There’s a tried-and-true ar­chi­tec­ture that I’ve seen many times for sup­port­ing your web ser­vices and ap­pli­ca­tions:

Redis for co­or­di­nat­ing back­ground job queues (and some lim­ited atomic op­er­a­tions)

Redis is fan­tas­tic, but what if I told you that its most com­mon use cases for this stack could ac­tu­ally be achieved us­ing only PostgreSQL?

Perhaps the most com­mon use of Redis I’ve seen is to co­or­di­nate dis­patch­ing of jobs from your web ser­vice to a pool of back­ground work­ers. The con­cept is that you’d like to record the de­sire for some back­ground job to be per­formed (perhaps with some in­put data) and to en­sure that only one of your many back­ground work­ers will pick it up. Redis helps with this be­cause it pro­vides a rich set of atomic op­er­a­tions for its data struc­tures.

But since the in­tro­duc­tion of ver­sion 9.5, PostgreSQL has a SKIP LOCKED op­tion for the SELECT … FOR … state­ment (here’s the doc­u­men­ta­tion). When this op­tion is spec­i­fied, PostgreSQL will just ig­nore any rows that would re­quire wait­ing for a lock to be re­leased.

Consider this ex­am­ple from the per­spec­tive of a back­ground worker:

BEGIN;

WITH job AS ( SELECT id FROM jobs WHERE sta­tus = ‘pending’ LIMIT 1 FOR UPDATE SKIP LOCKED )

UPDATE jobs SET sta­tus = ‘running’ WHERE jobs.id = job.id RETURNING jobs.*;

By spec­i­fy­ing FOR UPDATE SKIP LOCKED, a row-level lock is im­plic­itly ac­quired for any rows re­turned from the SELECT. Further, be­cause you spec­i­fied SKIP LOCKED, there’s no chance of this state­ment block­ing on an­other trans­ac­tion. If there’s an­other job ready to be processed, it will be re­turned. There’s no con­cern about mul­ti­ple work­ers run­ning this com­mand re­ceiv­ing the same row be­cause of the row-level lock.

The biggest caveat for this tech­nique is that, if you have a large num­ber of work­ers try­ing to pull off this queue and a large num­ber of jobs feed­ing them, they may spend some time step­ping through jobs and try­ing to ac­quire a lock. In prac­tice, most of the apps I’ve worked on have fewer than a dozen back­ground work­ers, and the cost is not likely to be sig­nif­i­cant.

Let’s imag­ine that you have a syn­chro­niza­tion rou­tine with a third-party ser­vice, and you only want one in­stance of it run­ning for any given user across all server processes. This is an­other com­mon ap­pli­ca­tion I’ve seen for Redis: dis­trib­uted lock­ing.

PostgreSQL can achieve this as well us­ing its ad­vi­sory locks. Advisory locks al­low you to lever­age the same lock­ing en­gine PostgreSQL uses in­ter­nally for your own ap­pli­ca­tion-de­fined pur­poses.

I saved the coolest ex­am­ple for last: push­ing events to your ac­tive clients. For ex­am­ple, say you need to no­tify a user that they have a new mes­sage avail­able to read. Or per­haps you’d like to stream data to the client as it be­comes avail­able. Typically, web sock­ets are the trans­port layer for these events while Redis serves as the Pub/Sub en­gine.

However, since ver­sion 9, PostgreSQL also pro­vides this func­tion­al­ity via the LISTEN and NOTIFY state­ments. Any PostgreSQL client can sub­scribe (LISTEN) to a par­tic­u­lar mes­sage chan­nel, which is just an ar­bi­trary string. When any other client sends a mes­sage (NOTIFY) on that chan­nel, all other sub­scribed clients will be no­ti­fied. Optionally, a small mes­sage can be at­tached.

If you hap­pen to be us­ing Rails and ActionCable, us­ing PostgreSQL is even sup­ported out of the box.

Redis fun­da­men­tally fills a dif­fer­ent niche than PostgreSQL and ex­cels at things PostgreSQL does­n’t as­pire to. Examples in­clude caching data with TTLs and stor­ing and ma­nip­u­lat­ing ephemeral data.

However, PostgreSQL has a lot more ca­pa­bil­i­ties than you may ex­pect when you ap­proach it from the per­spec­tive of just an­other SQL data­base or some mys­te­ri­ous en­tity that lives be­hind your ORM.

There’s a good chance that the things you’re us­ing Redis for may ac­tu­ally be good tasks for PostgreSQL as well. It may be a wor­thy trade­off to skip Redis and save on the op­er­a­tional costs and de­vel­op­ment com­plex­ity of re­ly­ing on mul­ti­ple data ser­vices.

We come from the fu­tureWe come from the fu­ture

How Fighter Jets Lock On (and How the Targets Know)

