{"@attributes":{"version":"2.0"},"channel":{"title":"utf9k","link":"https:\/\/utf9k.net\/","description":"You are online and logged on to my personal site","generator":"Hugo","language":"en-us","managingEditor":"marcus@utf9k.net (Marcus Crane)","webMaster":"marcus@utf9k.net (Marcus Crane)","item":[{"title":"The Slow Death of New Zealand Film Ratings","link":"https:\/\/utf9k.net\/blog\/slow-death-of-nz-film-ratings\/","description":"Going outside should be classified R18 if you ask me","pubDate":"Sat, 04 Apr 2026 00:50:00 +1300","author":"marcus@utf9k.net (Marcus Crane)","guid":"https:\/\/utf9k.net\/blog\/slow-death-of-nz-film-ratings","content":"

About a year ago, I found myself learning more about film ratings than I ever cared to. At the time, I posted a Bluesky thread<\/a> but I still think it’s a pretty fascinating bit of trivia so this is my attempt at a slightly more long-form version.<\/p>\n

Before we begin, you might wonder why film ratings of all things and I remember it quite clearly.<\/p>\n

At that time, I had been lying to myself that I would get back into running1<\/a><\/sup> so I put all of my gear on and then… I started procrastinating. FYI<\/a>’s OIA categorisation game<\/a> was my particular addiction at the time as I had set a Beeminder goal to categorise about 10 OIAs per day.2<\/a><\/sup><\/p>\n

On that particular day, the categorisation slot machine gave me this OIA<\/a> asking for ratings information on Final Fantasy XVI<\/a>, which I had been playing around that time as well. I gave the response a skim, not really knowing what I was looking at, and on Page 21<\/a> I spotted the words “Film & Video Labelling Body”.<\/p>\n

That name (or entity) wasn’t familiar to me but it seemed a little off that it sounded official. I had a look at the address on Google Maps<\/a> and… it’s some sort of industrial warehouse? What’s going on there?<\/p>\n

Before we solve that mystery, let’s explain what the Film & Video Labelling Body actually is.<\/p>\n

Who rates your films?<\/h2>\n

Whenever you see a piece of media, whether it’s a game, a movie or even on a streaming service, it almost always carries a rating.<\/p>\n

That rating almost usually looks like one of these<\/a> stickers which older readers will recognise from physical media like DVDs, game boxes and so on but with streaming, they’re less and less common. You may even spot them on movie posters, although I can’t say I’ve personally looked too hard.<\/p>\n

The Film & Video Labelling Body<\/a>, or FVLB for short, is the Labelling Body for New Zealand that actually issues these labels.<\/p>\n

Isn’t that what the Office of Film and Literature Classification<\/a> (OFLC) for, you might be thinking? I had assumed that too but the process is a lot more kafkaesque than you might imagine.<\/p>\n

When it comes to films specifically, they are all submitted to the FVLB first who follow the process outlined on page 2 of this document<\/a><\/p>\n

If the film is unrestricted (meaning G\/PG or M material), or it has already been rated before, then the FVLB provides a label for a small fee without further viewing.<\/p>\n

If the film has not been rated in either New Zealand, Australia or Britain but does not have restricted content, the Labelling Body Community Representatives (who work for the FVLB) view the film directly for a fee.<\/p>\n

If, however, the film has not been rated in New Zealand and contains restricted content, it will be passed on to the OFLC to be rated.<\/p>\n

When it comes to videogame, they are actually entirely exempt<\/a> from requiring labels unless they contain restricted content<\/a>. They’re still submitted to the FVLB but are then forwarded straight on to the OFLC.<\/p>\n

Things get a bit more confusing when you realise that the Film and Video Labelling Body happens to be the current labelling body<\/a> but technically could be replaced by some other entity entirely, if the Minister for Internal Affairs decided for whatever reason.<\/p>\n

The FVLB is an incorporated society<\/a> and they’ve been strugging since 2016 for a couple of reasons.3<\/a><\/sup><\/p>\n

The Decline of Ratings<\/h2>\n

There are two main issues that have impacted the FVLB over the years:<\/p>\n

    \n
  1. Declining sales of physical media<\/li>\n
  2. Commercial Video on Demand Providers (CVoD) or streaming platforms in other words.<\/li>\n<\/ol>\n

    Physical media is fairly straight forward. When labels are applied for, a fee is paid to the FVLB. The less DVDs and blurays there are to rate, the less fees there are due to the FVLB.<\/p>\n

