Bitboxer - hacking

No Subscription, No Ads - My Local Music Streaming Setup

2026-03-17T00:00:00+01:00

I am currently making my digital life better and more sustainable for every party involved. One of the topics I am changing is music. I want music artists to get a fair share for the music I am listening to. The only way to do that is to actually buy music from them. If possible, through Bandcamp.

I cleaned up my old library of music files and am slowly adding all the music I love and used to stream.

To make this work for me, I investigated a lot and tested a ton of tools. I think I now have found my sweet spot. With apps that I love and are good looking, at least enough to actually use them daily without constantly thinking, “Oh my god, is this really worth it”.

This is what my stack currently looks like:

Jellyfin

Our files are hosted on our trusted Synology server and use Jellyfin as our media server. I also installed a last.fm plugin so that Jellyfin does all the scrobbling and I don’t have to limit myself to apps that also do that. Pretty nifty.

jellyfin.org

Gelly

On Gnome I found this really nice looking app. Highly recommended. Every day I am impressed by how beautiful the Gnome apps are. And this is no exception. I will need to create a separate post about all the things I use on Gnome sometime soon.

Github

Manet

This is the app I use on my iPhone and work Mac. It looks really nice and has all the features I need.

Tilosoftware.io

Symfonium

I now also own an Android tablet. And this is the best app I found for this. There are tons of apps for Android phones that can connect to Jellyfin, but none had at least a half decent tablet layout. This has. So it won.

symfonium

Bonus player: cliamp

Of course there is an amazing cli option, too. cliamp is everything you need from a command line music player. Nice visuals, quick search, easy to use.

cliAmp

French coast and back in an EV camper

2025-08-16T00:00:00+02:00

Last week we came back from a camping trip to Soulac-sur-Mer. Roughly 1600 km through Germany and France to the Atlantic coast. In an EV camper van. An e-Vanster, to be more specific. We got that car two years ago, and we absolutely love it.

This car is a modified e-Spacetourer with an added pop-up roof, a small electric stove in the back, and electrical equipment to make it possible to use campground power systems via a CEE plug. The range is around 317 km on a charge. It’s basically a brick on wheels, so don’t expect it to be fast (limited to 130 km/h) or super energy efficient. But it gets its job done. On the positive side, it rides absolutely smoothly, and the EV part makes it lovely to merge onto a highway. Unlike a diesel camper van, where you’re constantly worried whether the car will accelerate fast enough for the short on-ramp. The turning radius is also roughly a meter better than the diesel counterpart because it has no huge engine block.

This was the first time we used the relatively new e-Routes app that Stellantis/Citroën offers. Before, we used ABRP with a USB-ODB dongle. While ABRP theoretically has better data because of the direct vehicle access, the e-Routes navigation UI was much nicer. And it got the job done very smoothly. It sadly has one little quirk that needs to be fixed: three times the app decided to re-route us to another charger shortly after we left the highway system. Yes, in theory the next charger would have been better, because we had enough battery range to get to it, but the timing was… not good 😅. We also used the Chargeprice to figure out what was the cheapest way to charge along the way. We booked two cards with monthly fees to get the reduced charging price. Something we don’t need in Berlin because we don’t drive enough. But this trip made them worth it.

The drive itself was rather uneventful. We just followed what the e-Routes app told us to do. It showed how many charging spots were free at the next charging point, and how much battery we’d have left when arriving. Simple, easy, and relaxing. The French highway has a speed limit of 130 km/h, so driving there was less stressful. We had one charger that we couldn’t use because the stop was overcrowded by non-EV people trying to park everywhere. And another charger was broken — so we just used the next one 500 m away. At two charging points, we had to wait less than 10 minutes to be able to use the plug. That’s basically it. No struggles, no nail-biting stories I could tell. It was very uneventful. As it should be. And I love the charging breaks. Usually you go grab some snacks or go to the toilette and the battery is full enough again. And once we lifted the roof so that you could do a quick 15 min power nap while the car was charging. A trick normal EVs cannot do 😁.

Would I do this again? Yes, we already booked the same place for next year. Would I change a thing? Yes, we have some ideas on how to improve our camping equipment a bit and will do that soon. Nothing groundbreaking, but you learn by using the equipment and discovering your needs.

Three little tidbits I found interesting:

Even the campground shop had better baguette than anything you can get in Berlin
Bikers in France really want to live dangerously. Driving between two cars at 120–130 km/h on a two-lane highway system to get in front of them? Really?
French people like to use their left blinker on the highway. A lot. And don’t turn it off…

Going viral on mastodon

2025-03-15T00:00:00+01:00

Recently, I had a post go somewhat viral (at least for my standards). The post currently has around 4,200 boosts and 3,700 favorites.

The last time this happened was a couple of years ago. And this time it was different. In many interesting ways.