The pri­mary tech­nol­ogy that a mil­i­tary air­craft uses to lock and track an en­emy air­craft is its on­board radar. Aircraft radars typ­i­cally have two modes: search and track. In search mode, the radar sweeps a ra­dio beam across the sky in a zig-zag pat­tern. When the ra­dio beam is re­flected by a tar­get air­craft, an in­di­ca­tion is shown on the radar dis­play. In search mode, no sin­gle air­craft is be­ing tracked, but the pi­lot can usu­ally tell gen­er­ally what a par­tic­u­lar radar re­turn is do­ing be­cause with each suc­ces­sive sweep, the radar re­turn moves slightly. This is an ex­am­ple of the fire con­trol radar dis­play for an F-16 Fighting Falcon when the radar is in a search mode:Each white brick is a radar re­turn. Because the radar is only scan­ning, not track­ing, no other in­for­ma­tion is avail­able about the radar tar­gets. (There is one ex­cep­tion: The Doppler shift of the radar re­turn can be mea­sured, to es­ti­mate how fast the air­craft trav­el­ing to­wards or away from you, much like the pitch of an on­com­ing train’s whis­tle can tell you how fast it’s com­ing at you. This is dis­played as the small white trend line orig­i­nat­ing from each brick.)Note that the cur­sors are over the bot­tom-most brick (closest to our air­craft). The pi­lot is ready to lock up this tar­get. This will put the radar into a track mode. In track mode, the radar fo­cuses its en­ergy on a par­tic­u­lar tar­get. Because the radar is ac­tu­ally track­ing a tar­get, and not just dis­play­ing bricks when it gets a re­flec­tion back, it can tell the pi­lot a lot more about the tar­get. This is what the F-16′s fire con­trol radar dis­play looks like when a tar­get is locked:G/​O Media may get a com­mis­sion15% off Your First OrderGet it for $11 at Hum Nutrition Along the top we have a lot of in­for­ma­tion about what our radar tar­get is do­ing:Its as­pect an­gle (angle be­tween its nose po­si­tion and our nose po­si­tion) is 160° to the left,and our clo­sure rate is 828 knots. With this in­for­ma­tion, the pi­lot gets a much bet­ter idea of what the air­craft is do­ing, but at the ex­pense of in­for­ma­tion about other air­craft in the area.Note that in the above pic­ture, the bot­tom-most (closest) tar­get is locked (circle around it), the two tar­gets fur­ther away are tracked (yellow squares), and there are two radar re­turns even fur­ther away (white bricks). This is demon­strat­ing an ad­vanced fea­ture of mod­ern radars, sit­u­a­tional aware­ness modes. A radar in SAM com­bines both track­ing and scan­ning to al­low a pi­lot to track one or a small num­ber of “interesting” tar­gets while not los­ing the big pic­ture of what other tar­gets are do­ing. In this mode, the radar beam sweeps the sky, while briefly and reg­u­larly paus­ing its scan to check up on a locked tar­get.Note that all of this comes with trade­offs. In the end, a radar is only as pow­er­ful as it is, and you can put a lot of radar en­ergy on one tar­get, or spread it out weakly through­out the sky, or some com­pro­mise in be­tween. In the above photo you can see two ver­ti­cal bars span­ning the height of the dis­play — these are the az­imuth scan lim­its. It’s the air­craft’s way of telling you, “OK, I can both track this tar­get, and scan for other tar­gets, but in re­turn, I’m only go­ing to scan a 40° wide cone in front of the air­craft, in­stead of the usual 60°. Radar, like life, is full of trade­offs.An im­por­tant thing to note is that a radar lock is not al­ways re­quired to launch weapons at a tar­get. For guns kills, if the air­craft has a radar lock on a tar­get, it can ac­cu­rately gauge range to the tar­get, and pro­vide the pi­lot with the ap­pro­pri­ate cor­rec­tions for lead and grav­ity drop, to get an ac­cu­rate guns kill. Without the radar, the pi­lot sim­ply has to rely on his or her own judge­ment.As an ex­am­ple of that, let’s take a look at the F-16′s HUD (heads-up dis­play) when in the process of em­ploy­ing guns at a radar-locked tar­get:It be­comes in­cred­i­bly sim­ple; that small cir­cle la­beled “bullets at tar­get range” is called the “death dot” by F-16 pi­lots. Basically, it rep­re­sents where the can­non rounds would land if you fired right now, and the rounds trav­eled the dis­tance be­tween you and the locked tar­get. In other words, if you want a solid guns kill, sim­ply fly the death dot onto the air­plane. Super sim­ple.But what if there’s no radar lock? Well now the HUD looks like this:No death dot — but you still have the fun­nel. The fun­nel rep­re­sents the path the can­non rounds would travel out in front of you if you fired right now. The width of the fun­nel is equal to the ap­par­ent width of a pre­de­ter­mined wingspan at that par­tic­u­lar range. So, if you did­n’t have a lock on your tar­get, but you knew it had a wingspan of 35 feet, you could dial in 35 feet, then fly the fun­nel un­til the width ex­actly lined up with the width of the en­emy air­craft’s wings, then squeeze the trig­ger.And what about mis­siles? Again, a radar lock is not re­quired. For heat-seek­ing mis­siles, a radar lock is only used to train the seeker head onto the tar­get. Without a radar lock, the seeker head scans the sky look­ing for “bright” (hot) ob­jects, and when it finds one, it plays a dis­tinc­tive whin­ing tone to the pi­lot. The pi­lot does not need radar in this case, he just needs to ma­neu­ver his air­craft un­til he has “good tone,” and then fire the mis­sile. The radar only makes this process faster.Now, radar-guided mis­siles come in two va­ri­eties: pas­sive and ac­tive. Passive radar mis­siles do re­quire a radar lock, be­cause these mis­siles use the air­craft’s re­flected radar en­ergy to track the tar­get.Ac­tive radar mis­siles how­ever have their own on­board radar, which locks and tracks a tar­get. But this radar is on a one-way trip, so it’s con­sid­er­ably less ex­pen­sive (and less pow­er­ful) than the air­craft’s radar. So, these mis­siles nor­mally get some guid­ance help from the launch­ing air­craft un­til they fly close enough to the tar­get where they can turn on their own radar and “go ac­tive.” (This al­lows the launch­ing air­craft to turn away and de­fend it­self.) It is pos­si­ble to fire an ac­tive radar mis­sile with no radar lock (so-called “maddog”); in this case, the mis­sile will fly un­til it’s nearly out of fuel, and then it will turn on its radar and pur­sue the first tar­get it sees. This is not a rec­om­mended strat­egy if there are friendly air­craft in close prox­im­ity to the en­emy.As to the last part of your ques­tion — yes, an air­craft can tell if a radar is paint­ing it or locked onto it. Radar is just ra­dio waves, and just as your FM ra­dio con­verts ra­dio waves into sound, so can an air­craft an­a­lyze in­com­ing ra­dio sig­nals to fig­ure out who’s do­ing what. This is called an RWR, or radar warn­ing re­ceiver, and has both a video and au­dio com­po­nent. This is a typ­i­cal RWR dis­play:Al­though an air­craft’s radar can only scan out in front of the air­craft, an air­craft­can lis­ten for in­com­ing radar sig­nals in any di­rec­tion, so the scope is 360°. A dig­i­tal sig­nal proces­sor looks for rec­og­niz­able ra­dio “chirps” that cor­re­spond to known radars, and dis­plays their az­imuth on the scope. A chirp is a dis­tinc­tive wave­form that a ra­dio uses. See, if two ra­dios use the same wave­form si­mul­ta­ne­ously, they’ll con­fuse each other, be­cause each ra­dio won’t know which radar re­turns are from its own trans­mit­ter. To pre­vent this, dif­fer­ent ra­dios tend to use dis­tinct wave­forms. This can also be used by the tar­get air­craft to iden­tify the type of radar be­ing used, and there­fore pos­si­bly, the type of air­craft.In this dis­play, the RWR has de­tected an F-15 (15 with a hat on it in­di­cat­ing air­craft) at the 7-o’clock po­si­tion. The strength of the radar is plot­ted as dis­tance from the cen­ter — the closer to the cen­ter, the stronger the de­tected radar sig­nal, and there­fore pos­si­bly the closer the trans­mit­ting air­craft.De­tected at the 12- to 1-o’clock po­si­tion are two sur­face-to-air mis­sile (SAM) sites, an SA-5 “Gammon” and an SA-6 “Gainful”. These are Russian SAM launch­ing radars and rep­re­sent a se­ri­ous threat. The RWR com­puter has de­ter­mined the SA-6 to be the high­est pri­or­ity threat in the area, and thus has en­closed it with a di­a­mond.RWR also has an au­dio com­po­nent. Each time a new radar sig­nal is de­tected, it is con­verted into an au­dio wave and played for the pi­lot. Because dif­fer­ent radars “sound” dif­fer­ent, pi­lots learn to rec­og­nize dif­fer­ent air­borne or sur­face threats by their dis­tinc­tive tones. The sound is also an im­por­tant cue to tell the pi­lot what the radar is do­ing: If the sound plays once, or in­ter­mit­tently, it means the radar is only paint­ing our air­craft (in search mode). If a sound plays con­tin­u­ously, the radar has locked onto our air­craft and is in track mode, and thus the pi­lot’s im­me­di­ate at­ten­tion is de­manded. In some cases, the RWR can tell if the radar is in launch mode (sending radar data to a pas­sive radar-guided mis­sile), or if the radar is that of an ac­tive radar-guided mis­sile. In ei­ther of these cases, a dis­tinc­tive mis­sile launch tone is played and the pi­lot is ad­vised to im­me­di­ately act to counter the threat. Note that the RWR has no way of know­ing if a heat-seek­ing mis­sile is on its way to our air­craft.Aside from radar, there are other tech­nolo­gies that are used to lock on to en­emy air­craft and ground tar­gets. A tar­get­ing pod is a very pow­er­ful cam­era mounted on an ar­tic­u­lat­ing swivel that al­lows it to look in nearly every di­rec­tion. This cam­era is con­nected to im­age proces­sor that is able to tell apart ve­hi­cles and build­ings from sur­round­ing ter­rain, and track mov­ing tar­gets. This is the SNIPER XR tar­get­ing pod:And this is what the pi­lot sees when he op­er­ates it:The pod is able to track ve­hi­cles day and night, us­ing vi­sual or in­fra-red cam­eras. Heat-seeking mis­siles ob­vi­ously use this same tech­nol­ogy to home in on air­craft, and elec­tro-op­ti­cal mis­siles use this tech­nol­ogy to track ground tar­gets.Lastly, there are laser-guided mis­siles as well. These “beam rid­ers” fol­low a laser beam em­a­nat­ing from the air­craft to the tar­get. Many ground ve­hi­cles use laser rangefind­ers as well, and some air­craft in­clude a laser warn­ing sys­tem (LWS) that works sim­i­larly to an RWR, but dis­plays in­com­ing laser sig­nals in­stead.How does a fighter jet lock onto and keep track of an en­emy air­craft?orig­i­nally ap­peared on Quora. You can fol­low Quora on Twitter, Facebook, and Google+.This an­swer has been lightly edited for gram­mar and clar­ity.

Something went wrong. Wait a mo­ment and try again.

