Justin's Linklog – Page 96 – (Things I found interesting recently.)

My ApacheCon Roundup

Published December 15, 2005

Back from ApacheCon!

I’ve got to say, I found it really useful this year. Last year, I was pretty new to the ASF, and found that my expectations of ApacheCon didn’t quite match reality; it wasn’t a rip-roaring success exactly, for me, as a result.

However, many details of how the ASF works — and how the conference itself works and is organised — are much clearer after you’ve spent some time lurking and absorbing practices in the meantime. (The visibility one gets into the process as a member of the ASF makes this a lot easier.)

Result: it was much more of a success for me this time around. Plenty of networking, putting faces to the names, hanging out, and discussing many aspects of our work.

The hackathon really worked out, too; while we didn’t produce a hell of a lot of code per se, it made for a good ‘developer summit’ and I think we established solid agreement on SpamAssassin’s short-term directions and goals. (summary: rules, and faster).

On top of that, I got to meet up with Colm MacCarthaigh and Cory Doctorow for discussion of Digital Rights Ireland. Looks like I’ll be spending a bit of time on that next year ;)

Finally: Solaris. On Monday night, I got to sit down with Daniel Price, one of the kernel engineers behind Solaris Zones, work through a quick demo of a bug I was running into with chroot(2) and zones on our rule-QA buildbot server, and watch as he visually traced it through the OpenSolaris kernel source on the web. From this — and from talking to Daniel — it’s pretty clear that things have changed at Sun. Pretty much the entire Solaris operating system is now a full-on open-source project; it’s not just a marketing gimmick. The source is up there on the web, that’s the source for the code they’re running now, and there’s no half-assed ‘freeze it, cut out the good bits, and throw it over the wall’ fake-open-source tricks.

The concept of getting this level of access to Solaris source code and engineers, would have blown my mind when I was Iona’s sysadmin back in the 1990s ;) I’m very impressed.

Windows Live Local and Firefox

Published December 9, 2005

Windows Live Local, with its isometric, Sim City, “bird’s eye” view, is quite nice.

However, what gets me is — do MS do this deliberately? I’m referring, of course, to the way it’s broken on Firefox 1.5, requiring you to drag twice to get it scrolling around the viewport, and the jumpy, clunky UI on that browser.

Pretty lame — and lazy, too. By now, it’s essential for a new fancy website to work under Firefox; even if only 20% of your users will be using it, a good proportion of those are the bleeding-edge, ‘taste-maker’ types who’ll be blogging about it, writing reviews for newspapers and news sites, and generally generating buzz for you, and thereby attracting the other 80%.

I’m told it works great in IE, but there’s no way I’m starting Windows and opening up that app. If I want to be infected by 700 different malwares within seconds, I’ll ask. ;)

On top of that, coverage seems spotty — Ireland is AWOL, of course.

As a result, my one line summary would have to be: idea = cool, dataset = probably cool, execution = half-assed and crappy. I’m looking forward to Google doing a much better job with their implementation of the Sim City viewpoint.

Email Injection attacks in PHP via mail()

Published December 8, 2005

Apparently, spammers are now exploiting a hole, or holes, in multiple PHP scripts which use the mail() API.

The holes are described at the SecurePHP wiki; basically, the script author inserts CGI fields directly into a message template without stripping newlines, and this allows attackers to create new headers, take over the message body, and generally take over the mail message and destinations entirely.

Funnily enough, these are the same holes Ronald F. Guilmette and I found in FormMail 1.9, and described in our Jan 2002 advisory Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9 (PDF) on page 10, Exploitation of email and realname CGI Parameters. Ah, plus ca change…

Worth noting that perl’s venerable taint checking would have spotted these, if it were used.

ApacheCon US 2005

Published December 5, 2005

In a couple of weeks, I’ll be going to San Diego for ApacheCon US 2005 (including the hackathon beforehand). There’ll be quite a few other SpamAssassin committers there, too, so if you’re working with SA, or interested in getting some face time with the developers, there’s no better way of doing so.

Digital Rights Ireland launch, next Tuesday

Published December 3, 2005

DRI’s formal launch is next Tuesday:

December 6th sees the formal launch of Digital Rights Ireland, with a press conference in the Conference Room, Pearse St. Library, Dublin 2 at 11.30am. We would like to invite to you to come along – we’d welcome your support, and the chance to chat with you about your concerns after the main conference. Please feel free to invite anyone else who you think would be interested in digital rights. To give us an idea of numbers, we’d appreciate an email to <contact AT digitalrights.ie> to let us know if you’re planning on coming along.

[thx] HAM

Published November 29, 2005

flickr_IMG_7139.jpg
Originally uploaded by Andy Cadaver.

I was just emailing with Sarah Carey, and she correctly noted that my weblog has been tending towards the techie-incomprehensible recently. A brief look at the front page confirms this.

So here’s a remedy: a photo of the delicious ham which the lovely C cooked up for Thanksgiving, last Thursday. Just look at that, mmmmm!

When I get back to Ireland, I will be bringing Thanksgiving with me; a holiday based around eating cooked fowl, with no religious baggage whatsoever? I’m so there.

New SpamAssassin Rule Development Tools

Published November 23, 2005

Recently, I’ve been working on new systems to develop SpamAssassin rules faster, and with a lower ‘barrier to entry’ to the core ruleset. Some highlights seem bloggable, seeing as it’s all web-based and I can link to it!

The ‘preflight’ BuildBot:

This uses the fantastic BuildBot continuous-integration system to monitor changes to our Subversion repository.

Every time something is checked into SVN, this wakes up and immediately runs mass-checks using that latest code and rules, allowing near-real-time viewing of changes in rule behaviour. (A ‘mass-check’ is a massive run of SpamAssassin across a corpus of hundreds of thousands of emails, en masse, to measure rule hit-rates.)

The corpus it mass-checks is split in a certain way so that results will be available very quickly — typically in under 10 minutes — with increasing quantities of results becoming available as time elapses.

Progress of the mass-checks are visible at the BuildBot here; as they complete, their results become visible on the Rule-QA app (below). (More info, if you’re curious.)

The Rule-QA App:

To date, we’ve used the basic “freqs” table — output from the hit-frequencies command-line script — as the UI for rule QA and evaluation. This is fine for a small number of developers, but it scales badly and (like mass-checks) requires a pretty complex setup on the developer’s machine.

This new component is a web application, which takes the “freqs” table, and “webifies” it — demo.

