On July 19th 2022, Google introduced Carbon Language. What exactly is Carbon, and what does it aim to achieve? Note that the Carbon coding language is experimental.
To understand Carbon, we first need to take a look at the language it’s attempting to augment. That is, C++. It remains the dominant programming language for performance critical software, and has been a stable foundation for massive codebases. However, improving C++ is extremely difficult. This is due to a few reasons:
Decades of technical debt
Prioritizing backwards compatibility over new features
C++, ideally, is about standardization rather than design
Uses a committee process that takes multiple years to make changes, and sometimes can’t at all
Carbon, as Google puts it, is okay with “exploring significant backwards incompatible changes”. This has pros for those wanting to work with a language developing with the mindset of “move fast and break things”.
Carbon promises a few things in their readme:
Carbon is fundamentally a successor language approach, rather than an attempt to incrementally evolve C++. It is designed around interoperability with C++ as well as large-scale adoption and migration for existing C++ codebases and developers. A successor language for C++ requires:
Performance matching C++, an essential property for our developers.
Seamless, bidirectional interoperability with C++, such that a library anywhere in an existing C++ stack can adopt Carbon without porting the rest.
A gentle learning curve with reasonable familiarity for C++ developers.
Comparable expressivity and support for existing software’s design and architecture.
Scalable migration, with some level of source-to-source translation for idiomatic C++ code.
Google wants Carbon to fill an analogous role for C++ in the future, much like TypeScript or Kotlin does for their respective languages.
JavaScript → TypeScript Java → Kotlin C++ → Carbon?
Talk is cheap, show me the code
Okay, so what does Carbon look like then?
First, let’s see how to calculate the area of a circle in C++.
C++ coding example
Compared to Carbon:
Carbon coding example
My initial thoughts are that the syntax looks mixed between C#, JavaScript, and C++. Prepending “var” before each variable seems redundant. Why not a type name followed by a declaration? One might argue that it leads to easy variable identification without memorization of variable types but that makes little sense as you put the type anyway. The way variables are initialized with “:” instead of =, reminds me of Javascript. Not sure if that’s a good thing, it looks less like C++ than I expected. Oddly, they chose “import” for the system packages it seems which is also shared with Python. I do like the shortening of function to fn. You could argue shorthand is the point because it’s cleaner and smaller, but again why is it defined as a function and then an ‘i32’? Seems redundant. unless they decided fn FunctionName() -> i32 is shorter than int FunctionName(). It could be their goal is simply to separate the syntax from other known languages enough to recognize at a glance. Maybe I’m missing something.
One neat feature they’ve shown is the interoperability between Carbon and C++. You can call C++ from Carbon and vice versa. You can rewrite or replace as little or as much of your libraries as you want without fear of breaking anything. Well, at least without breaking anything more than normal when dealing with C++.
C++ code used in both Carbon and C++
And better memory safety is also promised
Safety, and especially memory safety, remains a key challenge for C++ and something a successor language needs to address. Our initial priority and focus is on immediately addressing important, low-hanging fruit in the safety space:
Tracking uninitialized states better, increased enforcement of initialization, and systematically providing hardening against initialization bugs when desired.
Designing fundamental APIs and idioms to support dynamic bounds checks in debug and hardened builds.
Having a default debug build mode that is both cheaper and more comprehensive than existing C++ build modes even when combined with Address Sanitizer.
Time will tell if the language develops into a developer favorite or fades into obscurity like Dlang. What, you haven’t heard of D?
At some point when looking through Task Manager you may notice the ‘priority’ setting in Task Manager and decide that you want your favorite game (example: Minecraft) to run faster. You right click the process in Task Manager and set the priority to ‘realtime’, the highest setting.
However, upon clicking that option, a scary looking dialogue option pops up informing you that this is probably a bad move.
Changing the priority in this instance causes our laptop mouse to lag across the screen and explorer.exe to stop responding. Fun! Why is this the case? What’s going on here?
Realtime priority is the absolute highest priority you can set a program. This tells Windows you want to dedicate as much CPU time as possible to that process, so basic process like mouse input and Windows UI start competing for CPU cycles.
Realtime is the highest process class
OPTIONAL: Process Table Explanation and Further Information
The “Base priority” column in Task Manager is showing you the process class (called “process priority class” in some docs). Note that Task Manager (at least in Windows 10) labels the “Idle” priority class as “Low” (probably to avoid confusion with the idle process, etc.).
