e-Voting: Wired has an absolutely mind-numbing list of issues with the security of Diebold voting machine procedures, including passwords printed in manuals which the staff can take home, that same password being reused for multiple systems including the on-site machines at polling stations, tamper-resistance measures being omitted, poll supervisors hired without background checks, bicycle locks being used to secure voting machines, one shared key used to ‘secure’ the memory cards, etc.
Life: so myself and C took a one-night-only trip up to Idyllwild this weekend, hiking up to that rock formation and camping overnight. Great fun.
Software: A big-contract software dev horror story from the University of Cambridge. KPMG and Oracle come out of it with a lot of egg on their face. (found on Simon Cozens’ blog).
Linux: so it seems one of the GNOME guys wants to rewrite the rc.d boot script system in Python. Eek!
Comedy: some Spinal Tap snippets:
Astronomy:
APOD: A Daytime Fireball Over South Wales. Great picture of a fireball disintegrating in the daytime sky.
I saw a similar daytime fireball streak through the sky when I was in Fraser Island in Australia last year; a little bit smaller than this one, mind you ;) Unfortunately, I didn’t get a picture in time. Very cool though!
Spam: A nasty new development — spammers are now exploiting closed relays to send spam, by brute-force attacking their SMTP AUTH interfaces. SMTP AUTH is a system used to allow legitimate mail server users to send outgoing mail securely, by authenticating them first. ( sample documentation here.)
This ROKSO file indicates one spammer’s modus operandi:
These relays were abused using SMTP AUTH. That is, the spammer supplied a valid username/password pair to the server, was authenticated, and therefore granted permission to send mail anywhere. Such attacks are therefore successful only when weak passwords are used. This spamhaus constantly scans the net to find abusable servers to use in subsequent spam runs. All brands of servers (sendmail, exchange, mdaemon, rockcliffe, etc) are equally targeted, as long as they support SMTP AUTH. The attacker tries several username/password pairs – such as with ‘admin/admin’ – following a certain pattern and hoping to find a combination that lets him in.
An analysis done in july 2003 has shown that a total of 276 combinations are attempted (of course new ones can have been added in the meanwhile): Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc each with the following passwords: username, username12, username123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&* as well as with a blank password.
MDaemon users beware! The account creation tool of recent versions of MDaemon defaults the password to the account name. If the default is accepted, the account will be open to be exploited by this spamhaus.
Incredible. There’s no way at the SMTP/IP level to tell that this relay was compromised; blacklisting will definitely cause collateral damage in response; so content analysis is pretty much necessary, as far as I can see.
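The credential pattern quoted above is small enough to reproduce exactly, so here is an added example (my own code, not from the ROKSO file, the page, or any mail server vendor) in C that rebuilds the 276 username/password pairs from the two quoted lists and audits a constructed set of accounts against them. The function and struct names (smtp_auth_targeted, audit_accounts, struct account) and the sample accounts are my own; the sample includes the MDaemon default case, where the password equals the account name. Running it answers the practical question: would any mailbox on your server fall to this one scan?

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The 12 usernames quoted from the ROKSO file. */
static const char *const USERNAMES[] = {
    "webmaster", "admin", "root", "test", "master", "web", "www",
    "administrator", "backup", "server", "data", "abc"
};
#define NUSERS (sizeof USERNAMES / sizeof USERNAMES[0])

/* The fixed passwords quoted from the ROKSO file; "" is the blank password.
 * The three username-derived forms (username, username12, username123)
 * are generated per user in smtp_auth_targeted(). */
static const char *const FIXED_PASSWORDS[] = {
    "1", "111", "123", "1234", "12345", "123456", "1234567", "12345678",
    "654321", "54321", "00000000", "88888888", "admin", "root", "pass",
    "passwd", "password", "super", "!@#$%^&*", ""
};
#define NFIXED (sizeof FIXED_PASSWORDS / sizeof FIXED_PASSWORDS[0])

/* Size of the dictionary the pattern expands to: 12 users x 23 passwords. */
size_t smtp_auth_pair_count(void)
{
    return NUSERS * (NFIXED + 3);
}

/* Returns 1 if the spammer's scan would try exactly this pair, else 0. */
int smtp_auth_targeted(const char *user, const char *pass)
{
    static const char *const suffixes[] = { "", "12", "123" };
    char derived[128];
    size_t i;
    int user_hit = 0;

    for (i = 0; i < NUSERS; i++)
        if (strcmp(user, USERNAMES[i]) == 0) {
            user_hit = 1;
            break;
        }
    if (!user_hit)
        return 0;   /* the scan never tries this username at all */

    /* username-derived passwords, e.g. admin, admin12, admin123 */
    for (i = 0; i < 3; i++) {
        snprintf(derived, sizeof derived, "%s%s", user, suffixes[i]);
        if (strcmp(pass, derived) == 0)
            return 1;
    }
    for (i = 0; i < NFIXED; i++)
        if (strcmp(pass, FIXED_PASSWORDS[i]) == 0)
            return 1;
    return 0;
}

struct account {
    const char *user;
    const char *pass;
};

/* Audits a list of accounts and returns how many the scan would break. */
size_t audit_accounts(const struct account *accts, size_t n)
{
    size_t i, weak = 0;

    for (i = 0; i < n; i++)
        if (smtp_auth_targeted(accts[i].user, accts[i].pass)) {
            printf("WEAK: %s (password would be guessed)\n", accts[i].user);
            weak++;
        }
    return weak;
}

int main(void)
{
    /* Constructed sample accounts (not real): the MDaemon default (password
     * equals the account name), a blank password, a keyboard walk, a strong
     * password on a targeted name, and a weak password on an untargeted name. */
    static const struct account sample[] = {
        { "webmaster", "webmaster" },
        { "backup",    "" },
        { "admin",     "!@#$%^&*" },
        { "admin",     "Tr0ub4dor&3" },
        { "alice",     "123456" },
    };
    size_t n = sizeof sample / sizeof sample[0];

    printf("scan dictionary: %zu username/password pairs\n",
           smtp_auth_pair_count());
    printf("%zu of %zu sample accounts would be broken\n",
           audit_accounts(sample, n), n);
    return 0;
}
```

Two caveats. The ROKSO analysis dates from July 2003 and says itself that new pairs may have been added since, so a clean audit against this list is a floor, not a ceiling; the sensible policy is to reject any password on the fixed list or derived from the username for every account, not just the twelve names. And because a successful login looks like a legitimate user at the SMTP level, the complementary control is on the server side: count AUTH failures per source address and throttle or block after a handful, so the 276 guesses cannot be run to completion.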
And in another worrying development: it turns out that the latest Outlook worm, W32.Swen, doesn’t bother trying to randomly generate usernames etc. or send via SMTP directly. Instead, it asks the user for their username, password and SMTP server!
Bruce Sterling: 10 Technologies That Deserve to Die. I can’t disagree with any of these, really — except for manned spaceflight — I’m not giving up on that one dammit! ;)
Very informative details of what happened with the NY power failure, from an insider at one of the nuke plants supplying power.
Hooray — my new Gamecube’s arrived!
Neal Stephenson’s new book upends geek chic — Paul Boutin, Slate. Three thousand pages?! Yeesh.
find-hidden-word-text – a command-line UNIX tool to ease the task of discovering hidden text in MS Word documents.
More specifically, it is an implementation of Method 2 from Simon Byers’ paper, Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in Published Documents.
In other words, it’ll display just the hidden text (if any exists) in Word docs. Go forth and discover accidental leaks!
So a few months ago, I setup a cookie-producing mailto honeypot page at foojlist.php.
Well, I just got the first bite — and it’s a live one. It’s our old friends at artprice.com. They’re a French spamhaus, operating from Saint-Romain-au-Mont-d’Or, France, and reports claim that it’s all the work of one guy — Thierry Ehrmann.
There’s lots of reports in USENET, and here’s their SBL listing, noting ‘extremely intense french spam source.’
This posting to NANAE notes that Colt France are not responding to complaints about them, either — but notes that ‘in France collecting e-mail addresses with the intention to send commercial mails without permission of the holders can be punished by law (article 226-18 of the Code Pe’nal – up to 5 years of prison or 300.000 euro)’. Interesting!
Full details of the spam, and the access_log entries from their web-scraper’s accesses, are attached.
Boing Boing links to a paper on the design of the Google Filesystem, Google’s in-house redundant-array-of-inexpensive-PCs cluster filesystem.
It’s very, very nice — and full of interesting tidbits about Google’s architecture.
- ‘the system must efficiently implement well-defined semantics for multiple clients that concurrently append to the same file. Our files are often used as producer-consumer queues or for many-way merging. Hundreds of producers, running one per machine, will concurrently append to a file. Atomicity with minimal synchronization overhead is essential. The file may be read later, or a consumer may be reading through the file simultaneously.’
- ‘The workloads also have many large, sequential writes that append data to files. Typical operation sizes are similar to those for reads. Once written, files are seldom modified again. Small writes at arbitrary positions in a file are supported but do not have to be efficient.’
A perfect example of traditional UNIX system design!
Ishkur’s Guide to Electronic Music v2.0, via MeFi.
Not bad at all! It actually has 2 Congo Natty tracks listed — even if it gets the name wrong for one of them ;) I’ll nitpick, though; the categories around drum and bass, ragga jungle, jungle, and breakbeat are a bit randomly-connected together; they didn’t really tie together that way at all IMO. And he randomly decided that hardcore should be renamed ‘breakcore’, created a new category for all that gabba shite, then called it hardcore. But hey… if you’re going to try to make some kind of sense out of it, you have to break some eggs, and never mind — there’s lots of nice samples!
BTW I can’t believe he lists Rob Hubbard’s theme music to Zoids in the Techno/VGM category. Has someone really released that?
And in passing, I should note, the description for ‘Not Trance’ under ‘Trance’ is spot on. As are many of the other recent trance/house-related categories. And, alright, some of the recent d’n’b categories too…
20 years ago tomorrow, on 27th September 1983, the GNU project was announced:
Free Unix!
Starting this Thanksgiving I am going to write a complete Unix-compatible software system called GNU (for Gnu’s Not Unix), and give it away free to everyone who can use it. Contributions of time, money, programs and equipment are greatly needed. ……
So that I can continue to use computers without violating my principles, I have decided to put together a sufficient body of free software so that I will be able to get along without any software that is not free.
Thanks to Ciaran O’Riordan for pointing this out!
Great news from the European Parliament — the good amendments have been passed and it looks a lot better. James Heald of FFII is quoted as saying ‘the directive text as amended by the European Parliament clearly excludes software patents. It hangs together incredibly cohesively.’
Congratulations to our MEPs who grasped the highly technical nuances of the issue, and voted the right way, and to the groups who advised them so well. No congrats to me who went on holidays just before this vote. ;)
Now, all that remains is to ensure that the Council of Ministers also do the right thing; unfortunately FFII note that ‘in the past, the Council of Ministers has left patent policy decisions to its patent policy working party, which consists of patent law experts who are also sitting on the administrative council of the European Patent Office (EPO). This group has been one of the most determined promoters of unlimited patentability, including program claims, in Europe.’ Not encouraging.
Meta: still catching up and getting through the jetlag…
Back from a great week-and-a-half in Ireland. Lots of fun (and Guinness) was had, Luke and Lean were successfully married, Ireland is officially the most beautiful country in the world, weather was amazing, got to meet up with virtually everyone, and I’m now back at the computer catching up.
Of course, some git has joe-jobbed both myself and a mailing list I’m on, so there’s thousands of bounce messages as a result and the server is slow as a wet week. Argh. But at least the SoBig onslaught has died down a bit.
Interestingly, I reported some spam to SpamCop a week or two before the joe-job. I wonder if the two really are connected — ie. report spam, and the spammers will decode the listwashing tokens from their mails, figure out your email address, and add you to their ‘enemies list’?
This is the first time I’ve reported spam to SpamCop in a long time, and the first joe-job I’ve been victim of. It seems like more than a coincidence, IMO.
I’m in Ireland for my friends’ wedding for the next week and a half, so blogging will be infrequent. ;)
In this article by Salam Pax, about how he got into weblogging, he says:
While the world was moving on to high-speed internet, we were being told it was overrated.
Heh, sounds like an Eircom quote ;)
Leni Riefenstahl dead at 101 (CNN). Riefenstahl’s Triumph of the Will, the 1934 Nazi propaganda film, is rightly famous — it’s technically excellent — but became a millstone around her neck for the rest of her life. To my mind, this lesson illustrates that an artist (or scientist) can never divorce the work one does from that work’s implications to society.
Music: 12-year-old sued for downloading music. ‘ ‘I got really scared. My stomach is all turning,’ Brianna said last night at the city Housing Authority apartment where she lives with her mom and her 9-year-old brother.’ Way to go, RIAA.
Spam: Paul Graham: a spam filter that fights back. Basically auto-spidering URLs found in spam messages as a form of anti-spam DDoS.
Just received a mail from a bunch called ‘microtution’, looking to write a collaborative political weblog. More details here.
But hold on there — this was an out-and-out spam, sent via an open proxy, using a spam tool, with faked headers, to a spamtrap address they scraped from one of my sites. Anyone considering helping out on this collaborative weblog might like to consider who they’re helping.
The mail was sent from 213.176.81.230, direct to my MX, from ‘Fredericka’ <promiseman@promiseman.com>, Subject ‘need help with political blog’.
Good interview with Samba’s Tridge. He explains where the penguin mascot came from — I never knew the linux penguin was in fact a fairy penguin! All those trips bringing visitors to Phillip Island while I was in Melbourne were not wasted then. ;)
Some time later Linus was looking for a mascot for Linux, and apparently the incident at the National Aquarium helped influence him towards choosing a penguin. If you go there now you will see a little plaque commemorating the fateful day when Linus caught ‘penguinitis’ from one of the fairy penguins in the enclosure (the 6ft one, of course).
ThisIsLondon: ‘David Blaine thought he was ready for anything. The US illusionist suspended in a glass box over London had prepared himself for 44 days of starvation, loneliness and boredom.
But there was one thing he had not planned for – Londoners.
… the prize for invention went to golfers who teed up with clubs on Tower Bridge and tried hitting the box with golf balls.’
So I’m back — I was up in Sunnyvale last week, on a work trip. Met up with Dan Kohn for the first time, which was great, and also had an impromptu SpamAssassin summit with Craig and Dan Quinlan — and got to meet the newest arrival in the Hughes family, the very cute Evan Alice.
I was hoping to meet up with a few more people, but didn’t quite organise it in the limited time there. Maybe next visit!
ObLAvBayAreaComment: Amazing how much better the drivers are up there, too. ;)
Still averaging about 68 SoBig.F virus mails, at about 100Kb each, for a total of about 7Mb per hour. That means my ‘reject’ mailbox is at 412 megs since Friday afternoon. Beats Charlie Strosser’s figures ;)
It’s all getting quietly bitbucketed, but the side-effects are still nasty. Take a look at this, for example; someone at adjv503ry3ec.ab.hsia.telus.net (142.59.69.220) has been spewing SoBig.F’s at the FoRK list, using my address, non-stop for weeks. Argh.
Patents: Richard Allen MP tackles the thorny software patents issue. It’s great being able to follow his thinking on these lines — more politicians should consider starting a weblog along these lines. True transparency.
Much better than Arlene McCarthy’s railing against ‘The Misinformation Campaign … by the Free Software Alliance’, whoever they are… I particularly like this statement from her PR:
If we were to follow the demands of these lobbyists then we would be handing over inventions to US multinationals and getting no return on our R&D investments in the field of computer implemented inventions. This will sound the death knell for our brightest and best European inventors, whilst the US and Japan will demand licence fees from European companies for the use of their patents. Without patent protection there will be no financial incentive for our most creative industries to develop genuine inventions.
… but — given that (a) software patents cannot currently be enforced in Europe, and (b) that 77% of the (currently-unenforceable) EPO software patents are registered already to non-EU companies, the only way for the US and Japan to ‘demand licence fees from European companies for the use of their patents’ would be if McCarthy’s proposed directive was passed, allowing those patents to be enforced in the EU. Oops — own goal!
VR: so I don’t lose this, Jaron Lanier’s 11 reasons why Virtual Reality has not yet become commonplace.
History: Came across the original SpamAssassin pre-release ‘try it out’ mail:
after quite of while of thinking about it, I’ve finally rewritten the spam filter I’ve been using for a while, and released it as free software.
It’s called SpamAssassin, and it’s a mail filter to identify spam using text analysis. Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify spam, which it then tags for later filtering using the user’s own mail user-agent application.
via Boing Boing, Stating the bleeding obvious: if you drive instead of walk, you get fat. Well, duh!
But the alternative is, if you walk or cycle instead of drive, you’ll get killed. ‘American pedestrians are roughly three times more likely to be killed by a passing car than are German pedestrians – and more than six times more likely than Dutch pedestrians. For bicyclists, Americans are twice as likely to be killed as Germans and more than three times as likely as Dutch cyclists.’
However, Irvine has some of the best cycling infrastructure (and weather) I’ve ever seen — except nobody uses it, apart from the weekender recreational cyclists.
Can’t figure out why — I guess it’s just a cultural thing; everyone drives, and people cycling or walking near some cars seems to give the drivers heart attacks. (Seriously. The other night, a driver honked and slowed to a crawl after spotting myself and Catherine walking along — on the sidewalk, 10 feet from the roadway. And not making any sudden movements, either.)
As Kasia said, s/Connecticut//:
You can do all sorts of weird things in Connecticut suburbs, from walking your cat on a leash to painting tiger stripes on your car — but strap a camera to your back and take out the two wheeler for a spin and you’re the weirdest thing since the Keebler elves.
The EU Software Patent protest makes Indymedia. Interesting intersection!
But I think they could have looked into the translation issues a bit more; ‘software patents kill efficient software development’ isn’t exactly urgent enough ;) Also — is the idea of the software patents song and mime a sort of ‘stop patents through Vogon poetry‘ thing?
meanwhile, back in C-land…
strlcpy() – a replacement for strcpy() and strncpy(), with some very nice performance figures.
I usually use snprintf() to do this, but even that has different semantics between platforms, which need workarounds. Plus the perf numbers regarding strlcpy() are nice. Plus it’s BSD-licensed. (Found via Linux Weekly News.)
In passing, it’s worth noting that strncpy() imposes a pretty hefty performance hit (4x – 10x in tests there), due to a weird specified behaviour: it NULs out unused parts of the buffer! Ouch.
See also MS’ strsafe APIs. However, the code for that is available only on Windows, which makes it pretty much useless for most C code I’d be writing, and they note ‘performance hits’.
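As an added example (my own code, not from the page, OpenBSD or Microsoft), here is a strlcpy() written to the published OpenBSD contract (copies at most size-1 bytes, always NUL-terminates when size > 0, returns strlen(src) so the caller can detect truncation), beside two small probes that show what strncpy() actually does with the same inputs: no terminator at all when the source does not fit, and zero-fill of every unused byte when it does. The zero-fill is where the performance hit above comes from; the missing terminator is the security problem, since a later strlen() or printf("%s") on that buffer reads past its end. The names jm_strlcpy, copy_checked, strlcpy_copy_equals, strncpy_unterminated and strncpy_nul_count are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* strlcpy() to the OpenBSD contract: copies at most size-1 bytes, always
 * terminates if size > 0, and returns strlen(src). A return value >= size
 * tells the caller the copy was truncated. */
size_t jm_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    size_t n;

    if (size > 0) {
        n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Wrapper with an explicit status: 0 on success, -1 if truncated.
 * dst is a valid, terminated string either way. */
int copy_checked(char *dst, size_t size, const char *src)
{
    return jm_strlcpy(dst, src, size) >= size ? -1 : 0;
}

/* Copies src into a size-byte buffer with jm_strlcpy() and reports whether
 * the result equals expect; shows exactly where truncation lands. */
int strlcpy_copy_equals(const char *src, size_t size, const char *expect)
{
    char buf[32];

    if (size > sizeof buf)
        size = sizeof buf;
    jm_strlcpy(buf, src, size);
    return strcmp(buf, expect) == 0;
}

/* Probe 1: after strncpy(buf, src, size), is there NO terminator within the
 * first size bytes? Returns 1 if so; reading buf as a string is then a
 * buffer over-read. */
int strncpy_unterminated(const char *src, size_t size)
{
    char buf[32];

    if (size > sizeof buf)
        size = sizeof buf;
    memset(buf, 'X', sizeof buf);   /* poison, so we see only what strncpy wrote */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

/* Probe 2: how many NUL bytes strncpy() wrote into the first size bytes.
 * For a short source this is the padding behind the 4x-10x figures. */
size_t strncpy_nul_count(const char *src, size_t size)
{
    char buf[32];
    size_t i, nuls = 0;

    if (size > sizeof buf)
        size = sizeof buf;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, size);
    for (i = 0; i < size; i++)
        if (buf[i] == '\0')
            nuls++;
    return nuls;
}

int main(void)
{
    char dst[8];
    const char *fits = "hello";
    const char *toolong = "this is too long";   /* 16 chars; dst holds 7 */

    if (copy_checked(dst, sizeof dst, fits) == 0)
        printf("strlcpy: \"%s\" copied intact\n", dst);
    if (copy_checked(dst, sizeof dst, toolong) == -1)
        printf("strlcpy: truncated to \"%s\", still terminated\n", dst);

    printf("strncpy: terminator present after copying \"%s\" into 8 bytes? %s\n",
           toolong, strncpy_unterminated(toolong, sizeof dst) ? "no" : "yes");
    printf("strncpy: NUL bytes written copying \"%s\" into 8 bytes: %zu\n",
           fits, strncpy_nul_count(fits, sizeof dst));
    return 0;
}
```

The pattern to take from this is the return value: check `jm_strlcpy(dst, src, size) >= size` (or the `copy_checked` wrapper) and treat truncation as an error rather than silently continuing with a shortened string, which is the other classic way strncpy() callers get into trouble.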
Good presentation by Anne Mitchell, ex-Habeas CEO, now of ISIPP — ‘False Positives: the Baby in the Bathwater’ and ‘Putting the Responsibility for Spam where it Belongs: The Case for Vendor Liability’ (PDF, 317KiB). Note this bit:
- In June of 2003, ISIPP’s Anne Mitchell worked closely with Senator John McCain’s office to help develop and draft legislation which would hold vendors liable for advertising in spam.
- This legislative draft was introduced as an amendment to the Burns-Wyden CAN-SPAM Act, and adopted by committee as part of the bill. Vendor liability is now part of the Burns-Wyden bill.
- The proposed legislation makes liable any vendor who advertises in spam which violates the general provisions of the law.
- Exceptions are made if the vendor truly did not know, and could not have been reasonably expected to know, that their information would go out in spam.
That could be interesting.
Wired: Turn Back the Spam of Time. An article about the time-travel spammer, now fingered as Robert ‘Robby’ Todino:
The anonymous e-mail offered $5,000 to any vendor capable of promptly delivering a collection of far-fetched gadgets for conducting time travel. Among the mysterious devices sought by the message’s author were an ‘Acme 5X24 series time transducing capacitor with built-in temporal displacement’ and an ‘AMD Dimensional Warp Generator module containing the GRC79 induction motor.’
He’s genuinely interested, it seems — but has a few psychological difficulties. (Thanks to Gary Stock for spotting it.)
2 history lessons today: Dervala writes about the Brehon Laws of ancient Ireland. Dervala’s weblog has become a great source of smart reading material, and is firmly on my daily list.
History: The Electronic Telegraph: Code-breaker reveals a diarist to rival Pepys (via forteana). Not quite as saucy as old Sam, though; he was a Puritan. Shame.
Food: The World’s Worst Food, courtesy of Joe McNally via NTK. A bit short of the traditional brain/tongue/tripe dishes however. (Relevant: low grade meat products, urgh.)
SCOvEveryone: Economist interview with Darl McBride of SCO. Interestingly, it notes ‘in 1998, Mr McBride himself won what he calls a ‘seven-figure settlement’ by suing his employer at the time, IKON Office Solutions (who, he says, had breached contract by urging him to move to an office outside Utah).’ Nice! However, the SCO management page doesn’t mention that, for some reason… (Link)
An SF free-sheet has applied the one test that really matters to the current SF mayoral candidates:
Is a particular candidate human or an insidious replicant, possessed of physical strength and computational abilities far exceeding our own, but lacking empathy and possibly even bent on our destruction as a species?
It’s the Voight-Kampff Test. No, not the band, this one. The results are hilarious:
TW: You’re in a desert walking along in the sand when all of the sudden you look down, and you see a tortoise, Tom, it’s crawling toward you. You reach down, you flip the tortoise over on its back, Tom. The tortoise lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over, but it can’t, not without your help. But you’re not helping. Why is that, Tom?
Tom Ammiano: That’s interesting. I don’t know. I’m a republican?
(thanks Ben!)
Patents: The W3C has set up a new list to evaluate ways to work around the Eolas patent on plugins, which, after all, are part of the HTML specification.
Good. I never liked plugins anyway, always playing loud music, halting the browser while they start up, or crashing the lot with their buggy spyware code. Good riddance! Now we can get back to the sensible ‘helper application in a separate window’ paradigm ;)
Many non-US-based broadband systems impose a download cap — a limit on how much data a customer can download in one month. In some of the Irish ISPs’ cases, it’s 3Gb of data per month, with hefty per-Mb charges after that.
Well, here’s something. I filter my mail for viruses and spam on my server, and divert the viruses off to a side folder. I just checked, and that folder contains 1 gigabyte of virus data, received since SoBig.F started up last week.
Given that most users don’t have a colocated server to divert their viruses on, and therefore would have had to download that 1 gigabyte of virus mail before their virus scanner got to take a look — that’s a hefty third of the download cap gone, due to a virus.
I wonder if Eircom, Telstra down under, and the other capping ISPs, will be giving their customers refunds as a result?
(BTW, by contrast, I only received 10 megs of spam.)
Apparently, the McCarthy report — which would have legalised software patents in Europe — has been withdrawn from debate for this EuroParl session.
‘It’s been sent back to the committee stage to be fixed because there was too much controversy or too many amendments requested. It will go to plenary again after JURI do some more work on it. Possibly September 22nd, probably early October.’
This is absolute insanity. Let’s say you’re buying a car, and you’re checking out what will work out best, between an SUV and a fuel-efficient hybrid, money-wise. Let’s check the options:
- SUV: $86,000 in tax breaks
- hybrid: $2,000 tax break
Unbelievable.
But don’t worry — there’ll be plenty of gas to run the SUVs, since the US is checking the possibility of pumping oil from Iraq to Israel. (That’s assuming the entire Arab world doesn’t turn into a seething pit of ‘told you so’ hatred as a result, but hey….)
As Yoz says, ‘How To Blow Up The Middle East In One Easy Step’:
yozlet: They saved the game before they did this, right? Right?
Bilskirnir: Two US senators responsible for MPAA regulation may be up for lucrative $US1.15 million jobs as lobbyists with the same organisation:
‘It’s obscene for Tauzin and Breaux to be in the running for the MPAA, the fattest media lobbying job in Washington, while advocating in Congress on behalf of companies that control the MPAA,’ said Robert McChesney, Professor of Communications at the University of Illinois at Urbana-Champaign. ‘It tends to confirm what the vast majority of Americans have suspected – relaxed media ownership rules are an X-rated exercise in power and influence.’
As Nathan points out, an analogue of non-compete agreements, for would-be politicians-turned-lobbyists, would be a good way to deal with this one.
Tech: in more calming news: Dell Patents ‘Reboot and See If That Fixes It’ Technical Support Process (BBSpot via Craig).
Red Bull was made in Thailand — I never realised it went from Thailand to Europe instead of vice-versa. (link via the great 2bangkok.)
Also, via Ben — an amazing account of what recovering your vision feels like after 43 years of blindness…