So let’s go through some of the most noteworthy findings:

It just worked. Last time, the website had problems with the number of notifications. But this time? No issues. All apps I used were okay with the notifications, nothing got noticeably slower. No errors, no crashes.
No weird/spam replies. I still have some stomach ache when I think about the fact that moderation in Mastodon is on the shoulders of mostly unpaid people, but it works amazing. When I got these boost numbers on other platforms, the post would be flooded with spam, scams, and crypto bros. But not on Mastodon. Thank you to all the hardworking people for this ❤️.
No Nazis. This is especially remarkable. It was a post about Nazi Germany. And zero Nazi replies. Keep up the good work, folks ✊.
Grouping of notifications helped. This was added not too long ago, and I could already see how much it improved my life in this situation. Otherwise, I would not have been able to handle the number of messages coming in.
It came in waves. With algorithm-based social media, your post usually either kicks off immediately, stays active for a couple of days and dies off. Or does nothing whatsoever. Mastodon does not have that. All interactions happen organically. For that reason, you see waves of notifications. Occasionally, a post gets traction days or weeks after you post it. A person boosts it and starts another round of interactions with the post. This is charming and shows the power of a non-algorithmic timeline. The message stays alive longer.
I gained around 200 followers. That’s a nice number. Higher than I expected with that number of boosts. Thank you for following me 🥰.

Luckily, I had no bad experiences with this post. But In the future, I really would love to be able to restrict interactions. I would love to be able to easily ban a reply to be attached to my post. Or limit who can interact with it. I know there is work going on about this for a while now. And it’s hard to do correctly, but please implement that this year.

Berlin is Calling: Stand Up and Protest for Change!

2025-01-16T00:00:00+01:00

In a bit over a month, Germany votes for the next government. It looks like conservative, right-leaning parties might win a lot of votes. Let us all try to prevent that. One way to do that is to go out on the street and protest to show others that we fight. That we haven’t given up hope for a better world.

Clicking a ‘Sign the petition’-Button is not as important as thousands protesting on the streets.

Many demonstrations are scheduled in Berlin. It would be great if you could join one (or more) of them.

Here’s a partial list:

Wir haben es satt (We are sick of it)

When: 18.01.2025, 12:00
Where: Federal Chancellery of Germany
By: BUND and several other organizations
Details: wir-haben-es-satt.de

FLINTA* March

When: 19.01.2025, 12:00
Where: Brandenburg Gate
By: FLINTA*-Activists and other organizations
Details: flintamarch.de

Klimastreik (Climate-Strike)

When: 14.02.2025, 12:00
Where: Brandenburg Gate
By: Fridays For Future
Details: fridaysforfuture.de

Winter-CSD

When: 15.02.2025, 11:55
Where: German Parliament
By: CSD e.V.
Details: csd-berlin.de

Wir stehen zusammen – Lichtermeer gegen den Rechtsruck (We stand together – sea of lights against the shift to the right)

When: 25.01.2025, 16:30
Where: Brandenburg Gate
By: Campact, Parents against the Right and Fridays for Future among others
Details: campact.de

A complete list can be found on demokrateam.org.

38c3 retrospective

2025-01-13T00:00:00+01:00

Yes, it’s true. Another year passed. And with it another CCC. Again with me sitting at home, enjoying a nice hot drink and watching the streams. Last years talks were great, but somehow this year’s even topped it.

If you need some nice talks to watch in this cold and gray time of year, here is the list of talks that I can recommend:

Correctiv-Recherche „Geheimplan gegen Deutschland“ – 1 Jahr danach

Video

„Konnte bisher noch nie gehackt werden“: Die elektronische Patientenakte kommt - jetzt für alle

Video

Gefährliche Meinung – Wenn Wälder brennen und Klimaaktivist*innen im Knast sitzen

Video

Der Milliarden-Steuerraub Cum/Ex – wie schädlich ist Wirtschaftskriminalität für unsere Gesellschaft?

Video

Knäste hacken

Video

Das IFG ist tot – Best of Informationsfreiheit, Gefangenenbefreiung & Machtübernahmen

Video

Longtermismus – der „Geist“ des digitalen Kapitalismus

Video

Identity theft, credit card fraud and cloaking services – how state-sponsored propaganda makes use of the cyber criminal toolbox

Video

Security Nightmares

Video

BlinkenCity: Radio-Controlling Street Lamps and Power Plants

Video

Dialing into the Past: RCE via the Fax Machine – Because Why Not?

Video

From Silicon to Sovereignty: How Advanced Chips are Redefining Global Dominance

Video

Favourite Podcasts of 2024

2024-12-31T00:00:00+01:00

According to Overcast these are the podcasts I listened to the most:

I do not listen to as many podcasts as I used to do. Manly because I don’t have a commute and the school of my kid is just a 10-min bike ride away, but 281 hours still sound like a lot of hours 😅.

99% Invisible, the outstanding breakdown of The Power Broker was my surprise delight of the year. Really worth a listen.
Planet Money, getting the latest on finance, without the dread of finance bros.
Piratensender Powerplay, German news discussed in a very left leaning smart way.
Comfort Zone, this was a nice surprise. This is the podcast I look forward to in the week.
Ehrenwort, history, scandals…what do you want more? I visited their first live show in November, can recommend.
Thinking Elixir This is the first and only tech podcast that made the list. I used to listen to more of those, but somehow I needed more time away from work topics.
This American Life. A classic. Still amazing.
Sicherheitshalber, German podcast about military/security. As a green voter, this was important to open up my bubble. And it’s still left-ish, so not too bad.
Camper-Style, camping is our current way of vacationing. This helped me to get inspired for some vacation/gear stuff.

