This website uses third party cookies exclusively to collect analytics data. If you continue browsing or close this notice, you will accept their use. The EU now requires all sites to display this banner which confuses users and does nothing, actually, to improve your privacy.
Read more on why this law is ignorantLearn about this website's cookiesDisallow cookies
Carlos Fenollosa

Carlos Fenollosa

Engineer, developer, entrepreneur

Carlos Fenollosa — Blog

Thoughts on science and tips for researchers who use computers

Link roundup for 2019-09-15

September 15, 2019 — Carlos Fenollosa

Twitter CEO gets his Twitter account hacked

Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too. (5 min, via)

Here's how it works:

Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.

Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone. Most major online services are willing to send those messages to help users who have lost their passwords.

But the temporary code is sent to the hackers.

2FA over SMS is not the best, but not the worst. The problem is that Twitter's implementation was bad, as it allowed you to reset anybody's password with —this is key— only their phone number.

HN user zaroth explains it well:

Twitter uses SMS as a single factor, because you can reset the password with only access to the text message. If Twitter was using SMS only as a 2nd factor, this attack would not have worked without also knowing Jack’s password or having access to his email. Twitter’s password reset function could require an SMS code and then send a password reset email to complete the process.

While user fulafel summarizes it in a tweet-like sentence:

It's really ½FA, worse than 1FA authentication because it's sufficient to clear any 1 of the 2 factors.

Favorite old books?

Ask HN: What are your favorite books or essays written at least 100 years ago? (10 min - RH) user marceee0901 asks an interesting question, and the replies are very interesting, too.

Some non-tech books surface to the top, like:

  • The Count of Monte Cristo
  • Meditations
  • The Prince
  • Anna Karenina

And user cbailes suggests a site I wasn't aware of: The Hacker Classics, a list of HN links with a date on the title, e.g. (1928), sorted by this date.

Facebook fighting deepfakes

In Creating a data set and a challenge for deepfakes (2 min, via), Facebook announces that they are committing $10M to create a dataset of True Positive deepfakes so researchers can develop tools to detect them.

Thanks, Facebook.

Firefox sending DNS queries to Cloudflare

What's next in making Encrypted DNS-over-HTTPS the Default (2 min, via) Mozilla explains why they will send all your DNS queries to Cloudflare.

I do not like this on the slightest bit. The current DNS system is good as it is now; you can choose to trust your ISP, typically the default choice, or use a third party system like Google's

However, the browser should definitely NOT run their own DNS subsystem and bypass the OS or network default.

Neither should us collectively, as a matter of principle, give too much power over the internet infrastructure to a single company. We already made this mistake with Google (search and mail) and Facebook (personal data) and, well, I rest my case.

And, though not related to my point, let's not forget that Cloudflare apocalyptically screwed up in 2017 by unknowingly leaking HTTPS traffic in plain text

Overall, a bad idea, Mozilla, and you should step back on this.

The Senior Engineer's Checklist

A Senior Engineer's CheckList (5 min, via) is a good compilation of both technical and human tasks that a senior engineer should be aware of.

Really good read, check the author's comments at the via link.

Sunsetting Python 2

Sunsetting Python 2 (2 min) explains why Python 2 needs to die. And it does so in an excellent and thoughtful way, providing real answers to real questions that Python 2 users may have, both experts and novices.

I especially like the last two FAQ points:

I didn't hear anything about this till just now. Where did you announce it?


How can I make sure announcements like this don't surprise me again?

Finally, I found it brilliant how they emphasize that this decision will benefit the whole community by optimizing volunteers' time. The word volunteer appears all over the FAQ, which I think is a great way to avoid pointless discussions: volunteers don't owe you anything, please use Python 3 now.

A civ1 clone in Excel

I'm creating a Civ1 clone - in Excel (RH, via)

Super impressive and really cool!

