Phishing campaign targets hotel guests

We've all been through trainings at work where they tell us to pay attention to URLs and validate their authenticity, examine emails for red flags, not trust calls and messages asking for urgent action - and so on. A false sense of security can creep in: I should be able to recognize a scam. Last week's episode of Smashing Security, however, brought up an attack that is scarily easy to fall for.

Here's my brief summary:

  • The attackers sent emails to hotels with a link to an infostealer.
  • Once it was executed, they could access booking platforms on behalf of the hotels.
  • The attackers contacted customers with urgent requests to update their credit card details - otherwise they'd lose their reservation.
  • The link to update credit card details was illegitimate.

Unlike a regular phishing attack that we're all used to, this was performed through legitimate and - you'd think - safe channels. As the report says:

It is often recommended that customers use only official and known methods of communication, such as various messaging platforms within the site, to prevent illegitimate or scam interactions. Unfortunately, this great advice becomes moot now that the attacker can access those methods. <...> It is important to remember that this message comes from within the booking site’s message platform itself.

Honestly, I'm impressed - that's a rather sophisticated attack. Here you can read about it in detail, along with suggestions on how to protect yourself.

Stay safe and inform people around you!

This Is For Everyone

I didn't know much about Tim Berners-Lee, other than that he invented the World Wide Web. Since my journey with computers started in the late 90s, when his creation had already exploded, it felt to me like something that had always been there. Besides, he wasn't exactly a household name. Thus, I wasn't particularly excited when I heard that Tim had published a book, but I made a mental note nonetheless. Good reviews from both the press and readers convinced me to order it.

Book cover

Read more...

IRC server rejects custom quit message: solution

I was working on my IRC bot recently when I stumbled upon a confusing problem while trying to add a graceful shutdown. The idea is that when a process receives a request to terminate itself (SIGTERM), it should send a QUIT command with some text, rather than disappearing like some barbarian.

Like this:

<= QUIT :bye
=> :poring-dev!~poring@user/poring QUIT :Quit: bye

Alas, the IRC server completely ignored my message, replacing it with a generic "Client Quit" text:

<= QUIT :bye
=> :poring-dev!~poring@user/poring QUIT :Client Quit

I spent about two hours trying different things and debugging my code to no avail. I knew the command I was sending was valid and that Libera Chat supported this feature.

What I didn't know is that there's apparently a type of spam attack that utilizes quit messages.

Read more...

Putnubiedēkļi: documentary about scarecrows

A film festival called PÖFF is taking place this November in Tallinn. It's a good opportunity to watch something that doesn't usually make it to the big screens - which are mostly reserved for Hollywood movies.

So yesterday I went to see Putnubiedēkļi (or Scarecrows in English). Even though it was filmed at Riga Airport, airplanes and air travel aren't the main focus of the movie. Instead, it shows the daily work of people whose job is to shoo away wild animals. Birds are probably the most dangerous intruders, as they can get sucked into engines, causing damage and expensive repairs. Losing one of the engines this close to the ground isn't ideal either. Other animals also like to visit the airport. Foxes can effortlessly jump over barbed wire fences, a beaver might decide to build a dam, and a family of hares can sneak in too!

A baby deer standing on grass near a barbed-wire fence at night, with a private jet parked in the background.

Image source: https://poff.ee/en/film/scarecrows/

From my understanding, it was partly filmed by the workers themselves, but there are also beautiful cinematic scenes presumably shot by the film crew. It's really a "watch how we work" type of documentary. There are no interviews, no staged moments, nothing like that - just interesting, challenging, and funny moments from their everyday work. As passengers, we never really notice this battle with nature.

I really liked Scarecrows. The film isn't that long - about 90 minutes - and it has good pacing. Here's the trailer, although it only shows the cinematic segments.

My cat got a website

I normally don't do advertising here, whether paid or as a favor. But my cat just got a website, and I couldn't say no: meowsiris.eu

It's a humble beginning - he doesn't know much HTML or CSS, but we all start somewhere. Check it out if you have time, there are some 🔥 photos!

Screenshot of a website meowsiris.eu

My new mug

I got myself a new mug!

A white mug with a logo of Claude AI

Same mug from the other side, the text says: "You're absolutely right!"

I saw a meme on reddit with a mug like this and found it hilarious, because:

  1. We use Claude Code at work.
  2. It really does say "You're absolutely right!" almost every time.

So, I ordered one from kingitare.ee. They have an online editor where you can upload an image (including an SVG!), choose a font, and preview how the product will look - super convenient. The mug arrived three days after I placed the order.

I'm satisfied with the overall quality, though I haven't tested it in a dishwasher yet. I had a bad experience with an expensive mug from the official Arsenal store - it lost its print after a few cycles.

Happy vibing everyone!

Two months with Debian Trixie

When I got my new laptop two months ago, I needed to choose a Linux distro to install. Arch was my go-to for the last 15 years on desktops, but even though it usually works fine, breaking updates can happen. That's not what I wanted on a portable device I might need to take somewhere on short notice. Since Debian Trixie was about to be released, I decided to give it a try. After all, I'd been using Debian on servers for years, and it's always worked flawlessly.

Debian logo

https://www.debian.org/logos/

Read more...

CS50's Introduction to Cybersecurity

I recently took CS50's Introduction to Cybersecurity, an online course from Harvard University on edx.org. It's taught by David J. Malan, who never fails to deliver an energetic and engaging lecture. Over five weeks he covers some of the most important threats in the online world and explains what can be done to mitigate them. The main topics are:

  • How to secure our accounts
  • How to secure data
  • How to secure systems
  • How to secure software
  • How to preserve privacy

I can really recommend this course to anyone even remotely interested in the subject. Bear in mind, it's an introduction to cybersecurity, so don't expect too much. But these lectures touch on a lot of topics that are good to know in this day and age.

