litchralee

joined 3 years ago
[–] litchralee@sh.itjust.works 6 points 11 hours ago

Since this would be the phone number that you'd rely upon to have continued access to those government services, I wouldn't skimp on the expense: consider the monthly charge for a domestic phone plan as a cost of citizenship or residency.

Supposing you find and set up an eSIM with a domestic carrier in that country, then one which supports WiFi calling would allow you to receive SMS/MMS from anywhere, provided that your phone also supports WiFi connectivity.

As an aside, WiFi connectivity was greatly useful when I was traveling in Japan, since I'd be back at the hotel with WiFi in the evening, which conveniently overlapped with USA West Coast time, so calls were perfectly natural.

[–] litchralee@sh.itjust.works 73 points 1 day ago* (last edited 1 day ago) (3 children)

I'm going to try answering the titular question, despite the factual situation being wholly divorced from sanity, through no fault of the OP directly. Unless some new convention on the laws of the sea has been enacted vis-a-vis international waters -- which the Strait is -- a nation which provides some sort of service over that area is not entitled to remuneration. It would be gratis.

That said, in the very different context of aeronautical navigation, there is indeed precedence for providing a service to an international zone, but this is agreed to by multilateral treaty, not imposed. For this, we look to the massive area of the north Pacific Ocean, for which there is essentially no radar service available. And yet, to enable civil aircraft to fly without colliding with each other at speed, somebody needs to coordinate the flight routes and provide weather information. Through ICAO, the USA is the contracting state that provides such service over the Oakland Oceanic Flight Information Region. This means most of the Pacific Ocean is not USA airspace, but does follow the American procedures for organizing traffic (which follows from ICAO rules but possibly with small tweaks). This is the distinction between "USA airspace" and "USA controlled airspace". ICAO chose the USA because no other country can realistically perform this service, nor has anyone else put in an offer to ICAO.

To pay for this service, the USA FAA charges overflight fees. Since the FAA is a civil agency, it does not have authority to order a shoot-down of an airline's jets due to non-payment. Rather, the FAA can collect the owed fees through the American courts, just like anyone else would through a lawsuit for money damages. The FAA could also take adverse regulatory action, such as providing less or no service, subject to minimum obligations required by ICAO. The agency can also choose to cancel or disapprove of flights headed to/from USA airspace. If an airliner flies into the territorial airspace of any country without permission, then the air force would respond, not the civil air regulator.

So what does this have to do with international waters and maritime navigation? The air example shows how an equivalent fee for water passage would have to be implemented, when it concerns international waters. Everyone has to agree to the terms, the fee has to be economically reasonable, the contracting state must have some relationship to the area in question, and an international organization must actually contract with a qualified state to provide said service.

The present action in the Strait meets none of this criteria. So yeah, a ship could try their luck and pass through the Strait without making payment. Maritime and international law would not support the USA's claims for remuneration, even if adjudicated in an American court.

[–] litchralee@sh.itjust.works 7 points 3 days ago* (last edited 3 days ago) (5 children)

What is the absolute simplest way to accomplish this?

< gets on soap box>

The absolute simplest way is to use IPv6: on your Debian machine, assign multiple IPv6 addresses, one for each service you want to expose to your LAN. There's no penalty with having a dozen v6 addresses.

Although you have those addresses, your machine generally uses just a single one for its own outbound and inbound traffic. For each service, you would edit their config so that they bind to a specific IPv6 address. Finally, you would configure an AAAA entry in DNS so that your chosen subdomain will point to the IPv6 address in question.

As an example, suppose you had three different web servers running Nginx, currently on port 80, 8081, and 42069. What you would change is the server config for each server instance, adidng the IPv6 address as part of the "listen" directive. Since each instance is now bound to a different IP address, nginx can now listen to the conventional port 80 and n'ary will the three collide. In other software, the configuration option you're looking for is the "bind address". By binding each app to its own IP, it will only respond if you send a request to that IP (or DNS name, which translates to an IP); this conveniently makes debugging really easy.

For a home network, you might have a single /64 IPv6 subnet. But that still means you literally have billions upon billions of addresses to use before you ever run out. And as you've recognized, using DNS names to identify services is a lot easier and intuitive than using port numbers. It also neatly avoids the need to memorize IPv6 addresses, because that's never been necessary: we have DNS.