The process class is used only to initialize the priority of threads created within the process. Every thread is created with the “normal” thread priority. If the process is of the “normal” process class, then that means the thread has a base priority of 8.
Programs can change the priorities of their own threads within their process class. In a “normal” process, setting a thread to THREAD_PRIORITY_HIGHEST sets that thread’s base priority to 10. If you change the priority class of a process (say with Task Manager) then every thread’s base priority changes according to the table.
There are a lot of “name anomalies” in this table. “Highest” is not the highest thread priority, “lowest” is not the lowest, “idle” does not mean you are not or will not be doing anything, and “realtime” does not guarantee scheduling behavior suitable for real-time work (it’s just more predictable than the non-realtime classes, partly because it’s above them all, and partly because automatic priority adjustment is turned off in the “realtime” class).
For processes, one is supposed to use the process classes to indicate how important – or not – it is for each process to get CPU time, relative to a “normal” process. And within each process, the developer is supposed to set the thread priorities similarly, relative to a “normal” thread within the process. In practice, very few developers ever bother. (And they should. For example, a compute-bound task like video rendering should be set to a lower-than-normal priority, to avoid interfering with interactive use of the system.)
And the “idle” process class, and the “idle” thread priority within a process, does not mean nothing will be done by that process or that thread. It just means the thread or the process is willing to live with CPU cycles that nobody else wants.
You’ll notice that there is no “0” on the table. Ordinary applications cannot request running at priority 0 through the normal APIs. Only kernel mode threads can run at priority zero. As you’ve found, that is reserved for the zero page thread – or threads; there may be more than one on a NUMA machine.
This doesn’t lead to locking the system entirely because most programs don’t actually use 100% of the CPU regardless of their priority. Most threads do wait for things sometimes, and that could include waiting for a read/write to complete, or some other thread to indicate that they don’t have to wait any more. Additionally, “real-time priority” as a term actually consists of a range of priorities, as indicated by the table above. It’s possible for one “real-time” process to have higher priorities than those of another “real-time” process.
Most of the time, there’s no real reason to change process priority, although a few times it has been personally helpful in situations where two programs are working on a CPU intensive task, and they are slowing each other down. It’s possible to set the program’s process priority to “Above normal” pretty safely, allowing the CPU to dedicate more time to it.
“Is there even an android version of the game out?” No. 🙂
Undertale has been one of the most influential and one of my favorite games of all time. Since the game’s release in 2015 I’ve been entranced by its secrets and storyline. I played it blind when it first came out and have been hooked ever since.
I’ve been a part of a few different Undertale data mining communities over the years and although I admit there probably aren’t any secrets left, I’m still interested in any new theories or fan works/mods.
I came across a method to patch gamemaker files including Undertale to mobile, and then discovered there’s already been some work in the community into this area. I took the existing mobile Undertale modifications online and added full controller and keyboard support (note this build is Android only). YOU CAN HIDE THE ADDED GAMEPAD IN THE GAME’S BUILT IN SETTINGS MENU. SET THE BUTTON OPACITY TO 0. ❤️
A save editor has also been added into the game. If you visit the SETTINGS menu from either the beginning of the game or the Continue menu, you can overwrite your save file with presets. Save file preset names are below, but THEY CONTAIN SPOILERS (if you haven’t somehow heard/played UNDERTALE already)
This along with the added Bluetooth controller support should make it bearable to play Undertale on mobile devices!
Screenshots
This build is for educational purposes and Undertale research only.
Download
v0.1.0 – Updated internal Undertale version to v1.08 – Fixed name selection screen crash – Add more name easter eggs – Fix save editor crash DOWNLOAD: [APK FILE FOR ANDROID ONLY]
Methods of downloading YouTube videos have changed over the years. Here are two of my preferred methods for doing so in 2022.
tl;dr: easy:
Use a Youtube-Mp3 converter site, if you know how to Google then you’ve probably found one of these already.
tl;dr: is asked to fix printers:
Get the latest ‘youtube-dl’ fork like yt-dlp. Use ffmpeg to convert.
Easy
Yeah there’s really nothing else you need here
The Other Method
Get yt-dlp. Put it in a folder somewhere in C:\ like ‘youtubedownload’. Rename the .exe file to yt.exe.
Get ffmpeg. Put it in the same folder. You could rename this .exe file if you want as well, the names will be the commands used in the future.
