Author: Adam

  • I collect pens. No it’s not strange at all.

    So as I have mentioned at other points I do collect pens. Specifically I collect fountain pens that I use for note taking and other writing at work and home.

    Why fountain pens?

    Well, I’m left handed, and what I find is that the inks that I use in them wind up drying quicker than the normal inks in most ballpoint or gel pens, so I don’t get as much of it on my hands as my writing hand is dragged through the stuff I just wrote down.

    So how did this start?

    I was down in San Francisco for a work trip and was wandering in the area around Moscone Center before having to do work stuff, and I found a pen shop that was going out of business. While wandering around in there I found a green Lamy All-Star that caught my eye, and since it was on sale for a good price I picked it up on a whim. Within 10 min of using it I wound up going back after work to pick up another Lamy Safari that they had in stock, since it was again very cheap and I really liked the way the things wrote.

    Over the years any time that I was shipped someplace for work I would wind up sniffing out Lamy Safari and All Stars and would pick them up as souvenirs of my travels. The thing with these pens is that Lamy releases special editions every year with them in new colours, so even after I stopped traveling I kept picking up the special editions from a local pen shop that I like to go to. At this point I think I probably have well over 60 of the things now.

    That’s just a few of them.

    Since then I’ve also picked up some other pens from Pilot and Twisbi, and I’m eyeing some others that look interesting to me but there’s a limit to how many of these things I can justify having sitting around.

    The key for me is that these are pens that I use – I rotate through these things over time, switching them out as they run dry on ink so that they don’t just sit lying around doing nothing. I wouldn’t mind having a better way to display these things other than the cases that I’m currently using, but I haven’t had time to figure anything out. Might need to spend some time with a 3D modelling tool and a Skadis pegboard or something like that.

  • Tools, and when it pays to be picky about them.

    As I have gotten older over the years I have in a lot of regards become less and less picky about brands for some things. However one place where I don’t like to bend is when I’m picking up tools that I’m going to be using a lot.

    I’m not just talking about hand tools here either; one of the strangest things that I am picky about is my writing instruments and the keyboards that I work with.

    These are items that, at least while working, I will have my hands on all day long in some form. Whether I’m taking notes, typing emails, writing documentation, or just doing other stuff, keyboards and pens are two of the more important things that I have in my bag.

    When given a choice I don’t think I’ve used anything other than a fountain pen for coming up on a couple of decades now, and I’ve bought far too many keyboards trying to find the right one for a full day’s use.

    Thinking about it, this even impacts my choice of laptops: either a ThinkPad or an Apple device, since they seem to have the best keyboards around for typing.

    Even though I consider myself picky about these tools, I will use whatever is at hand if I don’t have a choice in the matter. And while someone might look at me writing with a $75 pen and think that’s crazy, there are people out there walking around with pens worth far more than what I’ve spent in their notebooks.

    For me it makes sense to pay the premium for something that I’m using every day all day long. I would rather pay once and cry about the price once rather than keep having to replace tools that break or can’t do the job.

    This is definitely something that I picked up from my father. He worked as a mechanic for years, and if you look through his tool box he had some stuff in there that was completely overkill for someone who was not pulling massive trucks apart daily. For him, however, the cost of a broken tool meant that a job might not get finished on time, leaving a truck out of service. There were some tools in the box that were really cheap – mostly stuff that it looks like he bought for a single job and then tossed in the back of his toolbox and forgot about. You can tell what was important, however, just by the feel of the tools that were in the box.

    I suppose at some point I’ll do some reviews of pens and other tools that I’ve got sitting around, for now however it’s getting to be bedtime and it’s time for some sleep.

  • Go watch The Boys.

    The last season of The Boys is airing on Amazon Prime right now, and if you have not gone through and watched it yet, you should.

    It’s gory, and not something that you would want kids to watch, but it’s damned good, and while I’m kind of sad that it’s going to be ending after this season, it’s shaping up to be a banger of a send off.

    The folks at Amazon have had a couple of really good shows in the last couple of years. Reacher is a solid watch, and the Eye of the World series they did was good, and it’s too bad that it was cut short since there is a pile of material they could have run through for that series.

    Either way, if you haven’t seen it yet go get started on The Boys. It’s well worth the time.

  • VMWare and alternatives.

    Working in software, I frequently find myself having to test things with my company’s products and other products that our stuff is interacting with or potentially competing with. A huge tool for this has been the ability to run virtual machines on my desktop, laptop, and the dedicated “servers” that I keep around. For the longest time VMWare was the gold standard for this workflow and I was a huge proponent of their products.

    As much as I do like free software and will use it whenever I can, for a very long time VMWare Workstation and ESXi Server were the gold standard, and I ran both solutions at home and at work to simulate large pools of machines and to test out things that needed to be looked into.

    However, in 2022 an announcement was made by Broadcom that they were going to acquire VMWare.

    Anybody who’s been in enterprise software for a while kind of had a bad feeling at that point. Broadcom has a bit of a reputation of acquiring companies and maximizing shareholder value at the expense of end users.

    Now roll the clock forward two years and the free version of ESXi that a lot of people cut their teeth on is gone, without anything to replace it from Broadcom. And sure, they have made the desktop products, VMWare Workstation and Fusion, free for pretty much anybody who wants to use them, but there’s also no support for those products any more from the folks at Broadcom. So if you have any issues you had better pray that someone on the forums has an answer, and that Broadcom will continue to see value in updating the product so that it keeps working properly.

    Personally, once I heard about the purchase I started looking into some other options. After playing with XCP-ng, Proxmox, and a few other options I eventually landed on Proxmox as a replacement on the server side of things. It turned out to work well enough that it replaced the OS not only on my own servers but on all the devices that I had sitting at work that were running VMWare products. We still have the desktop product sitting around as it’s still a better user experience than VirtualBox, but as we start refreshing hardware I’m starting to force my staff to deal with VirtualBox, just to see if we can’t make that work in preparation for Broadcom doing something to finish off killing VMWare Workstation.

    Given that it’s always a good idea to have a backup plan, I’m probably going to toss XCP-ng on another box at home and start playing with that more, just in case Proxmox decides to do something that I can’t stomach in the future. Hopefully that’s a good long way off though.

  • Ok, new camera, now for the extras.

    While my D70 did a great job for me for 20 years it recently became time for a new camera and after a lot of digging around I picked up a Nikon Z50 II to replace it.

    I was considering something in the Nikon DSLR range rather than the mirrorless cameras, but after looking at the DSLR range and looking into the differences between them I really liked that the Z series was a bit smaller and lighter. That would be better for packing the thing around while travelling, since that was one of the things about the D70 – it wasn’t really a small camera.

    So, after looking at the options I ruled out the Z30 since I like having a viewfinder for composing photos but anything higher than the Z50 or Z50 II jumped the price up quite a bit and didn’t give me enough to justify paying the extra.

    Since they generally have deals on kits with these things I picked up a two lens kit that paired the body with a DX 16-60mm f/3.5-6.3 and a DX 50-250mm f/4.5-6.3 lens. I know that a lot of people poke at the kit lenses as being less than ideal, but the pricing of the kit was such that the lenses were almost a two-for-the-price-of-one thing, and it gave me some glass to put on the body to get started.

    The lenses are good enough for most of what I’m doing right now; they give me a good range of focal lengths and are fast enough that I can actually use them when I’m walking around. Now, personally I prefer shooting with prime lenses, not zooms. On the D70 the most common lens you would find attached to that body was the 50mm f/1.8 that I picked up, and after a short while I found that I really missed having a fixed lens on the camera. Shortly after I picked up the kit there was a point where the Nikkor Z DX 24mm f/1.7 was on sale, and after taking a look at some reviews I picked that up for the kit as well.

    In the end I’m going to be looking for a couple more prime lenses, probably something in the 40-60mm range, and then something around 100mm or so. There are lots of nice options in the lineup, and I really have an eye on the MC 105mm f/2.8 VR S and the 50mm f/1.4 that they have in the lineup right now.

    The other thing that I did have to do was pick up some extra batteries and some SD cards. The batteries, man, those were just wild. On Nikon’s website their batteries run about $100 CAD, but you can’t charge them outside of the camera unless you pick up a charger that they don’t include with the Z50II. What I wound up finding was a set of batteries from a company called SmallRig that not only replace the OEM one but have a USB-C connector on them, so that you can just plug the battery in to charge with any USB power source. That option being about half the price wasn’t hurting the decision either.

    SD cards were pretty simple, just some reasonably fast Sandisk ones at 256GB and I’m good to shoot for a very long time with those.

    The nice thing about sticking with Nikon is that the flash unit that I have works with the new body. It’s limited to lower sync speeds and such than the newer ones, but it still works as well as it did on the D70, and if I’m in a space where I need a flash head I’m probably not too concerned about the 1/60th sync time. At some point I’ll swap out to something newer, but that can take a back burner until some of the lenses are swapped out or the existing flash unit packs it in.

    I’ve had the camera for a couple of months now, so in about a year I should have a handle on it and be more comfortable with the use of the device, until then I need to just get out there and snap photos as often as I can.

  • OS Choices.

    So it’s time again to reload the operating system on my gaming machine, and the question that I had to answer was what operating system I was going to run this time around.

    The options are to stick with Windows 11, or move over to some flavour of Linux for my operating system. This specific machine is primarily a gaming machine these days, since anything of importance has been moved over to the MacBook Pro that I’m typing this on now. And because I’m going to be gaming on the thing more than anything else, that drives me back into running a version of Windows.

    I know that gaming on Linux has come a very long way in the last few years with what Valve is doing, but every time that I try to run games on a Linux machine I wind up having to deal with fiddly bits and problems – all things that can be overcome, but all are things that I shouldn’t have to overcome at all.

    The gaming machine is essentially a toy for me. I want to sit down in front of it, click an icon and enjoy a couple of hours of distraction from my day to day. I work with Linux a fair bit at work, and run multiple systems running various editions of Linux at home for various reasons and in the places where I have it running it’s solid. Gaming though is not quite there and Windows isn’t quite bad enough to force the switch for me right now.

    Will this change later? Possibly.

    Microsoft is saying the right things about cleaning up a lot of my objections about the operating system in the last few weeks, but those are just words and we will have to see if their actions actually pan out.

    For now though, it’s an install of Windows. The question is which one?

    Well, it’s some flavour of Windows 11, since Windows 10 is out of support. And while using the LTSC/LTSB or IoT version might seem like an interesting idea to avoid some of the bloat, getting licensing for those versions isn’t always easy for a home user, and I’ve seen a few oddities with those versions of Windows when trying to use them for general purpose use. Again, nothing horrid, but I don’t really want to be chasing down problems, so Windows 11 Pro it will be.

    And it’s Windows 11 Pro mainly because that’s what I have a license for; the non-Pro edition would have worked just as well for gaming, but it is nice to be able to remote desktop into the machine when I’m away from home. The other added bonus is that you can start turning off some of the annoying Microsoft Account prompts, as well as turning off some of the cloud content that is generally a headache to deal with.

    Another thing to consider is that I can go from bare metal to a working OS on the Windows side of things fairly quickly. Over the years I have had to build a number of scripts and other tools to speed up deployments. With Winget and a few other PowerShell commands I can get the software that I need on a Windows machine by running two commands. On a Linux box I haven’t spent enough time to have that level of automation built, so setting up a machine on that platform will take me longer. It’s also going to involve a lot more tinkering for something that does just work on a Windows device.

    And really these days I’m all about making things simple.

    There are enough places where I can’t get away with that and have to go through all sorts of mess to keep things secure, locked down, and safe. A gaming machine that’s going to have no critical data on it should just be something that I can play with.

  • It’s tough being interested in tech now.

    So someone in the extended family is looking at getting a new PC, and normally I’m all in to helping with that. I enjoy browsing parts, looking for deals, and otherwise just sniffing around and seeing what I can find.

    However the situation with RAM and Storage just has me shaking my head.

    I bought this same kit of RAM about a year ago for less than half of what it’s going for on Amazon right now.

    Even smaller kits are just getting stupid in price. So this time around, digging into parts kits, something that I would have easily been able to do for around $1000 is suddenly looking like a $1300 affair. And god help you if you wanted something with a GPU in the thing.

    It’s just disappointing that, for the first time in as long as I can remember, the amount of computer that you can buy for a given price has dropped significantly.

  • Interesting projects and their use of AI

    I came across a video about a neat looking project today:

    https://pegaprox.com

    I run a pile of Proxmox clusters at work and home for various reasons, and while they work well and the UI is functional, I still have eight different clusters that I’m logging into to manage devices on.

    Yes, I know we could just put all the servers into a single cluster but there are reasons that we aren’t doing that I’m not going to get into here.

    What I did find interesting was that this is presented as an open source option for consolidating the control of the hypervisors in a single location. After watching some reviews I was looking at setting this up, but some of the reviews online were insinuating that the entire project was vibe coded by AI. I’ve played with some of those tools, and while I’m not a coder/developer for a living, playing with those tools has given me a distaste for vibe coded applications.

    Generative AI has a place in software development – it’s going to be able to review for common problems, audit for common security issues, and stuff like that faster than a person can read through the code. However, every time that I was playing with tools that generate code, they were super literal if you asked them to build something. For example, I was looking at using one to build a web app to handle checking out loaner equipment for my team, and the first run of the application built out a way to check out equipment, but no way to check it back into inventory when the loan was complete. Now, any of the human developers I’ve worked with would have made the jump and figured that if the device was being checked out it would need to be checked back in – but the AI tool didn’t.

    To be fair, it built exactly what I asked it to, so you can argue that the fault here is that I didn’t prompt the tool correctly and technically you are right.

    But let’s go back to PegaProx and have a peek at their website:

    So they don’t hide that they are using AI assisted development. Points to them on that, I suppose, and they do then explain their view regarding the use of AI. They classify vibe coding as getting into a cab and telling the driver to take you someplace with good food, vs picking a place and using a GPS to get to your destination. In both cases you wind up getting something to eat, but in one case you aren’t deciding where you are going or how you get there at all; in the other you are the one picking the route and making the turns.

    In the end the developers of this project are saying that all the code is reviewed by humans, thoroughly tested, and that they are taking full ownership of what’s being put out. And that’s something that aligns with my view on these tools. If what they are posting on their website is accurate then this might be something worth having a look at. However, I don’t know the people behind this and this is a pretty new project – the first “release” was only back in January of this year, so there’s not a lot of history here to look at.

    So, while they are saying the right things, they haven’t been around long enough for me to just toss this into production right now. And when looking at one of the documents online, they implied that the authors recommend using the root account for your Proxmox servers to set this up. And after poking in the documentation:

    Yep, that’s what they are recommending. And honestly that’s more of a red flag to me than the use of the AI tools is. Root accounts are not things that you just toss around; integrations like this should always be done through APIs or service accounts, much like how Proxmox does this with their Datacenter Manager tool. Handing over the root account for my servers to any other tool is not something that I’m really comfortable with.

    I think that this project is definitely worth watching to see where it goes. Hopefully they are onto something good and can keep building something useful here.

  • Why are supply chain attacks terrifying?

    OK, in my post on the whole situation with routers in the US I mentioned something about supply chain attacks. As someone who works in the software world, those things are absolutely terrifying, and I think that it deserves a bit of a deeper dive.

    So, for people that work in software, this is probably going to be a bit boring, but for people that aren’t in software for a living you need to understand how software works when people are building products for you to use.

    Software can be complex, so complex that in a lot of cases people will re-use code to avoid having to rewrite things from scratch each time they go to do something. This can come in a bunch of different forms, but it usually winds up being a dependency that comes into play when you go to use a product.

    So let’s say that I’m building software that tracks inventory. Details don’t matter much but at some point I’m going to have a requirement to store data for use of the product, and chances are that I’m going to be using some type of database engine to allow that to happen. So I can go and write my own database engine from the ground up and go through all the work of getting that developed, performance tuned, and ready to go.

    Or I can just install PostgreSQL, a FOSS project that already does this. It has solid documentation, community support, and a history of being able to scale in a way that’s probably in excess of what I’m going to require.

    The same thing applies to my user interface. I can build my own from the ground up, or I could use something like Gradio that provides me with a lot of building blocks to make building my UI quicker so that I’m not having to reinvent the wheel.

    Now here’s where things start to get messy. While our application only has two dependencies, each of those products has its own dependencies, and each of those dependencies has its own dependencies, and each of those has potentially more dependencies that come into play. How deep is that rabbit hole?

    You can get to the bottom of that rabbit hole, and I’m sure that there are companies out there that will spend the time to do so. However I’ve worked around software developers for a long time and as sure as I am that there are companies that handle this properly I’m just as sure that there are many that do not.

    So why is this important and how does it become an attack vector?

    Let’s say that my inventory application becomes something crazy good, winds up getting used all over the place, even to the point where it’s now in government systems being used to track things that are considered very important. Let’s even say that whatever the application is tracking is important enough that there are people who are now very interested in breaking into those systems and getting access to the data that they contain.

    So now my little application is a target. Potentially one that’s worth some money to somebody who is able to break into it.

    So now that I’m a target, people are poking at my software, looking for anything that would allow them to get into my product and mess around. However, let’s say for the purposes of this post that I’m reasonably competent and that my app is solid enough that attackers can’t get in by going after my code. So now what do they do?

    Well, my product has some dependencies, and those products have dependencies, and let’s say they walk down that chain and eventually come across something used by one of my dependencies – and now, by extension, used by my product. Now the objective is to get control over whatever that is and try to bend it to their will.

    Perhaps they submit some helpful bugfixes that hide some malicious code. Perhaps they bribe or buy the control of that dependency from the person who is in control of it now. In either case they now have control over that dependency and by extension can now get into my chain of dependencies and start looking at ways to cause problems for my product. Perhaps they write code that steals passwords and other secrets. Perhaps they find a way to build code that lets them copy data out of my product. In either case the attacker has managed to breach my product.

    Now let’s say that I’m really good at what I do, I maintain a full software bill of materials (SBOM), and I know that this dependency exists and is something that I have to keep track of and watch for problems with. Even then, in a lot of cases dependencies are just used by the people building the code without a huge amount of review of the actual code involved. That type of review is fairly labor intensive. So even if I am crazy good and willing to put the time in to review the code, there’s still a chance that it might be outside of my area of expertise and I might not catch what was being done and flag it as malicious.

    Let’s say that I’m as good as possible, and I’m paranoid as hell and decide to fork whatever I’m using and freeze things so that I’m not pulling in changes from those products once I have things working. At some point there’s still going to be some problem that I run into that will require me to update the dependencies that I’m working with, either because of a vulnerability or a functional bug that needs to be fixed. At that time there’s still a chance that things that I don’t want get into my product.
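    The defensive side of the last few paragraphs, as an added example that is not part of the original post: walk a lock file’s dependency graph to see how deep the rabbit hole goes, then diff the resolved tree against a frozen SBOM so that the only things a reviewer has to actually read after an update are the packages that appeared or changed. The package names and versions are constructed for the example, and the lock-file format is a simplified dictionary rather than any real package manager’s file.

```python
"""Walk a dependency graph, measure its depth, and diff it against a frozen
SBOM so that new or changed transitive dependencies get flagged for review.
All package names and versions below are constructed for the example."""
from collections import deque

# Constructed lock-file-like graph: name -> {"version": ..., "deps": [...]}.
# The app declares two direct dependencies (the "database" and the "UI
# toolkit"), but those pull in further packages of their own.
LOCKFILE = {
    "inventory-app": {"version": "1.0.0", "deps": ["db-engine", "ui-kit"]},
    "db-engine":     {"version": "15.2",  "deps": ["libssl-shim", "zlib-shim"]},
    "ui-kit":        {"version": "4.1.0", "deps": ["http-lib", "templating"]},
    "http-lib":      {"version": "2.3.1", "deps": ["tiny-padleft"]},
    "templating":    {"version": "0.9.0", "deps": ["tiny-padleft"]},
    "libssl-shim":   {"version": "3.0.1", "deps": []},
    "zlib-shim":     {"version": "1.3.0", "deps": []},
    "tiny-padleft":  {"version": "1.0.0", "deps": []},
}


def transitive_deps(graph, root):
    """Return {name: (version, depth)} for everything the root pulls in.

    Breadth-first, so the recorded depth is the shortest chain from the root;
    a package reached by two paths (tiny-padleft above) is reported once.
    Raises KeyError if the lock file references a package it never defines.
    """
    seen = {}
    queue = deque((dep, 1) for dep in graph[root]["deps"])
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue
        seen[name] = (graph[name]["version"], depth)
        queue.extend((child, depth + 1) for child in graph[name]["deps"])
    return seen


def dependents_of(graph, target):
    """Which packages directly depend on `target`? This answers "how did this
    thing get into my build?" once a package has been flagged."""
    return sorted(n for n, meta in graph.items() if target in meta["deps"])


def diff_sbom(frozen, current):
    """Compare a frozen SBOM {name: version} with the freshly resolved tree.

    Returns sorted lists of packages that appeared, packages that went away,
    and packages whose version changed (with old and new version).
    """
    added = sorted(n for n in current if n not in frozen)
    removed = sorted(n for n in frozen if n not in current)
    changed = sorted(
        (n, frozen[n], current[n][0])
        for n in current
        if n in frozen and frozen[n] != current[n][0]
    )
    return {"added": added, "removed": removed, "changed": changed}


def review_update(frozen, graph, root):
    """Resolve the tree, diff it against the frozen SBOM, and report the
    deepest level reached. Anything in 'added' or 'changed' is what a
    reviewer has to read before the update is accepted."""
    tree = transitive_deps(graph, root)
    report = diff_sbom(frozen, tree)
    report["max_depth"] = max((d for _, d in tree.values()), default=0)
    return report


# Constructed "last known good" SBOM, frozen when the app last shipped.
# ui-kit has since moved to 4.1.0 and started pulling in tiny-padleft.
FROZEN_SBOM = {
    "db-engine": "15.2", "ui-kit": "4.0.0", "http-lib": "2.3.1",
    "templating": "0.9.0", "libssl-shim": "3.0.1", "zlib-shim": "1.3.0",
}

if __name__ == "__main__":
    report = review_update(FROZEN_SBOM, LOCKFILE, "inventory-app")
    print(f"tree depth: {report['max_depth']}")
    for name in report["added"]:
        print(f"NEW     {name} (pulled in by {dependents_of(LOCKFILE, name)})")
    for name, old, new in report["changed"]:
        print(f"CHANGED {name}: {old} -> {new}")
    for name in report["removed"]:
        print(f"GONE    {name}")
```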

    The software industry as a whole has processes in place to try to catch this stuff, but there’s still a lot that just seems to run on trust, and some programs pull in a lot of libraries for simple things. Hell, a few years ago a small utility (11 lines of code) in NPM was pulled from the repository over a dispute and managed to cause enough chaos in the course of a couple of hours that NPM wound up restoring the thing from backups to keep the world working properly. In this case the supply chain attack wasn’t being done to break into systems or steal data; it was a protest of sorts, but the end result was very disruptive.

    So, even doing everything right and being very good about the security of my product, there’s still a very real possibility that I’m getting breached, and if I’m not paying attention and don’t happen to catch what’s going on, this type of breach could run for a very long time before it’s caught, patched, and no longer a threat.

    That’s why these supply chain attacks are terrifying. And if you have coworkers or other folks who don’t seem to see this as an issue, that’s a pretty big red flag to watch for.

  • Sure, you are banning them for “security” reasons. Right.

    So a couple of days ago the FCC updated a list of banned telecommunications equipment to include, and I’m quoting here:

    Routers produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.

    If you want to read it, it’s all on the FCC site linked here.

    Now, as far as I’m aware there are no domestic manufacturers of routers in the USA. So what they have done is ban the import and sale of any new equipment that does not already have an FCC approval tagged to the device.

    If there was a legitimate concern about the security of routers that are deployed in the world, why are only new devices being targeted? I would assume that the decision to ban these things is based on some legitimate history of security issues or a history of operating in bad faith on the part of these manufacturers. So if that is the situation, why are the existing devices not getting flagged as a problem? Why are we not being told that it’s time to replace those devices?

    So if there isn’t a history of bad behavior what is this about? The argument as I understand it is that there are concerns about the security of the devices and their potential to be used as an attack vector rather than any indication that they have been used as such.

    Is that legit?

    Arguably yes, but without a history of bad behavior this is either the US Government pressuring the hardware vendors to move manufacturing back to the US, or it’s a breakdown in the chain of trust that has allowed us to take advantage of offshore manufacturing for as long as we have.

    If you look at it, every device that you use establishes a chain of trust, whether you realize it or not. Let’s look at your phone, say an iPhone of some generation.

    First of all you are trusting Apple, since they built the device and the operating system that it’s running. Implicit in that is that you are also trusting everybody that Apple has trusted as part of their development and supply chain, on both the hardware and software side of things. This includes the folks that manufacture the screen and storage, and the developers that write the software that makes up iOS – including any libraries or tools that they use to build the operating system.

    You would think that this is fairly simple, but the supply chain for software and hardware gets really complicated, really quickly. If you look at the news there have been all sorts of supply chain attacks showing up recently, like the one below:

    https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/

    The general idea is to look at the software libraries and service providers that your providers make use of and attack those instead of coming after you directly. The impacted software library that I linked above is downloaded somewhere around 3.4 million times per day, and this attack was live for about three hours. Assuming an even distribution of downloads, that would mean that the people behind this hit 500k downloads while it was live, and who knows where they were able to get from there.

    So obviously we have to draw a line and work on the assumption that Apple, in our example, is doing what’s right and that they have done their due diligence on things further down the chain.

    So if we take this new ban at face value, the US Government has some trust issues with the router manufacturers and is taking steps to try to address those by forcing manufacturing of the devices into the hands of domestic companies that they can regulate and mandate some level of security for. However, the cynic in me is wondering what hardware vendors – if any – are already going through the process of greasing palms to get exemptions for their hardware in place under this program.

    And to be clear, there are going to have to be some level of exemptions going through here – it’s going to take a long time for someone to gear up to build out routers domestically in the US for consumer use, considering the number of these things that are sitting in people’s homes, offices, and datacenters.