Blog

  • Supply Chain Attacks

    I don’t code on my personal laptop anymore. I’m scared of supply chain attacks. If I do any research, it’s on a burner laptop where the odd npm or pip package riddled with malware will just toast the burner and not much else. Are you worried about supply chain attacks? If not, why not? If you are, how do you protect yourself?

    Thank you if you’re still reading in 2025.
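    One concrete defence for the pip case, added here as an example and not code from the original post: pip’s hash-checking mode (`pip install --require-hashes -r requirements.txt`) refuses any package whose downloaded file does not match a hash recorded in the requirements file, so a tampered or swapped release fails to install instead of running on your main machine. The script below re-implements that check in plain Python so you can see exactly what it decides; the package names, version, file bytes and hashes are constructed for the demonstration.

```python
"""Verify downloaded package artifacts against a hash-pinned requirements file.

Added example, not code from the original post. It mirrors the file format pip
accepts with `pip install --require-hashes -r requirements.txt`: every
requirement is pinned to an exact version and to one or more
`--hash=sha256:<hex>` values, and pip refuses to install anything whose
downloaded file does not match. The package names, version, file contents and
hashes below are constructed for the demonstration.
"""
import hashlib
import re
import shlex

# name==version at the start of a requirement line
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")


def normalize(name):
    """PEP 503 style normalisation so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text):
    """Return {(name, version): set(sha256 hex)} from a hash-pinned requirements file.

    Backslash-newline continuations (pip's usual layout) are joined first.
    A requirement that is not pinned with '==' is an error: an unpinned
    requirement cannot be hash-checked at all.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError("unpinned or unparseable requirement: %r" % line)
        hashes = set()
        for tok in shlex.split(line[m.end():]):
            if tok.startswith("--hash=sha256:"):
                hashes.add(tok[len("--hash=sha256:"):].lower())
        pins[(normalize(m.group(1)), m.group(2))] = hashes
    return pins


def verify_artifact(pins, name, version, data):
    """True only if `data` is a file whose sha256 is pinned for name==version.

    A requirement with no hash is treated as a failure rather than a pass:
    that is the --require-hashes behaviour, and it is what stops a mutated
    release from slipping through because someone forgot to pin it.
    """
    allowed = pins.get((normalize(name), version))
    if not allowed:
        return False
    return hashlib.sha256(data).hexdigest() in allowed


# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for examplepkg-1.0.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# extra bytes appended after the hash was recorded"

# Constructed lockfile: examplepkg is hash-pinned, otherpkg is version-pinned only.
LOCKFILE = (
    "examplepkg==1.0.0 \\\n"
    "    --hash=sha256:%s\n"
    "otherpkg==2.3.4\n"
) % hashlib.sha256(GOOD_WHEEL).hexdigest()


def demo():
    """Run the four cases a practitioner cares about and return the verdicts."""
    pins = parse_lockfile(LOCKFILE)
    return {
        "good": verify_artifact(pins, "ExamplePkg", "1.0.0", GOOD_WHEEL),
        "tampered": verify_artifact(pins, "examplepkg", "1.0.0", TAMPERED_WHEEL),
        "unhashed": verify_artifact(pins, "otherpkg", "2.3.4", GOOD_WHEEL),
        "unknown": verify_artifact(pins, "examplepkg", "1.0.1", GOOD_WHEEL),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-9s %s" % (case, "OK" if ok else "REJECT"))
```

    Only the first case passes; the tampered file, the hash-less pin and the unknown version are all rejected. The npm analogue is the `integrity` field that `npm ci` checks in package-lock.json. Neither check helps if the hash you recorded was taken from an already-malicious release, so the pin has to be made from a version you have actually reviewed.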

  • Farewell Google Ads

    There’s nothing much to update except that I took down all the Google Ads that I ran. There was a sweet spot around 2010-ish when Google really loved this blog. Whatever I posted would show up on the first page, and very often at or close to the top.

    Now, posting on the Web makes you prey to all sorts of “Dark Forest” attacks. As we know from Cixin Liu’s novels, the only way to be safe once you’re targeted for a “Dark Forest” attack is to either quit the space, or look as harmless as possible. I’m going for the latter. No ads, so don’t you worry about having to run negative SEO against this blog.

    Kidding aside, the real reason is that ads were simply not worth the hassle: increased load times, distraction from your attention, and an audience determined by algorithm just felt cringe to me. Ads are cringe.

    I’ve been dabbling in Elixir lately. How it leverages modern, multi-core CPUs makes it a money saver on cloud bills. However, it requires rethinking your code in a functional and an async way. This has been super useful for me in dealing with parsing Arabic language data from Wiktionary. More later…

  • Coder as Translator, or the glory that was Perl

    Right now most of my work is in Python. It’s a neat language, but not as fun as Ruby is IMHO. I don’t want to get into a flame war. I prefer Ruby, often say it to someone with a math or data science background, get some eye rolling, and then say, “I work in Python.”

    During the 1990s and early 2000s, one language reigned supreme as the “Duct Tape of the Internet,” Perl. There are so many reasons Perl isn’t used today. One has to do with its philosophy, TIMTOWTDI: “There Is More Than One Way To Do It.” Such a philosophy works with language, and is even encouraged in poetry where a poet is asked to use metaphors and similes to poetize. However, today, it is one of the central dogmas of computer science that the most efficient algorithm is the best algorithm. A merge sort is always to be preferred over a quick sort because a quick sort is slower in the case of almost-sorted data. God forbid you suggest an insertion sort!

    Why would a programming language encourage inefficiency in algorithm design? The answer to this is a good and empowering one. Larry Wall, the creator of Perl, saw Moore’s Law as creating cheaper and quicker computing power every year, such that during the 1990s, it felt like there was a surplus of computing power. If a query took 9 seconds instead of 3 seconds because the algorithm was exponentially inefficient, that was ok, because the main point was:

    Great technology empowers everyone.

    Larry Wall saw his creation literally as a human language which can be spoken by 5 year olds or Shakespearean actors. The range of expression is what allows natural language and by extension Perl to do so much.

    My first paid programming job was in Perl. It involved making changes to a web form for a dentist website. Easy stuff, and it was great getting paid and being able to point to my work online. This dentist and his website have long since retired.

    My first project where I saw the magic of Perl had to do with parsing random documents for mailing addresses to create a holiday mailing list. Parsing text is where Perl really shines through. The secretary cried tears of joy when she found out her task could all be done automatically.

    My second project where once again Perl proved itself to be a workhorse that made impossible tasks possible had to do with updating spreadsheets for different managers tracking photographs for the NBC Olympics Website. The Perl code would check the state of the photographs from request to publishing, and update spreadsheets accordingly. Yeah, this sounds like a stupid process, but we still haven’t gotten rid of stupid processes to this day.

    Much of the work felt like translation from human, natural language to what felt like Perl’s natural language. Today, someone speaking Perl learnt out in the wild wouldn’t really pass any of the tech interviews where there’s only one way to do it.

    As time went on folks saw that Perl only empowered individual programmers. Much of the Perl that has been written is unreadable, since everyone makes up their own dialect, and tries to be as terse as possible in the many ways that you can be. Inheriting a Perl project can be a nightmare unless it’s properly documented (more so than say an inherited Ruby project). Also, today, Internet Duct Tape is an anti-pattern. No more using Perl or language of your choice to be a hero and integrate 2 disparate systems on the fly. But for a nice stretch of time, one coder could make a difference through the glory that was Perl.

    I still do stuff with Perl like this to check if Twitter is down:

    lynx -source https://twitter.com | perl -ne 'print "$1 on Twitter\n" if /(Something is technically wrong)./'

  • Building an OK, Sorta Secure Computer

    In my last blog post, I talked about how a seriously compromised supply chain prevents us from ever building a secure computer. This morning I logged into my Instagram account and found that I had 7 followers even though my account was set to private and 2FA. I’m hoping this is a bug, but even so, it just shows that nothing presents as secure.

    Let’s assume – and this is a big assumption – that we can build a secure computer because we now have a secure supply chain. So you buy a CPU, a motherboard, a hard drive, some memory, a power supply, input devices like a mouse and keyboard, something to connect to the Internet with, and a bootable USB stick with the OS of choice on it. I won’t go into the specifics of building a computer from these parts, but suffice it to say, you should be asking, “How will I know the OS is secure?” On some level, this is hard to do. Can you imagine reading all those lines of code? Historically, Red Hat Linux 5.2 was insecure. If you installed it with an FTP server running and exposed to the Internets, you would get hacked in days, if not hours. The hacker would just use a buffer overflow attack. For years, SSL, one of the central encryption layers for web browsing, was compromised.

    OK, so you boot up your newly built computer with a “secure” OS like Kali Linux or Parrot. You create an account with a super secure, never used before password, and maybe some biometric protection. Never mind that these OSes are complicated to use and not consumer friendly. But you can be sure they won’t expose you to the Internet the way something like Mac OS or iOS will with Bluetooth, or some other services with file and music sharing and Active Directory.

    Are we secure? Well, right now the OS might be asking to run an update to make your OS really secure. However, in doing so, you give up your IP address, and thus an 80/20 chance of giving up your location. So before even getting to this point, you will want to proxy all your connections, but then again this begs the question: how can you even trust the proxy? Does chaining proxies you can’t trust equal security?

    Let’s assume we trust a company like NordVPN or a network like Tor. We’ll also set up and turn on a firewall, too. Great, now we can download software updates. We’re not going to use social media though. That will surely give us away, even when we share an alias account with friends and family. When we browse the web we’ll just be using a browser like Brave with ad blocking, with JavaScript turned off because we all know JavaScript is insecure – except for the JavaScript subset, Caja. When we search, we’ll hope that DuckDuckGo doesn’t give up our privacy. We will use proxies all the time to keep our privacy. Still, this will leave some sort of fingerprint. If you go to a website like Am I Unique, you can see if your browsing configuration & habits have set you up to be tracked.

    Let’s review what we’ve done:

    1. Built a computer with components from a secure supply chain.
    2. Used a USB stick to install a secure OS. Make sure your account is secured by a password and, if your computer has it, some sort of biometric protection. We won’t connect to the Internet yet. Never mind we haven’t even discussed vetting the security of the USB stick.
    3. Set up a proxy / tor and firewall.
    4. Update the OS.
    5. Use a secure browser like Brave.
    6. Turn off JavaScript except maybe for CAJA.
    7. Use only DuckDuckGo for searching since they supposedly don’t keep records.
    8. Don’t use social media. Even an alias can betray you.
    9. Check to make sure your web fingerprint isn’t unique.

    We haven’t even discussed email yet. And your set up isn’t really secure. All I really need is your fingerprint and password. Anyone remember Dark Knight Rises? In my next piece, I’ll discuss secure email. If you’re not using a PGP key to secure your email, it’s not secure. It’s basically yelling in public. We’ll also discuss adding a VM running off of an encrypted key on a USB stick to really secure your computer.

  • Basic Security is Not Secure

    Let’s say I wanted to do basic security. I want to be able to defend myself against cyber attacks on my laptop, network and phone, as well as any peripherals I might use that connect to any of the devices I use. I want to communicate securely. I want to be untrackable, or at least to have privacy. Basic security for the purposes of this post will consist of 3 things:

    1. Malicious code barriers & Cyber Defense
    2. Secure communications
    3. Privacy

    Let’s tackle the first one. I have a computer that I just purchased from a store. A sales person might even suggest buying anti-virus software with a firewall. It’s guaranteed to protect me from everything except a zero day hack. Well, what about this “zero day hack”? Anything on my computer that is listening to the Internet is a way in, e.g. notifications, Dropbox, Adobe, GoogleTalk. Ok, we turn these off. Are we still secure? What if the hardware is not secure? In light of recent revelations, we can’t even trust the hardware anymore. We are forced to build our own computer with components we can trust, but this begs the question of finding a trustworthy component. Back in the days of 6502 processors, it could be possible to know all the contents in memory, and to even know the factory that made all the components. With our global economy such an empirical luxury (if it was ever so enjoyed) is no more. We might as well stop here, and think about what it would take to secure the supply chain of computer components. There’s a suggestion for it in the dystopian Draka series of novels by S.M. Stirling: all computers are Read Only Memory (ROM), and produced under close government / military scrutiny. What we can conclude is that even on a basic level, we are not secure.
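    The “turn off anything listening to the Internet” step above, and step 3 (firewall) of the checklist in the previous post, both start with finding out what is actually reachable from the network. The script below is an added example, not code from either post: it parses the output of `ss -tulnp` (the Linux socket statistics tool; run it as root so the Process column is filled in) and reports every TCP/UDP listener bound to something other than a loopback address, grouped by the process that owns it. The SS_OUTPUT sample is constructed for the demonstration; `live_ss_output()` shows how to feed it the real command instead.

```python
"""Audit which services are reachable from the network, from `ss -tulnp` output.

Added example, not code from the original posts. Parses the text that
`ss -tulnp` prints on Linux and lists every listener that is bound to a
non-loopback address, i.e. the sockets the rest of the network can talk to.
The SS_OUTPUT sample below is constructed in that layout; it is not a capture.
"""
import re
import subprocess

# Constructed sample in the layout `ss -tulnp` prints (header + one line per socket).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=4))
tcp   LISTEN 0      511    *:17500             *:*               users:(("dropbox",pid=1200,fd=40))
udp   UNCONN 0      0      0.0.0.0:17500       0.0.0.0:*         users:(("dropbox",pid=1200,fd=41))
tcp   LISTEN 0      4096   [::1]:5432          [::]:*            users:(("postgres",pid=800,fd=5))
"""

# Pulls the process name out of ss's users:(("name",pid=N,fd=M)) column.
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def is_loopback(addr):
    """True for addresses only reachable from this host (127.0.0.0/8 and ::1)."""
    addr = addr.split("%", 1)[0].strip("[]")   # drop scope id and IPv6 brackets
    return addr.startswith("127.") or addr == "::1"


def parse_ss(output):
    """Yield (proto, address, port, process) for each socket line of `ss -tulnp`."""
    for line in output.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 colons in addr
        m = PROCESS_RE.search(line)
        process = m.group(1) if m else "?"     # '?' when not run as root
        yield proto, addr, int(port), process


def exposed_listeners(output):
    """Listeners bound to a non-loopback address: the ones the network can reach."""
    return [entry for entry in parse_ss(output) if not is_loopback(entry[1])]


def exposed_ports_by_process(output):
    """{process: sorted [(proto, port), ...]} for everything reachable from the network."""
    summary = {}
    for proto, _addr, port, process in exposed_listeners(output):
        summary.setdefault(process, set()).add((proto, port))
    return {p: sorted(ports) for p, ports in summary.items()}


def live_ss_output():
    """Run the real command; needs Linux with iproute2, and root for process names."""
    return subprocess.run(["ss", "-tulnp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for process, ports in exposed_ports_by_process(SS_OUTPUT).items():
        print("%-16s %s" % (process, ", ".join("%s/%d" % pp for pp in ports)))
```

    On the constructed sample only sshd (tcp/22) and dropbox (tcp/17500, udp/17500) show up; the resolver, CUPS and Postgres are bound to loopback and are not reported. Each line in the report is a service to either stop, rebind to 127.0.0.1, or explicitly allow in the firewall’s default-deny rule set.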

    In my next piece, I’ll look at secure communications on an ok, sorta secure computer.

  • A Brief History of Instagram Growth Hacking

    In Episode 83 of the now defunct Hashtagged Podcast, Jordan Powers interviews Tyson Wheat, who talked about the early days of Instagram. Back then (2011), he says, “You just needed 10 or so likes within 5 minutes to get onto the popular page.” When I heard this, I realized Instagram was gamed from the beginning. This isn’t to say that, with enough hard work, luck and skill, you couldn’t use Instagram in 2011 to launch a career. It’s just that already in 2011, you were competing in the Tour de France with somebody that’s doping, or in a sport where you’re competing with somebody on steroids. Instagram was never fair. The superb photos that ended up on the popular page back then sure had me fooled, though.

    The first screenshot I have of Instagram from October of 2011



    Hey, spamming likes to gain follows worked back then in 2011


    By 2012, you could see that something was wrong in all social photo apps. People were gaming the system.


    Hard work and talent were still wonderfully rewarded on Insta back in 2011/2012.

    In 2010, Sean Ellis coined the term growth hacking. Andrew Chen goes on at length in this classic article on what it means to be a growth hacker. For me though, growth hacking is finding flaws in the system and exploiting them in ways very similar to how the Russians tipped the 2016 election using hacking. So how did folks take advantage of the growth hacks on the popular page? In a similar way that diggs got monetized (Remember Digg?) the popular page on Instagram got monetized. According to Phil Gonzalez, a consortium of shady Turkish marketers would report a photo that naturally got to the popular page so it would get taken down, and then replace it with a post that got 100s of artificial likes from fake accounts within minutes.

    But the popular page really didn’t help that much. I got on it once by posting around 8pm at my silent reading book club back in 2012. A few hundred likes and a score of follows rolled in finally pushing me above 100 followers. I had been stuck at below 100 for a year which is laughable now, but I’d have to say those first 100 followers were all awesome people and really great photographers. Eventually, Instagram would replace the popular page with the explore page, and basically had the algorithm dictate which photos got shown to whom on that page. But crappy photos selling the scam of the week (pills or bitcoin depending on the year) always seemed to find a way there every now and then.

    What really helped grow accounts was becoming a suggested user. Instagram could choose anyone and let them be suggested for anywhere from two weeks to years. This meant that when people first signed up, the UI would strongly suggest that they follow the suggested user. You could grow at a rate of 10,000 followers a week as a suggested user.


    How’d this dude get suggested on the bottom? His photos are so so.

    The second way to grow would be to get a suggested user to follow you. This is where some shady paying for follows came in.

    The 3rd way was doing a free for all where you gave photos to people, asked them to do their best edit, and you would choose photos to feature as long as they tagged you in the photo of yours that they posted.

    The 4th way, way back in 2012, was botting by using follow and unfollow. Companies like Massplanner, which Instagram has now shut down, would sell these services for around 50 to 100 a month depending on how many followers you wanted. It’s not as shady as fake accounts since all you’re doing is suckering someone by following them, and then unfollowing them. Lots of folks have used this strategy from 2012 to 2016 to grow from 0 to 100,000 in a year. The downside is that your engagement is really low, and now that everybody is clued into it, your account just looks fake. The problem is folks who got suggested user back in the day, or coat-tailed off of them, look just as fake. What’s even worse is that the algorithm for a while gave the advantage to folks that botted. Here’s a chart showing that.


    In blue @kingy_kings legit working hard to grow; in orange, @jackson.groves doing follow/unfollow by botting. The algorithm has them neck and neck, but then eventually the algorithm fails and rewards the cheater.

    However by 2018, the algorithm would actually take away followers for botting, and it did this by feeding the botters to the botters as you can see in the chart below:


    @teresa_ on Instagram is the worst. She’s botting and losing followers. lol

    From 2016 to 2018 people would try the following to grow:

    • power likes, getting a like from a large account
    • paid features on huge accounts (1 million real followers or more)
    • DM groups – these really help lots with engagement, but sentiment analysis can reveal who uses fake comments. This is true if you don’t shoot bangers. I’ve seen accounts with 1000s of cake photos, and each cake photo is the best cake photo that someone’s ever seen. The idea behind this is similar to the hack Tyson mentioned above. Get 5 or so comments in 15 minutes to get way more likes than if you didn’t get the comments.
    • contests where you have to follow 20 to 40 people in order to enter
    • contests that offered a free camera if you followed them
    • follower networks where people grow multiple accounts to like and follow each other
    • the Gary Vee 2 cent hack; this got killed once the algorithm started detecting it and making sure the Top page you see is the same as the Recent page
    • getting a free feature from a large account

    I’d say that the only strategy that works now is the last one, which is just another way of saying “going viral.” Someone prove me wrong here, please.

    The result of all this is that:

    • people take the same photos as everyone else, i.e. InstaRepeat
    • people take crappier photos than before
    • people are taught by Instagram to game the system and society

    This means Instagram is contributing to the downfall of society.

    What should you do if you care about photography? Delete the app. Go back to making zines like I have. If you can’t bear to delete the app, just use it for the DMs.

  • Privacy Policy

    Who we are

    Our website address is: https://www.codebelay.com/blog.

    What personal data we collect and why we collect it

    Comments

    When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

    An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

    Media

    If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

    Contact forms

    Cookies

    If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

    If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

    When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

    If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

    Embedded content from other websites

    Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

    These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

    Analytics

    Who we share your data with

    We do not share your data with anybody except what Dreamhost.com can glean from the server logs, which should just be your IP address, web browser, and URLs visited.

    How long we retain your data

    If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

    For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

    What rights you have over your data

    If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

    Where we send your data

    Visitor comments may be checked through an automated spam detection service.

    Your contact information

    Feel free to contact me at barce [ a t ] no spam – this site’s name dot com.

    Additional information

    How we protect your data

    We use ssh and encrypted connections. If you have something super secret to say though, this is not the place.

    What data breach procedures we have in place

    We rely on backups from Dreamhost, and have used their restore services as “practice” for a data breach.

    What third parties we receive data from

    We get data from Google and Quantserve as part of serving ads.

    What automated decision making and/or profiling we do with user data

    We do not profile and do not make automated decisions, but boy that would be great.

    Industry regulatory disclosure requirements

    I have no sponsors and no longer run ads from Google.
