Blog Archive: February 2012

Wed, 29 Feb 2012 20:00:00 UTC

Undocumented Territory

Posted By Tim Bray

What happened was, there was an irritating little bug in my LifeSaver app. Which turned into a real problem, since I was using an undocumented API. The story of the bug's death might be useful in giving a feeling for the 21st-century open-source world. Background: LifeSaver reads your phone-call and SMS logs and pushes them into the cloud, where they stick around for a couple of hours; the idea is that when you get a new device, LifeSaver can also pull them back out of the cloud scratch-space and load them into the new phone's logs. For the phone log this is easy, because there's an official ContentProvider you can read and update.

Wed, 29 Feb 2012 17:21:00 UTC

VC++11 Beta Available, Supported For Production Code

Posted By Herb Sutter

Earlier this month, I announced in my GoingNative talk C++11, VC++11 and Beyond that Visual C++ 11 Beta would be available in February. Today's the day: You can download Visual Studio 11 Beta here. Interestingly, VC++11 is being distributed under a go-live license, which means that Microsoft supports using this compiler to write production code. [...]

Wed, 29 Feb 2012 14:41:45 UTC

PR Night with the HEAT! Sunday, April 22.

Posted By Herb Sutter

PR Night with the HEAT! Sunday, April 22. Buy tickets early. Posted by oncallpr. Back by Popular Demand. Public Relations Night With the MIAMI HEAT: Houston Rockets vs HEAT, Sunday, April 22. Buy Your Tickets Early so You Don't Get Shut Out (last year we closed out): 6 p.m. @ American Airlines Arena, $55 [...]

Wed, 29 Feb 2012 14:39:12 UTC

ANNOUNCEMENT: PR News Welcomed as Newest SFPRN Sponsor

Posted By Herb Sutter

PR News, an excellent resource for our industry professionals, is the newest sponsor to help support the South Florida Public Relations Network. Our sponsors make it possible to continue to provide this free member service and our low cost events and networking activities, along with student study recognitions. Please visit our SPONSOR page and take [...]

Wed, 29 Feb 2012 13:11:17 UTC

FBI Special Agent and Counterterrorism Expert Criticizes the TSA

Posted By Bruce Schneier

Good essay. Nothing I haven't said before, but it's good to hear it from someone with a widely different set of credentials than I have....

Tue, 28 Feb 2012 12:43:08 UTC

"Cyberwar Is the New Yellowcake"

Posted By Bruce Schneier

Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race....

Mon, 27 Feb 2012 23:16:11 UTC

New web site with old computer documentation

Posted By Greg Lehey

While looking for information about the UNIVAC 1108 Master File Directory today, stumbled across bitsavers.org. It's not new, and, most emphatically, neither is the content. It includes documents that were old when I entered the industry 40 years ago. It looks as if there's a lot to explore there. My interest in the MFD was a supposition that it might have a relationship to the Unix directory structure. It doesn't. It is much more complicated, centralized, and has features that are rare today, such as file versioning at a basic level.

Mon, 27 Feb 2012 20:00:00 UTC

Network App Macroeconomics

Posted By Tim Bray

A friend of mine is working on a complicated publishing app; the data is XML, perfectly appropriate when your objects are documents. She told me they were thinking about automating some of the work by running XSLT transformations out there in the client with libxslt. I said Well yeah, as long as the client's a PC not a tablet. The category of things you can do on a PC but not a tablet is interesting. Anyone remember AJAX? Now we just talk about Web apps, with towers of JavaScript code (CoffeeScript for the ultra-hip) built on an ever-growing library substrate (yes, there is more than jQuery) making the browser look interesting.

Mon, 27 Feb 2012 18:30:37 UTC

Liars and Outliers: Interview on The Browser

Posted By Bruce Schneier

I was asked to talk about five books related to privacy. You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two? Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we...

Mon, 27 Feb 2012 11:49:52 UTC

U.S. Federal Court Rules that it is Unconstitutional for the Police to Force Someone to Decrypt their Laptop

Posted By Bruce Schneier

A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer: Thursday's decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of...

Sun, 26 Feb 2012 21:59:16 UTC

James Hamilton on reliability

Posted By Herb Sutter

Don't trust hardware or software; then you can build trustworthy hardware and software. James Hamilton on how to write reliable software in a world where anything that can fail, will fail. Filed under: Hardware, Software Development

Sun, 26 Feb 2012 20:00:00 UTC

2012 Floral Drumbeat

Posted By Tim Bray

Nearly every year round this time, I run pictures of crocuses from our front yard. Each year's batch looks pretty much like last year's batch. I'm not going to let that bother me. This is sort of like the Clash putting out the triple-album Sandinista in response to grumbling over the double-album London Calling, only different.

