only to augment banks in places where the high street has no offering (Ireland), or for people who don’t seem to know better (the whole Bitcoin/cryptocurrency part, that appears to be the sole attraction of Premium/Metal for quite a few people).

PSD2 Made Me Do It

The European “Revised Directive on Payment Services” (usually just called PSD2) has recently entered into legislation in many countries, including the UK — despite the current political turmoil. In addition to requirements around data access and APIs, and additional limitations for financial service providers, it includes the requirement for financial institutions to provide what is called “Strong Customer Authentication”.

The idea is to provide a stronger guarantee that it is indeed the customer accessing their balance or executing a financial operation. None of this should feel particularly sophisticated, given that banks have provided multi-factor authentication options for many years before this. But if you have read my blog before, you probably know my opinion on banks’ security theatre features.

Indeed, UK – and Irish – banks still appear to believe that asking only for a subset of the characters of a password, or of the digits of a PIN, is a good security practice, despite this having been easily debunked by any web engineer with a bit of sense.

My job has nothing to do with financial services or PSD2, which means I have a very basic understanding of its intricacies. On the other hand, I’m able to observe how various companies are receiving the directive and implementing it for their customers. Take for example American Express, who sent reminders to their customers to keep their Android app up to date, as they are preparing to send SafeKey notifications – their “2FA” authentication similar to Verified by Visa and MasterCard SecureCode – directly to the customers’ phones. Similarly, Santander recently sent me a contract update that, among other things, gives them permission to send notification via app or email, rather than just SMS. Pretty much the same story applies to the Italian UniCredit, which also replaced their physical password cards (yes, they still had some) and RSA tokens with app notifications.

This is not rocket science or anything particularly new. Even my American bank, Chase, sends similar notifications to either SMS, or email, whether it is while logging in, or executing a transaction — and American banks are not particularly well known for their innovative ideas. Indeed, Chase has been doing this for the past three years, without any directive requiring it, and with a fairly low bullshit level. And it even supports OAuth2 delegation for transfers, which TransferWise uses. I guess we’re now seeing European banks catching up to a fairly low bar.

On the other end of this we have Fineco, now no longer part of UniCredit. Their “strong customer authentication” appears to be an additional 7-digit PIN called “mobile code.” How and where this is going to be used is not particularly clear — the announcement says it’ll be used to hide your balance, but that does not appear to be the case right now. You need to set it in the mobile app, and once done, you’re proposed to link it to your fingerprint. The interesting part is that you already need an additional code to execute operations, and you have needed it for the past two years. You also have a separate “client services” PIN, and both of those are 8 digits. And the “web password” is itself only 8 characters. You would think that instead of four “memorables”, having one that can be longer than 20 characters would work better.

Setting banks and financial institutions aside, I think nothing can top the original email sent by John Lewis, the British department store (that also operates the Waitrose supermarkets). On September 2nd, they sent an email titled Important information about payment changes, which effectively introduced PSD2 and SCA to their customers. In the email, there was this gem:

SHOPPING IN STORE
You’ll notice changes when making contactless payments in our shops, including when using Apple Pay, Samsung Pay and payments via wearable technology such as smart watches. You may be asked to insert your card and key in your PIN. Chip and PIN payments will continue to work as normal.

WHAT YOU NEED TO DO
As the checks are random, you won’t know in advance whether validation is required, and neither will our Partners. So if you plan to use contactless payment, make sure you have the relevant card with you, or an alternative method to use, so you can continue with your purchase.

my John Lewis email, 2019-09-02

I then took to Twitter to rant about the insanity of suggesting customers insert a card when using a mobile-based payment system. Not just because there may not be a card to insert (Revolut allows connecting a virtual card to Google Pay, so there’s no matching physical card for it), not because there shouldn’t be a way for merchants to link the Google Pay/Apple Pay to the original card you connected, but most importantly because the authentication provided by an unlocked phone is stronger than that of a Chip’n’Pin card.

But it got even worse with “What you need to do”, because they are explicitly saying that they were introducing random checks, not the risk-based checks which PSD2 and SCA usually suggest. And let’s ignore again the note of the “relevant” card that may not exist. It makes it a lottery to figure out if you can pay for the groceries you’re buying, and honestly I don’t want to have an awkward moment when their till system decides to quiz me on a card I might not have to begin with.

I don’t know if anyone at the store chain noticed my tweet rant, but two days later, they sent another email, titled An update on Strong Customer Authentication.

At John Lewis & Partners, we are committed to ensuring you have a safe and secure experience when shopping with us. On Monday 2 September we sent you an email about Strong Customer Authentication (SCA) and the importance of your card issuer having your most up-to-date contact information.
We incorrectly suggested that you may be asked to insert your card and key in your PIN when using Apple Pay and Samsung Pay. We are pleased to tell you that you are not required to present your card or enter your PIN when using these payment methods, and you can continue to use Apple Pay and Samsung Pay as normal.

my John Lewis Email, 2019-09-04

I don’t know if this is a change of plan, where someone pointed out that implementing it that way was silly, or just a communication error in the first place. But it definitely shows how careless the communication around this was from John Lewis. I somehow expect that other companies are in the same boat, and I just haven’t noticed because I’m not their customer.

Speaking of Twitter, I saw at least two people recently complaining that their banks refuse connection from IP addresses from countries outside their operation area. While this does not seem to be announced as part of SCA, I have a certain feeling that this is becoming more popular because of it. It’s the same kind of risk analysis that forces me to use TunnelBear to connect to my GP’s online services to order my medical supplies if I’m traveling, as their app is rejecting any request coming from a non-UK address.

I’m afraid that as usual, with bank security, we’re not talking about rational solutions. We’re instead looking at solutions that consultants can sell to banks, and that bank management can feel confident enough to defend in court. And maybe convince their customers that, while they may be making their life miserable, they do so for security.

It effectively reminded me of Andrea’s work on chip-and-pin implementations, now nearly eight years ago:

Andrea Barisani and Daniele Bianco talking about Chip&PIN.

Honestly, I wish banks took their ideas from TransferWise, which, among all of my bank accounts, is the only one implementing 2FA as push notifications with the app they have on my phone.