Blog Archive: September 2011

Fri, 30 Sep 2011 23:26:18 UTC

Update: I can't make it to LOPSA-NJ meeting next week.

Posted By Tom Limoncelli

Due to traveling, I won't be there. However, John Wagner will be giving an excellent talk called "The !# site is down! Again!?"

Fri, 30 Sep 2011 21:42:44 UTC

Friday Squid Blogging: Interesting Squid Recipes

Posted By Bruce Schneier

Plus a slide show of pretty dishes....

Fri, 30 Sep 2011 18:06:05 UTC

With a Little Help now available to libraries

Posted By Cory Doctorow

Daniel Krause interviewed me in Booklist about my DIY short story collection, With a Little Help, on the occasion of that book being listed in the Ingram catalog, which'll make it easy for libraries to get copies.

Fri, 30 Sep 2011 01:02:18 UTC

3 years and counting

Posted By Greg Lehey

Three years ago, at least in UTC, I booted my external server:

    Wed Sep 28 23:00:13 UTC 2011
    11:00PM  up 1095 days, 29 mins, 1 user, load averages: 0.00, 0.00, 0.00
    USER      PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
    root       11 99.0  0.0     0     8  ??  RL   28Sep08 1320690:02.75 [idle: cpu1]
    root       12 98.5  0.0     0     8  ??  RL   28Sep08 1337418:49.99 [idle: cpu0]

I've spent my life with high-availability systems.

Thu, 29 Sep 2011 19:00:00 UTC

Android App Engine Client

Posted By Tim Bray

Recently I wrote a scary App-Engine back end for an Android app. I wanted it to be secure, which should be easy because Androids have Google accounts and App Engine knows about those. I got it to work, but the process irritated me enough that I decided to package it up as a public service. So now there's a little open-source library called App Engine REST Client. It offers GET and POST methods, includes an Authenticator class, and tries to be as simple as possible to use. When it comes to App Engine authentication, the factors that can trip up a literal-minded programmer with insufficient attention to detail, like for example me, include: The most obvious way of using the authent APIs can result in control jumping from one thread to another in a non-obvious way.

Thu, 29 Sep 2011 12:07:03 UTC

Insecure Chrome Extensions

Posted By Bruce Schneier

An analysis of extensions to the Chrome browser shows that 25% of them are insecure: We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web...

Wed, 28 Sep 2011 23:04:59 UTC

Next power failure

Posted By Greg Lehey

As if to prove Kevin right, had another power failure at 16:42, while I was watching TV. Once again the UPS on the projector cut out; I'm going to have to put something bigger there. And the one on Yvonne's computer also failed. It's over 4 years old, and I suspect the batteries have reached end of life. Still more expenditure required to protect ourselves from Powercor.

Wed, 28 Sep 2011 19:00:00 UTC

Post Sunset

Posted By Tim Bray

Part of the public pier by the Jericho Sailing Centre, one of the nicest things about warm Vancouver evenings. If you enlarge it, there are nifty cobwebs.

Wed, 28 Sep 2011 18:52:44 UTC

I'll be speaking at LOPSA-NJ in October

Posted By Tom Limoncelli

I'll be one of the speakers at the September LOPSA-NJ meeting Thu Oct 6, 2011. The topic will be "You Suck At Time Management (but it isn't your fault!)". This talk will have a lot of info specific to security engineers, so if you have a friend that does security for a living, please invite them. If you are in the area, I hope to see you there! Info about the event: On the LOPSA-NJ Website. Info about LOPSA-NJ: http://lopsanj.org

Wed, 28 Sep 2011 15:49:22 UTC

The Brave Little Toaster, from TRSF

Posted By Cory Doctorow

Here's a reading of my short story Brave Little Toaster, which was just published in TRSF, the inaugural science fiction anthology from MIT's Tech Review. It's a short-short story on the "Internet of Things" and what happens when it all goes wrong. Mastering by John Taylor Williams. John Taylor Williams is a full-time self-employed …

Wed, 28 Sep 2011 11:03:31 UTC

Making Fake ATMs Using 3D Printers

Posted By Bruce Schneier

One group stole $400K....

Wed, 28 Sep 2011 02:35:32 UTC

Metz speaks

Posted By Greg Lehey

Nobody on the lists seems to know anything about Nickel-zinc batteries, but everything I've seen suggests that they're worth trying. Bought 8 batteries and a charger on eBay. I'll try them out on my power-hungry Nikon “Coolpix” L1, which wouldn't pose such a problem if it were to die. Also finally got round to sending an enquiry via their web form, which displayed about a quarter of the short text: Peter Jeremy has pointed me to the triangle at bottom left of the input field.

Wed, 28 Sep 2011 00:14:04 UTC

More USB disk problems

Posted By Greg Lehey

Yvonne into my office this afternoon to say that the cursor on her display wasn't moving. After confirming that she had tried a bigger hammer, checked and found that the system had frozen. After reboot, /var/log/messages showed lots of:

    Sep 27 13:47:11 lagoon kernel: (da0:umass-sim0:0:0:0): AutoSense failed
    Sep 27 13:47:11 lagoon kernel: g_vfs_done():da0p1[WRITE(offset=1318222561280, length=131072)]error = 5
    Sep 27 13:47:11 lagoon kernel: g_vfs_done():da0p1[WRITE(offset=1318222692352, length=114688)]error = 5

That's from my USB-connected photo backup disk. I thought the USB problems were over and done. High time to debug the hot plug issues with the eSATA adapter that I bought months ago, but in the meantime needed to do a backup.

Tue, 27 Sep 2011 12:43:30 UTC

Links for Tuesday, September 27, 2011

Posted By Jeff Barr

HTML 5 Rocks: How Browsers Work “This comprehensive primer on the internal operations of WebKit and Gecko is the result of much research done by Israeli developer Tali Garsiel. Over a few years, she reviewed all the published data about browser internals and spent a lot of time reading web browser source code.” Kickstarter: Teaguedino: Learn [...]

Tue, 27 Sep 2011 12:12:39 UTC

Problems with Mac OS X Lion Passwords

Posted By Bruce Schneier

Seems like some dumb mistakes. News article....

Mon, 26 Sep 2011 19:20:00 UTC

Science as Dance

Posted By Benjamin Mako Hill

The following selected bibliography showcases only a small portion of the academics who have demonstrated that while it may take two to tango, it only takes one to give a scholarly paper a silly cliche title:

Briganti, G. 2006. It Takes Two to Tango-The CH-53K is arguably the first serious US attempt to open the defense cooperation NATO has been seeking. Rotor and Wing 40(7):6063.

Coehran, J. 2006. It Takes Two to Tango: Problems with Community Property Ownership of Copyrights and Patents in Texas. Baylor L. Rev. 58:407.

Diamond, M.J. 1984. It takes two to tango: Some thoughts on the neglected importance of the hypnotist in an interactive hypnotherapeutic relationship. American Journal of Clinical Hypnosis 27(1):313.