Honorable mentions

Besides those top 9 shows, I wanted to mention three others. Sometimes quality is more important than quantity 😃.

Art of the score — After a 1 1/2 year hiatus, they came back to just release one episode this year, but it was an “Interstellar” episode, so I can’t complain too much. If you love movies like I do (see my letterboxd account), listening to them going through soundtracks is really wonderful.
Home Cooking - Also one episode after a 2-year break. The chemistry between them is so good. Cannot wait for the next episode in 2 years 😅.
Dear Millennial - This was my favourite podcast for a long time, and I am delighted that it now has new episodes coming out regularly.

If this list is not enough podcasts for you, I have a list of parenting podcasts on PapiBerlin.de that you can follow.

I am always open for podcast recommendations. If you have any, please send them to me either via mastodon or email 🤗.

Smart Heating with HomeAssistant

2024-12-27T22:00:00+01:00

One of the problems in our apartment was this:

A really dumb thermostat. Since we have floor heating, this little thing created tons of problems. Floor heating behaves like a big cargo ship. You cannot quickly move it around. The floor needs time to heat up, and if the desired temperature is reached, you cannot simply shut it down. It will continue to radiate heat to the room. With this dial, a accurate temperature was just not possible. Also we didn’t want to heat the rooms at night and wanted them to cool down. And ideally to warm up just before we wake up.

The solution: get rid of this stupid thing and install something smarter. Something that has ZigBee and can be added to Home Assistant. Something like the MOES ZigBee Smart Thermostat.

First, I had to get rid of the old thermostat and install the new one. Luckily, this was relatively easy. Pull out the dial and you will find a little screw.

After that, you will find that the guts of the device is rather empty.

Get rid of it.

Luckily, they left some nice schematics for us.

Install the new thermostat following the schematics printed on it.

Success.

The next step is to add it to your Home Assistant and add some rules. Since this is an unsupported ZigBee device, you will need to add a custom quirk to Home Assistant. This file works fine with my device. The Readme of the file explains how to add the quirk to Home Assistant.

The rules I have are something like “if the forecasted outside temperature today is below 15 degrees Celsius, activate the heating at 6 o’clock for 5 hours with a target temperature of 21 degrees Celsius”. Nothing too fancy (yet).

I also added a rule that activates the heater for 5 minutes per week in warmer months. That way I can work around the problem that the heating valve gets stuck, and I have to fix it each winter.

If you see that the temperature of the device does not match the room temperature, you can tweak the offset a bit. Simply call the temperature_calibration function via ZigBee and set it to a new offset. After a few seconds, the device will update the temperature to the new value.

Email validation - easy to get wrong, simple to fix

2024-02-03T09:00:00+01:00

If you mention email validation, most developers only think about the technical aspect of it. What is a valid email? Basically, there are two ways of thinking about it: Regular expressions are enough or Regular expressions don’t cover 100% of the email standard. For that I can only say: yes, a regular expression does not work for your esoteric email addresses, but who cares? The w3c spec for <input type="email"> says this should be done with this regular expression:

/^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/

If your email address does not comply with that, you will have problems everywhere.

Now that we have this boring part of the discussion out of the way, let’s focus on the real problem.

I build tons of MVPs in my life, and most of the time we needed to add some form of email validation to the system. Either to comply with European regulations, and/or to verify a correct email address. A correct email address is especially important if you want to make sure that you can successfully convert someone to a user. You need that to send notifications, engage with them and finally turn them into a happy paying customer.

The first, and most important part, should be to check if this is really needed. Do you want to be allowed to send newsletters to the user? If yes, you need a double opt-in. If not, you could simply go ahead without this. Simply let everyone in, regardless of their email address. This has a gigantic upside: users can use your app super quick. And for some use cases, it’s more important to let users in quickly than to have a confirmed email address. The downside is, sadly, rather big. You are not allowed to send marketing emails, you will have some users who cannot log in because two weeks later they realize that they must have had a typo and their cookie expired and so much more.

After you decided you want a double-opt-in and verify the email address, you have to send out a confirmation email. You want this experience to be as smooth as possible. Having users open their email account, wait for an email to arrive, and then hopefully get them to click on the confirmation link, is a long process that can lose lots of potential customers when done wrong.

You need to make sure that all potential errors are addressed and can be fixed quickly by the user.

What could go wrong? Sadly, a lot. Your role is to make it simple for the user to resolve all problems. Let´s go through all the steps and see what can go wrong and how to fix the most common problems.

Step 1: Entering the email address

The most important part is to mark the input field as an email field. Most browsers will show the most recently used email addresses and help the user to fill in the field. This will remove 99% of all typos.

Step 2: Highlight possible typos

After we got rid of 99% of all typos, we still have to deal with the remaining 1%. We cannot do much about the stuff before the @, but we can help with the stuff after the @. There are libraries that can help you with that. They can suggest that gnail.com is probably a typo and the user meant gmail.com.

There are lots of libraries to do that, for example email-misspelled, truemail or valid_email2.