Press the WINDOWS key, and type ‘path’. (INCOMING WALL OF PICTURES)
Choose ‘Enviroment Variables’
Then,
You can then add a new entry for the ‘path’ environment variable. The system uses this to allow the executing directory to be in any directory listed in the path. Meaning, when you run a command in CMD, the system will always check any directories in the ‘path’.
Click OK on all open windows after adding the directory the exes are in to the ‘path’.
Right click on your Desktop > ‘Open Command Window Here’. If you don’t have this option in the context menu, you can download these registry edits to add it.
Next type the name of the yt-dlp .exe followed by a space and the url. So if you renamed it ‘yt’ like stated previously, it would look like so: yt https://www.youtube.com/watch?v=dIMdcJWOEFM Hitting enter will start downloading that video to the desktop directory you just launched the CMD window in. (Hint! If you want to use a Soundcloud URL like we have below, that will work too! Isn’t technology great?)
If you want to convert the resulting video to a proper audio file like .mp3, you have two options. You can use the quick solution right from yt-dl:
You can ignore missing (“unavailable in your country”, or removed) videos with an -i flag. If your playlist isn’t working and the URL contains v=<ID>, remove it so just the ?list= item is in the query string.
Or, since ffmpeg is useful for other tasks (and you should have it anyway), you can use it directly. A simple syntax of an ffmpeg command that would convert to an mp3 would look like ffmpeg -i [input file name] [output file name].[output file extension]. But wait, we don’t want to type that long, ugly file name in that yt-dlp just spit out onto our desktop… luckily we have a trick for that.
Run ‘dir /x‘ in the open CMD window. This is an extremely helpful windows command that will show ‘short’ filenames for files, making working with longer file names a breeze. Windows is telling us in the screenshot above that we can refer to the video we just downloaded as ‘moving~3.web’. Now assuming no renaming of the ffmpeg .exe took place in the setup step, our command simply becomes:
ffmpeg -i moving~3.web output.mp3
And you’re done! You now have ‘output.mp3’ on your desktop saved as the song we were just playing on YouTube. I’ve combined this process with scripted metadata adding/titling for an offline library. And, with the right yt-dlp commands it can even become an efficient way to export entire playlists of music.
Link rot is a problem that affects everyone using the internet on a daily basis. This is when a link becomes dead and no longer links to where it’s supposed to because of site changes. Either the owner stopped maintaining and paying for the domain/hosting, the structure changed, or it was deleted or inaccessible for another reason. Nothing is permanent online (unless it’s your ad data 😉), regardless of what your parents may have said.
Research from Harvard Law School shows about a quarter of all articles on the New York Times suffer from link rot, meaning resources linked on the page are no longer accessible. Additionally, links are not immutable. I personally have links such as ‘https://l.gmr.dev/tiktok‘ that link to my TikTok blog post and that can be changed so I can always keep it up to date. This can be a disadvantage if the site goes offline or the link is mismanaged however.
The problem can be combated by using web archivers, and linking to primary, trusted sources as much as possible. Additionally, it’s helpful to copy + paste the information that’s relevant from the site you’re sharing/linking in case it dies somehow later on.
Factcheck.org, which launched in 2004 now has almost 6,000 dead links. Roughly one third of all the links on Pagella Politica, the Italian fact-checking website I edited before joining Poynter, are currently broken. At the same time, trying to manually keep tabs on the state of a site’s links is too time-consuming to be feasible.
cjr.org
The advent of ‘online-only’ services have marked a period full of slow, buggy, overly designed applications, such as Creative Cloud or Epic Games, that run at all times on your computer to feed you advertisements or update notifications. Engines like Unity have transitioned more and more of their editor services and features to online services. Or, they’ve deprecated more traditional methods that would eliminate the need to connect to “Unity Teams” and/or login to their accounts & manage organizations.
When Flash was purged from the internet a few years ago, one of the largest issues Flash archivers faced were games that required connections to servers. Because those servers are no longer around, a game’s functionality can be crippled or even completely broken without a solution. This can easily happen to any server in the future. A program’s functioning that exists on something that may not be there in the future… well, it makes relying on that utility poor planning at best. Many modern day software applications ship without any sort of offline mode or planned use case 20-30 years from now, so that will be interesting to see.
Photos, old posts, and media people thought would be around forever are constantly being deleted. Make any playlist on YouTube with a sizeable number of videos and soon enough a fair number of them will be unavailable. My music library exists entirely on my own servers streamed to me because I can’t trust that Spotify or an alternative will be around in 20 years with the same music I listen to or want to stream now.