Mon, 26 Sep 2011 15:47:14 UTC

Talk on the privacy bargain, big data, and human sensors versus human barcodes

Posted By Cory Doctorow

Here's the video from the talk I gave last week at the O'Reilly Strata conference on "big data" in NYC. The talk is called "Designing for Human Sensors, Not Human Barcodes," and it talks about the philosophy underpinning the "privacy bargain" we strike online when we trade personal information for access to services. Strata Summit …

Mon, 26 Sep 2011 11:41:23 UTC

Tor Arms Race

Posted By Bruce Schneier

Iran blocks Tor, and Tor releases a workaround on the same day. How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the...

Mon, 26 Sep 2011 01:15:47 UTC

A use for smart phones after all?

Posted By Greg Lehey

I've mused about smart phones a couple of times recently, and I've had a pretty active discussion with various people, notably Tom Maynard. I don't need a smart phone, and others can't live without them. What are the real issues? On the positive side, they're an incredible amount of computing power, and particularly communication power, in a small package. People on the move can do all sorts of things with them. Tom uses them for navigation (of course), looking up bank balances, restaurant critiques, weather forecasts, and even for making phone calls. But I can do all except the last without a smart phone.

Sun, 25 Sep 2011 02:47:09 UTC

Facebook crash

Posted By Greg Lehey

I've had a browser running for some days now, displaying the Facebook home page. This afternoon I looked at that screen and saw: Nothing that unusual, I suppose, but it's the first time I've seen a web application crash.

Sat, 24 Sep 2011 19:00:00 UTC

Sheep

Posted By Tim Bray

I totally promise that this is not going to become a sheepblog. Having said that, here are two. Photogeek note: I note that the K-5 tends to produce unreasonably dramatic images when asked to capture a reasonable foreground against a brilliant background; another example would be this Flickr photo, which I really like.

Fri, 23 Sep 2011 21:28:35 UTC

Friday Squid Blogging: Sex Life of Deep-Sea Squid

Posted By Bruce Schneier

There's evidence of indiscriminate fertilization in deep-sea squid. They mate with any other squid they encounter, male or female. This unusual behaviour, they said, may be explained by the fact the squid is boosting its chances of successfully passing on its genes in the challenging environment it lives in. In the Royal Society paper the team writes: "In the deep,...

Fri, 23 Sep 2011 19:00:00 UTC

Cloud Lifesaving and Fear

Posted By Tim Bray

Last year I built (and of course blogged) this nifty little Android app called LifeSaver, which would copy your telephone-call and SMS logs onto an SD card, so you could move the SD card to another phone, run LifeSaver again, and get 'em all back. Calls and texts aren't migrated by the excellent Android backup system. A few thousand people used it (I sure did, since I change phones all the time), and reviews are good. But it's becoming less useful, because lots of phones these days don't have SD cards. A smart Googler suggested I put an App Engine back-end on it, so it wouldn't need anything but a network connection.

Fri, 23 Sep 2011 18:37:26 UTC

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

Posted By Bruce Schneier

It's the Browser Exploit Against SSL/TLS Tool, or BEAST: The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through...

Fri, 23 Sep 2011 16:30:22 UTC

Big Data and privacy

Posted By Cory Doctorow

Earlier this week, I gave a talk on the way that "Big Data" is underpinned with a kind of myth about how users trade privacy for services. Ciara Byrne from the NYT's VentureBeat interviewed me afterwards about it. I think she did a really good job of condensing a hard, nuanced question into a brief …

Fri, 23 Sep 2011 15:48:21 UTC

Supporting UEFI secure boot on Linux: the details

Posted By Matthew Garrett

(Update January 18th 2012 - you probably want to read this for details on why the technical details described below are not the difficult bit of the problem) An obvious question is why Linux doesn't support UEFI secure booting. Let's ignore the issues of key distribution and the GPL and all of those things, and instead just focus on what would be required. There's two components - the signed binary and the authenticated variables. The UEFI 2.3.1 spec describes the modification to the binary format required to produce a signed binary. It's not especially difficult - you add an extra entry to the image directory, generate a hash of the entire binary other than the checksum, the certificate directory entry and the signatures themselves, encrypt that hash with your key and embed the encrypted hash in the binary.

Fri, 23 Sep 2011 13:01:14 UTC

UEFI secure booting (part 2)

Posted By Matthew Garrett

Updated: Three things happened to defuse this situation: Microsoft mandated that it be possible to disable Secure Boot on any Windows certified systems; Microsoft mandated that it be possible for the user to replace the original Secure Boot keys on any Windows certified systems; Microsoft were willing to sign alternative OS bootloaders with their signing keys. As a result, the worst case scenario did not come to pass and it's still possible for users to install Linux on their systems. Original content follows: Microsoft have responded to suggestions that Windows 8 may make it difficult to boot alternative operating systems. What's interesting is that at no point do they contradict anything I've said.

Fri, 23 Sep 2011 11:53:36 UTC

Three Emerging Cyber Threats

Posted By Bruce Schneier

On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: The Rise of Big Data. By this I mean industries that trade on our data. These include traditional...

Fri, 23 Sep 2011 10:22:43 UTC

An Interesting Software Liability Proposal

Posted By Bruce Schneier

This proposal is worth thinking about. Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund. This clause addresses how to avoid liability: license your users to inspect and chop off any and all bits of your...

Fri, 23 Sep 2011 00:22:25 UTC

Installing the Friends' ADSL modem

Posted By Greg Lehey

Next off to the Botanical Gardens to set up the ADSL modem that I had picked up on Tuesday. There was really not much to set up: this appears to be a really bare-bones modem. Enter user name and (new) password as given to me on the phone, press Connect. Got a message saying Connecting in 30 seconds, counting down until 0, then the message You are ready to connect. Press Connect to connect. Same again. And again. Looking at the modem display, the PPP LED was out. Was this the modem's way of saying PPP authentication failed? What a pain!

Thu, 22 Sep 2011 23:32:02 UTC

Smart phones: first contact

Posted By Greg Lehey

I've already mentioned why a smart phone is nothing for me. But Chris Yeardley has just bought one, a Samsung <mumble>. I had lunch with her today (it's amazing how expensive the university cafeteria is) and she showed it to me. Talked about the complete lack of security in my contacts with TransACT, so decided to show her the whois entries. That's not easy, for reasons unrelated to the smart phone: getting plain whois information on line is not easy, as I discovered while writing yesterday's diary entry. The majority seems to be oriented towards selling domain names at three times the going rate rather than giving information.

Thu, 22 Sep 2011 23:19:44 UTC

Back to school

Posted By Greg Lehey

To the University today to attend my first lecture in decades, and possibly the first ever about Computer Science. Sasha Ivkovic is doing a class on Open Source, and Chris Yeardley suggested I came to listen. First, though, to Gays to buy some timber and shade cloth for the planned shade area in the garden. Paid a total of $75, which seems more than reasonable. Getting from there to the University proved much slower than I had expected. It's less than half an hour from Dereel, and I was expecting about 5 to 10 minutes, but in fact it took 25, and I was late (something I hate).