Offer a simple “Did you mean gmail.com?” button to the user that they can click to replace the typo.

Step 3: After sending the email

After the user submits the form, you send out an email and wait for the user to click on the link. In my experience, THIS is usually the page where users realize that they had a typo or used the wrong email address.

You need to make sure that the user can resolve this problem as quickly as possible. You should show the user a message to what address the email was sent to and that they should check their email account. If the user sees a problem, you should give them the option to change the address. You should not force the user to go back to the form and fill it out again. Simply give them the option to fix the email address right there.

Additionally, add a “resend email” button. This will help with cases where the user deletes the email accidentally or the email gets lost in the spam folder.

Step 4: After clicking the link

After the user clicks the link or enters the confirmation code, you should send the user to a page that enables them to use your product as fast as possible. Please don’t end on a page that simply says “Thanks for confirming your email address”. This is the first page ‘inside of the app’ for your customers. They should be greeted as such and have a clear path to using your product.

I hope this helps you to make your email validation process as smooth as possible. If you have any questions or suggestions, feel free to send me an email.

Tuya Zigbee IR Blaster in Home Assistant

2024-01-20T09:00:00+01:00

Note: previously you needed a custom quirk, but since September the Tuya IR Blaster is natively supported in Home Assistant

After years of playing around with Philips Hue and never being really happy about it, I switched to Home Assistant. I installed it on a Raspberry Pie, added a ZigBee USB-Stick and never looked back.

It’s simply amazing. Fully customisable, everything local. And zero problems.

There was only one thing I wished it had. Infrared output. I wanted to remote control devices that only had IR-Input. I tried two Broadlink devices, and both sucked. The first just didn’t want to connect to a properly secured wifi, the other one was buggy as hell. I needed something better. And I found it.

The Tuya Zigbee IR Blaster ZS06

Setting it up is as easy as the usual “a couple of clicks” in Home Assistant.

Let’s start.

Requirements

Things you need:

Fully installed Home Assistant
A Zigbee USB-Stick
A fully configured Zigbee Home Automation device

Installation

To enable the support for the Tuya IR, you need to install have a working zigbee stick. After that it is pretty straight forward.

Add the device to your system

Initiate the pairing process by pressing the button on the device for around 5 seconds till the LED starts blinking. You will be able to add the device in Home Assistant now.

Navigate to the ZHA configuration page and click on the “Add Devices” button. The device should show up as “Tuya Zigbee IR Blaster ZS06”. Click on it and wait for the pairing process to finish.

After the device was added, navigate to it and click on the “…” button in the device info box. Click on “Manage zigbee device” to open the device configuration page. There you can send commands to the device.

Select the “ZosungIRControl” cluster and the “IRLearn” command. Your dialog now should look like this:

Press “Issue Zigbee command” and then the blue led should start to light up, indicating that the device is waiting for an IR code.

After you pressed a button on the remote, you can see the code in the attributes tab. For that you have to select last_learned_ir_code in the dropdown and press the read attribute button.

You can now test the code by selecting the “IRSend” command and paste the code into the “code” field. Click on “Issue Zigbee command” and the device should send the IR code.

If everything works, you can now create a script to send the code. For that you need to grab the ieee code that is shown in the device info box after you expanded the “Zigbee info”. The cluster_id is the ID of the ZosungIRControl cluster, in my case 0xe004. Convert that to decimal and you get 57348. The command in my case is “IRSend (id: 0x0002)”, which translates to decimal 2 and the command type is always “server”.

The final script should look like this:

service: zha.issue_zigbee_cluster_command
metadata: {}
data:
  cluster_type: in
  ieee: 90:39:5e:ff:fe:0b:e4:cc
  endpoint_id: 1
  command: 2
  command_type: server
  cluster_id: 57348 # = 0xe004
  params:
    code: >-
B3UjhBFrAo8GgAMALOAAAeABCwGPBkADQA8BawKABwEsAuAHB+AHAcAfQAFAC4ADQAuAA0AB4AMLAc6gwIcBLAJAA+AFAQFrAkADAY8GgAPAC+ALB0AT4AMDQDPAD0AL4AEDACxgCwUsAmsCjwaAA0AL4AGHAWsCQANAE+AHA0AXQANAF+APB0Ab4AMDA48GLALAAUAL4AED4AEbAY8GQAMCawIsIAGAhwMsAo8GgAPgCwHgAxtAC0AB4AEHgEfgBwEDjwYsAsABQAvgBwNANcATQAHgBYdAHeAJAQGPBoADQAFAC0Al4AcHQBPgAwPAH0ATQAvgBwPgAxcDawIsAg==

Now you have everything you need to control your IR devices.

Book review: Naming Things

2024-01-08T09:00:00+01:00

At the end of last year, I realized that I somehow stopped reading technical books. There was just too much going on to read that kind of content in my leisure time. Why learn a new thing when you also could escape to Teixcalaanli? But I started to crave some technical content and I looked at my pile of unread technical books.

Luckily, one of the books I chose was this one. Naming things is hard. And on top of that, a wrong name leads to all kind of problems. This book explains the basic rules how you should name things in your code. Plain and simple. Luckily, the author also didn’t make the explanations longer than needed. These kinds of books are the best. Short enough to read in one sitting, long enough to cover everything you need to know.