Some major improvements are also made possible; the most important, that it can now display ‘freqs’ for multiple revisions during the day, and keeps historical data for comparison. It adds several new reports from ‘hit-frequencies’; a score-map, overlaps, a performance measurement, and a boolean ‘promoteability’ measurement.

Finally, a really useful new report is the graph of rule hit-rate, as it changes over time. Here’s a cached demo, or see the same data produced ‘live’. This gives a totally new insight into how the rule hits for various people’s corpora, how that changed over time, and allows a whole new type of rule analysis. (In fact, it also allows pretty good corpus analysis, too; can you tell which submitters bounce high-scoring spam at receipt time?)

(More info on these.)

Product idea: RAID Backup Enclosures

Published November 23, 2005

Cory Doctorow at Boing Boing links to an article at TechCrunch that lists Better and Cheaper Online File Storage as a product that needs to be made. However, Ben Laurie does the sums on online storage as a useful backup medium, and found them not exactly compelling (e.g. 100GB of data will take 75 days to upload over an 128Kbps link).

I tend to agree. An online host isn’t great as a backup host, since, in my experience, there are two types of backups required:

The important small files (for example: encrypted password lists, my address book, my ~/bin directory)
The massive big filesets (for example: MP3s, photos)

The first kind of fileset is amenable to an online backup-storage service, at first glance. However — in my opinion you’re better off going the whole hog for these files, and using the distributed, versioned backup method of putting it in a good networked revision control system, and checking it out everywhere, so you can also make changes and check in from any host; otherwise, you face the perils of syncing up a single backup from multiple “writers”, without conflicts. So far, none of the online file storage services offer SVN as an access method, so a shell account at a colo server still seems more useful on that count.

The second kind of fileset, as Ben notes, will take donkey’s years to upload and sync as a backup mechanism; and the economics are hardly compelling for the service provider.

I think I prefer Brad Templeton’s idea to deal with large-data backups —

I propose a software RAID-5, done over a LAN with 3 to 5 drives scattered over several machines on the LAN.

Slow as hell, of course, having to read and write your data out over the LAN even at 100mbits. Gigabit would obviously be better. But what is it we have that’s taking up all this disk space ? it?s video, music and photos. Things which, if just being played back, don?t need to be accessed very fast. If you’re not editing video or music, in particular, you can handle having it on a very slow device. (Photos are a bigger issue, as they do sometimes need fast access when building thumbnails etc.)

This could even be done among neighbours over 802.11g, with suitable encryption. In theory.

As a commenter notes, Linux has support for this already, in the form of software RAID and the network block device.

So: take an external IDE enclosure, add a GumStix board running Linux with software RAID, LVM, and nbd, and add wifi. Then add DAV, SMB and NFS export of the disk, and some decent UI code to organise the volumes into a single exported RAID volume (hopefully automatically!), and it’d be a pretty compelling product, in my opinion!

(hey Craig! I said GumStix! ;)

Wisdom Teeth — Complete!

Published November 21, 2005

On Friday, I got my lower-left wisdom tooth extracted. That’s the last one that should cause any trouble; there’s only one remaining, and it’s fully out so shouldn’t act up. After a few years of on-again-off-again twinges, and lots of irresponsible putting-off of surgery, I’ve finally taken care of it.

The downside: I’m totally zonked on painkillers, so I won’t be doing much for the next few days apart from what’s required for day-to-day day-job stuff.

Urban Dead HUD; added Inventory Sorting

Published November 14, 2005

I’ve updated the Urban Dead HUD Greasemonkey userscript; it now offers inventory sorting, inspired by Ikko’s userscript (albeit a little different in implementation). Here’s a screenshot:

Right now, UD is reasonably interesting — our team of plucky survivors have been helping out with the defence of Caiger Mall, a major mall towards the north-west of the city. We’ve repulsed the Church of the Resurrection‘s attempts to wipe us out, but that seems to have made us quite a juicy target; there are now no less than three separate Zombie groups ganging up on us. For now, we’re still holding out.

Mobile phone repair at Karol Bagh Market

Published November 11, 2005

I love these pictures:

I link-blogged that article ages ago, but I keep thinking of it, so it’s worth a proper post in its own right, to expand on that.

These guys work at an Indian mobile phone repair stall in Karol Bagh Market, in Delhi. The blog entry notes:

As in China, many of the mobile phone shops and street kiosks offer mobile phone repair service. Many of these guys can strip and rebuild a mobile phone in minutes. … a lot of the hyperbole surrounding western hacker culture makes me smile compared to what these guys are doing day in day out.

Also, a commenter notes: ‘in india, for about 1$, you can convert a CDMA phone to GSM !! also, they can unlock phones and do a veriety of hacks for little money.’

There’s so many lessons I’m getting from it:

I’ve had a shoe resoled in 5 minutes for next to nothing at a stall not too different from that — but this is a mobile phone. It’s amazing to think of that level of hardware hacking taking place every day at a back-street market stall.
Those phones were doubtless planned, as a product, with a ‘ship back to manufacturer’ support plan. That clearly isn’t going to fly without that developed-world luxury, Fedex. So this is the developing-world street finding its own uses for things, and working around the dependencies on systems that are optimised for the developed world.
It’s the flip-side of Joshua Ellis’ grim meathook future, where we’re not facing down the barrel of a New-Orleans-style descent into barbarity if the power suddenly cuts out; tech can go on. It may be a little chunkier, though, and with more duct tape, but hey.
It’s also a beautiful demonstration of how those of us in the developed world who assume that developing-worlders cannot find a use for high tech, are talking shit. (cf. Ethan Zuckerman as a good example of someone who gets this, more than almost anyone else I can think of.)

I think this is one of the most important lessons I learned while travelling through India and SE Asia a few years back — the developing world is using high tech, and it’s not using it in the same ways we do — or even the ways we anticipated, and we have plenty to learn from them too.

Found at Jan Chipchase’s site, which is full of great contemplation on this stuff. (The story on Seoul’s selca culture is nuts, too — it’s like Flickr^1000.)

(PS: I have a wisdom tooth extraction scheduled for next Friday… wish me luck. That’s another thing you don’t want to happen in the developing world, although I daresay it’d rock in Bangkok!)

(Update: clarification — my cite of Ethan Z was meant as a compliment ;)

IFSO Seminar In Dublin

Published November 4, 2005

Passing this on for readers in Ireland — this sounds like an interesting event. From the FSFE-IE mailing list:

On the morning of Friday November 18th, IFSO is organising an event hosted by MEP Proinsias De Rossa about preventing software patents in the EU. Topics covered will be:

An analysis of the software patent directive;
a discussion of Free Software and computer security;
an introduction to IFSO/FSFE and their work;
the future of legislative obstacles to the development and distribution of software.