Thu, 22 Sep 2011 12:09:42 UTC

U.S.-Australia Cyberwar Treaty

Posted By Bruce Schneier

The long-standing ANZUS military treaty now includes cyberspace attacks: According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both. Exactly what this means in practice is less clear: practically every government with a connection to...

Wed, 21 Sep 2011 23:18:48 UTC

TransACT support: the security

Posted By Greg Lehey

Called up TransACT support again today, starting at round 11:00, when you'd think that they'd be relatively quiet. Once again I progressed in the queue to the next available representative after about 1 minute of waiting. And once again I got the Due to an unprecedented influx of calls we cannot answer in a timely manner. Press 1 to leave a message. It took them 40 minutes to answer my call. That's clearly too long, and they apologized. It seems that the other support person is studying law and had to go for an exam. But what's a reasonable time? I think that it would have to be under 10 minutes, probably under 5.

Wed, 21 Sep 2011 21:59:49 UTC

Déjà vu All Over Again - The Mobile Testing Nightmare

Posted By Robert V. Binder

I attended a great talk today about testing mobile applications, given by Lee Barnes of Utopia Solutions. It recounted the Rubik's cube permutations that affect mobile app quality and reliability: multiple stacks, multiple handheld devices/form factors, constrained battery life, constrained …

Wed, 21 Sep 2011 19:00:00 UTC

Hula Hoops and Shoelaces

Posted By Tim Bray

Well, those seem at the center of her show. Taken at some festival or other this last weekend on Vancouver's Main Street which isn't very Main but is very good.

Wed, 21 Sep 2011 15:46:38 UTC

LOPSA Columbus, Ohio Chapter Starting

Posted By Tom Limoncelli

Matt Simmons wrote me to let me know that the LOPSA Board has approved the creation of a Columbus, Ohio chapter! Times, places, and topics are still being worked on. If you are interested, join the mailing list at https://lists.lopsa.org/cgi-bin/mailman/listinfo/lopsa-us-oh-columbus Congrats and good luck to everyone in Columbus!

Wed, 21 Sep 2011 11:58:19 UTC

Shifting Risk Instead of Reducing Risk

Posted By Bruce Schneier

Risks of teen driving: For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash data...

Wed, 21 Sep 2011 10:49:40 UTC

TRSF: MIT Technology Review's science fiction anthology

Posted By Cory Doctorow

TRSF is a new science fiction anthology of original stories commissioned by Technology Review, the tech magazine published by MIT. They commissioned a story from me, "The Brave Little Toaster," and the brief asked me to look at near future science and technology issues -- I tackled "The Internet of Things," and told a story …

Wed, 21 Sep 2011 00:06:38 UTC

To the Friends again, with surprises

Posted By Greg Lehey

In preparation for going to the Friends of the Ballarat Botanical Gardens this afternoon, spent the morning removing birch seedlings (Betula pendulis) from the garden, in total about 30 of them. Also took a seedling of the Cathedral tree and both a seedling and a branch of another mystery plant: On the way into town, nearly drove into the back of the car in front of me when he suddenly stopped while leaving the roundabout in the middle of Sebastopol.

Tue, 20 Sep 2011 18:23:22 UTC

UEFI secure booting

Posted By Matthew Garrett

Since there are probably going to be some questions about this in the near future: The UEFI secure boot protocol is part of recent UEFI specification releases. It permits one or more signing keys to be installed into a system firmware. Once enabled, secure boot prevents executables or drivers from being loaded unless they're signed by one of these keys. Another set of keys (Pkek) permits communication between an OS and the firmware. An OS with a Pkek matching that installed in the firmware may add additional keys to the whitelist. Alternatively, it may add keys to a blacklist. Binaries signed with a blacklisted key will not load. There is no centralised signing authority for these UEFI keys.

Tue, 20 Sep 2011 13:44:17 UTC

Spot Instances, Big Clusters, & the Cloud at Work

Posted By James Hamilton

If you read this blog in the past, you'll know I view cloud computing as a game changer (Private Clouds are not the Future) and spot instances as a particularly powerful innovation within cloud computing. Over the years, I've enumerated many of the advantages of cloud computing over private infrastructure deployments. A particularly powerful cloud computing advantage is driven by noting that when combining a large number of non-correlated workloads, the overall infrastructure utilization is far higher for most workload combinations. This is partly because the reserve capacity to ensure that all workloads are able to support peak workload demands is a tiny fraction of what is required to provide reserve surge capacity for each job individually.

Tue, 20 Sep 2011 11:36:38 UTC

Complex Electronic Banking Fraud in Malaysia

Posted By Bruce Schneier

The interesting thing about this attack is how it abuses a variety of different security systems. Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the...

Mon, 19 Sep 2011 23:37:11 UTC

My two //build/ talks online

Posted By Herb Sutter

My two talks from last week’s //build/ conference are online. My personal favorite is Writing Modern C++ Code: How C++ Has Evolved Over the Years. The thesis is simple: Modern ISO Standard C++ code is clean, safe, and fast. C++ has got a bad rap over the years, partly earned, but that’s history. This talk [...]

Mon, 19 Sep 2011 23:33:42 UTC

More firefox rendering strangenesses

Posted By Greg Lehey

I've only just come to terms with the strange way that one of my firefox profiles prints web pages, and now I find that the same profile has developed other issues: the display fonts seem to have changed. The larger fonts on my diary have shrunk. Here before and after: This isn't due to explicit differences in settings: the old version is the profile that I derived from what has now become the new version a week ago for teevee - thus the difference in format.

Mon, 19 Sep 2011 23:06:03 UTC

Ballarat Gardens in Spring

Posted By Greg Lehey

So finally the (PDF) brochure for Ballarat Gardens in Spring is complete, and it's up on the web site. And, apart from a brief mention on the home page, that was all. There's a general feeling amongst the that PDF documents are enough, but it's clear to me that the web is for web content, so set to writing a couple of pages. That's not as simple as it sounds. The current home page for the friends has a number of validation errors, and as an HTML file it needs to contain all its invariant markup as well.

Mon, 19 Sep 2011 19:00:00 UTC

Windows Cold Call

Posted By Tim Bray

Recently, it's been happening over and over: the phone rings after dinner and a call-center pickup system switches in a person with a heavy South-Asian accent who tells us that there is a problem with our Windows system, and offers help. Dear cold-caller; Yes, there is a Windows problem: Windows is boring. It's entirely peripheral to anything in my profession that's interesting; has been for a decade. It adds no energy to the ecosystem, and traps millions of Enterprise workers in an environment that while visually appealing (Win7 at least) is pointing away from where the action is. But hey, Win 8 looks great, they say, and Metro is bold and different and may even partake of cool.

Mon, 19 Sep 2011 19:00:00 UTC

Use the Source!

