Smart design

In a world with people, we have the Cambridge Analytica scandal, while the rest of the world is full of smart design. Watching any nature series from David Attenborough (even if he is only the narrator) is so peaceful, amazing and educational…

When I was young, I was so excited about computers and so on, but now I'm very sceptical. I'm not scared of Artificial Intelligence or something. Technology is a double-edged sword and I can't help myself, I'm afraid that the dark edge is getting bigger and bigger. We have devices and services with cool abilities, but there is a big problem with who can control them… Actually, several days ago there was a nice XKCD about that:

I think it's time for everybody to really deal with what we do on the Internet. I'm not a fan of campaigns like #deletefacebook. Well, we can all leave Facebook, I would be glad, it's a horrible platform and I use it only because of Messenger, where I can contact all my friends. But it will not end there. Do you know, for example, that WhatsApp and Instagram are owned by Facebook? If you really want to leave, good, but use the simple and secure Signal. Also, don't forget about the like button everywhere, with shadow users.

Something else has to happen: you need to… no… you have to be a master of your device and what you read.

Delete apps you don't use or need so much. More than 80 apps on the phone is weird. Verify what permissions your apps have. Keep only the needed permissions (Settings > Apps > App permissions on the latest Android). Any app with the wrong permission can be dangerous. Don't forget that 2FA includes your text messages, and if there is an app which can read them… Or are you aware that your phone has two cameras and a microphone? An app which has access to those can listen to everything you say or even see you…

Set up notifications in a way which is not disturbing. You don't need to be notified that someone tweeted, or even that someone messaged you! Read messages and news when YOU have time. Turn off sound for every notification except calls. Enjoy that freedom!

And mostly, don't read news on platforms which decide what you see and in which order, like Facebook. Good old pal RSS is still around, not going anywhere, and does a very good job. What is RSS? It's a format which your favorite magazines and blogs can use to send new content to your RSS reader. Before I created my own reader, I used Feedly. Give it a try. :-)

…what was I saying? Oh, yes. Nature is full of smart design so animals can be dumb and live happily. Cities are full of smart devices, making a lot of obstacles. We have to be smart to use them.

The ultimate manipulative technique

First, you have to start by acknowledging the feelings of the other side, e.g. “oh…” or “I see…” Then name it simply as “that sounds frustrating!” or give a fantasy by stating something like “I wish I could make it for you right now!” By now, they should be on your side. The next step is to engage cooperation. Try it by giving information (not an order) and/or describing what you feel. Never punish, rather state your expectation, or again, express your feeling. The feeling is always good. At last, encourage autonomy with choices, turning questions into “what do you think?” or encourage them to use outside sources. As a final touch you can raise self-esteem as simply as saying “fantastic”!

Let's try it with an example. Let's say some computer programmer is saying it's not possible to do a feature you want. Say this:

(acknowledge the feeling) I see… (name the feeling) that sounds frustrating! (describe your feeling) I don't like using this software without this feature. (engage cooperation, give information) This is very important for all users. (don't punish resistance, state your expectation) I expect to have it done after collecting money from all our users. (encourage to use outside sources) Maybe the community has a suggestion. … (self-esteem final touch) It's a pleasure to work with you!

Done! :-)

Of course, it's not from my head. It's from a book. About kids. That book is called How to Talk So Kids Will Listen & Listen So Kids Will Talk, a little bit longer name. I really recommend this book even if you don't have or plan to have kids yet. You know, in the end, adults are just big kids. :-)

…ok, I played a little bit of Devil's advocate here. I don't agree this is a manipulative technique. It's just a way to be nicer to each other. At least I think so. ;-)

HaaS: Honeypot as a Service

My team at CZ.NIC has finally introduced a stable version of HaaS, Honeypot as a Service. Those who know Czech can read about it in an official blog post (edit: English version). For non-Czech readers, CZ.NIC is mainly known for the Czech domain registry, but it does much more. For example, a secure router called Turris, which has had a honeypot included for a long time. We decided to provide a honeypot for anybody, not just Turris owners.

What is a honeypot, exactly? A honeypot is a special application which simulates an operating system and allows a potential attacker to log in (we support only SSH for now) and run any command or download malware. It's not easy for ordinary users to install such an application, and mostly it's not very secure. We decided to do it for you. :-)

Unfortunately, it's still not super easy to join the project. At least now you need to install only a very small proxy. The proxy has to be there so we can know a small but important detail: the IP address of potential attackers. Without the proxy we would know only the IP of our user, which is useless.

The collected data are used by our CSIRT.CZ team to inform owners of servers and computers infected by some botnet about the issue. Currently the biggest source of attacks on our users is China, so we share our data with the security team in Taiwan. We plan to share data with other CERT/CSIRT teams as well.

If you want to join the project, you can do that on the page haas.nic.cz. Register a new account and install the proxy (available as a deb/rpm package, on PyPI or as a simple tar). If you are interested in analysis, we provide data on the page with global statistics. Well, except passwords, because we experienced more than one oversight where the user logged into the honeypot…

Dancers, don't be sorry

Well, be sorry. Of course when you hit or step on someone, apologise. Or when you refuse to dance with someone, it's also better to say no with sorry than without it. But don't feel bad at all in cases when you just didn't catch some move. It's totally all right to do something else than the leader wanted. Of course I mean when it's within the limits; going to the bar instead of the turn is not within those limits. :-)))

You know, even when I try not to be the same all the time, in the end, I have some set of variations, some set of crazy and funny moves, and if all followers were the same, I would be bored. It's good to do something else. Even if it's a mistake, it's good because then I cannot continue as I would in most cases. It brings a lot of variations and I like it.

So, please, next time you mess something up, don't say sorry. Smile and do what you like and feel instead. :-)


Django CSRF bug

We had this problem: our application worked well on desktop, but on the phone any action had a CSRF problem.

Mm, strange. Soon we discovered it's a problem only with Android. Later we were sure it's only Chrome on Android. Even stranger!

The next step was to check what exactly we were using for CSRF validation. Django. Without customization. Of course, checking Google showed that no one else had this issue, so it had to be some problem with our configuration. But it worked everywhere else…

We found that the same cookie was used for our top domain, and our application runs on a sub-domain. It could be an issue; all browsers can handle it, but Chrome on Android has some problem with that, we thought. We changed it. Deployed it. And nothing!

OK, time to plug in the phone and open the debug tools to see what's happening. In the development environment, everything worked just fine. That's very strange, and because of that we kept checking the configuration for a few more minutes. Without success.

After an hour or so we noticed that the token was really wrong. The token in the response from the server was different from the one which was then set in the session. We didn't know what to check next, so we did the worst thing possible: added some logging on the server to see what's happening. We noticed some regeneration of the token. Why is it regenerated? And why is there more than one request when using the phone?!

And then we finally saw it. Android makes one request for the page the user wants and one for some special 96px version of an icon that could be used… somewhere. That generates a 404 page, and we have a form on every page. But Django (it took us another half an hour, probably more) doesn't use the CSRF middleware for 404 and 500 pages! Which means Django is not going to take the token from the cookie, and when a token is needed, a new one is generated!

The fix is to use the decorator for 404 and 500 views, as described in the Django documentation. It's there, but who would expect that.
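The sequence from the post, replayed in an added stdlib-only model (not Django code and not the author's application): a page load, a background icon request that ends in a 404, then the submit of the loaded form. All names are hypothetical, the icon path is constructed, the model compares the raw secret instead of a masked token, and `requires_token` only stands in for Django's `requires_csrf_token` decorator.

```python
import secrets


class Request:
    def __init__(self, method, path, cookies, form=None):
        self.method = method
        self.path = path
        self.cookies = dict(cookies)  # snapshot of what the browser sent
        self.form = form or {}
        self.csrf_secret = None       # secret this request knows about
        self.secret_used = False      # True once a template asked for a token


def load_cookie(request):
    """Take the existing secret from the cookie (the step skipped on error pages)."""
    request.csrf_secret = request.cookies.get("csrftoken")


def get_token(request):
    """Called when a form is rendered: reuse the known secret or mint a new one."""
    if request.csrf_secret is None:
        request.csrf_secret = secrets.token_hex(16)
    request.secret_used = True
    return request.csrf_secret


def page_view(request):
    return 200, get_token(request)    # page with a form carrying the token


def save_view(request):
    return 200, None                  # form target; reached only if the check passed


ROUTES = {"/": page_view, "/save": save_view}


def plain_404(request):
    return 404, get_token(request)    # the error page also renders a form


def requires_token(handler):
    """Hypothetical stand-in for the decorator fix: load the cookie first."""
    def wrapped(request):
        load_cookie(request)
        return handler(request)
    return wrapped


def handle(request, handler404):
    """Return (status, token in rendered form, cookie value to set or None)."""
    view = ROUTES.get(request.path)
    if view is None:
        status, form_token = handler404(request)  # CSRF step did not run
    else:
        load_cookie(request)                      # runs only for resolved views
        if request.method == "POST" and (
            request.csrf_secret is None
            or request.form.get("token") != request.csrf_secret
        ):
            return 403, None, None
        status, form_token = view(request)
    cookie = request.csrf_secret if request.secret_used else None
    return status, form_token, cookie


def session(handler404, icon_request):
    """Replay page load, optional 404 icon fetch, then submit of the loaded form."""
    jar = {}

    def send(method, path, form=None):
        status, form_token, cookie = handle(Request(method, path, jar, form), handler404)
        if cookie is not None:
            jar["csrftoken"] = cookie             # browser stores the newest cookie
        return status, form_token

    _, form_token = send("GET", "/")
    if icon_request:
        send("GET", "/icon-96.png")               # constructed path; no such route
    status, _ = send("POST", "/save", {"token": form_token})
    return status


if __name__ == "__main__":
    print("desktop, plain 404 handler:  ", session(plain_404, icon_request=False))
    print("phone, plain 404 handler:    ", session(plain_404, icon_request=True))
    print("phone, decorated 404 handler:", session(requires_token(plain_404), icon_request=True))
```

The middle case is the one that only showed up on the phone: the 404 response replaces the cookie, so the form that is already on screen carries a stale token and the submit is rejected.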

Half of the day. We spent half of the day, two of us, to figure out this issue. I really don't know how to explain to people why development of simple websites costs so much money. Better to just laugh, take a glass of whisky and watch Django Unchained. Much more fun than debugging a Django app. :-P

Can you help with a political question?

Ok, so I have those struggles. I think I'm not alone. Actually, I know I'm not.

Let's start with a little bit different question. In how many fields could anyone be an expert? My personal feeling is about three, but the average will definitely be less, probably just one. For example, I think I'm an expert in one field, computer programming. I feel that when I decide how to solve some problem, I know for sure the result is not going to be a disaster. Because I put a lot of energy into always reading, learning, trying, using, everything. It's my daily job and I also do some projects at home. Without programming at home, I wouldn't feel like an expert at all, yet. So it's like 8+ hours a day. Every day. For more than ten years already.

I have also other hobbies (for example the biggest one right now is dancing and helping the salsa community), into which I put a lot of energy as well, but I'm unable to say if what I'm doing is right or not. I need much more time and practice. I'm not sure about any decision, I decide only based on intuition. You could see that in the results, sometimes it makes perfect sense, sometimes not.

Of course those two hobbies take so much energy that I don't have time for anything else. The day has only 24 hours…

Now comes my first struggle: if being able to decide properly takes a lot of study, how could I vote for some candidate I barely know? It seems it would be better to let people vote who keep an eye on politics at least every other day. But actually that means letting people vote who think they know what's happening in politics. Which sounds just horrible.

I think I know what many of you are going to think now: that reading a little bit about what's happening in my government every day is not too much work. Ok, try to think of something you like and something you don't like and compare the results. The result of something you like is definitely going to be far more effective and better.

To put it into my second struggle: many people say people have a short memory and cannot remember the past of candidates. I would for sure fall into that category. Because politics isn't something I like, I would have a problem remembering all the details, even major ones! Another question is if that even matters. People can change and deserve a second chance, right? Let's be honest, who of us has a perfect past?

That question reminds me of another struggle: let's say I don't have the previous struggles at all and I want to vote, but there is no perfect candidate for me (by perfect I mean the best option available). Whom should I vote for, the most perfect one available (but unpopular, so it helps some popular one who is bad for me) or tactically vote for someone who could defeat that bad one (for me) and would be okayish?

Yeah, politics is very complex. Probably I shouldn't care about that at all and just pick some newspapers, let them do the job of watching every move and keep me notified. The problem is, when I did that, I didn't feel it was working. I'm not saying it was better before and nowadays there is a problem with fake news and so on so it cannot work anymore. It's the same as before, as I dig into history from time to time. But this is like a chicken-and-egg problem because now I need to choose not a candidate, but a source of information about candidates. Which source is trying to be as objective as possible? Which source is not connected with any side? So many aspects!

This is also my last struggle: which source to follow so as not to be disgusted? Because many reports are subjective, side-oriented, topic-oriented, … For example right now in the Czech Republic it looks like everybody wants to just defeat the current president. I don't care if it's right or not, but it's not the quality journalism I want to follow.

To summarise it, everyone should vote in an election, right? But how can I vote with a clear conscience? Tell me your opinion!

Maybe I should just ignore everything, vote by feeling and not care later if it was a good decision. And without any feeling, not vote at all. Because life is too short to do something you don't like.

Why I don't trust recommendation systems

I liked Google Now. Liked. With the new Android it's changed and isn't very useful anymore. Before, you could just swipe to the left on your home screen and see all important stuff. Like how much time it takes you to go to work right now. Or when is your meeting. How is traffic. Updates about your flight. Hotel reservations. Exchange rate. They even notified you about the most important stuff.

It was scary, but very handy. At least for those who travel a lot. (Scary in a way how much Google knows about you.)

And they changed it. All the important stuff is hidden behind one more click, and even when I open that section, there is not as much as before. In place of all the useful stuff they placed a feed of articles Google thinks you would like. Well, it can be useful as well, to stay updated. But…

…but when I upgraded to the new Android there was a new Marvel movie and I was looking for some info. Of course Google thought “hey, he likes Marvel!” and very quickly I ended up in the Marvel bubble. I didn't even want to click on any of those articles, but I was used to finding important stuff by sliding to the left, and whenever I did that, I saw some tempting title. I would say click bait.

A good recommendation system would do its best not to keep you in some bubble. Well, Google did. I didn't want to use it and so Google kept showing me news about Marvel movies. Google started to care only about what I clicked on in that feed and not what I was searching for. A totally different attitude from the previous Google Now functionality. Two years ago, my phone could detect that I go regularly every Wednesday to the same place at the same hour just based on my location, and after a few weeks I got a card saying I should leave sooner because traffic is worse that day than usual. Today I'm in some weird bubble.

Of course I noticed that and wanted to turn off that feature. To see directly useful cards again. And you guessed correctly, there was no way to turn it off. Google created something useful to get us used to swiping left and then they changed it to something which can bring Google a lot of money.

Finally, with the latest Android (at least on a Pixel phone) you can turn it off. If you like yourself, swipe left, touch the three dots, settings and then under Your feed uncheck Show feed. Then the screen will stay blank, there will be no cards as before. At least it will stop trying to seduce you.

As you can see, not even Google can do a recommendation system well. And this is one example of why I don't trust them. I don't follow anyone on Twitter or Facebook or YouTube, I don't read any page aggregating articles, nothing. I created my own reader with support for RSS, Twitter, YouTube and so on, with my own system of how I want to prioritise articles. It's not perfect and needs some help from the user, but at least I'm not in the bubble.

I think everybody should ignore and disable (if possible) any feed managed by someone else than you.

P.S.: If you would like to try my app, well, it runs on my personal server. I could give you an invitation token, feel free to write to me, but I cannot promise anything. :-) Anyway, this post is not about my app, but about the problems with recommendation systems.

How Twitter support works

I had a problem logging in to my Twitter account because I couldn't get the SMS code, so I sent them a message about that. They responded:


Hello,

Thanks for writing in. Many people who have reported issues with login verification have found the following tips helpful:

  • Having trouble receiving push notifications? You can access pending login requests from within your Twitter app on your device: 
    1. Open the Twitter app and navigate to “Settings”.
    2. Tap “Account”, then tap “Security”.
    3. Select “Login Requests” to see a list of all requests available to approve or deny.
    4. Pull down on the list to refresh and see the most recent requests.
  • When you enrolled in login verification from your device, did you generate a backup code? If so, you can use that code to log in to your account on twitter.com from a desktop or laptop computer. Additionally, if you still have access to your app, you can generate a new code from your device. More information can be found here: https://support.twitter.com/articles/20170409#backup-code.
  • If you’re not receiving SMS notifications, but you are still logged in to your Twitter app:
    1. Navigate to your account’s “Settings”.
    2. Tap “Account”, then tap “Security”.
    3. Tap “Login code generator”.
    4. Use the code shown to log in to your Twitter account.
  • If the above tips do not work, and you can still access your account from your device, you can disable login verification by following these steps:
    1. Navigate to your account’s “Settings”.
    2. Tap “Account”, then select “Security”.
    3. Disable “Login verification”.

You can also check out our login verification troubleshooting article for more helpful tips: https://support.twitter.com/articles/20170409.  

If you’ve tried the above options and still need help accessing your account, please reply to this email for further assistance. For security reasons, we can only process this request if you contact us from the email address associated with your Twitter account. 

If you need to file a new report, you can do so here: https://support.twitter.com/forms/signin. 

Thanks,

Twitter Support


I still need assistance as I wrote in the original message. :-)


Hello,

We may be able to help you regain access to your account by disabling login verification.

First, we'll need to confirm you as the account owner. Please try logging in once more on https://twitter.com (from a desktop/laptop computer or a mobile web browser) with your correct username and password. This will generate a notification on our end, and we may be able to use this to confirm you as the owner of the account.

Please reply to this email once you've done that, and we'll do our best to help.


Hello, I did right now.

I was able to find a device where I am logged in so I could deactivate SMS confirmation. Also I know where the problem is. My phone is set up correctly but I got no confirmation code. I tried to change the phone number, nothing, I tried to set up SMS confirmation again and also nothing. Probably you have a problem sending SMS to my country or something? Because it was working just fine when I set it up for the first time...


Hello,

Thanks for letting us know! We're happy to hear that you have resolved the issue.

If you have any other questions, you can always check our Help Center for relevant articles: https://support.twitter.com.


I haven't. I'm logged in but I still cannot use login verification because I don't get any text message... this is a bug.


Hello,

If you already have a Twitter account, your next step is to add your phone so you can send and receive Tweets on the go. You can do this via SMS commands, or by going to www.twitter.com.

Via SMS:

  1. First, send START to your Twitter code (40404 in the US).
  2. Reply with YES since you already have an account.
  3. When prompted, send us your username and password. You will receive a message when your sign-up is complete.
  4. Turn Tweets off or on by sending "OFF" or "ON" to Twitter from your phone.

More information can be found here: https://support.twitter.com/articles/14589#add-phone-sms

Via the web:

  1. Log in to www.twitter.com and navigate to your Mobile settings: https://twitter.com/settings/devices
  2. Enter your phone number and click "Activate Phone".
  3. You will then be prompted to send GO to your short code from your mobile device.

More information can be found here: https://support.twitter.com/articles/110250-adding-your-mobile-number-to-your-account-via-web

Hope this helps!


Do you even read my messages or is it just some automat? I didn't receive any SMS! My phone number is correct and working, I got a verification SMS before but not now. There has to be some problem on your part... Can you look at it?


Hello,

We found a page in our help center that we think will help you out: (https://help.twitter.com/en/search?q=received+sms)

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!


Really? Please, read my messages. You have a bug somewhere because I don't get any text message on my phone. Please check where the problem is. I would like to use 2FA but cannot because of that.


Hello,

We found a page in our help center that we think will help you out: https://help.twitter.com/en/managing-your-account/two-factor-authentication

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!


Yeah, I'm stuck, I guess, with your support not looking into the bug I reported. What page would you recommend me to visit now?


Hello,

We found a page in our help center that we think will help you out: (https://help.twitter.com/en/managing-your-account/issues-with-login-authentication)

If you've checked out that page and are still confused, write back to let us know more about where you're stuck. We'll do our best to help you out!


My phone is working and I waited more than ten minutes and still didn't get the code. Really, can you fix it or say to me what's wrong?


Hello,

You tried to update a case that has been closed. Please submit a new case at http://support.twitter.com/forms. You can also visit our help center at http://support.twitter.com for self-help solutions to common problems.



Hm.

So… who is afraid of AI? Not me. I just hate how it's used everywhere nowadays and it just sucks. Pretty hard.

Travel notes: Šibenik

I have already written here once about visiting Croatia; that trip was to spend a week sailing. Croatia surprised me a lot, but visiting it for its own sake still doesn't appeal to me. Even so, I have been there three times already, the second and third time in Šibenik for a great salsa festival. One of the best there are. And I'm not saying that because it was my first. :-)

Or rather, at least it was. So far my favourite three are Mamboland, because I haven't yet experienced a better way to improve a lot at a festival; El Sol, because almost everyone I know is there, a sort of whole salsa family together, let's call it a little Christmas; and then Šibenik, because of the parties.

That was very brief… so, put another way:

  • Normally a festival runs over a weekend. On Friday you arrive, often after a normal working day, tired from the journey. You don't last long the first day. On the second day you start getting used to the festival atmosphere: that you don't have to go to bed early, that you don't have to get up early, that you don't have to think about work, and so on. But it's still not the best day. And then it's Sunday, when you really get into dancing… and it's already over. Šibenik starts on Tuesday.
  • Social dancers like social dancing. Festivals spoil that with various workshops and shows, where you can't manage everything anyway. The expanding salsa marathons are the rescue, but even before all the salsa marathons, Šibenik was already doing social dancing during the day as well. In other words, add whole days to those danced-through nights of the entire week.
  • Whenever there is dancing during the day too, everyone is very relaxed. Nobody worries about anything, people dance calmly, simply a completely different and better atmosphere. In Šibenik it is, on top of that, on the beach. With a bar. Sunshine. It can hardly get more relaxed than that.
  • By the way, the night party also ends outdoors and you can watch the sunrise while dancing.
  • The festival is relatively small, not particularly crowded. But at the same time there are a lot of skilled dancers there.
  • And on the last day people more or less give up on salsa and go party at the pool party.
  • By the way, as a bonus, Šibenik is one of the filming locations of Game of Thrones!

The only downside of Šibenik is that this year the party was no longer on the beach all evening (it moved there only after five) and accommodation in Croatia has become much more expensive for next year. So if another festival manages to have a tent on the beach for the night party, I'll immediately put Šibenik on the back burner!

Oh, and I was also in the town. Beautiful. :-) Architecture in Croatia is very photogenic!

Whisky I like

I will not give you a professional analysis of whiskies. I'm really bad at describing the flavor of food and drinks. Take it just as my few notes which can maybe help you to find something new you could also like.

Let's start with something more soft you can drink all day long. O:-)

  • Cardhu 12yo
  • Dalwhinnie 15yo: Soft, fruity taste turning into light smoke and back to finish again with fruit.
  • Glenglassaugh 1986 MM (Murray McDavid): First whisky in sherry cask. Very sweet, with such a dark color you would not think you are drinking whisky. One glass is enough of sweet, but worth trying.
  • Kilchoman Machir Bay: Intensive sweet fruit with little bit of hint of smoke.
  • Nikka Pure Malt Black: It starts with caramel, but you finish with feel like you ate very bitter chocolate. Unbelievable!
  • Scapa Skiren: Pleasant honey with fruits.

Something more sharp, for real men. :-)))

  • Ardmore Legacy: Similar to Talisker, but softer, suitable for every part of the day.
  • BenRiach Curiositas 10yo: Similar to BenRiach 17yo, an ideal way to save money!
  • ! BenRiach 17yo: Not too sharp from a sherry cask with gentle smoky feeling and long finish.
  • Springbank 12yo: Very spicy.
  • Springbank 15yo: Partly from sherry cask makes it soft on the beginning but soon you will get rich and long spicy and salty taste.
  • ! Talisker 57° North: Very complex, rich and long taste. I don't know anybody who wouldn't like it.

And now my favorite section, smoky ones.

  • anCnoc, cutter limited edition: Just drink and wait for the smoke.
  • Ardbeg 10 Year Old
  • Blackadder: The best thing about this whisky is the finish. The finish will say everything, the beginning will not even tell you it is cask-strength.
  • ! Bruichladdich Octomore 04.2 Comus: One of the best whiskies I had at home.
  • Bruichladdich Octomore 06.1: Not so super as 04.2 or 06.1 but still very good intensive smoky taste.
  • ! Bruichladdich Octomore 06.3: You wouldn't tell the smokiness by smelling, probably you would say fruity. But then you will get an explosion of all tastes. You can feel that smokiness even an hour and more after.
  • Edradour Ballechin 10yo
  • Gerston, Lost Distillery: Intensive smoke which gets bigger and bigger. You can feel caramel in the background.
  • Glenlivet Cipher: The taste is changing and is very complex. The only problem is it does not take a long time.
  • Kilchoman 4th edition: It's totally opposite to Machir Bay from sherry cask. Smoky with hint of sweet fruit. 
  • Lagavulin 12yo: Favorite one in 12yo version did not disappoint me.
  • Lagavulin 16yo: One of my favorite smoky whiskies.
  • Laphroaig Quarter Cask

Note to my list: bold ones are those I like very much and those with an exclamation mark are my tops. Sadly, often also very pricey ones.

Please, share also which ones you prefer and why. Winter is here, so it is good to keep ourselves warm!