August 13, 2025
Writing a good design document grantslatton.com
A design document is a technical report that outlines the implementation strategy of a system in the context of trade-offs and constraints.

I love well-written design documents because they really represent the quality of the system they describe.

August 2, 2025
Vibe code is legacy code | Val Town Blog blog.val.town
The worst possible situation is to have a non-programmer vibe code a large project that they intend to maintain. This would be the equivalent of giving a credit card to a child without first explaining the concept of debt.

Exactly!

#ai
July 31, 2025
Y2K38 bug? Debian switching to 64-bit time for everything www.theregister.com
We say everything... just not the oldest hardware. Unix Epochalypse less than 13 years away
How I hacked my washing machine - Nex's Blog nexy.blog
Turns out, this washing machine has the capability to send notifications to the mobile app whenever a load finishes.

The S in IoT stands for security.

July 30, 2025
Europe's Self Inflicted Cloud Crisis - Bert Hubert's writings berthub.eu
The short version: For decades, governments and organizations could run services based on servers we actually owned. These days, we’ve allowed the IT world to convince us no computing is possible outside of US-style clouds, for which we have no European equivalents. And because of this conviction, we are now moving our most precious data and most critical services to US controlled servers. Yet most of European government software still runs on locally owned systems.

Bert always nails it, also with this article. Europe has to work on sovereign services.

The Future is NOT Self-Hosted www.drewlyton.com
A few months ago, Amazon announced that Kindle users would no longer be able to download and back up their book libraries to their computers. Thankfully, I still have access to my library because I saw this video by Jared Henderson warning of the change and downloaded all

Community-hosted open-source software absolutely makes sense, I'm all in for this idea.

July 26, 2025
Do not download the app, use the website idiallo.com
Apps often demand excessive permissions, accessing your contacts, location, and more. Discover why sticking to your browser offers better privacy and control.

Absolutely agreed, there's no need for a dedicated app in many cases.

July 23, 2025
Cyber Resilience Act (CRA) Brief Guide for Open Source Software (OSS) Developers | OpenSSF Best Practices Working Group best.openssf.org
The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

It's not getting easier to be an open-source company and contributor.

July 22, 2025
The EU can be shut down with a few keystrokes www.bitecode.dev
On a QWERTY keyboard. Europe has excellent infrastructure but lacks sovereignty regarding Operating Systems, SaaS platforms, and Chips. We dug ourselves into a dark dependency hole with those, and now the US can turn off the light at any time if it feels like it.

It's time to do things ourselves again.

July 21, 2025
The secrets we keep | willowbl00 blog.bl00cyb.org
I now know that saying you work at Apple is like saying you work at the government. Which part matters a lot.

Not talking about what I'm doing at work would be a no-go for me.

July 20, 2025
Using leaked data to examine vulnerabilities in SMS routing and SS7 signalling medium.com
Every day, millions of two-factor authentication codes travel the globe, securing access to bank accounts, email inboxes, dating profiles and encrypted chats. These SMS messages are designed to keep people’s accounts safe, yet rely on a sprawling, opaque and unregulated industry of intermediaries to reach their devices. A new leak obtained by Lighthouse Reports exposes just how vulnerable that system is.

I learned a lot about how SMS messages are delivered and how vulnerable this system is. 2FA should absolutely not use SMS, rather use OTP for example.

July 10, 2025
Get the location of the ISS using DNS – Terence Eden’s Blog shkspr.mobi
Linux and Mac users can run: dig where-is-the-iss.dedyn.io LOC and receive back the latest position of the ISS.

I mean, why not?

Tyblog | systemd has been a complete, utter, unmitigated success blog.tjll.net
The year is 2013 and I am hopping mad. systemd is replacing my plaintext logs with a binary format and pumping steroids into init and it is laughing at me. The unix philosophy cries out: is this the end of Linux (or, as many are calling it, GNU plus Linux)? The year is 2025 and I’m here to repent. Not only is systemd a worthy successor to traditional init, but I think that it deserves a defense for what it’s done for the landscape – especially given the hostile reception it initially received (and somehow continues to receive? for some reason?). No software is perfect – except for TempleOS – but I think that systemd has largely been a success story and proven many dire forecasts wrong (including my own). I was wrong!

It took me some time to get used to Systemd, but nowadays I see its strength, and I'm happy with it.