Posted By Tim Bray

I'm working on an Android app and the documentation didn't stop me making a stupid mistake. If it weren't open-source, that might have been a problem. For the first time in my Android life, I wanted to use a Notification. The instructions are straightforward, except for I was worried about what size graphic to use in the pull-down notification (as opposed to in the status bar); it didn't seem like they could be the same size, and the nice list of icon sizes didn't have one labeled Notification pulldown. So I tried guessing but that didn't work out very well. Worse than that, the usual plan B, typing notification pulldown icon size into Google, didn't help much.

Mon, 19 Sep 2011 19:00:00 UTC

4G Performance Silliness

Posted By Tim Bray

I was scanning the mobile-tech news and saw a story on a performance shootout between the LTE implementations from Verizon and AT&T; I skipped by the link and can't find it now, but that's OK because I'm here to debunk it. The study found that A's LTE went to 45M/sec whereas V's was only 35, or maybe the other way around, and maybe the numbers aren't quite right. It Doesn't Matter. As the user of a 50M/sec home network via my local cable company, I have found these things to be true: There are very few sources of interesting data on the Web that can reach double-digit MB/second.

Mon, 19 Sep 2011 18:35:15 UTC

Pretty Creepy Type of Cyberstalking

Posted By Bruce Schneier

Luis "Guicho" Mijangos, "sextortionist."...

Mon, 19 Sep 2011 11:35:57 UTC

The Effectiveness of Plagiarism Detection Software

Posted By Bruce Schneier

As you'd expect, it's not very good: But this measure [Turnitin] captures only the most flagrant form of plagiarism, where passages are copied from one document and pasted unchanged into another. Just as shoplifters slip the goods they steal under coats or into pocketbooks, most plagiarists tinker with the passages they copy before claiming them as their own. In other...

Sun, 18 Sep 2011 19:00:00 UTC

Browser Breakup

Posted By Tim Bray

For some years, Safari has been my default browser. I generally prefer its choices in framing and ergonomics and shortcuts over all others. But I've had to stop using it. In recent releases, Safari has been re-architected, with some of the work farmed out to a thing called WebProcess. This doesn't seem to be working out that well. Specifically, I note that: Switching from tab to tab is sluggish, and when the system gets overloaded, you get a lot of gratuitous repaints. The WebProcess and Safari processes feature prominently in readouts of what's consuming the system's CPU and memory. When you have a few dozen tabs open, some of them for days, and some of them being full of dynamic code, the whole system gets increasingly slow and unstable.

Sun, 18 Sep 2011 17:56:29 UTC

Time Management for Sysadmins 50% off Ebook

Posted By Tom Limoncelli

Use code B2SDEAL http://bit.ly/b2sdeal to get 50% off Time Management for Sysadmins in eBook format part of the Back To School Deal from O'Reilly. At $9.99 it is hard to pass up this deal. Offer expires September 28th, and may not be combined with other offers.

Sun, 18 Sep 2011 01:08:58 UTC

Smart phones: just what I need

Posted By Greg Lehey

Mail from Tom Maynard today, suggesting a solution to my problems identifying plants in the greenhouse: use a smart phone and a web browser to display my diary in the greenhouse. At least it would get around the breakage with web browser print output. But why a smart phone? Because I will have some mobile coverage in the greenhouse. Theoretically I could use a laptop, but then I wouldn't be able to make phone calls with it. In fact, I don't have mobile coverage in the greenhouse, thanks to cranks like the Dereel Anti-Tower Alliance. I do have 802.11 coverage, and I did consider using a laptop.

Sat, 17 Sep 2011 19:00:00 UTC

D.F. From Above

Posted By Tim Bray

The letters stand for Distrito Federal which is (using Wikipedia's felicitous adjective) coterminous with Ciudad de México or what we'd call Mexico City. I'm really fond of it. Not that I've been there much; a few days in 1992 and then again last month. But something about walking its streets and riding its wheels and eating its food has filled me with smiles on every one of that small number of days. It's by any measure one of the world's great cities; bigger than seems sane and striving against its boundaries; geographic, economic, political, and any other dimension you care to name.

Sat, 17 Sep 2011 19:00:00 UTC

Autumn Leaves

Posted By Tim Bray

Rain on the roof awoke me this September morning. Out and about later, I watched the leaves: green and working still, but starting to fall in waves and (we all know) not here for long. I thought of printed books and magazines. And silver disks. And cash.

Sat, 17 Sep 2011 02:09:00 UTC

Software Freedom Day Boston 2011

Posted By Benjamin Mako Hill

This year, Software Freedom Day in Boston is being organized by Asheesh and Deb and OpenHatch which means a focus on increasing involvement in free software communities. If you are all interested in getting involved in the free software community in any way and at any level -- or interested in hearing about how that might happen someday -- this is a great event to attend. For my part, I'll be giving a short talk on getting involved in Debian.

Sat, 17 Sep 2011 02:03:39 UTC

Firefox PDFs analysed

Posted By Greg Lehey

My article yesterday about printing out web pages from firefox aroused some interest. After some investigation, it proved that yes, indeed, there's something in my profile that causes this horrible distortion. With a vanilla profile, it produces legible output. It even fills the width of the page by enlarging the text accordingly: Now, instead of the tiny 7 pt text that I got from Apple, I get enormous 14 pt text.

Sat, 17 Sep 2011 01:45:41 UTC

PHP insights

Posted By Greg Lehey

One of the things that I haven't been able to do with PHP is to conditionally process page text. Part of this relates to the display of individual topics. For example, this entry starts with:

      <?php pubdate ("2011-09-17T01:45:41+00:00"); ?>
      <?php texttopic ("c", "PHP insights"); ?>

texttopic() checks the topic ("c" in this case, for computers). If it isn't set, it suppresses the article. That could be simple:

    <?php if (ontopic ($topic))
            print <<< EOF
          <p>
            One of the things that I haven't been able to do with <a href="http://www.php.org/">PHP</a>
            is to conditionally process page text.

Fri, 16 Sep 2011 21:52:39 UTC

Friday Squid Blogging: Squid Street Art

Posted By Bruce Schneier

Nice....

Fri, 16 Sep 2011 17:31:09 UTC

Identifying Speakers in Encrypted Voice Communication

Posted By Bruce Schneier

I've already written how it is possible to detect words and phrases in encrypted VoIP calls. Turns out it's possible to detect speakers as well: Abstract: Most of the voice over IP (VoIP) traffic is encrypted prior to its transmission over the Internet. This makes the identity tracing of perpetrators during forensic investigations a challenging task since conventional speaker recognition...

Fri, 16 Sep 2011 15:00:00 UTC

python-gflags: version 1.6 released

Posted By Tom Limoncelli

The Google flags parser (available for Python and C++) is very powerful. I use it for all my projects at work (of course) and since it has been open sourced, I use it for personal projects too. While I support open source 100% I rarely get to submit much code into other people's projects (I contribute to documentation more than code... go figure). So, even though it is only a few lines of new code, I do want to point out that the 1.6 release of the Python library has actual code from me. One of the neat features of this flags library is that you can specify a file to read the flags from.

