    1. This Week's Releases 18/01 - James Blake, Sharon Van Etten, Future and more.

      Releases of the week 12/01/2019 - 18/01/2019


      Featured Release

      James Blake - Assume Form (Alternative R&B, Art Pop)

      "After dropping two new songs yesterday — the subtle trapper “Mile High” and the haunting “Lullaby For My Insomniac” — James Blake reveals today the entirety of Assume Form, his fourth full-length to date and follow-up to 2016’s The Colour In Anything. It’s available to stream in full below via Apple Music and Spotify.
      The album spans 12 tracks, including last year’s excellent “Don’t Miss It”, and features guest spots from Travis Scott, Metro Boomin, Rosalía, André 3000, and Moses Sumney. Blake previously contributed to the most recent full-length efforts from Oneohtrix Point Never and Travis Scott, as well as on singles from Kendrick Lamar, André 3000, and Moses Sumney.”

      Source: Consequence of Sound

      Listen to single

      Stream

      Other Notable Releases

      Sharon Van Etten - Remind Me Tomorrow (Indie Pop, Synth)

      Listen to single
      Stream

      Future - The WIZRD (Hip Hop, Trap)

      Listen to single
      Stream

      Deerhunter - Why Hasn’t Everything Already Disappeared (Neo-Psychedelia, Indie Rock)

      Listen to single
      Stream

      Toro Y Moi - Outer Peace (Alternative R&B, Synth Funk)

      Listen to single
      Stream

      Feel free to discuss or feature any and all other releases in the comments below

      Discussion Points

      Have you listened to any of these releases?
      What are your thoughts?
      What are you looking forward to listening to?
      What have you enjoyed from these artists in the past?

      // All feedback on this format welcome below.

      4 votes
    2. A journey through love with Richard Brautigan

      so i've just recently learned about this guy, and his work is quickly becoming a favorite of mine.

      i'm admittedly crazy poorly-read (is that the antonym to well-read?) when it comes to...

      well, anything besides self-help books released up to "The Subtle Art of Not Giving a Fuck" by Mark Manson.

      and his work has been concise and just fucking accurate enough for me to enjoy.

      so i present you all,

      a journey through love, with Richard Brautigan.


      -2

      Everybody wants to go to bed

      with everybody else, they're

      lined up for blocks, so I'll

      go to bed with you. They won't

      miss us.

      in this first stage, we see that little Richie's met himself someone special, and off they go arm in arm to live happily ever after.


      Romeo and Juliet

      If you will die for me,

      I will die for you

      and our graves will be like two lovers washing

      their clothes together

      in a laundromat

      If you will bring the soap

      I will bring the bleach.

      and here we see something that, personally, i found surprising from a poet who got his start in the 50s.

      this piece emulates the incendiary, passionate, limitless love that some of us have been lucky enough to experience in the early years of our lives. the love where it's the both of you against the world. the love where the most mundane tasks seem incredulous solely because they're done together. the love that i have only seemed to find in life, through trauma bonding.

      their love is powerful. their love is radiant.


      I Feel Horrible, She Doesn't

      I feel horrible. She doesn't

      love me and I wander around

      like a sewing machine

      that's just finished sewing

      a turd to a garbage can lid.

      their love is over.

      the crass yet poignant imagery somehow simultaneously flashing feelings of uselessness, self-loathing, and loss.

      you are here.


      Haiku Ambulance

      A piece of green pepper

      fell

      off the wooden salad bowl:

      so what?

      the sheer stoicism here is inspiring to me.

      this is the mindset that i want - and don't have the emotional energy to cultivate.

      were Brautigan still around and kickin' today, i'd buy the man a shot of the best whiskey i could get with $7 and thank him for emulating the exact mindset i want, need, and desire

      in four lines.

      it's simple - the green paper is a fraud, illusory. from afar or even from near with a quick glance - the green paper is another leafy green of the salad. a leaf of lettuce, a bit of cabbage. even if you press your face into the bowl and smell, the paper will smell of salad and nothing but.

      it falls onto the floor, you pick it up to throw it away. you notice the texture inapropos with more roughness, and frailty than a leaf of a vegetable. you test it - you tear it.

      it was paper.

      it was not the spinach you'd desired.

      it was not real.

      it was not what you wanted.

      regardless of the time you've spent preparing the salad, chopping your veg, blending your dressing, tossing it all, and fixing it for presentation,

      if you throw this paper out - it will be no loss, and your salad will only be better for it.

      a green piece of paper fell off the wooden salad bowl.

      so what?


      Love Poem

      the piece that brought Brautigan to my attention in the first place.

      It's so nice

      to wake up in the morning

      all alone

      and not have to tell somebody

      you love them

      when you don't love them

      any more.

      resolve.

      clarity.

      peace.

      the earlier bleach has gone unsipped. she has come, she has gone. he has suffered, he has grown.

      and now, he is at peace.

      his world back to...

      normal.


      this has been a journey through love with Richard Brautigan.

      4 votes
    3. normal.

      hey this is tildes so i should talk about code.

      i dont type each > for the markdown individually.

      got a tiny function i wrote that does it for me: https://repl.it/repls/HonoredRubberyProfessional

      so there's that for anyone who wants an easier time formatting their thing.

      stuff at the bottom. not necessarily inspo. just.

      yeah

      i just

      want to go back

      to normal.

      normal like in 2016

      when i had a little cash

      and spent it all

      on books, coffee, clothes, teenage shit

      i was nineteen

      we had yet to meet

      back to normal

      like the centuries

      where i would never be

      from the dawn of the earth

      up to the nineties.

      back to normal

      back to friends

      back to hobbies and dreams

      back to having endless things

      that i found exciting

      back to normal

      when i'd stay up a little late

      and fall asleep, be up at 8

      and make my coffee

      not living in the night,

      sleeping in the morning.

      .

      but the meds are all a hex,

      cyanide with side effects

      take this pill if you're depressed

      now youre a narcoleptic wreck

      and your car's a crumpled mess

      so momma drives you to your check-

      ups full of shit you never said

      like how you wanna quit - dead.

      because you say something she think

      is wrong you end up in the shrink

      with all the people with the bigger problems

      thrashing as they shriek

      and you wake up on a table

      see the warden of the clink

      shoving hands into your mouth

      tryna feed you what they think

      'll fix your fucking problems.

      hooked - benzodiazepines.

      and now you're mellow, now you're numb

      for now your skin'll cease to bleed

      and still you look around in envy

      pretty people - normalcy.

      .

      i gotta get out this house

      get back to normal

      maybe she can't find me there.

      maybe i can get a text

      or get some coffee

      breathe, not even care

      'bout if i'll turn a cursed corner

      see her curly golden hair,

      and have a flashback to the nights

      spent crying lonely in despair

      as she would sit, a room away

      sipping vodka in her chair

      taking snaps and scrolling insta

      for her modelling career

      and i would wail my soul would bleed

      praying that her heart would hear

      and she would get up, come and hold me

      stroke my hair like "mama's here."

      and i could breathe

      our love immortal

      i want nothing but a world

      where i am back in full control

      through death or breath

      just make me normal.


      https://www.youtube.com/watch?v=5NB7RBZ1yGY

      https://www.youtube.com/watch?v=w--D1S8SrCQ

      https://www.youtube.com/watch?v=NO5JLdsNxSk | Lyrics

      8 votes
    4. Is there a book that you'd like to see made into a movie or series?

      This is a general, "what books have themes or content that would make for great movies" question. Graphic novels are included here.

      Could have posted in ~talk or ~movies, but I'm seeking the opinions of dedicated readers, who've had the thought in considering a story, "I'd really like to see the visuals for this", or "a movie/series adaptation could expand on these themes".

      Also, what were your biggest disappointments in the rendering of a book into a movie/TV series?

      My picks:
      Ursula Le Guin, The Dispossessed. Can't say that it's likely to get the nuanced treatment it deserves, but an even-handed visualization of socialist vs. capitalist societies is overdue, and it's got spaceflight and FTL information transfer.
      Warren Ellis, Transmetropolitan. Not that he's ever going to grant the rights, but this one's a no-brainer for American cinema - brash, loud, splashy, violent, with bigger-than-life characters and themes.
      James Tiptree, Jr. (a/k/a Alice Sheldon), Her Smoke Rose Up Forever. I'd love to see a short series based on this collection.
      China Mieville - anything from the New Crobuzon books. The baroque ruin backgrounding the scenes, and the panoply of characters, should make for amazing cinema; a little judicious editing will be needed to make the stories work for the screen.
      [Obscure] Norman Spinrad's Bug Jack Barron, subject to timely and relevant updates for 21st Century media. There's a great theme about how selective presentation of video clips and the editor's viewpoint influences the story being told.
      K.W. Jeter, Farewell Horizontal, this one's gonna have great visuals, trust me.
      John Steinbeck's The Grapes of Wrath, remade as a story about border migration.
      Joe Haldeman, The Forever War - man, is it ever time for this one in the U.S.
      Dan Simmons, Hyperion - the World Tree, the Shrike, and plenty of other opportunities for fine visuals.
      Salman Rushdie, Haroun and the Sea of Stories. Another candidate for an anthology series; perfect for animation.
      Tibor Fischer, The Thought Gang - it's a heist story, but also a comedy and a satire. Kind of amazed no one has made it into a movie before.

      Biggest recent disappointment - The adaptation of Richard Morgan's Altered Carbon. Edited to completely discard the political messaging and amplify the sex/violence. Turgid, poor special effects, and gruesome acting.

      21 votes
    5. A Brief Look at Webhook Security

      Preface

      Software security is one of those subjects that often gets overlooked, both in academia and in professional projects, unless you're specifically working with some existing security-related element (e.g. you're taking a course on security basics, or updating your password hashing algorithm). As a result, we frequently see stories of rather catastrophic data leaks from otherwise reputable businesses, leaks which should have been entirely preventable with even the most basic of safeguards in place.

      With that in mind, I thought I would switch things up and discuss something security-related this time.


      Background

      It's commonplace for complex software systems to avoid unnecessarily large expenses, especially in terms of technical debt and the capital involved in the initial development costs of building entire systems for e.g. geolocation or financial transactions. Instead of reinventing the wheel and effectively building a parallel business, we instead integrate with existing third-party systems, typically by using an API.

      The problem, however, is that sometimes these third-party systems process requests over a long period of time, potentially on the order of minutes, hours, days, or even longer. If, for example, you have users who want to purchase something using your online platform, then it's not a particularly good idea to have potentially thousands of open connections to that third-party system all sitting there waiting multiple business days for funds to clear. That would just be stupid. So, how do we handle this in a way that isn't incredibly stupid?

      There are two commonly accepted methods to avoid having to wait around:

      1. We can periodically contact the third-party system and ask for the current status of a request, or
      2. We can give the third-party system a way to contact us and let us know when they're finished with a request.

      Both of these methods work, but obviously there will be a potentially significant delay in #1 between when a request finishes and when we know that it has finished (with a maximum delay of the wait time between status updates), whereas in #2 that delay is practically non-existent. Using #1 is also incredibly inefficient due to the number of wasted status update requests, whereas #2 allows us to avoid that kind of waste. Clearly #2 seems like the ideal option.

      Method #2 is what we call a webhook.


      May I see your ID?

      The problem with webhooks is that when you're implementing one, it's far too easy to forget that you need to restrict access to it. After all, that third-party system isn't a user, right? They're not a human. They can't just give us a username and password like we want them to. They don't understand the specific requirements for our individual, custom-designed system.

      But what happens if some malicious actor figures out what the webhook endpoint is? Let's say that all we do is log webhook requests somewhere in a non-capped file or database table/collection. Barring all other possible attack vectors, we suddenly find ourselves susceptible to that malicious actor sending us thousands, possibly millions of fraudulent data payloads in a small amount of time thanks to a botnet, and now our server's I/O utilization is spiking and the entire system is grinding to a halt--we're experiencing a DDoS!

      We don't want just anyone to be able to talk to our webhook. We want to make sure that anyone who does is verified and trusted. But since we can't require a username and password, since we can't guarantee that the third-party system will even know how to make use of them, what can we do?

      The answer is to use some form of token-based authentication--we generate a unique token, kind of like an ID card, and we attach it to our webhook endpoint (e.g. https://example.com/my_webhook/{unique_token}). We can then check that token for validity every time someone touches our webhook, ensuring that only someone we trust can get in.


      Class is in Session

      Just as there are two commonly accepted models for how to handle receiving updates from third-party systems, there are also two common models for how to assign a webhook to those systems:

      1. Hard-coding the webhook in your account settings, or
      2. Passing a webhook as part of the request payload.

      Model #1 is, in my experience, the most common of the two. In this model, our authentication token is typically directly linked to some user or user-like object in our system. This token is intended to be persisted and reused indefinitely, only scrapped in the event of a breach or a termination of integration with the service that uses it. Unfortunately, if the token is present within the URL, it's possible for your token to be viewed in plaintext in your logs.

      In model #2, it's perfectly feasible to mirror the behavior of model #1 by simply passing the same webhook endpoint with the same token in every new request; however, there is a far better solution. We can, instead, generate a brand new token for each new request to the third-party system, and each new token can be associated with the request itself on our own system. Rather than only validating the token itself, we then validate that the token and the request it's supposed to be associated with are both valid. This ensures that even in the event of a breach, a leaked authentication token's extent of damage is limited only to the domain of the request it's associated with! In addition, we can automatically expire these tokens after receiving a certain number of requests, ensuring that a DDoS using a single valid token and request payload isn't possible. As with model #1, however, we still run into problems of token exposure if the token is present in the URL.

      Model #2 treats each individual authentication token not as a session for an entire third-party system, but as a session for a single request on that system. These per-request session tokens require greater effort to implement, but are inherently safer due to the increased granularity of our authentication and our flexibility in allowing ourselves to expire the tokens at will.


      Final Thoughts

      Security is hard. Even with per-request session tokens, webhooks still aren't as secure as we might like them to be. Some systems allow us to define tokens that will be inserted into the request payload, but more often than not you'll find that only a webhook URL is possible to specify. Ideally we would stuff those tokens right into the POST request payload for all of our third-party systems so they would never be so easily exposed in plaintext in log files, but legacy systems tend to be slow to catch up and newer systems often don't have developers with the security background to consider it.

      Still, as far as securing webhooks goes, having some sort of cryptographically secure authentication token is far better than leaving the door wide open for any script kiddie having a bad day to waltz right in and set the whole place on fire. If you're integrating with any third-party system, your job isn't to make it impossible for them to get their hands on a key, but to make it really difficult and to make sure you don't leave any gasoline lying around in case they do.

      8 votes
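
The per-request token model from the "A Brief Look at Webhook Security" post above, as an added example that is not code from the post's author. The `/my_webhook/{request_id}/{token}` path layout, the in-memory store, the delivery cap and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_DELIVERIES = 3  # assumed cap; the post only says "a certain number of requests"


class WebhookTokenStore:
    """Per-request webhook tokens, kept in memory for the sake of the example."""

    def __init__(self, max_deliveries=MAX_DELIVERIES):
        self.max_deliveries = max_deliveries
        self._records = {}  # request_id -> [sha256(token), deliveries_seen]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, request_id):
        """Create a fresh token bound to one outbound third-party request."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Keep only a hash, so a leaked table does not hand out usable tokens.
        self._records[request_id] = [self._digest(token), 0]
        return token

    def revoke(self, request_id):
        """Expire a token at will, e.g. once the request is settled."""
        self._records.pop(request_id, None)

    def verify(self, request_id, token):
        """Accept only if the request exists AND the token belongs to it."""
        record = self._records.get(request_id)
        if record is None:
            return False
        # Constant-time comparison avoids leaking digest bytes through timing.
        if not hmac.compare_digest(record[0], self._digest(token)):
            return False
        record[1] += 1
        if record[1] >= self.max_deliveries:
            self.revoke(request_id)  # replaying a valid callback stops working
        return True


def split_callback_path(path):
    """Parse the assumed /my_webhook/{request_id}/{token} layout."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "my_webhook":
        return None
    return parts[1], parts[2]


def redact_path(path):
    """Form of the path that is safe to write to access logs."""
    parsed = split_callback_path(path)
    if parsed is None:
        return path
    return "/my_webhook/%s/[REDACTED]" % parsed[0]


def handle_callback(store, path):
    """Return the HTTP status to send: 204 if accepted, 404 otherwise."""
    parsed = split_callback_path(path)
    if parsed is None or not store.verify(*parsed):
        return 404  # same answer for unknown request, bad token, expired token
    return 204


if __name__ == "__main__":
    store = WebhookTokenStore()
    path = "/my_webhook/order-1001/" + store.issue("order-1001")  # constructed id
    print(redact_path(path), handle_callback(store, path))
```

Logging `redact_path(path)` instead of the raw path addresses the plaintext-in-logs exposure the post describes for tokens carried in the URL.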
    6. What are you reading these days? #11

      What are you reading currently? Fiction or non-fiction, any genre, any language! Tell us what you're reading, and talk a bit about it.

      Past weeks: Week #1 · Week #2 · Week #3 · Week #4 · Week #5 · Week #6 · Week #7 · Week #8 · Week #9 · Week #10

      14 votes
    7. Food in the Anthropocene

      The study published in the Lancet: Food in the Anthropocene: the EAT–Lancet Commission on healthy diets from sustainable food systems

      The editorial in the Lancet: The 21st-century great food transformation

      An article in Cosmos for people (like me!) who don't have access to the Lancet: Feeding the planet: a call for radical action

      7 votes
    8. What are your thoughts on Reddit's r/movies subreddit ?

      Personally, I strongly dislike it. Every aspect of every film is way overblown there.

      If there's a funny scene in a movie, they LITERALLY die laughing and wake their whole neighbourhood up.

      If there's a scene that is in the slightest bit sad, they're going to cry their eyes out for months.

      If there's a movie that's decently good, then it's an absolute masterpiece and the best movie of the decade.

      And so on... Everything is always really exaggerated.

      On top of that, there's always the circlejerk hivemind aspect. Threads are closed after 6 months, so the whole discussion about the film is divided between many threads, but because every thread is small and new, you often get the same fluff comments.

      For more popular films, it is the absolute worst. With half the thread being just funny quotes from the movie with no additional commentary or anything valuable, yet having thousands upon thousands of upvotes. It's kind of sad.

      I used to go to IMDb boards, –which, admittedly, had their own issues– but they were still pretty useful for discussion. And shutting people up wasn't as easy as it is on Reddit, so the opinions there were much more varied. However, since they shut them down, Reddit is the closest thing I've found. Moviechat.org is supposed to be a replacement to the IMDb boards, but it's pretty inactive.

      So, even though I kind of despise r/movies, I'm sort of forced to use them. But reading it makes me somewhat bitter.

      What about you?

      13 votes