Sun, 26 Feb 2012 18:48:54 UTC

Observations on Errors, Corrections, & Trust of Dependent Systems

Posted By James Hamilton

Every couple of weeks I get questions along the lines of should I checksum application files, given that the disk already has error correction? or given that TCP/IP has error correction on every communications packet, why do I need to have application level network error detection? Another frequent question is non-ECC motherboards are much cheaper -- do we really need ECC on memory? The answer is always yes. At scale, error detection and correction at lower levels fails to correct or even detect some problems. Software stacks above introduce errors. Hardware introduces more errors. Firmware introduces errors. Errors creep in everywhere and absolutely nobody and nothing can be trusted.

Sat, 25 Feb 2012 18:22:00 UTC

A Rose by Any Other Name...

Posted By Terry Coatta

Actually, in coding names do matter. A few months back we moved our application from one hosting provider to another and everything worked except OpenID authentication. In fact, we had both applications running simultaneously and talking to the same OpenID provider, and one worked and the other didn't. We were actually getting an error message that indicated a packet had been rejected due to a problem with a "nonce". Here's a definition from Wikipedia: "nonce is an arbitrary number used only once to sign a cryptographic communication." That pretty much matches my notion of what a nonce is as well.

Sat, 25 Feb 2012 17:40:54 UTC

What I Learned Building a Software Product with Tcl

Posted By Robert V. Binder

Through Google Circles, I happened to see David Welton’s very interesting reflection on the Tcl programming language (posted in 2010): http://journal.dedasys.com/2010/03/30/where-tcl-and-tk-went-wrong/ About ten years ago, after a lot of evaluation, I chose to develop a commercial automated software testing tool …

Sat, 25 Feb 2012 03:37:42 UTC

ALDI Set-top box

Posted By Greg Lehey

The third tuner on cvr2, my TV receiver box, has died. Yes, I can buy a new one, but a number of reasons speak for getting a set-top box, a modern word for tuner: the price isn't significantly different, you can use it to watch TV directly, it's a separate piece of equipment, so it probably won't fail at the same time, and it's kosher when calling up TV stations reporting reception problems: in the past when I've reported problems, they asked me what equipment I had, and when I told them it was a computer, they weren't interested in investigating.

Sat, 25 Feb 2012 01:45:15 UTC

DxO bug: found?

Posted By Greg Lehey

Yesterday's experiments showed that the EXIF data problem with DxO Optics "Pro" was limited to my images from my Olympus E-30. Even DxO's own images didn't trigger the problem. But why? What's the difference? Different firmware? That's hardly likely to change the image file format. Then it occurred to me: for each raw Olympus file that I read in, I perform (effectively): exiftool -overwrite_original_in_place -author="Greg Lehey" $i Could it be that? Tried adding an author entry to DxO's trial image and bingo! it (silently) didn't copy the EXIF data.

Fri, 24 Feb 2012 22:08:07 UTC

Friday Squid Blogging: Squid Can Fly to Save Energy

Posted By Bruce Schneier

There's a new study that shows that squid are faster in the air than in the water. Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have...

Fri, 24 Feb 2012 21:18:30 UTC

Liars and Outliers News

Posted By Bruce Schneier

The book is selling well. (Signed copies are still available on the website.) All the online stores have it, and most bookstores as well. It is available in Europe and elsewhere outside the U.S. And for those who wanted a DRM-free electronic copy, it's available on the O'Reilly.com bookstore for $11.99. I have collected four new reviews. And a bunch...

Fri, 24 Feb 2012 20:56:52 UTC

Press Mentions

Posted By Bruce Schneier

One article on me, and a podcast about my RSA talk next week....

Fri, 24 Feb 2012 19:37:50 UTC

Mention of Cryptography in a Rap Song

Posted By Bruce Schneier

The new movie Safe House features the song "No Church in the Wild," by Kanye West, which includes this verse: I live by you, desire I stand by you, walk through the fire Your love is my scripture Let me into your encryption...

Fri, 24 Feb 2012 13:06:19 UTC

Computer Security when Traveling to China

Posted By Bruce Schneier

Interesting: When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables...

Thu, 23 Feb 2012 23:50:28 UTC

Tracking the DxO bug

Posted By Greg Lehey

Right from the beginning using DxO Optics "Pro" I had a problem that it didn't preserve the EXIF data from the original images. Not that big a deal: I wrote a little script to copy the data from the source. But after all, this is commercial software, and I am entitled to support, so I sent in a problem report and got a very quick response: It works for me. That wasn't a case closed situation, though: they gave me the source of an image to compare with, and a lot more details of how to report the problem. Today I (finally) got round to downloading the image, which wasn't easy.