Fri, 16 Sep 2011 11:04:49 UTC

Lib Dems get a chance to vote on copyright reform

Posted By Cory Doctorow

The Guardian

Fri, 16 Sep 2011 11:04:36 UTC

LibDems get to vote on copyright reform, but who inserted the clause saying downloading should be a criminal act?

Posted By Cory Doctorow

My latest Guardian column, "Lib Dems get a chance to vote on copyright reform," discusses the new Liberal Democrat IT white paper that's being presented at the party conference this weekend, where members will get the chance to vote in favor of repealing some of the worst sections of the Digital Economy Act, dealing with …

Fri, 16 Sep 2011 10:22:54 UTC

Domain-in-the-Middle Attacks

Posted By Bruce Schneier

It's an easy attack. Register a domain that's like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened. These are called "doppleganger domains." To test the...

Fri, 16 Sep 2011 03:28:22 UTC

Should you launch at a conference?

Posted By Joel Spolsky

Should you launch at Launch? (Or TechCrunch Disrupt? Or Demo? They're all pretty similar). This year I launched two major new products at conferences: Careers 2.0 and Trello, and both times, it was totally worth it. First, a little background. There are three popular conferences where you can launch new products: Launch, TechCrunch Disrupt, and Demo. They all work the same way: You apply. If you have a half-decent product that is genuinely new, you're likely to get a spot. That said, hundreds of companies apply for these conferences with unbearably awful products, so there's always a risk that you'll get lost in the noise.

Thu, 15 Sep 2011 23:21:17 UTC

Gardening documentation

Posted By Greg Lehey

Over the last few weeks I have bought a number of plants and also planted seeds and propagated other plants. With spring coming, it's time to decide where to plant them. In the past this has meant going into the greenhouse, looking at what's there and deciding where it might go. The problem with this approach is that I don't have an overview: not all plants are in the greenhouse, and I don't have information about the conditions they want or how big they will get. I have all this information in my diary, for example for the plants we bought at the market at the end of last month.

Thu, 15 Sep 2011 17:45:30 UTC

Sharing Security Information and the Prisoner's Dilemma

Posted By Bruce Schneier

New paper: Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), "Knowledge Sharing and Investment Decisions in Information Security," Decision Support Systems, in press. Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary...

Thu, 15 Sep 2011 15:19:18 UTC

Clockwork Fagin, free YA steampunk story

Posted By Cory Doctorow

My short story Clockwork Fagin, which will appear in the forthcoming YA anthology Steampunk! is available from today as a free file for Kindle, Nook, and other ebook platforms. The whole anthology comes out on Oct 11.

Thu, 15 Sep 2011 11:52:01 UTC

A Status Report: "Liars and Outliers"

Posted By Bruce Schneier

It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth...

Thu, 15 Sep 2011 05:21:00 UTC

Anxiety

Posted By Benjamin Mako Hill

  by  nffcnnr I am haunted by the nagging fear that I have mailboxes, tucked into a dark corner of an office somewhere, and perhaps even full of checks and important documents, that I don't know exist.

Wed, 14 Sep 2011 21:53:43 UTC

Usenix LISA registration is open...

Posted By Tom Limoncelli

http://www.usenix.org/events/lisa11/ (as of a few minutes ago)

Wed, 14 Sep 2011 19:02:38 UTC

Risk Tolerance and Culture

Posted By Bruce Schneier

This is an interesting study on cultural differences in risk tolerance. The Cultures of Risk Tolerance Abstract: This study explores the links between culture and risk tolerance, based on surveys conducted in 23 countries. Altogether, more than 4,000 individuals participated in the surveys. Risk tolerance is associated with culture. Risk tolerance is relatively low in countries where uncertainty avoidance is...

Wed, 14 Sep 2011 11:55:14 UTC

TSA Administrator John Pistole on the Future of Airport Security

Posted By Bruce Schneier

There's a lot here that's worth watching. He talks about expanding behavioral detection. He talks about less screening for "trusted travelers." So, what do the next 10 years hold for transportation security? I believe it begins with TSA's continued movement toward developing and implementing a more risk-based security system, a phrase you may have heard the last few months. When...

Wed, 14 Sep 2011 01:05:06 UTC

2011: The year of no fun

Posted By Greg Lehey

It's only been a couple of days since I noted that programming is no fun any more, and observed how bloated modern libraries are. That's nothing new, of course, but it seems that more and more people are sitting up and paying attention. Today the draft schedule for next year's Linux.conf.au was released, and I found a paper by Rusty Russell: Bloat: How and Why UNIX Grew Up (and Out). He takes the example of ls(1): in the Sixth Edition it was 4920 bytes, on the current version of Ubuntu it's 105776 bytes -- and he hasn't mentioned the dynamic libraries. Looks like a presentation worth visiting.

Tue, 13 Sep 2011 23:53:00 UTC

More reception issues

Posted By Greg Lehey

Why does turning the bedside light on improve the reception of the bedside radio? It can't be the light. So I checked that: remove the globe and try again. Yes, it still improves the reception. Why? About the only conclusion I can come to is that the active (live, phase) conductor runs through the house and acts as an antenna. When the power is on, this allows the wires to act like a secondary antenna. That's still a little confusing, since the switch is in the cable, not on the wall, but it seems to make sense. Maybe it's the lampstand itself which works like an antenna.

Tue, 13 Sep 2011 19:00:32 UTC

Ars: Searching Win8

Posted By Herb Sutter

Check out Ars’ choice of search term about 2/3 of the way down the page. Hi-res here. Filed under: C++, Microsoft, Software Development

Tue, 13 Sep 2011 19:00:00 UTC

MOA Portraits

Posted By Tim Bray

That stands for Museum of Anthropology and I've been before. I took pictures of a bunch of faces. My favorite I think being this crystal Bodhisattva. I could give you a description of where all these are from and what they mean, well that is if I'd taken notes and not just pictures. If you want to know, go visit the place already.

Tue, 13 Sep 2011 18:46:52 UTC

Human Pattern-Matching Failures in Airport Screening

Posted By Bruce Schneier

I've written about this before: the human brain just isn't suited to finding rare anomalies in a screening situation. The Role of the Human Operator in Image-Based Airport Security Technologies Abstract: Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports....

Tue, 13 Sep 2011 17:44:10 UTC

Announcing Trello

Posted By Joel Spolsky

Around the time of Fog Creek Software's ten year anniversary, I started thinking that if we want to keep our employees excited and motivated for another ten years, we were going to need some new things to work on. It occurred to me that we could easily afford to make four little two-person teams to launch four new products. That would give our developers more chances to move around from product to product when they got bored, which would make Fog Creek Software an even better place to work. Each team, we decided, would be guided by the spirit of lean startups.

Tue, 13 Sep 2011 11:38:57 UTC

Risk Perception and Terrorism

Posted By Bruce Schneier

I've been posting about a lot of academic articles of late, because that's what I'm reading. Here's another. Clinton M. Jenkin (2006), Risk Perception and Terrorism, Homeland Security Affairs....