If you are a software developer, you really should get this book and put it next to your desk after you finished reading it. You will start referencing it when talking to your colleagues about code.

5/5 stars from me.

Get Naming Things at https://www.namingthings.co/.

Follow me on bookwyrm.social for more book reviews.

37c3 retrospective

2024-01-07T09:00:00+01:00

The last time I did a CCC event retrospective was 4 years ago. I skipped 36c3 for reasons, but with 37c3 I’m back. I wasn’t in Hamburg this year, and I’m not sure if I want to join 38c3 in Hamburg, but time will tell.

But let’s start with the talks I’ve watched and liked. If you think I missed something, please let me know.

Breaking “DRM” in Polish trains

This was the talk that had the most impact in the public media. A team of researchers showed how a polish train manufacturer implemented DRM in their Trains and lied to the customer about it. Trying to get them to only use their own service for maintenance.

Video

Heimlich-Manöver

The talk from FragDenStaat is a must watch for me. Nice recap what they did since 2020.

Video

Operation Triangulation: What You Get When Attack iPhones of Researchers

Researchers from Kaspersky show how they found out that iPhones from their coworkers were hacked with a rather complex malware. This talk explains how they found out and what the malware did to infect the devices.

Video

Scholz greift durch: Die AfD wird verboten - Deepfakes auch!

This talk by the art collective Politische Schönheit was a nice mix of art and politics. They explained their last project where they created a deepfake of the german chancellor Olaf Scholz. They used this deepfake to create a video where he announces the ban of the german right wing party AfD.

Video

Bifröst: Apple’s Rainbow Bridge for Satellite Communication

A nice overview of how Apple is using satellite communication to provide internet access to their devices.

Video

The Extremely Large Telescope (ELT)

Always wanted to know how the biggest telescope in the world is built? This talk is for you.

Video

Hirne hacken: Hackback Edition

How do you act after you’ve been hacked and got a ransom note? Nice walk through of how to react and what to do.

Video

Security Nightmares

The (nearly) yearly talk about the state of IT security in the world.

Video

Hacking the climate

What are the current ideas how to fix climate change? This talk gives a nice overview of the current ideas and how they could work.

Video

KIM: Kaos In der Medizinischen Telematikinfrastruktur (TI)

How bad is the german medical infrastructure? This talk gives a nice overview of the cryptographic and security flaws in the german medical infrastructure.

Video

Öffnet eure Spaces für Gehörlose!

How can you make your space more accessible for deaf people? This talk gives a nice overview of what you can do.

Video

Unlocking Hardware Security: Red Team, Blue Team, and Trojan Tales

This is a nice overview of how to attack hardware security and how to defend against it.

Video

NEW IMPORTANT INSTRUCTIONS

LLMs have a lot of new security challenges. This talk gives a nice overview of ways to hack them and to extract data from people using the LLM.

Video

BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses

An attack on the Bluetooth protocol that showed that it’s possible to decrypt the traffic. This talk gives a nice overview of the attack and how to fix it.

Video

How to build a submarine and survive

Never thought a talk about building a submarine would be this funny and interesting. Initially I skipped it, but thanks to Malte I watched it and it was great.

Video

Parenting resources

2024-01-03T01:00:00+01:00

Back in 2019 I started a digital fathers* community. We have a really nice Slack channel with tons of activity. In that channel, we share countless interesting links. I didn’t want those links to be lost in that massive pile that is the Slack history. And for that reason, I started to collect them on this page. Hopefully, this page is also useful for you. If you have any suggestions that fit there, please let us know.

Story points - mostly worthless

2023-12-09T19:00:00+01:00

Story points are just smoke and mirrors. Yes, hear me out.

People can’t stand chaos; we crave order. Many folks view story points as a way to inject some order into the chaos of, say, agile development. This is especially intriguing for large enterprises, those companies with a waterfall mindset that decide to casually slap the word “Agile” onto their established way of doing things.

Now, let me break down why story points are nothing but a facade and share what I prefer instead.

Estimating is no walk in the park

In a perfect, predictable world, this sentence might actually make sense:

The 4-Sprint-average is (0.5 + 0.63 + 0.67 + 0.82) / 4 = 0.655. If you have 36 person-days available in your upcoming Sprint, you should aim for ~24 Story Points.

Such order. We can clearly see how much we can fit into a sprint. All we need to do is to figure out a solid way to assign precise points to stories and integrate them into the sprint. The worst implementation I’ve ever witnessed was at a company with three dev teams. After collectively estimating the tickets, they randomly assigned them to the teams until each team hit the maximum number of points. Chaos ensued. Tickets dependent on each other were spread across three teams, resulting in Team 1 being blocked by Team 2. Not ideal.

