Weekly Head Voices #118: Accelerando.

Too much nerdery took place from Monday February 20 to Sunday March 5. Fortunately, by the end of that period, we found ourselves here:

The view from the shark lookout all the way to Hangklip.

bibtex references in orgmode

For a technical report, I thought it would be handy going from Emacs orgmode (where all my lab notes live in any case) to PDF via LaTeX.

This transformation is more or less built-in, but getting the whole machinery to work with citations from a local BibTeX export from my main Zotero database does not work out of the box.

I wrote a post on my other even-more-nerdy blog showing the extra steps needed to turn this into an easy-peasy 38-shortcut-key-combo affair.

Google GCE K80 GPUs available, cheap(ish)!

I’ve been using a cloud-hosted NVIDIA Tesla from Nimbix for my small-scale deep learning experiments with TensorFlow. This has also helped me to resist the temptation of buying an expensive new GPU for my workstation.

However, Google Compute Engine has finally shipped (in beta) their cloud-based GPU product. Using their pricing calculator, it turns out I can get a virtual machine with 8 CPU cores, 30G of RAM, 375GB of local SSD and a whole NVIDIA Tesla K80 GPU (12GB of memory) in their EU data centre for a paltry $1.32 / hour.

This is significantly less than half of what I paid Nimbix!

(That resistance is going to crumble, the question is just when. Having your stuff run locally and interactively for small experiments still beats the 150ms latency from this here tip of the African continent to the EU.)

nvpy leaves the nest :`(

My most successful open source project to date is probably nvpy, the cross-platform (Linux, macOS, Windows) Simplenote client. 600+ stars on github is not A-list, but it’s definitely also nothing to sneeze at.

nvpy stats right before the hand-over

Anyways, I wrote nvpy in 2012 when I was still a heavy Simplenote user and there was no good client for Linux.

In the meantime, Emacs had started taking over my note-taking life and so in October of 2014, I made the decision to start looking for a new maintainer for my open-source baby nvpy.

That attempt was not successful.

By the end of 2015 / early 2016 I had a bit of a Simplenote / nvpy revival, as I was using the official client on my phone, and hence nvpy on the desktop.

Emacs put a stop to that revival also by magically becoming available on my phone as well. I have to add that the Android Simplenote client also seems to have become quite sluggish.

I really was not using nvpy anymore, but I had to make plans for the users who did.

On Saturday March 4, I approached github user yuuki0xff, who had prepared a pretty impressive background-syncing PR for nvpy, about the possibility of becoming the new owner and maintainer of nvpy.

To my pleasant surprise, he was happy to do so!

It is a strange new world that we live in where you create a useful artifact from scratch, make it available for free to anyone that would like to use it, and continue working on improving that artifact for a few years, only to hand the whole thing over to someone else for caretaking.

The handing-over brought with it mixed feelings, but overall I am super happy that my little creation is now in capable and more active hands.

Navel Gaze

Fortunately, there’s a handy twitter account reminding us regularly how much of 2017 we have already put behind us (thanks G-J van Rooyen for the tip):

That slowly advancing progress bar seems to be very effective at getting me to take stock of the year so far.

Am I spending time on the right things? Am I spending just the right amount of effort on prioritising without this cogitation eating into the very resource it’s supposed to be optimising? Are my hobbies optimal?

I think the answer is: One deliberate step after the other is best.

Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US (interestingly, the author deleted their article from both hackernoon.com and from medium; I now link to the Wayback Machine’s stored copy). It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

However, it is only because I took the step of flashing the official KDZ image (V30a-ZAF-XX), which consumers would normally not do, that I am now running Android 6. Even so, my security patch level is 2016-03, meaning there are 6 months of security updates I don't have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)
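The same check can be scripted from a workstation, which is handier when you want to compare several phones against the latest bulletin. The script below is an added example and not part of the original post: it reads the device's patch level over adb via the `ro.build.version.security_patch` system property (the value the Settings screen displays on Android 6.0 and later) and computes how many months behind a given bulletin date the device is. The `--check` flag, the default bulletin date of 2016-11-01 and the "unknown" result for phones that do not expose the property are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): compute how many months of Android
# security fixes a device is missing, given its patch level and a reference bulletin.
# ro.build.version.security_patch is the system property Android 6.0+ exposes;
# the Settings | About Phone screen mentioned in the post shows the same value.

# patch_lag_months DEVICE_LEVEL BULLETIN_LEVEL
#   Both arguments are YYYY-MM-DD strings as used in the Android security bulletins,
#   e.g. patch_lag_months 2016-03-01 2016-11-01 prints 8.
patch_lag_months() {
    dev_y=${1%%-*}
    dev_rest=${1#*-}
    dev_m=${dev_rest%%-*}
    ref_y=${2%%-*}
    ref_rest=${2#*-}
    ref_m=${ref_rest%%-*}
    # strip a leading zero so that 08 is not parsed as an invalid octal literal
    dev_m=${dev_m#0}
    ref_m=${ref_m#0}
    echo $(( (ref_y - dev_y) * 12 + (ref_m - dev_m) ))
}

# device_patch_level: read the level from the attached phone over adb.
# Needs a USB-debugging-enabled device. Prints "unknown" when the property is
# absent, which is what Android 5.x and older report (matching the post's
# observation that Lollipop shows no patch level at all).
device_patch_level() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if [ -n "$level" ]; then
        echo "$level"
    else
        echo unknown
    fi
}

# Usage: ./patchlag.sh --check [BULLETIN_DATE]
# The bulletin date defaults to the November 2016 bulletin quoted in the post.
if [ "${1:-}" = "--check" ]; then
    ref=${2:-2016-11-01}
    level=$(device_patch_level)
    if [ "$level" = unknown ]; then
        echo "no security patch level reported (Android 5.x or older)"
    else
        echo "device level $level is $(patch_lag_months "$level" "$ref") month(s) behind $ref"
    fi
fi
```

A lag of zero or one month is normal while vendors roll a bulletin out; anything approaching the six months the post describes means the device is missing every critical fix published in between.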

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or could already have been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Store, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there are a great many Android phone vendors, making phones from absolute entry-level to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based encryption, but they're missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as CyanogenMod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead.  If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5x or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

BlackBerry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that BlackBerry's Android phones get monthly security updates. Read more at CrackBerry and here in the BlackBerry Android security bulletin for November: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.

Google’s zero-shot neural machine translation system shows intriguing evidence of an interlingua

In recent research (full paper also available), researchers from the Google Brain and Google Translate teams have shown intriguing evidence of a so-called interlingua, that is, a language-agnostic common representation of sentences with the same meaning from different languages.

What I also found interesting about this work (and related to the above finding), is that they’re able to perform translations between language pairs that the system has never trained on.

A further pleasant surprise was seeing how they used the t-SNE visualization technique to embed the high-dimensionally represented sentences in 2D, in order to study the interlingua phenomenon.

Why it’s healthy that Microsoft and Google are eating Apple’s lunch

Last week Apple announced their new Macbook Pro laptops.

Their great innovation (a “game-changer” in their words) was a sliver of a touch screen above the keyboard which is able to show touchable context-specific buttons. They’ve dubbed this the TouchBar. Although the OLED technology is certainly pretty, one could almost hear the enormously disappointed collective “MEH” uttered by millions of users and suddenly erstwhile Apple fans world-wide.

Was Apple, in the form of Phil Schiller, really trying to sell this? By the way, if you represent Apple, a company traditionally known for its great design sensibilities, should you not spend just a little more money to dress a little better than the couture equivalent of an old Lada? Suit up man!

Phil Schiller not suiting up.

Collectively, the internet was disappointed. Why no touch screen? Why no new iMac (last refresh a year ago) or Mac Pro (last refresh 3 years ago)? What is happening at Apple?

The day before, on October 26, 2016, Microsoft revealed the Surface Studio. Watch this introduction:

… and also this video with Microsoft partners who have in secret been working with the Studio:

Even if you did not like Microsoft, you can get a good sense of the emotion around this new product.

They’ve managed to make something that speaks to the imagination. When I see this, as an outspoken Microsoft critic, I do get the distinct feeling that the Surface Studio is a physical artefact of the science fiction dream that my reality is gradually (and very pleasingly) turning into. My less nerdy technology-critical better half’s first reaction was: When can we get this?

It seems that Microsoft has convincingly out-Appled Apple.

In other words, Microsoft has somehow become sexy whilst Apple seems to have developed strong feelings for the Lada.

As an interesting related tidbit, a friend, whom I was trying to convince NOT to get Google’s new Pixel XL phone because reasons, recently sent me this short post on The Verge by Vlad Savov, a camera phone expert who until recently was of the educated opinion that the iPhone 7 was still the king of the smartphone castle. He writes:

On the basis of my extended experience with Google’s Pixel, I consider it an all-around better phone than the iPhone 7. The final exhilarating straw that broke the camel’s back was the photo below, coming straight out of the Pixel XL’s camera, undoctored other than for a horizon adjustment.

WHAT IN HEAVENS IS HAPPENING?! OUR WHOLE WORLD IS COLLAPSING!

Perhaps not…

During a Signal App conversation (you should really use Signal, it now has privacy-conscious Giphy support) with another friend, I realised that what’s happening here, is in fact wonderfully capricious human emotion interfering with the machine that is capitalism.

Left to its own devices, the nature of capitalism means that successful companies tend to evolve into capitalistically optimal dead ends. In other words, large successful companies lose the will to innovate, because they realise they are able to make more money at less risk by simply not rocking that boat. Instead of investing in innovation, they invest in sales and marketing to milk their large customer-base.

Ironically, Steve Jobs explained this idea quite eloquently during this interview where he talked about the decline of Xerox:

Fortunately, when a company like Microsoft throws an innovation curve-ball that appeals to our emotion and to our imagination, they can rock the boat for everyone.

Even though we’re talking about three absolute behemoths, it’s gratifying that they, as well as their smaller competitors, keep each other on their toes through the fickle wonder that is human behaviour.

Here’s to hoping that AI never manages to model or predict our precious caprice. :)

The Monthly [Weekly Head Voices #50]

HEY!

I’m still here, and it seems I really have to catch up on my backlog of WHVs, all the more as I was starting to notice the beginnings of BPP (Backlogged Posting Paralysis, of course). So I’ve spent a few minutes gathering a selection of life snippets of the past six weeks (week 21 through week 26) and will now proceed blasting them out this old Web 1.0 exhaust. I wasn’t completely idle blog-wise, however. I did write a post about my EuroVis 2011 and my Schloss Dagstuhl SciVis seminar adventures.

Before the blasting commences, I would like to present some relaxing visual input brought to you via my cell phone camera, which at the time of capturing found itself in my hand, itself being inside the chapel in Herberg op Hodenpijl, a short westward cycle from my house:

Herberg op Hodenpijl chapel roof detail.

The picturesque surroundings are home to the chapel, which hosted an art exhibition at that point, and an organic restaurant and grocer. Most (all?) of the produce comes from a small farm across the road that you can also visit. The goats are really friendly. You could do worse than popping by on a sunny day.

Herberg op Hodenpijl chapel roof detail.

The rest of this post has been categorised, with nice headings, so that you can skim through it even faster.

Health and well-being

  • In a recent cooking insert on the television, two chefs prepared Loup farci en croûte, or sea bass filled with julienne vegetables in a pastry of a thousand layers. Take a look at the video clip: The chefs put an amazing amount of effort into preparing this visually beautiful and apparently delectable dish.
  • My TNR and since recently also business partner, who can often be found hurtling down mountains on various and high-speed forms of personal transportation, and when he’s not is involved in a number of other extreme sports activities, managed to break two fingers on his right hand cycling over the flat and otherwise uneventful piece of earth between the computer science and physics buildings on our campus. Go figure.
  • In a recent study with 48000 (yes, that’s forty eight thousand) men followed over a period of 22 years, a strong correlation was found between drinking six cups of coffee per day and a lowered risk of prostate cancer. Also men (but can you still call them men?) drinking fewer than 6 cups of coffee per day had a lower risk. The study did correct for other lifestyle factors. The linked summary also mentions other studies in which coffee drinking has been associated with lower risk of Parkinson disease, type 2 diabetes and liver cancer. I guess I can worry less about this addiction than, euhm, the other ones.

Nerd News

  • Dropbox has recently activated functionality they call shareable links, meaning that you can request a unique http://db.tt/some_code link for any file or directory anywhere in your dropbox and share it with anyone else (also non-dropbox users), who is then able to download said file or directory given the link. There’s a page on the website where you can manage all of your shared links, for example deactivating ones you don’t want people to access anymore. Read the help on shareable links for more information.
  • As you might know, I keep a lab journal documenting in some detail my daily work activities. I also maintain a personal journal, mostly for dumping stuff that might be interesting for this blog. I used to do all of this in Google Docs, but for the past few weeks I’ve been experimenting with using TiddlyWiki (this is a single file JavaScript-heavy wiki implementation) on my Dropbox for all my journaling and personal knowledge base needs. It’s been going swimmingly for at least two reasons: 1) It’s available also when I’m offline. 2) The idea of being able to break out into a new wiki page (called a tiddler) at the drop of a hat takes some getting used to, but fits the non-linear nature of my journal and personal knowledge base entries much better than the mostly linear Google Docs.
  • I’ve settled on using the free tonido personal cloud software to make all the files on my home server available via the internets. This means I can get to all of my music, photos or whatever no matter where I am. Pretty neat! (I have too much to fit on my 50G Dropbox account. There’s also the PogoPlug software, but the free version has its limitations.)
  • Just a few days before Google+ (Google’s new social networking religion, in case you’ve been sleeping for the past week) hit the internets, I installed the Google +1 button on this blog, see right at the bottom of every post. So now you know what to do with every post: Click my +1 button, then click my facebook like button, then leave me some snarky comment right here. Easy as 123, and I’m a happy camper.

Comedy

Whilst flipping through channels one Saturday night, I flipped right into the stand-up comedian Demetri Martin. I made a note of it in my journal, and now here we are. Watch him present his research findings on his large pad, with his pointer:

That’s it for now dear readers. I really do hope to be back soon, and I hope to do so with a slightly more focused contribution. See you on Google+!

UPDATE 2011-07-23 note-taking strategy

To you I might appear fickle, but I guarantee that it’s just hyperactivity. I’ve since adjusted my note-taking strategy again. As you will have seen in the comments, Pieter Kitslaar subtly influenced me to go searching for a note-taking solution that syncs between phone and everywhere else. Fortunately, I ran into the SimpleNote universe and I’m now officially in note-taking heaven. I have Flick Note on my Android, the SyncPad extension on Chrome (for sometimes) and ResophNotes on Windows and on Linux with Wine. All apps work exactly as I would expect a super-fast and efficient note-taking app to work, with real-time incremental searching, hotkeys everywhere, and best of all, offline use and transparent syncing. ResophNotes is especially cool, definitely give it a shot.

So I’m using this SimpleNote setup for all my personal knowledge base and general note-taking needs. For detailed work and lab journaling, I’m now using linear OpenDocument files on my Dropbox, which solves the offline problem I had with Google Docs, which I do still adore for collaborative work.

Lemme know in the comments what you think!