July 9, 2025
Picking uncontested private IP subnets with usage data blog.benjojo.co.uk
If the device you are reading this on has an IPv4 address, it is very likely not a publicly routeable one. This is because the wide scale deployment of NAT and RFC1918 space has ensured that billions of devices (for better or worse) are addressed using a small set of “private” IPv4 addresses that are then translated on the way out to the wider internet with universally addressable ones.

Nice observation; I'll certainly take more care choosing an IP range for a future private network. Luckily I've already chosen a random 192.168.x.x segment for most of the networks I've built.

July 3, 2025
Hyperbole and a Half: The Alot is Better Than You at Everything hyperboleandahalf.blogspot.com
The Alot is an imaginary creature that I made up to help me deal with my compulsive need to correct other people's grammar. It kind of looks like a cross between a bear, a yak and a pug, and it has provided hours of entertainment for me in a situation where I'd normally be left feeling angry and disillusioned with the world.

I won't be able to forget Alot anymore

June 30, 2025
Fun with uv and PEP 723 www.cottongeeks.com
How to use uv and the Python inline script metadata proposal PEP 723 to run scripts seamlessly.

uv FTW

MCP: An (Accidentally) Universal Plugin System worksonmymachine.substack.com
The beautiful chaos is that every MCP server built for Claude or ChatGPT or whatever becomes a free plugin for anything that speaks MCP. It's accidentally creating a universal plugin ecosystem. Nobody planned this (I don’t think). It's just happening.

Looks like I should dive into MCP eventually, in a broader context than AI.

#ai
Engineered Addictions - by Mason - Noiseproof masonyarbrough.substack.com
We don’t all have ADHD. We have an addiction. Growing up, I barely knew a world without social media, and neither did my friends. We were the guinea pigs for Silicon Valley's great dopamine experiment, and now we’re waking up with the side effects.

Yeah, algorithms... I prefer the chronological algorithm, which at some point has shown all current updates to me and then stops until new content is available. I really don't need any algorithmic recommendations, I get them from reading the content.

Reading NFC Passport Chips in Linux – Terence Eden’s Blog shkspr.mobi
The NFC chip in a passport is protected by a password. The password is printed on the inside of the physical passport. As well as needing to be physically close to the passport for NFC to work, you also need to be able to see the password. The password is printed in the "Machine Readable Zone" (MRZ) - which is why some border guards will swipe your passport through a reader before scanning the chip; they need the password and don't want to type it in.
Tim Dierks: Security Standards and Name Changes in the Browser Wars tim.dierks.org
As a part of the horsetrading, we had to make some changes to SSL 3.0 (so it wouldn't look like the IETF was just rubberstamping Netscape's protocol), and we had to rename the protocol (for the same reason). And thus was born TLS 1.0 (which was really SSL 3.1). And of course, now, in retrospect, the whole thing looks silly.
Writing a basic Linux device driver when you know nothing about Linux drivers or USB // crescentro.se crescentro.se
But this small proof of concept shows that writing simple device drivers is not all that hard, and that 50 lines of code can bring you quite far.
June 23, 2025
Rolling the ladder up behind us - Xe Iaso xeiaso.net
Who will take over for us if we don't train the next generation to replace us? A critique of craft, AI, and the legacy of human expertise.

Interesting thoughts, and I can agree on some of them. But I'm still looking very positively into the future with AI in IT. It will change some things, but I'm sure we'll find a good way to make best use of it. Such articles certainly understand the problem at hand.

#ai
The Future of Vibe Coding: Building with AI, Live and Unfiltered | Peter Steinberger steipete.me
I demonstrate 'vibe coding' - a new approach to software development with AI, building two apps from scratch in a 3-hour live workshop.

Some might say "vibe coding is shit", I say it's important to learn how it works and feels to know what's coming (or is already there)

#ai
June 17, 2025
Plasma 6.4 - KDE Community kde.org
A new version of Plasma is here, and it feels even more like /home, as it becomes smoother, friendlier and more helpful. Plasma 6.4 improves on nearly every front, with progress being made in accessibility, color rendering, tablet support, window management, and more.

My favorite desktop environment for Linux has released a new version. I'm always happy when that happens, and have been for many years.

June 16, 2025
crawshaw - 2025-06-08 crawshaw.io
That is, an agent is a for loop which contains an LLM call. The LLM can execute commands and see their output without a human in the loop.

I learned quite a lot reading this article, and it gives me confidence to continue learning how LLM agents can help me.