The event will be held in the European Parliament Office in Ireland, and spaces are limited. Participants are therefore asked to register their intent to attend. See here for more details.

Producing Open Source Software

Published November 2, 2005

Plug: Producing Open Source Software, a new book by Karl Fogel (of the Subversion and CVS projects), readable online as HTML or in ground-up wood formats.

It’s got a whole load of solid-gold good advice on open-source development best practices, and even includes a section on dealing with the dreaded Reply-To munging issue.

Looks excellent — this is definitely one to read.

Urban Dead HUD

Published October 29, 2005

I’ve been playing a bit of Urban Dead recently. Urban Dead is a very low-key, web-based MMORPG — you play a 3-minute turn once every 24 hours. It needs some rebalancing and some new features, especially given the organised nature of some of the bigger marauding zombie hordes, but I’m still finding it fun.

To scratch a couple of itches, I’ve written a Greasemonkey user script for UD called the Urban Dead HUD. It adds several nifty features to the user interface:

keyboard accelerator access keys for the action buttons, and your inventory — very handy when you’re attacking an enemy repeatedly;
an on-page long-distance map of the surrounding squares;
a distance tracker, which tracks the distances to “important” locations for you

There’s screenshots on the download page, so you can see what I’m talking about.

Greasemonkey is a fantastic tool, as is Mark Pilgrim’s Dive Into Greasemonkey, which has repeatedly turned out to be an excellent, well-written reference while hacking this. Thanks guys!

trueColor() bug in GD::Graph

Published October 28, 2005

Hacking on a new rule-QA subsystem for SpamAssassin, I came across this bug in GD::Graph. If:

you are drawing a graph using GD::Graph;
outputting in PNG or GIF format;
and the ‘box’ area — the margins outside the graph — keeps coming up as black, instead of white as you’ve specified;

check your code for calls to GD::Image->trueColor(1);, or the third argument to the GD::Image->new() constructor being 1. It appears that there’s a bug in the current version of GD (or GD::Graph) where graphing to a true-colour buffer is concerned, in that the ‘box’ area continually comes out in black.

(Seen in versions: perl 5.8.7, GD 2.23, GD::Graph 1.43 on Linux ix86; perl 5.8.6, GD 2.28, GD::Graph 1.43 on Solaris 5.10.)

False Positive ‘Reports’ != FP Measurement

Published October 26, 2005

John Graham-Cumming writes an excellent monthly newsletter on anti-spam, concentrating on technical aspects of detecting and filtering spam. Me, I have a habit of sending follow-up emails in response ;)

This month, it was this comment, from a techie at another software company making anti-spam products:

When I look at the stats produced on our spam traps, which get millions of messages per day from 11 countries all over the world, I see our spam catch rate being consistently over 98% and over 99% most of the time. We also don’t get more than 1 or 2 false positive reports from our customers per week, which can give an impression of our FP rate, considering the number of mailboxes we protect.

My response:

‘Worth noting that a “false positive report from our customer” is NOT the same thing as a “false positive” (although in fairness, [the sender] does note only that it will “give an impression” of their FP rate).

This is something that I’ve seen increasingly in the commercial anti-spam world — attempting to measure false positive rates from what gets reported “upstream” via the support channels.

In reality, the false positives are still happening — it’s just that there are obstacles between the end-user noticing them, and the FP report arriving on a developer’s desk; changes to the organisational structure, surly tech support staff, or even whether the user was too busy to send that report, will affect whether the FP is counted.

Many FPs will go uncounted as a result. As a result, IMO it is not a valid approach to measurement.’

I’ve been saying this a lot in private circles recently, so in my opinion that’s a good reason to post it here…

Wired on the Motorola ROKR iTunes phone

Published October 26, 2005

Via Cory at Boing Boing, here’s a great Wired post-mortem on how all the corporate vested interests (including Apple!) turned a nice concept for a new, music-playing mobile phone, into a useless, DRM-hogtied, designed-by-committee turd.

That’s worth a read, in itself. However, what really blew my mind was this:

Anssi Vanjoki, executive vice president of Nokia and head of its multimedia group, has bad news for the [music] labels. … He pushes a couple of buttons on the [phone’s] keypad. Up pops Symella, a new peer-to-peer downloading program from Hungary. As the name suggests, Symella is a Symbian application that runs on Gnutella, the P2P network that hosts desktop file-sharing apps like BearShare and Limewire. It was created earlier this year by two students at a Budapest engineering school that for four years has been exploring mobile P2P in conjunction with a local Nokia research center.

Symella doesn’t come installed on the N91; Vanjoki downloaded it from the university Web site. “Now I am connected to a number of peers,” he continues, “and I can just go and search for music or any other files. If I find some music I like and it’s 5 megabytes and I want to download it – the carriers will love this. It will give them a lot of traffic.”

I had no idea the platform was that open, at this stage. It’ll be interesting to see what happens next…

Ouch!

Published October 25, 2005

my new ipod.jpg
Originally uploaded by jmason.

Yep, they really are that easy to scratch, it seems.

UK ATM fraud in the 1990s

Published October 24, 2005

The Register: How ATM fraud nearly brought down British banking. This story is mind-boggling; it claims that UK ATM security had two major issues that have been kept secret since the 1990s:

An insecure data format used for the data on the magnetic stripes in one bank’s cards;
Another bank’s computing department “going rogue”, “cracking PINs and taking money from customers’ accounts with abandon” as the story puts it. Yikes.

The latter problem is scary, but in my opinion the former problem is more interesting from a computer security point of view.

This is a classic example of bad data format design, as it left the PIN and the account details individually rewritable — in other words, an attacker could (and did) change one while keeping the other intact.

This British Computer Society abstract provides more details on the who, how and where:

… it was revealed that UKP 130,000 had been stolen from Abbey National cardholders during 1994 and 1995 with counterfeit cards. Andrew Stone, a bank security consultant who had been advising Which?, the magazine of the Consumers’ Association, was jailed for five and a half years for the theft. This fraud involved spying on Abbey customers as they used their cards in automated teller machines (ATMs) or cash dispensers… [Stone] recorded card details and personal identification numbers (PINs) using powerful video cameras. The details were then encoded on the magnetic strips of other cards.

Finally, another quote from the Reg story:

why is he telling this explosive story now? Because chip and PIN has been deployed across the UK ATM network. “The vulnerability in the UK ATM network was still there to be exploited — if someone had chanced upon it.”

