Carlos Fenollosa — Blog

Thoughts on science and tips for researchers who use computers

Links for 2019-12-01

December 01, 2019 — Carlos Fenollosa

Ocarina of Time glitches and code execution

Arbitrary Code Execution in Ocarina of Time (30 min, video via)

I find these kinds of glitches fascinating. See for yourself!

Online tools for pet projects

Software Tools for Hobby-Scale Projects (RH, via)

Below is a list of useful tools I’ve come in contact with over the years.

  • They cost less than a coffee or are free.
  • They can be learned quickly.
  • They allow you to accomplish a single task in a short timeframe (such as a Sunday afternoon)
  • They are less focused on the needs of long term projects (scalability, speed, etc.) and more focused on ease of use and prototyping speed.

Rick Carlino has compiled a very nice list of online tools, such as mobile push notifications, VPS and DB hosting.

I have to admit that many of these were new for me, so it's definitely not a rehash of the usual links. Great list!

BBS: The documentary

BBS The Documentary (5 hours split in 8 videos)

In the Summer of 2001, Jason Scott, a computer historian (and proprietor of the textfiles.com history site) wondered if anyone had made a film about these BBSes. They hadn't, so he decided he would.

Fascinating. I've just put the videos in my watch queue.

Trying out NomadBSD

NomadBSD | Installation & First Impressions (20 min, video via)

For some reason, this is the first time I've heard about NomadBSD. It's a "portable" version of FreeBSD, to be run from a USB drive.

Anybody remember Knoppix? It was the first popular Linux distro that could be run from a CD. It contributed to hardware discovery on boot, and thanks in part to their efforts, Linux hardware setup took a huge leap forward.

I hope that NomadBSD can do the same for FreeBSD, which already has great (if more limited) hardware support, but whose defaults are not so great.

Darwin OS

A Look at PureDarwin - an OS based on the open source core of macOS (5 min, via) provides some background, history and status of the PureDarwin project, a 100% free software OS built on top of the Darwin (macOS) kernel.

[Image: PureDarwin Xmas, showing the applications xcalc, xclock, xterm and xfontsel running in the Window Maker desktop window manager]

Metadata leak with SSH keys

Public SSH keys can leak your private infrastructure (5 min, via)

You don't need a private key to validate if a server allows access from a particular public/private key combination. That is, by having access to a public key, you can check if a server allows access for the specified public key and username pair.

This is a known issue. Filippo Valsorda posted a related proof of concept in 2015.

My SSH server knows who you are (5 min, 2015, via)

Did you know that ssh sends all your public keys to any server it tries to authenticate to?

If this metadata disclosure is a problem for you, the solution is very simple.

  • Configure your ssh to NOT send any pubkey to unknown hosts
  • Create a new ssh keypair for every new host you want to connect to (see link above)

Instructions here, courtesy of HN user chrisfosterelli.
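As an added example (not code from either linked post or from HN), here is a small Python auditor that reads an OpenSSH client config and reports, per host alias, whether `ssh` would offer more than one dedicated key to that server. It assumes OpenSSH's documented config semantics: the first obtained value of an option wins, `Host *` matches everything, `IdentityFile` directives accumulate, and `IdentitiesOnly yes` limits the offered keys to the listed files instead of also trying every key in the agent. `Match` blocks are treated as never matching, and the sample config is constructed for the demonstration.

```python
"""Audit an OpenSSH client config for hosts that get offered every loaded key.

Added example, not from the linked posts.  Assumes OpenSSH's documented config
semantics (first obtained value wins, `Host *` matches all, IdentityFile
accumulates, `IdentitiesOnly yes` restricts offers to the listed files).
`Match` blocks are not evaluated (treated as never matching).
"""
import fnmatch

# Constructed sample ~/.ssh/config for this example
SAMPLE_CONFIG = """\
# dedicated key for the git server
Host git.example.com
    IdentityFile ~/.ssh/id_ed25519_git_example
    IdentitiesOnly yes

# no IdentitiesOnly here: every agent key is offered
Host bastion
    HostName bastion.example.net
    User ops

Host *
    IdentitiesOnly no
"""


def parse_ssh_config(text):
    """Return a list of (patterns, options) blocks in file order.
    options maps lowercase keyword -> value; identityfile -> list of values."""
    blocks = [(["*"], {})]          # directives before the first Host line are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                # OpenSSH only supports full-line comments
        if " " in line or "\t" in line:
            key, value = line.split(None, 1)
        else:
            key, _, value = line.partition("=")
        key = key.lower()
        value = value.strip()
        if value.startswith("="):   # "Keyword = value" form
            value = value[1:].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {})) # never matched by this simple auditor
        elif key == "identityfile":
            blocks[-1][1].setdefault("identityfile", []).append(value)
        else:
            blocks[-1][1].setdefault(key, value)   # first value in a block wins
    return blocks


def block_matches(patterns, host):
    """Host-line matching with fnmatch wildcards and '!' negation."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(blocks, host):
    """Options ssh would use for `ssh host`: first obtained value wins."""
    eff = {}
    for patterns, opts in blocks:
        if not block_matches(patterns, host):
            continue
        for key, value in opts.items():
            if key == "identityfile":
                eff.setdefault("identityfile", []).extend(value)
            else:
                eff.setdefault(key, value)
    return eff


def audit_host(blocks, host):
    """Return (leaks, reason).  leaks is True when ssh would offer keys beyond
    a dedicated per-host one, so the server can probe which public keys you hold."""
    eff = effective_options(blocks, host)
    only = eff.get("identitiesonly", "no").lower() == "yes"
    files = eff.get("identityfile", [])
    if not only:
        return True, "IdentitiesOnly not set: every agent key and default key file is offered"
    if not files:
        return True, "IdentitiesOnly yes but no IdentityFile: the default key files are still offered"
    return False, "only offers " + ", ".join(files)


def audit(config_text, hosts):
    blocks = parse_ssh_config(config_text)
    return {h: audit_host(blocks, h) for h in hosts}


if __name__ == "__main__":
    for host, (leaks, why) in audit(SAMPLE_CONFIG, ["git.example.com", "bastion", "new-server"]).items():
        print(f"{host:16} {'LEAKS' if leaks else 'ok   '} {why}")
```

Run it against your own file with `audit(open(os.path.expanduser("~/.ssh/config")).read(), [...])`, passing the aliases you actually type after `ssh`. A host reported as LEAKS is one where any server you connect to, including an unknown one, can enumerate the public keys you hold; the fix in each case is the per-host `IdentityFile` plus `IdentitiesOnly yes` shown for `git.example.com`.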

Advent of Code 2019

Advent of Code 2019 (RH, via)

Advent of Code is a code advent calendar. Each day unlocks a new programming challenge. You score points by completing the challenges quickly.

A few years ago I solved some of their challenges and they're really fun.

Be careful! As lobste.rs user narimiran says:

Don't be fooled: You will not just solve tasks and be over with it. There will be tasks that you'll think about all day and you won't be able to think about anything else. And you'll love it :)

Yup. The RH tag is warranted here.

Writing a simple window manager

Challenge: Write a bouncy window manager (RH, via)

Julia Evans plays with tinywm and her enthusiasm is contagious.

Though I use the admittedly weird dwm as my WM, and I've hacked some of its code, I've never considered writing my own WM, or even realized how easy it is.

Give it a try: tinywm is just 50 lines of very readable C.

[Image: a terminal window bouncing around the screen]

On messaging services

Choosing the Right Messenger (10 min, via) is not a list of messenger services, but rather a thoughtful discussion on privacy tradeoffs: encryption, metadata, sign up process, source code availability, etc.

I highly recommend that you read the article if you're interested in learning more context on why some messengers are more secure/private than others.

The end of IPv4

The RIPE NCC has run out of IPv4 Addresses (1 min)

Our announcement will not come as a surprise for network operators - IPv4 run-out has long been anticipated and planned for by the RIPE community.

Let's see if we can quickly move to an IPv6 world -- my mail server will surely benefit from an untainted IP.

The Twitter Purge

Twitter prepares for huge cull of inactive users (1 min) and Twitter account deletions on 'pause' after outcry (1 min)

Twitter is (was) planning to remove inactive accounts. Even though it would free their handles for new users, apparently the main reason is that those users didn't accept the new terms of service.

There are many interesting angles, but for once, I have to stay on Twitter's side.

However, they should have provided an option to archive these old accounts; after all, users accepted that their content was to be owned and distributed by Twitter. Even if they can't log in, or their account is deleted, Twitter could have stored the content somewhere visible.

Tags: roundup


Links for 2019-11-24

November 24, 2019 — Carlos Fenollosa

Some SSD encryption is not secure

How secure is hardware disk encryption? (1 min, Twitter thread)

Dan Luu links to a paper by C. Meijer et al., titled Self-encrypting deception: weaknesses in the encryption of solid state drives.

In a nutshell:

We have analyzed the hardware full-disk encryption of several solid state drives (SSDs) by reverse engineering their firmware.

We found that many models using hardware encryption have critical security weaknesses due to specification, design, and implementation issues [that] allow for complete recovery of the data without knowledge of any secret (such as the password).

To make matters worse:

BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised.

TL;DR:

Roughly 60% of the market [is affected]; currently one should not rely solely on hardware encryption offered by SSDs and users should take additional measures to protect their data.

This is really, really bad.

Download old Linux distros

Linux Distros (RH) is an archive of old Linux ISOs that you can install on a virtual machine or similar.

Every entry has screenshots, making it a very nice resource to browse even if you don't commit to testing the distros.

Designing a modern text editor

Neovim and the state of text editor art in 2019 (15 min, pdf, via)

I never thought that a text editor could be such a complex and inspiring software product!

There is a video of the talk (50 min) in case you want more context than the bare slides.

GIF like it's 1999

The 88x31 GIF Collection (RH, via)

A collection of 2680 classic 88x31 buttons from the 1990's, 2000's, and today in GIF format.

[Images: Geocities GIF; "Designed with Macintosh"; "Porn" button; "Best viewed with any browser"]

Windows 95 UI

Designing Windows 95's User Interface (15 min, via)

Three years ago I came across an interesting paper written up by a Microsoft employee, Kent Sullivan, on the process and findings of designing the new user interface for Windows 95.

The website archives Sullivan's paper The Windows 95 User Interface: A Case Study in Usability Engineering, a very interesting text on early GUI usability, along with screenshots comparing the Windows 3.1 and 95 interfaces which will put a smile on your face.

[Image: Windows 95 UI prototype]

OpenBSD review

OpenBSD in 2019 (10 min, via)

I've written similar texts about OpenBSD twice, and I like reading other people's opinions.

There is a pattern here: somebody is angry with some Linux drama, tries OpenBSD, likes it, but for some reason can't use it as a daily driver.

Check it out if you are still unsure about its strengths and weaknesses compared to Linux and/or other BSDs.

There is a very good Reddit discussion about this post.

A p2p web browser

Beaker (2 min, via) is an experimental web browser which supports dat://, a modern p2p protocol.

I really like these experiments. I'm not sure if it will take off, but re-decentralizing the web is a great cause.

ASCII art game

ASCIIDENT (RH, via) is an "Open-world sci-fi game with a design completely made by text characters."

After trying the demo, I'd define it as a platform game like Duke Nukem, with a crafting element, and the ASCII novelty which makes it quite nice.

[Image: ASCIIDENT screenshot]

I have to admit I'm tempted to buy the game. To my wishlist it goes...

Save .org

Save .ORG (2 min) is a plea to stop the sale of control over .org domains to an equity firm.

Worth a read, check out the original signers. Wikimedia, the FSF, the EFF, the Internet Archive... this is not your typical bullshit change.org petition.

Check out the HN discussion with some alleged ex-ICANN members.

AI is not Terminators

AI today and tomorrow is mostly about curve fitting, not intelligence (5 min, via)

Some people criticize AI because we don't have terminators yet.

On the other hand, there is a lot of AI snake oil.

The truth is: people in the field understand that we are harnessing the power of advanced curve fitting, not Hard AI.

It's our job to make journalists and the general public understand it, too.

Pornhub as a bastion of freedom

Banned from Youtube, Chinese propagandists are using Pornhub to publish anti-Hong Kong videos (1 min)

We truly live in the Craziest Timeline.

RSS bridge

RSS bridge (2 min, via) is a connector that generates RSS feeds for sites that don't have one (e.g. Instagram, Twitter, Bandcamp...).

Last week I linked to Fraidycat, a similar concept.

I definitely need to set some time aside and check out both tools. I'd love a way to transform my friends' posts into an RSS feed.

Altair BASIC source code available

Micro-Soft Altair BASIC 3.2 source (RH, via)

After clicking on the link above, since this is the last one in the roundup, now go watch Pirates of Silicon Valley.

Enjoy!

Tags: roundup


Links for 2019-11-17

November 17, 2019 — Carlos Fenollosa

PeerTube 2.0 released

PeerTube has worked twice as hard to free your videos from YouTube! (5 min, via)

PeerTube is a decentralized alternative to Youtube. Essentially, you can have your own Youtube-like website, with the added bonus that video traffic is distributed among viewers using p2p techniques.

PeerTube is to YouTube what Mastodon is to Twitter, but with an interesting benefit: you don't need to have your friends using it to enjoy the tool. If a cool video is on PeerTube, you can just go and watch it.

Gaming on OpenBSD

OpenBSD gaming Peertube (RH, via) combines two interesting concepts: Peertube, already mentioned above, and OpenBSD gaming, which seems like an oxymoron.

The OpenBSD gaming community is bigger and more vocal than you'd expect, and they have started to do livestreams with their favorite games, some of which you'd never expect.

Solène is one of the most active members; make sure to follow her on Mastodon.

Using AI to scam $250k

Scammers deepfake CEO's voice to talk underling into $243,000 transfer (5 min, via) and its related AI Clones Your Voice After Listening for 5 Seconds (RH, via)

We're moving into a very cyberpunk future where you can only trust what you perceive with your own five senses.

Carmack working on AI

Carmack's statement (1 min)

Starting this week, I'm moving to a "Consulting CTO" position with Oculus. [...] As for what I am going to be doing with the rest of my time: [...] I have sometimes wondered how I would fare with a problem where the solution really isn't in sight. I decided that I should give it a try before I get too old. I'm going to work on artificial general intelligence (AGI).

Let's see what one of the top minds alive can do to help advance AI.

No police in Mastodon

The account of the Assam Police has been suspended from this instance (5 min, Mastodon thread)

An interesting discussion about banning cops in Mastodon instances. This is a gray topic with no easy solution, so I'll share some replies from users:

cm_kropot (OP):

The account of the Assam Police has been suspended from this instance.

We decided that we will not welcome cops on this instance, and we encourage the rest of the fediverse to do the same.

Following multiple reports, we decided that it's more important that our community feels safe and in security, than to be a platform for official communication.

Charles mentions pros and cons:

I can't speak for the mods, but I suspect the issue is more that they don't want the presence of police to have a chilling effect on speech. Police are very often at the sharp end of structural violence in any country.

However, cancelling police accounts may create a false sense of security. The police can still read your posts. They can still subpoena your mods. However, at least they're prevented from stirring up trouble.

Alex shares his experiences:

my experience from moderating a forum globally with popular ravers in the 90s/00s is discouraging overt cops works in the short term but (unsurprisingly) they switch to detective methods to glean info, often co-operating with journalists and agencies (often across borders), and it was still up to "normal" users not to blatantly incriminate themselves.

OTOH US corporate socnets welcome cops as "free moderators" so officers get a sense of entitlement to these spaces.

Ravi argues from the other side of the spectrum:

Banning their official account from an open network is not going to solve any of those problems in the least. They can carry on their more nefarious activities under cover if required anyway. This ban only serves to illustrate a knee jerk reaction, goes against fediverse practice where somebody is banned only for CoC violation and not on a feel or whim, goes against free speech and is opaque without any upfront policies on this. This is worse than banana republic.

Protonmail can read your emails

Bitcoin and Protonmail, the calling cards of the cryptoshit techbro (5 min, Mastodon thread)

Drew, who you may know as the creator of sourcehut, argues against the use of Bitcoin and Protonmail.

The thread goes back and forth with many people, myself included, asking why Protonmail is not as secure as they claim.

After all, the explanation is simple. The only way to send e2e encrypted mail is to use a technology which is similar to PGP.

Drew explains:

  1. I write a plaintext email to you@protonmail.com
  2. My mail server connects to mail.protonmail.ch and writes the plaintext email to it
  3. mail.protonmail.ch now has the plaintext email

Q.E.D.

I feel kind of cheated by Protonmail, because they are claiming something which is just impossible to do technically.

A more truthful claim would be: after receiving your unencrypted mail, we promise to delete it and only keep an encrypted copy. But they do have access to a plaintext copy at some point. The only exception, it seems, is for mail sent between Protonmail accounts.
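To make Drew's three steps concrete, here is an added Python example (not from the thread, and not Protonmail's code) that plays the role of the receiving mail server in step 3: it parses a raw message exactly as it arrives over SMTP and reports whether the body is readable or whether only PGP ciphertext arrived, either as an RFC 3156 `multipart/encrypted` message or as an inline armored block in a `text/plain` body. Both sample messages are constructed; the "ciphertext" is a placeholder string, not real PGP output.

```python
"""What the receiving MTA can read from an inbound message.

Added example, not from the linked thread.  Uses only the standard library's
email parser.  A message is treated as end-to-end encrypted only when the
sender encrypted it before handing it to SMTP (RFC 3156 multipart/encrypted
with protocol application/pgp-encrypted, or an inline PGP armored body).
"""
from email import policy
from email.parser import BytesParser

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: a normal mail as most clients send it (step 1 of the thread)
PLAIN_MAIL = (
    b"From: alice@example.org\r\n"
    b"To: you@protonmail.com\r\n"
    b"Subject: lunch\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Meet me at noon.\r\n"
)

# Constructed sample: the same mail encrypted by the sender with PGP/MIME.
# The armored block is a placeholder, not real ciphertext.
PGP_MAIL = (
    b"From: alice@example.org\r\n"
    b"To: you@protonmail.com\r\n"
    b"Subject: lunch\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-encrypted\r\n"
    b"\r\n"
    b"Version: 1\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n"
    b"PLACEHOLDER-CIPHERTEXT-CONSTRUCTED-FOR-THIS-EXAMPLE\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)


def classify_inbound(raw):
    """Return ('pgp-encrypted', None) when the server sees only ciphertext,
    ('plaintext', body) when it can read the body, or ('no-text-body', None)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return ("pgp-encrypted", None)          # RFC 3156 PGP/MIME: body is opaque
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return ("no-text-body", None)
    text = body.get_content()
    if text.lstrip().startswith(PGP_ARMOR):
        return ("pgp-encrypted", None)          # inline PGP: also opaque
    return ("plaintext", text.strip())          # step 3: the MTA holds the plaintext


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_MAIL), ("pgp/mime", PGP_MAIL)):
        kind, body = classify_inbound(raw)
        print(f"{name:9} -> {kind}" + (f": {body!r}" if body else ""))
```

The point of the split is that nothing the receiving side does after `classify_inbound` returns `plaintext` can undo step 3; encryption at rest on the provider's side only limits how long the plaintext copy lives, as the post says.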

If you want security, disable hyper-threading

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer (2 min, via)

Here is a summary:

MDS is where one program can read another program's data. That's a bad thing when you are running in a shared environment such as cloud computing, even between browser tabs [...] I see a slowdown of about 20 per cent. That's real. As kernel developers we fight for a 1 per cent, 2 per cent speed increase. Put these security things in, and we go back like a year in performance. [...] We are still fixing Spectre 1.0 issues [almost] two years later. [...] If you're not using a supported distro, or a stable long-term kernel, you have an insecure system. It's that simple. All those embedded devices out there, that are not updated, totally easy to break [...]

Go ahead and read the full article; it's not much longer, and it paints a pretty depressing picture for current Intel users.

(If you prefer to run a faster system with no security, read this)
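The quote above describes the tradeoff; as an added example (not from the article), here is a Python check a Linux admin can run to see where a host actually stands. It reads the two sysfs files the kernel exposes for this, `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control`, and turns them into a verdict; when run on a machine without those files (or outside Linux) it falls back to constructed sample values so the logic can still be exercised.

```python
"""Is this Linux host exposed to MDS through SMT (hyper-threading)?

Added example, not from the linked article.  Reads the kernel's sysfs status
files; the fallback strings below are constructed samples in the same format.
"""
from pathlib import Path

MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")
SMT_FILE = Path("/sys/devices/system/cpu/smt/control")


def assess_mds(mds_status, smt_control):
    """mds_status: contents of the mds sysfs file, e.g.
    'Mitigation: Clear CPU buffers; SMT vulnerable' or 'Not affected'.
    smt_control: 'on', 'off', 'forceoff', 'notsupported' or 'notimplemented'.
    Returns a dict with the parsed state and a one-line recommendation."""
    mds_status = mds_status.strip()
    smt_control = smt_control.strip()
    result = {
        "affected": mds_status != "Not affected",
        "mitigated": mds_status.startswith("Mitigation:"),
        "smt_on": smt_control == "on",
    }
    if not result["affected"]:
        result["advice"] = "CPU not affected by MDS; nothing to do"
    elif not result["mitigated"]:
        # 'Vulnerable: ...' means no microcode or an old kernel
        result["advice"] = "kernel reports MDS unmitigated: update kernel and CPU microcode"
    elif result["smt_on"] or "SMT vulnerable" in mds_status:
        # buffers are cleared on context switch, but a sibling thread on the
        # same core can still observe them while both run
        result["advice"] = ("mitigated but SMT enabled: disable SMT (write 'off' to "
                            "smt/control or boot with mds=full,nosmt)")
    else:
        result["advice"] = "MDS mitigated and SMT disabled"
    return result


def read_or_default(path, default):
    """Read a sysfs file, or return the constructed sample when it is absent."""
    try:
        return path.read_text()
    except OSError:
        return default


if __name__ == "__main__":
    # Constructed sample values, used only when the sysfs files are missing
    status = read_or_default(MDS_FILE, "Mitigation: Clear CPU buffers; SMT vulnerable\n")
    smt = read_or_default(SMT_FILE, "on\n")
    verdict = assess_mds(status, smt)
    print(f"mds: {status.strip()!r}, smt: {smt.strip()!r}")
    print(verdict["advice"])
```

The same directory holds one file per speculative-execution issue the kernel knows about, so the parsing pattern extends to the others; the "SMT vulnerable" tail is the kernel's own way of saying that the 20 per cent slowdown Kroah-Hartman mentions buys you less than you think until hyper-threading is off.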

The SQL detective

sql-murder-mystery (RH, via) is a game where you have to solve a crime by writing SQL queries.

Fun, but this is not a five minute game. Prepare a whole afternoon if you want to solve it.

An aggregated "home feed"

Fraidycat (2 min, via)

is a browser extension for Firefox or Chrome that can be used to follow folks on a variety of platforms. But rather than showing you a traditional 'inbox' or 'feed' view of all the incoming posts, you are shown an overview of who is active and a brief summary of their activity.

and

Fraidycat attempts to dissolve the barriers between networks - each with their own seeming 'network effects' - and forms a personal network for you, a personal surveillance network, if you will, of the people you want to monitor.

I need to check this out in more depth. I would love to have something similar to this on my server, so I can access it from anywhere.

I want to follow people, not networks

[Image: Fraidycat feed]

You should have seen this

Greg Rutter's definitive list of the 99 things you should have already experienced on the internet unless you're a loser or old or something and his second list (RH, via)

  • Charlie bit me
  • Chocolate rain
  • Mentos and diet coke
  • Badger Badger Badger
  • Play him off, keyboard cat

Stop reading this and watch the 198 videos NOW!

Feature comparison of UNIX flavors

Linux VS open source UNIX (30 min, via) is a very in-depth feature comparison of Linux and the BSDs, mostly at the kernel level. Not everybody's cup of tea, but make sure to at least check out the first table and the summary.

[Image: table comparing UNIX kernel features]

The Real UNIX

Will the real UNIX please stand up? (2 min, via) opens a discussion about UNIX roots and its impact in the 21st century.

At our level it's not worth worrying too much about which is the "real" UNIX, because all of these projects have benefited greatly from the five decades of collective development. But it does raise an interesting question: what about the next five decades? Can a solution for timesharing on a 1960s minicomputer continue to adapt for the hardware and demands of mid-21st-century computing?

No more random phone searches in US airports

EFF statement (1 min, via)

In a major victory for privacy rights at the border, a federal court in Boston ruled today that suspicionless searches of travelers' electronic devices by federal agents at airports and other U.S. ports of entry are unconstitutional.

Some good news to wrap this roundup.

Tags: roundup


Google may terminate your account if you're not profitable

November 17, 2019 — Carlos Fenollosa

Youtube's new ToS, emphasis mine, via

YouTube may terminate your access, or your Google account's access to all or part of the Service if YouTube believes, in its sole discretion, that provision of the Service to you is no longer commercially viable.

Initially, this was interpreted as a way of kicking non-profitable channels out of the platform.

However, the implications are wider. Watching a Youtube video with adblock enabled may wipe your whole Google account.

It's not like they couldn't do this before, and good luck contacting Google's support channels, but the fact that they have made it explicit is a bit scary.

Personally, I've been slowly transitioning out of Google services for a while, but this is going to accelerate the process.

If you want to be safe, make sure that your gmail account is expendable before December 10th.

(Obligatory if you're not the customer, you're the product)

Tags: internet


Links for 2019-11-10

November 10, 2019 — Carlos Fenollosa

Windows backwards compatibility is amazing

The Windows Update Marathon in a VM: From Windows 1.01 to XP (5 min, in German) and Upgrading Windows NT 3.51 to Windows 10 via 2000, XP, Vista, 8 and 8.1 in under a minute (1 min, video) both via

[Image: Windows 95 opening Windows 3.1 apps]

I can already hear the Windows 3.1, 95, 98 and XP startup sounds in my head. Can you?

Of course, nostalgia paints everything with rose colored glasses. Windows 3.1 was an amazing improvement over DOS. 95 brought real multitasking but it crashed constantly. 98 SE was the shit. XP started a bit wonky but with SP2 became a great OS. And anything that came later just sucks.

Which brings us to...

Windows is not for OP

Back to windows after twenty years (2 min, via)

Apple's stubborn four-year refusal to fix the terminally broken butterfly keyboard design led me to a crazy experiment last week: Giving Windows a try for the first time in twenty years.

I have done this, for the same reasons (see link above).

However...

Anyway, I started this experiment on a Monday. I kept going all the way through Friday. Using the laptop as I would any other computer for the internet, and my new hobby of dealing with the stubbed toes of setting up a *nix development environment, but when I got to Saturday I just... gave up.

Yup, seems about right.

Several top Spanish companies hit by ransomware

Everis and others hit by ransomware (2 min, Tweetstorm, in Spanish, via and discussion in English)

Two years ago, Telefonica, the Spanish telco, was hit by Wannacry, too.

Ransomware is pretty scary. However, when you remember how viruses in the past just deleted your files, it makes you think. Do you prefer total destruction or a possibility of recovery through blackmail?

Remember:

  • Check your backups
  • Keep your OS always up to date
  • Don't use Windows unless strictly necessary

Spain passes its own "PATRIOT Act"

Críptica analyzes the new Spanish Digital Act (2 min, Tweetstorm, in Spanish)

Yes, Spain has hit the tech news twice this week.

Well, it was a matter of time. Spain already had a law which allowed the Government to close websites without a court order, which is outrageous in itself and has recently been used to silence political dissent.

Now, the Government will have the power to cut communications infrastructure (i.e. cellphone signal, internet at the ISP level) in situations where national security is at risk (ok) but also to protect public order (not ok).

Since any protest can disrupt public order, this new mechanism can be used almost indiscriminately.

Note: This law has been tuned by an acting government, during the general elections campaign.

All issues of the now defunct Linux Journal

Linux Journal complete (PDF) collection (RH, via) is an archive of the recently discontinued Linux Journal, a veteran in the industry.


Web vs native

Apple Is Trying to Kill Web Technology (2 min, via) is a manifesto that defends web apps.

In my opinion, it is misleading because it blames Apple, not the Electron developers, who are at fault for accessing private APIs. That is another topic of discussion, but hey, isn't it ironic? If you develop a web app that accesses private APIs, maybe you would be better served by a... native app?

Regardless, there are a few valid points:

Apple's control over its app ecosystem is a new type of monopoly that's hard to understand for lawmakers, and difficult for us to fight back against — because there simply isn't a way out of these restrictions when the company controls both the distribution method and the platform itself

But again, this has nothing to do with Electron using private APIs to try and suck less.

I hate Electron apps, in case you didn't notice. Sorry. Everybody has their own biases.

Bash toolchain

Library for bash utility methods and tools, Shell Script Library, Bash Automated Testing System and Bash Infinity, a modern boilerplate / framework / standard library for bash (RH, via)

You may know I'm a Bash fan, so these finds are like gold to me.

The moral of the story is: don't dismiss bash without analyzing your requirements first.

Know Thy Computer

There's No Such Thing as Knowing Your Computer 'All the Way to the Bottom' (5 min, via)

I initially thought the title was about blobs in firmware, but no, the article is about programming languages, focusing on C.

Interesting, check it out if you're a systems programming nerd.

Give Firefox a chance

Give Firefox A Chance For A Faster, Calmer And Distraction-Free Internet (10 min, via) is a very good write-up with tips and tricks to maximize the usefulness and also the fun of Firefox.

A must read, and hopefully it may convince some people to switch from Chrome.

Boot sector games

Boot sector games (10 min, video)

The 8-Bit Guy has fantastic tutorials and reviews of cool old tech. If you want to see what can be done in 512 bytes you definitely need to watch this video.

[Image: Space Invaders clone that fits in 512 bytes]

Use IRC as a private chat

IRC for DMs (2 min, via) is a quick review of current chat systems and why they suck.

I like crazy, status-quo-breaking ideas, though the practicality of using IRC as a private chat system is nuts. Nuts, as in 90's rad.

Tags: roundup