I Convinced HP's Board to Buy Palm for $1.2B. Then I Watched Them Kill It in 49 Days philmckinney.substack.com
This is the story of how smart people destroyed $1.2 billion in innovation value in just 49 days. It's about the brutal personal cost of being blamed for a disaster that happened while you're recovering from surgery. And it's about why I still believe in HP despite everything that went wrong.

Interesting story I haven't heard about yet.

June 15, 2025
Daniel Sada Caraveo – Part 7: Office Migration from Source Depot to Git, or how I learned to love DevEx. – Software, Notes & Culture danielsada.tech
Developer productivity is always ‘Multiplier work’, especially in places where you have a lot of developers. By saving a couple minutes from every developer, every day, you’ve saved years of human life waiting for stuff.

Interesting story on how to introduce change in a large-scale development environment.

June 5, 2025
Covert Web-to-App Tracking via Localhost on Android localmess.github.io
We disclose a novel tracking method by Meta and Yandex potentially affecting billions of Android users. We found that native Android apps—including Facebook, Instagram, and several Yandex apps including Maps and Browser—silently listen on fixed local ports for tracking purposes.

This is why I hate native apps, they can do what they want.

June 3, 2025
Data greed of the AI tech corporations: We're stuck in the WhatsApp trap | Tages-Anzeiger www.tagesanzeiger.ch
Since Wednesday, Meta has been tapping user chats to train AI. Politicians must finally stand up resolutely for the security of the data of Swiss citizens.

It's a hard fight! Changing habits is very difficult.

June 2, 2025
JA Westenberg: "No, You Shouldn't Let Your Kids Use ChatGPT. A th…" - Mastodon mastodon.social
You wouldn’t let your child hang out unsupervised with a stranger - especially one who lies confidently, speaks with artificial authority, and occasionally invents facts.

A thread on how not to let children use $ChatGPT unsupervised.

#ai
Thoughts on thinking dcurt.is
I thought I was using AI in an incredibly positive and healthy way, as a bicycle for my mind and a way to vastly increase my thinking capacity. But LLMs are insidious–using them to explore ideas feels like work, but it’s not real work.

I can relate to that. Starting a new coding project? Just spin up an AI and let it do its job. But what have I learned? Not a lot.

#ai
Grepping logs remains terrible - Chronicae Novis Rebus chronicles.mad-scientist.club
And not because it was all cached in memory! These are all cold queries. Cached queries are much, much faster. But how can it be that such an underpowered device runs circles around a powerful desktop? Purpose-built software, dear reader. Purpose built software.

This makes so much sense

Just fucking use HTML justfuckingusehtml.com
Stop reinventing the wheel. The web was doing just fine before your bloated frameworks crawled out of the sewer.

Yikes!

June 1, 2025
Yeah, it is on YouTube or LinkedIn and has cookies - Bert Hubert's writings berthub.eu
If you start your new open source / open tech thing, start it right. There’s no need to launch your site full of trackers. You can find a decent place to host your mailing list. There are fine alternatives to Google Forms. You don’t need to put stuff on a VM from Azure, there are better places available that are cheaper too.

Yes! That's absolutely what I did with Nomindo. It's hosted on Hetzner Cloud and uses Pirsch for web analytics and Keila for newsletter sending, both of which are absolutely privacy respecting. I try hard not to use any third-party tooling which is not absolutely required.

May 28, 2025
BGP handling bug causes widespread internet routing instability blog.benjojo.co.uk
At 7AM (UTC) on Tuesday May 20th 2025 a BGP message was propagated that triggered surprising (to many) behaviours with two major BGP implementations that are often used for carrying internet traffic.

I'm not surprised. Having worked as a network engineer in the past at an ISP, I've seen lots of nasty things with BGP.

Galileo's Testing Communications - Bert Hubert's writings berthub.eu
When Galileo (the European satellite navigation system) was proposed there was a lot of criticism. “We already have the US GPS”, and we’d always be able to rely on our historical partner to take care of us. The US very much also said this. Yet, the EU persevered and now we have an independent worldwide navigation capability. And given recent developments, I think we can be well pleased that we don’t have to rely on the US, China or Russia for this vital need!

Very interesting read, I learned a few things about Galileo.