I wonder if other banking systems worldwide are still vulnerable, however? Did any other banks elsewhere license the vulnerable systems from UK banks, without knowing about these vulnerabilities? How long did it take for them to be fixed, if they were fixed?

Avian Flu, Health vs. IP Protection

Published October 22, 2005

Over at O’Reilly Radar, a question came up as to whether Roche’s patent on Tamiflu should be respected if, in the event of a pandemic, people were dying on a large scale due to an inability for Roche to produce Tamiflu in sufficient quantities.

James Love of cptech.org recently pointed out that the WTO made an exception for a situation like this, allowing importation of medicines from foreign countries in violation of local patent licenses in the case of an emergency, in a 30 August 2003 decision:

Your country would benefit from importing generic medicines produced under a compulsory license, in order to build up adequate stockpiles or to obtain needed medicines in the event of a crisis.

However, many developed-world countries have explicitly made a commitment never to use this limited TRIPS waiver, namely the following:

Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, United Kingdom and the US.

Another 10 countries about to join the EU said they would only use the system to import in national emergencies or other circumstances of extreme urgency, and would not import once they had joined the EU: Czech Republic, Cyprus, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovak Republic and Slovenia.

So there you have it; the trade representatives for many developed-world countries took some kind of ‘strong IP’ high moral stand, and gave up this ability. I’ll bet national health authorities are, right now, wandering government halls around the world, looking for trade representative asses to kick…

‘Internet Stamps’: ‘Sender Pays’ Is Back From The Dead

Published October 22, 2005

Jeremy Zawodny mentions that Tim Bray has proposed something he calls ‘Internet Stamps’ to solve the blog-spam problem; here’s Tim’s description of how it works:

An Internet Stamp is an assertion, signed by a Post Office, that some chunk of text was issued by someone who paid for the stamp. At least one major Post Office will be required by government statute to sell stamps to anyone in the world for either US$0.01 or EUR 0.01, and no stamp-selling organization will be recognized which sells stamps for less than this amount. For this to work, the number of stamp-selling organizations needs to be small and the organizations stable; another reason why Post Offices are plausible candidates.

It works like this: if you want to buy stamps, you sign up for an account with your Post Office; it works like paper stamps, you buy a bunch at a time in advance, in small amounts like $20 or EUR 10. Then the Post Office offers a Web Service where you connect to a port, authenticate yourself and send along some text; the Post Office decrements your account and sends back the stamp. There are a variety of digesting/signing/PKI techniques that could be applied to implement the stamps; a standard is required but should be easy.

Apparently himself and a few other guys chatted about it at the first Foo Camp, back in 2003. Funnily enough, in the anti-spam community, we were having our own chats about it, but it sounds like our paths didn’t cross for some reason…

We call this idea ‘sender pays’. Earlier in 2003, in June, John Levine published what I’d consider the canonical wrap-up of why it will not work, in ‘An Overview of e-Postage’.

That report demolishes the use of ‘sender pays’ for e-mail anti-spam, on three main counts:

Creating a transaction system large enough for e-postage would be prohibitively expensive. The nearest parallel is the credit card transaction system, which deals with 1% of the transaction volume per day, and with much larger profit margins to make it worth their while.
The true financial, administrative, and social costs of e-postage are completely unknown. What do you do when a ‘bad guy’ steals the e-postage stamps off Aunt Millie’s hard disk, without her knowledge? How much is the Fraud Handling Department going to cost? Is she just going to be out of luck when this happens? Will you need to use whitelisting and a content-based anti-spam filter as well, to filter out the messages sent using valid, but stolen, stamps?
Users hate micropayments. In short, see Andrew Odlyzko’s research.

Now, using it on weblog spam is a little more practical than e-mail spam, for one because it has a lower daily volume of transactions; but these objections still stand, in my opinion.

John Levine is one of the foremost authorities in anti-spam, and this report has been a mainstay of the anti-spam canon for two years. Anyone discussing a new anti-spam concept really ought to know this report backwards and forwards by this stage, and go into some detail as to how their proposal deals with the issues raised, if it’s to be taken seriously.

‘I Go Chop Your Dollar’, the video

Published October 21, 2005

Wow! videos.antville.org (via robotwisdom) came through with the goods. Go check out the video for Nkem Owoh (aka Osuofia) singing “I Go Chop Your Dollar”, which turns out to be pretty catchy!

Here’s the lyrics so all us oyinbos can sing along:

I don suffer no be small
Upon say I get sense
Poverty no good at all, no
Na im make I join this business
419 no be thief, its just a game
Everybody dey play am
if anybody fall mugu, ha! my brother I go chop am

Chorus
National Airport na me get am
National Stadium na me build am
President na my sister brother
You be the mugu, I be the master
Oyinbo I go chop your dollar, I go take your money dissapear
419 is just a game, you are the loser I am the winner
The refinery na me get am,
The contract, na you I go give am
But you go pay me small money make I bring am
you be the mugu, I be the master… na me be the master ooo!!!!

When Oyinbo play wayo, them go say na new style
When country man do im own, them go de shout bring am, kill am, die!
Oyinbo people greedy, I say them greedy
I don see them tire thats why when them fall enter my trap o!
I dey show them fire

Lyrics from here; there’s a few other funny comments there too:

just saw the “i go chop your dollar”……i am glad we are blessed with a natural comedian as good as Nkem Owoh…..thank God say oyibo (sic) no sabi pidgin if not dis song for give them small panic……..

Heh, looks like the ‘small panic’ is now underway ;)

‘I Will Eat Your Dollars’

Published October 21, 2005

An excellent, eye-opening interview with Samuel, an ex-419 scammer.

There’s even a theme tune:

Their anthem, “I Go Chop Your Dollars,” hugely popular in Lagos, hit the airwaves a few months ago as a CD penned by an artist called Osofia:

“419 is just a game, you are the losers, we are the winners.
White people are greedy, I can say they are greedy
White men, I will eat your dollars, will take your money and disappear.
419 is just a game, we are the masters, you are the losers.”

Reportedly, Lagos inhabitants paint “This House Is Not For Sale” in big letters on their homes, in case someone posing as the owner tries to put it on the market.

Regarding the workings of the scam:

[Samuel] sent 500 e-mails a day and usually received about seven replies. Shepherd would then take over. “When you get a reply [to a 419 spam], it’s 70% sure that you’ll get the money,” Samuel said.

(via Nelson.)