Read more...

Pull-request of my life

I created this pull-request today. I guess that's it: the best pull-request of my life. I'll never be able to top it.

Pull-request summary: +228 lines, -92,081 lines

(no functionality has been lost in the process)

Read more...

I actually refunded an online subscription

I'd never attempted to refund a digital product. Most services explicitly state that they don't do refunds, so I just accepted that reality. There are exceptions, of course, like Steam and you-know-what-VPN. But I think Steam was forced to add a refund feature by law, while for you-know-what-VPN it's probably a marketing strategy: only a small number of users actually invoke their money-back guarantee.

Happy woman shopping online at home

Photo by Andrea Piacquadio

At some point, I learned that people sometimes get refunds through customer support. Today I had the chance to try it myself - and it worked!

Read more...

Contacts page

I added a few more options for those who might want to contact me, so check out this new contact me page! Previously, there was only my email, and a few people even wrote me (not all of them were spammers, btw).

I included a few other channels, such as:

  • Signal
  • Mastodon

I thought about IRC and LinkedIn. I might still add IRC (placebo @ LiberaChat), but LinkedIn isn't the place for daily communications for me. It's rather a site I feel obligated to check from time to time because of how relevant it is (was?) for IT jobs in Estonia.

In any case, thanks for your attention to this matter!

Read more...

How to add a metronome track to any song with Audacity

I was recently learning how to play a new song on the guitar. While it sounded fine - considering my skill level - when I practiced with a metronome, I struggled a lot to play along with the actual recording. With how some songs are mixed, it can be difficult to pick up the drum track. Even if there is a backing track, the lead guitar can sometimes start alone and be on its own for the first several bars.

At some point I thought: why not add a metronome track to the recording? It would provide a rock-solid rhythmic reference! There must be a way to do this, right? Audacity can do exactly that in just a few clicks.

Music sheets

Photo by Ylanite Koppens

Read more...

How to handle decimal numbers in form params with WireMock

I wrote about WireMock last year. It's a very powerful tool that lets us replace external services with stubs while testing. Since it can be configured on the fly by tests, it allows us to validate virtually any behavior. Here's how I use it:

How WireMock works: sequence diagram

In this sequence diagram, a test tells WireMock to return a JSON body for every request to /fetch-details. During execution, the test calls /some-endpoint to validate it. This endpoint needs data from an external service to produce a response, so it requests /fetch-details and gets the JSON body that the test fed WireMock at the start. By changing what /fetch-details returns, we can easily simulate various scenarios.

In this post, I want to cover a case I dealt with recently: form data with decimal numbers.

Read more...

Running FMS Data Manager on Linux with WINE and X-Plane 12

Navigraph is probably the most popular source of navigation data for flight simulators. Roughly once a month they release a new data package with updated waypoints and metadata, such as altitude and speed restrictions, as well as changes to procedures at airports around the world. Updating this data can be a bit tedious, so they offer a program to help us with that - which, of course, isn’t available on Linux. There isn't much information on this topic online, so hear me out, world wide web: you can run FMS Data Manager using WINE.

X-Plane 12, Lufthansa Boeing 737-800 in Tallinn, Estonia (EETN)

Read more...

Function overloading in TypeScript

As more and more companies migrate from Java to JavaScript for UI and API testing, I decided to study it too. After all, even this blog is powered by React. One of the features I sometimes used in Java is function overloading, which I thought wasn't possible in JavaScript. However, as I've recently learned, TypeScript adds this functionality. Well, kind of.

JavaScript code on a screen

Photo by Pixabay

Read more...

GNOME Screenshot: How to change default directory and file type

I've recently switched from Plasma to Cinnamon, and so far, I like it. However, while the latter is more stable, it's also less feature-rich - at least on Arch Linux. So, when I installed GNOME Screenshot, I realized that I can't really configure it through the user interface. It's rather basic, with no settings in the menu to change the default directory or file format.

GNOME Screenshot window

Search results on the subject were old, with posts dating back 10-15 years, which always makes me suspicious: how relevant is that information today? That's why I decided to jot down my findings.

Read more...

An unexpected letter

Today I received a scary looking letter from abuse@hetzner.de, which is my German hosting provider. The text started as follows:

We have received a notification from the German Federal Office for Information Security...

Knowing how notorious German laws are when it comes to intellectual property, I immediately thought: "What did I do?" and "How big is the fine?" To the best of my knowledge, my blog doesn't violate any rules, yet I didn't expect a message from a Federal Office without any wrongdoing.

Selective Focus Photo Of Bottle Floating On Body Of Water

Photo by Maria Tyutina

Read more...

How to override Awaitility error messages

Awaitility is an excellent Java library. It's especially useful for working with eventually consistent APIs. For instance, when a client sends a POST, PUT, or DELETE request, you might need to make several GET requests before observing the changes, which is terrible for automated tests. A common solution to this problem is to use Awaitility. You can ask it to execute code for n seconds until the request succeeds or the timer expires.

import static org.awaitility.Awaitility.await;
import java.time.Duration;

// Poll the resource until its status matches, giving up after 5 seconds.
await()
    .atMost(Duration.ofSeconds(5))
    .until(() -> apiClient().get(id).getStatus().equals("expected"));

Unfortunately, the default error messages could use some work.

Hourglass on Brown Wooden Frame

Photo by Mike

Read more...