If your ISP won't give you IPv6, you can still use locally-assigned private ranges, known as ULA, and this works because your services are contained to your LAN. Best practice is to randomly generate a subnet then use it.

< gets off soap box>

[–] litchralee@sh.itjust.works 5 points 3 days ago* (last edited 3 days ago) (1 children)

Melodic dubstep when I'm debugging, metalcore when I'm developing new code.

I can't do lyrics when I'm working with GDB, and the gutteral screams help me maintain my composure as I quietly swear at the prior maintainers for leaving me with a poor foundation for my new code.

[–] litchralee@sh.itjust.works 6 points 4 days ago

TUI users have much less tolerance for "lag"

In a lot of ways, I think software that harkens back to an older era understood the assignment exceptional well: when you're working on a glass TTY attached to a 9600 baud modem via a microwave network to the university computer in the next state over, the latency from the connection itself was pretty bad. So to then have inefficient software that "lags" would be intolerable.

Fast forward to the present day, with broadband and 1 ms latency, it's less of a concern, sure. But good software remains good software, even if the environment has improved. And for some, my work often travels with me aboard the train, where the congested 4G backhaul really makes me appreciate the miserly bandwidth of vim and SSH.

I also find myself reconfiguring systems that only have no editor installed except VI (and sed, lol) due to disk constraints. So while the command set is grossly reduced from vim, they have similar commands and workflows that I can maintain proficiency even in these sparse environments.

"Lowest common denominator" software definitely has its use-cases.

[–] litchralee@sh.itjust.works 6 points 4 days ago

Without knowing which medication, there can only be speculation as to why it requires a specific quantity of water. And even then, the best source of authority would be to ask the doctor for the reason.

[–] litchralee@sh.itjust.works 7 points 1 week ago* (last edited 1 week ago)

Is that something you're looking for? As a practical matter, the effort to maintain multiple release branches and backports -- compared to the norm of just maintaining a single main branch -- is an outsized effort, available to only well-funded FOSS projects, usually by having an industry sponsor that makes it a priority.

I posit that the grand majority of selfhosted FOSS software, by project count, do not have back ported branches. And so production environments will want to set up an offline validation setup to evaluate update, prior to making the switch. Not convenient, sure, but not exactly insurmountable either.

At some point, some amount of responsibility for use of FOSS software must fall upon the users, or else the project is less about creating value by building up the commons for software, and more on the exploitation/abuse of the volunteers.

[–] litchralee@sh.itjust.works 10 points 1 week ago (2 children)

Downside: breaking changes are fairly common AFAIK.

By my extremely cursory reading, this stopped being a problem after the v2.0.0 release, when they adopted semantic versioning. According, breaking changes would only occur when the major version number is rolled. And version v3.0.0 was just released 5 days ago, whereas v2.0.0 was released in October 2025.

It may be down to taste, but I view 9 months as being acceptable, given the breadth of features offered and the folks willing to put effort into the project.

[–] litchralee@sh.itjust.works 7 points 1 week ago* (last edited 1 week ago)

There are indeed places where large amounts of human activity takes place underground, often being metro systems and their associated retail spaces; Tokyo Station in Japan comes to mind as having an underground mall attached to it.

But the same caveats for underground construction of transportation systems also apply to all other underground structures that humans would like to build. Consider the differences between ground conditions in: the San Francisco Bay Area, Denver, and New York City.

The Bay Area is the outlet for major rivers in northern California, bounded by mountain ranges on virtually all sides. The surface is either a thin covering of soil atop this mountain rock, or is a layer of looser soil or mud, made from the sediments carried in by those rivers. This makes for fantastic agricultural conditions but presents a real risk of liquifaction when there's an earthquake. While an underground structure wouldn't fall over -- because it's within the ground -- it could certainly lose its supports unless it has piles all the way down to the rock. And that's only buildable on the narrow shoreline region where there's sufficient depth before hitting the rock layer.

With Denver, it's basically all rock, so to build within the rock would require blasting it away and building within the hole, or to build normally then bury the structure in fill, so that it's below grade.

With NYC, it's a different story because the ground conditions make it fairly easy to dig tunnels and drive piles, and the bedrock layer beneath Manhattan is strong enough to support the weight of supertall-class skyscrapers. On this point, the New York Fed's Gold Vault is in the basement in Manhattan, precisely because the volume of gold inside would be a serious strain on any foundation and the geology beneath.