‘Life Hacking’ and Metacity

Published October 17, 2005

The NY Times story on “life hacking” is a pretty good one, and an excellent intro for anyone who hasn’t been religiously reading the changing transcripts of Danny O’Brien’s talk and so on.

This line:

Mann has embarked on a 12-step-like triage: he canceled his Netflix account, trimmed his instant-messaging “buddy list” so only close friends can contact him and set his e-mail program to bother him only once an hour.

Reminded me of something I ran into recently.

Last month, I switched from Sawfish, the venerable UNIX window manager, to GNOME’s Metacity, which is the new(ish) GNOME standard window manager. (I was tired of some long-standing Sawfish crashes, and didn’t want to be the last Sawfish user on the planet, which was seeming increasingly likely.)

One interesting UI change is that application windows no longer ‘pop up’ — if an app wants to notify you of some important change, it instead can only cause its taskbar button to subtly pulse in the corner of your screen.

Initially, this threw me for a loop, and I rudely (albeit accidentally) ignored my friends on IM and suchlike. But I quickly got the hang of glancing at the taskbar once in a while when I wasn’t concentrating on a task; it’s now second nature, and has significantly reduced the number of interruptions I find myself experiencing in a typical day.

BTW, in passing: switching WMs is a big deal, user interface-wise. One of the key gating factors, for me, was a feature I use to control windows without laying hands on the dreaded rodent — namely, a ‘move window to screen corner’ keyboard shortcut. This patch implements it for Metacity.

I implemented this last year for KWin, too, to resounding disapproval and bitchy comments about how I’m using the mouse all wrong. Meh. I fully expect the Metacity maintainers to throw it out, likewise, leaving me hand-patching WMs for a while yet ;)

Update, Nov 2006: they applied it! yay.

The Adelphi Charter

Published October 17, 2005

I’ve just finished Sir John Sulston’s inspiring book about the Human Genome Project, The Common Thread, in which he discusses how he found himself on one front line of the battle between intellectual ‘property’ maximalism attempting to grab ‘property rights’ over the human genome, and the common good, preserving such rights for all humanity and unfettered research. (Thankfully, he — and therefore the latter side — won.)

I’ve been meaning to post a few choice quotes here about it at some stage, but haven’t had the time — I’ve had to just limit myself to correcting the Wikipedia entry for the Human Genome Project instead. ;)

Anyway, Sir John is in the news again, as part of a new international initiative — the Adelphi Charter:

Called the Adelphi charter, it is an attempt to lay out those principles. Central among them are the ideas that policy should be evidence-based and that it should respect the balance between property and the public domain, not eliminate the latter to maximise the former.

Coverage:

Very encouraging to see something taking off at this level. I hope it does well, and I hope Ireland and the EU’s lawmakers take note, since I’ve been hearing a lot of IP maximalist party-line from there recently…

I Agree With Goopy

Published October 12, 2005

shiny do-dad
Originally uploaded by goopymart.

Daniel Cuthbert’s Travesty of Justice

Published October 12, 2005

The Samizdata weblog posts more details about the Daniel Cuthbert case, where a UK techie was arrested for allegedly attempting to hack a tsunami-donation site. Here’s what happened:

Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate UKP30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.

The first test he used was the (dot dot slash, 3 times) http://taint.org/ sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allows you to move three times. It is not a complete attack as that would require a further command, it was merely a light ‘knock on the door’. The other test, which constituted an apostrophe (`) was also used. He was then satisfied that the site was safe as his received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.

20 days later he was arrested at his place of work and had his house searched.

(His actions were detected by the IDS software used by British Telecom.)

In my opinion, this is a travesty of justice.

His actions were entirely understandable, under the circumstances, IMO. They were not hostile activities in themselves — they might have been the prelude to hostility, in other cases, but, as his later activity proved, not in this one.

Instead of making parallels with “rattling the doorknob” or “lurking around the back door of a bank”, a better parallel would be looking through the bank’s front window, from the street!

If only law enforcement took this degree of interest in genuine phishing cases, where innocent parties find their bank accounts emptied by real criminals, like the unprosected phisher in Quebec discussed in this USA Today article!

Appalling.

Harpers: The Uses of Disaster

Published October 12, 2005

In this month’s Harpers — The Uses of Disaster contains a passages that rings bells, post-Katrina:

You can see the grounds for that anxiety in the aftermath of the 1985 Mexico City earthquake, which was the beginning of the end for the one-party rule of the PRI over Mexico. The earthquake, measuring 8.0 on the Richter scale, hit Mexico City early on the morning of September 19 and devastated the central city, the symbolic heart of the nation. An aftershock nearly as large hit the next evening. About ten thousand people died, and as many as a quarter of a million became homeless.

The initial response made it clear that the government cared a lot more about the material city of buildings and wealth than the social city of human beings. In one notorious case, local sweatshop owners paid the police to salvage equipment from their destroyed factories. No effort was made to search for survivors or retrieve the corpses of the night-shift seamstresses. It was as though the earthquake had ripped away a veil concealing the corruption and callousness of the government. International rescue teams were rebuffed, aid money was spent on other programs, supplies were stolen by the police and army, and, in the end, a huge population of the displaced poor was obliged to go on living in tents for many years.

However, there’s a happy ending there:

That was how the government of Mexico reacted. The people of Mexico, however, had a different reaction. ‘Not even the power of the state,’ wrote political commentator Carlos MonsivÃ¡s, ‘managed to wipe out the cultural, political, and psychic consequences of the four or five days in which the brigades and aid workers, in the midst of rubble and desolation, felt themselves in charge of their own behavior and responsible for the other city that rose into view.’ As in San Francisco in 1906, in the ruins of the city of architecture and property, another city came into being made of nothing more than the people and their senses of solidarity and possibility. Citizens began to demand justice, accountability, and respect. They fought to keep the sites of their rent-controlled homes from being redeveloped as more lucrative projects. They organized neighborhood groups. And eventually they elected a left-wing mayor — a key step in breaking the PRI’s monopoly on power in Mexico.

Photo Update

Published October 12, 2005

Photoblog! We recently ticked off another of California’s national parks with a trip to Joshua Tree, and saw this:

Scary desert people. Also, I got to be in a fractal:

Beardy progress continues, as you can see!

In other pics, Catherine cooked me an amazing birthday cake:

Also: I ate the most sacrilicious food ever — mochi that tastes like green-tea-filled Eucharist wafer!

Ah, the blessed sacrament of the (green tea) body and (red bean) blood. The textural resemblance really was phenomenal; I guess it never came up in product taste tests. Quite funny. Very tasty too, by the way.