    The second, and probably worse issue, are the various streaming platforms<\/a> (Netflix\/Disney+\/Amazon Prime Video etc).<\/p>\n

    In order to speed up their ability to import content, and to avoid flooding the FVLB\/OFLC, most streaming providers are allowed to perform their own self-rating of content<\/a>, which also means that the FVLB does not receive any fees. They do have to pay an annual levy to the OFLC<\/a> however.<\/p>\n

    With both of these things combined, not to mention the supposed never-ending death of cinemas, you do have to wonder where the FVLB is going to get its funding from.<\/p>\n

    Running out of money<\/h2>\n

    As part of this rabbit hole, I asked the Department of Internal Affairs<\/a> for documents about the financial health of the FVLB so we can actually tell the rest of the story in their words.<\/p>\n\n\n\n

    \n

    In October 2020, the FVLB advised, based on current and predicted costs, fee income and reserves would be sufficient to cover their operating costs for 2021, and potentially some of 2022. However, the FVLB’s financial situation has continued to deteriorate, and it has approached the Department for additional financial support.<\/p>\n\n <\/blockquote>\n\n\n\n

    \n

    The dramatic decline in physical media means the FVLB cannot generate enough fee income to cover its costs. Revenue from theatrical releases (which have been severely impacted by COVID-19) cannot cover the shortfall. The situation has been exacerbated by The Warehouse’s recent decision to stop selling DVDs and Blu-ray discs.<\/p>\n\n <\/blockquote>\n

    I can’t say I had realised that The Warehouse stopped selling DVDs or Blu-rays but it’s fascinating to think that doing so was slightly load-bearing for the FVLB’s survival.<\/p>\n

    While the Budget for 2020 declined to fund the FVLB, it was extended a grant to keep it afloat until a 2022 Budget bid could be entered.<\/p>\n

    Further down in that stack of documents, we can see a “Budget 2022 Initiative Summary”. On Section 2: Cost pressure information<\/a>, we get a fascinating glimpse at just how close New Zealand’s ratings system may have come to collapse.<\/p>\n

    Under “Cost pressure description”, we see:<\/p>\n\n\n\n

    \n

    The cost pressure is critical: the FVLB and its functions are critical to the operation of New Zealand\u2019s classification system. Its reserves are nearly exhausted, and if the Body becomes insolvent, there will be no mechanism to rate or label films, nor to submit films to the Office of Film and Literature Classification (the Classification Office) for classification.<\/p>\n\n <\/blockquote>\n

    and under “Case for funding”, we see:<\/p>\n\n\n\n

    \n

    Without the FVLB, the New Zealand classification system will be unable to function. Film importers and distributors will be unable to obtain the ratings, classifications and labels required to sell and screen movies legally. This will affect their revenue streams and have flow-on implications for cinemas and sellers of films and DVDs.<\/p>\n\n <\/blockquote>\n

    What’s the fix?<\/h2>\n

    A July 2021 memo titled “Film and Video Labelling Body funding” outlined<\/a> what the Department of Internal Affairs seemed to view as the only real option:<\/p>\n\n\n\n

    \n

    The transfer of the FVLB\u2019s functions to the OFLC would appear to be the only viable long-term solution to maintain the integrity of the classification system, including protecting minors from harmful content and providing guidance to parents<\/p>\n\n <\/blockquote>\n

    To my knowledge, this never passed the memo stage and the FVLB continued on as normal, being kept afloat with 3 installments<\/a> of $150,000\/year from the 2022 budget bid.<\/p>\n

    As part of that arrangement, the FVLB was required to provide<\/a> a financial report to the Department of Internal Affairs every 3 months up until the funding expired<\/a> on June 30th, 2025.<\/p>\n

    In a March 2025 cabinet paper<\/a>, it was suggested that perhaps the CVoD\/streaming style approach of self-labelling should just be extended across the board to include movies, DVDs and games.<\/p>\n\n\n\n

    \n

    I intend to review the arrangements for commercial content labelling under the Films, Videos, and Publications Classification Act 1993 (the Classification Act) as part of my 2025 work programme, which would consider extending the CVoD regulation approach to films for cinematic release, DVDs, and games. The levy would be reviewed as part of this work programme.<\/p>\n\n <\/blockquote>\n

    This would mean the death of the FVLB as we know but it seems that none of this has progressed in any meaningful capacity.<\/p>\n

    According to the latest annual return for the FVLB, it seems they’re still just barely trucking along, apparently with a new tranche of $150,000 grants from the government.<\/p>\n

    I suppose I’ll need to file another OIA to find out the latest installments in this very niche story.<\/p>\n