Estimating how long a task takes is a challenge. There are always surprises lurking around the next corner. A story that seems “easy” could unexpectedly turn into a two-month effort to refactor the code before it’s possible to implement the ticket. Yes, it happens. Should it happen often? No. It’s a red flag if it does. But more often than not, a ticket that is estimated for 2 days needs 3. And that’s okay. It’s not a failure. It’s just how it is. If you look at the sentence in the quote, you see the that they tried to factor in this uncertainty by averaging the last four sprints. But that’s just a band-aid. It doesn’t solve the actual problem: estimating is hard. Sometimes it’s just not possible. Adding a factor to the equation doesn’t make it any easier. Or more correct. If estimate most tickets take 2 days, but in reality, they take 3? You’ll end up with a sprint that’s 50% over capacity. And that’s not good. Usually that’s when the blame game starts.

Pressure to finish by estimated time

If you estimate a ticket takes 2 days, you’ll feel the pressure to finish it in 2 days: that’s not good. You’ll be tempted to cut corners, to take shortcuts, to do whatever it takes to finish the ticket in time. It creates technical debt. It creates bugs. It creates an atmosphere of pressure. Cutting corners or taking shortcuts can be a good thing. But only if you do it consciously. If you do it because you feel the pressure to finish in time, you’ll end up with a mess. A team that constantly feels this pressure will burn out.

Comparing teams with each other

Unfortunately, I’ve seen many managers who compare teams based on how many story points they complete in a sprint. This leads to peculiar outcomes. A team judged by the number of points it can achieve in a sprint will likely estimate tickets more generously. Maybe it’s subconscious, but they’ll do it. They just don’t want to look bad compared to other teams that finished more points. And this renders story point estimation worthless. You might see a cheerful “the team is becoming more and more efficient” chart, but in reality, it may be the opposite. The truth only reveals itself when you see what they actually delivered and try to understand why.

Long-Term Planning

If you’re sizing up everything for the next four sprints down the road (yes, I’ve witnessed this in more than one team) and just chipping away at those tickets, you’ve basically crafted a fancy version of waterfall. Agile isn’t about that. Not at all. Long-term planning calls for different tools. If you’re basing your long-term planning on the story points’ scope of tickets, you’re planning with a level of detail that’s just not practical. It’s bound to fail. Take a step back and attempt to plan with a higher level of abstraction.

Understanding Ticket Complexity

Another reason why folks fancy story points is because they’re a proxy for ticket complexity. This actually comes in handy when a team is trying to grasp the details of a ticket. If one person estimates the ticket as a 5-day task and everyone else sees it as a 3-day task, there’s a good chance the person rating it at 5 days has a better idea on the ticket’s complexity. This gives you an opportunity to understand why the ticket is so complex and perhaps reconsider the approach, or at the very least, document the complexity within the ticket. However, I think using a Fibonacci Sequence to estimate complexity for this reason is a bit much.

My Suggestion

During your sprint planning, go over the tickets and try to estimate roughly as “small,” “medium,” or “big.” This should give you a ballpark idea of the ticket’s complexity. If there’s a significant difference within the team, discuss it. Record your findings in the ticket, and then let them go.

Move tickets into your sprint based on priority and a sense of how much you can fit into a sprint. If you find you need more tickets in the sprint, pull them from the backlog (which should be sorted by priority) into the sprint. If you end up with too many tickets in the sprint, shift them to the next one. Yes, this is a bit chaotic. But it’s also agile. It’s okay to have a bit of chaos.

The crucial thing is not to feel pressured into finishing all the tickets planned for the sprint. If there’s a deadline, plan accordingly. Communicate the deadline, what exactly needs to be delivered and (most importantly) why. You might have to cut corners or take shortcuts, but do so consciously. The manager’s role is to ensure the team doesn’t burn out, but also delivers. It’s a delicate balancing act. If everyone is on the same page, it’s much easier to achieve the goal.

Still not sold on the idea?

“Estimating tasks will slow you down. Don’t do it. We gave it up over 10 years ago.”
— Jeff Sutherland (Co-Creator of Scrum) (Source)

Thanks to Andrew, Luca and Peter for reading and correcting drafts of this and to Frederic for sending me the quote of Jeff Sutherland.

Deadloch

2023-11-27T01:00:00+01:00

Have you heard of Deadloch? The chances are rather high that you haven’t yet, which is a shame. It is one of the hidden gems of streaming. There are so many shows released currently that some fantastic ones fall through the cracks.

Deadloch is a show about a female police detective in a small New Zealand town who has to investigate a murder. Sounds like a typical murder mystery so far, but luckily, it isn’t. It’s way smarter than that. It constantly plays with gender roles, the cast is filled with queer people, and it doesn’t take itself seriously at all. The best ingredients to create an amazing show.

Please do yourself a favor and try it. It’s on Amazon Prime.

My default apps at the end of 2023

2023-11-12T01:00:00+01:00

In 2017 I did an interview with Sweet Setup and talked about all the apps I was using at that moment. Last week I stumbled upon this post by Matt Birchler and saw more and more people doing the same. So I thought it would be fun to do the same and see how my setup has changed over the years.