Bruce Sterling on J. G. Ballard

Published September 28, 2005

Ballardian.com just posted an interview with Bruce Sterling about J.G. Ballard by Chris Nakashima-Brown. One of my favourite authors talks about the other — it’s amazing!

A couple of highlights:

… The assumptions behind The Crystal World were so radically different and ontologically disturbing compared to common pulp-derived SF. If you just look at the mechanisms of the suspension of disbelief in The Crystal World, it’s like, okay, time is vibrating on itself and this has caused the growth of a leprous crystal … whatever. There’s never any kind of fooforah about how the scientist in his lab is going to understand this phenomenon, and reverse it, and save humanity. It’s not even a question of anybody needing to understand what’s going on in any kind of instrumental way. On the contrary, the whole structure of the thing is just this kind of ecstatic surreal acceptance. All Ballard disaster novels are vehicles of psychic fulfilment.

….

My suspicion is that in another four to five years you’re going to find people writing about climate change in the same way they wrote about the nuclear threat in the 50s. It’s just going to be in every story every time. People are going to come up with a set of climate-change tropes, like three-eyed mutants and giant two-headed whatevers, because this is the threat of our epoch and it just becomes blatantly obvious to everybody. Everybody’s going to pile on to the bandwagon and probably reduce the whole concept to kindling. That may be the actual solution to a genuine threat of Armageddon — to talk about it so much that it becomes banal.

To me these late-Ballard pieces, these Shepperton pieces — Cocaine Nights, Super-Cannes and so forth — really seem like gentle chiding from somebody who’s recognized that his civilisation really has gone mad. They’re a series of repetitions that say, ‘Look, we’re heading for a world where consensus reality really is just plain unsustainable, and the ideas that the majority of our people hold in their heart of hearts are just not connected to reality’. I think that may be a very prophetic assessment on his part. I think we may in fact be in such a world right now — where people have really just lost touch with the ‘reality-based community’ and are basically just living in self-generated fantasy echo chambers that have no more to do with the nature of geopolitical reality than Athanasius Kircher or Castaneda’s Don Juan.

Kitty vs. International RFID Standardisation

Published September 27, 2005

So, I’ve just bought myself an RFID implant reader.

However, don’t jump to conclusions — it’s not that I’m hoping that possession will put me on the right side of the New World Order 21st-century pervasive-RFID-tracking security infrastructure or anything — it’s for my cat. Here’s why…

Many years ago, back in Ireland, we had an RFID chip implanted in our cat, as you do. Then 3 years ago, we entered the US, bringing the cat with us, and started looking into what we’d have to do to bring him back again.

Ireland and the UK are rabies-free, and have massive paranoia about pets that may harbour it; as a result, pets imported into those countries generally have to stay in a quarantine facility for 6 months. Obviously 6 months sans kitty is something that we want to avoid, and thankfully a recent innovation, the Pet Travel Scheme allows this. It allows pets to be imported into the UK from the USA, once they pass a few bureaucratic conditions, and from there they can travel easily to Ireland legally. (BTW Matt, this still applies; we checked!)

One key condition is that the pet be first microchipped with an RFID chip, then tested for rabies, with those results annotated with the chip ID number. Once the animal arrives in the UK on the way back, the customs officials there verify his RFID implant chip’s ID number against the number on the test result documentation, and (assuming they match and all is in order) he skips the 6 month sentence.

So far, it seems pretty simple; the cat’s already chipped, we just have to go to the vet, get him titred, and all should proceed simply enough from there. Right? Wrong.

We spent a while going to various vets and animal shelters; unfortunately, almost everyone who works in a vet’s office in California seem to be incompetent grandmothers who just work there because they like giving doggies a bath, couldn’t care less about funny foreign European microchips, and will pretty much say anything to shut you up. Tiring stuff, and unproductive; eventually, after many fruitless attempts to read the chip, I gave up on that angle and just researched online.

Despite what all the grannies claimed, as this page describes, the US doesn’t actually use the ISO 11784/11785 standard for pet RFID chips. Instead it uses two alternative standards, one called FECAVA, and another FECAVA-based standard called AVID-Encrypted. They are, of course, entirely incompatible with ISO 11784/11785, although, to spread confusion, the FECAVA standard appears to be colloquially referred to in parts of the US vet industry, as “European” or even “ISO standard”. I think it was originally developed in Europe, and may have been partially ISO-11784-compliant to a degree, but the readers have proven entirely incompatible with the chip we had, which is referred to as “ISO” in the UK and Ireland at least. They don’t even use the same frequencies; FECAVA/AVID are on 125 KHz, while ISO FDX-B is on 134.2 KHz.

(BTW, a useful point for others: you can also tell the difference at the data level; FECAVA/AVID use 10-digit ID numbers, while ISO numbers are 15-digit. Also, “FDX-B” seems to accurately describe the current Euro-compatible ISO-standard chip system.)

Now, a few years back, it appears that one company attempted to introduce ISO-FDX-B-format readers and chips to the FECAVA-dominated marketplace, in the form of the Banfield ‘Crystal Tag’ chip and reader system.

That attempt foundered last year, thanks to what looks a lot like some MS-style dirty tricks — patent infringement lawsuits and some ‘your-doggy-is-in-danger’ FUD:

what we have here is a different, foreign chip that’s being brought in and it’s caused a lot of confusion with pet owners, with shelters, and veterinarians.

(Note ‘foreign’ — a little petty nationalism goes a long way.) The results can be seen in this press story on the product’s withdrawal:

Although ISO FDX-B microchips are being used in some European countries and parts of Australia, acceptance of ISO FDX-B microchips is not universal and the standard on which they are based continues to generate controversy, in part due to concerns about ID code duplication.

FUD-bomb successful!

Anyway, this left us in a bad situation; our cat’s chip was unreadable in the US, and possibly even illegal given the patent litigation ;) . We had two choices: either we got the cat re-chipped with a US chip, paying for that, or we could find our own ISO-compatible reader.

We sprung for the latter; although the re-chipping and re-registration would probably cost less than the $220 the reader would cost, we’d need to buy a US reader in addition, since the readers at London Heathrow airport are ISO readers, not FECAVA/AVID-compatible. On top of that, this way gives me a little more peace of mind about compatibility issues when we eventually get the cat to Heathrow; we now know that the cat’s chip will definitely be readable there, instead of taking a risk on the obviously-quite-confusing nest of snakes that is international RFID standardisation.

Anyway, having decided to buy a reader, that wasn’t the last hurdle. Apparently due to the patent infringement lawsuit noted above, no ISO/FDX-B-compatible readers were on sale in the US! A little research found an online vendor overseas, and with a few phone calls, we bought a reader of our very own.