The System Is DownHow To Win At Risk By Using Systems ThinkingSystems Thinking gives you an ad­van­tage in al­most every area of life - even the game of Risk. Systems think­ing is a way of view­ing com­pli­cated net­works in re­al­ity in terms of the re­la­tion­ships be­tween the parts and the whole. It is about think­ing holis­ti­cally about such re­la­tion­ships so as to (1) truly un­der­stand how they work and (2) change them for the bet­ter. The best strate­gies in life (and in games) come from sys­tems think­ing. This is the case be­cause things are far more com­pli­cated than they seem at first glance and it takes care­ful at­ten­tion to come to know them. Systems think­ing of­fers names and cat­e­gories for un­der­stand­ing the com­plex­ity of re­al­ity—and you can’t re­ally know any­thing with­out first giv­ing it a name. Before we ap­ply the power of sys­tems think­ing to the game of Risk, let’s take a crash course in sys­tems think­ing first. Note: I’m as­sum­ing you know the rules of the game of Risk, but if not, read the rules of Risk here.The Simplest Example of a System: A BathtubYou might not think of a bath­tub as a sys­tem, but it is. You fill the tub to the de­sired level and tem­per­a­ture, con­stantly ad­just­ing the faucet in re­sponse to the feed­back you are get­ting from the tem­per­a­ture of the wa­ter and the cur­rent amount of wa­ter in the tub. Then, when your goal is met, you take your bath and then let the wa­ter out—a com­plete sys­tem. Granted, a bath­tub is a very sim­ple sys­tem, but it serves as an in­tro­duc­tion to the dis­ci­pline of sys­tems think­ing. If you want to go deeper, read Donella Meadow’s Thinking in Systems. It is bril­liant. Let’s dig into the bath­tub ex­am­ple a bit more and use it to ex­am­ine the dis­crete parts of a sys­tem.Every System Is Made of These PartsStocks: Stocks are the col­lec­tion of re­sources or in­puts into a sys­tem. In a bath­tub, the stock is the amount of wa­ter in the tub.Flows: Flows are move­ments be­tween stocks. A bath­tub has two flows, the faucet let­ting wa­ter into the drain let­ting wa­ter out of the tub. The amount of wa­ter in the stock of the tub is the re­sult of the in­ter­ac­tion be­tween the in-flow (the faucet) and the out-flow (the drain).Re­in­forc­ing Feedback: Change in sys­tems hap­pen in loops, not lines. These loops take the form of feed­back forces that in­ter­act with the stocks and flows. Reinforcing feed­back, also known as “growth force,” hap­pens when the stocks in a sys­tem are in­creas­ing. In the bath­tub ex­am­ple, the growth force is the wa­ter com­ing out of the faucet, in­creas­ing the stock of wa­ter in the tub. Limiting Factor: Systems col­lapse if the growth force is al­lowed to run unchecked. At a cer­tain point, the sys­tem hits a lim­it­ing fac­tor. In the bath­tub ex­am­ple, the lim­it­ing fac­tor is the de­sired level of wa­ter in the tub. You can al­ways spot the lim­it­ing fac­tors in a sys­tem by look­ing at the (1) car­ry­ing ca­pac­i­ties of the stocks or (2) the goals of the play­ers in the sys­tem. Balancing Feedback: Balancing feed­back, or “balance force,” kicks as the sys­tem ap­proaches one of its lim­it­ing fac­tors. In a bath­tub, as the amount of wa­ter in the tub ap­proaches the de­sired wa­ter level, the per­son fill­ing the tub reaches out and turns the faucet off. Suddenly, the sys­tem is bal­anced. Anywhere there is a goal, for ex­am­ple, the de­sired wa­ter level in a bath, you’ll find forces at work that are try­ing to achieve that goal by bal­anc­ing the sys­tem.Equi­lib­rium: When a sys­tem is bal­anced, it reaches equi­lib­rium. There are two types of equi­lib­rium: sta­tic and dy­namic. In the tub ex­am­ple, if the faucet is off and the drain is plugged, sta­tic equi­lib­rium has been reached since no flows (in-flow or out-flow) is com­ing off the stock. Dynamic equi­lib­rium is reached when the to­tal flows into and out of a stock con­tinue, but are equal, as would be the case if the wa­ter in a tub was fill­ing at the same rate it was drain­ing. Leverage: Systems are hard to change be­cause bal­anc­ing feed­back does such a good job of re­turn­ing the sys­tem to equi­lib­rium. Leverage refers to the forces that are ap­plied to a sys­tem in an at­tempt to change it, but, as you will see be­low, not all levers are cre­ated equal, nor equally ef­fec­tive. In fact, pulling on some levers only makes the sleep­ing drag­ons of bal­anc­ing feed­back wake up and lock down the sys­tem. However, savvy sys­tems thinkers are able to find the lever­age points in a sys­tem that can change it so dra­mat­i­cally that a new bal­ance is reached—per­haps tipped in your fa­vor.But what does all this have to do with Winning At Risk?A lot, as it turns out. The magic starts to hap­pen when you do two things:Map the parts of Risk onto the parts of a sys­tem.An­a­lyze the sys­tem of Risk to find the best strat­egy ac­cord­ing to the rules of sys­tems think­ing. Here we go.Step One: Map the Parts of Risk onto the Parts of a SystemStocks: In the game of Risk, your stocks are the num­ber of armies in your coun­tries, the num­ber of coun­tries un­der your com­mand, and the num­ber of con­ti­nents you con­trol.Flows: The in-flow in the game of Risk are the num­ber of new armies you get each turn. The out-flow is the num­ber of armies you lose in bat­tle each round.Re­in­forc­ing Feedback: There is a strong growth force at play in the game of Risk since the num­ber of ex­tra armies you get is tied to the num­ber of coun­tries and con­ti­nents you con­trol. So the stronger your armies be­come, the faster they be­come stronger. If left unchecked, this would quickly be­come an ex­po­nen­tially re­in­forc­ing loop that would re­sult in the strongest player quickly tak­ing over the game. Balancing Feedback: But, un­like re­al­ity, a good game would never let that hap­pen. If you push the sys­tem in the wrong way, the sys­tem al­ways pushes back. In Risk, the wrong way to push the sys­tem is to try to ride the re­in­forc­ing feed­back all the way to vic­tory, get­ting more and more con­ti­nents un­til you win. However, re­in­forc­ing feed­back al­ways trig­gers bal­anc­ing feed­back to kick in and keep the strong player in check. In fact, the stronger any sin­gle player gets, the stronger the bal­anc­ing feed­back ar­rayed against them be­comes. In Risk, the main bal­anc­ing feed­back is the op­po­si­tion the strongest player en­coun­ters from all the other play­ers. That is why it is such a ter­ri­ble idea to grab a con­ti­nent too early; it awak­ens the bal­anc­ing feed­back be­fore you are too strong to re­pel it. (Taking Australia is an ex­cep­tion to this. For some rea­son, every­one ex­pects Australia to get taken in the first two turns and thus the bal­anc­ing feed­back of the other play­er’s fear is­n’t awak­ened. This ex­cep­tion is prob­a­bly ex­plained by the fact that you only get two bonus armies from keep­ing Australia. The small num­ber lulls play­ers into feel­ing that it is safe to al­low the player who con­trols Australia to keep con­trol of it.)Lim­it­ing Factor: Because the bal­anc­ing feed­back is awak­ened by the per­ceived ad­van­tage any one player has (or is about to have) over the other play­ers, the clear­est lim­it­ing fac­tor is al­most al­ways tak­ing a con­ti­nent. Remember, the lim­it­ing fac­tors are trig­gers that the sys­tem deems dan­ger­ous enough to de­ploy bal­anc­ing forces against. Because of this, tak­ing a con­ti­nent can be a bad strat­egy even though it promises to in­crease the flow of armies into your stocks. If the other play­ers unite to op­pose you, the re­sult will be a di­min­ish­ment of your stock of armies.Equi­lib­rium: In Risk, equi­lib­rium sets a cap on how strong any one player is al­lowed to be­come. If you want to win, you have to wait un­til the equi­lib­rium has risen high enough to al­low you to have large enough armies for quick, dev­as­tat­ing strikes. The more un­ex­pected those strikes are, the more suc­cess­ful they will be. People only tend to de­fend against their im­me­di­ate neigh­bors, so they will not be wor­ry­ing about your coun­try with 30 armies be­cause it is all the way across the board, when the re­al­ity is that (depending on what stage the game is in) a coun­try with 30 armies can usu­ally find a path to go wher­ever it wants, leav­ing a trail of death in its wake. Now that we have mapped the parts, lets try to fig­ure out what to do with them.In Risk, “the game of global dom­i­na­tion,” the goal is pretty clear: take over the world. Determining the goal of a sys­tem won’t al­ways be this easy, but this time it’s a gimme. Let’s press on.Step Three: Start with the Goal and Strategize Backward.Starting with the goal of global dom­i­na­tion, let’s walk back­ward and see if we can find our way into a vi­able strat­egy that will let us reach the goal. I’ll write it as a log­i­cal chain of If/then state­ments.If the goal is global dom­i­na­tion, then you need to make sure you have greater strength in armies than any other player.If you need to have more armies than any other player, then you should do every­thing you can to (1) in­crease the rate at which you gain armies and (2) avoid los­ing the armies you re­ceive.[We’ll cover the best way to in­crease the rate at which you gain armies be­low, so let’s fo­cus on the sec­ond one here.] If you need to avoid los­ing the armies you re­ceive, then you need to avoid bat­tles, specif­i­cally, you need to re­duce the num­ber of times you roll the dice as much as pos­si­ble. And there it is, one half of the win­ning strat­egy: Roll the dice as lit­tle as pos­si­ble. You can’t lose armies that never fight.But how do you ac­com­plish this? Just do these things:Con­sol­i­date most of your armies on a hand­ful of ad­ja­cent coun­tries that are strong enough that no one wants to at­tack them. Keep the num­ber of armies in the rest of your coun­tries low. This makes you con­tinue to look weak, re­duces the num­ber of armies you might lose if an­other player takes that coun­try from you, and makes your op­po­nents di­vide their forces if they want to move into one of your weak coun­tries. Initiate as few at­tacks as pos­si­ble. When you do ini­ti­ate an at­tack, make sure you have an over­whelm­ing ad­van­tage. Better yet, don’t at­tack at all. Remember, you are try­ing to avoid hav­ing to roll the di­ceIf you have to at­tack, do so only from a place of great ad­van­tage. Nothing wastes more armies than long, drawn-out bat­tles be­tween coun­tries with many armies on them. If you only en­gage in short bat­tles when­ever pos­si­ble, you will roll the dice fewer times.Let your en­e­mies break up each oth­er’s con­ti­nents, not you. If you can get peo­ple to fight among them­selves by not be­ing the one to en­force the bal­anc­ing feed­back (i.e. at­tack some­one to break up their con­trol of a con­ti­nent), some­one else will have to do it. Just wait. Don’t be the global po­lice, let your op­po­nents do the dirty work. Take only one coun­try per turn. Again, let your en­e­mies kill one an­oth­er’s armies as they squab­ble for ter­ri­tory. They are do­ing your work for you. Your job is to grow stronger, not to win bat­tles. Growing stronger slowly lets you keep a strong core of armies in a clus­ter of key coun­tries with­out arous­ing the other play­er’s worry. “But,” you might be ask­ing, “If I only take one coun­try per turn, how will I ever win the game?” Keep read­ing.Step Four: Find Leverage that will Avoid Awakening Balancing FeedbackThere are three ways to get more armies in the game of Risk:Of these three, con­trol­ling con­ti­nents is the surest way to awaken bal­anc­ing forces in the game that will op­pose you on your path to global dom­i­na­tion. That means if you can grow the size of your armies with­out tak­ing a con­ti­nent, you gain lever­age that can change the whole game. The first two are “safe.” Most of the time, only tak­ing con­ti­nents way awak­ens the drag­ons of bal­anc­ing feed­back.To get this lever­age, you have to do two things:Find a way to grow in strength by tak­ing lots of coun­tries (but not tak­ing a whole con­ti­nent). There is only one area of the board that will let you do this, luck­ily, it is also the part of the board that no one wants: Asia. Even though you get seven bonus armies for con­trol­ling Asia, most play­ers don’t pur­sue it be­cause it is so hard to hold. That means that it can only be suc­cess­fully con­trolled in the fi­nal stages of the game. Thus, in the early stages, it can be your play­ground. There are enough coun­tries in Asia to al­low your in-flow of armies to con­tinue to rise as the game pro­gresses with­out trig­ger­ing bal­anc­ing feed­back.Make sure you get lots of cards for bonus armies. The best way to do this is just to take one coun­try every turn. This will al­low you to keep get­ting cards with­out spread­ing your forces too thin. When you get enough cards to get bonus armies, you can (if the tim­ing is right), move on to Step Five.Step Five: Increase Your Stock of Armies Until You Can Make a Fast, Devastating AttackTo re­view, the strat­egy up to this point con­sists of (1) wait­ing, (2) not spread­ing your­self too thin, (3) tak­ing one coun­try per turn (4) con­sol­i­dat­ing your armies on a few, very strong coun­tries, and (5) en­abling your op­po­nents to tar­get one an­other. This strat­egy is a slow burn in the early parts of the game, but there comes a time when you need to go on the warpath. If you suc­ceed in lay­ing low and not get­ting in too many bat­tles, you should be able to build up a good num­ber of armies in at least one coun­try (especially with card bonuses). If you play this strat­egy well, you might end up with even three or four times the num­ber of armies in the av­er­age coun­try on the board (in fact, this should be a goal). When you reach that level, you have some de­ci­sions to make. Should you go on the of­fen­sive. Is it time to take over an en­tire con­ti­nent in one fell swoop? Maybe. Is it time to com­pletely an­ni­hi­late one of your op­po­nents from the board, tak­ing their un­spent cards in the process? Perhaps. Is it time to split your force in half, us­ing one half as a beach­head to hold ter­ri­tory in an­other part of the board? Possibly. It is up to you and will de­pend on the cur­rent sit­u­a­tion on the game board.The im­por­tant thing is to make a choice that will set you up well in the fu­ture, but not too well. Even af­ter you make this big move, you are go­ing to want to con­tinue to avoid be­com­ing the ob­ject of bal­anc­ing feed­back, which means the mis­sion is still to strengthen your own po­si­tion with­out be­ing per­ceived as the top player. Sometimes this will mean not tak­ing a whole con­ti­nent. In this case, us­ing your big of­fen­sive push to just weaken key op­po­nents can be a good strat­egy. You’re go­ing to have to use your judg­ment.The key thing to re­mem­ber here is that when you reach this stage in the strat­egy, the strat­egy is­n’t over. Just go back to step one and keep it go­ing. Rinse, con­quer, re­peat.Step Six: Don’t Forget All This Other StuffPlay the Players Too: The other play­ers are part of the sys­tem of the game too. If you are go­ing to have a hope of win­ning, you have to beat the oth­ers at play­ing the “player-level” of the game. The strat­egy of avoid­ing tak­ing con­ti­nents will serve you well in the player-level of the game be­cause it sets you on a course of wait­ing at the back of the pack and draft­ing off of your op­po­nen­t’s poor choices. The play­ers at the bot­tom are al­ways on the same team, or, at least, that is the men­tal­ity you should en­cour­age every chance you get.Lose Fewer Armies Than Your Opponents: This may sound self-ex­plana­tory, but there are two ways to have more armies than your op­po­nents: to gain them faster (in-flow) or to lose them more slowly (out-flow). Most peo­ple pour all their at­ten­tion into get­ting more in-flow than every­one else (more re­in­force­ments per turn), but there is a com­pet­i­tive ad­van­tage to be found if you ded­i­cate your­self in­stead to get­ting more armies than your op­po­nents by not los­ing the ones you get. If you fol­low the rest of this strat­egy, the ef­fects of your con­ser­v­a­tive play should be com­pounded as you al­low and en­cour­age your op­po­nents to hack away at each other and leave you alone. Find the lim­it­ing fac­tors. Limiting fac­tors will show them­selves as the sys­tem be­gins to try to main­tain equi­lib­rium, but you have to learn how to rec­og­nize them when they do. Some of those lim­it­ing fac­tors will orig­i­nate on the player-level of the game. When you hear peo­ple say things like, “If some­one does­n’t take that coun­try away from Sam, he is go­ing to run away with this game” it means Sam has hit a lim­it­ing fac­tor on the so­cial level of the game. Fan those sparks into flames. This is bal­anc­ing feed­back wait­ing to be trig­gered. Helping other play­ers be­come the ob­ject of bal­anc­ing feed­back is a big part of this strat­egy.Use the Threat of Your Strength to Control the Game. As you get stronger, specif­i­cally, as you have one coun­try with a large num­ber of armies on it, you can be­gin to ex­ert an in­flu­ence on the so­cial level of the game. The other play­ers will be­gin to won­der what you are go­ing to do with all that strength once you go on the warpath. Use that ques­tion in their minds to bend events in your fa­vor. Make an al­liance. Leak your plans to key al­lies. Work to­gether with them to be a part of the bal­anc­ing feed­back di­rected against the top player(s).Know What Stage You’re In. Risk has stages. Things that are pos­si­ble in the early stages are not pos­si­ble in later ones, and vice versa. To suc­ceed, you have to read the stage of the sys­tem and make your moves ac­cord­ingly. Early stages will largely be about jock­ey­ing for po­si­tion on the map, stak­ing out ter­ri­tory, claim­ing a con­ti­nent, and en­coun­ter­ing light re­sis­tance from the other play­ers. The mid­dle stage will be about con­sol­i­dat­ing your first con­ti­nent (unless you are us­ing this bril­liant strat­egy) and fend­ing off the har­ry­ing at­tacks by peo­ple who don’t want you to con­trol that con­ti­nent. By the late stage of the game, a few play­ers may have been elim­i­nated, each player is en­trenched in a cor­ner of the board, and they are try­ing to build enough strength to take out their fel­low play­ers one by one. Watch Out For The Death Spiral: The Death Spiral is an­other kind of re­in­forc­ing feed­back at play in the mid­dle and late stages of the game. This hap­pens when one player be­comes too weak to fend off the other play­ers and the stronger play­ers try to com­pletely elim­i­nate them from the game, thus tak­ing their un­used cards and get­ting a huge bonus for them­selves. Don’t let this hap­pen to you! If it does, re­vert to the player-level of the game and try to awaken the bal­anc­ing feed­back in­her­ent in the pity of your fel­low play­ers. Also, if you are in dan­ger of be­com­ing the vic­tim of the Death Spiral, don’t hoard cards—use them as soon as you can so you don’t tempt your op­po­nents to come and take them. Lastly, if you are one of the strong play­ers, you can use the Death Spiral to your ad­van­tage by keep­ing weak en­emy-con­trolled coun­tries near your strong coun­tries. If one of your fel­low play­ers is about to be knocked out of the game, just make sure their last coun­try is within your range of at­tack, then grab it and the bonus cards that come with it. TopNewCommunityWhat is The System Is Down?About