Tue, 13 Sep 2011 01:42:24 UTC

Ironing out the wrinkles on teevee

Posted By Greg Lehey

More playing around with the configuration on teevee today. I'm getting there: firefox now works correctly, though it still keeps telling me that it's out of date. But I've run into something very strange: the fvwm move window function now latches. On other systems, and previously on teevee, I can move a window with the combination c-a-mouse-3. Hold button 3 down, move the window, release. But that no longer works on teevee: instead, it latches, and nothing happens until I release the button. Then I can move the window and click somewhere when I'm done. Why? I'm very sure I haven't changed anything in this area.

Mon, 12 Sep 2011 18:27:27 UTC

More 9/11 Retrospectives

Posted By Bruce Schneier

Joseph Stiglitz on the price of 9/11. How 9/11 changed surveillance. New scientific research as a result of 9/11. A good controversial piece. The day we lost our privacy and power. The probability of another 9/11-magnitude terrorist attack. To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to...

Mon, 12 Sep 2011 14:20:07 UTC

ACLU Report on the War on Terror

Posted By Bruce Schneier

This report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."...

Mon, 12 Sep 2011 13:50:45 UTC

Great Big Beautiful Tomorrow ebook now available

Posted By Cory Doctorow

"Great Big Beautiful Tomorrow," the PM Press "Outspoken Authors" chapbook that includes my novella "There's a Great Big Beautiful Tomorrow/Now is the Best Time of Your Life," an original interview with Terry Bisson, and two essays, is now available in various ebook forms. Print editions coming very shortly!

Sun, 11 Sep 2011 23:03:48 UTC

Firefox: up to date or not?

Posted By Greg Lehey

Took another look at my problems with firefox on teevee today. Apart from this irritating double window opening, there are lots of settings that I don't want to have to change again, not to mention saved passwords. Possibly there's a point-and-click way to import them from another instance, but I don't know how, and I'm not sure I want to know. Instead took a look at the files that firefox maintains. They're in a directory ~/.mozilla/firefox, and include at least the file profiles.ini, which contains an overview of the available profiles. By default it contains something like
      [General]
      StartWithLastProfile=0
      [Profile0]
      Name=display-0
      IsRelative=1
      Path=7v0n6ir5.horrible_broken_firefox_with_no_understanding_of_UNIX
The Path starts with some random character string, in this case 7v0n6ir5.

Sun, 11 Sep 2011 20:13:33 UTC

The 9-11 disaster investigation website

Posted By Tom Limoncelli

National Institute of Standards and Technology (NIST)'s division of building and fire safety performed the scientific investigation of the World Trade Center (WTC) disaster. Much of the related video, audio and photographic evidence was released under FOIA. Just in time for the 10th anniversary of the disaster the FOIA'd data was released on their website: http://wtcdata.nist.gov Since FOIA requires the raw, unaltered, data to be released, many of these videos are at very high resolution. (Lower res versions are available for easier viewing, of course). If you go to the website, you can watch all the material. If you go to Usenix LISA 2011, you can see a presentation by the sysadmins that built the site, and learn the technical and non-technical challenges that threatened the project along the way.

Sun, 11 Sep 2011 15:07:25 UTC

Faking it

Posted By Diomidis D. Spinellis

This column is about a tool we no longer have: the continuous rise of the CPU clock frequency. We were enjoying this trend for decades, but in the past few years, progress stalled. CPUs are no longer getting faster because their makers can't handle the heat of faster-switching transistors. Furthermore, increasing the CPU's sophistication to execute our instructions more cleverly has hit the law of diminishing returns. Consequently, CPU manufacturers now package the constantly increasing number of transistors they can fit onto a chip into multiple cores -- processing elements -- and then ask us developers to put the cores to good use.

Sun, 11 Sep 2011 11:04:52 UTC

Coming to Toronto, Ann Arbor, Brooklyn and NYC

Posted By Cory Doctorow

Hey, Torontonians, Ann Arborites, and New Yorkers! I'll be giving a free talk at the Art Gallery of Ontario in Toronto called "Can creativity and freedom peacefully co-exist in the Internet age?" on Sept 14 at 7PM, where I'll be reprising my SIGGRAPH talk from August. On Sept 15, I'll be in Ann Arbor, MI …

Sun, 11 Sep 2011 01:21:20 UTC

Firefox: so nice, so nice, we do it twice

Posted By Greg Lehey

There's another new thing on teevee: firefox now behaves strangely. It's the latest and greatest firefox, release 6, and somehow I've managed to lose the old configuration. So I get the default, lots of unrecognizable icons and the Home icon way off to the right. And at least for the moment I'm putting up with tabs, because that way firefox doesn't crash nearly so often. But when I click on the Home icon, I get both the home page and another tab with, apparently, what firefox thinks I need. Here before and after a single click (this really needs to be enlarged): That's without the Ctrl key.

Sun, 11 Sep 2011 01:20:43 UTC

teevee upgrade reviewed

Posted By Greg Lehey

I'm still trying to understand what I've done wrong with the upgrade on teevee. Yes, it works, and I can watch TV somewhat better than before. The previous processor and graphics card had difficulties with 1080i material and sometimes with 720p as well: the images were sometimes jerky. I don't get that any more. But there are other things. It looks like every time I reboot the machine (daily for this one), I have to unload and reload the sound driver. If I don't, mplayer just hangs. Why? In general when I'm watching TV I don't feel like kernel debugging, so so far I'm just putting up with it.

Sat, 10 Sep 2011 19:00:00 UTC

Two Maps

Posted By Tim Bray

I'm pretty relentless about adopting new technologies and usually unregretful about the ones left behind. In particular I have grave doubts about whether the book, I mean in its paper form, has or even deserves a future. But there are two sides to this story. Here we have two cartographic renditions of more or less the same piece of the planet; one via Google Maps on a Nexus S, the other on page 101 of the Ninth Comprehensive Edition of the Times Atlas of the World. The picture fails to convey the immense size of the Atlas; after dinner this evening, five people shared it comfortably for a lesson in New Zealand geography.

Sat, 10 Sep 2011 14:25:38 UTC

True Names in Polish

Posted By Cory Doctorow

"True Names," the Hugo-nominated novella that Benjamin Rosenbaum and I published in 2008, has been republished in a CC-licensed Polish edition, courtesy of Ireneusz Dybczyński.

Fri, 09 Sep 2011 23:55:16 UTC

No fun any more

Posted By Greg Lehey

A few days ago I woke up in the middle of the night with a realization: writing programs has become so complicated that it's no fun any more. I was about to write a comment at the time, then I discovered that Eric Allman had beaten me to it. At least it was a confirmation that I'm not alone. Once upon a time programming was easy. You had an idea, you wrote it down, you debugged it, and it usually worked. But those were simple, kiddie programs, right? To do anything serious you need lots of code, and what's easier than to use code that somebody has already written for this purpose -- a library?