All that said, the surface conditions in some extreme climates may warrant building underground, or avoiding the underground outright. Burying a dwelling in New Mexico would make a lot of sense, due to the hot and dry Southwestern climate. But in Alaska, an underground dwelling would cause melting of the permafrost layer below, resulting in a similar situation to liquefaction. I suppose this can be mitigated, but it would be a monumental effort, akin to Camp Century in Greenland. That project was abandoned due to changing ice geology.

[–] litchralee@sh.itjust.works 3 points 1 week ago* (last edited 1 week ago)

I generally shy away from downvoting even things I dislike. I don't want to fall into an echo chamber where all I see are only the things I agree with.

This is not how Lemmy works. If you don't ever up or down vote anything, and if you have your client hide the up/down votes on all comments and posts, you will still see the same content as someone who prodigiously votes. Votes here are, in the truest possible way, optional.

But for people who do utilize up/down votes, they are a signal. Sometimes they're a weak signal, sometimes a bad signal, and yet other times might be a strong signal from the community. How to evaluate the signal is a matter of continued debate.

Now, as an aside, a major difference in the Fediverse compared to commercial social media networks is that the block functionality here is used for more than just dodging abusers. Precisely because there is no algorithm, blocks and mutes are how users curate what they don't want to see. This alone does not create a so-called online echo chamber, the same way that most people don't want to see a steaming pile of poo on their morning walk. People reasonably deserve to have a pleasant experience online. And depending on their life circumstances, this might be a lot better than their IRL situation.

[–] litchralee@sh.itjust.works 2 points 1 week ago

You can, of course, engineer reliable things from unreliable components.

I think the only way this statement can hold true in all circumstances is if we select an arbitrary boundary for what constitutes "reliable". And that's no small matter, because the threshold of reliability in a consumer IoT device would be inappropriate in a commercial or automotive setting, would be deeply wrong for industrial personnel safety, would be manifestly unlawful for a military or aerospace application, and potentially fatal for medical use.

Engineering is all about balancing a set of objectives, be it cost, time to market, efficiency, size, weight, or competitive advantage, and more. Doubling up as a way to improve reliability necessarily implicates size, complexity, and efficiency, but that's tolerable for large data centers where the customer counts servers by the number of floors, not the number of Rack Units (RU). But no one would accept installing two pacemakers because one of them might fail early; that's an intolerable solution to the product's base objective.

As it happens, most USA jurisdictions only require a single brake on a bicycle, and it doesn't even have to be on the more-effective front wheel. But the idea in law is to enforce the absolute minimum of requirements: having no brakes at all is where the line has been drawn, for a mode of transport that rarely gets above 50 kph (~30 MPH). But even then, all commercial bicycles for sale must have two brakes, so the law implicitly allows for some lost redundancy, because even one brake should be enough.

Could a bicycle brake be developed such that it is inherently always able to stop? Likely yes. Would it appreciably improve macro safety objectives such as by reducing collisions with stationary objects? No, not really.

And that's the rub: just because engineers can double up things to get more redundancy, is this any better than the alternative? If an LLM is used as a search engine, is that appreciably better than using "grep", a battle tested, secure, locally-ran application with a lineage harkening back to the 70s?

The drawback with inherent unreliability is that it can only be statistically reduced, but never eliminated. NASA understands this risk better than most, because cost pressures mean they can't be using military-grade hardware for everything. Perhaps then, it can be better said that engineers also have to balance risk in their decisions, and as it stands right now, the risk/uncertainty for LLM output is unquantifiable by any existing approach.

Academics have long been researching ways to make LLMs "safe", so that their outputs are constrainted in concrete ways. But I believe they've long concluded that the current approach of generative transformers simply cannot have safety "bolted on" after the fact. New constructions for machine learning will have to be invented with safety from day zero. The academics continue to work on that, while the commercial AI vendors are barreling ahead with LLMs, in spite of their risks and in the pursuit of a return.

I've not seen anything that would suggest the academics are wrong, nor that industry has managed to produce large safety or reliability improvements, so at this point, I only see a plateau and dead end for the industry. Maybe if the industry would put more into R&D and theoretical work, this would be a lot more graceful as they run up against the buffer stops.