Jailbreaking iOS is an increasingly difficult task, and I switched to Android away from Apple’s walled garden a few years ago, but even now most companies are locking it down more and more in the name of security and the common user experience. Samsung removes the ability to unlock the bootloader in most US variants of their new models, so rooting Android is out of the question for me as well.
A bit rambly, but I don’t think there’s much to do about this other than being personally careful about what technologies I enable and what I work on. I’m simply commenting on the current direction of the Internet as a whole because I want the best for it. I’ve become more and more aware of how fragile the current state of everything online is, and began saving and archiving everything preemptively.
Voting with your money and just being aware is probably the best move, and I’ve personally been more and more selective about digital media or programs I’m choosing to spend time, data, energy and finances on.
…is hopefully almost over. The past few years have seen GPU prices skyrocket, and most GPUs are unobtainable even today because of a chip shortage.
This has led to it being a hostile environment to build a desktop computer in and pushes newcomers away from the PC building scene.
In fact, it’s actually made the age old advice of building your own computer over buying a prebuilt almost obsolete, as many prebuilt PC prices are now as competitive if not a better option for those looking to acquire new hardware.
More than ever, it makes sense to choose a laptop or similarly priced alternatives rather than a desktop PC.
TikTok is the most popular growing social media right now by far, surpassing the likes of Reddit, Snapchat, Twitter, Pinterest and Quora.
And it’s much more popular among Gen Zs and Millenials.
But TikTok was declared as a security threat and many have growing concerns about the operations of ByteDance as a whole.
TikTok Source Code Analyzation
Step 1: Obtain TikTok source code
This is the step most people might get stuck on…
Step 2: Spend hours looking through said program for suspicious things
Step 3: Share!
Beyond initial paranoia, let’s be realistic about what apps collect. Even Google collects IP (and therefore geographic location), and other pieces of personal data:
Google might collect far more personal data about its users than you might even realize. The company records every search you perform and every YouTube video you watch. Whether you have an iPhone or an Android, Google Maps logs everywhere you go, the route you use to get there and how long you stay — even if you never open the app.
So then what are we looking for? How is this different? For one thing, Google, Facebook, Reddit, and Twitter apps don’t collect anywhere near the same amount of data that TikTok does, and they don’t obfuscate and hide their methods sneakily like TikTok. Additionally, TikTok has some weird code in it that no normal social media app should have. Here’s a quick comparison of the APIs TikTok accesses vs the Facebook app:
They both collect data, but TikTok collects more. And needs access to your SMS messages for some reason, even though it doesn’t interact with that…
Below deconstructs more about what the TikTok app can/does do and why it might do it. Make your own judgement at the end of the day. However, this is all just what’s able to be seen. Note that TikTok has the ability to update their app and add / remove code without updating the app through the store.
Things TikTok Collects
Location (once every 30 seconds for some versions)
Phone Calls
Screenshots(?)
Network Information (Wifi Networks’ SSID, MAC address, Carrier, Network Type, IMSI (possible), IMEI, local IPs, other devices on the network)
Facial Data
Address
Clipboard
Phone Data (cpu, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)
Installed Apps
Rooted/Jailbroken Status
All keystrokes in the browser (more below)
address code
location
phone number/call log code
facial verify protocol
location code
location code 2
screenshot code
screenshot observer
track all actions in app (including what you copy to clipboard/share)
Examples of code of each of the above collected items (click an image to see big!)
Location
Most apps collect your location, so there’s nothing too fishy about this. However, one could argue that your location is not useful to TikTok’s general functioning and therefore shouldn’t attempt to locate you so often or at all unless you’re using a feature that takes advantage of that. The data collected here includes your latitude and longitude, and exact location if they can pull it from the WiFi (done in the wifi collecting code).
Phone Calls/Call Log/Phone Number
TikTok requires you to provide a phone number upon signup on most occasions to function normally within the app, so they can link your identity to your phone number. They also collect your call log (people you’ve called) and have the permission to make calls from your device, although I’ve never heard of a case of this happening. Phone numbers are generally very unique, so this combined with location and name would already be enough to identify virtually anyone using this app in the U.S.
Screenshots
The app hooks an observer at some point (it would make sense to be on app load) that watches when the user takes screenshots. It’s unlikely this code can run in the background or does, but the app at least knows everything you take a screenshot of while using the app. Additionally, TikTok includes a string, “KEYWORDS”, that may be of significance. A keyword is defined as: “an informative word used in an information retrieval system to indicate the content of a document”. They may use this variable to find screenshot files and potentially scan/upload/use them. However, this may have legitimate use in categorizing images for upload by the user or be non malicious.