A full featured toy OS that runs Doom

Soso, a simple unix-like operating system (1 min, via) is a nice toy OS with a lot of features:

Soso is a 32-bit x86 operating system and its features are

  • Multitasking with processes and threads
  • Memory Paging with 4MB pages
  • Kernelspace (runs in ring0) and userspace (runs in ring3) are separated
  • Virtual File System
  • FAT32 filesystem using FatFs
  • System calls
  • Libc (Newlib is ported with only basic calls like open, read,..)
  • Userspace programs as ELF files
  • mmap support
  • Framebuffer graphics (userspace can access with mmap)
  • Shared memory

Soso has Libc, so existing applications depending only on a small part of Libc can easly be ported to Soso. I have managed to build and run Lua and Doom on Soso!

You can download an ISO and run it with qemu, go ahead and try it!

Tags: roundup

Comments? Tweet  

La predicción del tiempo en tu calendario

September 11, 2019 — Carlos Fenollosa

(Even though I write my blog in English, this post is in Spanish for obvious reasons. Click here to translate it with Google)

Si te pasas el día mirando el calendario, agendando reuniones y eventos, y echas en falta tener a mano el tiempo que va a hacer, he creado una utilidad que te puere resultar muy interesante.

Se trata de mostrarte la predicción del tiempo en tu municipio en el mismo calendario

Es muy sencillo: escribe el nombre de tu municipio y pulsa el botón. No hay que registrarse, ni dar tus datos, ni pagar nada. Es una herramienta simple y anónima.

Es compatible con todos los teléfonos y ordenadores ya que usa tecnologías estándar. Tu dispositivo se encargará de ir actualizando las predicciones de manera regular.

Creé esta utilidad para mi uso personal al descubrir que no existía nada similar, y tras usarla unas semanas pensé que podía ser útil dar acceso a los demás.

Los datos están sacados de AEMET por lo que sólo funciona en el territorio español.

Tienes el enlace aquí: el tiempo en tu calendario

Tags: software, projects, spanish

Comments? Tweet  

The iPhone 11 & co.

September 10, 2019 — Carlos Fenollosa

This year's phone keynote has delivered, according to Apple, all-new products from the top down

Quite boring hardware unfortunately, as was expected.

  • Better cameras, though for use cases I'm not sure are very useful
  • Better battery life thanks to the A13 chip
  • Marginally better screen on the Pro phone
  • Always-on screen on the Watch, which is nice
  • Simple update on the entry-level iPad

The landing page for each phone is 60% camera features and 40% other features. Not saying that is wrong, on the contrary, the marketing team is doing their job as in my experience most people use their phones as an Instagram device.

Where I think Apple nailed it is with the Watch. They are really, really good at the health and fitness message, and the product itself is fantastic.

However, I will criticise them for two things.

First, the fact that they are not even advertising the full price for the phone, but rather an installment plan first, then a discounted price with the trade of an old phone, and only when you say "no" to these options you get the actual price. Let me reiterate that. When you visit Apple.com the price you see for the phones is not the actual retail price.

They are aware that their hardware is not attractive at those price points, but at the same time they can't lower them because of positioning. Well; to be precise, the iPhone 11 is actually sliiightly cheaper than last year's but, in my opinion, not attractive enough to upgrade. And let's not even mention EU prices. On top of the 21% sales tax —nothing to do there— we are eating up a 1:1 USD:EUR ratio which is bullshit.

Second, Apple is advertising a "Pro" phone that can shoot incredible 4K movies, but stuffing it with only 64 GB of storage. The consumer experience is terrible when you are out of disk space.

My phone memory is full and every time I take a picture it is immediately uploaded to iCloud and deleted from the phone. If I want to show it to somebody later the same day, I have to wait for it to load from the network. My UX is that I have no pictures or videos stored locally, not even for pictures I took 15 minutes ago. That is definitely not a feature you want on a super advanced camera-phone.