[–] litchralee@sh.itjust.works 6 points 1 week ago* (last edited 1 week ago) (1 children)

If a Nintendo Wii counts as retro, there's at least one person hosting a website using one: https://infosec.exchange/@alexhaydock/114377262481451962

But that was (incredibly!) able to run a prebuilt version of NetBSD, which had drivers for the official Wii USB LAN adapter. If instead there's a piece of hardware that can boot an OS but doesn't have a network interface device, then SLIP could be useful. Here's a vape hosting a website: https://bogdanthegeek.github.io/blog/projects/vapeserver/

And if still, said retro device has no concept of IP or networking, can it at least speak serial over a 300 baud modem?

 

The convention in the USA for old urban centers and new suburban sprawl is to construct a street or road with a crown that drains rainwater to gutters along both sides of the road, then have storm drains to convey the water from the gutter to some nearby creek or tributary. But why?

Wouldn't it be easier to construct the road in a roughly canal shape, so that rainwater drains towards a single V-shaped gutter at the road's center? This would cut the number of storm drains by roughly half, prevent leaves from falling directly into a drain and clogging it, make it possible to clear a drain by driving a streetsweeper over it, and also prevent a clog from flooding adjacent properties, since the road itself can temporarily impound more water until municipal authorities can clear the blockage (whereas side gutters would invariably flood the sidewalk and carry sharp debris that would damage tires entering a driveway).

Furthermore, a center drain can be built once and then retained as-is each time a suburban arterial needs expanding -- "just one more lane, bro" -- whereas side gutters are regularly demolished and rebuilt to accommodate additional lanes. By routing water away from the edges of the road, sidewalks avoid freeze/thaw cycles, and the road surfacing can be continuous from the curb: no more bike lanes in the gutter. As a convenient benefit, the "drop" off at a curb-cut from a driveway to street level would cease to exist.

And where required to improve water quality due to runoff pollution, a center drain can be excavated and rebuilt as a linear stormwater retention pond, where moderate stormwater can filter into the local soil slowly, with a predefined overflow level that will drain to the existing stormdrain pipes. This is already done for both surface parking lots as well as Interstate highways, so it's not an unproven design.

Narrow alleyways in older cities do use a central drain, so I can't see why the idea stops making sense for larger streets and roads. The only drawbacks I can envision are aesthetic -- a neighbor's excessive lawn irrigation would draw a wet line across half the street -- and that the center channel would also carry leaves and wayward soccer balls into the middle.

But even still, that doesn't seem worse than the status quo: gutters attract all sorts of detritus, but it's usually hidden beneath the wheels of parked cars until something punctures a tire. And at least in water-starved California, irrigation runoff deserves to be noticed and called out so that it gets fixed. There may even be some small road safety benefit from having a V-shape channel in the center, since it would unmistakably divide opposite sides of the street.

For larger arterial roads that have trees in the center, this seems like free irrigation and water pollution control. It even works when the center traffic lanes are converted for running a tram or light rail train.

What am I missing here?

 

cross-posted from: https://sh.itjust.works/post/61250326

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.

 

A crafted MeshCore node name could compromise any Home Assistant instance running meshcore-card as soon as someone viewed a dashboard with that card.

The same XSS (cross-site scripting) pattern appears to be present in MeshCore-Home-Assistant-Panel-v2 and its HACS variant

To be abundantly clear, and the post goes into detail why, this is not a bug in MeshCore but rather in how web dashboards are not properly sanitizing untrusted input. In this case, the untrusted input is via a field that any malicious MeshCore node could send.

Well worth a read and a follow on their Mastodon.

 

A reasonable overview of the MeshCore architecture and tunable parameters.

Probably the only part I don't agree with is the idea that the companion/repeater dichotomy is an inherent part of the MeshCore architecture. I don't believe it is, although it's certainly part of the practical implementation. That is to say, if someone wants to use MeshCore purely as a private point-to-point link, then they can jettison the motions of companions and repeaters entirely. As a person to person mesh network, though, companions and repeaters are essential. The distinction I'm trying to draw is that MeshCore can be a lot more than text messages sent amongst friends.

While reading, the explainer for the three-tier t delay seemed especially analogous to me to how circuit breakers are arranged: a nearby power strip might have a fast-tripping 15 amp thermomagnetic breaker, the upstream main panel might be using a 20 amp curve B (moderate trip rate) thermomagneric breaker, and the utility might be using a magnetic 400 amp breaker. By their nature, thermomagneric breakers will handle localized faults that are 3-5x the rating, while the utility's magnetic breaker will trip precisely at 400.1 amps, to protect line-side equipment. Whereas if the utility breaker tripped first, it would unnecessarily black out a whole neighborhood.