Thu, 23 Feb 2012 23:05:32 UTC

Three-paper Thursday: capability systems

Posted By Robert N. M. Watson

This week, my contribution to our three-paper Thursday research reading list series is on capability systems. Capabilities are unforgeable tokens of authority — capability systems are hardware, operating, or programming systems in which access to resources can occur only using capabilities. Capability system research in the 1970s motivated many fundamental insights into practical articulations of [...]

Thu, 23 Feb 2012 20:56:50 UTC

Registration is OPEN! East coast LOPSA-PICC Sysadmin Conference, May 11-12, 2012, New Brunswick, NJ

Posted By Tom Limoncelli

Register now and avoid the rush! http://picconf.org Space is limited! Registration is open for the 2012 LOPSA PICC conference, May 11-12, 2012 at the Hyatt Regency hotel in New Brunswick, NJ. Sysadmins and IT workers from Maine to Virginia are expected to attend the most talked about, community-driven, sysadmin conference of 2012! We're excited to announce our slate of speakers and world-class tutorials for 2012. Complete details at http://picconf.org FRIDAY is all about world-class training: This 2-day conference starts on Friday with long-format tutorials on a wide variety of topics by world-class instructors: Topics include PowerShell, Puppet, Amazon Web Services, WordPress, DNSSEC, IPv6 and much, much more!

Thu, 23 Feb 2012 20:09:11 UTC

VC++11 Beta on Feb 29

Posted By Herb Sutter

Three weeks ago, I announced in my GoingNative talk C++11, VC++11 and Beyond that Visual C++ 11 Beta would be available this month. With Soma's announcement this morning, I'm now happy to add a few more details: VC++11 Beta will be available on Feb 29. It will be under a go-live license, which means that [...]

Thu, 23 Feb 2012 18:29:46 UTC

Another Piece of the Stuxnet Puzzle

Posted By Bruce Schneier

We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up. My previous writings...

Thu, 23 Feb 2012 12:27:50 UTC

Mobile Malware Is Increasing

Posted By Bruce Schneier

According to a report by Juniper, mobile malware is increasing dramatically. In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. Most noteworthy was the dramatic growth in Android Malware from roughly 400 samples in June to over 13,000 samples by the end of 2011. This amounts to a cumulative increase of...

Wed, 22 Feb 2012 12:53:59 UTC

John Nash's 1955 Letter to the NSA

Posted By Bruce Schneier

Fascinating....

Wed, 22 Feb 2012 08:01:01 UTC

Expanding the Cloud: The Amazon Simple Workflow Service

Posted By Werner Vogels

Today AWS launched an exciting new service for developers: the Amazon Simple Workflow Service. Amazon SWF is an orchestration service for building scalable distributed applications. Often an application consists of several different tasks to be performed in particular sequence driven by a set of dynamic conditions. Amazon SWF makes it very easy for developers to architect and implement these tasks, run them in the cloud or on premise and coordinate their flow. Amazon SWF manages the execution flow such that the tasks are load balanced across the registered workers, that inter-task dependencies are respected, that concurrency is handled appropriately and that child workflows are executed.

Tue, 21 Feb 2012 23:41:23 UTC

Communicating Data Beyond the Speed of Light

Posted By James Hamilton

In the past, I've written about the cost of latency and how reducing latency can drive more customer engagement and increase revenue. Two examples of this are: 1) The Cost of Latency and 2) Economic Incentives applied to Web Latency. Nowhere is latency reduction more valuable than in high frequency trading applications. Because these trades can be incredibly valuable, the cost of the infrastructure on which they trade is more or less an afterthought. Good people at the major trading firms work hard to minimize costs but, if the cost of infrastructure was to double tomorrow, high frequency trading would continue unabated.

Tue, 21 Feb 2012 22:37:44 UTC

wview: Mine is better than yours

Posted By Greg Lehey

About 2½ years ago I bought a Fine Offset WH-1081 weather station, which of course came with software only for Microsoft, and so even before I bought it, I had to find software that could talk to it. That was a set of patches to an old version of wview that ran only on NetBSD, an operating system that I no longer have running all the time, so I had a fair amount of work to do: apply the patches, migrate from NetBSD to FreeBSD, and update the patches to the latest version of wview. I never finished. Somewhere along the line I gave up and wrote my own software instead.

Tue, 21 Feb 2012 13:36:38 UTC

"1234" and Birthdays Are the Most Common PINs

Posted By Bruce Schneier

Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression...

Tue, 21 Feb 2012 00:37:24 UTC

More Nickel-Zinc experiences

Posted By Greg Lehey

Changed the NiZn batteries in my flash gun today, and recharged them. Nothing unusual in that, almost. I had forgotten to turn the flash gun off last week, and though it shuts down automatically after a while, it's a soft shutdown (it has a real mechanical power switch). But the voltages were interesting: before recharge, 3 of them were in a normal range, and the fourth was so low that the standards say it's defective. But they all recharged happily: Battery / Charge date / Before / After ...