Fri, 09 Sep 2011 21:30:51 UTC

Friday Squid Blogging: Beautiful Squid Drawings

Posted By Bruce Schneier

From Italy. As before, use the comments to this post to write about and discuss security stories that don't have their own post....

Fri, 09 Sep 2011 19:00:00 UTC

Chip Experience

Posted By Tim Bray

Basically all the credit cards in Canada are now chipped, which is to say that there are visible microelectronics toward one end. To pay, you slip that chip into the reader, confirm the deal and enter your PIN. This allows for a surprising amount of variation in user-experience quality. It's a huge time-saver in restaurants because the little reader doohickey is wireless and they bring it to your table with the bill, thus avoiding one round-trip for the service person. [At this point, Europeans are wondering why I'm treating this as news, they've had it for years.] Anyhow, there is an amazing amount of variation in the amount of work you, the customer, have to do to accomplish the business of paying.

Fri, 09 Sep 2011 15:00:00 UTC

ServerFault Scalability Conference (and DevDays 2011) Cancelled

Posted By Tom Limoncelli

DevDays 2011 is Cancelled Q: What about the ServerFault Scalability Conference? A: That has been canceled, also. Sigh. The full story here. If you had registered hoping to see me speak, my apologies. Please refer to http://everythingsysadmin.com for a list of my other appearances. People in the Princeton, North Carolina and Pittsburgh area should be particularly interested in that list. Also... soon I'll be announcing 3 half-day tutorials that I'll be teaching at the Usenix LISA conference in December in Boston. Start warming your boss up to the idea of sending you to a conference right after Thanksgiving. I'm really psyched about the new material.

Fri, 09 Sep 2011 07:15:11 UTC

Forging a Composite Viking-age Sword

Posted By Niels Provos

Thu, 08 Sep 2011 11:14:58 UTC

New Lows in Secret Questions

Posted By Bruce Schneier

I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or...

Wed, 07 Sep 2011 22:00:01 UTC

My C++ and Beyond Intro: C++ Renaissance

Posted By Herb Sutter

Channel 9 has just posted a recording of my intro talk at C++ and Beyond 2011 last month in Banff. Here’s the link: C++ and Beyond 2011: Why C++. It’s a keynote-y talk, not a technical talk, but we felt it was important to address an important trend involving the language. The goal is to share a [...]

Wed, 07 Sep 2011 19:32:16 UTC

The Legality of Government Critical Infrastructure Monitoring

Posted By Bruce Schneier

Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 3-13. Abstract: The government owns the entire US airspace -- it can install radar systems, enforce no-fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are...

Wed, 07 Sep 2011 19:00:00 UTC

The Drive by Night

Posted By Tim Bray

In Vancouver, the Drive means Commercial Drive; Hey look, a street with its own Web site! We took some visiting relatives out for gelati on a recent quiet Monday evening, and I brought the camera along. Dolce Amore is just an ice-cream shop, but Vancouver may not have a better one. I can't manage more than two scoops these days, but we were with three big twentysomething Albertans who flirted with the waitresses and inhaled three-scoop towers in gelato-flavor combinations that I found frankly perverted. In the old days, the Drive was our own Little Italy, and to this day you can get a damn good expresso while you watch Serie A on the satellite TV.

Wed, 07 Sep 2011 11:17:11 UTC

Outing a CIA Agent

Posted By Bruce Schneier

Interesting article on how difficult it is to keep an identity secret in the information age....

Tue, 06 Sep 2011 23:22:43 UTC

NetBSD under VirtualBox

Posted By Greg Lehey

Chris Yeardley is doing a university practical about contributing to Open Source projects, and I had an idea which would span the BSDs. It occurred to me that I don't have any NetBSD system running. Downloaded an ISO image and set up a new virtual machine under VirtualBox and tried to install under it. The nice thing is that you can define the image as the CD-ROM device, so there's no further messing around. Of course it has this horrible graphic tree-climbing interface, but that's modern. Installation was less than successful: the installer crashed into the kernel debugger, apparently as the result of a failed system call.

Tue, 06 Sep 2011 20:29:48 UTC

Optimizing Airport Security

Posted By Bruce Schneier

New research: Adrian J. Lee and Sheldon H. Jacobson (2011), "The Impact of Aviation Checkpoint Queues on Optimizing Security Screening Effectiveness," Reliability Engineering & System Safety, 96 (August): 900-911. Abstract: Passenger screening at aviation security checkpoints is a critical component in protecting airports and aircraft from terrorist threats. Recent developments in screening device technology have increased the ability to detect...

Tue, 06 Sep 2011 12:03:13 UTC

Where Are All the Terrorists?

Posted By Bruce Schneier

From Foreign Policy: "Why Is It So Hard to Find a Suicide Bomber These Days?" And from Stratfor: "Why al Qaeda is Unlikely to Execute Another 9/11." Me from May 2010: "Where Are All the Terrorist Attacks?"...

Tue, 06 Sep 2011 00:16:47 UTC

Volume control problems revisited

Posted By Greg Lehey

A couple of days ago I had trouble with mplayer resetting the volume when I pressed any key. The suggested remedy was to set sysctl hw.snd.vpc_autoreset to 0. I set that, both immediately and in /etc/sysctl.conf, and it made no difference. But that was a couple of days ago. Since then I have rebooted teevee, and now the volume control works as expected. So: is this a thing that has to happen at boot time? Or at some other time which I didn't pass? I suppose it's too late to find out without investing a fair amount of effort to repeat the situation.

Mon, 05 Sep 2011 21:05:58 UTC

Interview with Renovation Podcast

Posted By Cory Doctorow

Here's an interview I recorded with the Renovation Podcast, the official podcast of the World Science Fiction Convention in Reno, NV. MP3 Link

Mon, 05 Sep 2011 20:26:35 UTC

Why Should Anyone Care?

Posted By Cory Doctorow

Locus Magazine

Mon, 05 Sep 2011 20:26:18 UTC

Advice for self-publishers: why should anyone care about your book?

Posted By Cory Doctorow

My latest Locus column, "Why Should Anyone Care?" looks at a hard question that many people interested in self-publishing ignore: "Why should anyone care that you've got a book out?" I get a lot of e-mail from writers starting out who want to know whether it's worth trying to get published by major houses. The …

Mon, 05 Sep 2011 00:08:38 UTC

Facebook: get modern

Posted By Greg Lehey

I've been on Facebook for at least two years, and I've never found any use for it. But then, in many ways it's like IRC, and lots of my friends use it, so today I decided to leave a window open and watch things go by. I still don't understand what it's good for. One of my objections to most web-based forums is that it's in reverse chronological form, which destroys just about any connection between the articles. If you're reading this in what appears to be reverse chronological form, it's not my fault. I write this diary in chronological order.

Sat, 03 Sep 2011 23:59:32 UTC

Moving files to teevee

Posted By Greg Lehey

A couple of days ago I did my first-ever measurements of file transfer speed from ceeveear, the TV tuner box, to teevee, the projector driver, using gigabit Ethernet. The results, about 47 MB/s, were only about 4 times as fast as using 100 Mb/s. There was also a significantly larger variation in speed. There are a number of reasons why this might be, including disk speed, buffering and encryption: I was using scp. Edwin Groothuis suggested that I would get faster results without encryption, so today set to to find out how to do that with Linux (which is what cvr2 runs).