Also observe that MeshCore's "flood-then-direct" behavior is identical to that of Ethernet (ie unknown unicast, then unicast), except that Ethernet frames do not get appended with the network path as they progress, which is akin to the postal service where letters arrive at their destination but with no indication of the routing. Accordingly, the MeshCore sender necessarily reserves space to store the mesh route, choosing a tradeoff between node-count (up to 64) or granularity (up to 3 bytes per repeater). This seems complex, but just like with the tax code, complexity is necessary to handle every reasonable scenario.

I will also reiterate the ongoing bug in MeshCore's encryption, which is the use of AES-ECB in the year 2026. Although it's AES-256, ECB has been a known encryption vulnerability for decades and should not have been used in the MeshCore spec. Meshtastic appears to have avoided this particular foible.

Note: the author's blog mentions in the About page that some AI is used to assist in his writing.

 

Background: I spent 40 minutes typing up a reply to a different post, but decided that it ran on for too long. I'll include it at the bottom, but I'm curious to know how much cash is still used in this country.

Certainly, a like-for-like Giro (Europe) system doesn't exist in the USA, with ACH, checks, and Zelle almost filling the void -- albeit incompletely -- which I suspect is responsible for the remaining cash utilization. But is that right? Is cash only used for when there isn't another option? Or is it a matter of consumer preference?

I can understand tipping in cash, or paying for a Craigslist purchase in cash. But maybe I'm missing another dimension? Do some folks pay rent in cash? Or taxes? I'm genuinely curious, but please make sure not to dox your finances in the comments.


My original comment

It's annoying when they get suspicious of a 25k USD withdrawal for instance (even if you managed to prove the purpose of such a withdrawal, it remains at the banks discretion whether they'll approve the transaction).

Let's break this down into multiple points:

  1. Suspiciousness of a 25k USD cash withdrawal
  2. Suspiciousness of a $25k USD electronic or check withdrawal
  3. Necessity to "prove the purpose" of any withdrawal
  4. Bank discretion and considerations regarding withdrawals
  5. Necessity of approval by the bank

I don't believe any of these five points are actually issues. As background, cash withdrawals within the USA are still very commonplace, as the country is fairly rather cash-centric when it comes to businesses, due in part to the lack of a system like Giro (Europe) that has both low, fixed transfer costs and can be sent or received by third-parties. The Federal Reserve's ACH system requires established relationships between accounts, whereas Giro does not. Debit card systems aren't a replacement for Giro either. Zelle (USA) is closer, but still isn't quite as full-fledged. Hence, businesses often deal in cash, pay employees in cash, and consumers pay other individuals in cash (eg buying an automobile).

To that end, for point 1, $25k as a cash withdrawal is not a daily occurrence but it does happen. I can't really think of ever paying for a private party used car by check, and such a cash-heavy transaction is often performed at the buyer's bank, so the seller is assured that the cash is good. In this setting, requesting to withdraw $25k cash is ordinary and mundane, if done very rarely. I doubt even prolific car buyers have this problem, but would be open to hearing evidence otherwise.

For point 2, electronic and check withdrawals have even less suspicion than cash, because they always leave traceable evidence. Money laundering concerns are reduced because the entire money trail can be reestablished later, whereas as cash can easily disappear or be "forgotten". To that end, the suspicion isn't about the cash amount but the source and destination. Even a $1 million check is not suspicious, if it's coming from a law firm's client account to a client's personal bank account. That is, again, a thing that happens fairly regularly. More down to earth, people can and do pay housing deposits by check, and property taxes are often drawn electronically. When one or both accounts to a transaction is prominent and established, there is a low probability of money laundering.

Point 3 is often though to be an issue, due to confusion about regulations for bank clerks on when to file a Suspicious Activity Report (SAR). Bank tellers are required to follow Federal Reserve regulations that aim to prevent abuse of the American financial system for money laundering. An SAR must be filled in whenever the teller: a) thinks money may be laundered, or b) the transaction is above the bank's or regulation's fixed amounts. The latter is often pegged at $10k, so this is where people think that it's disallowed to withdraw over $10k. This is not correct.

