cellio: (Default)

Cory Doctorow's How I got scammed was a fascinating read. Phishing has gotten more sophisticated, but also, even people whose security practices are way above the norm can get hit when the stars (mis)align just so.

There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!

The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if. [...]

The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.

Years ago, I got a call on a weekend from someone claiming to be from my credit card and was just plausible enough for me to not hang up. (Also a claimed fraud alert.) But I got suspicious when the caller started asking me for private information and then claimed it was necessary to authenticate me (at my own phone number). So I said "I also need to authenticate you; what's my mother's maiden name?" Oh no, the caller said, we can't give you that information... but with all the data breaches we've seen, that technique is no longer safe. The phisher might have my mother's maiden name [1]. Doctorow's phisher had his unpublished phone number. Secrets aren't.

[1] Helpful tip: don't use the actual answers for security questions that people might be able to research or guess. As far as your bank is concerned, your mother's maiden name can be QjFVa6ufeqr_7. (Treat it like a second password: record it in your password manager, because you'll have to produce it again later.)

cellio: (Default)

I've been using RateBeer to track beers I've tasted and how much I liked them. This is helpful to pull up on a phone in a restaurant or store. But it relies on their database; if they haven't heard of a beer (and I don't want to do very cumbersome editing to add it on the fly), I can't rate it. Untappd seems to have a larger database but a terrible mobile site.

Fundamentally, this is the wrong approach for me anyway. Sites like RateBeer and Untappd exist to collect and aggregate user-contributed content. I don't care about that. I'm not interested in "social beer". I just want to keep track of things I've tried. And this isn't really just about beer; in days of yore when I bought more books on paper, I wanted to be able to look up what I already own while standing in a bookstore, but GoodReads is not really the interface for that. Similarly, keeping track of board games I like (and variants) is not really a job for BoardGameGeek.

What I need is my own private little database, with a web front end to support both queries (searches) and data entry. I'm the only user, so I don't need anything fancy. (Web, not app, because while I'll do some data entry on the phone, anything non-trivial is going to be done on a computer with a real keyboard.)

This sure feels like a solved problem, but I'm not quite sure what to search for. (Or rather, my searches are leading me to pages like "how to use .NET to build your web form".) My web hosting comes with CPanel links to set up both MySQL and Postgres databases. I think I know the basics of raw HTML forms but I don't yet know how to hook one up to a running database, nor how to access-protect it. I'm comfortable with the SQL to create and query the tables, and while every database is a little different on this I assume I can figure out data import from CSV.

Or maybe I should be looking for something hosted, like Google Sheets but for an actual database. (I've tried importing this data into Google Sheets. Using that on my phone is pretty terrible and it doesn't really support search anyway.) So long as I can export data from someone else's service, I don't need to self-host. But if self-hosting is easy I'd prefer that.

Out of curiosity I asked ChatGPT, and it gave me some PHP with a username and password baked in and a suggestion to do better security. The code doesn't do quite what it said it would do (based on inspection), but it's broadly plausible and ChatGPT even pointed out the problems with security, input sanitization, and validation.

Any advice from my readers?
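For readers who want something concrete to react to, here is the data layer such a tracker would need, as an added example that is not code from this post (and not the PHP ChatGPT produced). It assumes SQLite from the Python standard library in place of the MySQL/Postgres the host offers, leaves out the web framework and session handling, and uses hypothetical TRACKER_USER / TRACKER_PASSWORD_HASH environment variables. It shows the three things the post worries about: the form values are bound as query parameters instead of being pasted into SQL, the input is validated before it reaches the database, and the login secret is a salted slow hash read from the environment rather than a username and password baked into the source.

```python
"""Data layer for a single-user "things I've tried" tracker: added example,
not code from the original post or from ChatGPT. Assumes SQLite (stdlib) in
place of the host's MySQL/Postgres, leaves out the web framework and session
handling, and uses hypothetical TRACKER_USER / TRACKER_PASSWORD_HASH env vars."""
import hashlib
import hmac
import os
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS beers (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    brewery TEXT NOT NULL DEFAULT '',
    rating  INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5),
    notes   TEXT NOT NULL DEFAULT ''
);
"""
PBKDF2_ITERATIONS = 600_000  # deliberately slow: this is a password hash

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn

def add_beer(conn, name, brewery="", rating=3, notes=""):
    """Insert one row. Values are bound as parameters, never spliced into the
    SQL string, so "O'Hara's" or "'; DROP TABLE beers; --" is just text."""
    name = name.strip()
    if not name:
        raise ValueError("name is required")
    if not isinstance(rating, int) or not 1 <= rating <= 5:
        raise ValueError("rating must be a whole number from 1 to 5")
    cur = conn.execute(
        "INSERT INTO beers (name, brewery, rating, notes) VALUES (?, ?, ?, ?)",
        (name, brewery.strip(), rating, notes.strip()))
    conn.commit()
    return cur.lastrowid

def handle_add_form(conn, fields):
    """Validate the raw strings an HTML form submits, then store them.
    Returns (True, new_id) or (False, message for the user)."""
    try:
        rating = int(fields.get("rating", ""))
    except ValueError:
        return False, "rating must be a whole number from 1 to 5"
    try:
        new_id = add_beer(conn, fields.get("name", ""), fields.get("brewery", ""),
                          rating, fields.get("notes", ""))
    except ValueError as err:
        return False, str(err)
    return True, new_id

def search(conn, term):
    """Case-insensitive substring search over name and brewery. LIKE wildcards
    in the input are escaped, so typing '%' finds a literal '%', not everything."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{esc}%"
    rows = conn.execute(
        "SELECT name, brewery, rating FROM beers "
        "WHERE name LIKE ? ESCAPE '\\' OR brewery LIKE ? ESCAPE '\\' "
        "ORDER BY rating DESC, name", (pattern, pattern)).fetchall()
    return [(r["name"], r["brewery"], r["rating"]) for r in rows]

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh
    random salt; this string, not the password, is what gets stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # malformed stored value
        return False

def load_login_from_env():
    """Credentials come from the environment (or a file outside the web root),
    not from constants in the source file that gets deployed."""
    user, pw_hash = os.environ.get("TRACKER_USER"), os.environ.get("TRACKER_PASSWORD_HASH")
    if not user or not pw_hash:
        raise RuntimeError("set TRACKER_USER and TRACKER_PASSWORD_HASH")
    return user, pw_hash

def login_ok(form_user, form_password, expected_user, expected_hash):
    """Check a submitted username/password pair against the configured one."""
    same_user = hmac.compare_digest(form_user.encode(), expected_user.encode())
    return same_user and verify_password(expected_hash, form_password)
```

A form handler in any small framework would pass its submitted fields (a dict of strings) to handle_add_form and the search box's text to search; the same shape works with PHP's $_POST and a prepared statement. The MySQL and Postgres drivers use a different placeholder token than SQLite's "?", but binding parameters, validating before insert, and storing only a salted slow hash of the login secret carry over unchanged. Generate the stored hash once with hash_password and put the resulting string in the environment; the source file then contains no secret at all.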

Sh'loshim

Jan. 25th, 2024 09:30 pm
cellio: (Default)

My dad's funeral was 30 days ago. For some reason, Judaism counts the first days of mourning from the funeral not from the death, even though the annual commemoration (yahrzeit) counts from the death. Dad wasn't Jewish but I am, and I find our markers in time to be helpful.

Dad was part of a small music group for many years. They were all friends, as you expect in small long-running groups, and the director spoke at the funeral. Later, when I started going through his email looking for things that require action, I found out she has a newsletter and had posted about him. I recognize a lot of that, so I think this is what she read at the funeral.

My dad made a huge difference in my life and in the lives of my mom, sister, and niece -- and I'm learning about some of the other people he also touched deeply.

cellio: (Default)

My mother is not computer-savvy, and when she's ready I'll help her sort out my father's computer stuff and (I hope) break into his account so we can sort out whatever household stuff he was managing online (like bill payments). She has "an old password" written down; here's hoping that helps.

She mentioned, in passing, that she'll contact their cell carrier to drop his line -- no sense continuing to pay for a second phone, after all.

Do I need to prevent her from doing that until we determine whether he was using 2FA for anything? I haven't figured out the right search queries that will cut through what you should do in advance lest you lose your phone. Like, I don't know where or if he was using 2FA, so I can't just go in and set alternate recovery addresses or something. The point is to be able to get into those accounts later, when my mom is ready. Does she need to keep paying for cell service so that phone number will be able to receive texts, or is there some other way to handle that? Should I go with her when she visits the cell provider (yes she was going to go to a store and do that in person)?

Anybody among my readers navigated this before?

cellio: (Default)

I love you Dad. I'm sure going to miss you. :-(

cellio: (Default)

My employer got bought (again) about a year ago, so we're being moved onto a new benefits setup as of January 1. This means new health insurance (with new prices, sigh...). We were told we'd get our ID cards in December. I have an appointment in early January that would be a pain to reschedule, so I've been watching for these.

Today I received physical mail, but instead of cards, it contained a piece of paper telling me my plan ID # and a URL where I can request cards or print my own.

They sent me paper to tell me how to request paper, instead of just sending the actual paper I needed.

After creating an account (another set of hoops, elided) I saved PDF copies, but I also asked for physical cards because paper probably won't stay in good shape in a wallet for a year. But this was unnecessarily complicated. I also hit a stupid limit: you can make one request per day, but both my medical and dental insurance are now with this carrier, that's two cards, and there was no way to request all cards. I requested the first, which was apparently successful, and when I requested the second I was told I couldn't.

The letter I got suggested I could use "digital cards", meaning download an image on my phone and skip the paper entirely, to "save space in my wallet" (not a concern, since I'm replacing this year's cards!). But my healthcare providers always want to hold the cards, sometimes keeping them for a while so they can do data entry at their convenience during my visit, and I'm not handing over my phone for that. My phone stays with me or, at worst, within my sight and otherwise locked. So paper it is.

I don't know if I'm abnormal or the insurance provider didn't think through their security model (maybe both). They sure didn't think through their model of what's convenient for users or lower-waste for the planet. By the time this is done they will, it appears, have sent me three separate pieces of physical mail.

cellio: (Default)

An open letter to our governor (against a 1000-character limit on the state web site):

Dear Governor Shapiro,

As you are surely aware as a fellow Jew, the spring primary is April 23, the first day of Passover, a day on which observant Jews cannot participate in the election. The PA government has been talking for months about moving the date, but nothing has happened. Is there anything you can do to help? Disenfranchising Jewish voters is hurtful, especially in the presence of antisemitic candidates. It's also bad publicity for our state. Several other states have already corrected this problem, but we have not.

You might say "vote by mail instead", but the last time I attempted to do so, Allegheny County sent me a spoiled ballot and there was no provision for correcting it. I had to go to the poll on election day anyway and then vote provisionally. That made me feel very marginalized. My vote did not count because of a printing error and county offices that did not answer repeated phone calls. If it happens on Passover, I lose my vote.

Please fix this. Thank you.

--

I am aware that the legislature, not the governor, controls this, but navigating the PA legislature is a challenge and the governor should be able to push, if he hears from enough people that something matters. I thought this problem had been solved a month or two ago, but it turns out that the two houses of the legislature disagree over how to fix it. :-(

cellio: (Default)

I came back from Shabbat to a link to this interesting blog post by Jon Ericson. Jon and I haven't discussed this.

The original post contains links that I haven't reproduced in this excerpt:

After contemplating the situation for many years, I've come to the conclusion that Monica ran into a wall of injustice veiled in the language of progressivism. Applying Bari Weiss' framing, Monica was powerful within the community so her behavior was suspect by default. The factors I thought were to her favor by the new ideology didn't seem to matter:

  1. She has vision problems which puts her at a disadvantage in the age of screens.
  2. She's a woman in technology which means she's in the minority.
  3. She's Jewish which puts her in a minority that's been discriminated against so often there is a common word for it in English.

The analysis I should have understood was:

  1. It's possible the people deciding her fate didn't know about her vision. In any case, vision is a problem that can be corrected with technology and money.
  2. In the calculus of intersectionality transgender people are more marginalized than straight women.
  3. What I thought were strong arguments that removing a Jewish moderator on the Shabbat before Rosh Hashanah was a bad look, turned out to not matter. I can't prove it, but I suspect it's the result of subtle antisemitism that comes from observing that Jews tend to be successful in certain fields. Jews might be a minority, but they aren't under-represented so paradoxically that must mean they are among the powerful.

I'm not an expert on these things and so I operated under the naive assumption that progressive ideology was working toward the goal of treating people as if we were all created equal. But the standard tools of the new morality are ineffective. Instead, the logical conclusion of the new ideology appears to require mistreating people who don't conform to its evolving standards.

cellio: (Default)

I just came across a speech that Bari Weiss recently gave for the Federalist Society, specifically for their lawyers' convention. She starts by talking about how surprising a choice she was for that; she's not exactly their type.

I found this worth my time to read. Choosing concise excerpts (to stay within the bounds of fair use) is hard, but here are some bits to give the flavor. I read the transcript; there's also a video if you prefer to listen.

(content warning: Hamas war and reactions to it)

cellio: (Default)

Granted that I'm biased, but if you're still using Stack Overflow or Stack Exchange, either the free sites or the paid service, it's probably time to reconsider. Squandering community trust was already a core business practice, and now it seems like they're having trouble keeping the lights on despite massive cash infusions.

2023 has not been a good year for them. In May they laid off 10% of the company including 30% (!) of engineering, and diverted 10% of those who remained to chasing the AI hype train. Then they barred moderators from acting against ChatGPT-generated nonsense while lying about that policy to the larger community, causing an unprecedented nine-week moderation strike. Early in the strike, it came out that the CEO had personally ordered that the regular data dumps be secretly shut down. (They apparently did not secure the silence of the people they fired.) Those dumps were, from the beginning, a company commitment to the users as an insurance policy against the company turning evil -- you could always take the data and go elsewhere. Except now you couldn't. So that was kind of a big deal, and restoring the data dumps got added to the strike demands.

The strike eventually limped to a settlement, with the ChatGPT policy mostly rescinded, the dumps restored, and a company promise to communicate better. Many remained skeptical; company claims of caring about the community have not stood up to scrutiny in the past, and the current CEO seems especially disdainful. I guess people decide when they've hit the trust thermocline at different times; for some of us it came in 2019, some earlier, and some over the intervening years, and some haven't hit it yet. (This is why it's so hard for communities to migrate. Communities don't move; they fragment.)

But while they've been mistreating their communities, it looks like they've also been having trouble with their paying customers. Cory Doctorow's essay on enshittification comes to mind.

On Monday they laid off another 28% of the company. The layoffs included another two community managers who had advocated for the community, reminding me of when they purged people who had pushed back against toxic company actions in 2019. Questioning the executive team is dangerous to one's career. People are asking some rather pointed questions about the latest action, not that we should expect any meaningful answers. I think the VP who opened that discussion did it to try to channel the venting, not because anybody in company leadership cares.

In the past, the tension at Stack Overflow was between investing in the business to make money and investing in the community whose content enabled a lot of the business. There were trade-offs -- can we make more money from ads without pissing off users, can we neglect maintenance the communities depend on to invest in the SaaS product, can we lower our quality standards to draw more beginner "engagement", etc. "Trade-off" implies that you're giving up something to get something else, but what they're currently doing seems to be bad all around -- they're failing to make money from their paid products and also failing their communities. Prosus, who bought Stack Overflow in 2021 for a jaw-dropping $1.8 billion, must be feeling like chumps right about now. The cost-cutting feels like leadup to a sale, presumably at a large loss, to stop Prosus's bleeding. I wonder how that will go. I'm so glad I don't have to care.

war

Oct. 12th, 2023 06:35 pm
cellio: (Default)

It's so dangerous to say anything online these days, and it feels wrong to say nothing and continue posting the ordinary stuff of my life. I expect this will be my only post on the subject.

Targeting civilians is barbaric. Full stop. There can be no justification for such acts.

Gaza also has a border with Egypt. Maybe the neighbor that wasn't brutally attacked could help Gazan civilians get out?

Gaza elected Hamas. I would normally assume a rigged election or ballots at gunpoint, but to my surprise, I haven't heard anyone make that argument in all this time.

I weep for all innocent bystanders who are harmed or killed in war. One side targets them; the other takes extraordinary steps to protect them even to its own detriment. I wish everyone understood that all human beings are made in the divine image and life is precious.

Peace requires two parties who want it. I pray that day comes soon. Until then, I pray that Israel has the strength to defend itself from barbaric assaults, effectively and with as little collateral damage as possible.

Ken y'hi r'tzono.

cellio: (Default)

If you are someone in the US who needs to keep the existence of your mobile phone a secret -- for example, someone in an abusive relationship who might need to be able to call for help -- then you might want to turn your phone off for an hour or so tomorrow. A test of the national emergency alert system will hit all phones (and TVs and radios), making a loud noise even if you have it in silent or vibrate mode. Scheduled start time is 14:20 Eastern time (UTC 18:20) and alerts could come for half an hour after that time.

Also:

Smartwatches, tablets and other connected devices might also receive the alerts depending on how they are set up and if they’re connected to cellular service directly or tethered to another device that is.

cellio: (Default)

The Shabbat between Rosh Hashana and Yom Kippur is called Shabbat Shuva, the Shabbat of returning, and it's customary for the d'var torah or sermon to focus on the themes of the season. This is the d'var torah I gave in our minyan yesterday.

--

Early in the pandemic, when grocery-store shelves were sometimes empty, I started growing a few things to see if I could produce at least a little of my own food. I've always had kind of a brown thumb, but I'd managed to not kill a basil plant that had come in a farm-share box the previous year, so I was game to try.

I didn't grow a lot – more herbs than vegetables – but the cherry tomatoes I planted were extremely bountiful. Encouraged by that success, I planted more. Last year I found myself fighting unknown critters -- I got a few of the tomatoes but I found more that were half-eaten on the ground. Netting didn't help. Tabasco sauce didn't help. So this year I tried a different variety and a different location.

I got to keep three tomatoes. On the day I was going to harvest six more -- they'd been almost ready the previous day -- I found that something had eaten all the tomatoes and most of the leaves besides. The plant looked dead. I left the dejected remains in the pot for the end-of-season cleanup and stopped watering it.

A couple weeks ago I was pruning some other plants and cut away all the dead stems on that plant while I was at it. Then an amazing thing happened: it put out new shoots, then new leaves, and this week, three small tomatoes. That plant stood up to attack followed by neglect and came back strong despite it all.

--

During the high holy days we focus a lot on our own actions and the things we have done wrong. We focus on making amends for our mistakes, on doing teshuva and turning in a better direction for the coming year. We try to make things right with the people we've hurt. These are all critical things to focus on, and I don't have much to add that hasn't been said hundreds of times before.

Instead, today I want to talk about being on the other side -- about being the one who has been hurt. We know what to do when those who hurt us do teshuva, but what about when they don't? Teshuva is hard, and we know it won't always come.


cellio: (Default)

Me: Opens help chat with Netflix (there is no email option).
Chatbot: Title?
Me: Accessibility options for choosing shows

Chatbot: Sends links to irrelevant articles I already had to click past to get to the contact link.
Me: Clicks "chat with an agent".

(Opening handshake.)

Agent: Can you elaborate the issue that you are facing?

Me: When browsing shows, either on my TV or on your web site, you only show graphics for the shows. I don't see very well and the art is often hard to see, particularly if the show uses small or fancy fonts. Is there a way to see a text list? You used to have that for the web site (but not the TV) but that's been gone for a while. I do not want to have to hover over or navigate into each thing when browsing -- too many to do that. I'm looking for a way to scan a list of titles I can actually see.

Agent: The list is not available anymore

Me: Is there some accessibility setting I can change? It's really frustrating to not be able to navigate your offerings.

Agent: I understand, but there is no setting

Me: Thank you. I understand. How can I escalate my concern? I know that you cannot fix it but somebody at Netflix should be concerned about ADA/accessibility. How do I reach that person?

Agent: There is no one that can resolve it. I can pass on the suggestion and the feedback to our team. And they will look into it.

I suspect I know how that will go. I have the impression that all the streaming services are anti-accessible like this, though I've only done cursory browsing. They probably all think it's ok because everybody else does it. Netflix has had this problem for a while; I don't often use the service because of that, and every time I go to watch something I am reminded of how hostile it is. (In case you're wondering, my Netflix subscription comes bundled with something else; otherwise I probably would have dropped it by now because of this.)

cellio: (Default)

Last month a friend brought over a copy of Flamecraft, which I recognized from our Origins A-list but it was sold out before we could register. The game is set in a town with a collection of shops, each of which natively has one good type that you can acquire there. You can play cards to expand a shop. If you gather the right combinations of goods, you can enchant shops to make them even better (and earn points). Shops have capacity limits, and as they fill up new shops come out so there's always stuff to do. It's a cute game with (mostly) good production values, and I'm glad we got to play it. One thing that I found suboptimal is that the layout is long and skinny, so no matter where you sit, you can't see everything without getting up and looming over the table. Maybe some people don't have that problem, but several of us did.

At Pennsic our camp has a gameroom (look, have you met us?), and somebody brought a copy of Equinox. This is a card game with betting and attempting to manipulate the outcome. There are eight magical creatures, one of which will be eliminated each round. You can place betting tokens on creatures; earlier bets pay off more, but if a creature you bet on gets eliminated before the end, you get nothing for that bet. For each creature there are cards numbered 0 through 9, plus there are chameleon cards (also 0 through 9) that can be played anywhere. On your turn you play a card from your hand into the corresponding "slot" for the current round. You can play over existing cards -- so if someone played an 8 on that creature you want to eliminate, you can play a "0" there. Turns continue until every creature has something for that round (so at least eight turns but it could be a lot more), and then the lowest-valued creature is eliminated and you go to the next round. Each creature also has a special power, which you can use if you play on it and you're the majority bettor. I played this a few times throughout the week and enjoyed it. I expect we'll buy a copy.

Yesterday two friends joined us for games and food and we played Point City, which they had just gotten from Kickstarter. (General release is next month.) This is from the same folks who made Point Salad and the style is similar, though Point City has more strategy. Two-sided cards are dealt out into a market; one side shows one of five resources (or a wildcard) and the other side shows a building. Buildings require specified resources and produce some value -- usually they give you permanent resources, but they might also give you victory points or "civics" points, which are variable scoring rewards. In a manner similar to Splendor, you're trying to build up permanent resources so that you can build other cards without first needing to get and spend the one-shot resource cards. On your turn you take two adjacent cards from the market, and if you take a building you must be able to build it immediately (you do not have a hand of cards). If you don't have a valid play, you draw two resources from the deck.

We played this a few times and liked it -- it's a nice, tight game that doesn't take a long time to play (though I disbelieve the claimed lower bound of 15 minutes, even for experienced players). We plan to buy this when it's available.

cellio: (Default)

The person who murdered my friends at Tree of Life has just been sentenced to death. There will presumably be years of appeals, but it still feels like there's some closure. I mean, as much as there can be when people we cared about are gone and obviously aren't coming back.

I have complicated feelings about the death penalty. In this case I found the defense's arguments wholly unconvincing. We're supposed to believe that someone who spent months planning an attack, who talked coherently about it on social media, who carried it out methodically, and who showed no remorse -- should get a pass because he had a difficult childhood? Lots of people have difficult childhoods but don't turn into bigoted murderers, y'know? I'm no expert, but it seems to me that he was clearly capable of forming intent, and did. I guess the defense made the best arguments they could; they just didn't have much to work with.

I've noticed that the local Jewish newspaper does not use his name, and neither shall I. We don't need to give him word-fame and help make him a martyr. He's a nobody, a murderous nobody -- Ploni.

cellio: (Default)

With no prior expectations, this being my first year, I almost missed this in the pot:

[Photo: pot on patio with full-size cucumber nestled under large leaves]

And it turns out there's a second cucumber, almost full-grown, under those big wide leaves toward the left.

I dunno; I was expecting the fruits to appear where flowers had been, farther out from the base. I guess there was a flower under there. I haven't tasted my new produce yet, but soon!

This is, according to the tag from the seedling, a cucumber "bush". I expected a bush to be less vine-like, but fortunately I could move the pot near a trellis once I realized what I was dealing with. (I have another one that admitted to being viney and it has a tomato cage.)

Meanwhile, I have gotten exactly three small tomatoes off of that plant before the others started disappearing -- two that were almost ripe the previous day, gone when I went to harvest them, and today, many of the still-green ones are gone. This happened with a different variety in a different location last year, too. I might have to give up on tomatoes until I'm ready to build a greenhouse (ha, not going to happen on this property).

cellio: (Default)

I'm the main person doing bug triage for Codidact, which means I go through bug reports and requests that our users have made on our sites and, for the ones that will require code changes, file and tag GitHub issues for our developers. I tend to do these in batches and, unless it's urgent, with a delay -- sometimes the community wants to discuss different solutions first, so we let that play out.

I've been doing a batch of triage over the last few days. Sometimes a bug looks small and easy and I think "you know, fixing that would be less effort than writing it up and tagging it". Sometimes that's actually right. (I have three small PRs open right now.) Other times my attempt to fix it is followed by me writing up the bug. :-) Either way I'm learning stuff, which is pretty cool. Mostly I've been learning about front-end stuff, focusing on the "V" in "MVC". I hope to advance to Ruby/Rails; there are features I want that we haven't gotten to yet and maybe some of them are small enough for a beginner.

Someone asked me if triage is a chore. It's not; I actually like doing what I'm doing, because it's not just copying but analysis and refinement. I'm finding that I can bring a fair bit of architectural knowledge and history to the process. A bug report is a symptom, and sometimes the issue I end up filing is different (with a paper trail). I might not write much code, but I'm pretty happy with my GitHub contributions. :-)

cellio: (Default)

We went to Origins Game Fair for the first time since before the pandemic. We played games.

Wednesday

  • Empire Builder "pot luck": this was a general sign-up, specific groups and games to be sorted out on arrival. We ended up in a four-player game of Eurorails, which I enjoyed. It took longer than usual; part of that was one player, but I think part of it was also some unfortunate card draws. (Fortunately, this was the only thing we signed up for Wednesday evening.) The game has gotten some usability upgrades since last I saw it: the goods chits are now colored with corresponding color-coding on the contract cards, and we played on a dry-erase map (single sheet). I asked about the map: that's something the folks running this did, not commercially available "but maybe later". (The organizers had a large art portfolio with all the maps.)

Thursday

  • Hamburg: Nominally a city-building game (the veneer is kind of thin), the idea is that you have cards that can be used for different purposes: building (two stages), getting workers (needed for buildings), averting catastrophes, building walls, and (if I recall correctly) getting money. In each of eight rounds, the player with the most advanced position in each of five categories gets to check off an accomplishment (if not already met) for end-game points. There's not a lot of interaction among players. It was ok.

  • Fortune and Famine: You're playing leaders in a fantasy setting and your goal is to maximize the grain you have stored by the end of the game. Each round you can bid on new workers: the two fundamental ones are the farmer (pay coins, get grain) and the merchant (pay grain, get coins), and there are several others. In later phases there are upgraded versions of workers, like more lucrative merchants. There are also wizards who perform one-time actions, some of which are attacks on other players, and there are thieves. Sometimes when you draw workers you get famine cards instead and all players lose half their unprotected grain. You can protect (store) grain, so it's safe but no longer available for spending. Each leader has a special ability; mine was being able to protect three grain and/or coins without storing, another was being able to ignore famine effects three times during the game, and I forget what the others were. It's a pretty light, fast game -- I'm going to guess 45 minutes once you know the rules. I enjoyed it enough to buy a copy.

  • Familiars and Foes: A cooperative game in which you're playing low-powered familiars trying to rescue your witches and wizards from monsters. The session was led by the game designers, one of whom also played. It felt a little juvenile; I don't know how much of that was the game itself and how much was this particular session. (We were all adults, to be clear.) I felt it was trying too hard to be cute.

  • Wingspan: I've been hearing good things about this game, and it did not disappoint! (We bought a copy on the way home.) Your goal is to attract birds to your habitat; each bird type contributes to your score and might have special powers that help either the game engine or your final score. Birds can lay eggs (usually needed to get more birds), and birds require the right food to be brought into play. On your turn you can draw bird cards into your hand, play birds, lay eggs, or collect food. Each round has an additional goal (like "birds in trees" or "eggs in box nests") that awards extra points. The game is well-designed (except for storage), well-made, pretty, and fun.

Having two "F-something and F-something" games on the same day was tripping us up all day.

Friday

  • La Familia Hort: Players are competing to inherit granny's farm by building the most profitable plot. Each turn you can buy crops or farm animals, water and fertilize (limited options so you have to choose), and -- when a crop is ready -- either sell it or use it to feed livestock for income. There are also some tools that help you enhance the value of other tiles. You can only have six tiles at a time, though, so you're giving up substantial space to play a tool. The game was light, cute, and pretty forgettable, and did not consume more than half of its two-hour slot.

  • Final Strike: Players are gladiators competing for glory points by killing monsters and their sidekicks. You have a hand of weapons (everyone starts with the same hand), which deal varying amounts of damage and can be upgraded for better weapons that sometimes have special powers. You're trying to deal damage but not so much that someone else can "scoop" you for the kill; the killing shot brings a lot more glory. This game was run by the designer.

  • Gempire: Zarmund's Demands: The novelty of this game is simultaneous play with actions recorded on dry-erase boards for simultaneous reveal. The boards were laid out well so you could easily see what your options are. I am now out of positive things to say about this game.

  • New York Pizza Delivery: Lightweight resource-allocation game. You're building pizzerias in different NYC neighborhoods to meet delivery orders and collect victory points and maybe tips. Ingredient cards in your hand can be used to match delivery orders, or you can use them to add permanent ingredients to one of your pizzerias (can satisfy an order without more cards), or you can discard them to improve your range. There is a "marketplace" of ingredient cards that, in our game, grew quite large and unmanageable. There are also event cards and other special abilities. I came away thinking "meh", though possibly with a better playing space and fewer players it could be fun.

Saturday

Origins has activities other than board games too. Saturday morning we went to a lecture called something like "why you don't want too much realism in your game". This was put on by a wargaming group, so this realism was about battle plans and stuff. The presenter was an Army logistics officer who talked a lot about the stuff that needs to go onto the map that isn't "pieces shooting or blowing things up" -- stuff that's essential to an army actually functioning, but not very much fun for most people to play out. I wasn't the target audience but I still found it interesting. Apparently it was immediately followed by a presentation about making games more realistic (drawing from experience in Desert Storm, it sounded like), but we had somewhere else to be.

  • Mistwind (not published; that's a Kickstarter link): Players are competing to deliver goods to places where they're in demand, using flying whales (if there's a reference here I missed it) to navigate from place to place and building outposts to reduce costs. On each round you will play four of your five numbered tokens, discarding one at the beginning of each round. Each token can, in turn, be played in one of four places: a row of options that give you resources in different combinations, a row of cards that let you build outposts in specific locations, a row of action options (like building whales and outposts or taking the first-player position), and a row of cards giving special abilities or end-game scoring. The trick here is that each of these four areas has five numbered positions, and you have to play your corresponding numbered token. So you can only play one "3" position, for instance, among those four choices. That all sounds complicated and there was definitely a learning curve, but I was getting it by the end of the game and the next one would be smoother. We were playing a prototype and the session was run by the designer, who was taking detailed notes and asked us for feedback. I like what I saw and expect to back the Kickstarter when it goes live.

  • Railways of the World: Rail-building and goods delivery. We've played this successor to Steam twice at past Origins conventions and had one good and one terrible experience (which seemed to be players not the game itself). This time was a good experience; the map for the six-player game is huge and the convention gave them a big round table, which leads to visibility problems for me. The bad experience (last time) was other players basically saying "you'll have to cope"; this time, in contrast, the other players were willing to move the map toward an edge and let me choose my seat to maximize what I could see, at the cost of others having to work harder, and people were happy to help with reading things I couldn't see, and it was all very friendly and positive. With six players there's a lot of contention for routes; each player also has a secret goal that encourages building in different places, which helps mitigate that. You have to look at where the goods come out at the beginning of the game and think ahead to where you might be able to deliver them and what track you'll need to build to do that. It's more forgiving than Steam and we now own a copy (which we will not play on a big round table).

  • Obelisk: Cooperative puzzle-style game. You have a 5x5 grid of tiles, each with an exit arrow on one side, one of which is the monster-spewing portal. During the players' phase you can rotate tiles to build a path (one rotation per tile ever), build towers at intersections to capture monsters from the adjacent four tiles, mine resources needed to upgrade towers, and do those upgrades. During the monsters' phase, a random assortment of monsters (three different types, varying in speed and strength) emerge on the portal and start to move along the path. If you have a strong-enough tower when a monster passes by, you can capture it (one capture per tower per phase). If a monster escapes the board or visits a tile for a second time, the players lose. It's a quick game, maybe 20 minutes; we lost our first game, declared the second layout untenable from the start, and won a third game with effort. We bought a copy. This game, too, was run by the designer.

General

We had more gaps in our schedule than in past years, some by design and some by games running short. We planned for some of that and got a hotel room across the street from the convention center. That location turned out to be noisy, but the convenience of being able to go back to the room for an hour instead of finding a place in the convention center to sit and read was a big win. And the hotel room didn't have annoying fluorescent lights.

In the past there have been some "general game-store" vendors, but this year we didn't see that -- general vendors for trading-card games and lots of individual publishers, along with the usual assortment of auxiliary vendors (dice, art, t-shirts, special-purpose gaming tables, costumes, etc), but no general stores for board games. Fortunately, we have a local game store we can support, and they even had Wingspan in stock so we didn't have to wait.

We were on the fence about True Dungeons this year, and then learned they wouldn't be there -- dilemma solved. :-)

Attendance was a lot lower than what I remember from 2019 (and some vendors commented on this too). I'm guessing half?


I still don't have time for deep commentary (just got back from Origins; post about games to come), but there have been some developments since the Stack Overflow moderation strike began on June 5:

Data dumps

From very early on, Stack Overflow Inc. has published a quarterly data dump of all of the content (with attributions etc.) from all network sites. This was the explicit insurance in case Stack Overflow turned evil in the future, as Experts Exchange (the company whose behavior led to SO being created) did. All of that content is under a Creative Commons license and is meant to remain available.

Someone noticed that the June dump had not been posted on schedule, and asked a question about it. One of the people who was part of the 10% layoff in April replied, saying that the dumps had been disabled at the end of March with an annotation that they were only to be restored at the direction of the "Senior Leadership Team" (this usually means C-level executives). That drew some attention.

The company spent several days ignoring, then brushing off, then making excuses for this unannounced change. Nothing they said was credible. The strikers added "restore the data dumps" to their list of demands. After almost a week, the June dump was posted. No public promises have been made about the future yet as far as I know (though, see "was away for several days" above).

Spam overflow

With about 1500 curators (including about a quarter of moderators network-wide) on strike, and more importantly with the volunteer-run anti-spam automation turned off, the junk's been piling up. Reportedly, employees are now spending time handling spam, cutting into their day jobs.

While we're told that discussions are happening between representatives from the moderators and the company, they don't seem to have made much progress. A moderator told me that the company committed to keeping the data dumps coming, but it sounded like it was specific employees making the commitment, so the promise might not outlast their employment.

Rules for thee but not for me

In addition to violating the moderator agreement in a few ways (leading to the strike), the gen-AI-hype-chasing company recently announced that they are going to launch a site for "prompt design" (I am not making this up), but they're not going to use their existing process for creating communities because it doesn't work well, so instead they're looking for people to be part of a behind-closed-doors steering committee or some such, with the goal of launching the site by July 26.

The CEO is giving a talk about gen-AI hype at some conference on July 27.

Meanwhile, people who are trying to launch communities using the current process would like a word.

Meanwhile, over at Codidact...

Stack Overflow Inc. has given us a gift. We have lots of new participants and new activity, and some active efforts to build new communities here. Nice! We've gotten some questions about differences, and I was starting to think that we need an "immigration guide", and then someone reminded me of this early post asking about differences -- with a new answer from one of our new users. Nice.

It sounds like we might also attract some contributors on GitHub, which would be great. We have many things we want to do and not very many people.


I don't have time for a full writeup of this right now, but here are the "highlights" of Stack Overflow Inc.'s latest community-affecting actions.

The CEO has recently gone all-in on generative AI and LLMs, the technology used by ChatGPT. He allocated 10% of the company to work on unspecified ways to use LLMs in their platform, and he's made some incoherent blog posts that scream "chasing the hype train". He also laid off 10% of the company including 30% of engineering and two community managers.

Stack Overflow the site does not allow answers written by ChatGPT. They worked together with community managers to develop that policy. Their moderators are seeing an increased workload because there's so much machine-generated crap showing up now, but the moderation tools and processes in place are handling it.

Or were. On Monday the company announced a policy that basically bars moderators from moderating this content. For further complication, the public announcement does not match what moderators say they were told privately -- they were actually told to start enforcing a strict hands-off policy without letting users know.

(The public post kind of back-handedly called moderators bigots, too. I guess at least this time they didn't smear anyone by name. But still... ick.)

People are, naturally, upset, both by a policy that invites non-vetted machine-generated "answers", and by the way it was done. Moderators' attempts to discuss these issues with the company have been rebuffed. One popular theory is that the CEO, having gone publicly all-in on LLMs, was embarrassed to find out that his flagship site deletes that stuff.

So there's going to be a strike. More than half of the Stack Overflow mods, many other mods across the network, non-moderator users who do the important curation tasks, and the user-run tools that detect spam and other problems across the network -- all shutting down. These people are all unpaid volunteers who are realizing that the company that relies on their free labor doesn't actually care about them.

Noticed in passing: there are a bunch of userscripts that power users use to make the site easier to maintain. These scripts are very popular. One of them now adds a banner to the top of the site that says:

We are calling for solidarity against actions taken by Stack Overflow Inc, which is posing a major threat to the integrity and trustworthiness of the platform and its content.

Clever.

For more detailed background and why this matters so much to the people involved, I recommend this post from a former community manager.

--

Update, 2023-06-05: From Meta.SE: Moderation Strike: Stack Overflow, Inc. cannot consistently ignore, mistreat, and malign its volunteers (includes demands), mirrored on Stack Overflow Meta.


Dear Brain Trust,

I played a lot of Magic: The Gathering when the game was new, and through the first several expansion sets, before eventually drifting away for various reasons. At one point I sold a few valuable cards individually on eBay, and gave most of the rest away to young friends who were just getting into the game. I held back a few cards that I had a nagging feeling were or would be valuable, or that I just had sentimental attachment to, and that weren't going to make a difference to my friends anyway.

I got email from Origins (a gaming convention we'll be attending next month) that, among other things, highlighted a dealer specializing in collectible card games (CCGs) who will have buyers at the con -- so, the email says, bring your cards if you're interested in selling, either individual cards or collections.

So hey, I said to myself, what are these cards actually worth? I looked up some of them on that dealer's site -- that is, what they are currently selling these cards for -- and my jaw dropped a little. But that's sale pricing.

What is a typical range for the difference between buying and selling prices? What should one reasonably expect a dealer to pay, as a fraction of the selling price?

I would have thought this would be something I could answer with a web search, but either it's not or, more likely, I'm not formulating my queries well, this not being the sort of thing I generally do.

Anybody have any advice that will help me evaluate price offers from a dealer?

(I know about grading as a concept, but I think that's orthogonal. Dealers sell cards that are near-mint and cards that are well-played and everything in between. The buy/sell ratios would be about the same across the board, wouldn't they?)


Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com, will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode look-alikes for characters you expect in URLs (the "∕" in the first URL above is U+2215 DIVISION SLASH, not the ASCII slash that separates path segments, so a parser never sees a path there at all), this can send you somewhere very different from where you thought you were going: everything up to the @ is discarded as user info, and the host is whatever follows it.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit: also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful (thanks [personal profile] gingicat).

I might just edit my hosts file to wholesale block these domains.
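As an added illustration (this is my code, not from the original post or the quoted article), here is how Python's urllib.parse dissects the three URLs quoted above, with a small triage check that flags the three tricks involved: a user-info section ending in @, non-ASCII look-alikes in the authority, and a host whose TLD doubles as a file extension. The two GitHub URLs are reconstructed from the post with the look-alike separator written explicitly as U+2215 DIVISION SLASH; the set of file-extension TLDs is an assumption covering only the two the post mentions, and the function names are mine.

```python
"""Dissect URLs the way a URL parser does and flag the tricks in the post.

Added example for this post, not code from the original article or from
Python's documentation. Assumptions are marked in comments.
"""
from urllib.parse import urlsplit
import unicodedata

# Assumption: TLDs that double as file extensions. The post names only
# .zip and .mov; extend this set if other such TLDs matter to you.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed samples that mirror the URLs quoted in the post. The first
# uses U+2215 DIVISION SLASH between the "path" segments: it looks like
# '/', but a URL parser does not treat it as a path separator, so the
# whole run up to '@' becomes userinfo and the real host is v1271.zip.
DIV = "\u2215"
PHISH = (
    "https://github.com" + DIV + "kubernetes" + DIV + "kubernetes" + DIV
    + "archive" + DIV + "refs" + DIV + "tags" + DIV + "@v1271.zip"
)
LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
MIXED = "https://google.com@bing.com"


def dissect(url: str) -> dict:
    """Return the parts a browser cares about, plus warning flags."""
    parts = urlsplit(url)
    # The authority is everything between '//' and the first ASCII '/',
    # '?' or '#'. Anything before its last '@' is userinfo, which modern
    # browsers silently drop; what follows the '@' is the host.
    userinfo = parts.netloc.rpartition("@")[0]
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    # Name every non-ASCII character in the authority so look-alikes
    # such as DIVISION SLASH are called out by name.
    lookalikes = sorted(
        {unicodedata.name(c, "U+%04X" % ord(c)) for c in parts.netloc if ord(c) > 127}
    )
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": host,  # where the browser actually connects
        "path": parts.path,
        "has_userinfo": bool(userinfo),
        "non_ascii_in_authority": lookalikes,
        "tld_is_file_extension": tld in FILE_EXTENSION_TLDS,
    }


def is_suspicious(url: str) -> bool:
    """True if the URL shows any of the three warning signs from the post."""
    d = dissect(url)
    return d["has_userinfo"] or bool(d["non_ascii_in_authority"]) or d["tld_is_file_extension"]


if __name__ == "__main__":
    for label, url in (("phish", PHISH), ("legit", LEGIT), ("mixed", MIXED)):
        d = dissect(url)
        print(f"{label}: connects to {d['host']!r}, userinfo={d['userinfo']!r}, "
              f"look-alikes={d['non_ascii_in_authority']}, suspicious={is_suspicious(url)}")
```

Run it and the first line shows the browser would connect to v1271.zip, with the entire fake github.com "path" sitting in the discarded user-info section. Two caveats: the check is only a triage aid (a plain https://evil.example/ passes it untouched), and a hosts file has no wildcards, so it can pin individual names but cannot block a whole TLD; TLD-wide blocking belongs in a resolver or proxy policy.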


There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

Read more... )

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>


Someone on my previous post mentioned pictures, so I'll go ahead and record the starting state of the garden.

photos )