    \n
    \n
      \n
    1. \n

      By which I mean, I did some runs during covid but I have absolutely no stamina so I could never go more than a couple of kilometres. It’s really hard to pace yourself! ↩︎<\/a><\/p>\n<\/li>\n

    2. \n

      It’s a great way to learn stuff by skimming other people’s OIAs, and the underlying idea was to get inspiration on what novel things I could ask for. ↩︎<\/a><\/p>\n<\/li>\n

    3. \n

      You can view their financial statements on the Charities Register<\/a> but it’s also mentioned here on Page 2<\/a>: “The FVLB advised it has been recording deficits since 2016.” ↩︎<\/a><\/p>\n<\/li>\n<\/ol>\n<\/div>\n"},{"title":"Blogging with Obsidian Headless","link":"https:\/\/utf9k.net\/blog\/obsidian-headless\/","description":"Now I can write blog posts in bed","pubDate":"Sun, 01 Mar 2026 09:55:00 +1300","author":"marcus@utf9k.net (Marcus Crane)","guid":"https:\/\/utf9k.net\/blog\/obsidian-headless","content":"

      I woke up a nice surprise yesterday in the form of obsidian-headless<\/a>1<\/a><\/sup> releasing as an open beta.<\/p>\n

      To be clear, this isn’t to be confused with the also-recently released Obsidian CLI<\/a> which is for controlling the Obsidian desktop app.<\/p>\n

      obsidian-headless<\/code> is a headless client for Obsidian Sync<\/a> which allows both downloading and uploading files without the need to have the desktop app installed.<\/p>\n

      This is pretty great for a few use cases but I’m especially interested in using it for publishing to my website, as well as for continuously backing up<\/a> my vault.<\/p>\n

      For today, we’ll just look at the former use case. I know it works because this very post you’re reading was written and published on my phone without leaving Obsidian’s mobile app!<\/p>\n

      Headless Considerations<\/h2>\n

      Before we go into how publishing can work, there are a few things you should keep in mind.<\/p>\n

      Open Beta<\/h3>\n

      The first is that obsidian-headless<\/code> is only a few days old!<\/p>\n

      While some sync issues should be fixed now<\/a>, there may be other issues waiting to pop up so consider whether you want to wait for a more stable release.<\/p>\n

      The information in this post is almost guaranteed to be pretty quickly out of date as well, so you should defer to the official documentation<\/a> first.<\/p>\n

      Sync Footguns<\/h3>\n

      At the time of writing, sync is two-way with the default being to read and write.<\/p>\n

      This should be fine inside of CI pipelines, given you’ll be using a fresh setup each time but I already managed to footgun myself into deleting part of my vault through state shenanigans on my local machine.<\/p>\n

      I’ve suggested the addition of a read\/pull only mode as a result.<\/p>\n

      Vault Size<\/h3>\n

      At the moment, there is no capability to sync part of a vault.<\/p>\n

      You have to sync your entire vault or nothing. This will just be because the tool is at such an early stage.<\/p>\n

      Having said that, if you have an end-to-end encryption (E2EE) vault like I do, partial syncing would be technically impossible. Selectively choosing files based on filenames or metadata implies being able to read file contents and the Obsidian team wouldn’t be able to do this if you have an E2EE vault. This is a good thing!<\/p>\n

      I suppose it could be possible if the client just silently discarded everything you didn’t select locally and maybe it could be possible for the standard (non-E2EE type) but I’m not sure that the sync backend actually supports such a thing.<\/p>\n

      With all of this in mind, you’ll want to consider how long it will take to perform a full sync within a CI pipeline. Given that CI is generally stateless, this may take many minutes to do a fresh sync!<\/p>\n

      There are options such as caching but without a read\/pull only mode, I would be a bit wary of caching obsidian-headless<\/code>’s sqlite file (used to track state), only to accidentally push deletes up to your vault if a file were to somehow not cache properly.<\/p>\n

      The way I worked around this is I made a second vault called Writing<\/code> which just contains files for my blog.<\/p>\n

      It uses Standard encryption over E2EE as all of the files inside are intended for publishing online anyway but I generally recommend E2EE for anything else.<\/p>\n

      There are additional benefits such as having a minimal set of plugins, a minimal number of tags\/autocomplete fields to keep track of and it also supports the Obsidian team in exchange for a slightly bigger sync plan.<\/p>\n