May 25, 2025
OpenCage 👉🌍: "For this week's #geoweirdness thread, we head bac…" - OSM Town | Mapstodon for OpenStreetMap en.osm.town
For this week's #geoweirdness thread, we head back to Europe - join us as we consider the geographic oddities of Switzerland 🇨🇭

I like geographically interesting topics

May 24, 2025
Semantic Line Breaks sembr.org
When writing text with a compatible markup language, add a line break after each substantial unit of thought.

This makes it somewhat easier to read the source. I've been doing that for years already

May 22, 2025
GSoC 2025 Project Intro: Developing Karton, the KDE Virtual Machine Manager! - KDE Blogs blogs.kde.org
Hi everyone! I'm Derek Lin, also known as kenoi. I'm a second-year student at the University of Waterloo and really excited to be working on developing Karton, a virtual machine manager, this summer. This project will be a part of the Google Summer of Code (GSoC) 2025 program and mentored by Harald Sitter, Tobias Fella, and Nicolas Fella. Over the past few months, I've been contributing to the project through some merge requests and I hope to get it to a somewhat polished state towards the end of the program!

Great to see more KDE native apps

May 21, 2025
O2 VoLTE: locating any customer with a phone call | mastdatabase.co.uk mastdatabase.co.uk
Privacy is dead: For multiple months, any O2 customer has had their location exposed to call initiators without their knowledge.

When looking behind the curtain to see how things actually work, it's often pretty interesting (and concerning).

May 20, 2025
A New Era: Microsoft Open Sources WSL linuxiac.com
After years of anticipation, the Windows Subsystem for Linux is now fully open source—developers can build, enhance, and contribute to WSL starting today.

How would I want to use such a thing and a badly broken operating system when I can run Linux natively? Why would I want to contribute to such a thing where Microsoft earns the money I spend on something which only runs on their proprietary operating system?

Ditching Obsidian and building my own amberwilliams.io
Tired of migrating notes apps like Obsidian or Evernote? Learn how to build your own private, long-term PKM using self-hosted Directus for control & longevity.

I'm a heavy user and I'm happy. Syncing can be easily done for free, for example with Nextcloud. Paired with Nextcloud Notes, it gives me a well working mobile experience. And because Obsidian stores all notes in plaintext on the file system, it will be accessible even when Obsidian is gone.

The only thing I don't like about Obsidian is that it isn't Open Source. This is bad because should Obsidian vanish, so will the code.

May 19, 2025
Outlook stores email in Microsoft Cloud - what you need to know - Runbox Blog blog.runbox.com
The new Outlook acts more like a middleman, and the app is now more like a web-based client than a traditional desktop program. It no longer logs directly in to the Runbox servers, but rather uses a web connection (HTTPS) via Exchange Web Services (EWS) or Outlook Web Access (OWA). This means that Microsoft’s own cloud service logs in to your email account, stores a copy of your emails, and then delivers that data to your Outlook app.

Whoever still uses Outlook and all this cloud-connected, privacy-invading software is at more risk than ever. Use open source wherever possible! There are so many great alternatives out there.

May 18, 2025
A First Glimpse of the Starlink User Terminal | DARKNAVY www.darknavy.org
During device initialization, if the system identifies itself as a user terminal, the initialization script automatically writes 41 SSH public keys into /root/.ssh/authorized_keys. Notably, port 22 on the UTA remains open to the local network at all times. Having such a large number of unknown login keys on a user product certainly raises eyebrows.

I wouldn't feel safe if I had to use Starlink for Internet access.

May 17, 2025
Shell startup scripts — flowblok’s blog blog.flowblok.id.au
If you’re a regular shell user, you’ve almost certainly got a .bash_profile or .bashrc script in your home folder, which usually contains various tweaks, such as setting environment variables (adding that directory to $PATH), telling your shell to do clever things (like set -o noclobber) and adding various aliases to commands (like alias please=sudo).

I didn't know that this is such a complex system. A wonder that it works.

May 16, 2025
GitHub - obra/Youtube2Webpage: I learn much better from text than from videos github.com
I learn much better from text than from videos.

A Perl tool which converts YouTube videos to a webpage. Very handy, as I also learn much better by reading than by watching videos.

May 15, 2025
Vulnerability Database euvd.enisa.europa.eu
EU Vulnerability Database (EUVD) - the official EU repository for timely, curated cybersecurity vulnerability intelligence and remediation guidance.
May 13, 2025
tobru Website www.tobru.ch

My current (as of spring 2025) website