I’ve been playing with Scheme lately, and the book ‘Beautiful Racket’ made me want to learn a bit more about parsing and interpreting in general, and creating my own domain-specific languages.

When I was at university, there was only one book for this - the ‘dragon book’. It has been a long time since I read it, and I’ve pretty much forgotten all about BNF notation and everything else since then. And I’ve no idea where my copy of the book ended up.

The good news is that in the decades since I read the book, they've produced a second edition. And it’s not just a fancy re-print: it has new chapters and algorithms, bringing it up to date as of its publication. And instead of the red dragon on the cover of the first edition, there’s a purple dragon on the second edition.

The bad news is that it’s out of print.

'No problem’, thought I. ‘I’ll just order a used copy from Amazon...'

And here’s where the tale takes an odd turn.

I ordered the book from an Amazon reseller, AmysBookstoreUK. Three days later my order was cancelled. No reason was given, I just got a note from Amazon that my order was cancelled.

Hmm.

I tried again. This time I ordered from Meridian Bookstore. And it was despatched!

Then I got an email from them:

I wanted to inform you that since we have not heard from you regarding this order, we had to cancel this order and we issued you a full refund. The reason is that we discovered the last copy of this item was substantially water-damaged and it wasn't in a condition we could ship to our customers.  You may have received a dispatch notification from Amazon, simply disregard that notification since it was sent in error.

And my money was refunded.

I’m not sure I’ve ever had a reseller cancel an order on me before this, and here two resellers did it for the same item. What was going on?

So I tried again. And this time I was really careful.

I checked the Wikipedia page for the book. It lists the actual book website, which I’ve never been able to connect to, and the publishers page for the book, which requires Flash (remember Flash‽), as well as giving the second edition’s ISBN as 0-321-48681-1.

It turns out that ISBN is used by the second edition in the US, but also used by the ‘international’ edition in other parts of the world. And according to some reports, the international edition isn’t up to the quality of the regular second edition.

This review refers NOT to the original 2006 edition but to the 2014 re-print by Pearson India, via DKIndia. ISBN - 978-93-325-1866-7. The inside page of this book reads "This edition is authorised for sale only in India, Bangladesh, Bhutan, Pakistan, Nepal, Sri Lanka and the Maldives. Circulation of this edition outside of these territories is UNAUTHORISED." Therefore this edition should not be available to us in the UK.

The back of this Indian edition is even more ominous where it says "For these special editions, the editorial team at Pearson has collaborated with educators across the world to address a wide range of subjects and requirements, equipping students with the best possible learning tools" (MH so far so good). It continues ....

"This international edition preserves the cutting-edge approach and pedagogy of the original, BUT MAY ALSO FEATURE ALTERATIONS, CUSTOMIZATION AND ADAPTATIONS FROM THE UNITED STATES VERSION" (Caps MH).

This is somewhat concerning, as there is no indication within the book what has been changed, altered or customised!

[snip]

Also some readers have reported on the reviews below, that some of the algorithms are wrong. Again I don't know the validity of these statements.

[snip]

(Source: Amazon review by ‘MH’)

I didn’t want to waste time and money reading a book that had the wrong algorithms! (Possibly even worse, the international edition doesn’t have a dragon on the cover.) I could buy the international edition fairly cheaply if I wanted - Abe Books currently have it for £11.83 - but I persisted in trying to track down an actual copy of the proper second edition.

And I found it!

[Image: the Amazon book listing]

A hardcover of the second edition in ‘Used - Good’ condition. I ordered it from Princes Bookshop, a reseller with a London address, and anticipated the book turning up.

Then, a few days later, I received a FedEx package containing a new, shrinkwrapped copy of the international edition with a sender’s address in India. This confused me greatly. Was it one of the cancelled orders? One of them did have a despatch notice, even though it was refunded.

No, it turns out this was sent by Princes Bookshop. It was neither hardcover, nor used.

It looks very much like they put up a listing for the hardcover second edition and then just ordered a new copy of the Indian international edition and had it shipped directly to me, aiming to pocket the difference between the £11.83 I could have got the international edition for and the £41.75 I actually paid for the second edition. That seems dodgy to me.

I queried this with Princes Bookshop, naturally. Among other things, they said:

We have shipped the same book which you have ordered, and the detailed description of the book is available on the web site in our condition note. You can find the same in your order details page, and please note the contents of the book are exactly the same as the regular edition.

And later:

I am sorry to hear that you’ve received the wrong edition. All our items are listed by their ISBN numbers, which do not identify any changes to edition; Amazon list our items and provide the photos of these titles.

I’m not convinced. I can understand some ISBN confusion (although I’d expect a bookseller to be an expert in that area), but listing a used hardcover and shipping a brand new softcover? Hmm.

They’ve offered me a 30% discount if I keep the book. Even at a 30% discount that would be nearly 3 times what I could have bought the international edition for.

I'm trying to return the book for a full refund plus whatever it costs to ship the book back to them. The whole episode leaves a bad taste in my mouth.

And I still haven’t got a copy of the dragon book, plus now I can’t trust resellers who claim they have a copy in stock.

Who’d’ve thought it would be this difficult to buy a book?

Tags: Clueless Idiocy
Created by OpinionatedGeek Ltd.

I don’t think much of Philips Hue. I bought them thinking I’d like them, but they had a few problems that I ranted about:

    • If you turned them off at the power, when you turned them on again they came on at full brightness.

    • To use the app on your phone, you had to give up a lot of privacy. For instance, you had to give the app permission to take photos any time it wanted as well as let it know your exact location at all times. And while Android says apps should ask for permission only before taking the action, and should handle being denied permission gracefully, the Hue app just asked every time it started, and it quit if it was denied any permissions.

Now, lest you think I’m a grumpy old curmudgeon (OK, I am) who hates everything, Ikea’s TRÅDFRI are a joy in comparison. Really, unlike Hue there’s not much I wish I knew before buying them.

The TRÅDFRI Gateway Kit costs £69 which is comparable enough to what I paid for the Hue kit (and it comes with a dinky wee remote control that would cost extra with Hue). But the Ikea stuff is better, and simpler.

For a start, the bulbs remember their settings when they’re powered off. This is a big deal - Philips obviously want you to spend a fortune on replacing all your existing switches, but the Ikea system just works with what you've already got.

The app does ask for camera permission so it can scan the QR code on the back of the hub. But you can disable the permission immediately afterwards and the app doesn’t complain, or you can just deny permission to the camera and enter the code by hand. I’ve tried both on different devices, and neither has complained about not having access to the camera after setup. Nor has it ever asked for location access on either device.

I can see why someone said TRÅDFRI was ‘IoT done right’. They've got a lot of things right - including a lot of the security stuff. Unlike Hue, it’s just not designed to be accessible from the internet. If you want to use the app, you have to be on the same local network. Simple and effective. You can set up schedules for the lights to come on when you’re away, but you won’t be able to control the lights remotely.

I like that approach. I can control things remotely if I really want using my Raspberry Pi. There’s no API documentation as far as I know, but the wonderful geeks of the internet have discovered it uses standard protocols and gone on to figure out the proper parameters, so setting up a couple of bash scripts to turn my lights on or off was trivial.

Overall I’m pretty impressed with the TRÅDFRI system, even if I'm still not sure how to pronounce it.

Tags: Weird Interweb Stuff

‘Fun With Cultural Touchstones’

Score: 5/5

Ernest Cline
£6.49

I thoroughly enjoyed this book.

OK, I guess it’s a Young Adult novel, and some of the story is quite simplistic because of this. There’s also the occasional deus ex machina where unmentioned features suddenly save the day. And I think somehow a general was promoted to an admiral, which confuses me greatly but if it’s a made-up force I suppose you can get away with that.

All of which misses the point. The whole book is an homage to the culture I grew up with, from Iron Eagle to Galaxians. To playing loud music when you game because the rhythm helps you. To identifying with the lead character in The Last Starfighter and Flight of the Navigator even though you knew it was cheesy. To losing hours (and sleep) because you couldn’t stop playing a game.

Yeah, this brought back a lot of fun memories. Totally worth it just for that.

And then I found out that someone had put together a Spotify playlist of the tracks in the 80s ‘Rock The Arcade’ mix tape in the book! Awesome stuff for rocking out when I’m next in-game. Or something.

Tags: 4 Word Book Reviews

Why do leading sites require a phone number for 2-Factor Authentication (2FA)?

There’s plenty of people telling me I need to turn on 2FA for important sites, but I’ve given up.

All I want:

  • Security
  • Privacy

What I don’t want:

  • To be woken at 2am by sales calls.
  • To receive annoying text messages.

Seriously. I don’t like phone calls at the best of times, and calls from companies are right at the bottom of my list. Sales calls are at the bottom of that list, the bottom of the bottom of the list.

And one thing I learned from spam - the simplest step to avoid getting spam from a company is not to give that company your email address. It seems perfectly sensible to me that to avoid getting phone calls from a company, don’t give them your phone number.

But you can’t turn on 2FA on sites like Google Mail or Twitter without giving them your phone number.

I find this annoying.

It’s not a technical requirement. Yes, they have a way to do a 2FA by texting your phone number, but that’s not the only way to do 2FA. Google have put a lot of effort into 2FA, have created their own ‘Authenticator’ app, and even support open-source apps using these standard 2FA protocols. But you can’t use any of these standard protocols without first giving up your phone number.

These standard protocols (HOTP, RFC 4226, and TOTP, RFC 6238) don’t require your phone number - each code is an HMAC over a shared secret and a counter or time step, so the only things the two sides need to agree on are the secret and the clock. So there’s no reason a secure 2FA implementation needs to ask for a phone number. It can work perfectly well without it. NIST has even deprecated the use of SMS for 2FA!

I’ve been told ‘But Google say they’ll only ever use the number for 2FA’ as if, somehow, that was immutable. Google can (and probably do) change their Terms and Conditions without me noticing. Changing the use of the phone number from 2FA-only to 2am-sales-call-o-rama doesn't seem beyond the bounds of possibility for a company that used to have the mantra ‘Don’t Be Evil’ but then... changed.

And Google is one of the better companies out there! If I don't want to give Google my number for 2FA I certainly don’t want to give it to any of the worse companies.

So I’m wondering about ways around this. There are mailinator-like services for SMS messages, but I don’t think that would increase my security... I could get a free SIM and use it to set up 2FA, but that would turn in to an ongoing cost because 2FA is an ongoing problem and I’ll likely need to enable 2FA in future on sites that don't even exist yet. I’m reluctant to have an extra mobile phone and SIM and overhead and cost just because companies want my phone number.

Why do they all want my phone number so much anyway?

Bah to the lot of ‘em.

Tags: Clueless Idiocy

‘Just Keeps Getting Better’

Score: 5/5

Ben Aaronovitch
£5.43

I’m really enjoying this series. Wish the new books would come along faster!

Tags: 4 Word Book Reviews

‘Nicely Tense Psychological Thriller’

Score: 5/5

Belinda Bauer
£6.19

I bought this from No Alibis (We have a specialist crime bookstore in Northern Ireland! I’ve never been able to focus on the tag line ‘Northern Ireland's only specialist crime bookstore’ when I’m so glad we actually have a specialist crime bookstore!)

(I feel guilty that I don't go there enough.)

Anyway, we were there between a couple of NI Science Festival events and couldn’t resist a few books. This one I’d never heard of, so it was a bit of an impulse purchase. When I was paying at the till, DT (the shop owner) reassured me it was a really good book, even before I’d said it was an impulse purchase.

And he was right!

It’s not a whodunnit, it’s not a police procedural, it’s not a detective story, but it is a very tense thriller. To say any more could spoil things so all I’ll say is if you get this book you’re in for a treat.

Tags: 4 Word Book Reviews

‘Meh. It Was Alright’

Score: 3/5

E. M. Foner
£6.95

Coming after so many great books this left me more disappointed than I probably should have been with this book. It was OK. It doesn't really have a plausible, richly imagined environment, the aliens aren’t very detailed and the characters are fairly thin. (I was going to say that the aliens weren’t very realistic but that opens up a whole can of worms given that we don’t know if any exist. Maybe ‘plausible’ is a better word?)

But what bothered me was the cover. Who is in the red dress? The author is at pains to point out the main character only has one dress, a black cocktail dress she wears with pumps. This crops up repeatedly. So who is in the red dress? Is it her? If it is it’s never mentioned in the book. Is it someone else? Who? They’re never mentioned either. Is it just lazy art, because a black dress there would be too dull for the cover?

Now that I’ve got that out of my system, I can see that the covers of all the books are the same apart from the dress colour. And none of them are black. So I guess I’m no wiser about the point of the cover or who it’s supposed to be.

I probably won’t bother with more of this series. It was OK, and certainly readable enough, but I have plenty of others in my to-read pile.

Tags: 4 Word Book Reviews

‘Rich And Highly Imaginative'

Score: 5/5

Scott Hawkins
£10.27

I wasn’t sure what to expect with this book but I’m glad I bought it. I’m not even going to try and summarise any of it, just know that if you get it you're in for a treat.

Tags: 4 Word Book Reviews

‘Current Thinking On Aliens’

Score: 4/5

Jim Al-Khalili (Editor)
£6.99

A collection of essays from a wide range of prominent scientists and thinkers. (And Dallas Campbell.) It’s edited by Jim Al-Khalili and it’s another book we bought when he was over for his NI Science Festival talks. Essays cover astronomy, physics, biology, with some stuff that was new to me as well as a few old favourites. It’s not entirely cutting edge (I’m keeping an eye on the news around Tabby’s Star) but it’s quite up to date and interesting.

The cover is a bit lurid and the pages have a green edge, which isn’t too pleasant to read. But one remarkable thing - the pages all have a flip-book animation of an alien landing and taking off. I thought it was cheesy at the start but by the end of the book I’d warmed to the wee character.

I still haven’t warmed to Dallas Campbell though.

Tags: 4 Word Book Reviews

Let’s start by stating something I believe is so obvious it shouldn’t need stating:

You should not have to worry about your tools spying on you.


You should be able to run a command that doesn’t use the network, knowing that it won’t open a network port. You should be confident that your tool is doing its best for you, not reporting back on you to someone else. In short, you should be able to run software without it looking over your shoulder like a voyeur with a clipboard.

But nearly a year ago that kind of spyware is just what Microsoft/.Net Foundation added to the dotnet command line.

I’ve been using the dotnet core since well before then and I never knew about this. And I’m one of the few people I know who tries to keep up with this kind of nonsense! I feel foolish and embarrassed for not knowing about this spyware when it was added. And maybe my embarrassment at having been spied upon for months is colouring my judgement a little. But I still believe it’s wrong.

I’m sure they’ll say that it’s to improve the tools, but - while I have my doubts that’s true - it does bring up the question:

Would you prefer a tool you can just trust, or a tool that may have better features but that you constantly have to check to verify isn’t doing anything it shouldn’t?

I’d rather be able to trust my tools. I just don’t like the idea of a voyeur with a clipboard watching over my shoulder, sating its prurient interest by taking notes and gathering statistics.

This dotnet voyeur then sends these notes and statistics to Microsoft without asking the user.

Your only chance of opting out is knowing the special environment variable incantation to use: DOTNET_CLI_TELEMETRY_OPTOUT has to be set in the environment of every single invocation.

But maybe they’ve tweaked it so that today it’s sending files as well? They managed to sneak the first change past me, so have I missed another? No? Maybe not. But tomorrow? I can’t know, since they’ve demonstrated I can’t trust them or the tool they created.

What used to be a simple ‘dotnet run’ command has turned into something that has me watching my back. Why are they so interested in my typos that they’ve paid someone to sit down and write code to capture them? If they actually want to improve the product, why not have that developer writing code that adds new features rather than spying on me?

And that’s why it’s not a minor thing. I’m not (quite) so arrogant that I think Microsoft is targeting me. I don’t even think they’re especially interested in the telemetry from ‘dotnet run’. It’s that they’re seeking to normalise this spying that makes it more than a minor problem.

We’ve seen this with Windows 10 hoovering up all the data it can get, just like Facebook, Google, Apple and Amazon. It’s in all their interests to have us become inured to this constant surveillance. And I don’t like it.

Homebrew faced a similar issue around the same time dotnet introduced their telemetry. I noticed the Homebrew debacle but didn’t notice the introduction of telemetry in the tool I use all the time. (I’m still embarrassed by that.) To show I’m not the only person concerned about telemetry-gathering tools, here’s a blog post about Homebrew - ‘Homebrew betrayed us all to Google’. It starts with the summary:

    1. Open-source is about trust. Trust is undermined by things like tracking.
    2. Do not track your users. In the rare case you really need anonymous data, ask your users first.
    3. Never use Google products (or any other “big data” company that relies on making money out of the data you provide) to track your users.
    4. Using Google’s tracking and then calling it “anonymous” is a lie. Google collects tons of information of its users and even non-users. There’s no way to know what data Google will relate internally. Even if you don’t get to see all of the collected information, Google still has them.
    5. Opt-out is never an excuse. It always excludes most users (which either don’t care, or have more severe things to care about than protecting their privacy in every random app they’re using).

(Source: ‘Homebrew betrayed us all to Google’)

Homebrew backed down a little and provided a better opt-out mechanism, but it annoyed a lot of people. (More, probably, than are annoyed at Microsoft. Let’s hear it for low expectations!)

Opt-out mechanisms aren’t really enough though. For one thing, why should I have to opt out when I didn’t opt in in the first place? For another, that may fix it for me, but I don’t want your tools spying on you either. For a third, the opt-out procedure is (deliberately?) awkward.

It’s not something you just pick, it’s something that needs to be set for every user on every machine in every shell and every container. And you need to get it perfect every single time, or else the tool will assume it can report back on what you’re doing.

Opting everyone in automatically as Microsoft have done is just plain dishonest. There’ll always be some portion of users who’d opt in, some portion who’d opt out, and some who’d go with the default. But you know what, Microsoft? Those people who wouldn’t have opted in but who haven’t opted out? They’re the ones whose data you’re taking without permission. You just don’t have permission to take that data. (Don’t start me on EULAs when the person agreeing to the EULA may not be the person running the software…) You don’t have informed consent here, because you didn’t actually ask. Worse - you know that if you asked for informed consent, you might not get it. That’s an argument against spying on people, not an argument for spying and not asking.

And that’s before you get to people like me who - despite what you consider ‘transparency’ - didn’t even know there was a possibility of a voyeur with a clipboard looking over my shoulder.

So how could Microsoft fix the issue?

There’s really only one fix I’d like - take the spying code out of the tool completely. If there are people who really want to send their telemetry to Microsoft, by all means find a way to accommodate them. But don’t put spying code into the tool. Keep it clean. Have the telemetry spyware in a separate module that has to be explicitly downloaded and installed. (Call it ‘Voyeur.DLL’ if you like.) Keep the core pure.

And have a strong ‘Private By Default’ policy. Allow people to feel safe using your tools. It’s hard enough keeping up with the latest in technology without having to keep up with the latest in obnoxious business practices.

Private By Default would mean guaranteeing that it never gathered any information on you, even in aggregate. That it never sent any data that you didn’t explicitly ask it to send. That it never opened any network connections you didn’t ask it to open. That it never did anything not explicitly to do with carrying out the user’s intent.

In absence of that, what can I do to stop it spying on me?

  1. I could just not use dotnet. For me this is the easiest and the hardest approach. It’d be easy because just walking away from dotnet would mean it’s not my problem any more. There’d be no voyeur looking over my shoulder. It’d be hard for me too though. I’m getting to the point where a large side project is becoming useful, and it’s based on dotnet. It’d be difficult just to walk away from that.
  2. I could block telemetry traffic on the router or firewall. Here’s someone’s (not my) best guess at the hosts to which it sends data. I like the idea of ISPs blocking all those hosts - denying access to login.windows.net because of Microsoft’s telemetry-gathering could be hilarious.
  3. I could wrap the dotnet command in a script that automatically sets the environment variable for every single invocation of the command. Here’s one way to do it:

    #!/bin/sh
    # Set the opt-out for this one run only, then hand over to the real dotnet.
    echo "Trying to run a non-spying version of dotnet..." >&2
    DOTNET_CLI_TELEMETRY_OPTOUT=true exec /usr/local/share/dotnet/dotnet "$@"
    
    (That’s for a POSIX shell on OS X. Two details matter: "$@" passes arguments containing spaces through intact, where an unquoted $* would split them, and exec replaces the wrapper with dotnet itself so exit codes and signals reach the real process. The message goes to stderr so anything piping dotnet’s stdout isn’t polluted. If you call the script ‘dotnet’, make sure it’s on your $PATH ahead of /usr/local/share/dotnet/dotnet.)
  4. I could add the environment variable to every single RC file for every single shell for every single user. And every single docker file. For every single development machine and server.
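Option 4 is exactly the kind of thing you get wrong on one machine and never notice. As an added example (not code from the original post), here is a small Python auditor that reports which shell RC files and Dockerfiles still lack the opt-out and can append it idempotently, so you can run it over every machine and container you build. It assumes only the DOTNET_CLI_TELEMETRY_OPTOUT variable named above and the values 1 or true that the dotnet CLI accepts; the file-type rule (anything named Dockerfile* gets an ENV line, everything else an export) and the comment it writes are this example’s own.

```python
import re
from pathlib import Path

# The dotnet CLI reads this variable; the wrapper script above sets it per invocation.
OPTOUT_VAR = "DOTNET_CLI_TELEMETRY_OPTOUT"

# Matches an *active* opt-out line in a shell RC file ("export VAR=1", "VAR=true")
# or in a Dockerfile ("ENV VAR=1"). A commented-out line or VAR=0 does not count.
_OPTOUT_RE = re.compile(
    r"^\s*(?:export\s+|ENV\s+)?" + OPTOUT_VAR + r"=(?i:1|true)\s*$",
    re.MULTILINE,
)


def has_optout(text: str) -> bool:
    """True if the file contents already switch telemetry off."""
    return _OPTOUT_RE.search(text) is not None


def optout_line(path: Path) -> str:
    """Dockerfiles take ENV; everything else is treated as a POSIX shell RC file."""
    if path.name.startswith("Dockerfile"):
        return f"ENV {OPTOUT_VAR}=1"
    return f"export {OPTOUT_VAR}=1"


def ensure_optout(path) -> bool:
    """Append the opt-out if it is missing. Returns True when the file was changed,
    False when it was already correct, so repeated runs never duplicate the line."""
    path = Path(path)
    text = path.read_text() if path.exists() else ""
    if has_optout(text):
        return False
    sep = "" if text == "" or text.endswith("\n") else "\n"
    path.write_text(
        f"{text}{sep}# dotnet CLI: do not send telemetry (added by ensure_optout)\n"
        f"{optout_line(path)}\n"
    )
    return True


def audit_optout(paths) -> list:
    """Return the paths (as strings) that still lack the opt-out; a missing file counts as lacking it."""
    missing = []
    for p in map(Path, paths):
        if not (p.exists() and has_optout(p.read_text())):
            missing.append(str(p))
    return missing


if __name__ == "__main__":
    import sys
    # Usage: python optout_audit.py ~/.bashrc ~/.zshrc ~/.profile ./Dockerfile
    for path in audit_optout(sys.argv[1:]):
        print(f"MISSING {path}")
```

Run the audit from a cron job or a CI step and treat any MISSING line as a failure; that turns "get it perfect every single time" into something a machine checks for you.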

I’ll be doing a combination of all those things. I might keep using dotnet for existing projects, but I’m fucked if I’m starting any new dotnet projects now.

The ‘tech stack’ conversation has come up in $WORK a few times recently. Where before I’d have talked about dotnet core I’m sure as hell not going to now. I won’t just not be talking it up, I’ll be actively talking it down and discussing alternatives.

From a wider perspective, what could I do to fix the root of the dotnet spying problem?

  1. Rewrite the part of the tool that calls the spying code. It’d be easy enough for me to fix (it’s right here), but that wouldn’t solve the problem of Microsoft writing tools that spy on users, it would just stop my version of the tool from spying on me. Your version could still spy on you.
  2. Send the code change to Microsoft as a ‘pull request’. I think we both know what would happen with that.
  3. ‘Fork’ the code, and provide a binary distribution of the fixed/improved code so that everyone that wants can use it.
  4. Start a ‘Private By Default’ campaign in the hope we can shame Microsoft into behaving better.

But you know what? I’m not going to do any of that. I’m just going to point out why I think it’s wrong, then try moving on to using better, more trustworthy tools. I’ll still use it for current projects but I’ll be trying to move away from the platform.

Today I was planning on settling down to read the new AssemblyLoadContext design document pull request and delving a lot deeper into that area. My dotnet project needs to generate and load assemblies in different contexts and it has got as far as it can without this kind of functionality. I might even have written a blog post about it. After all, it’s an area not well served by others and the documentation doesn’t go into a lot of detail about how to use the API.

Instead I’m writing about how dotnet has managed to shatter my trust.

I’ve no enthusiasm for working with dotnet now. No desire to watch the weekly ASP.Net standups. No desire to write C#. No desire to work on my side project built on dotnet core MVC. I keep looking around for the voyeur with the clipboard.

Tags: Clueless Idiocy