External Blogs

Montréal-Python 75: Funky Urgency

Montreal Python - Thu, 06/20/2019 - 23:00

The summer has started and it's time for our last edition before the seasonal break. We are inviting you for the occasion at our friends Anomaly, a co-working space in the Mile-End.

As usual, it's gonna be an opportunity to discover how people are pushing our favourite language farther, to understand how to identify the bad habits of most programmers and to have fun with data!

Join us on Wednesday, there's gonna be pizza and we're probably gonna continue the evening to share more about our latest discoveries.

Speakers

Josh Reed - Put your Data in a Box

The talk would cover the very basics of Algebraic Data Types (ADTs) and available facilities in python for expressing things like this (namedtuple, attrs, dataclasses). The talk would focus on the advantage of using explicitly structured data over ad-hoc structures like dicts and tuples once programs moved past exploratory phases of development.

Greg Ward - Operator Overloading: You're Doing It Wrong

Some people hate operator overloading so much that they design whole programming languages (Java, Go) to rebel against the idea. And some language communities (C++, Python) are perfectly happy to have operator overloading. But we've all seen examples that make us wonder what the original programmer was thinking. I have discovered some key design principles that will help you avoid such traps.

David Taylor - Dataiku and pytabby demo

I had an idea to give a demo of Dataiku Data Science Studio (http://www.dataiku.com) which is made in Python and uses Python to bridge the gap for organizations that want to do quick-win machine learning without having to hire Ph.D.s. I was the Product Owner of Dataiku at my last job, where we used it to give actuaries who were more comfortable in SAS experience in Python and ML.

Edith Viau - LuminX

As the speed at which information travels runs up against the constraints of the laws of physics, we drew inspiration from the optical fibre that underlies the high-frequency exchanges of financial markets, and from the light that drives them, in this illustration of the international nature of commercial and financial exchanges.

The LEDxchange project is meant as a real-time visual representation of the flows of the exchange rates of 41 currencies relative to the euro, one of the main international currencies.

More information about LuminX at https://eviau.github.io/finartcialist/luminx.html

Where

Anomaly
5555 de Gaspé, Suite 118,
Montreal, Quebec H2T 2A3
https://goo.gl/maps/rqqAT7ez5dEQ19w27

When

Wednesday, June 26th at 6pm

Schedule
  • 6pm: door opens
  • 6:30pm: talks
  • 8pm: Waverly
Categories: External Blogs

Call for Speakers - Montréal-Python 75: Funky Urgency

Montreal Python - Mon, 06/10/2019 - 23:00

Montreal-Python will be hosting its last event before the summer break. This is also a special moment because it's our 75th event!

You would like to talk about your new project? Or share what you have learned at PyCon? Or maybe you have discovered something new in python and would like to share it with us?

Please contact us, we are looking for presenters!

Thanks to Anomaly Co-Working space for welcoming us for this edition!

Where

Anomaly 5555 de Gaspé, Suite 118, Montreal, Quebec H2T 2A3

When

Wednesday, June 26th at 6pm

Schedule
  • 6pm: door opens
  • 6:30pm: talks
  • 8pm: Waverly
Contact

If you would like to talk at the event, please contact us, either by mail:

mtlpyteam@googlegroups.com

Or on Slack at https://montrealpython.org/fr/slackin, #talks

Categories: External Blogs

Truly completing the Quiet Revolution

Anarcat - Fri, 05/17/2019 - 07:32

"Completing the work of the Quiet Revolution", to borrow from this morning's front page of Le Devoir, should begin by repairing the damage done by the Catholic Church in Quebec. The horrible crimes of priests against children remain unpunished. Here the state leaves it to the Church to deal with these criminal matters. Meanwhile, the bishops lecture on the sexual or religious education of children by taking public positions on school reform. The dock is the only place where priests should be allowed to talk about sexuality and morality.

Our history is irremediably tied to colonization, including the destruction of a diversity of Indigenous peoples, which continues to this day. We often imagine a vague crime of the past, but the reality is that the genocide continued until the closing of the residential schools at the end of the century. The Quiet Revolution has certainly not finished its homework, but not in the sense meant by Guy Rocher and the defenders of Bill 21.

I was educated at the Commission des Écoles Catholiques de Montréal (CECM). During my time in that institution, I took catechism classes "intended to make children grow [...] in the understanding of the Christian message" (Wikipedia). This was not the era of the Great Darkness but the 1980s, when we still had the "privilege" of going into the church as part of the standard primary school curriculum. Obviously, "communing with God" was reserved for the baptized, an elite group I was not part of. So I thought it important to get baptized at that young age to try to correct this parental misstep, in the hope of reaching enlightenment in the darkness of the confessional.

Having therefore become a convinced atheist, I am saddened to see my fellow citizens tear each other apart over religious questions. Completing the real Revolution would mean converting churches and presbyteries into social centres instead of condos, bringing priests to justice instead of putting them on the radio, giving back to the peoples we stole from and starting to repair the mistakes of the past.

As Borduas said, we must set "global refusal" against "entire responsibility". Acknowledge the faults and mistakes of our own culture, and start repairing them, instead of dwelling on the possible vices of a culture we do not really know. While the far right is the source of the majority of terrorist attacks in North America, why worry about our teachers' veils? "Make way for necessities!" The climate emergency and the rise of fascism should be the important subjects instead of these questions of dress.

This article was rejected by Le Devoir.

Categories: External Blogs

On free speech at Puri.sm and Mastodon

Anarcat - Mon, 05/13/2019 - 10:22

I have been cautiously enthusiastic about Puri.sm. They have done interesting work liberating their own hardware from the clutches of Intel backdoors and are enthusiastically creating a new kind of phone. Recently, they figured they would also become a new hosting provider but that's not going as well as one might hope. It seems they have decided to rewrite the standard Community Covenant code of conduct and rinse it down to create an absolutist "free speech zone".

This is a serious mistake and will create an escape hatch from mainstream social media for neo-nazis, trolls, masculinists and other scum[1] of the internet. Purism should not be part of this, and if they do not revert this stance, I will discourage anyone from doing business with them ever again.

An introduction to the Purism projects

In a private mailing list, I summarized the situation of the Librem projects as follows:

Hi all,

Do people on this list have any opinion about https://librem.one ?

Overall, I think it's a good idea.

Devil is in the details, however. There was some controversy on how Purism has rebranded and forked existing free software projects without giving clear credit in the original announcements. They have responded to this, however, with something I find somewhat satisfactory.

I'm a little concerned about Purism taking on too much: they started by making laptops and ventured into forking Debian to have their own distribution - a common pattern in hardware manufacturers supporting Debian, same happened with System76. But now they are building a phone, and not content with Android, they are building their own OS, based on Debian, and I worry it will not deliver and disappoint a lot of people.

This is another venture that, coming from a hardware manufacturer, I am also somewhat worried about. Launching, simultaneously, an Email, Chat, social networking and VPN provider is a very ambitious goal. Members of our communities have been spending years deploying those services and it's a little frustrating to see Purism just barge in there and offer their services, for a fee on top of that.

But I will be the first to recognize that running services comes at a cost: hardware, cooling, real-estate and especially labor are not free. So I think it's fair they charge a price, and a fair one at that too.

So I wish them good luck and I am curious to see where it will go. At least they picked federated protocols which interoperate with our stuff: that is good. I'm worried they will undercut other community providers like ours, but I guess the more the merrier...

The Purism code of conduct tolerates Nazis

Now something else came up and that's the Librem.one code of conduct which more or less says "Nazis are okay, as long as they don't harass people", a position which I have come to fundamentally disagree with.

This post is what brought the problem to my attention. It includes screenshots[2] from a conversation with Kyle Rankin, the Purism Chief Security Officer where he claims that Purism doesn't need to list "bad behaviors" in their code of conduct because "harassment" suffices. He also argues that control over content isn't required because they don't have a "shared Mastodon[3] timeline".

Concretely, their code of conduct states that:

This Code of Conduct is adapted from the Community Covenant, The only change made was to remove the list of examples in the interest of readability.

This seems innocuous enough, but the changes go beyond simply "readability". This is how the Covenant code of conduct actually begins:

Our pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

In comparison, this is how the Purism code begins:

Our goal

This community is dedicated to providing a harassment-free experience for everyone. We do not tolerate harassment of participants in any form.

By removing the specific list of unacceptable behavior, they are implicitly allowing it. Purism seem to pivot around "legally protected free speech" and argue that "harassment is not legally protected" which is why it's not allowed in their code of conduct. Their argument is they shouldn't decide what's allowed on their own server and instead seem to delegate this to the US constitution and law enforcement. Indeed, their FAQ says:

How do I report illegal content?

Any illegal content or illegal acts should be reported to the appropriate authorities who are equipped to handle it.

So it's not just a matter of "readability", but also that they don't actually want to "restrict free speech". This seems to me, at best a cop-out that leaves victims totally on their own, and, at worst, creates a "safe space" for neo-nazis to escape the narrowing controls imposed on larger platforms like Twitter, Facebook and Reddit. This is the same position that "big tech" (as Purism calls its competitors) are taking. They are trying really hard to remove themselves from the editorial process and claim they are not responsible for content.

In practice, this is a little white lie: Facebook, Twitter and all those platforms employ armies of moderators that constantly police their network.[4] The question, therefore, is what that platform specifically allows and refuses. Pornography, for example, is definitely allowed "legally protected free speech" in the USA, yet it's forbidden on Facebook. Some large providers have also started to crack down on neo-nazis, like Facebook, YouTube, Apple, and Spotify banning Alex Jones from their networks. Twitter seems slower to follow and some claim that's because they might risk banning Republicans as well because they confuse artificial intelligence (and, arguably, human intelligence as well).

Free speech absolutism and its impacts

The first impact of this is that some Mastodon servers are blocking the Purism instance altogether. This makes Purism's claims of federation somewhat dishonest:

Yes, you can follow and fully interact with people inside or outside the librem.one domain. (not locked-in to one technology company)

Of course, that's the nature of federation, but I am not aware of such a company (especially one which claims to have a social purpose) blocked right off the bat from the federation.

The second impact, of course, is that free speech fanatics, the alt-right, and neo-nazis are soon going to invade that space. The hordes of trolls, tired of getting banned on Twitter, will be happy to find a safe haven on Librem.one, especially since there will be a juicy community of unsuspecting "social justice warriors" like me there to troll and brutalize.

There's a long history of tolerating hate speech in the USA, based on the US constitution, at least from state institutions. As a reminder, the first amendment says that:

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Free speech absolutists like to read this by disregarding the words "congress", "law" and "government" in there and interpret this as applying to the entire fabric of society. But that's not how free speech works, even in the US. The first amendment concerns Congress and the laws it passes. There is absolutely no law in the US that forbids a private company to enforce contents on its own. It's the editorial right of any content editor (because that's what you become when you start your own twitter) to censor any speech that they like. This is also how XKCD put it:

Public Service Announcement: The Right to Free Speech means the government can't arrest you for what you say.

It doesn't mean that anyone else has to listen to your bullshit, or host you while you share it.

The 1st Amendment doesn't shield you from criticism or consequences.

If you're yelled at, boycotted, have your show canceled, or get banned from an Internet community, your free speech rights aren't being violated.

It's just that the people listening think you're an asshole.

And they're showing you the door.

For the record, I used to be a free speech absolutist myself. But I have since then reviewed my position on this: I think free speech, like any human right, is not absolute, and should take into account political and social dynamics. Free speech, right now, is not in danger, or at least specifically not right wing fear-mongering, racism and sexism. Hate speech is on the rise, and I find it particularly offensive to hear the argument that it is "legally protected" because it is false and dangerous.

Hate speech was the prelude to the rise of fascism in the early 20th century. Those fascists support free speech as long as it serves their purpose, but they are the first to destroy it when they are back in power. Not only figuratively, through censorship, but literally, by harassing, beating up, and murdering people. By allowing hate speech, we are paving the way for those people to come out of the closet and pose more daring actions.

We can already see this happening in the US and elsewhere:

  • In 2015, a white supremacist walked into a church in South Carolina and murdered nine African-Americans "in the hope of igniting a race war".

  • In 2017, Heather Heyer was one of the victims in a large fascist rally in Virginia. The perpetrator was previously posting neo-nazi memes and symbols on Facebook.

  • In 2018, another neo-nazi walked into a synagogue in Pittsburgh and murdered eleven people. He had previously posted anti-semitic comments on the far-right Gab social network.

  • And this year, in 2019, another neo-nazi walked into a Mosque and murdered 51 people in New Zealand. He streamed everything on Facebook Live and he distributed his manifesto on Twitter and 8chan.

This is real. This is now. This is what Purism enables by tolerating hate speech. And it's not right. Free speech should never be an enabler for such horrors. We don't tolerate it for ISIL and jihadist terrorism, why should we tolerate it for the white supremacy groups?

First they came for the socialists, and I did not speak out — because I was not a socialist.

Then they came for the trade unionists, and I did not speak out — because I was not a trade unionist.

Then they came for the Jews, and I did not speak out — because I was not a Jew.

Then they came for me — and there was no one left to speak for me.

Martin Niemöller

For the sake of transparency, I should state that I have ordered a laptop from Purism about a month ago and the machine was "dead on arrival" when it arrived last week. I've also been having trouble getting the machine returned although it seems this might resolve itself today.

  1. scum, the topmost liquid layer of a cesspool or septic tank, a reprehensible person or persons. Nazi Scum. ↩

  2. The screenshots do not display correctly in the thread, but here are Internet Archive links: 1 2. ↩

  3. For context, Mastodon is a Twitter/Twitdeck clone that implements a standard federated protocol and can interoperate with other instances like GNU Social. It's presumably Twitter done right, like email. In practice, you'll see there are tricky edge cases, naturally. ↩

  4. For a good perspective on that gruesome work, I recommend this article on The Verge and there are also two documentaries I'm aware of that cover the topic as well, The Cleaners and The Moderators. ↩

Categories: External Blogs

Montréal-Python 74: Virtual Echo

Montreal Python - Tue, 03/26/2019 - 23:00

We will meet up at Shopify for the first Montreal Python of the year. We will start with 4 most interesting presentations, and then we will move up to Benelux to continue the discussion.

Speakers

Nicolas Kruchten: Explore Your Data and Then Let Others Do It Too: Plotly Express and Dash

You start the morning exploring some data in a Jupyter notebook with Plotly Express and after lunch you whip up a web application to give your non-programmer colleagues access to those same insights with Dash, all in under a 100 lines of Python, no Javascript required. This talk will show you how Plotly's open-source libraries fit together to make this possible.

Adil Addiya: Building a standalone app using electron and flask

Federico Ariza: Python Camera Simulator

Overview and use of the EMVA1288 camera Simulator. With the rapid development of autonomous driving, there is a need for more realistic hardware simulation that provides the same kind of challenge to the Computer Vision systems as the real deal. This Simulator is being used in professional environments around the world. It provides an accurate physics model to reproduce characteristics and defects of different kinds of sensors.

Matthieu Ranger: Feedback loops in data systems

When 'filter bubbles' came to public attention, it became pressing that systems that consume their own recommendations as data can be subject to noxious feedback loops.

In this talk, we go over several examples of feedback loops, then discuss the technical and management issues related.

When

Monday April 1st at 6PM

Where

Shopify, 490 rue de la Gauchetière Montréal, Québec https://goo.gl/maps/FccEH2n7EPm

Schedule
  • 6:00PM - Door opens
  • 6:30PM - Presentations
  • 8:00PM - End of talks
  • 8:15PM - Benelux
Categories: External Blogs

Securing registration email

Anarcat - Wed, 03/20/2019 - 10:28

I've been running my own email server basically forever. Recently, I've been thinking about possible attack vectors against my personal email. There's of course a lot of private information in that email address, and if someone manages to compromise my email account, they will see a lot of personal information. That's somewhat worrisome, but there are possibly more serious problems to worry about.

TL;DR: if you can, create a second email address to register on websites and use stronger protections on that account from your regular mail.

Hacking accounts through email

Strangely what keeps me up at night is more what kind of damage an attacker could do to other accounts I hold with that email address. Because basically every online service is backed by an email address, if someone controls my email address, they can do a password reset on every account I have online. In fact, some authentication systems just gave up on passwords altogether and use the email system itself for authentication, essentially using the "password reset" feature as the authentication mechanism.

Some services have protections against this: for example, GitHub requires a 2FA token when doing certain changes which the attacker hopefully wouldn't have (although phishing attacks have been getting better at bypassing those protections). Other services will warn you about the password change which might be useful, except the warning is usually sent... to the hacked email address, which doesn't help at all.

The solution: a separate mailbox

I had been using an extension (anarcat+register@example.com) to store registration mail in a separate folder for a while already. This allows me to bypass greylisting on the email address, for one. Greylisting is really annoying when you register on a service or do a password reset... The extension also allows me to sort those annoying emails in a separate folder automatically with a simple Sieve rule.

More recently, I have been forced to use a completely different email alias (register@example.com) on some services that dislike having plus signs (+) in email addresses, even though they are perfectly valid. That got me thinking about the security problem again: if I have a different alias why not make it a completely separate account and harden that against intrusion? With a separate account, I could enforce things like SSH-only access or 2FA that would be inconvenient for my main email address when I travel, because I sometimes log into webmail for example. Because I don't frequently need access to registration mail, it seemed like a good tradeoff.

So I created a second account, with a locked password and SSH-only authentication. That way the only way someone can compromise my "registration email" is by hacking my physical machine or the server directly, not by just bruteforcing a password.

Now of course I need to figure out which sites I'm registered on with a "non-registration" email (anarcat@example.com): before I thought of using the register@ alias, I sometimes used my normal address instead. So I'll have to track those down and reset those. But it seems I already blocked a large attack surface with a very simple change and that feels quite satisfying.

Implementation details

Using syncmaildir (SMD) to sync my email, the change was fairly simple. First I need to create a second SMD profile:

    # do not run this profile on the host named marcos
    if [ "$(hostname)" = "marcos" ]; then
        exit 1
    fi
    SERVERNAME=smd-server-register
    CLIENTNAME=$(hostname)-register
    MAILBOX_LOCAL=Maildir/.register/
    MAILBOX_REMOTE=Maildir
    TRANSLATOR_LR="smd-translate -m move -d LR register"
    TRANSLATOR_RL="smd-translate -m move -d RL register"
    EXCLUDE="Maildir/.notmuch/hooks/* Maildir/.notmuch/xapian/*"

Very similar to the normal profile, except mails get stored in the already existing Maildir/.register/ and a different SSH profile and translation rules are used. The new SSH profile is basically identical to the previous one:

    # wrapper for smd
    Host smd-server-register
        Hostname imap.anarc.at
        BatchMode yes
        Compression yes
        User register
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_ed25519_smd

Then we need to ignore the register folder in the normal configuration:

diff --git a/.smd/config.default b/.smd/config.default index c42e3d0..74a8b54 100644 --- a/.smd/config.default +++ b/.smd/config.default @@ -59,7 +59,7 @@ TRANSLATOR_RL="smd-translate -m move -d RL default" # EXCLUDE_LOCAL="Mail/spam Mail/trash" # EXCLUDE_REMOTE="OtherMail/with%20spaces" #EXCLUDE="Maildir/.notmuch/hooks/* Maildir/.notmuch/xapian/*" -EXCLUDE="Maildir/.notmuch/hooks/* Maildir/.notmuch/xapian/*" +EXCLUDE="Maildir/.notmuch/hooks/* Maildir/.notmuch/xapian/* Maildir/.register/*" #EXCLUDE_LOCAL="$MAILBOX_LOCAL/.notmuch/hooks/* $MAILBOX_LOCAL/.notmuch/xapian/*" #EXCLUDE_REMOTE="$MAILBOX_REMOTE/.notmuch/hooks/* $MAILBOX_REMOTE/.notmuch/xapian/*" #EXCLUDE_REMOTE="Maildir/Koumbit Maildir/Koumbit* Maildir/Koumbit/* Maildir/Koumbit.INBOX.Archives/ Maildir/Koumbit.INBOX.Archives.2012/ Maildir/.notmuch/hooks/* Maildir/.notmuch/xapian/*"
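
Review bot: the commented-out #EXCLUDE= line directly above the changed line still carries the old value without Maildir/.register/*, so the file now shows two different exclude lists. Update or drop the commented copy so nobody restores it and lets the default profile sync the register folder again, and add a short comment next to the new entry saying that this folder is handled by the separate register profile, since nothing in this file explains why it is excluded.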

And finally we add the new profile to the systemd services:

diff --git a/.config/systemd/user/smd-pull.service b/.config/systemd/user/smd-pull.service index a841306..498391d 100644 --- a/.config/systemd/user/smd-pull.service +++ b/.config/systemd/user/smd-pull.service @@ -8,6 +8,7 @@ ConditionHost=!marcos Type=oneshot # --show-tags gives email counts ExecStart=/usr/bin/smd-pull --show-tags +ExecStart=/usr/bin/smd-pull --show-tags register [Install] WantedBy=multi-user.target diff --git a/.config/systemd/user/smd-push.service b/.config/systemd/user/smd-push.service index 10d53c7..caa588e 100644 --- a/.config/systemd/user/smd-push.service +++ b/.config/systemd/user/smd-push.service @@ -8,6 +8,7 @@ ConditionHost=!marcos Type=oneshot # --show-tags gives email counts ExecStart=/usr/bin/smd-push --show-tags +ExecStart=/usr/bin/smd-push --show-tags register [Install] WantedBy=multi-user.target
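
Review bot: in smd-pull.service the register profile is added as a second ExecStart line in a Type=oneshot unit, so the two pulls run one after the other and a failure of the first (default profile) stops the unit before the register mailbox is pulled. If the two mailboxes should sync independently, prefix the first command with "-" or move the register profile into its own unit.

Review bot: the smd-push.service hunk has the same ordering dependency: a failed push of the default profile leaves the register profile unpushed until the next run. A one-line comment on the added ExecStart saying that "register" is the name of the second smd profile would also help, because the existing comment above only explains --show-tags.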

That's about it on the client side. On the server, the user is created with a locked password and the mailbox moved over:

    adduser --disabled-password register
    mv ~anarcat/Maildir/.register/ ~register/Maildir/
    # use the full path so the chown does not depend on the current directory
    chown -R register:register ~register/Maildir/

The SSH authentication key is added to .ssh/authorized_keys, and the alias is reversed:

--- a/aliases +++ b/aliases @@ -24,7 +24,7 @@ spamtrap: anarcat spampd: anarcat junk: anarcat devnull: /dev/null -register: anarcat+register +anarcat+register: register # various sandboxes anarcat-irc: anarcat
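
Review bot: with "register: anarcat+register" removed and only "anarcat+register: register" added, mail to register@ is no longer covered by any alias and depends on the local user register existing on this host, while the new entry depends on the MTA looking up the full extended address in the alias table before it strips the +register extension. Both deserve a delivery test to each address after the change, otherwise mail for anarcat+register could still fall through to the anarcat mailbox.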

... and the email is also added to /etc/postgrey/whitelist_recipients.

That's it: I now have a hardened email service! Of course there are other ways to harden an email address. On-disk encryption comes to mind but that only works with password-based authentication from what I understand, which is something I want to avoid to remove bruteforce attacks.

Your advice and comments are of course very welcome, as usual.

Categories: External Blogs
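
One way to check the end state described in "Securing registration email" above: the register account must have a locked password, and the alias must send anarcat+register to register and not the other way round. This is an added example, not part of the original post; it reads copies of /etc/shadow and /etc/aliases, and the function names and all sample data are constructed for the illustration.

```shell
# Added example: audit the registration-mailbox setup on copies of
# /etc/shadow and /etc/aliases. Function names and sample data are constructed.

# shadow_state USER FILE -> locked | empty | password | missing
#   locked:   field starts with '!' or '*', no password can match
#   empty:    no password required at all
#   password: a hash is set, so password guessing is possible again
shadow_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "") print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else print "password"
            exit
        }
        END { if (!found) print "missing" }
    ' "$2"
}

# alias_target NAME FILE -> right-hand side of "NAME: target", or nothing.
# Keys are compared as strings because '+' is a regex metacharacter.
alias_target() {
    awk -v n="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == n) { print val; exit }
        }
    ' "$2"
}

# audit_registration MAIN REG SHADOW ALIASES
# Prints one finding per line and returns 0 only if nothing failed.
audit_registration() {
    main=$1 reg=$2 rc=0
    state=$(shadow_state "$reg" "$3")
    if [ "$state" = locked ]; then
        echo "ok: $reg has a locked password"
    else
        echo "FAIL: $reg password state is '$state'"; rc=1
    fi
    # Registration mail must not be routed back into the main mailbox.
    t=$(alias_target "$reg" "$4")
    case $t in
        "") echo "ok: no alias overrides local user $reg" ;;
        "$main"|"$main+"*) echo "FAIL: alias $reg -> $t lands in $main"; rc=1 ;;
        *) echo "warn: alias $reg -> $t, check where it ends up" ;;
    esac
    # The old +register extension should now reach the hardened account.
    t=$(alias_target "$main+$reg" "$4")
    if [ "$t" = "$reg" ]; then
        echo "ok: $main+$reg -> $reg"
    else
        echo "FAIL: $main+$reg not aliased to $reg (got '${t:-none}')"; rc=1
    fi
    return $rc
}

# Constructed sample files: the hardened state, plus a weak state with a
# password hash on the account and the pre-change alias direction.
make_samples() {
    cat > "$1/shadow.after" <<'EOF'
anarcat:$6$CONSTRUCTED$not-a-real-hash:17900:0:99999:7:::
register:*:17975:0:99999:7:::
EOF
    cat > "$1/shadow.weak" <<'EOF'
register:$6$CONSTRUCTED$not-a-real-hash:17975:0:99999:7:::
EOF
    cat > "$1/aliases.before" <<'EOF'
register: anarcat+register
EOF
    cat > "$1/aliases.after" <<'EOF'
anarcat+register: register
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_registration anarcat register "$demo_dir/shadow.after" "$demo_dir/aliases.after" || true
audit_registration anarcat register "$demo_dir/shadow.weak" "$demo_dir/aliases.before" || true
rm -rf "$demo_dir"
```

On a real server the same functions can be pointed at /etc/shadow and /etc/aliases as root; a "password" or "empty" result for register means password guessing is possible again.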

Montréal-Python 74: Call for speakers - Virtual Echo

Montreal Python - Sun, 03/17/2019 - 23:00

Spring is upon us and it's time for Pythonistas to gather and discuss the latest news and their latest projects.

For this occasion we are looking for speakers who would like to share their latest discoveries. This is the best opportunity to reach out to the Montreal python community.

To submit your talk, write us at the following address: mtlpyteam@googlegroups.com or join us on Slack at https://mtlpy.org/slackin.

When

Monday April 1st 2019 at 6pm

Where

Shopify, 490 rue de la Gauchetière Montréal, Québec (map) https://goo.gl/maps/FccEH2n7EPm

Schedule

  • 6:00PM - Doors open
  • 6:30PM - Presentations
  • 8:00PM - End of the event
  • 8:15PM - Benelux

Categories: External Blogs

Epic Lameness

Eric Dorland - Mon, 09/01/2008 - 17:26
SF.net now supports OpenID. Hooray! I'd like to make a comment on a thread about the RTL8187se chip I've got in my new MSI Wind. So I go to sign in with OpenID and instead of signing me in it prompts me to create an account with a name, username and password for the account. Huh? I just want to post to their forum, I don't want to create an account (at least not explicitly, if they want to do it behind the scenes fine). Isn't the point of OpenID to not have to create accounts and particularly not have to create new usernames and passwords to access websites? I'm not impressed.
Categories: External Blogs

Sentiment Sharing

Eric Dorland - Mon, 08/11/2008 - 23:28
Biella, I am from there and I do agree. If I was still living there I would try to form a team and make a bid. Simon even made noises about organizing a bid at DebConfs past. I wish he would :)

But a DebConf in New York would be almost as good.
Categories: External Blogs