The phone market is too mature

Regarding innovation, what can Apple really do? I honestly do not have an answer. The majority of the population is not renewing their phones on a yearly cycle, not even a two year cycle. I have an SE only because my 5S broke. I loved my 5S and there is no feature in current phones that would make me upgrade.

I commute every day and see what "normal people" (excuse me) do on their phones. It is 40% scrolling through Instagram, 30% Whatsapp, 20% watching shows, 5% taking pictures, 5% playing games.

If you want to read the best take on the keynote, read Ben Thompson's The iPhone and Apple’s Services Strategy.

The phone market and phone technology have crossed the chasm long ago and they're on diminishing returns. I stick by my reaction of last year's keynote:

  • Apple should seriously consider 2-year iPhone cycles.
  • People who want smaller phones, regardless of price, may move to Android, myself included, so an updated iPhone SE is strategic for Apple.
  • Hardware improvements are going to be mostly incremental from now on. Therefore...
  • Apple should focus on software, which they are doing very well, and keep coming up with really crazy innovative hardware, which they appeared to be doing but rumors say they scraped at the last minute like the U1 chip.

Apple is a company full of smart people that can reinvent boring products like beige PCs, Nokia phones, and even headphones and watches. I am hopeful for the next wave of hardware, whatever it is. AR glasses? Car stuff? TVs? We will see.

Personally, I am indifferent at this keynote. Since my main need is a laptop, I'm still waiting for the new wave of macbooks to renew my 2013 MBA. I simply refuse to buy any laptop from Apple's current lineup. The rumors are very promising, so let's check what they can come up with!

Tags: apple

Comments? Tweet  

If Harari's Sapiens was a blog post

September 09, 2019 — Carlos Fenollosa

If Sapiens were a blog post (30 min, via) is, in words of the author:

I spent over 25 hours building a cut-down version of Sapiens. The goal? Future-me should be happy to read this once future-me forgets how we evolved. It's massive for a blog post, just under 30 minutes, but that's the best I could do, condensing 9 hours worth of material.

The book is fantastic, a must-read, despite its flaws and objections. The blogpost has one big problem, despite the meritable effort: it summarizes the whats but not the whys.

I've skimmed through it, trying to find if it talks about what, for me, was the biggest realization of Sapiens: why humans transitioned from hunter-gatherer tribes into agricultural civilizations.

Hunterer-gatherer foraging was enough to feed a small tribe; a group of 30 people can be fed with a deer and some apples. A town of 200 people needs something more, so agriculture was developed. This new technology allowed for bigger human concentrations in a small area.

But why would humans want to live in larger groups, if it brought a lower quality of life? Famines, infections, fights, enslaving work, extreme class differences?

Harari argues that this was due to the appearance of religion.

Religion demanded that people (well, it was self-imposed, but bear with me) overcame bigger and bigger projects, like temples, sacrifices, wars, and other, which require a minimum amount of people to succeed. 30 people cannot build a temple, but 200 people can.

Therefore, it was due to religion that civilization as we know it developed. Religion needs large groups of people to work, and that is why we transitioned from hunting to agricultural societies. Maybe it was the other way around? With agriculture came religion? Again, the direction of this implication is what Harari defends, and I don't know enough to argue otherwise.

The blogpost devotes one chapter to talk about religion but doesn't mention that concept. Since it is one of the main points of the book, I'm not sure to which degree this summary looks over other core conclusions. This is a bit disappointing, but maybe it was not the author's intent to begin with.

For me, the magic of Sapiens is that it's not just a Wikipedia-like compendium of timelines and events, but rather provides some theories as to why things happened.

In any case, if this blogpost encourages you to read Sapiens, it will be time well spent.

Tags: books

Comments? Tweet  

Link roundup for 2019-09-08

September 08, 2019 — Carlos Fenollosa

Welcome to this week's roundup. From now on I'll be including an estimated read time for each link, so you have a general idea of what to expect.