This ar­ti­cle was pub­lished on­line on March 10, 2021.

The United States had long been a hold­out among Western democ­ra­cies, uniquely and per­haps even sus­pi­ciously de­vout. From 1937 to 1998, church mem­ber­ship re­mained rel­a­tively con­stant, hov­er­ing at about 70 per­cent. Then some­thing hap­pened. Over the past two decades, that num­ber has dropped to less than 50 per­cent, the sharpest recorded de­cline in American his­tory. Meanwhile, the “nones”—atheists, ag­nos­tics, and those claim­ing no re­li­gion—have grown rapidly and to­day rep­re­sent a quar­ter of the pop­u­la­tion.

But if sec­u­lar­ists hoped that de­clin­ing re­li­gios­ity would make for more ra­tio­nal pol­i­tics, drained of faith’s in­flam­ing pas­sions, they are likely dis­ap­pointed. As Christianity’s hold, in par­tic­u­lar, has weak­ened, ide­o­log­i­cal in­ten­sity and frag­men­ta­tion have risen. American faith, it turns out, is as fer­vent as ever; it’s just that what was once re­li­gious be­lief has now been chan­neled into po­lit­i­cal be­lief. Political de­bates over what America is sup­posed to mean have taken on the char­ac­ter of the­o­log­i­cal dis­pu­ta­tions. This is what re­li­gion with­out re­li­gion looks like.

Not so long ago, I could com­fort American au­di­ences with a con­trast: Whereas in the Middle East, pol­i­tics is war by other means—and some­times is lit­eral war—pol­i­tics in America was less ex­is­ten­tially fraught. During the Arab Spring, in coun­tries like Egypt and Tunisia, de­bates weren’t about health care or taxes—they were, with some­times fright­en­ing in­ten­sity, about foun­da­tional ques­tions: What does it mean to be a na­tion? What is the pur­pose of the state? What is the role of re­li­gion in pub­lic life? American pol­i­tics in the Obama years had its mo­ments of fer­ment—the Tea Party and tan suits—but was still rel­a­tively bor­ing.

We did­n’t re­al­ize how lucky we were. Since the end of the Obama era, de­bates over what it means to be American have be­come suf­fused with a fer­vor that would be unimag­in­able in de­bates over, say, Belgian-ness or the “meaning” of Sweden. It’s rare to hear some­one ac­cused of be­ing un-Swedish or un-British—but un-Amer­i­can is a com­mon slur, slung by both left and right against the other. Being called un-Amer­i­can is like be­ing called “un-Christian” or “un-Islamic,” a charge akin to heresy.

From the October 2018 is­sue: The Constitution is threat­ened by trib­al­ism

This is be­cause America it­self is “almost a re­li­gion,” as the Catholic philoso­pher Michael Novak once put it, par­tic­u­larly for im­mi­grants who come to their new iden­tity with the zeal of the con­verted. The American civic re­li­gion has its own found­ing myth, its prophets and pro­ces­sions, as well as its scrip­ture—the Declaration of Independence, the Constitution, and The Federalist Papers. In his fa­mous “I Have a Dream” speech, Martin Luther King Jr. wished that “one day this na­tion will rise up and live out the true mean­ing of its creed.” The very idea that a na­tion might have a creed—a word as­so­ci­ated pri­mar­ily with re­li­gion—il­lus­trates the unique­ness of American iden­tity as well as its predica­ment.

The no­tion that all deeply felt con­vic­tion is sub­li­mated re­li­gion is not new. Abraham Kuyper, a the­olo­gian who served as the prime min­is­ter of the Netherlands at the dawn of the 20th cen­tury, when the na­tion was in the early throes of sec­u­lar­iza­tion, ar­gued that all strongly held ide­olo­gies were ef­fec­tively faith-based, and that no hu­man be­ing could sur­vive long with­out some ul­ti­mate loy­alty. If that loy­alty did­n’t de­rive from tra­di­tional re­li­gion, it would find ex­pres­sion through sec­u­lar com­mit­ments, such as na­tion­al­ism, so­cial­ism, or lib­er­al­ism. The po­lit­i­cal the­o­rist Samuel Goldman calls this “the law of the con­ser­va­tion of re­li­gion”: In any given so­ci­ety, there is a rel­a­tively con­stant and fi­nite sup­ply of re­li­gious con­vic­tion. What varies is how and where it is ex­pressed.

No longer ex­plic­itly rooted in white, Protestant dom­i­nance, un­der­stand­ings of the American creed have be­come richer and more di­verse—but also more frac­tious. As the creed frag­ments, each side seeks to ex­ert ex­clu­sivist claims over the other. Conservatives be­lieve that they are faith­ful to the American idea and that lib­er­als are be­tray­ing it—but lib­er­als be­lieve, with equal cer­ti­tude, that they are faith­ful to the American idea and that con­ser­v­a­tives are be­tray­ing it. Without the com­mon ground pro­duced by a shared ex­ter­nal en­emy, as America had dur­ing the Cold War and briefly af­ter the September 11 at­tacks, mu­tual an­tipa­thy grows, and each side be­comes less in­tel­li­gi­ble to the other. Too of­ten, the most bit­ter di­vides are those within fam­i­lies.

