#Reverse Engineering
majimaisms · 3 days ago
majima strikes me as someone who grew up with nothing (in the way of material resources) in a high-stakes environment (think being responsible for your own/your familys finances, maybe a caretaker relying on him for support, stuff like that, from a Very Young Age) where his wits and ability to see things through wouldve been life or death for him (and/or his loved ones). this is also why i think majima would've given up on any dreams basically by the time he hit double digits in age, the reality of his circumstances would've demanded that adaptation. he literally couldn't afford it. he says he's been ready to die since the day he swore his oath, that's way before '85 and that kind of resignation doesn't come from nowhere. but again, he's turned that death drive into a source of power he can draw from, something that makes him reckless but ruthlessly effective in achieving his goals. because this is what he does -- he literally can't stop making *tools* out of everything, even his own suffering becomes a resource for him
so i have to say yes, i think he was like this before '85 because he *had* to be to survive. and in fact i think this wouldve been why shimano took an interest in him in the first place, what he recognized in majima as the thing that had the potential to become his most useful asset. going with the bullet analogy, you just have to aim and shoot, yknow. majima is going to do all the work -- once he gains that momentum he's practically unstoppable
foone · 1 year ago
Have you heard about the Polish Train company, Newag, and the bullshit it turns out they got up to?
So, the regional rail operator Koleje Dolnośląskie bought some Newag Impuls back in 2016. In late 2021, some of them need to have major maintenance done, as they've been in service a while. So the company SPS (Serwis Pojazdów Szynowych) gets the contract to fix them. They basically take the train apart, replace a bunch of it, following all the rules in the documentation Newag gave them, and... it won't move. The train says everything is fine, the brakes are off, there's plenty of power, but you push the throttle up and it won't move.
SPS spends a while trying to figure out what the fuck is wrong, with no luck. So they hire some hackers from the Polish security group Dragon Sector. Dragon Sector figures out how to get into the code of the computer system that runs the train, and OH MY GOD.
So it turns out there's a secret train-lock system. If it's on, the train won't move. This will be triggered in some situations you might think are normal: the clocks are wrong, the serial numbers of the various parts have changed, and a firmware mismatch between the main computer and the power system. Now, the fact that it makes sense to not run the train in these situations until someone can check it? that doesn't extend to the fact the train uses a SECRET lock system, rather than just popping up an error message telling you what's wrong. There's also the problem that while these are all potential error problems, they can't be cleared by anyone with the technical manuals, which are supposed to cover everything about how to run these trains. Only Newag themselves can reset this system.
Which, you know, keeps SPS from properly fixing them. Only Newag can fix them now, but not because SPS lacks any technical ability, but because Newag sabotaged their own trains. But don't worry: it gets worse.
So now that Dragon Sector knows what's happening, they get to look at other trains. It turns out the trains aren't all running the same software, and there are other tricks in there.
One of them is a "how long has the train been stopped?" check. If the train hasn't hit 60 km/h in 10 days, the train locks itself and won't move until Newag can clear it. So, like, if a train is ever out of service, like it's going to a repair place... it'll break itself. Unless the repair place is owned by Newag.
But two of the trains go further: See, these trains have GPS built in, right? You may be able to guess where this is going...
THEY JUST MAKE THE TRAIN CHECK IF IT IS PARKED AT THEIR COMPETITORS' REPAIR YARD AND BREAK ITSELF IF IT WAS.
The sheer audacity of this move. This is frighteningly bullshit anti-competition self-sabotage.
This has, obviously, made some parts of the Polish government start investigating this. Newag may be (and hopefully will be) in a lot of trouble.
For more info, there's a great video of a presentation by the three people from Dragon Sector who did the hacking, which was presented at the 37th Chaos Communication Congress in Germany.
Ars Technica also has an article on it, but it predates the presentation so it doesn't have some of the later details.
Anyway, the good news is that in the end the hackers at Dragon Sector were able to unlock most of the trains: A few had additional trickery that they didn't want to hack around, because it might break the train's certification. For the others, they discovered undocumented "cheat codes" in the software that they could use to bypass the secret lockouts... presumably the same ones that Newag would have used when they "repaired" trains.
mostlysignssomeportents · 4 months ago
Billionaire-proofing the internet
Picks and Shovels is a new, standalone technothriller starring Marty Hench, my two-fisted, hard-fighting, tech-scam-busting forensic accountant. You can pre-order it on my latest Kickstarter, which features a brilliant audiobook read by Wil Wheaton.
During the Napster wars, the record labels seriously pissed off millions of internet users when they sued over 19,000 music fans, mostly kids, but also grannies, old people, and dead people.
It's hard to overstate how badly the labels behaved. Like, there was the Swarthmore student who was the maintainer of a free/open source search engine that indexed files available in public sharepoints on the LAN. The labels sued him for millions and millions (the statutory damages for digital copyright infringement runs to $150,000 per file) and, when he begged for a settlement, said that they would accept his life's savings, but only if he changed majors and stopped studying Computer Science.
No, really.
What's more, none of the money the labels extracted from teenagers, grandparents (and the dead) went to artists. The labels just kept it all, while continuing to insist that they were doing all this because they wanted to "protect artists."
One thing everyone agreed on was how disgusted we all were with the labels. What we didn't agree on was what to do about it. A lot of us wanted to reform copyright – say, by creating a blanket license for internet music so that artists could get paid directly. This was the systemic approach.
Another group – call them the "individualists" – wanted a boycott. Just stop buying and listening to music from the major labels. Every dollar you spend with a label is being used to fund a campaign of legal terror. Merely enjoying popular music makes you part of the problem.
You can probably guess which group I was in. Leaving aside the futility of "voting with your wallet" (a rigged ballot that's always won by the people with the thickest wallet), I just thought this was bad tactics.
Here's what I would say when people told me we should all stop listening to popular music: "If members of your popular movement are not allowed to listen to popular music, your movement won't be very popular."
We weren't going to make political change by creating an impossible purity test ("Ew, you listen to music from a major label? God, what's wrong with you?"). I mean, for one thing, a lot of popular music is legitimately fantastic and makes people's lives better. Popular movements should strive to increase their members' joy, not demand their deprivation. Again, not merely because this is a nice thing to do for people, but also because it's good tactics to make participation in the thing you're trying to do as joyous as possible.
Which brings me to social media. The problem with social media is that the people we love and want to interact with are being held prisoner in walled gardens. The mechanism of their imprisonment is the "switching costs" of leaving. Our friends and communities are on bad social media networks because they love each other more than they hate Musk or Zuck. Leaving a social platform can cost you contact with family members in the country you emigrated from, a support group of people who share your rare disease, the customers or audience you rely on for your livelihood, or just the other parents organizing your kid's little league game.
Hypothetically, you could organize all these people to leave at once, go somewhere else, and re-establish all your social connections. Practically, the "collective action problem" of doing so is nearly insurmountable. This is what platform owners depend on – it's why they know they can enshittify their services without losing users. So long as the pain of using the service is lower than the pain of leaving it, the companies can turn the screws on users to make their lives worse in order to extract more profit from them. This is why Musk killed the block button and why Zuck fired all his moderators. Why bear the expense of doing something nice for users if they'll still stick around even if you cut a ton of headcount and/or expensive compute?
There's a way out of this, thankfully. When social media is federated, then you can leave a server without leaving your friends. Think of it as being similar to changing cell-phone companies. When you switch from Verizon to T-Mobile, you keep your number, you keep your address book and you keep your friends, who won't even know you switched networks unless you tell them:
https://pluralistic.net/2022/10/29/how-to-leave-dying-social-media-platforms/
There's no reason social media couldn't work this way. You should be able to leave Facebook or Twitter for Mastodon, Bluesky, or any other service and still talk with the people you left behind, provided they still want to talk with you:
https://www.eff.org/interoperablefacebook
That's how the Fediverse – which Mastodon is part of – works already. You can switch from one Mastodon server to another, and all the people you follow and who follow you will just move over to that new server. That means that if the person or company or group running your server goes sour, you aren't stuck making a choice between the people you love who connect to you on that server, and the pain of dealing with whatever bullshit the management is throwing off:
https://pluralistic.net/2022/12/23/semipermeable-membranes/#free-as-in-puppies
We could make that stronger! Data protection laws like the EU's GDPR and California's CCPA create a legal duty for online services to hand over your data on demand. Arguably, these laws already require your Mastodon server's management to give you the files you need to switch from one server to another, but that could be clarified. Handing these files over to users on demand is really straightforward – even a volunteer running a small server for a few friends will have no trouble living up to this obligation. It's literally just a minute's work for each user.
Another way to make this stronger is through governance. Many of the great services that defined the old, good internet were run by "benevolent dictators for life." This worked well, but failed so badly. Even if the dictator for life stayed benevolent, that didn't make them infallible. The problem of a dictatorship isn't just malice – it's also human frailty. For a service to remain good over long timescales, it needs accountable, responsive governance. That's why all the most successful BDFL services (like Wikipedia) transitioned to community-managed systems:
https://pluralistic.net/2024/12/10/bdfl/#high-on-your-own-supply
There, too, Mastodon shines. Mastodon's founder Eugen Rochko has just explicitly abjured his role as "ultimate decision-maker" and handed management over to a nonprofit:
https://arstechnica.com/tech-policy/2025/01/mastodon-becomes-nonprofit-to-make-sure-its-never-ruined-by-billionaire-ceo/
I love using Mastodon and I have a lot of hope for its future. I wish I was as happy with Bluesky, which was founded with the promise of federation, and which uses a clever naming scheme that makes it even harder for server owners to usurp your identity. But while Bluesky has added many, many technically impressive features, they haven't delivered on the long-promised federation:
https://pluralistic.net/2024/11/02/ulysses-pact/#tie-yourself-to-a-federated-mast
Bluesky sure seems like a lot of fun! They've pulled tens of millions of users over from other systems, and by all accounts, they're all having a great time. The problem is that without federation, all those users are vulnerable to bad decisions by management (perhaps under pressure from the company's investors) or by a change in management (perhaps instigated by investors if the current management refuses to institute extractive measures that are good for the investors but bad for the users). Federation is to social media what fire-exits are to nightclubs: a way for people to escape if the party turns deadly:
https://pluralistic.net/2024/12/14/fire-exits/#graceful-failure-modes
So what's the answer? Well, around Mastodon, you'll hear a refrain that reminds me a lot of the Napster wars: "People who are enjoying themselves on Bluesky are wrong to do so, because it's not federated and the only server you can use is run by a VC-backed for-profit. They should all leave that great party – there's no fire exits!"
This is the social media version of "To be in our movement, you have to stop listening to popular music." Sure, those people shouldn't be crammed into a nightclub that has no fire exits. But thankfully, there is an alternative to being the kind of scold who demands that people leave a great party, and being the kind of callous person who lets tens of millions of people continue to risk their lives by being stuck in a fire-trap.
We can install our own fire-exits in Bluesky.
Yesterday, an initiative called "Free Our Feeds" launched, with a set of goals for "billionaire-proofing" social media. One of those goals is to add the long-delayed federation to Bluesky. I'm one of the inaugural endorsers for this, because installing fire exits for Bluesky isn't just the right thing to do, it's also good tactics:
https://freeourfeeds.com/
Here's why: if a body independent of the Bluesky corporation implements its federation services, then we ensure that its fire exits are beyond the control of its VCs. That means that if they are ever tempted in future to brick up the fire-exits, they won't be able to. This isn't a hypothetical risk. When businesses start to enshittify their services, they fully commit themselves to blocking anything that makes it easy to leave those services.
That's why Apple went so hard after Beeper Plus, a service that enhanced iMessage's security by making conversations between Apple and Android users as private as chats that were confined to Apple users:
https://pluralistic.net/2023/12/07/blue-bubbles-for-all/#never-underestimate-the-determination-of-a-kid-who-is-time-rich-and-cash-poor
It's why Elon Musk periodically freaks out and suspends users who list their Mastodon userids in their Twitter bios:
https://techcrunch.com/2022/12/15/elon-musk-suspends-mastodon-twitter-account-over-elonjet-tracking/
And it's why Meta will suspend your account if you link to Pixelfed, a Fediverse-based alternative to Instagram:
https://www.404media.co/meta-is-blocking-links-to-decentralized-instagram-competitor-pixelfed/
Once upon a time, we had a solid way of overcoming the problem of lock-in. We'd reverse-engineer a proprietary system and make a free, open alternative. We've been hacking fire exits into walled gardens since the Usenet days, with the creation of the alt.* hierarchy:
https://www.eff.org/deeplinks/2019/11/altinteroperabilityadversarial
When the corporate owners of Unix started getting all weird about source-code access and user-modifiability, we didn't insist that Unix users were bad people for sticking with a corporate OS. We reverse-engineered Unix and set all those users free:
https://en.wikipedia.org/wiki/GNU_Project
The answer to Microsoft's proprietary SMB network protocol wasn't a campaign to shame people for having SMB running on their LANs. It was reverse-engineering SMB and making SAMBA, which is now in every single device in your home and office, and it's gloriously free as in speech and free as in beer:
https://www.eff.org/deeplinks/2019/07/samba-versus-smb-adversarial-interoperability-judo-network-effects
In the years since, a thicket of laws we colloquially call "IP" has grown up around services and products, and people have literally forgotten that there is an alternative to wheedling people to endure the pain of leaving a proprietary system for a free one. IP has put the imaginations of people who dream of a free internet in chains.
We can do better than begging people to leave a party they're enjoying; we can install our own fucking fire exits. Sure, maybe that means that a lot of those users will stay on the proprietary platform, but at least we'll have given them a way to leave if things go horribly wrong.
After all, there's no virtue in software freedom. The only thing worth caring about is human freedom. The only reason to value software freedom is if it sets humans free.
If I had my way, all those people enjoying themselves on Bluesky would come and enjoy themselves in the Fediverse. But I'm not a purist. If there's a way to use Bluesky without locking myself to the platform, I will join the party there in a hot second. And if there's a way to join the Bluesky party from the Fediverse, then goddamn I will party my ass off.
Check out my Kickstarter to pre-order copies of my next novel, Picks and Shovels!
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2025/01/14/contesting-popularity/#everybody-samba
techav · 6 months ago
On Documenting History
I've mentioned a couple times before that the first computer I really got to use was the Sanyo MBC-1000, a Z80-based CP/M machine. In the greater picture it was a largely forgettable machine with little to differentiate it from its competitors. Which is pretty much what has happened. There are a few units sitting in museums and the odd Reddit post of someone acquiring one, but not much real information.
So last year I started taking a closer look at the machine I grew up with to try to learn what I could about how it works. And in the interest of preservation and education, I've pushed my notes to a GitHub repository.
There is much more work to be done, but so far I've made an entry-level attempt at reverse-engineering & annotating a disassembly of the boot ROM, documented all of the components on the main logic board, documented the expansion card specifications including modeling the slot and mounting brackets in FreeCAD as well as the board outline in KiCad. I've also made an effort to reverse engineer a schematic for the serial expansion card — which as far as I am currently aware is the only official expansion card that was ever produced.
I plan to continue adding notes to this repository as I learn more about this machine. It may not have made any significant historical impact, but it was a solid machine that was more than capable of doing some serious work. I believe it can still teach us something and deserves to be remembered.
I do have a secondary motive for taking such a detailed look at this machine though — at some point in the last 20 years we misplaced the box containing its boot disks and other software. I have found an old Teledisk image of an MBC-1000 boot disk which does appear to have all of the important CP/M components (like the disk format utility, sysgen, and assembler), but there is no guarantee it will work. Beyond that, its floppy drives were never terribly reliable and out-of-production magnetic media does not have much life left anyway. I want to come up with some way to attach a modern storage device to the machine to breathe new life into it (a Gotek would probably be easiest since it uses standard Shugart floppy drives, but I would love to come up with a way to give it an SD card interface or something like that). All this information will be useful for developing anything new for this machine.
thoughtportal · 2 months ago
Cory Doctorow on Democracy Now on tech laws and tariffs
minervamagicka · 2 years ago
Decided to try default-replacing the default EA 'fur' (since we can't add more till MorphMaker is updated!) with the SSO Curly Horse texture and,,, mmmm.......
It has a normal map as well to make the curls pop a bit <: it'll get released, uh, eventually LMAO
pinata-archive-paradise · 8 days ago
the pocket paradise files:
banner.bmp
firubii · 2 years ago
the outlines in kirby's return to dream land deluxe are very interesting, theyre definitely the cleanest 3d outlines i have ever seen anyone do
visually theyre just the model but darkened and expanded out a bit, and instead of clipping into any geometry they simply fade out and seem aware of the other outlines and models in the scene, merging together perfectly
im VERY surprised no one else has done this, because the way they pulled it off is actually EXTREMELY simple
(this will go into kinda technical graphics rendering talk)
the first clue is that looking into the code used for rendering reveals that the game draws the outlines after the rest of the scene has been drawn
specifically, the order that objects are drawn from this function is:
opaque models (deferred rendering)
decals (deferred)
opaque models (forward rendering, essentially just fully rendering every single model)
outline models (forward)
transparent models (forward)
interestingly, outline models count as transparent, disabling transparency rendering will also disable outlines
the next hint about how it works comes directly from this enum listing all of the passes the game draws
the most important part of this is "OutlineDepth" and "Outline", which reveals that the outlines render their own depth buffer!! this contains essentially how far away each pixel is from the camera, in ingame/world space units
looking into the models themselves, all of the models for characters have duplicated meshes that use a material specifically for outlines
using this information alone, its very easy to recreate the outlines in blender!!
this is achieved in the same way, by rendering the raw scene and the outlines in two separate images using blender's render layers feature, with the outlines being significantly darkened, using only the diffuse texture, and the meshes themselves expanded slightly using geometry nodes
the rest of the models are rendered normally with PBR
determining where the outlines are drawn is just the result of some extremely simple math using the depth buffer of each layer
if you would like to see the result of this math, this is the "outline mask buffer":
as a bonus, if we gaussian blur the outline we can achieve a similar look to the game's promo art as well!! however, this doesnt look super good, improving on how this looks specifically most likely requires more tinkering in image editing software like photoshop
arnethmyndraavn · 2 years ago
[Spade no Kuni no Alice] Machine Translation Patches (White & Black) Download
This is a machine translation patch which was created by running the dialog files for both games through Google translate. The game should be mostly understandable but there will be occasional nonsense translations or cut off lines. Very basic JP knowledge makes some of the translation oddities easier to understand.
Patch should work on emulator and modded Switch
Patch Downloads: White: DL Black: DL
Please note that the patch for White World is much larger since the game has one large asset bundle that contains all the code/levels rather than multiple smaller ones like Black World.
100% Save Data Downloads: White: DL Black: DL
Installation instructions are included in the patch README file
Some mistranslation/oddity examples, some are kinda funny. (These are old screenshots from before I fixed the color of character dialog boxes and backlog portraits, they are fixed in the actual patch)
heldenraider · 1 year ago
Wow, this is written in Estonian, dev roots!
"You'd better be on your guard - the shotguns in this package will knock the legs out from under even the toughest man. Rather give the old heathen a drop of blood before you bother to swallow it!!!!.
I When I buy a Raagupesa burger and find out that the price of a tra jalle is 8 euros normally" (Buckshot godot reverse engineering 4/?)
majimaisms · 5 days ago
i mean. i tend to go for "milder" childhood trauma for majima in my hcs (that would still qualify for a Traumatic Childhood), "mundane" tragedies like death and illness and broken marriages and domestic abuse, and i dont doubt* he was physically abused as a kid but. there is so much rage he is tapping into when he fights, every time he fights, and it's always on behalf of other people, people he cares about. that's what the hannya is about for him. to such an extent that i can't help but think he grew up simmering in that anger. and he's still carrying it and fighting is the only outlet he has for it, and it literally keeps him sane. and that's not really the kind of thing that happens without. injustice of great proportions (often accompanied by violence and cruelty) and witnessing it constantly, or having its effects be permanent one way or the other. which makes me think there might have been something more catastrophically disruptive that happened. something devastating that he was not the victim of
foone · 2 years ago
hiya foone! i'm working on the surprisingly lofty task of modding barbie fashion show 2004 and i've been told twice to ask if you have any leads on how to get to the game files. i don't know how to simplify it because i'm so in over my head at this point. here is the thread
okay so here's how you reverse engineer an arbitrary game, the quick version:
Research. Who made the game? what else did they make? Maybe they made a game with the same engine, and someone already figured out that one? (not that I saw on a quick look, but you may be able to dig deeper) Also, look in the game files. There's a PowerRender.dll and a sipEngine.bc file. Nothing for sipEngine, but PowerRender has a hit on the internet archive, maybe that download includes some info on how it encodes files?
Look at the files (with a hex editor, like HxD). KAR files seem to be the main storage mechanism, and they've got a RIFF header. RIFF is a standard, though they're not using it exactly. But this might help. Another thing you can spot in the KAR files is a bunch of English strings (CreditsTb.kar is lousy with them). That's a good sign: it means the files aren't compressed, so you don't have to figure out the compression method.
Static analysis of the EXE. Get Ghidra and load up the EXE. Find where it opens files (CreateFileA/CreateFileW on Windows), trace back from there. Check the strings. Hey look, function FUN_004e6260 is called with "KAResource.kar". So FUN_004e6260 is probably a function to load arbitrary resource files. Dig through that, figure out how it works.
Dynamic analysis of the EXE. Stick it in a debugger and see what it does. Set a breakpoint on CreateFileA/W and follow the execution. I don't have a good recommendation for what tool to use here, I'm from the past. I've used OllyDbg a lot but it hasn't been updated in 9 years.
Hijack the EXE and make it do your work for you. One thing I noticed while looking around was references to Python. This game apparently embeds a Python interpreter, version 2.2. Maybe you can find where it loads the code from, or inject your own code?
Anyway those are some introductory ideas. feel free to ask any follow-up questions, but this hopefully gives you some idea of where to start?
Good luck!
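A sketch of the "look at the files" step from the answer above, added here as an example and not code from the post or from the game: it walks standard RIFF chunks, flags a size field that overruns the file (the post notes the KAR files do not follow RIFF exactly), and reports printable strings and byte entropy per chunk as a quick compressed-or-not check. The sample bytes, the DEMO/TEXT/DATA chunk names and every function name are constructed for illustration; the real KAR layout is not known from the post.

```python
import math
import re
import struct
from collections import Counter

CONTAINERS = {b"RIFF", b"LIST"}  # standard RIFF chunk types that nest sub-chunks


def make_chunk(fourcc, payload):
    """Build one standard RIFF chunk: 4-byte id, little-endian size, payload, pad to even."""
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_sample():
    """Constructed sample file (not a real KAR): RIFF/DEMO holding a TEXT and a DATA chunk."""
    text = make_chunk(b"TEXT", b"Lead Designer\x00Art Director\x00")
    blob = make_chunk(b"DATA", bytes(range(7)))
    return make_chunk(b"RIFF", b"DEMO" + text + blob)


def walk_riff(data, start=0, end=None, depth=0):
    """Return a flat list of chunk records, recursing into RIFF/LIST containers.

    A chunk whose declared size runs past its parent gets fits=False and the
    walk of that level stops: this is where a non-standard variant shows up.
    """
    end = len(data) if end is None else end
    records, pos = [], start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        payload = pos + 8
        rec = {"depth": depth, "id": fourcc.decode("latin-1"), "offset": pos,
               "payload": payload, "size": size, "fits": payload + size <= end}
        records.append(rec)
        if not rec["fits"]:
            break
        if fourcc in CONTAINERS and size >= 4:
            rec["form"] = data[payload:payload + 4].decode("latin-1")
            records.extend(walk_riff(data, payload + 4, payload + size, depth + 1))
        pos = payload + size + (size & 1)  # chunks are padded to an even length
    return records


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def entropy(data):
    """Shannon entropy in bits per byte; values near 8 suggest compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def survey(data):
    """Per leaf chunk: id, size, entropy and strings found in its payload."""
    report = []
    for rec in walk_riff(data):
        if "form" in rec or not rec["fits"]:
            continue  # skip containers and chunks that overrun the file
        body = data[rec["payload"]:rec["payload"] + rec["size"]]
        report.append({"id": rec["id"], "size": rec["size"],
                       "entropy": round(entropy(body), 2),
                       "strings": ascii_strings(body)})
    return report


if __name__ == "__main__":
    sample = build_sample()
    for rec in walk_riff(sample):
        print("  " * rec["depth"], rec["id"], rec.get("form", ""), rec["size"], rec["fits"])
    for row in survey(sample):
        print(row)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `walk_riff`; a `fits=False` record near the top is the first place to compare against the loader found in static analysis.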
mostlysignssomeportents · 5 months ago
Reverse engineers bust sleazy gig work platform
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/11/23/hack-the-class-war/#robo-boss
A COMPUTER CAN NEVER BE HELD ACCOUNTABLE
THEREFORE A COMPUTER MUST NEVER MAKE A MANAGEMENT DECISION
Supposedly, these lines were included in a 1979 internal presentation at IBM; screenshots of them routinely go viral:
https://twitter.com/SwiftOnSecurity/status/1385565737167724545?lang=en
The reason for their newfound popularity is obvious: the rise and rise of algorithmic management tools, in which your boss is an app. That IBM slide is right: turning an app into your boss allows your actual boss to create an "accountability sink" in which there is no obvious way to blame a human or even a company for your maltreatment:
https://profilebooks.com/work/the-unaccountability-machine/
App-based management-by-bossware turns the bug identified by the unknown author of that IBM slide into a feature. When an app is your boss, it can force you to scab:
https://pluralistic.net/2023/07/30/computer-says-scab/#instawork
Or it can steal your wages:
https://pluralistic.net/2023/04/12/algorithmic-wage-discrimination/#fishers-of-men
But tech giveth and tech taketh away. Digital technology is infinitely flexible: the program that spies on you can be defeated by another program that defeats spying. Every time your algorithmic boss hacks you, you can hack your boss back:
https://pluralistic.net/2022/12/02/not-what-it-does/#who-it-does-it-to
Technologists and labor organizers need one another. Even the most precarious and abused workers can team up with hackers to disenshittify their robo-bosses:
https://pluralistic.net/2021/07/08/tuyul-apps/#gojek
For every abuse technology brings to the workplace, there is a liberating use of technology that workers unleash by seizing the means of computation:
https://pluralistic.net/2024/01/13/solidarity-forever/#tech-unions
One tech-savvy group on the cutting edge of dismantling the Torment Nexus is Algorithms Exposed, a tiny, scrappy group of EU hacker/academics who recruit volunteers to reverse engineer and modify the algorithms that rule our lives as workers and as customers:
https://pluralistic.net/2022/12/10/e2e/#the-censors-pen
Algorithms Exposed have an admirable supply of seemingly boundless energy. Every time I check in with them, I learn that they've spun out yet another special-purpose subgroup. Today, I learned about Reversing Works, a hacking team that reverse engineers gig work apps, revealing corporate wrongdoing that leads to multimillion euro fines for especially sleazy companies.
One such company is Foodinho, an Italian subsidiary of the Spanish food delivery company Glovo. Foodinho/Glovo has been in the crosshairs of Italian labor enforcers since before the pandemic, racking up millions in fines – first for failing to file the proper privacy paperwork disclosing the nature of the data processing in the app that Foodinho riders use to book jobs. Then, after the Italian data commission investigated Foodinho, the company attracted new, much larger fines for its out-of-control surveillance conduct.
As all of this was underway, Reversing Works was conducting its own research into Glovo/Foodinho's app, running it on a simulated Android handset inside a PC so they could peer into the app's data collection and processing. They discovered a nightmarish world of pervasive, illegal worker surveillance, and published their findings a year ago in November, 2023:
https://www.etui.org/sites/default/files/2023-10/Exercising%20workers%20rights%20in%20algorithmic%20management%20systems_Lessons%20learned%20from%20the%20Glovo-Foodinho%20digital%20labour%20platform%20case_2023.pdf
That report reveals all kinds of extremely illegal behavior. Glovo/Foodinho makes its riders' data accessible across national borders, so Glovo managers outside of Italy can access fine-grained surveillance information and sensitive personal information – a major data protection no-no.
Worse, Glovo's app embeds trackers from a huge number of other tech platforms (for chat, analytics, and more), making it impossible for the company to account for all the ways that its riders' data is collected – again, a requirement under Italian and EU data protection law.
All this data collection continues even when riders have clocked out for the day – it's as though your boss followed you home after quitting time and spied on you.
The research also revealed evidence of a secretive worker scoring system that ranked workers based on undisclosed criteria and reserved the best jobs for workers with high scores. This kind of thing is pervasive in algorithmic management, from gig work to YouTube and TikTok, where performers' videos are routinely suppressed because they crossed some undisclosed line. When an app is your boss, your every paycheck is docked because you violated a policy you're not allowed to know about, because if you knew why your boss was giving you shitty jobs, or refusing to show the video you spent thousands of dollars making to the subscribers who asked to see it, then maybe you could figure out how to keep your boss from detecting your rulebreaking next time.
All this data-collection and processing is bad enough, but what makes it all a thousand times worse is Glovo's data retention policy – they're storing this data on their workers for four years after the worker leaves their employ. That means that mountains of sensitive, potentially ruinous data on gig workers is just lying around, waiting to be stolen by the next hacker that breaks into the company's servers.
Reversing Works's report made quite a splash. A year after its publication, the Italian data protection agency fined Glovo another 5 million euros and ordered them to cut this shit out:
https://reversing.works/posts/2024/11/press-release-reversing.works-investigation-exposes-glovos-data-privacy-violations-marking-a-milestone-for-worker-rights-and-technology-accountability/
As the report points out, Italy is extremely well set up to defend workers' rights from this kind of bossware abuse. Not only do Italian enforcers have all the privacy tools created by the GDPR, the EU's flagship privacy regulation – they also have the benefit of Italy's 1970 Workers' Statute. The Workers' Statute is a visionary piece of legislation that protects workers from automated management practices. Combined with later privacy regulation, it gave Italy's data regulators sweeping powers to defend Italian workers, like Glovo's riders.
Italy is also a leader in recognizing gig workers as de facto employees, despite the tissue-thin pretense that adding an app to your employment means that you aren't entitled to any labor protections. In the case of Glovo, the fine-grained surveillance and reputation scoring were deemed proof that Glovo was employer to its riders.
Reversing Works' report is a fascinating read, especially the sections detailing how the researchers recruited a Glovo rider who allowed them to log in to Glovo's platform on their account.
As Reversing Works points out, this bottom-up approach – where apps are subjected to technical analysis – has real potential for labor organizations seeking to protect workers. Their report established multiple grounds on which a union could seek to hold an abusive employer to account.
But this bottom-up approach also holds out the potential for developing direct-action tools that let workers flex their power, by modifying apps, or coordinating their actions to wring concessions out of their bosses.
After all, the whole reason for the gig economy is to slash wage-bills, by transforming workers into contractors, and by eliminating managers in favor of algorithms. This leaves companies extremely vulnerable, because when workers come together to exercise power, their employer can't rely on middle managers to pressure workers, deal with irate customers, or step in to fill the gap themselves:
https://projects.itforchange.net/state-of-big-tech/changing-dynamics-of-labor-and-capital/
Only by seizing the means of computation can workers and organized labor turn the tables on bossware – both by directly altering the conditions of their employment, and by producing the evidence and tools that regulators can use to force employers to make those alterations permanent.
Image: EFF (modified) https://www.eff.org/files/issues/eu-flag-11_1.png
CC BY 3.0 http://creativecommons.org/licenses/by/3.0/us/
game-levels · 1 year ago
brickdylan · 2 years ago
ROBLOX 2007 and 2008 RBXGS/RCCService leaks
Yesterday, multiple internal ROBLOX applications ranging from 2007 to 2008 were found and released. Most of these are RBXGS, which is what ROBLOX originally used for their game servers. It requires a 2003 Windows Server with IIS (Internet Information Services) installed on it to run. One of these (0.3.784.0, dated 5/13/2008) is another application called RCCService. It fulfills mostly the same purpose that RBXGS did such as rendering avatars and hosting games. RCCService is still used by ROBLOX today. It can be installed and run on your PC without modification.
After a little setup, I was able to render some avatars with it.
Here's a noob in 4k. We can render in any size we want.
This one is 64x64 large. We can modify any of the properties of the character.
A character with colors, a transparent arm, a missing leg, and a fucked up head. It's looking great! We can also add T-Shirts...
Shirts and pants...
Fucked up faces (they weren't supported in 2008)...
And with a little bit of troubleshooting, hats.
Here's builderman
We can render more than just avatars. We can render parts...
and Places. I could probably do entire models too.
You can do a lot with it if you mess around. You could also implement it into your own website to render avatars automatically and host 2008 games.
Using 2008 RCC to host games also results in more security over self-hosted servers:
Player IPs are not exposed if someone attempts to grab them. It only shows the Server IP.
Servers automatically shut down if a DLL is injected into a client.
RCC checks the version of clients trying to join, and will refuse to connect if it does not match. This can be bypassed if you change the version of the client with a program, though.
There are still RCE vulnerabilities in the client, however, so I'd be wary.
Another huge discovery in the RBXGS is the PDB files. These files contain symbols (function names), where they are, and line information. Using this makes it much easier to reverse engineer. This means that we might see a reverse engineered 2007 or 2008 ROBLOX source available at one point, if someone decides to make it.
If you wish to check these out for yourself, you can download them here.
minervamagicka · 2 years ago
Well, it took me about an hour to throw this texture together and it took me all of five minutes to get it into game; a default replacement base horse texture to cure this poor creature of its default EA textures. This first beta run is probably leaning too Alpha for my Maxis Match tastes (but tbf, the assets I used were also more realistic than stylized, so that's likely why) but still, neat to know it can be done and rather quickly.
I also overrode the muscle definition texture (which is literally just a slightly-more defined diffuse; if you use the muscle definition w/ the fuzzy coat thickness on, you can't even see it LMAO) to be the same texture as the base but for future base replacements, it could definitely be done to have a custom base and a custom muscled base too. This also doesn't affect foals (because they have a different base texture, I kind of sussed it out and just ignored it when default-replacing).
Eh, it's good enough progress for tonight. I am more excited about fur presets allowing me to have multiple 'new base textures' in the game. I'm looking forward to having a stock "coat" preset for my muscle gods that gives them a buffer body texture & a lanky "coat" preset for my warmbloods that gives them more slender textures.
Anyhoo, since I'm bottlenecked on making any hair or tack, I'm probably going to explore stencils and paint mode tomorrow and custom coat colours. I have a few horse OCs I plan to try and drop-kick in.