You will start seeing the term Rabbit Hole, or RH for short, to indicate those links that can lead to hours and hours of new and interesting discoveries.

More on the iOS implant

In A message about iOS security (2 min, via), Apple responds to the terrifying implant that was reported last week.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community.


Google's post, issued six months after iOS patches were released [...] We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it

A bit of damage control and down-toning Google's report, however, I still stand by my take on it.

Apple Music official web app

Apple Music launches on the web (via)


Apple is serious about competing with Spotify, which is good. However, I couldn't make it work on Linux (Chrome and Firefox). Let's see if they support these configurations soon.

Librem 5 phone shipping

Librem 5 Shipping Announcement (1 min, via)

The Librem 5 is here. I'm very curious as to how the phone is going to turn out and surely will have an eye opened for the first reviews.

Google keeps selling their user data

Brave uncovers Google's GDPR workaround (10 min, via)

Google claims to prevent the many companies that use its real-time bidding ad (RTB) system, who receive
sensitive data about website visitors, from combining their profiles about those visitors. It also announced that it had stopped sharing pseudonymous identifiers that could help these companies more easily identify an individual, apparently in response to the advent of the GDPR.

But in fact, Brave's new evidence reveals that Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

Don't use Google.

How does BitTorrent work?

How Does BitTorrent Work? a Plain English Guide (15 min) is a long and comprehensive explanation of the BitTorrent protocol, written in a language that most engineers will understand. There are many emojis and beautiful illustrations, but this is definitely not something you can send your mom.

How Netflix uses Python

Python at Netflix (5 min, via) details a series of Python tools and how they are used at Netflix.

Some may be interesting for you, some may be not. Skim the text and focus on whatever catches your eye!

How Tetris decides which piece comes next

The history of Tetris randomizers (1 min, via) is a short and interesting read on how Tetris chooses the next piece, with pros and cons of each approach which affect released games, like the NES version.

If you want to enter the Tetris Nirvana, check out Tetris.wiki (RH, via)

A historical tour of software and websites

The Version Museum (RH) "showcases the visual history of popular websites, operating systems, applications, and games that have shaped our lives."

If you like this website, you can't miss the GUIdebook Gallery and the GUI Gallery, both of them are excellent, and especially the latter contains literal screen shots of very old, obscure systems.

UNIX PC screen shot

More on deepfakes

The Verge reports that Another convincing deepfake app goes viral prompting immediate privacy backlash (1 min), and TheNextWeb informs that Fraudsters deepfake CEO’s voice to trick manager into transferring $243,000 (1 min)

We all knew this day would arrive, and now it's here—it's been here for a couple years now, really.

changing actors faces in Game of Thrones

In the 90s, Photoshop became a verb that stands for changing a picture in such a way that the end result is fake but believable. Technology now allows us to do the same with video and audio.

This is a very interesting social challenge. Not being able to trust any picture/video/audio will for sure change concepts like proof and deniability which are core for law and society.

Cool CSV utils for the command line

eBay has a Github repo (1 min read, more to try the code, via) with sort of a "framework" to handle csv/tsv files from the command line.

User JimmyRuska also contributed with more tools and other users have linked to their favorite scripts in the comments. I highly recommend you check out the discussion if you work with csv files regularly. Being able to transform data quickly on the terminal is a true superpower.

Of course, you can convert any csv file into a SQL database using sqlite's .mode csv, which I recommend even more for huge datasets that don't fit in memory.

Read time: 1 minute to check it out, more if you actually run the code

Learning how to read

User vilvadot asks HN how do others read a book (5 min to RH)

The answers are very interesting, and user guidoism recommends How to Read a Book: The Classic Guide to Intelligent Reading (Wikipedia link), and user Scarbutt links to a University of Michigan's 11-page document How to Read a Book, v5.0

Check it out if you want to improve your reading techniques

Tags: roundup

Comments? Tweet