No won­der the newly as­cen­dant American ide­olo­gies, hav­ing to fill the vac­uum where re­li­gion once was, are so di­vi­sive. They are meant to be di­vi­sive. On the left, the “woke” take re­li­gious no­tions such as orig­i­nal sin, atone­ment, rit­ual, and ex­com­mu­ni­ca­tion and re­pur­pose them for sec­u­lar ends. Adherents of wokeism see them­selves as chal­leng­ing the long-dom­i­nant nar­ra­tive that em­pha­sized the ex­cep­tion­al­ism of the na­tion’s found­ing. Whereas re­li­gion sees the promised land as be­ing above, in God’s king­dom, the utopian left sees it as be­ing ahead, in the re­al­iza­tion of a just so­ci­ety here on Earth. After Supreme Court Justice Ruth Bader Ginsburg died in September, droves of mourn­ers gath­ered out­side the Supreme Court—some kneel­ing, some hold­ing can­dles—as though they were at the Western Wall.

On the right, ad­her­ents of a Trump-centric ethno-na­tion­al­ism still drape them­selves in some of the trap­pings of or­ga­nized re­li­gion, but the re­sult is a move­ment that of­ten looks like a tent re­vival stripped of Christian wit­ness. Donald Trump’s bois­ter­ous ral­lies were more fo­cused on blood and soil than on the son of God. Trump him­self played both sav­ior and mar­tyr, and it is easy to mar­vel at the hold that a man so im­per­fect can have on his sol­diers. Many on the right find so­lace in con­spir­acy cults, such as QAnon, that tell a re­li­gious story of earthly cor­rup­tion re­deemed by a god­like force.

From the June 2020 is­sue: Adrienne LaFrance on the prophe­cies of Q

Though the United States was­n’t founded as a Christian na­tion, Christianity was al­ways in­ter­twined with America’s self-de­f­i­n­i­tion. Without it, Americans—conservatives and lib­er­als alike—no longer have a com­mon cul­ture upon which to fall back.

Unfortunately, the var­i­ous strains of wokeism on the left and Trumpism on the right can­not truly fill the spir­i­tual void—what the jour­nal­ist Murtaza Hussain calls America’s “God-shaped hole.” Religion, in part, is about dis­tanc­ing your­self from the tem­po­ral world, with all its im­per­fec­tion. At its best, re­li­gion con­fers re­lief by with­hold­ing fi­nal judg­ments un­til an­other time—per­haps un­til eter­nity. The new sec­u­lar re­li­gions un­leash dis­sat­is­fac­tion not to­ward the pos­si­bil­i­ties of di­vine grace or jus­tice but to­ward one’s fel­low cit­i­zens, who be­come em­bod­i­ments of sin—“de­plorables” or “enemies of the state.”

This is the dan­ger in trans­form­ing mun­dane po­lit­i­cal de­bates into meta­phys­i­cal ques­tions. Political ques­tions are not meta­phys­i­cal; they are of this world and this world alone. “Some days are for deal­ing with your in­sur­ance doc­u­ments or fight­ing in the mud with your po­lit­i­cal op­po­nents,” the po­lit­i­cal philoso­pher Samuel Kimbriel re­cently told me, “but there are also days for solem­nity, or fast­ing, or wor­ship, or feast­ing—things that re­mind us that the world is big­ger than it­self.”

Absent some new re­li­gious awak­en­ing, what are we left with? One al­ter­na­tive to American in­ten­sity would be a world-weary European res­ig­na­tion. Violence has a way of tam­ing pas­sions, at least as long as it re­mains in ac­tive mem­ory. In Europe, the ter­rors of the Second World War are not far away. But Americans must go back to the Civil War for vi­o­lence of com­pa­ra­ble scale—and for most Americans, the vi­o­lence of the Civil War bol­sters, rather than un­der­mines, the na­tional myth of per­pet­ual progress. The war was re­demp­tive—it led to a place of promise, a place where slav­ery could be abol­ished and the na­tion made whole again. This, at least, is the nar­ra­tive that makes the myth pos­si­ble to sus­tain.

For bet­ter and worse, the United States re­ally is nearly one of a kind. France may be the only coun­try other than the United States that be­lieves it­self to be based on a uni­fy­ing ide­ol­ogy that is both unique and uni­ver­sal—and avowedly sec­u­lar. The French con­cept of laïc­ité re­quires re­li­gious con­ser­v­a­tives to priv­i­lege be­ing French over their re­li­gious com­mit­ments when the two are at odds. With the rise of the far right and per­sis­tent ten­sions re­gard­ing Islam’s pres­ence in pub­lic life, the mean­ing of laïc­ité has be­come more con­tro­ver­sial. But most French peo­ple still hold firm to their coun­try’s found­ing ide­ol­ogy: More than 80 per­cent fa­vor ban­ning re­li­gious dis­plays in pub­lic, ac­cord­ing to one re­cent poll.

In democ­ra­cies with­out a pro­nounced ide­o­log­i­cal bent, which is most of them, na­tion­hood must in­stead rely on a shared sense of be­ing a dis­tinct peo­ple, forged over cen­turies. It can be hard for out­siders and im­mi­grants to em­brace a na­tional iden­tity steeped in eth­nic­ity and his­tory when it was never theirs.

Take post­war Germany. Germanness is con­sid­ered a mere fact—an ac­ci­dent of birth rather than an as­pi­ra­tion. And be­cause shame over the Holocaust is con­sid­ered a na­tional virtue, the coun­try has at once a strong na­tional iden­tity and a weak one. There is pride in not be­ing proud. So what would it mean for, say, Muslim im­mi­grants to love a German lan­guage and cul­ture tied to a his­tory that is not theirs—and in­deed a his­tory that many Germans them­selves hope to leave be­hind?

An American who moves to Germany, lives there for years, and learns the lan­guage re­mains an American—an “expat.” If America is a civil re­li­gion, it would make sense that it stays with you, un­less you re­nounce it. As Jeff Gedmin, the for­mer head of the Aspen Institute in Berlin, de­scribed it to me: “You can eat strudel, speak flu­ent German, adapt to lo­cal cul­ture, but many will still say of you Er hat einen deutschen Pass—‘He has a German pass­port.’ No one starts call­ing you German.” Many na­tive-born Americans may live abroad for stretches, but few em­i­grate per­ma­nently. Immigrants to America tend to be­come American; em­i­grants to other coun­tries from America tend to stay American.

The last time I came back to the United States af­ter be­ing abroad, the cus­toms of­fi­cer at Dulles air­port, in Virginia, glanced at my pass­port, looked at me, and said, “Welcome home.” For my cus­toms of­fi­cer, it went with­out say­ing that the United States was my home.

In In the Light of What We Know, a novel by the British Bangladeshi au­thor Zia Haider Rahman, the pro­tag­o­nist, an enig­matic and trou­bled British cit­i­zen named Zafar, is en­vi­ous of the nar­ra­tor, who is American. “If an im­mi­gra­tion of­fi­cer at Heathrow had ever said ‘Welcome home’ to me,” Zafar says, “I would have given my life for England, for my coun­try, there and then. I could kill for an England like that.” The nar­ra­tor re­flects later that this was “a bit­ter plea”:

When Americans have ex­pressed dis­gust with their coun­try, they have tended to frame it as ful­fill­ment of a pa­tri­otic duty rather than its nega­tion. As James Baldwin, the rare American who did leave for good, put it: “I love America more than any other coun­try in the world, and, ex­actly for this rea­son, I in­sist on the right to crit­i­cize her per­pet­u­ally.” Americans who dis­like America seem to dis­like leav­ing it even more (witness all those lib­er­als not leav­ing the coun­try every time a Republican wins the pres­i­dency, de­spite their promises to do so). And Americans who do leave still find a way, like Baldwin, to love it. This is the good news of America’s creedal na­ture, and may pro­vide at least some hope for the fu­ture. But is love enough?

Conflicting nar­ra­tives are more likely to co­ex­ist un­easily than to re­solve them­selves; the threat of dis­in­te­gra­tion will al­ways lurk nearby.

On January 6, the threat be­came all too real when in­sur­rec­tionary vi­o­lence came to the Capitol. What was once in the realm of “dreampolitik” now had phys­i­cal force. What can “unity” pos­si­bly mean af­ter that?

Can re­li­gios­ity be ef­fec­tively chan­neled into po­lit­i­cal be­lief with­out the struc­tures of ac­tual re­li­gion to tem­per and post­pone judg­ment? There is lit­tle sign, so far, that it can. If mat­ters of good and evil are not to be re­solved by an om­ni­scient God in the fu­ture, then Americans will judge and ren­der pun­ish­ment now. We are a na­tion of be­liev­ers. If only Americans could be­gin be­liev­ing in pol­i­tics less fer­vently, re­al­iz­ing in­stead that life is else­where. But this would come at a cost—be­cause to be­lieve in pol­i­tics also means be­liev­ing we can, and prob­a­bly should, be bet­ter.

In History Has Begun, the au­thor, Bruno Maçães—Portugal’s for­mer Europe min­is­ter—mar­vels that “perhaps alone among all con­tem­po­rary civ­i­liza­tions, America re­gards re­al­ity as an en­emy to be de­feated.” This can ob­vi­ously be a bad thing (consider our in­ef­fec­tual fight against the coro­n­avirus), but it can also be an en­gine of re­ju­ve­na­tion and cre­ativ­ity; it may not al­ways be a good idea to ac­cept the world as it is. Fantasy, like be­lief, is some­thing that hu­mans de­sire and need. A dis­tinc­tive American in­no­va­tion is to in­sist on be­liev­ing even as our fan­tasies and dreams drift fur­ther out of reach.

This may mean that the United States will re­main unique, torn be­tween this world and the al­ter­na­tive worlds that sec­u­lar and re­li­gious Americans alike seem to long for. If America is a creed, then as long as enough cit­i­zens say they be­lieve, the civic faith can sur­vive. Like all other faiths, America’s will con­tinue to frag­ment and di­vide. Still, the American creed re­mains worth be­liev­ing in, and that may be enough. If it is­n’t, then the only hope might be to get down on our knees and pray.

Drop any files to any de­vices on your LAN.