✉️ Mail service: mailbox.org
📬 Mail client: Apple Mail
✅ Tasks: OmniFocus
📰 RSS service: Self hosted stringer
🗞️ RSS client: Reeder
⌨️ Launcher: Alfred, I am too old school for Raycast
☁️ Cloud storage: iCloud
🌅 Photo library: iCloud
🤳🏻 Photo editing: Photoshop and Lightroom
🌐 Web browser: Firefox on Desktop, Safari on iOS
🔖 Bookmarks: Raindrop.io
📆 Calendar: Fantastical
📹 Meeting reminders: MeetingBar
📖 Read it later: Pocket
🌤️ Weather: Carrot Weather
🎙️ Podcasts: Overcast
🎶 Music: Spotify
🔐 Passwords: 1Password
💸 Budgeting: YNAB
🍿 Movie discovery/tracking: Letterboxd
📖 Book tracking: bookwyrm, and Goodreads as fallback
📺 TV show tracking: Television Time
⛰️ Habbit/Mood tracking: Daylio
📝 Notes: Bear for most stuff, trying Obisidian for my current gig…let’s see.
🧮 Code Editor: Visual Studio Code and NeoVim
🔍 Code documentation browser: Dash
👨🏻‍💻 Terminal: iTerm2
🔎 Search: Kagi
📦 Package tracking: Parcel
👩‍🍳 Recipe management: Mela
📁 File management: Forklift 4, I need a Norton Commander way of working
⌨️ Keyboard: Moonlander

As you see, I am still ways away from the setup of Terry Prattchet 😅.

Three things your API for mobile apps should have

2021-03-14T01:00:00+01:00

Every time I join a team as a freelancer I check a couple of things during my initial code review. Some are quite common, like:

Is the onboarding document and README still up to date?
Are the tests green?
How much do they test?

…and many more.

Besides all those rather common checks I also check a few things regarding the design of the API (if the project has one). Most of the time there are some important things missing. For example, the following three things.

Decline too old clients

You always want to be able to see the version and type of your clients. It’s nice to have for statistics, but also gets important if you want to introduce API breakage. You need a defined API response to force users to update the app. The app should get a return value that triggers a “Hey, this app needs an update to continue working“ screen. How you implement it depends on your API design.

Maintenance mode

You need a way to communicate a maintenance mode to your clients. The client then should show a warning or disable the app. Ideally, the app could continue to work, but that depends on what the app is about. As a bonus, you could show a message how long this maintenance will take, or show updates if this is an unexpected maintenance (for example because the servers are on fire). Alternatively, link to a status page with further updates.

Communicate with the users

This is more optional than the two things above, but I found it rather useful. Build a way to communicate news to the users. Maybe as news section within the app, a popup dialog for urgent messages or something that fits your app design better. Having the possibility to inform about maintenance windows and to stay connected to your users reduces the bad reviews by a lot. Just make sure the news are not too spammy.

New project: Hier Baut Berlin

2021-03-06T01:00:00+01:00

A couple of years ago I was lucky to be in the first round of the Prototype Fund and was able to build SignDict. A German sign language dictionary that now has around 88,500 unique visitors a month and is one of the leading sign dictionaries in Germany.

I couldn’t believe my luck when I got accepted to the 9th round with another project. Starting this month I will be working on a project called Hier Baut Berlin while being paid by the German government.

So, what does it do? It will help you see what the city of Berlin is doing in your local neighborhood. After you opened the site and specified a location, it will show you all construction projects and other things that the city has planned or is building in your area at the moment. Additionally, you can also subscribe to that neighborhood and will be notified via email when new entries have been added.

From now on, I will post progress reports every two weeks on the blog at blog.hierbautberlin.de.

If you want you can also follow all updates on Twitter or GitHub.

Disable iOS/IE phone number detection

2021-02-28T01:00:00+01:00

If you have a website with a lot of text on it, you might discover that iOS and Internet Explorer will sometimes add links when they think they discovered a phone number.

A lot of the time the detection is wrong and might even destroy a bit of the layout of the page.

To fix this you have to add some attributes to the page to disable the automatic format detection.

For IE you have to add the x-ms-format-detection attribute and set it to none in the html header, like so:

<html lang="en" x-ms-format-detection="none">

See MDN for details.

For iOS/Safari you have to add this meta attribute:

<meta name="format-detection" content="telephone=no">

See the Apple Developer documentation for details.

It seems the list of stuff you have to add to a page to make it work smoothly everywhere gets longer and longer by every year.

A rather complete list of things you could put into the header can be found on htmlhead.dev.

"Your eReader is not authorized" on Kobo devices

2020-07-23T02:00:00+02:00

I really love my Kobo eReader. Cheaper than Amazon, I can put epubs on it and buy ebook at every store that is not called “Amazon”. Most ebooks are just watermarked and don’t have any DRM attached to them ♡. You can even lend epubs from your local library using awesome services like OverDrive.

There is just one problem. If you own a Kobo eReader you might have seen this:

Your eReader is not authorized to open this book. Because you previously deauthorized your eReader, you need to reimport the book using ADE“

After that point you are not able to add any book from your library to it. My solution to this was to hard reset the device. Luckily there is another workaround. A disclaimer first: I really love most Adobe products, but the Adobe Digital Edition is 🤬. It’s totally unclear to me why that software is in this state and why this is the only DRM solution for ebooks outside the Amazon walled garden nowadays.