An SAR is something the teller fills in, and to do that, they might ask the customer some questions about the transaction. For the grand majority of people, the purpose is quite simple: cash purchase of a car, housing down payment, loan for a friend. Would the teller know if the customer is lying? Nope, not at all. But the SAR forms part of a trail of records, so that money laundering investigators can trace funds in the future. But note that the clerk can fill in an SAR for any type of transaction, including checks, and don't strictly need the customer's truthful answers (or any answers) anyway. An obligation to fill in an SAR does not prevent the transaction from going through. It's a speed bump, not a stop sign.

As for the actual stop signs, that's what point 4 covers. A bank obviously cannot allow a withdrawal if it would exceed the customer's balance, or if they don't physically have enough cash, or if the withdrawal is not authorized (ie not named on the account, or PIN not known), full stop. But other situations may arise where the withdrawal must be delayed, either for the bank's own convenience or because the account agreement specifically requires certain holdings times.

I quickly perused a random account agreement for Wells Fargo and the Available of Funds section describes that new accounts (less than 30 days old) will have elongated hold times for withdrawal against newly-deposited funds. This is applied in a first-in-first-out fashion, so only fully-draining the account would incur the longer hold time. In other cases, the bank may take more time but is required to inform you of that, and provide a definite date for when the withdrawal will clear. This verbiage does not distinguish cash vs non-cash, so they're within their rights to delay a check, as long as they obey their own agreement. If this is not tolerable, find a different bank.

Finally, this also gives us some insight into the default behavior for banks subject to Federal Reserve regulations, which is point 5. A bank may not deny a withdrawal of unencumbered, unheld funds (cash or otherwise), except when the bank has actual knowledge that the withdrawal definitely is for laundering. It is, after all, not their money: it belongs to the customer and they are just the regulated custodian of it. A bank can certainly advise a customer not to fall for a pig-butcherint scam, but they cannot block the customer from obtaining their own money back out. They can, as described earlier, apply a temporary, finite-time hold on the funds, but that's it.

To my knowledge, there is no Fed-regulated, FDIC/NCUA bank or credit union that requires pre-authorized approval to access a customer's own funds. I am open to hearing evidence to the contrary, but I don't believe such a thing exists. How would they even stay in business? To be clear from point 4, a bank can certainly ask for a few day's notice to prepare $50k in new $2 bills. But that's easy enough: just call the bank and verbally request the withdrawal, then collect it in-person days later.

Who is disadvantaged by this? Mostly money launderers and con artists trying to abscond with their scam proceeds. But I'd be remiss if I didn't also mention rich people that prefer to suddenly go on vacation and pay for everything in cash. But the system is designed to be no obstruction to those that plan ahead, or are dealing in such small amounts that it's not a big issue. Normal everyday people all share the costs of money laundering, so it's not fair to disadvantage them just so rich people and scammers aren't inconvenienced by their inability to plan ahead. They don't even have to plan ahead: just keep a few racks in the safe.

It is to me, frankly, a non-issue to withdraw money for me or anyone in the working or middle class, because the very issue of being "flagged by US banks" just rarely even a speed bump. And the rich folks have private banks that will gladly give them inordinate amounts of cash to spend.

What exactly is the problem here, specifically?

 

What can be done

The most glaring problem with MeshCore is that the maintainers do not openly communicate vulnerabilities. Users are left without knowledge of any problems, unable to judge whether to trust MeshCore with their private communication.

 

Here is the thing about open source, Andy: it isn't yours to fence. You don't get to ride a community's goodwill into a USPTO filing and a paywall. You don't get to turn "we built this together" into "I own this, pay me." That isn't a pivot. That's a rug pull dressed up as a business model.

And here is the thing about the "license check" you shipped: it is a 32-bit djb2 hash of the device's Android ID, XORed with the four ASCII bytes MCPP, hex-encoded. That's it. Thirty-two bits. Less entropy than a decent ZIP password. A first-year CS student could break it. You used Claude to generate the code. We used Claude to read the code. It took 19 minutes. The receipts are one click away.

 

CLAUDE CODE JUST RICKROLLED ME. I'm working on a project where part of it will involve videos, and in building out the project it created a dummy page, with made up content (relevant to me!) with two video links pretending to be something else and BOTH WERE RICKROLLs.