No need to use in­stant mes­sag­ing for that any­more.

de­vices

When we say it, we mean it. iOS, Android, ma­cOS, Windows, Linux, name yours.

bolt

Uses your lo­cal net­work for trans­fer­ring. Internet speed is not a limit.

touch_app

Intuitive UI. You know how to use it when you see it.

lock

Uses state-of-the-art cryp­tog­ra­phy al­go­rithm. No one else can see your files.

wifi_teth­er­ing_off

Outside? No prob­lem. LANDrop can work on your per­sonal hotspot, with­out con­sum­ing cel­luar data.

im­age

Doesn’t com­press your pho­tos and videos when send­ing.

Thanks for us­ing LANDrop!

LANDrop Organization does­n’t col­lect, share, or store any of your per­sonal data. All per­sonal data re­quired for the nor­mal op­er­a­tion of the app are stored en­tirely and ex­clu­sively on your de­vice.

When you send or re­ceive files to or from other de­vices, your de­vice’s name, type, and/​or lo­cal IP ad­dress may be shared with the other party. You can choose not to ac­tively share this in­for­ma­tion by turn­ing off “Discoverable” in the app. This in­for­ma­tion is not col­lected, shared, or stored by LANDrop Organization in any way and is only used for the nec­es­sary op­er­a­tion of the app.

If you have any ques­tions re­gard­ing this pri­vacy pol­icy, please send an email to [email protected]

LANDrop is fea­tured in the fol­low­ing sites (sorted in al­pha­bet­i­cal or­der):

A while back there was a thread on one of our com­pany mail­ing lists about

SSH quot­ing, and I posted a long an­swer to it. Since then a few peo­ple have asked me ques­tions that caused me to reach for it, so I thought it might be help­ful if I were to anonymize the orig­i­nal ques­tion and post my an­swer here.

The ques­tion was why a se­quence of com­mands in­volv­ing ssh and fid­dly quot­ing pro­duced the out­put they did. The first ex­am­ple was this:

Oh hi, my du­bi­ous life choices have been such that this is my spe­cial­ist sub­ject!

This is be­cause SSH com­mand-line pars­ing is not quite what you ex­pect.

First, re­call that your lo­cal shell will ap­ply its usual pars­ing, and the ac­tual OS-level ex­e­cu­tion of ssh will be like this:

Now, the SSH wire pro­to­col only takes a sin­gle string as the com­mand, with the ex­pec­ta­tion that it should be passed to a shell by the re­mote end. The OpenSSH client deals with this by tak­ing all its ar­gu­ments af­ter things like op­tions and the tar­get, which in this case are:

It then joins them with a sin­gle space:

This is passed as a string to the server, which then passes that en­tire string to a shell for eval­u­a­tion, so as if you’d typed this di­rectly on the server:

The shell then parses this as two com­mands:

The di­rec­tory change thus hap­pens in a sub­shell (actually it does­n’t quite even do that, be­cause bash -lc cd /tmp in fact ends up just call­ing cd

be­cause of the way bash -c parses mul­ti­ple ar­gu­ments), and then that sub­shell ex­its, then pwd is called in the outer shell which still has the orig­i­nal work­ing di­rec­tory.

The sec­ond ex­am­ple was this:

Following the logic above, this ends up as if you’d run this on the server:

The third ex­am­ple was this:

And this is as if you’d run:

Now, I would­n’t have im­ple­mented the SSH client this way, be­cause I agree that it’s con­fus­ing. But /usr/bin/ssh is used as a trans­port for other things so much that chang­ing its be­hav­iour now would be enor­mously dis­rup­tive, so it’s prob­a­bly im­pos­si­ble to fix. (I have oc­ca­sion­ally ag­i­tated on openssh-unix-dev@ for at least doc­u­ment­ing this bet­ter, but haven’t made much head­way yet; I need to get round to prepar­ing a doc­u­men­ta­tion patch.) Once you know about it you can use the proper quot­ing, though. In this case that would sim­ply be:

Or if you do need to specif­i­cally in­voke bash -l there for some rea­son (I’m as­sum­ing that the orig­i­nal ex­am­ple was re­duced from some­thing more com­pli­cated), then you can min­imise your con­fu­sion by pass­ing the whole thing as a sin­gle string in the form you want the re­mote sh -c to see, in a way that en­sures that the quotes are pre­served and sent to the server rather than be­ing re­moved by your lo­cal shell:

The re­cent re­veal of Meltdown and Spectre re­minded me of the time I found a re­lated de­sign bug in the Xbox 360 CPU — a newly added in­struc­tion whose mere ex­is­tence was dan­ger­ous.

Back in 2005 I was the Xbox 360 CPU guy. I lived and breathed that chip. I still have a 30-cm CPU wafer on my wall, and a four-foot poster of the CPU’s lay­out. I spent so much time un­der­stand­ing how that CPU’s pipelines worked that when I was asked to in­ves­ti­gate some im­pos­si­ble crashes I was able to in­tuit how a de­sign bug must be their cause. But first, some back­ground…

The Xbox 360 CPU is a three-core PowerPC chip made by IBM. The three cores sit in three sep­a­rate quad­rants with the fourth quad­rant con­tain­ing a 1-MB L2 cache — you can see the dif­fer­ent com­po­nents, in the pic­ture at right and on my CPU wafer. Each core has a 32-KB in­struc­tion cache and a 32-KB data cache.

Trivia: Core 0 was closer to the L2 cache and had mea­sur­ably lower L2 la­ten­cies.

The Xbox 360 CPU had high la­ten­cies for every­thing, with mem­ory la­ten­cies be­ing par­tic­u­larly bad. And, the 1-MB L2 cache (all that could fit) was pretty small for a three-core CPU. So, con­serv­ing space in the L2 cache in or­der to min­i­mize cache misses was im­por­tant.

CPU caches im­prove per­for­mance due to spa­tial and tem­po­ral lo­cal­ity. Spatial lo­cal­ity means that if you’ve used one byte of data then you’ll prob­a­bly use other nearby bytes of data soon. Temporal lo­cal­ity means that if you’ve used some mem­ory then you will prob­a­bly use it again in the near fu­ture.

But some­times tem­po­ral lo­cal­ity does­n’t ac­tu­ally hap­pen. If you are pro­cess­ing a large ar­ray of data once-per-frame then it may be triv­ially prov­able that it will all be gone from the L2 cache by the time you need it again. You still want that data in the L1 cache so that you can ben­e­fit from spa­tial lo­cal­ity, but hav­ing it con­sum­ing valu­able space in the L2 cache just means it will evict other data, per­haps slow­ing down the other two cores.

Normally this is un­avoid­able. The mem­ory co­herency mech­a­nism of our PowerPC CPU re­quired that all data in the L1 caches also be in the L2 cache. The MESI pro­to­col used for mem­ory co­herency re­quires that when one core writes to a cache line that any other cores with a copy of the same cache line need to dis­card it — and the L2 cache was re­spon­si­ble for keep­ing track of which L1 caches were caching which ad­dresses.

But, the CPU was for a video game con­sole and per­for­mance trumped all so a new in­struc­tion was added — xd­cbt. The nor­mal PowerPC dcbt in­struc­tion was a typ­i­cal prefetch in­struc­tion. The xd­cbt in­struc­tion was an ex­tended prefetch in­struc­tion that fetched straight from mem­ory to the L1 d-cache, skip­ping L2. This meant that mem­ory co­herency was no longer guar­an­teed, but hey, we’re video game pro­gram­mers, we know what we’re do­ing, it will be fine.

I wrote a widely-used Xbox 360 mem­ory copy rou­tine that op­tion­ally used xd­cbt. Prefetching the source data was cru­cial for per­for­mance and nor­mally it would use dcbt but pass in the PREFETCH_EX flag and it would prefetch with xd­cbt. This was not well-thought-out. The prefetch­ing was ba­si­cally:

A game de­vel­oper who was us­ing this func­tion re­ported weird crashes — heap cor­rup­tion crashes, but the heap struc­tures in the mem­ory dumps looked nor­mal. After star­ing at the crash dumps for awhile I re­al­ized what a mis­take I had made.

Memory that is prefetched with xd­cbt is toxic. If it is writ­ten by an­other core be­fore be­ing flushed from L1 then two cores have dif­fer­ent views of mem­ory and there is no guar­an­tee their views will ever con­verge. The Xbox 360 cache lines were 128 bytes and my copy rou­tine’s prefetch­ing went right to the end of the source mem­ory, mean­ing that xd­cbt was ap­plied to some cache lines whose lat­ter por­tions were part of ad­ja­cent data struc­tures. Typically this was heap meta­data — at least that’s where we saw the crashes. The in­co­her­ent core saw stale data (despite care­ful use of locks), and crashed, but the crash dump wrote out the ac­tual con­tents of RAM so that we could­n’t see what hap­pened.

So, the only safe way to use xd­cbt was to be very care­ful not to prefetch even a sin­gle byte be­yond the end of the buffer. I fixed my mem­ory copy rou­tine to avoid prefetch­ing too far, but while wait­ing for the fix the game de­vel­oper stopped pass­ing the PREFETCH_EX flag and the crashes went away.

So far so nor­mal, right? Cocky game de­vel­op­ers play with fire, fly too close to the sun, marry their moth­ers, and a game con­sole al­most misses Christmas.

But, we caught it in time, we got away with it, and we were all set to ship the games and the con­sole and go home happy.

And then the same game started crash­ing again.

The symp­toms were iden­ti­cal. Except that the game was no longer us­ing the xd­cbt in­struc­tion. I could step through the code and see that. We had a se­ri­ous prob­lem.

I used the an­cient de­bug­ging tech­nique of star­ing at my screen with a blank mind, let the CPU pipelines fill my sub­con­scious, and I sud­denly re­al­ized the prob­lem. A quick email to IBM con­firmed my sus­pi­cion about a sub­tle in­ter­nal CPU de­tail that I had never thought about be­fore. And it’s the same cul­prit be­hind Meltdown and Spectre.