Tue, 21 Feb 2012 00:25:49 UTC

Finishing Chris' photos

Posted By Greg Lehey

Spent much of the afternoon working on Chris Yeardley's photos. In principle there's no hurry, but it required significant uploads: there were a total of 575 MB of photos, which also overflowed the tiny disk we have available on the server, and today was the last day of our monthly ISP billing period. We had 1.2 GB (out of 9 GB) over, so it was clearly the day to do things. Lots of experiences in the process, mainly related to resetting the camera times. I've seen this before with the Hackers barbecue two years ago, and I wrote a program to do that at the time.

Mon, 20 Feb 2012 23:58:25 UTC

Ballarat Library: another false positive

Posted By Greg Lehey

While in town, also dropped in at the Ballarat Library to pick up a couple of DVDs I had requested. One was The Italian Job, coincidentally (in 1969) one of the first films involving computer-related crime. The web site couldn't find one in the Ballarat library, but that didn't stop it offering me 13 irrelevant titles. Finally I found one, and of course it was wrong again: it wasn't fiction. That's two out of three DVDs in the last couple of weeks that, thanks to inadequate documentation. Now that I have a few more tricks up my sleeve, took another look (search all libraries).

Mon, 20 Feb 2012 20:00:00 UTC

No Iran War Please

Posted By Tim Bray

Back in 2002, this crazy idea of responding to 9/11 by attacking Iraq first started being floated. And now we're getting stronger and stronger whiffs of Dorky Middle East War, the Sequel: Iran. Can the sensible people of the world please stand up and say Please, let's not do that. It's getting to the point where the New York Times has matter-of-fact articles like Iran Raid Seen as a Huge Task for Israeli Jets. On top of which, some of the particularly bloodthirsty members of the Likud-America fringe are pushing like crazy on that Overton Window, for example see Does AIPAC want war?

Mon, 20 Feb 2012 12:30:58 UTC

Covert Communications Channel in Tarsiers

Posted By Bruce Schneier

Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters. Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure...

Mon, 20 Feb 2012 03:13:48 UTC

Garden photos with new software

Posted By Greg Lehey

While Chris was doing her thing, I took my monthly garden photos. They're a particularly good test for the new software, since there are about 150 of them, and they have names like Petunia-1 and Petunia-2, but those names are interspersed with other images. Managed to get that sorted out, and also used my first-ever HTML5 feature: the autofocus attribute to tell the browser where to position the cursor. All worked surprisingly well, but it also makes clear that I'm like the man who only has a hammer: every problem looks like a nail.

Mon, 20 Feb 2012 03:02:42 UTC

More photo processing

Posted By Greg Lehey

Chris Yeardley over this morning for a Nasi Lemak breakfast, and to continue processing her photos with my new, super-duper web forms. She brought a book on JavaScript with her. I suppose the best thing we can say is that she found my software better than the previous attempt. In the end she finished naming the things and left the conversion to me, not unreasonable, considering that my software is not just undocumented, but under active development.

Sat, 18 Feb 2012 01:18:00 UTC

Advice for Prospective Doctoral Students

Posted By Benjamin Mako Hill

There is tons of advice on the Internet (e.g., on the academic blogs I read) for prospective doctoral students. I am very happy with my own graduate school choices but I feel that I basically got lucky. Few people are saying the two things I really wish someone had told me before I made the decision to get a PhD: Most people getting doctorates would probably be better off doing something else. Evaluating potential programs can basically be done by looking at and talking with a program's recent graduates. Most People Getting Doctorates Probably Shouldn't: In most fields, the only thing you need a PhD for is to become a professor -- and even this requirement can be flexible.

Fri, 17 Feb 2012 22:37:21 UTC

Friday Squid Blogging: Squid Desk Lamp

Posted By Bruce Schneier

Beautiful sculpture. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Feb 2012 20:00:00 UTC

Brick Wall

Posted By Tim Bray

This one is in the bad end of Gastown, across the street from the Alibi Room where we'd been for Valentine's-day festivities. Yeah, the light really was that yellow.

Fri, 17 Feb 2012 20:00:00 UTC

Square Pictures

Posted By Tim Bray

I like square photographs and wish my camera shot that way. Recently there's been a flurry of good online talk about picture shapes. Back in January, Mike Johnson (AKA The Online Photographer) asked: Why Not Square Sensors? This struck a chord with me, and I echoed it on Twitter. Alex Waterhouse-Hayward emailed me an eloquent little essay, mostly in opposition. I asked him to blog it and now there's The Perfect Square. Mike Johnson brought in guest blogger Kirk Tuck to write They stole our choice of aspect ratios. Now we're getting them back. If you're arguing about pictures, I think you ought to argue with pictures; so I offer Jon Ellis' Tokyo Square.