This arrived this morning; with a little struggling from the implantee, we tried it out, and verified that his ID number was readable. Success!

PRNGs and Groove Theory

Published September 23, 2005

Urban Dead is a new browser-based MMORPG that’s become popular recently. I’m not planning to talk about the game itself, at least not until I’ve played it a bit!, but there’s something worth noting here — a cheat called Groove Theory:

Groove Theory was a cheat for Urban Dead that claimed to exploit an apparent lack [sic] of a random number generator in the game, [so] that performing an action exactly eight seconds after a successful action would also be successful.

Kevan, the Urban Dead developer, confirmed that Groove Theory did indeed work, and made this comment after fixing the bug:

There is some pattern to the random numbers, playing around with them; “srand(time())” actually brings back some pretty terrible patterns, and an eight-second wait will catch some of these.

So — here’s my guess as to how this happened.

It appears that Urban Dead is implemented as a CGI script. I’ll speculate that somewhere near the top of the script, there’s a line of code along the lines of srand(time()), as Kevan mentioned. With a sufficiently fast network connection, and a sufficiently unloaded server, you can be reasonably sure that hitting “Refresh” will cause that srand call to be executed on the server within a fraction of a second of your button-press. In other words, through careful timing, the remote user can force the pseudo-random-number generator used to implement rand() into a desired set of states!

As this perl script demonstrates, the output from perl’s rand() is perfectly periodic in its low bits on a modern Linux machine, if constantly reseeded using srand() — the demo script’s output decrements from 3 to 0 by 1 every 2 seconds, then repeats the cycle, indefinitely.

I don’t know if Urban Dead is a perl script, PHP, or whatever; but whatever language it’s written in, I’d guess that language uses the same PRNG implementation as perl is using on my Linux box.

As it turns out, this PRNG failing is pretty well-documented in the manual page for rand(3):

on older rand() implementations, and on current implementations on different systems, the lower-order bits are much less random than the higher-order bits. Do not use this function in applications intended to be portable when good randomness is needed.

That manual page also quotes Numerical Recipes in C: The Art of Scientific Computing (William H. Press, Brian P. Flannery, Saul A. Teukolsky, William T. Vetterling; New York: Cambridge University Press, 1992 (2nd ed., p. 277)) as noting:

“If you want to generate a random integer between 1 and 10, you should always do it by using high-order bits, as in

j=1+(int) (10.0*rand()/(RAND_MAX+1.0));

and never by anything resembling

j=1+(rand() % 10);

(which uses lower-order bits).”

I think Groove Theory demonstrates this nicely!

Update: I need to be clearer here.

Most of the Groove Theory issue is caused by the repeated use of srand(). If the script could be seeded once, instead of at every request, or if the seed data came from a secure, non-predictable source like /dev/random, things would be a lot safer.

However, the behaviour of rand() is still an issue though, due to how it’s implemented. The classic UNIX rand() uses the srand() seed directly, to entirely replace the linear congruential PRNG’s state; on top of that, the arithmentic used means that the low-order bits have an extremely obvious, repeating, simple pattern, mapping directly to that seed’s value. This is what gives Groove Theory its practicability by a human, without computer aid; with a more complex algorithm, it’d still be guessable with the aid of a computer, but with the simple PRNG, it’s guessable, unaided.

Update 2: as noted in a comment, Linux glibc’s rand(3) is apparently quite good at producing decent numbers. However, perl’s rand() function doesn’t use that; it uses drand48(), which in glibc is still a linear congruential PRNG and displays the ‘low randomness in low-order bits’ behaviour.

Buying Music From iTMS in Linux

Published September 20, 2005

On saturday, I spent a little time trying to work out how to give Steve Jobs my money; more accurately, I wanted to get some way to buy music from the iTunes Music Store from my Linux desktop, and this isn’t as easy as it really should be, because the official iTMS is a mess of proprietary Mac- and Windows-only DRM-laden badness.

Here’s a quick walkthrough of how this went:

install iTunes in my VMWare Windows install
sign up for iTMS, and give Apple all my personal info, including super-s3kr1t card verification codes, eek
buy a song
find the DRM’d file in the filesystem; it’s an .m4p file, and xine doesn’t seem to like it
do some googling for ‘iTunes DRM remove linux’; that leads to Jon Lech Johansen’s JusteTune
download and run JusteTune installer
get obscure hexadecimal error code dialog. hmm! what could that mean?
download and run .NET runtime, link on JusteTune page
rerun JusteTune — it works this time
select Account -> Authorize, enter login info
drag and drop file — it’s decrypted!

So, that yields a decrypted AAC file, which I can play on Linux using xine. That’s the hard part done!

However, I want to play my purchases in JuK, the very nice iTunes-style music player app for KDE.

While the gstreamer audio framework supports playback of AAC files with the gstreamer0.8-faad package (‘sudo apt-get install gstreamer0.8-faad’), JuK itself can’t find the file or read its metadata, so it doesn’t show up in the music collection as playable. I don’t want to go hacking code from CVS into my desktop’s music player — possibly the most essential app on the desktop — so transcoding them to MP3 seems to be the best option.

Somebody’s already been here before, though — that’s one of the benefits of being a late adopter! Here’s a script to convert .m4a files to .mp3 using the ‘faad’ tool (‘sudo apt-get install faad’).

During this work, I came across Jon Lech Johansen’s latest masterwork — SharpMusique, a fully operational native Linux interface to the iTMS. Building on Ubuntu Hoary was a simple matter of tar xvfz, configure, make, sudo make install, and it works great — and automatically de-DRMs the files on the fly as it downloads them! Now that’s the way to enjoy the iTMS on Linux, at least until Apple’s engineers break it again.

Update, May 2006: Apple’s engineers broke it. Thanks Wilfredo ;)

End result: a brand new, complete, high-quality copy of Dengue Fever’s new album, Escape From Dragon House. Previously I’d only had a couple of tracks off this, so I’m now a happy camper, music-wise.

BTW, I was also considering trying out the new Yahoo! Music Store, but it too uses fascist DRM tricks and is platform-limited, and I’m not sure how breakable it is. On top of that, the prospect of not being able to try it out before handing over credit-card details put me off. As far as I can see, I can’t even look up the albums offered before subscribing. All combined, I’ll stick with iTMS for now.