      This brings me to the next point which is also an important footgun.<\/p>\n

      Vault Metadata<\/h3>\n

      You may be tempted to store your website in a subfolder of your vault and publish it that way, but it’s important to remember that all<\/strong> files are synced via obsidian-headless<\/code>.<\/p>\n

      If I were to sync my entire vault in the Github Actions pipeline<\/a> for this blog, the filenames for all of my personal files logged out, even though they ultimately get discarded.<\/p>\n

      Again, this tool is so early days that this may not be an issue soon but it’s worth mentioning for anyone experimenting.<\/p>\n

      It’s mainly for this reason that I opted for a second vault.<\/p>\n

      Sync Setup<\/h2>\n

      As mentioned earlier, this blog post was entirely written on my phone in one sitting to prove that this setup can work.2<\/a><\/sup><\/p>\n

      The way it works is that I have this pipeline<\/a> which only has the trigger type of workflow_dispatch<\/a>. That means it only runs if I explicitly trigger it, either by clicking a button in the UI or by hitting an API endpoint.<\/p>\n

      I had initially imagined a scheduled sync job but there is still a world where I would want to edit files via Git. The last thing you would want is to push a change via Git, only to have a slightly outdated Obsidian file push over the top of it again, so having an explicitly triggered workflow is the way to go I think.<\/p>\n

      Rather than try to resolve conflicts, I’ve opted to make this vault the source of truth so the pipeline can just delete whatever files are in Git, stage the files synced from Obsidian and then commit any differences.<\/p>\n

      If there are no differences to be found, you just get a no-op which works well enough.<\/p>\n

      Triggering this workflow manually every time would get boring fast so I “automatically programmed<\/a>” a plugin to handle it.<\/p>\n

      It adds a ribbon button with a status icon and clicking it triggers a new CI job. The status is displayed on the button and then eventually it displays a pass, fail or no-op icon.<\/p>\n

      It works well on mobile too which is how I published this very post!<\/p>\n

      Once the Github Actions pipeline commits any changes, that triggers my main deployment pipeline<\/a> which does a bunch of other stuff but all of that is an exercise left for the reader.<\/p>\n

      \n
      \n
        \n
      1. \n

        Not be confused with the also-recently released Obsidian CLI<\/a>! ↩︎<\/a><\/p>\n<\/li>\n

      2. \n

        I did make some slight edits shortly after on my desktop but they were written and published entirely within the Obsidian desktop app. ↩︎<\/a><\/p>\n<\/li>\n<\/ol>\n<\/div>\n"},{"title":"Another recap of the ManageMyHealth data breach so far","link":"https:\/\/utf9k.net\/blog\/another-managemyhealth-data-breach-recap\/","description":"The media cycle is mostly over now so it's probably a good time to take stock","pubDate":"Mon, 02 Feb 2026 23:20:00 +1300","author":"marcus@utf9k.net (Marcus Crane)","guid":"https:\/\/utf9k.net\/blog\/another-managemyhealth-data-breach-recap","content":"\n\n\n

        \n

        \n \n Disclaimer\n \n <\/p>\n

        As with my previous post<\/a>, I have no special insight or behind-the-scenes knowledge of the ManageMyHealth breach, nor am I affiliated with any of the entities that assisted in the breach investigation. While I’ve strived to be as accurate as I can be, I’m neither a reporter nor a cybersecurity professional by day. As always, carry out your own due diligence when trusting strangers on the internet.<\/p>\n <\/blockquote>\n

        It feels weird to think that my previous post<\/a> was just under a month ago because so much wacky stuff happened as a result, with the most important being that I learned a lot of new things!<\/p>\n

        For those who were only familiar with that earlier post, I had been keeping tabs on this whole saga over on Bluesky<\/a> (and still am!).<\/p>\n

        There are still a few loose threads that I haven’t seen anyone dig into, and I think they’re important to capture in a more permanent medium than Bluesky posts, but first we’ll do a quick recap of the events since the first post.<\/p>\n

        Recapping from January 4th<\/h2>\n

        Deadlines came and went<\/h3>\n

        At the time that I published my previous post, two1<\/a><\/sup> sets of breach samples had been published and the original deadline of January 16th was still looming.<\/p>\n

        By the morning of January 4th<\/a>, Kazu had announced in their Telegram channel that the ransom deadline was brought forward by 48 hours. They also included an FAQ<\/a> detailing their reasons for bringing forward the deadline.<\/p>\n

        \n \n \"\"\n <\/a>\n \n
        Kazu announces that they will 'leak everything' if the ransom is not paid within the next 48 hours<\/figcaption>\n<\/figure>\n<\/p>\n