Fri, 17 Feb 2012 19:45:41 UTC

What Is a Suspicious-Looking Package, Anyway?

Posted By Bruce Schneier

Funny comic....

Fri, 17 Feb 2012 12:25:49 UTC

Self-Domestication in Bonobos and Other Animals

Posted By Bruce Schneier

Self-domestication happens when the benefits of cooperation outweigh the costs: But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the...

Fri, 17 Feb 2012 00:19:34 UTC

Another crash

Posted By Greg Lehey

dereel crashed today, out of the blue. There used to be a time when computer crashes seemed to happen like this all the time, for no particular reason. But while that may still be the case for Microsoft-based machines (I really don't know), it's now very seldom on any of my BSD machines. I wonder if it's an indication of hardware problems (something that people love to blame software issues on). The thing that did get me was the time it took to fsck my photo disk. OK, it's 2 TB, of which 60% are in use, and it has over 400,000 files on it:
Filesystem  1048576-blocks    Used  Avail Capacity iused  ifree %iused  Mounted on
/dev/ada1p1        1907196 1137008 751115    60%  401226 688948   37%  /Photos
It took 2 hours, 40 ...

Fri, 17 Feb 2012 00:14:16 UTC

Limits of DxO Optics Pro

Posted By Greg Lehey

I've found that when processing garden photos with DxO Optics "Pro", they generally come out best with the HDR Artistic preset. There are limits, though, apparently when the contrast is very low.

Thu, 16 Feb 2012 20:27:13 UTC

The Genesis of How to Test Mobile Apps

Posted By Robert V. Binder

A few months ago, the millionth mobile app was released. This is an amazing milestone. It shows how important the mobile space has become and how rapidly it’s evolving. I wondered, have any of these apps been tested? My guess: probably …

Thu, 16 Feb 2012 18:22:26 UTC

Cryptanalysis of Satellite Phone Encryption Algorithms

Posted By Bruce Schneier

From the abstract of the paper: In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the...

Thu, 16 Feb 2012 12:51:51 UTC

Lousy Random Numbers Cause Insecure Public Keys

Posted By Bruce Schneier

There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well. The cause of this is almost...

Wed, 15 Feb 2012 23:15:14 UTC

Photo naming page: success

Posted By Greg Lehey

Today was the first day I used my new photo processing web page in earnest. It's still pretty bare-bones, but it includes one feature that makes life easier: a single , (comma) in a field tells the page to take the previous name (less trailing number) and append the next sequential number: after the image Bunnings-blockade-1, a comma will generate the name Bunnings-blockade-2. I can already see the use of a ! to say continue doing this until you find another specification. And I can see myself playing with this for some time to come.

Wed, 15 Feb 2012 22:22:33 UTC

Yet Another Useless Web Site

Posted By Greg Lehey

While in town, to the Ballarat Library, which had just informed me that the DVD that I had returned on Saturday was available for pickup. So was South Pacific, so I picked up that, and then discovered it was a BBC Documentary, not the musical I was looking for. This web site is really impossible! Last time I had spoken to them about it, they sang the praises of how good it was, so this time I asked to be shown how to do it and was helped by a Senior Librarian. First question: "What is the PIN number of your library card?"

Wed, 15 Feb 2012 19:11:06 UTC

Dumb Risk of the Day

Posted By Bruce Schneier

Geotagged images of children: Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA. The location information...

Wed, 15 Feb 2012 13:09:22 UTC

The Sudafed Security Trade-Off

Posted By Bruce Schneier

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine: Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this...

Wed, 15 Feb 2012 01:01:49 UTC

Usenix SAGE is now Usenix LISA

Posted By Tom Limoncelli

Nothing is changing except the name. https://www.usenix.org/lisa I think this is a good thing. There's too much confusion over what is SAGE and what is LISA. Now people can focus on what LISA does, not figuring out which name to use when. Tom

Tue, 14 Feb 2012 22:57:44 UTC

More contact prints and HTML insights

Posted By Greg Lehey

Yesterday's diary prompted more response. In particular, Edwin Groothuis pointed at the HTML 4 specification, which says: An HTML form is a section of a document containing normal content, markup, special elements called controls ... That's not quite the same as what the w3schools document says, but on re-reading that document, it doesn't make it clear that the listed elements are the only ones allowed. Still, that's HTML 4, and one day we'll have HTML5 (and save spaces in the process). What does that say?

Tue, 14 Feb 2012 18:36:11 UTC

SSL Traffic Analysis on Google Maps

Posted By Bruce Schneier

Interesting....

Tue, 14 Feb 2012 13:12:53 UTC

Trust Requires Transparency

Posted By Bruce Schneier

Adam Shostack explains to Verisign that trust requires transparency. This is a lesson Path should have learned....

