Friday, April 26, 2019

Bootstrapping your freedom-free/open source web of trust with Cygwin and GnuPG

[I've put together a better discussion of trust, in relation to downloading computer software, here:]

[I was confused when I wrote this. I expected certain files for download to be something they are not, and I wrote this based on those assumptions. I and replace it with a bit different discussion of how you establish a technological chain of trust using Linux or BSD operating systems, and a bit different discussion of the uses of cygwin, two separate posts.]

Why install Cygwin?

If you are stuck running a Microsoft OS, Cygwin gives you access to the basic GNU toolset, and a wide variety of tools from the freedom-free/open source world:
  • standard programming language compilers free from Microsoft distortion field wrappers
    • gcc (C, Fortran, Ada, et al.)
    • clang (alternative to gcc)
    • BASIC (Gambas, etc.)
    • et al.
  • and interpreters
    • Perl, Ruby, Python, et al.
    • Clisp, Scheme (missing?), et al.
    • GForth (Am I going to have to fix this?)
    • bc (somewhat dated arbitrary precision "Basic Calculator")
    • et al.
  • office software
    • office suite (abiword, gnumeric, gnucash, et al.)
    • mail (mutt, Evolution, etc., servers too)
    • text editing (gedit, geany, joe, et al.)
    • typesetting (TeX and company)
    • et al.
  • graphics
    • the GIMP (image/photo)
    • Inkscape (line/vector)
    • Krita (pixel free-hand)
    • ImageMagick (mass processing)
    • fonts and font creation tools
    • et al.
  • audio
    • audio editors such as Audacious
    • players, mixers
    • midi tools
    • et al.
  • database
    • SQL servers (PostgreSQL, MySQL/Maria, others)
    • other kinds of database
    • analysis tools
    • etc.
  • privacy/security software
    • gnupg GNU Privacy Guard (implements Pretty Good Privacy)
    • other encryption tools and libraries
    • et al.
  • etc.
    • web servers
    • data analysis tools
    • astronomy and other scientific tools
    • Lots and lots of stuff
(Yeah that summary is a little much. The full list can be overwhelming.)

If you're like me, you'll look at that list and just give Microsoft's confining view of the world the boot -- Load a Linux or BSD distribution and don't look back. But even if you do that, you need some way to bootstrap your trust relationships in this larger, unfamiliar world.

(Cygwin is something of a McGuffin here. These principles mostly work for any other attempt to establish a chain of trust.)

I used a process similar to what I'll describe below when I bootstrapped my trust relationships in the larger world. I just used openBSD and freeBSD rather than Cygwin. Ubuntu or another Linux OS would serve as well, and I sometimes re-boot a web of trust for my workplace workstations using basically the same set of steps.

It's a fairly lengthy process, and it should be a fairly lengthy process. The time and effort you put into going through the process are a major part of the value of the process. If you don't take the time and go through the steps, you won't have properly bootstrapped your chain of trust when you start using it. Plan on it taking several weeks, at least.

The construction of a real chain/web of trust takes years, but you can't wait that long. If you wait forever, you never get started. A few weeks or a month or two should be a reasonable amount of time to get started.

(I know it seems like a downer, but this gives you a big clue as to why Microsoft software is so vulnerable. Too many people use it without thinking. It's worth the patience and the effort, and, if you don't give it both patience and effort, it will not be worth nearly as much to you. That's what experience costs and that's what it's worth. You cannot really trust without experience. If you make it a vicious cycle, it's vicious. Make it a virtuous cycle, instead. Dig in.)

Now, there are freedom-free and open source projects that Cygwin doesn't give you packages for. You noticed, perhaps, my comments on GForth and Scheme above? I asked on the general discussion list, and the problem there is simply a matter of getting somebody with a little free time and interest to maintain the packages at this time. Hopefully, within a few months, the situation will change relative to gforth.

(Interest is important. If you aren't interested, you don't do it right.)

You'll note, also, that they don't mirror all the Apache projects, or all of Oracle/Sun's Java. And, while the GIMP is closely tracked under Cygwin, that is because the GIMP project people have chosen to provide packages.

In other words, Cygwin should not be viewed as your source for all these. It can be your gateway to the larger world. (Nor should any OS distribution you use -- Ubuntu, Debian, Red Hat/Fedora, Cent, Scientific, Devuan, .... All should be considered gateway points, not sources. This is where Microsoft and Apple fail, really, in trying to be your God. Lately, Google is treading over the line on this, too.)

Hopefully, you noticed that I put a little emphasis on gnupg.

If you have Pretty Good Privacy or GNU Privacy Guard from some trusted source, or something similar, you have a technological root or basis for your trust relationships. You can download Cygwin from their website at, check the signature as shown in the install instructions at, and start the install process. (I'd move the discussion of the verification process up to the top of the page, but they put it down in the Q/A. Personal taste and strategy, I guess. But they do put the link to the signature file right next to the installer file, which is good. Don't overlook it.) (Oh, and there is a reason I'm not enabling linking from the URLs here. I'll explain below.)

But if you are like most people, you probably think of digital signatures as some sort of graphic picture of a signature, and don't have any idea why they would help verify a downloaded file using PGP or gpg. Microsoft is like that. They don't tell you about these things. They want you to trust them without knowing why, so you keep going back to them with your business. (That's their main product, you know, an unreasoning trust in their software. They want to be your God.) So they don't tell you how to get yourself loose from them. And they try to avoid even telling you how the trust relationship works with them, as well. You aren't supposed to think about such things.

If you are using Mac OS X or other BSD, or a Linux OS, you may have gpg available. If not, you probably have somewhat stand-alone commands like sha512sum (sha256sum, md5sum, et al.) available. These will help, even if you can't directly use whatever packaging system the OS provides.

More importantly, with a Linux or BSD OS, you should be able to find gpg in your distribution's packages and just install it from there. But you really should know what's happening, so let's dig in.

Step 1: Go to the Cygwin main site. 

The URL is But don't trust me without verifying. Go to your favorite search engine, google, Duck-duck-go, yahoo, bing, etc., and type "cygwin" into the search form. Look at the URL reported and compare it to the one I am giving you. They should match (for the foreseeable future).

(And this goes more or less the same for Ubuntu or openBSD. Search the web. Read some of what you find. Check the domain names.)

Now you have two witnesses, but you can search on other search engines and in other browsers, just to be safe. The more witnesses, the more eyes, the broader the view, the better you can see.

And you need to know what you are looking at.

"HTTP" (or "http", it doesn't matter in the current Internet) is the name of the application level protocol -- the rules under which communication takes place. It is not part of the identity of the site. These days it seems to be the universal set of rules, but there are others, for example, "ftp" for basic file uploading and downloading, and "smtp" for simple exchange of e-mail messages. Look up "OSI Application layer" for more information.

"HTTPS" ("https") is a somewhat secured form of http. People depend way too much on it, but it does have some advantages.

"" is the domain name above. Again, capitalization (i.e., upper-case and lower-case) doesn't matter. But there are three parts to this one.

"com" is the top-level domain ("TLD"). It was originally supposed to be for international commercial entities like IBM, HP, the Mitsui Group, Dow Chemical, BP, and such, or, rather, for the sub-domains of the Internet that they would have assigned to them. But a lot of USA companies (which should have registered their subdomains under "", but that's a long story) jumped into that domain as well. ("", for instance, had international ambitions. "" was already international.)

Another TLD of concern here is "org", for international non-profit organizations like, well the Free Software Foundation (""), the International Red Cross (""), and many international churches, like the Church of Jesus Christ of Latter-day Saints (originally "").  Again, a lot of USA organizations jumped into this, especially family and family history organizations. (I am not involved in "", if you are curious. At least, not when I write this.)

New TLDs like "biz" and "name" have altered the landscape, but this should give us enough to bootstrap our understanding of TLDs and second-level domain names.

"" is the full domain name to the second level that we are primarily concerned with. "" is another domain we will be interested in.

Anything within the domain will be addressed with a period on the left, and a third level domain to the left of that. "" is the subdomain within Cygwin's domain which serves as the front door. "

Looking at the URL " for a moment, "" is a functional subdomain within is a document subdomain, kind of like a file-system folder, within the domain.

One last thought, when connecting with the http protocol, everything you do is plainly visible to the servers and lines your data passes through. The server admin on some connecting point can tap your datastream and eavesdrop. When connecting on https, two things happen -- well, three.

One is that everything is encrypted. Without a password-like decryption key of some sort, the admin on any connecting point can't read it.

The other, and more important, thing is that your computer and the server on the other end dance this little dance of words that allows them to trade those keys without the important parts of the keys themselves becoming visible to the in-between server admins and others who might tap the lines -- in theory. So far, the theory holds well enough.

The encryption uses what is called asymmetric encryption, where there are two keys, and one key is used to encode, the other to decode, and the two keys can't be computed from each other. And within the dance, these things called encrypted certificates are used. If your browser has the other guy's certificate, he has to provide the encrypted certificate to prove he owns the full domain he is serving to you.

It's this last thing, the certificate, that means that (again, theoretically) when the server for provides the webpage to you, you can be reasonably confident that it is what the cygwin organization put up there for you.

(I'm not explaining everything. You can read more elsewhere. It's not a perfect protocol, but it's way better than no reassurance at all.)

Write the URL down on a piece of paper and bookmark this blog post and shut your browser down. Hit the close button on every window, so you don't have any open browser windows keeping unseen code alive and running. Maybe log out and back in, or even reboot the computer to kill off all background jobs.

When it boots back up and you are logged in as a non-admin user --

Oh. Okay. Back up. Step zero. 

If you don't have a non-admin user account on your computer to do your browsing and downloading with, stop now and set one up. Write down the URL of this blog before you go, so you can find it again:

You'll type that into the URL blank in your browser window when you've booted back up and logged back in on the non-admin account, and your browser is up.

Yeah, it'll take a bit of time, an hour or so, but it's worth the trouble, so go do it.

Why do all this? It is very easy for sneaky bad guys to run programs in your browser, where you don't see them running, and change just about anything that you see, including displayed URLs, etc. But if you haven't gone to a website they've owned since booting up, logging in, and launching your browser, it's much harder for them to do so.

And if you aren't on the admin account, at least the sneaky stuff can't start playing with your application and operating system software behind your back (without finding a new hole to sneak through). It's not perfect, but it stops the amateurs.

And if the sneaky bad guys dump eavesdropping tools or worse in your non-admin account, if worst comes to worst and you can't clean the mess up with a good anti-malware tool (bleaugh), you can log out, go to the admin account, and just erase the non-admin account and start over. If you can't clean it up properly, you may lose some stuff, but not everything.

So you really should not be working in your admin account, ever, even if your company thinks they don't want you to set up a separate login. Too many things can go wrong, including accidentally going to a dangerous website (via one of those ads, etc.) and getting a sneaky app running in the background, monitoring what you type when you type passwords, etc.

Yeah, it means you have to log out and back in when you load new software or change system-wide configurations, etc. But consider the time and resources lost to one bit of malware. Look at what happened to Omega Engineering (the time bomb set by Tim Lloyd) when they failed to properly administer their stuff. And consider that similar stories have played out repeatedly on every operating system in common use, including the one you are using now, when systems are not properly administered.

I'll be happy to tell you how bad Microsoft software, including the OS, is, but it would not be nearly so bad if the users simply rejected Microsoft's fair winks and implied sweet promises, and did sensible things like not doing ordinary jobs when logged in with admin privileges. Any other OS is going to turn into a sieve if you let it, too.

(Yes, improper system administration was one of the reasons it was so easy for Lloyd to do so much damage. In a perfect world, Omega's management would have been tried for mismanagement of their computer systems and would have been required to pay a significant part of the government's costs in prosecuting the case. In a perfect world.)

(If you can't convince your company to let you use separate login accounts for your separate purposes, at least keep your on-line habits clean. And do the downloading and checksum checking with a freshly rebooted session.)

Okay, now you're back and running in a non-admin account. Hopefully.

Back to step one:

You've already done a couple of websearches for Cygwin and confirmed the URL. Type it into your browser URL bar:
Read through that page.

There are a couple of links to installation instructions, over in the index on the left, at the top, and also down in the Installing Cygwin paragraph. Either one will take you to something like
(Hopefully, that won't move.) Read through that page, especially the "How do I verify the signature?" paragraph in the Q&A section. It tells you how to use gpg (GNU Privacy Guard, or gnupg) to verify the download against its developers' fingerprint and signature. If you have gpg or Pretty Good Privacy, those instructions will be very useful, although you may still want to read the rest of the steps here.

And, for instance, if you can download the setup file on a system where you do have Gnupg or Pretty Good Privacy, check it there, and move it from there to your MSWindows box, that's a pretty good way to get things rolling, too.

The next question on that page is "What's the hash of setup?" The answer takes you to something that looks like this:
where there are a couple of long gobbledygook-looking strings of code-looking stuff called checksums, one for setup-x86.exe, and one for setup-x86_64.exe. (That one is likely to move when SHA512 is no longer too hard to crack, hopefully at least five years from when I write this.) I'm not going to repeat the checksums here because they will change, and I won't be able to post the new one after every change. (Checksums are not keys, by the way, and these checksums are not encrypted. That's just the way they look -- these are really, really long hexadecimal numbers.)

Take the time now to review the licensing terms. There is a link to those in the index on the left. At this point in time they're at
You need to have some level of understanding of the licensing terms there and the legal implications. (This is true of all software and all user licenses, and the GPL is one of the easier licenses to understand and to conform to.) Follow the link to the GPL and read through it. Don't trust my summary that it means you can use the stuff freely as long as you respect everyone else's freedom with it, at least not without reading it once or twice yourself.

(When you start understanding the GPL is when you start understanding Free-as-in-freedom software.)

Okay, that probably took several days to get through. Good. We're making progress.

Now we are ready for step three.

Look for the link to the mailing lists in the index on the left. The URL should look something like
Browse through the list archives. You should probably register for the general discussion list, or you may prefer to just read a few of the interesting topics in the archives.

Here is how to subscribe to the discussions list:

Follow the link to the mailing list FAQ under "Notes". The URL should look something like

Full stop!

The top-level domain is not the same as the cygwin top-level domain. That tells you lots of things, but I'm not going to explain all of them. Just one.

If you go back and forth, you'll see that the TLD is, in fact, different between sites, and that the site does link you to the site in many places.

Unless someone has been able to sabotage the site, we should be able to trust that the is officially related, since the link to it is on Cygwin's page, in the domain.

That's a big if, and it would also help to have some external confirmation.

My mention here is one form of confirmation, but not to be completely trusted.

One way to gain confirmation is to take the time to read through the archives a bit. Another is to subscribe and ask questions, but you may want to hold off on questions until you've done research. Anyway, hold off on subscribing until a day or two from the day you first read this paragraph, maybe even a week later.

Get information from other places. (This is called out-of-band information. I'll have to explain that some other time, but keep the term in mind. Out-of-band information is essential to establishing and keeping a chain of trust.)

See what changes occur to the site over the course of a week.

By this time, you will have noticed the subscription form on the page mentioned above. Use that form, or, if you want to be a geek, you can send the subscription request yourself, by interpolating the address from the information given on unsubscribing. (And your first guess will probably be wrong, as you'll see after you register.)

Just use the form:
Mailing list name: cygwin
Your e-mail address:
[ ] Digest version  subscribe   [Send request]
Click the digest version only if you want each day's conversations in a single bundle. It may help you mute the noise. I use mail filters, instead, myself.

Note the announcements archives. The URL looks something like this:
At the time I write this, I'm surprised that they don't announce the checksums for setup-YYY.exe in this announcement mail list, in the announcements for the new versions of setup. I hope they will change that policy, because every place the checksum is posted after it changes is one more place you can confirm the current checksum hash value, one more place the sneaky bad guy has to get his hands into to keep the illusion intact.

These mailing lists actually provide a significant piece of the trust puzzle for many reasons. Unless they are staged (and, yes, they could be staged, but that's a lot of work to go through), they provide proof that there are real humans behind this operation, real humans putting their heart into things and putting their reputations on the line.

This is the ultimate baseline of every chain of trust, 
if not the bottom line of meaning itself: 
Effort and experience,
records and community, 
and taking risks. 

(I need to write up a little analysis of that or three sometime.)

Now we are ready for step four:

Hopefully, you've noticed the link to something called mirrors by now, up there in the Cygwin pages index on the left. If you've wandered into those, through a URL something like this:
you may have found file directory lists, and in those lists you may have found checksums. For instance, if we look at the mirrors in Japan, we find iij:
(I activate the link there because I think it's okay for you to link into mirrors from this blog post.)
In the iij mirror for Cygwin, you see at the root something like this:
md5.sum        45 B   2018/01/31 9:00:00
noarch/               2018/09/25 9:00:00
sha512.sum    138 B   2018/01/31 9:00:00
unsupported/          2015/02/05 9:00:00
x86/                  2019/04/23 9:44:00
x86_64/               2019/04/23 9:44:00
If you look at that sha512sum, it is not what you've seen before. Why not? It's the checksum for something else, for this directory, to be specific.

If you click on x86_64 here, you'll find something odd. There are a bunch of setup files, but none are the setup-YYY.exe that you can download from the cygwin site.

(I'm going to try to convince them to find some way to get a checksum for setup-YYY.exe in that part of the mirror sites, so that the mirrors can become a more effective part of the chain of trust, but at this point they are not there.)

This is a little awkward for me, for this blog post, but I think we can overcome this problem. You probably want to install the x86_64 version of setup, so let's get the two checksum files from the x86_64 directory,

  • md5.sum
  • sha512.sum

Make a directory (new folder) inside your downloads folder and call it "cygwinstuff". Save these two files, or change their names after downloading, to
  • md5-iij64.sum
  • sha512-iij64.sum
inside your download\cygwinstuff folder. Don't download other files just yet.

Now go to three or more other mirror sites at random and get the same checksum files from them, renaming them so you know which is from where. Right-click and Save-as, changing the names as you save can speed the process up a bit. You'll end up with something like this:
  • md5-iij64.sum
  • sha512-iij64.sum
  • md5-hkk64.sum
  • sha512-hkk64.sum
  • md5-cymru64.sum
  • sha512-cymru64.sum
But don't pick these exact three, because they are the three I picked, and then you are no longer picking at random, or at least not sufficiently at random.

Now, use the command-line to compare them. Underneath the infamous start menu in MSWindows, you'll find the folder of accessory programs. In that folder, you'll find the command-line shell or prompt. Open one of those terminal windows and then open up a file manager prompt. Change directories ("cd") to the download folder with the cygwinstuff:
C:>cd C:\Users\me\Downloads\cygwinstuff 
You can drag the folder to the terminal window to save some typing on the path name. Check you are in the right place with dir. Mine shows the following:
2019/04/26  23:39    <DIR>          .
2019/04/26  23:39    <DIR>          ..
2019/04/26  23:39               367 md5-cymru64.sum
2019/04/26  23:35               367 md5-hkk64.sum
2019/04/26  23:31               367 md5-iij64.sum
2019/04/26  23:39             1,132 sha512-cymru64.sum
2019/04/26  23:35             1,132 sha512-hkk64.sum
2019/04/26  23:31             1,132 sha512-iij64.sum
Now do the file compare command like this:
fc sha512-cymru64.sum sha512-hkk64.sum
I also compared iij with hkk, but I could have compared cymru with hkk. You should make sure each file of the same information is compared with one other of the same information. Do the same for the md5 files, just to be thorough. It should tell you there is no difference in the three sha512.sum files and no difference in the three md5.sum files.

If it doesn't, it's probably because the mirrors are in the middle of updating the files, and one is behind the others. Check the file dates for clues. If the dates are the same day you're trying to check, try again the next day. If they are still different after that, you'll need to ask on the general discussion list if anyone knows why. Please ask, as it could indicate tampering.

Why do I suggest this, and why pick, at random, three sites that are physically far apart? The idea is that it will be harder for more than one of the mirrors to be compromised, and even for a man-in-the-middle to capture and successfully spoof the responses for your requests to all three sites. 

It's going to cost a lot of time and other resources to do the spoofs and/or compromise the servers, and time is money, and if you are worth that much to someone with that kind of money, well, you should be taking extra precautions. For example, you can compare files from two more mirrors, and connect physically from some other location to do so. And avoid wireless connections, at home, anyway.

This checking information from multiple mirrors
is the principle of
multiple witnesses

It isn't perfect proof, but, combined with the above, it gets you pretty close, relative to what can be done in this world.

We are almost there.

Step five:

Windows does not include the tool sha512sum.exe by default, but it does include a utility called "certutil". You use it for this purpose like this:
C:> certutil -hashfile sha512-cymru64.sum MD5
So we should probably be able to check the checksum files we downloaded. Or, at least one of them. It appears that the SHA512 checksums are calculated first, so the entry in that file for md5.sum is different. The rest should match up.

Here's how to check the MD5 checksum for the sha512.sum file. Open the md5.sum file in a text editor. (Start->all applications->accessories->{ either notepad or wordpad}.) With notepad, you can just drag the file into an open notepad window, but then you'll have to add line endings, and that can be tricky.

With wordpad, open an empty document, then use "Open file" from the file menu to navigate to the downloaded files. Wordpad will get the line endings right.

Go back to the command-line shell window and use right-click to select and copy:

  1. mouse right-click to start select mode, 
  2. select the text with the left button and drag, 
  3. right-click to capture 

(on current versions of MSWindows). Then paste it into the open text editor window, underneath the line for the sha512.sum file. On mine, it currently looks like this:
[... other files ...]
19a3348f30d4b718dc887f6dec0dd716  sha512.sum
19 a3 34 8f 30 d4 b7 18 dc 88 7f 6d ec 0d d7 16
Microsoft puts spaces in where you don't need them, but that's okay. Start at the left and delete the spaces, and watch the numbers line up. As you go, you'll watch them fall into place, and you'll know if they match or not:
[... other files ...]
19a3348f30d4b718dc887f6dec0dd716  sha512.sum
(Note that the actual values of checksums that you see above were valid on 27 April 2019, around 11:00 am JST, and will shortly change and not be valid.)

If you don't want to copy from the command-line window, or can't make it work, you can redirect the output:
C:>certutil -hashfile sha512-cymru64.sum MD5 > md5hash_sha512_sum.txt
(Keep it on one line: hit space, not return, after the ">", then hit return after "..._sum.txt".) Then you can open both files and copy-paste from file to file.

Open a text editor window and paste the checksums in.

What do we know from comparing the MD5 checksums for the sha512.sum file with the value we downloaded in the md5.sum file? We aren't absolutely 100% positive, but we are better than 99% sure that the sha512.sum file is identical to the file that the Cygwin folks generated of the checksums for the download files here.


One reason is that the files are identical across mirrors. There would really have to be some serious collusion, or a very coordinated and skillful attack, for the posted checksums to have been altered. Or, if deceiving you (or perhaps someone near you) is worth tens or hundreds of thousands of dollars to someone, there would have to be a very skillful man-in-the-middle attack on the route from where you are to the servers.

The other reason is that you have just matched the checksums. (MD5 is weak, but not on a file this small.) Yeah, if someone had pulled off an attack on you, they would have been smart enough to alter all the files together, but that also increases the odds of discovery, and makes the attack that much harder to pull off successfully.
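Steps four and five can also be scripted with PowerShell's built-in Get-FileHash instead of fc and certutil. The following is an added example, not part of the original post; the function names are hypothetical, the file names follow the post's naming convention, and the demo data is constructed so it runs offline. As with the manual procedure, it shows only that the mirror copies agree and that a file matches its listed checksum, not who produced the file.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# file names follow the post's <algo>-<mirror>64.sum convention.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-HexHash {
    param([string]$Path, [string]$Algorithm)
    (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToLowerInvariant()
}

# Older certutil builds print "19 a3 34 ..."; strip whitespace before comparing.
function ConvertTo-PlainHex {
    param([string]$Text)
    ($Text -replace '\s', '').ToLowerInvariant()
}

# Step four: group the mirror copies by content. One group means every
# witness agrees; more than one means a mirror is stale or has been altered.
function Get-MirrorAgreement {
    param([string[]]$Paths)
    if ($Paths.Count -lt 2) { throw 'Compare copies from at least two mirrors.' }
    $groups = @($Paths | Group-Object { Get-HexHash $_ 'SHA512' })
    [pscustomobject]@{
        Agree  = ($groups.Count -eq 1)
        Groups = $groups | ForEach-Object {
            [pscustomobject]@{
                Sha512 = $_.Name.Substring(0, 16) + '...'
                Files  = ($_.Group | Split-Path -Leaf) -join ', '
            }
        }
    }
}

# Parse md5sum/sha512sum style lines: "<hex>  <name>" (optional '*' before name).
function Read-SumFile {
    param([string]$Path)
    $table = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([0-9A-Fa-f]+)\s+\*?(.+?)\s*$') {
            $table[$Matches[2]] = $Matches[1].ToLowerInvariant()
        }
    }
    $table
}

# Step five: compare the hash listed for $ListedName with the hash of $Target.
function Test-ListedHash {
    param([string]$SumFile, [string]$ListedName, [string]$Target, [string]$Algorithm)
    $listed = (Read-SumFile $SumFile)[$ListedName]
    if (-not $listed) { throw "No entry for $ListedName in $SumFile" }
    $actual = Get-HexHash $Target $Algorithm
    [pscustomobject]@{
        File = $ListedName; Algorithm = $Algorithm
        Listed = $listed; Actual = $actual; Match = ($listed -eq $actual)
    }
}

# --- Constructed demo data: three "mirror" copies in a throwaway folder ---
$dir = Join-Path ([IO.Path]::GetTempPath()) ('cygwinstuff-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$sig = Join-Path $dir 'setup.bz2.sig'
Set-Content -LiteralPath $sig -Encoding ascii -Value 'constructed stand-in, not a real signature'

$mirrors = 'iij', 'hkk', 'cymru'
$shaLine = '{0}  setup.bz2.sig' -f (Get-HexHash $sig 'SHA512')
$shaCopies = foreach ($m in $mirrors) {
    $copy = Join-Path $dir "sha512-${m}64.sum"
    Set-Content -LiteralPath $copy -Encoding ascii -Value $shaLine
    $copy
}
$md5File = Join-Path $dir 'md5-iij64.sum'
Set-Content -LiteralPath $md5File -Encoding ascii `
    -Value ('{0}  sha512.sum' -f (Get-HexHash $shaCopies[0] 'MD5'))

# All three witnesses agree, and both listed hashes match.
"Mirrors agree: $((Get-MirrorAgreement $shaCopies).Agree)"
Test-ListedHash -SumFile $md5File -ListedName 'sha512.sum' `
    -Target $shaCopies[0] -Algorithm MD5 | Format-List
Test-ListedHash -SumFile $shaCopies[0] -ListedName 'setup.bz2.sig' `
    -Target $sig -Algorithm SHA512 | Format-List

# Simulate one stale or altered mirror: the copies now fall into two groups.
Add-Content -LiteralPath $shaCopies[2] -Encoding ascii -Value 'extra line'
$after = Get-MirrorAgreement $shaCopies
"Mirrors agree after change: $($after.Agree)"
$after.Groups | Format-Table -AutoSize

# The "delete the spaces" step applied to the certutil output quoted in the post.
ConvertTo-PlainHex '19 a3 34 8f 30 d4 b7 18 dc 88 7f 6d ec 0d d7 16'

Remove-Item -LiteralPath $dir -Recurse -Force
```

To use it on real downloads, drop the constructed demo section and pass the paths in your own cygwinstuff folder to Get-MirrorAgreement and Test-ListedHash.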

You should be able to download the file you check from any server you've been to, or pick another mirror. Just make sure the dates are the same. Pick, for instance, setup.bz2.sig, making sure to save it in the cygwinstuff folder underneath Downloads, or to move it there after downloading.

[This is where my confusion comes in. I was expecting setup.bz2 and setup.xz to be the installer. But they are not the installer, they are configuration files, which are not really useful. So, this whole line of reasoning is undone.

If the good folks at Cygwin had published the installers, setup-x86.exe and setup-x86_64.exe in the files for mirroring, you could build a temporary case for trust like this, but that is not what they did. Perhaps they don't think it's as trustable as I think it is. Anyway, while I can borrow pieces of this post for other posts I want to put up, this post becomes specious reasoning at this point. Not a complete waste of time but definitely a wrong path.

Mea culpa.]

Let's do the checksums, redirecting the output:
C:>certutil -hashfile setup.bz2.sig MD5 > checksums.txt
C:>certutil -hashfile setup.bz2.sig SHA512 >> checksums.txt
Yes, the first is ">" and the second is ">>". This appends the second checksum into the first file, because I don't like extra files lying around. Copy the checksums between files and see how they line up. If they look good, let's go after one more file.

If you can decompress .xz format archives on your computer, you will prefer setup.xz. But go ahead and get the .sig file, too. We want it after we install Gnupg. If you can't decompress either .xz or .bz2 files, we'll be stuck with setup-YYY.exe.

I really wish the folks at Cygwin would make the setup-YYY.exe file they have on their main page available in the mirrors. And that they would post the contents of the sha512.sum and md5.sum files on their main site, as they have posted the checksums for setup-YYY.exe. Why? Although it is not 100% sure, it would give us two more places to check, and it would make the connections that much more clear. And it would make the setup-YYY.exe files that much less susceptible to man-in-the-middle attacks.

However, with all the out-of-band information we have been able to gather, we have a reasonably high level of confidence in the setup.bz2 or setup.xz installers from the mirrors. If we do the last check.

Download setup.bz2 or setup.xz and let's check it.
C:>certutil -hashfile setup.bz2 MD5 >> checksums.txt
C:>certutil -hashfile setup.bz2 SHA512 >> checksums.txt
Or setup.xz if that is what you are downloading.

Note something very important: if you don't already have tools for decompressing .bz2 or .xz files on your computer, it won't help to load those tools from some random website out there. All that will do is shift your vulnerable points to some place even more vulnerable.

Winzip, 7zip, wherever, without some way to check full signatures, even publishing the checksums doesn't really help. All it tells you is that the file wasn't zapped by network problems or file system problems. The checksum by itself doesn't help you be sure that what you got is what the developer put up for downloading. Man-in-the-middle attacks are going to become more common in the future, so we need more than what they give.

That's why I am recommending cygwin if you can't go with a well known Linux or BSD distribution. There are mirrors, and the mirrors can give you quite a bit of reassurance.

You'd have more reassurance with the checksums for setup-YYY.exe in the mirrors and in the announcement lists. (Sorry to be so incessant on this, but the point must be understood. Checksums are not fingerprints.)

We'll use append mode for both this time, and keep the checksums.txt file around when we are done, just because we can. Pull the output into your text editor, delete the spaces, and watch the checksums line up. If they don't match, ask about it on the Cygwin discussions mailing list, please. If they do, you can now run the installer with a pretty high degree of confidence.

Not as high a level of confidence as using the fingerprints, but a reasonably high level of confidence at the time I write this. Until man-in-the-middle attacks become more common, it's a fairly reasonable level of confidence, even without the externally published checksums.
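The mirror cross-check described above can be scripted with PowerShell's built-in Get-FileHash, so nothing extra has to be downloaded first. This is an added example, not part of the original post or of Cygwin's tooling; it assumes PowerShell 4 or later, that each mirror's sha512.sum was saved under its own name, and that those files use the usual "digest, two spaces (or space and asterisk), file name" layout. The function names and the sample data are made up for the illustration.

```powershell
# Added example: compare a local file's SHA-512 with the digest listed
# in sha512.sum files saved from several mirrors.
# Assumption: each list line looks like "<128 hex chars>  <name>" or "<hex> *<name>".

function Get-ListedDigest {
    # Return the lowercase digest a *.sum file lists for $FileName, or $null.
    param([string]$SumFile, [string]$FileName)
    foreach ($line in Get-Content -LiteralPath $SumFile) {
        if ($line -match '^\s*([0-9A-Fa-f]{128})\s+\*?(.+?)\s*$' -and
            $Matches[2] -eq $FileName) {
            return $Matches[1].ToLowerInvariant()
        }
    }
    return $null
}

function Compare-MirrorChecksums {
    # Hash $Path once, then report what every saved mirror list says about it.
    param([string]$Path, [string[]]$SumFiles)
    $name  = Split-Path -Leaf $Path
    $local = (Get-FileHash -LiteralPath $Path -Algorithm SHA512).Hash.ToLowerInvariant()
    $rows  = @(foreach ($sumFile in $SumFiles) {
        $listed = Get-ListedDigest -SumFile $sumFile -FileName $name
        [pscustomobject]@{
            SumFile = Split-Path -Leaf $sumFile
            Listed  = [bool]$listed              # does the mirror list this file at all?
            Match   = ($listed -eq $local)       # $null never equals a real digest
        }
    })
    $failed = @($rows | Where-Object { -not $_.Match })
    [pscustomobject]@{
        File     = $name
        Sha512   = $local
        Mirrors  = $rows
        # True only if at least one list was checked and none disagreed.
        AllAgree = ($rows.Count -gt 0 -and $failed.Count -eq 0)
    }
}

# --- Constructed demonstration data (not real Cygwin files or digests) ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ("sumdemo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'setup.bz2'
[System.IO.File]::WriteAllBytes(
    $file, [System.Text.Encoding]::ASCII.GetBytes('constructed sample, not a real setup.bz2'))

$good  = (Get-FileHash -LiteralPath $file -Algorithm SHA512).Hash.ToLowerInvariant()
$wrong = '0' * 128   # stands in for a mirror serving a different file

Set-Content -LiteralPath (Join-Path $dir 'mirror-a.sha512.sum') -Value "$good  setup.bz2"
Set-Content -LiteralPath (Join-Path $dir 'mirror-b.sha512.sum') -Value "$good *setup.bz2"
Set-Content -LiteralPath (Join-Path $dir 'mirror-c.sha512.sum') -Value "$wrong  setup.bz2"

$lists  = (Get-ChildItem -LiteralPath $dir -Filter '*.sum').FullName
$result = Compare-MirrorChecksums -Path $file -SumFiles $lists
$result.Mirrors | Format-Table -AutoSize
"All mirror lists agree with the local file: $($result.AllAgree)"

Remove-Item -LiteralPath $dir -Recurse
```

Agreement across mirrors only shows that they serve the same bytes; it is still a checksum comparison, so the GnuPG check of the .sig file remains the stronger step once GnuPG is installed.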

How do you get a higher level of confidence? Go to a Linux or BSD users' group meeting, exchange keys with ... wait. You don't have keys to exchange. If you didn't bootstrap your chains of trust when you were in college, you've still got the chicken-and-the-egg problem, and, if you did, hopefully, you aren't having to do this all over again. Other than something like what I have described here, the best approach you can take is to have a friend whom you trust burn you a copy of Linux or BSD distribution media, or perhaps the Plan 9 distribution or some such, and install a properly free-as-in-freedom OS.

Or buy a Mac. That'll work pretty well, too, just remember to get the developer tools when you do so.

Before you install Cygwin, save these files away, outside of downloads, say in C:\my\installers\cygwinstuff or something like that. You want the hashes for later reference. Copy the whole directory over, and, if you want to be as sure as possible, you can re-run the checksum checks after copying, to make sure there are no file system problems in your computer. Or use one of the MSWindows file comparison tools.

From here, follow the instructions on the Cygwin install page.

Launch the setup-YYY.exe the usual way, walk through the install guide, install the base system first. Once those are installed, start again from the front, walk through the initial screens, then when the packages screen comes up, view by category, type "gnupg" in the search field. You'll find gnupg in utilities. I've installed both 1.4 and 2.2.

This gives you tools to check checksums and digital fingerprints and such.

I should write a post about using gnupg, too.

Anyway, once you have gnupg installed, you can check out packages I've listed above for whatever tickles your fancy. And you can also download other stuff that isn't in Cygwin, like libreoffice, and you have the tools to check their fingerprints.

Saturday, April 20, 2019

Q&D Prime Sieve in Color Computer BASIC?

Okay. So the post on writing a C program to check the time required to count N primes wasn't my best offering on the subject of primes.

This will be even more bizarre, although closer in spirit to the post in the Vintage {computers | microprocessors | microcontrollers } FB group on a Fortran program for counting primes.

Let's count primes less than 256 in Tandy/Radio Shack Extended Color Computer BASIC!

30 FINAL = MAX/2
40 PRIMES(0)=0
50 PRIMES(1)=0
90 PRIMES(J)=0
100 NEXT J
110 NEXT I
115 COUNT=0
120 FOR I=0 TO MAX
130 PRINT I;" IS ";
160 NEXT I

(This is essentially the same algorithm as in this post on a small sieve, which also points to some implementations of the same in Ada and Forth.)

(You can download this as a file on my OSDN Japan account, here. I was not successful in using imgtool to put it back in a DECB disk, however.)

And let's see how long it takes. (Counting seconds in my head.)

Constructing the sieve itself takes about ten seconds, printing the sieve (Not very meaningful when the list mostly ends up scrolling off the screen.) takes another nine.

54 primes less than 255. Yep. That other program says the same.

255 numbers in 10 seconds is about 25 numbers per second, average, although average here does not mean what it seems to mean.

Now this program is very easy to modify to count the first thousand or more primes up to something like 15,000 on a 32K Coco.

First, check your RAM:


 If it says something over 22,000, there should be plenty of room. Let's try 8,192, a nice round number. Edit line 10:

    EDIT 10
    10 MAX=8192


Byte arrays in BASIC aren't done that way. In fact, they aren't hardly done at all. We would have to go get BASIC09 to do byte arrays in a BASIC on the Color Computer, I think. (Or we could do it in BIF. Or assembler.)

(Would be faster. Maybe I need an excuse to fire up OS-9. Not Mac OS-9, Microware OS-9, which well predated the Macintosh itself. Tandy/Radio Shack missed serious opportunities on that. Tandy's stupid mistake of not letting the company's products compete with each other, as if there were only one prize to be won. Making money linear is the best way to lose. Put down the mike, I know, I know.)

Let's try again with only 1,024.

About 45 seconds to calculate the sieve, and another 35 to scroll the list off the screen. 

Says 172 primes less than 1024. That checks with that other program, too.

Checking 1024 numbers in 45 seconds averages 1024/45 numbers per second, or about 23 per second, which seems nearly linear to the earlier time.

And it looks like we have some memory left. In fact, it looks like our array only costs about 4 bytes per integer, which means we should easily be able to get away with 4,096. And time may be linear.

But I'm going to use the clock instead of counting for more than 3 minutes.

Expect, if the time is no better than linear, something like 4096/23, or 178 seconds, about three minutes.

Executing it. Yep. About three minutes to calculate.

Why should the time be nearly linear? The print loop is just a single loop, not nested, no branching. That makes sense.

But the sieve itself is nested, scanning the array and blocking out non-primes once for each prime it sees. But, first, the scan is only from the prime's double, skipping by the prime, so the later loops become really quick. And the loop ignores scanning on the non-primes, because those have all been picked up by the first loops. So the scans really don't take nearly as much time as we might think.

The scans after initialization will be half the count of the initialization, then a third, then a fifth, then a seventh, ...

Printing takes a rather long time. But that's always true. Almost three minutes to print the count.

564 primes less than 4,096. Check that? Yep. That other program agrees.

If we could extrapolate to 100,000,000 (which we can't, at least not this way), we would expect the Color Computer to take (100000000/23)/(60*60*24) days, or about 50 days. But the Color Computer would need about 500 megabytes of RAM, quite possible on modern desktop computers with multiple gigabytes of RAM, but not on the Color Computer.

Maybe a sieve array that big could be simulated on hard disk, but that would incur more time costs.

Left over memory with just 4,096 entries -- 1,850. If we want to do more on a Coco, we need a more sophisticated method.

Also, since the list scrolls off the screen, it would make sense to, instead of printing the list, write a loop that would allow the user to type in a beginning and ending number and list primes between the two numbers.

Those are left as exercises for the reader, for now. (There is a way to check whether a number is prime after this program ends. Do you know how?)

Sunday, February 24, 2019

Taking the Sieve Too Far

A post on a Fortran program for counting primes in the Vintage {computers | microprocessors | microcontrollers } FB group inspired me to dig an old post on small primes back up and refurbish it a bit.

(If you don't know how this works, refer to the post on small primes.)

/* Archetypical implementation of the sieve of eratosthenes in C
** By Joel Rees, Amagasaki, Japan, 2015, 2018
** All rights reserved.
** Permission granted by the author to use this code
** for any purpose,
** on condition that substantial use
** shall retain this copyright and permission notice.
*/

#include <stdio.h>
#include <stdlib.h>

#define MAXSIEVE 100000000L

#define FINALPASS ( ( MAXSIEVE + 1 ) / 2 )

char * sieve;

int main( int argc, char * argv[] )
{
    unsigned long index, prime;
    unsigned long count = 0;
    unsigned long maxsieve = MAXSIEVE; /* Default when no argument is given. */
    unsigned long finalpass;
    char * unscanned;

    if ( argc > 1 )
    {
       maxsieve = strtoul( argv[ 1 ], &unscanned, 0 );
       /* Fall back to the default on unparsable or out-of-range input.
       ** Below 2 the writes to sieve[ 0 ] and sieve[ 1 ] would overrun the array.
       */
       if ( ! ( unscanned > argv[ 1 ] ) || ( maxsieve < 2 ) || ( maxsieve > MAXSIEVE ) )
       {  maxsieve = MAXSIEVE;
       }
    }
    finalpass = ( maxsieve + 1 ) / 2;
    sieve = malloc( maxsieve );
    if ( sieve == NULL )
    {
       printf( "Can't allocate %lu byte array, quitting.\n", maxsieve );
       return EXIT_FAILURE;
    }

    /* Start by assuming everything from 2 up is prime. */
    sieve[ 0 ] = 0;
    sieve[ 1 ] = 0;
    for ( index = 2; index < maxsieve; index = index + 1 )
    {   sieve[ index ] = 1;
    }

    /* Strike out the multiples of each number still marked prime. */
    for ( prime = 2; prime < finalpass; prime = prime + 1)
    {
        if ( sieve[ prime ] == 1 )
        {   for ( index = prime + prime; index < maxsieve; index = index + prime )
            {   sieve[ index ] = 0;
            }
        }
    }

    /* Count what is left. */
    for ( index = 2; index < maxsieve; index = index + 1 )
    {
        if ( sieve[ index ]  != 0 )
        {   count = count + 1;
        }
    }
    printf( "%lu primes less than %lu\n", count, maxsieve );
    return EXIT_SUCCESS;
}

This version only counts primes, and it allows you to specify the largest number.

Execution time on this old 1.2 GHz single processor:

$ time ./primecount 100000000
5761455 primes less than 100000000

real    0m14.008s
user    0m13.733s
sys    0m0.196s

It uses the same sieve-in-array approach as the small primes example, so you probably should not run it at a hundred million if you don't have at least a gigabyte of RAM.

I hope there's no bug and that's the correct answer.

A note:

I had the array statically allocated at one point, and the compile actually took several seconds to write that big empty array. But the execute time was not quite a second shorter. The extra execution time for the dynamic array may have simply been the system thrashing after the previous version (because this box only has one gigabyte of RAM and a 100 Meg of a Gig is enough to push things around in virtual memory).

And here's how it runs under Cygwin on a much more recent 2.5 GHz dual core Intel CPU:
$ time ./primecount 100000000
5761455 primes less than 100000000

real    0m11.349s
user    0m11.107s
sys     0m0.062s

It's only using one core, but why doesn't the double clock speed halve the execution time? I dunno. You tell me.

I could use the second core by forking the process and having the second process lag behind the first one. The algorithm becomes semi-non-obvious:

First, the first processor sets the flags in the lower half of the array, and the second process sets the flags in the upper half. Maybe bus contention would not eat up the savings in halving the load.

We'll start the parent process on a single pass at multiples of 2, and it will quickly try to do this to the first part of the sieve array:

0123456789 10111213141516171819 20212223242526272829
0011010101 0101010101 0101010101

We'll start the child process on a single pass at multiples of 3, and it will quickly try to do this to the first part of the sieve array:

0123456789 10111213141516171819 20212223242526272829
0011110110 1101101101 1011011011

Note that the effects are independent of each other.

Now, if either the parent or child finishes its first single pass before the other even starts its first, the only damage is an unneeded extra pass on 4, and maybe even 6, 8, and 9. For small arrays, trying to use both processors could end up being (slightly) slower. For large arrays, we can be pretty sure that there won't be more than a few unnecessary passes.

Ideally, by the time one or the other finishes its first pass, the other will have already made its way through the first 15 of its pass, and it will have

0123456789 10111213141516171819 20212223242526272829
0011010100 0101000101 0001010001

and this is good enough to let the process avoid wasting a pass on 4 and start 5.

But the next process to finish will also see 5. (Check for yourself why probing the second or third in the pass isn't sufficient.)

So it looks like we need a shared variable for each to store its current pass on. And there will be some non-zero probability of read-interleaved write, so we should probably protect it with some semaphore or other mutual-exclusion technique.

This shared variable will help at the end, as well, when passes become very quick.

Lack of such mutual exclusion won't make it give the wrong result, it will just result in wasted passes.

Maybe I'll do the code for multiple processes later on.

Saturday, November 17, 2018

Make a Crude Triangle in Forth

In programming related on-line communities, sometimes students come asking for solutions to their programming problems.

Sometimes we like to be very helpful.

Recently, in the Not Just Tiny-C Facebook group, we had a pair asking for help writing a C program to make right triangles using (monospaced) character output on a terminal console, something like this:

* *
*  *
*   *
*    *
*     *
*      *
*       *

Part of their assignment was to use a do while C loop.

Part of their assignment was to get the size of the triangle from the terminal input.

We gave them a few hints. And I refrained, at the time, from giving them the trivial tutorial solution in Forth. (This is a traditional tutorial problem, you see.)

Well, here is one typical version of the traditional trivial solution in Forth, with some tests mixed in to help the uninitiate.


Forth handles the conversion from terminal input to numeric for you. So that part of the solution is opaque.

And I used the traditional Forth counted loop instead of the Forth do while loop. (Forth do while loops don't translate to C do while loops unless you know both pretty well, anyway.)

(Tested in gforth and fig-Forth. Copy and paste, it should run as-is in quite a variety of Forths.)

: star ( --- ) ( Very traditional tutorial word! )
  42 emit ; 
: stars ( n --- ) ( Refining tradition a little. )
  dup 0 > 0= if
    drop
  else
    0 do
      star
    loop
  endif ;
0 stars
1 stars
2 stars
3 stars 
: bracket ( n --- ) ( Two stars with n-2 spaces between, one star if n is less than 2. )
  star dup 2 < if
    drop
  else
    2 - spaces star
  endif ;
0 bracket
1 bracket
2 bracket
3 bracket
10 bracket
: triangle-bottom ( n --- )
  cr dup 1 > if
    dup 1 do
      i bracket cr
    loop
  endif
  stars cr ;
: triangle ( n --- )
  dup 0 > 0= if
    drop
  else
    triangle-bottom
  endif ;
0 triangle
1 triangle
2 triangle
3 triangle
4 triangle
10 triangle


Now isn't that just more fun than you've had all week?

Sunday, October 14, 2018

A Forth Program for Making HTML Multiplication Tables

Since Forth programs tend to be self-documenting when written carefully, there really isn't much to say. Remember that Forth expressions are postfix.


( Forth program for making HTML multiplication tables )
( Joel Matthew Rees, October 2018, Amagasaki, Japan )
( Copyright 2018 Joel Matthew Rees )
( Permission granted for private, non-profit use. )

( Runs in gforth. Should run in almost any Forth. )

: decout ( n --- )
  base @ swap
  10 base ! 1 .R
  base ! ;

: colheadout ( percentwidth n --- )
  over ." <th align='center' width='" decout ." %'>"
  1 .R ." </th>" ;

: hrow ( percentwidth limit --- )
  0 do i colheadout loop drop ;

: headrow ( percentwidth limit --- )
  ." <tr>" CR ." <th>×</th>" hrow CR ." </tr>" CR ;

: thout ( n --- )
  ." <th align='center'>" 1 .R ." </th>" ;

: tdout ( n --- )
  ." <td align='center'>" 1 .R ." </td>" ;

: row (  limit current --- limit )
  over 0 do dup i * tdout loop drop ;

: fullrow ( limit current --- limit )
  ." <tr>" CR dup thout row CR ." </tr>" CR ;

: htmltable ( base --- )
  CR ." <table border='1'>" CR
  base @ >R
  dup base !
  3 + ( limit )
  100 over 1 + / ( width in percent )
  over headrow
  dup 0 do
    i fullrow
  loop drop
  R> base !
  ." </table>" CR ;

: maketables
  1+ 2 do
    ." <br />" CR
    i 1 .R ." s table:<br />" CR
    i htmltable
  loop ;

The results of running "10 maketables" (copied from terminal window and pasted as-is into Blogger's HTML edit mode):

2s table:

3s table:

4s table:

5s table:

6s table:

7s table:

8s table:

9s table:

10s table:

Wednesday, March 21, 2018

LDSBR On-line Presenters

Topic: Writing process

Writing Accountability and Tracking Systems

Presenter: Katherine Cowley


One of the most difficult parts about creative writing is that you normally don’t have deadlines. Unless you have a book under contract, you don’t have a boss who is checking on how your writing is going and expecting a deliverable on a set date. In some ways, this is a good thing, but it can be easy to not achieve your writing goals if you don’t have accountability.
This presentation will address how to create writing accountability, first, through the creation of a habit-reward routine, and second, through using a tracking system, which can be low tech (a notebook) or a little more high tech (an app with time and project tracking). Ultimately, by using an accountability system, you can both write more and be happier with your progress.

About the presenter:

Katherine Cowley is an award-winning short story writer, who has been published in Segullah, the Mormon Lit Blitz, Steel and Bone, and Defenestration, to name a few. She was the guest editor for the 2016 Mormon Lit Blitz. She is a former English professor and radio producer, and lives with her husband and three children in Kalamazoo, Michigan. You can read many of her stories and learn more about her at
Video Link:

YA Fantasy:
Fall of the Dragon Prince, Forgotten Heirs Book 1 (Jolly Fish Press), Feb 2017
Blade of Toran, Forgotten Heirs Book 2, Feb 2018
Arachnomancer, (Dragon Scales Publishing), Sept 2018
Middle Grade Fantasy:
Super Dungeon Explore: Dungeons of Arcadia (Future House Publishing), June 2018
Science in Fiction: Gravity, Nanotechnology and Relativity chapters, edited by Dan Kobolt (Writer's Digest) Fall 2018

resource links:

-------------- | | -------------

Topic: Writing to Market

How to Write to Market

Presenter: Victorine Lieske


Learn what it means to write to market, and how to do it, and the benefits of having an audience hungry for what you're writing.

About the presenter:

Victorine enjoys commercial success through her writing, thanks in part to her ability to analyze and adapt to the constantly changing trends in today's publishing environment. She self-published her first book, Not What She Seems, in April of 2010. In March of 2011, Not What She Seems began its 6 week run on The New York Times best selling eBook list. By May 2011 she had sold over 100,000 copies. Victorine's first romantic comedy novel hit the USA Today Best selling books list in January 2015.
Video Link:

Too many to list now, but here's a link:

resource links:

-------------- | | -------------

Topic: Writing a Scene

Steaks and Stakes: Creating a scene with purpose and consequence.

Presenter: Ryan Decaria


In every scene, the focal character needs two things, a goal they are trying to accomplish (hmmm, steak) and consequences for failure (the stakes). In this class, we'll break down a scene and brainstorm how to improve the goals and stakes. Then we'll workshop scenes submitted by volunteers from the audience focusing on these two ideas.

About the presenter:

Ryan Decaria was raised on science fiction and fantasy novels and 80’s adventure movies. On rainy days, you can find him sulking on the window sill waiting for a treasure map, his future self, an alien buddy, and his own luck dragon. He lives in Northern Utah where he invents problems for invisible friends; he also writes fiction. Ryan approaches magic like a scientific field of study and science fiction as if it were magic. Slam both together, and Mad Science is born, where anything is possible and it’s always a little gooey. His favorite parts are the monster always hiding in the closet, adventure around every corner, and a brilliant mind trying to set things right.
Video Link:

Devil in the Microscope

resource links:

-------------- | | -------------

Topic: Craft

Flash Editing

Presenter: Ali Cross


About the presenter:

Video Link:


resource links:

-------------- | | -------------

Topic: Break and Q&A

Presenter: HOST


About the presenter:

Video Link:


resource links:

-------------- | | -------------

Topic: General

Humor in Writing

Presenter: Shelly Brown


Learn techniques to bring humor and liveliness to your manuscript.

About the presenter:

Video Link:

Mustaches for Maddie

resource links:

-------------- | | -------------

Topic: Short stories

Short Stories

Presenter: John M. Olsen


Learn about various types of short stories, markets for short stories, and going through the editing process.

About the presenter:

John M. Olsen reads and writes fantasy, science-fiction, steampunk, and horror as the mood strikes, and his short fiction is part of several anthologies. He devoured his father’s library in his teen years and has since inherited that formidable collection and merged it with his own growing library in order to pass a love of learning on to the next generation.
He loves to create things, whether writing novels or short stories or working in his secret lair equipped with dangerous power tools. In either case, he applies engineering principles and processes to the task at hand, often in unpredictable ways.
He lives near the Oquirrh Mountains in Utah with his lovely wife and a variable number of mostly grown children and a constantly changing subset of extended family.
Video Link:

Crystal King

Some of my shorts in anthologies:
Protector of Newington (Storyhack Issue 1)
The Lure of Riches (Unbound, Clarion Call Volume 3)
Time to Think (Apocalypse Utah)

resource links:

-------------- | | -------------

Topic: Story Structure

Structure: the creation of a story skeleton

Presenter: C. Michelle Jefferies


Learn how to create a base structure for your story. Whether you outline or pants it, this structure is for you. Giving you the freedom of both a direction to go and opportunity for the story and characters to change.

About the presenter:

C. Michelle Jefferies is a writer who believes that the way to examine our souls is to explore the deep and dark as well as the shallow. To manipulate words in a way that makes a person think and maybe even second guess. Her worlds include suspense, urban fantasy, and an occasional twist of steampunk. When she is not writing, she can be found on the yoga mat, hand binding journals, dyeing cloth, and serving ginger tea. The author and creator divides her time between stories, projects, and mothering four of her seven children on the wild and windy plains of Wyoming.
Video Link:

Emergence Walnut Springs,
Latent, Ascension, Interlude, Convergence, Catalyst, Story Structure and Master Chapter Outline Workbook Meraki Books. . . . .
I was a “Writer of the Year” nominee for the League of Utah Writers for 2013 and 2014.
My short story “Broken” took third place in the 2008 short story contest for Life the Universe and Everything a SF/F symposium/writer’s conference.
My first chapter for ENCHANTED ETIQUETTE took third place in the LDStorymakers first chapter contest in 2012.
I won a song writing contest and had my song made into a video, also for the LDStorymakers conference in 2012.
I won a publishing contract with TM Publishing in 2012 for my manuscript ENCHANTED ETIQUETTE.

resource links:

-------------- | | -------------

Topic: Beta Reading

Speed "Beta"ing

Presenter: Jenny Rabe


Critiquing others and receiving and applying critique is a learned behavior. As writers we need it, strive for it, yearn for it. So how do we make the process easier? How do we find that niche of writers that knows our writing well, kicks our butt with a critique, but still inspires to stretch beyond what we think we’re capable? This class focuses on the art of beta-reading, critiquing others, and receiving that proverbial red pen without shutting down. After a small explanation of the art of beta-reading, the majority of the class will be a fun, hands-on application of supporting other writers in their writing through speed “beta”ing with multiple critique partners. Since this will be done online, whoever is online will be matched up with a partner and share a page or two of their writing, then they will be encouraged to have separate chats about their critiques. Each round will focus on a different skill. Looking at dialogue, theme, pacing, strong beginnings, etc. We probably will only have 2-3 rounds in that time...but enough to start a good conversation of what beta reading should be

About the presenter:

Jenny is an honest-to-goodness southern girl at heart. Other than her love for her husband, two boys, and her feline, writing, ballroom dancing, and public speaking are some of her favorite pastimes. She's an avid across-the-state traveler and spends her spare time running a beta-reading group online and serving her fellow authors.
Video Link:

Playground Treasures

resource links:

-------------- | | -------------

Topic: Live Q&A With Shadow Mountain Editor Lisa Mangum

Presenter: Lisa Mangum


Enjoy a conversation with Lisa Mangum, experienced editor and writer of fantastic and magical books.

About the presenter:

Lisa Mangum has loved and worked with books ever since elementary school, when she volunteered at the school library during recess. Her first paying job was shelving books at the Sandy Library. She worked for five years at Waldenbooks while she attended the University of Utah, graduating with honors with a degree in English. An avid reader of all genres, she has worked in the publishing department for Deseret Book since 1997. Besides books, Lisa loves movies, sunsets, spending time with her family, trips to Disneyland, and vanilla ice cream topped with fresh raspberries. She lives in Taylorsville with her husband, Tracy.
Video Link:


resource links:

-------------- For Lisa Only | | -------------

Topic: ""

Presenter: Lisa Mangum


About the presenter:

Video Link:


resource links:

-------------- For Lisa Only | | -------------

Topic: Craft/Dialogue

Who Said That? Crafting Character Development Through Dialogue

Presenter: Michelle Pennington


This class will cover the role that dialogue plays in character development, with particular emphasis on applying the concepts taught during the editing process.

About the presenter:

Michelle Pennington spends her days quoting movies with her husband and making messes faster than her four kids. She writes clean young adult, contemporary, fantasy, and regency romance. The genre might change, but her characters will always be falling in love.
She spends her spare time, what little there is, making designer sugar cookies, singing loud in church, and killing way too many house plants.

Michelle is an active contributor in the LDS and Clean Fiction writing communities. She is blessed to have the support of her family and amazing friends on this crazy journey, as well as the constant company of the characters who live in her imagination.
Video Link: PENDING


resource links:

-------------- | | -------------

Topic: Unrealistic Storytelling Techniques

Satisfying Stories, Unrealistic Expectations

Presenter: Alana Howlett


Warning: Following the advice in this video may lead to reader dissatisfaction. Writer discretion is advised. This class talks about what factors play into reader expectations and how some of these expectations have become more malleable or rigid over time. Writers have been trained to reject some elements of realism over the value of the story--which, while the reader enjoys the story more, can also become detrimental to the reader's engagement with the real world. A writer might do well to attempt breaking writing conventions to see whether we are wrong about what the reader actually wants.

About the presenter:

Ali Cross is a USA TODAY bestselling author of science fiction and fantasy for both middle grade and young adult readers. She's long had a passion for passing her knowledge on to others which has afforded her many opportunities, including co-founding the world's first global online conference for independent authors.
Video Link:

Become (Desolation #1) 2013 Hollywood Book Festival Honorable Mention
2012 League of Utah Writers (Silver Quill)

Desolate (Desolation #2)

Destined (Desolation #3)

Desolation Diaries (Desolation #3.5)

Blood Crown

Frozen Souls

Jump Boys: SOS 2013 League of Utah Writers Silver Quill Winner

The Swift

Sigils and Spells: a Limited Edition Urban Fantasy Collection USA TODAY Bestselling title. (link currently unavailable due to Pronoun's closure)

resource links:

-------------- | | -------------

Topic: Writing/Professional Development

Wibbly-wobbly Timey-wimey: 8 Simple Strategies for Making Time to Write

Presenter: Bree Moore


Presentation of 8 strategies for finding and making time to write, focusing especially on those who have a job, are parents, etc. Includes: 1) Setting Goals 2) Getting Support (Friends, Family, etc.) 3) Get a Writing Buddy/Accountability 4) When you can't write, think about writing 5) Easy Access / Writing Tools 6) Develop your Skill 7) Finish SOMETHING 8) Embrace where you're at

About the presenter:

Bree Moore has been writing fantasy since the fourth grade. She lives in Ogden, is wife to an amazing husband, and the mother of four children. She writes fantasy novels between doling out cheerios and folding laundry.
"Woven" is Bree's first published novel, the start of what she intends to be an epic writing career.
In real-life, Bree works as a birth doula and midwife's assistant, attending women in pregnancy and labor, which is huge inspiration for her writing.
Video Link:

"Woven" by Bree Moore
Whitney Awards Nominee

resource links:

-------------- | | -------------

Topic: Marketing books using social media

Connecting the Dots: Using Social Media to Create a Web of Content for Marketing Books

Presenter: Julie L. Spencer


What is social media? (Facebook, Google, Google+, Pinterest, Twitter, YouTube, Instagram, Goodreads, Snapchat, Tumblr, Amazon author page, website, blog, mailing list.)
Why use social media? (Connect with the world)
Which is the best social media platform to use? (depends on your genre)
What is the most important thing to do for long-term book marketing? (Get people on your email list)
Why can’t you just use groups, lists, hashtags, followers, subscribers, BookBub, etc. (They own your customers, they can change the rules anytime they want to, remember MySpace?)
What is the difference between content marketing and advertising? (with content marketing, you own the information, you created your content, most of the ‘cost’ is related to your time. With advertising, you are paying a person or company to get your message out. Either one is fine. You need to decide which avenue is right for you. Usually the answer is: use both)
Which social media platforms should you use? (all of them)
Which is the first platform you need (website, blog, email, email funnel to drive traffic from other social media sites to yours)
How do you drive their traffic to your website and ultimately to your email list? (smart URLs, links, bridges between the content you create on other social media sites back to yours)
Insider tips and tricks for each social media platform. What to do, what not to do, how to create a foundation on which to build.
Demonstrations for each of the main platforms and where to go to find more information for each platform. (this will have a module for each social media platform and could take a while)
Affiliate marketing
How to think like Google (Search engine optimization, asking questions, smart titles and headings)
The words to use to make your content outshine your competition.
How to work with your competition to help both of you succeed more. (readers are voracious and no author can ever satisfy their readers. Find other writers like you and work together)
You must be in this for the long game. This is not a get-rich-quick scheme.
Where to find more information.

About the presenter:

Julie L. Spencer lives in the central Michigan area with her husband and teenage children. She has a very full life managing a conservation district office, writing grant proposals, newsletters, articles, and book reviews. Julie has been writing since she was in junior high, but prior to publishing her first novel, The Cove, her only published work was her master’s thesis. She loves to read and write New Adult Clean Contemporary fiction, is author of the Buxton Peak series, The Cove, The Man in the Yellow Jaguar, and has several more novels and non-fiction projects in the works.
Video Link:

Buxton Peak: The Early Years

Buxton Peak Book One: Who Is Ian Taylor?

Buxton Peak Book Two: Center Stage

Buxton Peak Book Three: The End of the Beginning

The Cove

The Man in the Yellow Jaguar

Buxton Peak: Silence from Nashville (featured in the Unspoken Words anthology)

The Phantom of the Chapel (featured in the Love Undefined anthology)

resource links:

-------------- | | -------------

Topic: Writing Craft

Adrenaline 101: Writing with Intensity

Presenter: Dan Allen


From the writing of blockbuster authors Orson Scott Card, Stephenie Meyer and James Patterson, learn the keys to writing with emotional intensity. From generating story momentum with backstory, foreshadowing, and character wants to creating tension with revelations in dialogue, this presentation teaches how to amplify the emotional response of readers to story action.

About the presenter:

After fifteen years in the lab designing lasers, nanoparticles and smartphone sensors, author Dan Allen roared onto the writing scene in 2017 with the fantasy epic Fall of the Dragon Prince. At home in the Rocky Mountains, Dan is CFO (chief fun officer) of his family and enjoys cosplay, escape rooms, game design, and general science mayhem. You can keep up with Dan’s latest fantasy and scifi on his website and send him random science questions.
Video Link:

YA Fantasy:
Fall of the Dragon Prince, Forgotten Heirs Book 1 (Jolly Fish Press), Feb 2017
Blade of Toran, Forgotten Heirs Book 2, Feb 2018
Arachnomancer, (Dragon Scales Publishing), Sept 2018
Middle Grade Fantasy:
Super Dungeon Explore: Dungeons of Arcadia (Future House Publishing), June 2018
Science in Fiction: Gravity, Nanotechnology and Relativity chapters, edited by Dan Koboldt (Writer's Digest) Fall 2018

resource links:

-------------- | | -------------

