Book Club 2025: Stone & Sky by Ben Aaronovitch

I’ve noticed that when authors run out of ideas, their books paradoxically tend to become longer. Not that the length is in itself a sign — sometimes the author is on a roll and just can’t stop writing. This is not one of those books — it really feels like Aaronovitch is idly typing, typing, typing away in the hope that finally he’ll get an idea for the book.

I first happened upon Aaronovitch’s books when I had a cold back in 2022, and I just wanted something easy on the brain to read, and his books certainly delivered — I gulped down eight books of his over a few weeks. This book is more of the same, but it’s just so listless.

Aaronovitch’s books seemed from the start to be based on looking at what the market was clamouring for, so we ended up with a Harry Potter/police procedural thing, and the surprising thing was that it worked. I wonder if the sales are flagging, because in this book Aaronovitch seems to be side-eyeing the lucrative YA romantasy market, and tries to shoehorn that into the series, too. It doesn’t really work.

Like most books this far into a series, it gets an absurdly high Goodreads score (because by this time, there are only die-hard fans left reading). But this highly rated review pretty much sums up my feelings about this book:

The book finally starts for real after 200 pages, and I wish I could say that the rest is a rollicking fun adventure, but it’s kinda not. But it’s pretty OK from that point on.

One thing before I go:

Aaronovitch tries really hard to be witty, and sometimes he is. But it mostly takes the form of using impenetrable police jargon, and worse, youthful West Indian slang like the kids use today. So above we have a teenage girl describing being attacked by a wyvern (it’s like a dragon, but has two legs), and this is set in 2025.

Yes, it’s exactly this:

And:

Even I know that it’s gyaldem — it’s already plural, so gyaldems is like writing womenses. (This particular word stuck out for me because I bought a rather spiffy compilation from Soul Jazz Records a few days ago that’s called Queen Dem, so I looked it up… “dem” is of course “them”, but is used as a general pluralisation, as far as I can tell — “man dem”, etc.)

I have absolutely no idea why I randomly included a picture of the writer here! It surely has no relation to what I was just writing above! At all!

Stone & Sky (2025) by Ben Aaronovitch (buy new, 4.25 on Goodreads)

Don’t upload secret files to WordPress

I mean, that’s just common sense, so why even mention it?

Because of ?p=, which I think most people who use WordPress aren’t aware of. This mechanism allows anyone to trivially download any media files you upload to WordPress, even without knowing the names of the files.

To backtrack a bit before going into the details of this problem (or “problem”): Yes, yes, you should never upload something secret to the Internet. And especially not to a place that’s publicly downloadable. But we all do it, right? When we want to send a big file to somebody (especially a (small) group of people), we just bang it on a web server somewhere and then send the URL to the people concerned. This is “safe-ish”, because nobody else knows the URL, right? And besides, we’re going to delete the file after a while anyway. Except when we forget.

Personally, I do this all the time with stuff — I mean, funny screenshots, jokes, pics — I bang them onto my WordPress and then share the URL in limited venues (irc, mail, whatever). Of course, nothing here is “secret” secret, but on the other hand, in these days when giving a milquetoast opinion like “I think killing children is bad” can get you landed on a terrorist list, you may prefer to be a bit more careful with this sort of thing.

So here’s the problem: Say I took a pic of my bookcase and put it on https://lars.ingebrigtsen.no/wp-content/uploads/2017/09/p1340399.jpg, and then mailed somebody the URL, and they were mildly impressed and then forgot about it. Nobody else will ever see it. But did you know that you can access (most) WordPress media items via URLs like https://lars.ingebrigtsen.no/?p=43041? No?

If a nefarious institution is interested in getting info on the general WordPress populace (*cough* Palantir *cough*), they can just loop through all those ?p= numbers (on every WordPress site in the world), starting from zero and going up to however many items have been put into the media library, and collect unedited versions of images or videos, for instance.

Now, if somebody were to target you especially, there are, of course, other methods:

Media file names tend to be pretty regular, so you can just try a lot of URLs like https://lars.ingebrigtsen.no/wp-content/uploads/2025/07/DSC02869.jpg and you’ll probably find something. But a targeted thing like this is impractical for most purposes, while a general ?p= sweep could feed a general “sentiment” analysis that I bet sounds very attractive to some organisations.

But the ?p= thing is, of course, also super useful if you’re doing a targeted sploit — you can find (for instance) all PDFs an org has uploaded to their WordPress (along with all the cat pictures) without much work. The fun thing about ?p= is that you just loop through the numbers sequentially, and then you get everything, no matter what the media type is.

As far as I can tell, there’s no way to disable the ?p= thing without breaking other functionality:

After digging around in the WordPress source code, this seems to be the relevant code. Following the code afterwards, there doesn’t seem to be any way to mark a media item as “unavailable” — the closest you can get is to attach the item to an unpublished post, and then the ?p= will lead you to a 404 page instead of the image. If you have the direct URL to the item, you can always see it, as far as I can tell, but then we’re over in “find out the URL” land again, which isn’t as interesting.

So what I’ve done is to write a snippet for ewp to find all unattached files, and then include them all in a draft post, thereby making ?p= stop working for them. If this sounds really clumsy and awkward to you, then you’re totally right.
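If you want to see the exposed set on your own site, here is an added example that is not the ewp snippet from the post: a PHP file run inside the site with WP-CLI (wp eval-file; the file name is an assumption, every function called is WordPress core). It lists unattached attachments, which core treats as publicly viewable because an attachment with no parent reports the status “publish”, and prints the ID-based and direct URL for each. Attachments that a published post links to are reachable the same way, but those are already public through the post.

```php
<?php
// Added example, not the post's ewp snippet: list the media items that
// WordPress will hand out by numeric ID. Run it inside the site with WP-CLI:
//   wp eval-file list-exposed-media.php
// Every function called is WordPress core; the file name is an assumption.

/**
 * Unattached attachments, with the URL forms that reach them.
 *
 * Attachments carry post_status 'inherit'; post_parent 0 means "unattached":
 * no post links to the file, yet ?p=ID still resolves to it.
 */
function list_exposed_media(): array {
    $ids = get_posts( array(
        'post_type'   => 'attachment',
        'post_status' => 'inherit',
        'post_parent' => 0,
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );

    $rows = array();
    foreach ( $ids as $id ) {
        // get_post_status() maps an unattached attachment's 'inherit' to
        // 'publish', so core's own viewability check answers yes for these.
        // Anything it rejects is skipped; that is the set core already hides.
        if ( ! is_post_publicly_viewable( $id ) ) {
            continue;
        }
        $rows[] = array(
            'id'     => $id,
            'mime'   => get_post_mime_type( $id ),
            'by_id'  => home_url( '/?p=' . $id ),
            'direct' => wp_get_attachment_url( $id ),
        );
    }
    return $rows;
}

$exposed = list_exposed_media();
printf( "%d unattached media items reachable via ?p=ID\n", count( $exposed ) );
foreach ( $exposed as $row ) {
    printf( "%6d  %-24s  %s  ->  %s\n",
        $row['id'], $row['mime'], $row['by_id'], $row['direct'] );
}
```

Anything this prints is a file that a sequential ?p= sweep will find; the direct URL column is what the sweep ends up with.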

What I wish WordPress would do is to 1) make the ?p= an option — especially for unlinked media items — and 2) default it to “don’t do that” for all installations. And then the few people who want this surprising behaviour can switch it on.

This is more important now than ever, when there are vast resources that can ingest all this “hidden” data and process it in an efficient manner (using AI or not) — and especially since WordPress apparently powers a sizeable portion of the Internet.

If you want to disable this manually, something like the following seems to work:

function custom_is_post_type_viewable( $is_viewable, $post_type ) {
  // $post_type is a WP_Post_Type object. Refuse only attachments that are
  // being looked up by numeric ID, i.e. ?p=ID or ?page_id=ID.
  if ( $post_type->name === 'attachment' &&
       ( ! empty( $_GET['page_id'] ) || ! empty( $_GET['p'] ) ) )
    return false;
  return $is_viewable;
}
add_filter( 'is_post_type_viewable', 'custom_is_post_type_viewable', 10, 2 );

It’s pretty gross, though: it hooks the very general filter that says whether a post type is viewable at all, and in there tests whether the post type is an attachment and whether a ?p= is present (or ?page_id=, which core resolves the same way). Note that it only looks at p and page_id, while WordPress also accepts ?attachment_id=ID as a public query variable, and the snippet does not check that one.

This disables ?p= for all attachments, not just the unattached ones (the ones no published post links to), so it’s really not quite what one wants.
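A version that leaves linked media alone and also covers ?attachment_id=, as an added example that is not the post’s snippet: a must-use plugin (drop it into wp-content/mu-plugins/; the file name and the hum_ prefix are assumptions) that, instead of filtering is_post_type_viewable, hooks template_redirect one priority ahead of core’s redirect_canonical(), the function that turns ?p=ID into a redirect to the attachment’s permalink. It reads the three ID query variables core accepts there (p, page_id and attachment_id) and answers 404 only when the ID belongs to an attachment with no publicly viewable parent post and the visitor cannot edit it.

```php
<?php
/**
 * Plugin Name: Hide unattached media from ID lookups
 * Description: Added example, not the post's own snippet. Answers 404 when
 *              ?p=, ?page_id= or ?attachment_id= names an attachment that no
 *              public post links to. Drop into wp-content/mu-plugins/.
 */

// True when the attachment should stay reachable by numeric ID: it hangs off
// a post that is itself publicly viewable, so hiding it gains nothing.
function hum_attachment_has_public_parent( WP_Post $attachment ): bool {
    return $attachment->post_parent > 0
        && is_post_publicly_viewable( $attachment->post_parent );
}

// The ID requested by query variable, or 0. These are the three public query
// variables core resolves to a post before redirecting to its permalink.
function hum_requested_id(): int {
    return max(
        (int) get_query_var( 'p' ),
        (int) get_query_var( 'page_id' ),
        (int) get_query_var( 'attachment_id' )
    );
}

function hum_block_id_lookup(): void {
    $id = hum_requested_id();
    if ( 0 === $id ) {
        return;                                // not an ID-based request
    }
    $post = get_post( $id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return;                                // ordinary post or page: untouched
    }
    if ( hum_attachment_has_public_parent( $post ) ) {
        return;                                // already public through its parent
    }
    if ( current_user_can( 'edit_post', $id ) ) {
        return;                                // editors keep the shortcut
    }
    // Serve a plain 404. Exiting here keeps redirect_canonical(), which core
    // runs later on this same hook, from turning the ID into a permalink.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    $template = get_404_template();
    if ( $template ) {
        include $template;
    }
    exit;
}
// Priority 9: core hooks redirect_canonical() on template_redirect at 10.
add_action( 'template_redirect', 'hum_block_id_lookup', 9 );
```

Attachments linked from a published post stay reachable by ID, which matches the wish above to turn this off for unlinked items in particular; make hum_attachment_has_public_parent() return false to get the blanket behaviour of the snippet instead. Direct file URLs under wp-content/uploads/ are served by the web server without WordPress running, so no PHP hook can touch them.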

TSP2022: Pinocchio

OK, here we go with the final movie in this year’s Tilda Swinton Project refresh. I got this Criterion bluray only today…

WHAT THE FUCK!? Netflix!? Oh god.

But there’ll be practical puppets then, I guess?

Hm, this looks really odd. Everything has a woodey look (that’s a word), but it seems to stretch and move a bit… Is it CGI?

Yeah, this looks kinda horrifying.

If this is practical puppeteering, I have no idea how they’ve done this. But if it’s CGI, the low frame rate just kinda feels dishonest…

I’m gonna have to google this.

Hm:

Moving Picture Company worked on the visual effects, with Bot VFX and Mist VFX. Digital effects, like rain, snow, fire, explosions and water, were made to look like practical effects instead of real, to make them fit with the rest of the stop motion-world.

So it’s mostly practical. Impressive.

Ah, Swinton does the angel’s voice.

Well, that’s horrifying.

Oh, and it’s a musical? I’ve heard much worse musical songs…

These puppet designs are fantastic. And the animation, too.

If I remember correctly, the Disney Pinocchio took a lot longer to get started, so to speak — the first half is just fun stuff around the house? And that was the best part of the movie.

The plot part of this version seems better executed.

OK, this bit wasn’t in the Disney version, I think?

Heh heh.

Yeah, CGI water still isn’t a solved problem.

I don’t quite know how to roll the dice on this one. It’s a technical achievement, and the voice actors are good, and even the songs are pretty on point. (The CGI elements and the sometimes awkward compositing of elements not so much.) The plot makes a whole lot more sense than in the Disney version.

But I was mostly bored while watching this. (Except the last sequence, which worked very well on all levels.)

Would a twelve-year-old like this movie? Perhaps? The pacing may work well for them? On the other hand, aren’t all children hyperactive these days?

Pinocchio. Guillermo del Toro and Mark Gustafsson. 2022.

This TSP catchup has been a lot more movies than most years, so Swinton has gotten a lot more roles the past few years than normal? Many of them have been voice-over parts, though. But as usual with Swinton, she keeps picking “interesting” projects — some are big budget things, some are no budget things, but they’re all somewhat out of the norm. (And some suck, but most are pretty good.)

So I guess it’s been a good catchup this time around? I guess I’ll do another in a couple years time.

This post is part of The Tilda Swinton Project.

Oh, there’s a “making of” on this bluray, of course. And it makes things less impressive, because they show how much they relied on painting out things in CGI afterwards.

Yeah, it’s a lot of greenscreen animation and compositing — which is what it looks like.