Mon, 13 Feb 2012 22:47:32 UTC

Contact prints page

Posted By Greg Lehey

Got various feedback from people reading this diary about how to make a single form to include all my <input> tags. The one I looked at, from Peter Jeremy, included <span> tags inside the form. That appears to work, but according to the definitions at http://www.w3schools.com/html5/tag_form.asp it shouldn't: The <form> element can contain one or more of the following form elements: <input> <textarea> <button> <select> <option> <optgroup> <fieldset> <datalist> <output> <label> This is for HTML 5, being the latest and greatest, but things aren't significantly different for other versions.

Mon, 13 Feb 2012 20:53:30 UTC

Liars and Outliers Update

Posted By Bruce Schneier

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped...

Mon, 13 Feb 2012 20:00:00 UTC

LifeSaver 2.0

Posted By Tim Bray

Way last fall, I took my old LifeSaver app and re-wrote it to store histories in a Google App Engine back-end as opposed to the SD card, mostly because lots of modern phones don't have SD cards. Then I had an attack of fear about deploying it, then I went on a world tour and got sick and took vacation and got distracted. I just published LifeSaver 2.0. No Fear The fear, of course, was of being the proprietor of a cloud database containing highly personal information. Lots of people had ideas on how to solve this, so I eventually picked the easiest: The data gets erased after an hour or so; see the Retention and Privacy write-up.

Mon, 13 Feb 2012 18:40:59 UTC

The Management Team

Posted By Joel Spolsky

The saddest thing about the Steve Jobs hagiography is all the young incubator twerps strutting around Mountain View deliberately cultivating their worst personality traits because they imagine that's what made Steve Jobs a design genius. Cum hoc ergo propter hoc, young twerp. Maybe try wearing a black turtleneck too. From The Management Team, my guest post on Fred Wilson's blog. Need to hire a really great programmer? Want a job that doesn't drive you crazy? Visit the Joel on Software Job Board: Great software jobs, great people.

Mon, 13 Feb 2012 14:09:24 UTC

Interview with WNIJ Chicago

Posted By Cory Doctorow

Here's a short interview I did last week in Chicago with WNIJ, an NPR affiliate. MP3 link

Mon, 13 Feb 2012 11:20:24 UTC

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Posted By Bruce Schneier

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key. What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might...

Mon, 13 Feb 2012 10:41:00 UTC

Quasi-Private Resources

Posted By Benjamin Mako Hill

Public Resource republishes many court documents. Although these documents are all part of the public record and PR will not take them down because someone finds their publication uncomfortable, PR will evaluate and honor some requests to remove documents from search engine results. Public Resource does so using a robots.txt file or "robot exclusion protocol" which websites use to, among other things, tell search engines' web crawling "robots" which pages they do not want to be indexed and included in search results. Originally, the files were mostly used to keep robots from abusing server resources by walking through infinite lists of automatically generated pages or to block search engines from including user-contributed content that might include spam.

Sun, 12 Feb 2012 23:43:42 UTC

ALDI GPS receiver: a step backward?

Posted By Greg Lehey

Took a first look at the GPS receiver I bought from ALDI yesterday. It uses different software, and so far I'm unimpressed. The maps are as bad as ever. The street where I live is still not there (it's only been here for about 100 years), and the fantasy streets that have been added to the east in the last couple of years are still there: My house is in Kleins Road, roughly on the l of the Please tear off foil.

Sun, 12 Feb 2012 23:00:04 UTC

Setting names for photos

Posted By Greg Lehey

Chris Yeardley has been on holiday in Việt Nam, and I'm helping her bring her photos on line. One of the (many) reasons I don't do this with commercially available software is that I want to give titles to my photos, not names like 100_4984.JPG or even (shudder) 36836231@N00/2423055893. Yes, you can do that. I've tried it with various products, and you'd think that they deliberately make it as complicated as possible. My current method works much faster: a little script that displays image name and details and prompts for a name. It uses GNU readline, so I can copy the name I apply to one image and apply it to the next with a different extension.

Sun, 12 Feb 2012 20:00:00 UTC

Illuminate Yaletown

Posted By Tim Bray

This is an event, a new idea I believe, an after-dark thing in an old now-fashionable brick-warehouse neighborhood. We went down to check it out, and before we got to the actual illuminations, ran across a hat shop party. This was in the Goorin Brothers shop, which isn't terrible; I've bought a couple of hats there. There were some pretty sharp-dressed people there, looking good. They had a hat band; sort of like a hair band only different. If someone writes me the name of the band, I'll give them a plug, because they were excellent. They were giving away glasses of very decent gin and vodka punch to all comers, and I tell ya, I'll go to a hat shop party any time.