The Xbox 360 CPU is an in-or­der CPU. It’s pretty sim­ple re­ally, re­ly­ing on its high fre­quency (not as high as hoped de­spite 10 FO4) for per­for­mance. But it does have a branch pre­dic­tor — its very long pipelines make that nec­es­sary. Here’s a pub­licly shared CPU pipeline di­a­gram I made (my cy­cle-ac­cu­rate ver­sion is NDA only, but looky here) that shows all of the pipelines:

You can see the branch pre­dic­tor, and you can see that the pipelines are very long (wide on the di­a­gram) — plenty long enough for mis­pre­dicted in­struc­tions to get up to speed, even with in-or­der pro­cess­ing.

So, the branch pre­dic­tor makes a pre­dic­tion and the pre­dicted in­struc­tions are fetched, de­coded, and ex­e­cuted — but not re­tired un­til the pre­dic­tion is known to be cor­rect. Sound fa­mil­iar? The re­al­iza­tion I had — it was new to me at the time — was what it meant to spec­u­la­tively ex­e­cute a prefetch. The la­ten­cies were long, so it was im­por­tant to get the prefetch trans­ac­tion on the bus as soon as pos­si­ble, and once a prefetch had been ini­ti­ated there was no way to can­cel it. So a spec­u­la­tively-ex­e­cuted xd­cbt was iden­ti­cal to a real xd­cbt! (a spec­u­la­tively-ex­e­cuted load in­struc­tion was just a prefetch, FWIW).

And that was the prob­lem — the branch pre­dic­tor would some­times cause xd­cbt in­struc­tions to be spec­u­la­tively ex­e­cuted and that was just as bad as re­ally ex­e­cut­ing them. One of my cowork­ers (thanks Tracy!) sug­gested a clever test to ver­ify this — re­place every xd­cbt in the game with a break­point. This achieved two things:

The break­points were not hit, thus prov­ing that the game was not ex­e­cut­ing xd­cbt in­struc­tions.

The crashes went away.

I knew that would be the re­sult and yet it was still amaz­ing. All these years later, and even af­ter read­ing about Meltdown, it’s still nerdy cool to see solid proof that in­struc­tions that were not ex­e­cuted were caus­ing crashes.

The branch pre­dic­tor re­al­iza­tion made it clear that this in­struc­tion was too dan­ger­ous to have any­where in the code seg­ment of any game — con­trol­ling when an in­struc­tion might be spec­u­la­tively ex­e­cuted is too dif­fi­cult. The branch pre­dic­tor for in­di­rect branches could, the­o­ret­i­cally, pre­dict any ad­dress, so there was no “safe place” to put an xd­cbt in­struc­tion. And, if spec­u­la­tively ex­e­cuted it would hap­pily do an ex­tended prefetch of what­ever mem­ory the spec­i­fied reg­is­ters hap­pened to ran­domly con­tain. It was pos­si­ble to re­duce the risk, but not elim­i­nate it, and it just was­n’t worth it. While Xbox 360 ar­chi­tec­ture dis­cus­sions con­tinue to men­tion the in­struc­tion I doubt that any games ever shipped with it.

I men­tioned this once dur­ing a job in­ter­view — “describe the tough­est bug you’ve had to in­ves­ti­gate” — and the in­ter­view­er’s re­ac­tion was “yeah, we hit some­thing sim­i­lar on the Alpha proces­sor”. The more things change…

Thanks to Michael for some edit­ing.

How can a branch that is never taken be pre­dicted to be taken? Easy. Branch pre­dic­tors don’t main­tain per­fect his­tory for every branch in the ex­e­cutable — that would be im­prac­ti­cal. Instead sim­ple branch pre­dic­tors typ­i­cally squish to­gether a bunch of ad­dress bits, maybe some branch his­tory bits as well, and in­dex into an ar­ray of two-bit en­tries. Thus, the branch pre­dict re­sult is af­fected by other, un­re­lated branches, lead­ing to some­times spu­ri­ous pre­dic­tions. But it’s okay, be­cause it’s “just a pre­dic­tion” and it does­n’t need to be right.

Discussions of this post can be found on hacker news (hacker news in 2021), r/​pro­gram­ming, r/​em­u­la­tion, and twit­ter.

A some­what re­lated (Xbox, caches) bug was dis­cussed a few years ago here.

NymphCast is a soft­ware so­lu­tion which turns your choice of Linux-capable hard­ware into an au­dio and video source for a tele­vi­sion or pow­ered speak­ers. It en­ables the stream­ing of au­dio and video over the net­work from a wide range of client de­vices, as well as the stream­ing of in­ter­net me­dia to a NymphCast server, con­trolled by a client de­vice.

In ad­di­tion, the server sup­ports pow­er­ful NymphCast apps writ­ten in AngelScript to ex­tend the over­all NymphCast func­tion­al­ity with e.g. 3rd party au­dio / video stream­ing pro­to­col sup­port on the server side, and cross-plat­form con­trol pan­els served to the client ap­pli­ca­tion that in­te­grate with the over­all client ex­pe­ri­ence.

NymphCast re­quires at least the server ap­pli­ca­tion to run on a tar­get de­vice, while the full func­tion­al­ity is pro­vided in con­junc­tion with a re­mote con­trol de­vice:

Client-side core func­tion­al­ity is pro­vided through the NymphCast li­brary.

The cur­rent de­vel­op­ment ver­sion is v0.1-al­pha4. Version 0.1 will be the first re­lease. The fol­low­ing list con­tains the ma­jor fea­tures that are planned for the v0.1 re­lease, along with their im­ple­men­ta­tion sta­tus.

* Streaming on­line con­tent by pass­ing a URL to the server.

* Support all main­stream au­dio and video codecs us­ing ffm­peg.

* Playback of me­dia con­tent shared on the lo­cal net­work.

The NymphCast pro­ject con­sists out of mul­ti­ple com­po­nents:

The NymphCast Player pro­vides NymphCast client func­tion­al­ity. It is also a demon­stra­tion plat­form for the NymphCast SDK (see de­tails on the SDK later in this doc­u­ment). It is de­signed to run on any OS that is sup­ported by the Qt frame­work.

The server should work on any plat­form that is sup­ported by a C++17 tool­chain and the LibPoco de­pen­dency. This in­cludes Windows, MacOS, Linux and BSD.

FFmpeg and SDL2 li­braries are used for au­dio and video play­back. Both of which are sup­ported on a wide va­ri­ety of plat­forms, with Linux, MacOS and Windows be­ing the pri­mary plat­forms. System re­quire­ments also de­pend on whether only au­dio or also video play­back is re­quired. The lat­ter can be dis­abled, which drops any graph­i­cal out­put re­quire­ment.

Memory re­quire­ments de­pend on the NymphCast Server con­fig­u­ra­tion: by de­fault the ffm­peg li­brary uses an in­ter­nal 32 kB buffer, and the server it­self a 20 MB buffer. The lat­ter can be con­fig­ured us­ing the (required) con­fig­u­ra­tion INI file, al­low­ing it to be tweaked to fit the use case.

For the Qt-based NymphCast Player, a tar­get plat­form needs to sup­port LibPoco and have a C++ com­piler which sup­ports C++17 ( header sup­ported) or bet­ter, along with Qt5 sup­port. Essentially, this means any main­stream desk­top OS in­clud­ing Linux, Windows, BSD and MacOS should qual­ify, along with mo­bile plat­forms. Currently Android is also sup­ported, with iOS sup­port planned.

For the CLI-based NymphCast Client, only LibPoco and and C++17 sup­port are re­quired.

Mobile plat­forms are a work in progress. An Android client (native Java with JNI) is in de­vel­op­ment.

The repos­i­tory cur­rently con­tains the NymphCast server, client SDK and NymphCast Player client sources.

To start us­ing NymphCast, you need a de­vice on which the server will be run­ning (most likely a SBC or other Linux sys­tem). NymphCast is of­fered as bi­na­ries for se­lected dis­tros, and as source code for use and de­vel­op­ment on a va­ri­ety of plat­forms.

NymphCast is cur­rently in Alpha stage. Experimental re­leases are avail­able on Github (see the ‘Releases’ folder).

Some pack­ages also ex­ist for se­lected dis­tros.

* APK for in­stal­la­tion on Android, see ‘Releases’

If pre-com­piled re­leases for your tar­get de­vice or op­er­at­ing sys­tem are cur­rently not listed above, you may need to build the server and client ap­pli­ca­tions from source.

The server bi­nary can be started with just a con­fig­u­ra­tion file. To start the server, ex­e­cute the bi­nary (from the bin/ folder) to have it start lis­ten­ing on port 4004:

The server will lis­ten on all net­work in­ter­faces for in­com­ing con­nec­tions. It sup­ports the fol­low­ing op­tions:

The client bi­nary sup­ports the fol­low­ing flags:

The NymphCast Player is a GUI-based ap­pli­ca­tion and ac­cepts no com­mand line op­tions.

Note: This sec­tion is for build­ing the pro­ject from source. Pre-built bi­na­ries are pro­vided in the ‘Releases’ folder.

The steps be­low as­sume build­ing the server part on a sys­tem run­ning a cur­rent ver­sion of Debian (Buster) or sim­i­larly cur­rent ver­sion of Arch (Manjaro) Linux or Alpine Linux. The player client demo ap­pli­ca­tion can be built on Linux/BSD/MacOS with a cur­rent GCC tool­chain, or MSYS2 on Windows with MinGW tool­chain.

Once the pro­ject files have been down­loaded, run the setup.sh script in the pro­ject root, or in­stall the de­pen­den­cies and run the Makefile in the client and server fold­ers as de­scribed. Either method will out­put a bi­nary into the newly cre­ated bin/ folder.

To build the cor­re­spond­ing client-re­lated parts of NymphCast, in ad­di­tion to a C++ tool­chain with C++17 sup­port, one needs the de­pen­den­cies as listed be­low.

If us­ing a com­pat­i­ble OS (e.g. Debian Buster, Alpine Linux or Arch Linux), one can use the setup script:

Run the setup.sh script in the pro­ject root to per­form the be­low tasks au­to­mat­i­cally.

Run the in­stal­l_linux.sh script in the pro­ject root to in­stall the bi­na­ries and set up a sys­temd/​OpenRC ser­vice on Linux sys­tems.

Else, use the man­ual pro­ce­dure:

Check-out NymphRPC else­where and build the li­brary with make lib.