        Going off of the timestamp of the deadline message, the exact time should have been 5:37am on January 6th, only for it to come and go with no explanation from either Kazu or ManageMyHealth.<\/p>\n

        Later on that same day, Kazu confirmed to The Post<\/a> that there was a new round of negotiations. I was able to clarify that there was a new deadline of 5am on January 9th.<\/p>\n

        \n \n \"\"\n <\/a>\n \n
        Kazu clarifies that the new deadline is Friday January 9th at 5am New Zealand time<\/figcaption>\n<\/figure>\n<\/p>\n

        January 9th also came and went with no acknowledgement of the deadline from either side.<\/p>\n

        It was around the afternoon of January 6th that Kazu also stopped responding to me except for a single “lol” the following day.<\/p>\n

        We’ll come back to this mystery later on.<\/p>\n

        Formal investigations were announced<\/h3>\n

        On Monday January 5th, Simeon Brown announced<\/a> that he had commissioned the Ministry of Health to conduct a review into both ManageMyHealth and Te Whatu Ora’s response to the breach.<\/p>\n

        By Wednesday January 21st, the Privacy Commissioner had also announced<\/a> that he would be carrying out his own investigation regarding the privacy aspects of how ManageMyHealth had been operating, such as what sort of contractual arrangements were in place for data sharing, and whether they were in compliance with the Privacy Act.<\/p>\n

        Since then, the Ministry of Health<\/a> and the Privacy Commissioner<\/a> have both shared the Terms of Reference for their investigations, which is a fancy way of capturing what they will (and won’t) be looking into.<\/p>\n

        Both investigations are expected to produce something resembling a final report by April 30th, with the technical assurance part of the Ministry’s review due on February 28th.<\/p>\n

        If you’re interested in this stuff, I recommend reading the Terms of Reference as they’re only a few pages and make for fairly accessible reading. They are still technical in nature so some parts might be a bit confusing to non-technical folk.<\/p>\n

        ManageMyHealth were granted an injunction<\/h3>\n

        A press release<\/a> from ManageMyHealth on January 6th announced that they had obtained injunction orders from the High Court, but as a relative layman, I found this all very confusing at the time so it’s worth breaking down.<\/p>\n

        An injunction is basically a court order telling someone to either do something, or to stop doing something.<\/p>\n

        The judge’s decision<\/a>2<\/a><\/sup> contains the text of the injunction on pages 9 and 10 but ManageMyHealth then need to get a “sealed order” which is a fancy way of saying a copy that is stamped with the official seal of the High Court<\/a>.<\/p>\n

        Personally, the term “sealed order” made me think they were referring to some sort of secret court order that was not available to the public. That would be silly of course because then how would you know what you’re meant to be doing (or not doing).<\/p>\n

        As far as using the sealed order, a lawyer3<\/a><\/sup> will then present the order to whoever it applies to, usually in the form of a PDF sent via email. If you read the injunction, it applies to “Unknown Defendants” so it can be presented to anyone suspected of holding data from the breach. Understandably, it’d be extremely difficult to have a complete list of who obtained a copy of the sample data at the time of filing.<\/p>\n

        I suppose most journalism outlets know this stuff, or at least their lawyers do, but I imagine some number of non-press people are reading their press releases so it would have been nice for their PR people to elaborate on what this stuff means for the average layperson.<\/p>\n

        Breach notifications started rolling out<\/h3>\n

        When a privacy breach occurs, Part 6 of the Privacy Act 2020<\/a> kicks in depending on the scope of the incident.<\/p>\n

        Specifically, a “notifiable privacy breach” is defined as:<\/p>\n\n\n\n

        \n

        [..] a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so<\/p>\n

        – Part 6 Section 112 (1) (a) of the Privacy Act 2020<\/p>\n\n <\/blockquote>\n

        Given that over 100,000 New Zealanders had medical records caught up in this breach, it definitely meets the criteria for “notifiable”.<\/p>\n

        There are a bunch of things that an affected “agency” (ManageMyHealth) has to do, such as notifying the Office of the Privacy Commissioner<\/a> but most importantly, they have to notify every single person affected.<\/p>\n

        This isn’t always possible at first so Section 115 allows for giving a public notice as a temporary measure while they sort out who exactly needs to be notified, and for the first week or two we were in that “public notice” phase.<\/p>\n

        At the time of writing, we still have not reached 100% of individuals notified and progress seems to have crawled to a snail’s pace with increasingly vague wording.<\/p>\n

        Here’s a quick list of the various wording that I’ve seen:<\/p>\n