Sat, 03 Sep 2011 23:56:13 UTC

More modem flakiness

Posted By Greg Lehey

Because of the weather I took my weekend photos yesterday, and was able to get the processing done by midday today. And again they went up to the external site at a snail's pace. Once again the modem had fallen back to HSDPA mode. Again, looking at the network stats, it's easy to guess that it started earlier in the morning (where the red peaks fall below the bar):

Sat, 03 Sep 2011 16:49:00 UTC

In Defense of Negativity

Posted By Benjamin Mako Hill

I often hear criticism of "negative campaigning" in the free software movement. For example, in reply to a blog post I once wrote about an FSF campaign, several people argued against, "negative campaigning of any sort, in any realm." Drawing an analogy to political smear campaigns, some members of the free software community have taken the position that negative campaigning in general is not useful and that negativity has no place in our advocacy. First, it is important to be clear on what we mean by a negative campaign. I believe that there is a fundamental difference between speaking out against policies or actions and smear campaigns that employ untrue claims, ad hominem attacks, and that attempt to avoid a real conversation about issues.

Sat, 03 Sep 2011 01:24:32 UTC

Solving the teevee volume control issue

Posted By Greg Lehey

On IRC, discussed the volume control problems that I reported yesterday. One possibility appeared to be the sysctl hw.snd.vpc_autoreset, which, I'm told, is new. To quote:
      <AlephNull> And FreeBSD now always resets sound volume on open to match leenux brokeness. There's a sysctl to fix it but I don't recall the name.
      <callum> hw.snd.vpc_autoreset=0
      <callum> I think
      <Darius> sysctl hw.snd.vpc_autoreset=0
      <AlephNull> mplayer closes & reopens the sound device all the time.
      <Darius> depends if it closes the mixer device or not
That sounded reasonable, and I confirmed that hw.snd.vpc_autoreset was set to 1, so set it to 0 to see what happened.

Fri, 02 Sep 2011 23:56:58 UTC

Programming Isn't Fun Any More

Posted By Eric Allman

A colleague of mine from the Britton Lee days (worth a post of its own) recently sent out a message that hit home. Repeated with permission: From: Jim Bradford <(deleted)@(deleted).com> Subject: programming isn't fun anymore Date: August 23, 2011 4:19:31 PM -0600 I used to enjoy writing programs. I could write lines of code, compile them, link them and run them and they would do things. Useful things. They would solve problems. Or they could take input and produce output. Now all that is ancient history. I don't write code. I learn tools. Or try to learn tools. Problem is, there are more tools than anyone can keep track of.

Fri, 02 Sep 2011 21:44:58 UTC

Friday Squid Blogging: SQUIDS Game

Posted By Bruce Schneier

It's coming to the iPhone and iPad, then to other platforms: In SQUIDS, players will command a small army of stretchy, springy sea creatures to protect an idyllic underwater kingdom from a sinister emerging threat. An infectious black ooze is spreading through the lush seascape, turning ordinary crustaceans into menacing monsters. Now a plucky team of Squids -- each with unique personalities,...

Fri, 02 Sep 2011 18:34:36 UTC

The Efficacy of Post-9/11 Counterterrorism

Posted By Bruce Schneier

This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in...

Fri, 02 Sep 2011 11:38:35 UTC

A Professional ATM Theft

Posted By Bruce Schneier

Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year: KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform's "open-loop" prepaid debit cards. The balances on these prepaid cards aren't stored on the cards themselves;...

Fri, 02 Sep 2011 03:54:33 UTC

Completing teevee

Posted By Greg Lehey

Finally got round to the remaining work that needed to be done to install the new version of teevee, my projector driver (or front end in MythTV-speak). It wasn't much, but it was still irritating. First found a disk to put the production version on: I want to keep the current version for updates. It proved that about the only drive I had was the old photo disk, with 1 TB. That left plenty of space on the /home file system for videos, so moved all non-films to there. Now I have plenty of space, nearly 50% free:

=== grog@teevee (/dev/pts/5) /spool/Images 22 -> df -t ufs -c
Filesystem  1048576-blocks   Used  Avail Capacity  Mounted on
/dev/ad4p2           19832  16286   1959    89%    /
/dev/ad4p4           19832      0  18245 ...

Fri, 02 Sep 2011 00:00:00 UTC

Tom @ LOPSA-NJ, Thu Sept 1, 2011, Lawrenceville, NJ (near Princeton)

Posted By Tom Limoncelli

Tom will be presenting a 1-hour talk titled Walk a kilometer in my shoes: What sysadmins wish developers knew and vice-versa at LOPSA-NJ (League of Professional System Administrators / New Jersey Chapter). If you are in the area, I hope to see you there!

Thu, 01 Sep 2011 21:39:38 UTC

The Android/GPL situation

Posted By Matthew Garrett

There was another upsurge in discussion of Android GPL issues last month, triggered by a couple of posts by Edward Naughton, followed by another by Florian Mueller. The central thrust is that section 4 of GPLv2 terminates your license on violation, and you need the copyright holders to grant you a new one. If they don't then you don't get to distribute any more copies of the code, even if you've now come into compliance. TLDR; most Android vendors are no longer permitted to distribute Linux. I'll get to that shortly. There's a few other issues that could do with some clarification. The first is Naughton's insinuation that Google are violating the GPL due to Honeycomb being closed or their "license washing" of some headers.

Thu, 01 Sep 2011 19:00:00 UTC

Aspect Ratios

Posted By Tim Bray

On one side of the aisle, this fall will bring a new iPhone & iPad; on the other there's a steady flow of Android handsets and tablets and in-betweens. One thing about the Apple mobile line had been puzzling me till recently: There are only two form factors. The prognosticators think that the next iPhone will be about the same size and shape as it is now. The same is true of the iPad, except for maybe it'll have a double-density Retina display. It couldn't be more different on the Android size, with devices of every size and shape imaginable, some of 'em real eye-rollers.

Thu, 01 Sep 2011 17:56:05 UTC

Unredacted U.S. Diplomatic WikiLeaks Cables Published

Posted By Bruce Schneier

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. Near as I can tell, this is what happened: In order to send the Guardian the cables, WikiLeaks encrypted them and put them...

Thu, 01 Sep 2011 10:46:48 UTC

Forged Google Certificate

Posted By Bruce Schneier

There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing...

Thu, 01 Sep 2011 00:43:32 UTC

Competent, Mediocre, or Dangerous?

Posted By Robert V. Binder

An article in today's Chicago Tribune recounts how a software bug in an infusion pump led to brain-death for a patient in 2009 ("Medical Industry Taking Hard Look at Software Faults," Christine Mai-Duc, Chicago Tribune, August 31, 2011, p. 19) …