Network Information
It also collects lots and lots of Network data. The app uploads full lists of network contacts, SMS logs, IP, local IP, MAC address information, and probably anything else it can read from the phone (which is virtually everything).
Facial Data/Recognition
TikTok includes facial verification code as well, which upon first glance I believed to be for the face filters they include, but does a little more than that. The code includes a link to this domain (archived). Translating said domain states:
Oops, my bad. Should’ve known I had to reverse-engineer the app, extract a developer URL, and then get a translator just to see that I’d even agreed to facial recognition logging by ‘continuing to use this service’.
And further on, it states what I believe to be particularly interesting:
Near the bottom it states facial images are transmitted to the parties listed above.
In specific:
ByteDance developed this function, which includes but not limited to the Ministry of Public Security’s “Internet +” trusted identity authentication platform, “Query Center” and other institutions to provide verification data and technical support.
This is very important because it mentions a “Ministry of Public Security”, and an “Internet+” identity authentication platform/program of some sort, and it also states near the bottom of the same translated text that facial images and identity verification results + data is transmitted to said 3rd party.
It seems they serve the Chinese Communist Party, or are at least connected to the government in a very direct way.
And what is the trusted identity authentication platform? More research turns up articles such as this, and this. It appears likely all facial recognition data would be sent back to China and saved by various parties.
TikTok seems to be sending facial recognition data of anyone who uses the app back to some sort of 3rd party associated with the CCP that has all the other information combined. This could create a very scarily comprehensive profile and location on high-interest targets China wants to keep track of. Additionally, it can use shadow tracking, which is a term pioneered by the era of Facebook. Shadow tracking or shadow profiles are collected data or hidden profiles of people that don’t use the app but TikTok can keep tabs on because of connections. For instance, when you upload your contacts to TikTok, it will track the names you’ve assigned to each contact and use that data in cross-checks with other uploaded contacts of your friends. For every person that uploads their contacts. This can quickly create a vast network of phone numbers and identities, even for people who aren’t associated with TikTok at all. Combining facial recognition data with shadow tracking techniques, and everything listed in this post could make for a pretty sophisticated tracking tool.
Address
I’ve used TikTok for a while before now, and I’ve never been asked to enter my address, city, or where I live. However, the TikTok app contains code to parse and send addresses of locations. This is probably to generate addresses from locations collected for internal logging and ease of viewing user’s geographical locations. This is not to say that is malicious.
TikTok collects lots of data about the device you are using to access their app. Installed app list, device ID, phone name, phone storage, etc. Extrapolating from this, it also probably collects more data not proven here.
Rooted/Jailbroken Status
Detects whether or not you’re rooted. This isn’t that big of a deal but I thought it was worth a mention. Could be used in combination with other obfuscation techniques to hide nefarious actions.
Other Problems
Beyond straight up tracking and collecting data about their users, there is also a number of fundamental design issues with the app as well. For instance, the app uses out of date cryptographic algorithms, including MD5 and SHA-1 for hashing. Both of which have been broken wide open and are no longer secure. Additionally, the app used to only use HTTP, not HTTPS until recently, and that exposed user’s emails, date of birth, and username in plaintext to anyone smart enough to look for it.
Execution of Remote Code & System Calls
Some research states TikTok executes OS commands directly on the phone and has the ability to download remote .zip files, extract them, and execute arbitrary binaries on your device, allowing TikTok to run whatever code they want. While I don’t doubt this is possible, I have not personally verified the code in my research. However, I would not put it past the app to have this capability. Perhaps it’s better hidden now.
Keystrokes in the Browser
The app was tested with inappbrowser.com which shows all JavaScript events that are hooked. If you open this page in your browser, no events will show. This is a good thing. There are no events being monitored in a default, safe browser. The site is meant to show how a 3rd party app is abusing its in app browser. TikTok happens to monitor all keystrokes and key inputs in its in app browser, so the output looks a little more like below.
Security Research Files
Penetrum Security wrote an in-depth paper on TikTok if you’re interested in reading into a lot of what I’ve discovered here, and also compared how much data Facebook, Twitter, and common social media apps collect vs. TikTok. They’ve done great work and I’ve archived those files here. The data collection comparison paper is very interesting (second download).