So how do you fix this problem? Like this:

Delete the not working ebook
Connect the kobo with your computer and leave it plugged in.
Start the Adobe Digital Editions App on your Mac
Delete the not working book from your ADE, you will need to re-download the .asm file again later.
Remove the authorization of your eReader
Remove the authorization on ADE (Help -> Erase Authorization)
Go to your library and fetch a different book. Yes you have to find a totally different book than the book that is not working.
Open it in ADE, it will ask you to re-authorize it.
Re-Authorize your eReader
Import the new book to the eReader
Open the book on your eReader and check that it is working
Download the book that was not working from your library and add it to ADE. This is really important. Do not re-import your existing .asm file. You need a new one.
Add it to your eReader
Done

I am writing this down to remember these steps when I have to do them again 😉.

Coworking for parents

2020-06-11T02:00:00+02:00

My wife is currently opening a coworking space for parents called little village and because of that, I investigated the topic a lot in the last couple of months.

Parents have different needs than other people. They have kids. And if the kid is too young for a kindergarten or you couldn’t manage to get a spot yet, you still need a place to work. These places are the ideal solution. Work on your stuff and your kid is in safe hands near you.

What was missing was a page with an overview of all coworking places all around the world. Luckily I already had a huge list of places and just needed to put them on a map. With the awesome little power tool that is jekyll it was relatively easy to build.

Please see for yourself: coworkingforparents.org.

Bitboxer - hacking

No Subscription, No Ads - My Local Music Streaming Setup

Jellyfin

Gelly

Manet

Symfonium

Bonus player: cliamp

French coast and back in an EV camper

Going viral on mastodon

Berlin is Calling: Stand Up and Protest for Change!

Wir haben es satt (We are sick of it)

FLINTA* March

Klimastreik (Climate-Strike)

Winter-CSD

Wir stehen zusammen – Lichtermeer gegen den Rechtsruck (We stand together – sea of ​​lights against the shift to the right)

38c3 retrospective

Correctiv-Recherche „Geheimplan gegen Deutschland“ – 1 Jahr danach

„Konnte bisher noch nie gehackt werden“: Die elektronische Patientenakte kommt - jetzt für alle

Der Thüring-Test für Wahlsoftware

Wir wissen wo dein Auto steht - Volksdaten von Volkswagen

We’ve not been trained for this: life after the Newag DRM disclosure

Erpressung aus dem Internet - auf den Spuren der Cybermafia

From Pegasus to Predator - The evolution of Commercial Spyware on iOS

Wann klappt der Anschluss, wann nicht und wie sagt man Chaos vorher?

7 Years Later: Why And How To Make Portable Open Hardware Computers (mntm)

Autoritäre Zeitenwende im Zeitraffer

Hacking yourself a satellite - recovering BEESAT-1

Projekt Bucketchallenge

Gefährliche Meinung – Wenn Wälder brennen und Klimaaktivist*innen im Knast sitzen

Der Milliarden-Steuerraub Cum/Ex – wie schädlich ist Wirtschaftskriminalität für unsere Gesellschaft?

Knäste hacken

Das IFG ist tot – Best of Informationsfreiheit, Gefangenenbefreiung & Machtübernahmen

Longtermismus – der „Geist“ des digitalen Kapitalismus

Identity theft, credit card fraud and cloaking services – how state-sponsored propaganda makes use of the cyber criminal toolbox

Security Nightmares

BlinkenCity: Radio-Controlling Street Lamps and Power Plants

Dialing into the Past: RCE via the Fax Machine – Because Why Not?

From Silicon to Sovereignty: How Advanced Chips are Redefining Global Dominance

Favourite Podcasts of 2024

Honorable mentions

Smart Heating with HomeAssistant

Email validation - easy to get wrong, simple to fix

Tuya Zigbee IR Blaster in Home Assistant

Requirements

Installation

Add the device to your system

Book review: Naming Things

37c3 retrospective

Breaking “DRM” in Polish trains

Heimlich-Manöver

Operation Triangulation: What You Get When Attack iPhones of Researchers

Scholz greift durch: Die AfD wird verboten - Deepfakes auch!

Bifröst: Apple’s Rainbow Bridge for Satellite Communication

The Extremely Large Telescope (ELT)

Hirne hacken: Hackback Edition

Security Nightmares

Hacking the climate

KIM: Kaos In der Medizinischen Telematikinfrastruktur (TI)

Öffnet eure Spaces für Gehörlose!

Unlocking Hardware Security: Red Team, Blue Team, and Trojan Tales

NEW IMPORTANT INSTRUCTIONS

BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses

How to build a submarine and survive

Parenting resources

Story points - mostly worthless

Estimating is no walk in the park

Pressure to finish by estimated time

Comparing teams with each other

Long-Term Planning

Understanding Ticket Complexity

My Suggestion

Deadloch

My default apps at the end of 2023

Three things your API for mobile apps should have

Decline too old clients

Maintenance mode

Communicate with the users

New project: Hier Baut Berlin

Disable iOS/IE phone number detection

"Your eReader is not authorized" on Kobo devices

Wir stehen zusammen – Lichtermeer gegen den Rechtsruck (We stand together – sea of lights against the shift to the right)