Don’t Dumb Me Down

Published September 20, 2005

A great Guardian ‘Bad Science’ column by Ben Goldacre, Don’t dumb me down. An excellent article on how mainstream journalists fail miserably in their attempts to report science stories accurately, and how this fundamentally misrepresents science to society at large.

Being a geek (of the computing persuasion) who hangs out with other geeks (of various science persuasions), I would up discussing this problem myself a month or two ago. This paragraph sums up where I think the failure lies:

There is one university PR department in London that I know fairly well – it’s a small middle-class world after all – and I know that until recently, they had never employed a single science graduate. This is not uncommon. Science is done by scientists, who write it up. Then a press release is written by a non-scientist, who runs it by their non-scientist boss, who then sends it to journalists without a science education who try to convey difficult new ideas to an audience of either lay people, or more likely – since they’ll be the ones interested in reading the stuff – people who know their way around a t-test a lot better than any of these intermediaries. Finally, it’s edited by a whole team of people who don’t understand it. You can be sure that at least one person in any given “science communication” chain is just juggling words about on a page, without having the first clue what they mean, pretending they’ve got a proper job, their pens all lined up neatly on the desk.

I’d throw in the extra step of a paper in Nature. Apart from that, in my opinion, he’s spot on.

Other disciplines don’t have this problem:

Because papers think you won’t understand the “science bit”, all stories involving science must be dumbed down, leaving pieces without enough content to stimulate the only people who are actually going to read them – that is, the people who know a bit about science. Compare this with the book review section, in any newspaper. The more obscure references to Russian novelists and French philosophers you can bang in, the better writer everyone thinks you are. Nobody dumbs down the finance pages. Imagine the fuss if I tried to stick the word “biophoton” on a science page without explaining what it meant. I can tell you, it would never get past the subs or the section editor. But use it on a complementary medicine page, incorrectly, and it sails through.

Statistics are what causes the most fear for reporters, and so they are usually just edited out, with interesting consequences. Because science isn’t about something being true or not true: that’s a humanities graduate parody. It’s about the error bar, statistical significance, it’s about how reliable and valid the experiment was, it’s about coming to a verdict, about a hypothesis, on the back of lots of bits of evidence.

Fingerprinting and False Positives

Published September 19, 2005

New Scientist News – How far should fingerprints be trusted? (via jwz):

Evidence from qualified fingerprint examiners suggests a higher error rate. These are the results of proficiency tests cited by Cole in the Journal of Criminal Law & Criminology (vol 93, p 985). From these he estimates that false matches occurred at a rate of 0.8 per cent on average, and in one year were as high as 4.4 per cent. Even if the lower figure is correct, this would equate to 1900 mistaken fingerprint matches in the US in 2002 alone.

This is why I’m so unhappy about getting fingerprinted as part of US immigration’s US-VISIT program and similar. My fingerprints have been collected on several occasions as part of that program, and as a result will now be shared throughout the US government, and internationally, and will be retained for 75 to 100 years, whether I like it or not.

As a result, with sufficient bad luck, I may become one of those false positives. Fingers crossed all those government and international partner agencies are competent enough to avoid that!

Update: oh wow, this snippet from the New Scientist editorial clearly demonstrates one case where it all went horribly wrong:

Last year, an Oregon lawyer named Brandon Mayfield was held in connection with the Madrid bombings after his fingerprint was supposedly found on a bag in the Spanish capital. Only after several weeks did the Spanish police attribute the print to Ouhnane Daoud, an Algerian living in Spain.

eek! Coverage from the National Assoc of Criminal Defense Lawyers, and the Washington Post.

ToorCon

Published September 15, 2005

ToorCon this year looks good. I’m not going, but I wish I’d gotten it together. There’s a couple of spam/phishing-related talks, and a data-visualisation talk by Christopher Abad; hopefully he might diverge into some of this phishing data he talks about in this First Monday paper. Dan Kaminsky’s talk looks interesting, too —

Application-layer attacks against MD5

We will show how web pages and other executable environments can be manipulated to emit arbitrarily different content with identical MD5 hashes.

Sounds like fun!

TiVo Co-Opts Anti-Spam Terminology

Published September 15, 2005

This is pathetic. As noted in the link-blog a couple of days ago (as well as everywhere else), TiVo’s new DRM features have been spotted ‘in the wild’, protecting the valuable Intellectual Property that is Family Guy and Simpsons reruns.

The icing on the cake is that TiVo have come up with a hilarious hand-wavy explanation — apparently it was line noise. Marc Hedlund of O’Reilly and Cory Doctorow are having none of it, and rightly so; as a bonus, Cory asked a group of DRM experts, who ‘burst into positive howls of disbelief’ that line noise could corrupt the DRM bits and the corresponding checksums to match.

From my angle, though, there’s another noteworthy factor:

“During the test process, we came across people who had false positives because of noisy analog signals. We actually delayed development (of the new TiVo software) to address those false positives.” (– Jim Denney, director of product marketing for TiVo)

Interesting use of the term ‘false positive’ there. Sounds more like a good old-fashioned bug if you ask me ;)

Anyway, I’m glad I went for the home-built option. It was pretty obvious that TiVo are in the cross-hairs, and their product is only going to get worse as the DRM industry push harder…

SpamAssassin 3.1.0

Published September 15, 2005

‘ANNOUNCE: SpamAssassin 3.1.0 available!’ – MARC

Phew. That took a while, but it’s worth it ;)

Bart Simpson vs. Missing-Person Data Entry

Published September 13, 2005

Ka-Ping Yee notes that Google have launched Katrina People Search, using Ping’s speedily-created People Finder Interchange Format. This is good, especially since there’s still no sign of the FEMA/Microsoft effort.

In passing — it’s disappointing to note how many appearances are made by a Mr. Heywood J. Ablohmie…

DnsblAccuracy082005 – Spamassassin Wiki

Published September 11, 2005

Do you use anti-spam DNS blocklists? If so, you should probably go take a look at DnsblAccuracy082005 on the SpamAssassin wiki; I’ve collated the results from our recent mass-check rescoring runs for 3.1.0, to produce have up-to-date measurements of the accuracy and hit-rates for most of the big DNS blocklists.

A few highlights:

highest hit-rate of an IP blocklist: the Distributed Sender Blackhole List, with 39.84% of spam hit
most accurate IP blocklist: the Spamhaus Exploits Block List, with a miniscule 0.04% false positive rate
highest hit-rate network test, overall: the OB SURBL list, 51.93% of spam hit

We don’t have accurate figures for the new URIBL.COM lists, btw — only the rulesets that are distributed with SpamAssassin were measured.

Justin's Linklog Posts