Sun, 12 Feb 2012 20:00:00 UTC

Now With Schema.org Markup

Posted By Tim Bray

If you're looking at this in a Google+ link to its home on tbray.org, the snippet describing it should be exactly the same as the paragraph you're now reading. This required the addition of three little chunks of schema.org markup to the HTML: On the <body> tag: itemscope='' itemtype='http://schema.org/Blog' Over at schema.org they suggest you just say itemscope itemtype='whatever', but screw that, it's not well-formed. On the <h1> tag (which in this blog echoes the HTML <title>), itemprop='name'. On the <p> tag for the first paragraph, itemprop='description'. Of course, this is all done automatically; it doesn't appear in the upstream XML. Now that I'm standing on the slippery schema.org slope, I could add all sorts of extra markup, because after all I do talk about books and music and movies and so on.

Sun, 12 Feb 2012 20:00:00 UTC

Safe Unlocking

Posted By Tim Bray

There are a bunch of ways to unlock your Android device. More or less all devices support swipe, pattern, PIN, and password. Which should you use? Not Swipe Ladies and Gentlemen: Your mobile device is exquisitely personal. It opens a gateway into your recorded correspondence with your colleagues, loved ones, and enemies. It quite likely allows you to spend money on books and music and movies with a few taps on the screen. It's a big, scary dangerous world out there. I sure wouldn't use swipe-to-unlock on any of my devices. An Official Answer? I don't know of one. There is lots to read on the subject in the DevicePolicyManager docs and the Device Administration guide, but I'm not going to try to interpret; go read it yourself.

Sat, 11 Feb 2012 23:36:19 UTC

Perspectives on the Costa Concordia Incident

Posted By James Hamilton

Last week I wrote up Studying the Costa Concordia Grounding. Many folks sent me mail with interesting perspectives. Two were sufficiently interesting that I wanted to repeat them here. The first was from someone who was actually on the ship on that final cruise. The latter is from a professional captain with over 35 years' experience as a certified Ocean Master. Experiences From a Costa Concordia Passenger One of the engineers I work with at Amazon was actually on the Costa Concordia when it grounded. Rory Browne works in the Amazon.com Dublin office and he made an excellent and very detailed presentation on what took place that final trip. He asked me not to post his slides but OK'd my posting my notes from his presentation.

Sat, 11 Feb 2012 22:36:02 UTC

More keyboard ideas

Posted By Greg Lehey

Mail from Ian Donaldson about my keyboard problems, suggesting I look at the Northgate Ultra Plus. I suppose the combination of the length of this thread and the description have obfuscated things. He found the information at http://www.northgate-keyboard-repair.com/, where the keyboard is really called Ultra Plus. But of course it's an OmniKey Plus, and it's identical to what I'm trying to replace: But he has a point.

Fri, 10 Feb 2012 23:43:01 UTC

Finding a new keyboard

Posted By Greg Lehey

Spent some more time looking for replacement keyboards today. The one must is a function key block on the left; as I discovered in Wikipedia, others agree with me: Early models of Enhanced keyboard (notably those manufactured by Northgate Ltd.) maintained the layout with function keys on the left side, arranged in two columns of six pairs. This layout was more efficient for touch typists but was superseded in the marketplace by that with F-keys along the top. But where can I find one?

Fri, 10 Feb 2012 22:04:47 UTC

Friday Squid Blogging: Squid's Beard

Posted By Bruce Schneier

It's an acoustic bluegrass band. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Feb 2012 21:37:59 UTC

Interview with Suicide Girls

Posted By Cory Doctorow

Nicole Powers from Suicide Girls sat down with me at my office last month for a long, in-depth interview that's just been published: "You can't escape it anywhere. It's a race to the bottom all around the world right now. Canada, Germany, the US, and the UK, as well as the rest of the EU, …

Fri, 10 Feb 2012 20:08:22 UTC

Captchas

Posted By Bruce Schneier

Funny....

Fri, 10 Feb 2012 12:21:14 UTC

Securing iPads for Exams

Posted By Bruce Schneier

Interesting blog post about locking down an iPad so students can take exams on them....

Thu, 09 Feb 2012 20:00:00 UTC

On Boats

Posted By Tim Bray

It was Cottage Life that drove us to it. We like being there but haven't enjoyed getting there. The water taxis are friendly and efficient, but they run on strict schedules, and leave from places that require fighting through rush-hour traffic. So we bought a boat. Boating isn't really a geek thing, and I'm struggling a bit trying to find words that are both interesting and nautical. But it's taken a lot of our time and attention; write what you know, they say, and I know a whole lot more about boats than I did a few months back. Key Findings What you might want to know if thinking about a boat: If you walk around a marina, you'll notice a lot of the boats look neglected.

Thu, 09 Feb 2012 12:10:35 UTC

Security Implications of "Lower-Risk Aircraft"

Posted By Bruce Schneier

Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security. Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to...