Note: I'm using a broad definition of "programmer" to include HTML generation, and a broad definition of "humor" that includes Rickrolling. Together, I think this is appropriate for c/programmerhumor. Mods, please remove if not correct.

 

The money quote:

VTA buses and light rail carried 30,000 people to and from Levi's Stadium, according to the agency. That was 5,000 more than they anticipated and "far surpassing" ridership records set when Taylor Swift played there in 2023.

 

As background from the Wikipedia page, the Anaheim Transit Network (ATN) was established as a city-sponsored non-profit in 1998 to operate bus lines around the Disneyland resort in California, with private funding from the various hotels in the area to run this public bus system. These hotels are obliged to operate or pay for shuttles to Disneyland as part of their development agreements with the city, presumably to avoid untold amounts of automobile traffic.

As the linked press release says, ATN will shutter its operations on 31 March 2026. The area will still be served by Orange County Transportation Authority (OCTA), the county-wide bus service, but looking at the bus lines near Disneyland, coverage seems non-optimal as a replacement to ATN's service.

Other reporting indicates that the City of Anaheim was unwilling to invest further into ATN (despite earlier indications), nor were the hotel operators.

What I find utterly inexplicable is that these stakeholders -- especially the city -- are not recognizing this fact: data from Q3 2025 shows that ATN fixed-buses moved 96,300 average daily riders. From the same document, the USA's heavy rail systems did not exceed that rate, except in the San Francisco, Washington DC, Atlanta, Chicago, Boston, and NY/NJ areas. Basically, ATN was moving metro rail levels of people on buses.

I shudder to imagine how bad this will be for Anaheim once the closure occurs, where workers, visitors, and all other former riders will need to figure out how to move around Anaheim. Ride share automobiles hardly have enough capacity to absorb even a fraction of the prior riders, let alone more automobiles, even if they all carpooled. And seeing as many visitors to Disneyland use the buses to stay at farther hotels to reduce costs, this is a negative attraction. The difficulty of car-seats on ride share made the buses particularly attractive to transport younger children safely.

Each individual hotel operator made an economic choice to not properly fund ATN, but together they will all lose out. Likewise, I don't see how the City of Anaheim is going to make up the transportation capacity around the Disneyland area. Disneyland itself isn't party to the agreement that funds ATN, but they do contract with ATN to shuttle visitors from a far-flung parking lot. But they too will be impacted if staff and guests can't afford to get to the park.

Everyone is going to be worse off, and no one is stepping up to the plate to keep the buses rolling, when it's clearly the obvious thing to do.

 

To make it easier for the haulers, I sort my flattened cardboard boxes by size, and then insert the smaller ones within the larger ones, rotated 90 degrees. That way, they can grab larger bundles at once.

To me, this is less effort than the Japanese approach of using twine to tie bundles of cardboard together.

 

Every so often, I think about how much electric power my house consumes at all hours, even when it's the dead of night and nothing is really being used. So this morning, I went out and flipped each breaker off, one by one slowly, while watching the instantaneous kilowatt reading on the electric meter and taking observations.

This took about 20 minutes for all circuits, and then I honed in on the suspicious circuits, the ones which don't have a known appliance like a fridge which should always be running. Years ago, when I moved into this house, I drew out a map which describes which outlets and appliances belong to which circuit.

The two suspicious circuits were the living room and bedroom circuits, and armed with a Kill-o-watt, I ended up finding that my very old Bose Companion 5 desktop speakers will draw 23 Watts doing absolutely zilch. And my 2018-era Roku TCL so-called "smart" TV draws 20 Watts when it's "off".

I've been meaning to replace the Bose speakers -- due to a separate issue where the mute button only works half the time, and horrific Linux support -- and a friend recently offered to sell me some reference speakers that I can pair with a Class D amplifier, one which has a physical on/off switch.

For the TV, I'm not exactly sure what to replace it with, since I was going to wait until it died and replace it with a commercial-spec display, one that has no remnants of "smart TV" anything. I don't allow my TV to even have a network connection or WiFi, so it really shouldn't be doing anything. So I guess in the meantime, I'll just pull the plug when I'm not watching; at least it's easy to reach.

EDIT: the TV is now showing inconsistent results. It will occasionally drop down to a more-reasonable 0.1 Watt. But it might also remain at the aforementioned 20 Watts. Not entirely sure what it's doing, whether just sitting there or staying on for a while after turning "off" the TV.

view more: next ›