Use sudo make in­stall to in­stall the server and as­so­ci­ated files.

Use sudo make in­stall-sys­temd (SystemD) or sudo make in­stall-openrc (OpenRC) to in­stall the rel­e­vant ser­vice file.

This demon­stra­tion client uses Qt5 to pro­vide user in­ter­face func­tion­al­ity. The bi­nary re­lease comes with the nec­es­sary de­pen­den­cies, but when build­ing it from source, make sure Qt5.x is in­stalled or get it from www.qt.io.

Or (building and run­ning on Windows & other desk­top plat­forms):

Build the lib­nymph­cast li­brary in the src/​clien­t_lib folder us­ing the Makefile in that folder: make lib.

Create player/​Nymph­Cast­Player/​build folder and change into it.

The player bi­nary is cre­ated ei­ther in the same build folder or in a de­bug/ sub-folder.

Compile the de­pen­den­cies (NymphCast client SDK, NymphRPC & Poco) for the tar­get Android plat­forms.

Ensure de­pen­dency li­braries along with their head­ers are in­stalled in the Android NDK, un­der where TARGET is the tar­get Android plat­form (ARMv7, AArch64, x86, x86_64). Header files are placed in the ac­com­pa­ny­ing usr/​in­clude folder.

Open the Qt pro­ject in a Qt Creator in­stance which has been con­fig­ured for build­ing for Android tar­gets, and build the pro­ject.

An APK is pro­duced, which can be loaded on any sup­ported Android de­vice.

Now you should be able to ex­e­cute the player bi­nary, con­nect to the server in­stance us­ing its IP ad­dress and start cast­ing me­dia from a file or URL.

The fo­cus of the pro­ject is cur­rently on the de­vel­op­ment of the NymphCast server and the pro­to­col parts. Third par­ties are en­cour­aged to con­tribute server-side app sup­port of their ser­vices and de­vel­op­ers in gen­eral to con­tribute to server- and client-side de­vel­op­ment.

The cur­rent server and client doc­u­men­ta­tion is hosted at the Nyanko web­site.

An SDK has been made avail­able in the src/​clien­t_lib/ folder. The player pro­ject un­der player/ uses the SDK as part of a Qt5 pro­ject to im­ple­ment a NymphCast client which ex­poses all of the NymphCast fea­tures to the user.

To use the SDK, the Makefile in the SDK folder can be ex­e­cuted with a sim­ple make com­mand, af­ter which a li­brary file can be found in the src/​clien­t_lib/​lib folder.

Note: to com­pile the SDK, both NymphRPC and LibPOCO (1.5+) must be in­stalled.

Note: For Android, one can com­pile for ARMv7 Android us­ing make lib ANDROID=1and for AArch64 Android us­ing ANDROID64=1. This re­quires that the Android SDK and NDK are in­stalled and on the sys­tem path.

After this the only files needed by a client pro­ject are this li­brary file and the nymph­cast_­client.h header file.

NymphCast is a fully open source pro­ject. The full, 3-clause BSD-licensed source code can be found at its pro­ject page on Github, along with bi­nary re­leases.

NymphCast is fully free, but its de­vel­op­ment re­lies on your sup­port. If you ap­pre­ci­ate the pro­ject, your con­tri­bu­tion, Ko-Fi or do­na­tion will help to sup­port the con­tin­ued de­vel­op­ment.

Over the past decade, Lisbon’s city hall has reg­u­larly shared the per­sonal in­for­ma­tion of hu­man rights ac­tivists with a va­ri­ety of re­pres­sive regimes, ex­pos­ing them and their fam­i­lies to un­told dan­ger.

The prac­tice was ex­posed Friday af­ter a group of Russian dis­si­dents re­vealed ear­lier this week that city au­thor­i­ties had shared their per­sonal data with the Russian em­bassy and the Ministry of Foreign Affairs in Moscow.

After ini­tially brush­ing off the in­ci­dent as a bu­reau­cratic mishap, mu­nic­i­pal au­thor­i­ties on Friday ad­mit­ted it was ac­tu­ally part of city hal­l’s stan­dard op­er­at­ing pro­ce­dure: Since 2011 city em­ploy­ees have dis­closed the names, iden­ti­fi­ca­tion num­bers, home ad­dresses and tele­phone num­bers of ac­tivists to coun­tries that pro­test­ers were tar­get­ing.

Authorities had the in­for­ma­tion be­cause of a lo­cal or­di­nance that re­quires ac­tivists seek­ing to hold protests to sub­mit that per­sonal in­for­ma­tion to city hall, which would then for­ward in­for­ma­tion to the po­lice of­fi­cers tasked with en­sur­ing the events are car­ried out in a safe en­vi­ron­ment.

But the dis­cov­ery that such in­for­ma­tion was also be­ing shared with re­pres­sive regimes — including Angola, Venezuela and China — has stunned and dis­mayed Lisbon-based dis­si­dent groups, who are now wor­ried that their lead­ing mem­bers might be in the crosshairs of for­eign gov­ern­ments.

And it’s called into ques­tion Portugal’s sta­tus as a place of refuge for po­lit­i­cal ex­iles, as well as its rep­u­ta­tion as a coun­try that de­fends the right of free ex­pres­sion. Already, Lisbon’s mayor is fac­ing calls to re­sign and in­ter­na­tional civil rights lead­ers in the coun­try are be­moan­ing the stain they fear this will leave on Portugal’s global per­cep­tion.

“I found out this morn­ing and I’m hon­estly in shock,” said Alexandra Correia, co­or­di­na­tor of Portugal’s Tibet Support Group, who told POLITICO that her per­sonal in­for­ma­tion was shared with the Chinese em­bassy in April 2019 af­ter she ap­plied for per­mis­sion to hold a rally in fa­vor of the 11th Panchen Lama, who has been de­tained by Chinese au­thor­i­ties since 1995.

“It’s es­pe­cially bizarre be­cause our protest was held on the Largo de Camões, which is nowhere near the Chinese em­bassy, so city hall can’t even ar­gue that they in­formed them for se­cu­rity rea­sons,” Correia said.

The ac­tivist said that the rev­e­la­tion had scared her and ter­ri­fied her daugh­ter, who is now wor­ried about what might hap­pen to fam­ily mem­bers in Tibet, where Chinese au­thor­i­ties still prac­tice cap­i­tal pun­ish­ment.

“This sit­u­a­tion can’t be writ­ten off as a bu­reau­cratic mishap,” Correia said, adding that she would join other dis­si­dent groups in pres­sur­ing city hall to re­spond for its ac­tions. “It’s a grave vi­o­la­tion of my pri­vacy, of my fun­da­men­tal rights as a European, and it’s un­ac­cept­able that this has been go­ing on in a de­mo­c­ra­tic coun­try within the European Union.”

In ad­di­tion to Correia, rep­re­sen­ta­tives for the Committee for Solidarity with Palestine told the Portuguese me­dia they had also dis­cov­ered their in­for­ma­tion was shared with the Israeli em­bassy. That group ex­pressed con­cern over how Israeli se­cret ser­vices might track their mem­bers, and cited a Haaretz ar­ti­cle re­port­ing on Mossad’s data­base of ac­tivists who speak out against the Israeli gov­ern­ment.

The scan­dal sur­round­ing Lisbon’s in­for­ma­tion shar­ing prac­tices has put Mayor Fernando Medina in a del­i­cate po­lit­i­cal sit­u­a­tion just four months prior to the city’s mu­nic­i­pal elec­tions.

On Thursday, the con­ser­v­a­tive op­po­si­tion can­di­date, Carlos Moedas — a for­mer EU com­mis­sioner for re­search and sci­ence — called for Medina to re­sign over the in­ci­dent. Portuguese President Marcelo Rebelo de Sousa called the dis­clo­sures “deeply re­gret­table,” and said that in a de­mo­c­ra­tic na­tion every­one de­served to have their fun­da­men­tal rights re­spected.

Medina took to na­tional broad­caster RTP on Thursday night to pub­licly apol­o­gize for what he deemed a “bureaucratic er­ror,” which he said was the re­sult of the city fol­low­ing “outdated laws.” Although he ac­cused the op­po­si­tion of us­ing the scan­dal to get “political lever­age,” the mayor ac­knowl­edged that city hal­l’s in­ter­nal pro­ce­dures needed to be changed in or­der to en­sure that the sit­u­a­tion was never re­peated.

Pedro Neto, ex­ec­u­tive di­rec­tor of Amnesty International’s Portuguese af­fil­i­ate, said that chang­ing pro­ce­dures was not enough, and de­manded that Lisbon go fur­ther to pro­tect those it had put in “grave dan­ger.”

“Protests have been held in Lisbon against the im­pris­on­ment of mil­lions of Uyghurs in China, and city hall gave the Chinese em­bassy not only the in­for­ma­tion to lo­cate the or­ga­niz­ers here in Portugal, but to go af­ter their fam­i­lies in China,” Neto said. “It’s un­be­liev­able that our gov­ern­ment has been com­plicit in that re­pres­sion.”

Neto said that the city of Lisbon now had the moral oblig­a­tion to do a com­pre­hen­sive re­view of all data shared with for­eign pow­ers, and to in­form all the outed ac­tivists. “Evidently, both our in­te­rior and for­eign af­fairs min­istries need to be in­volved so that the af­fected par­ties can have their pro­tec­tion en­sured within Portugal, and their fam­i­lies’ well-be­ing guar­an­teed abroad.”

The Amnesty International di­rec­tor called the af­fair a “national em­bar­rass­ment” and said that it re­in­forced the im­pres­sion that Portugal was just a “small coun­try that’s sub­servient to eco­nomic gi­ants.”

“In the same way that Lisbon has failed to de­fend hu­man rights here, our na­tional lead­ers have failed to do so dur­ing their turn in the pres­i­dency of the European Union,” Neto added, ref­er­enc­ing Portugal’s pe­riod as ro­tat­ing pres­i­dent of the Council of the EU, which ends in July.

“We could have been stan­dard-bear­ers for hu­man rights and the found­ing val­ues of the EU, but in­stead we’ve kept a low pro­file, and now we’re end­ing our pres­i­dency with this scan­dal at home.”