Thu, 09 Feb 2012 00:54:31 UTC

Going Native Sessions Online

Posted By Herb Sutter

Thanks to everyone who came to Redmond and/or watched online to participate in Going Native 2012, last week's global C++-fest. It was a lot of fun, and generated a lot of useful and important talks that we hope will help continue to disseminate understanding of C++11 throughout the global C++ community. All the videos are now [...]

Wed, 08 Feb 2012 12:46:04 UTC

Solving the Underlying Economic Problem of Internet Piracy

Posted By Bruce Schneier

This essay is definitely thinking along the correct directions....

Wed, 08 Feb 2012 00:18:04 UTC

Still looking for a keyboard

Posted By Greg Lehey

My current keyboard is a Northgate OmniKey keyboard manufactured in August 1989, 22½ years ago. It's no longer in the best of condition, but in all that time I haven't found anything that I would like to replace it with. Things are getting desperate, though. The r key, in particular, is bouncing badly. But it's not the only keyboard of that kind that I have, and in the past I've found that if I rotate between them, the bounce tends to recover. So today I went to see what I could find: two Avant Stellar keyboards, both with defective keys, and three other OmniKeys (I thought I had five, but I can't find the fifth), all with their own problems.

Tue, 07 Feb 2012 16:34:01 UTC

How to Decrypt "Secrets for Android" Files

Posted By Diomidis D. Spinellis

Secrets for Android is a nifty Android application that allows you to securely store passwords and other sensitive data on your Android phone. Your data are encoded with your supplied password using strong cryptography and are therefore protected if your phone gets stolen. Although the application offers a backup and an export facility, I found both wanting in terms of the availability and confidentiality associated with their use.

Tue, 07 Feb 2012 11:53:41 UTC

Error Rates of Hand-Counted Voting Systems

Posted By Bruce Schneier

The error rate for hand-counted ballots is about two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem,...

Tue, 07 Feb 2012 05:00:00 UTC

Driving Storage Costs Down for AWS Customers

Posted By Werner Vogels

One of the things that differentiates Amazon Web Services from other technology providers is its commitment to let customers benefit from continuous cost-cutting innovations and from the economies of scale AWS is able to achieve. As we showed last week, one of the services that is growing rapidly is the Amazon Simple Storage Service (S3). AWS today announced a substantial price drop, effective February 1, 2012, for Amazon S3 standard storage to help customers drive their storage costs down. A customer storing 50TB will see on average a 12% drop in cost when they get their Amazon S3 bill for February.

Mon, 06 Feb 2012 19:23:27 UTC

The Failure of Two-Factor Authentication

Posted By Bruce Schneier

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...

Mon, 06 Feb 2012 18:31:50 UTC

Digital Lysenkoism

Posted By Cory Doctorow

Here's a podcast of my last Publishers Weekly column, Digital Lysenkoism : Talking with the lower echelon employees of publishing reminds me of a description I once read about the mutual embarrassment of Western and Soviet biologists when they talked about genetics. Soviet-era scientists were required, on pain of imprisonment, to endorse Lysenkoism, a discredited …

Sun, 05 Feb 2012 20:00:00 UTC

Fog and Public Service

Posted By Tim Bray

It was super-foggy last night, so I went out to look at streetlights through tree branches. You could spend a lot of time fooling around with silly depth-of-field tricks. In both cases, the tree is my much-photographed magnolia which, as I've written before, can never not be beautiful. This morning I was first up and discovered a couple of essential breakfast ingredients missing. As I walked five blocks to the store, I realized it had been a freezing fog, so the street generally, and the cars specifically, were pretty thoroughly iced. Someone, in the depth of night, had gone along the street and lifted each car's wipers off its windshield so they were pointing up saluting the morning.

Fri, 03 Feb 2012 23:00:12 UTC

The spammer's apprentice

Posted By Greg Lehey

Received another unlikely looking spam today:

From [email protected]  Thu Feb  2 06:00:06 2012
Delivered-To: [email protected]
Received: from mac.mir.by (ns.mir.by [93.125.59.1])
        by mx1.freebsd.org (Postfix) with ESMTP id 7AFAB8FC18
        for <[email protected]>; Wed,  1 Feb 2012 18:47:11 +0000 (UTC)
Received: by mac.mir.by (Postfix, from userid 2077)
        id 4429CAD823B; Wed,  1 Feb 2012 21:37:34 +0300 (FET)
To: [email protected]
Subject: <? print $subject; ?>
X-PHP-Originating-Script: 2077:helpus.php
From: Frank Lincoln <[email protected]>

Does nothing get tested nowadays?

Fri, 03 Feb 2012 22:18:41 UTC

Friday Squid Blogging: Clothing that Keeps an Exercise Journal

Posted By Bruce Schneier

It's called Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Feb 2012 20:49:54 UTC

The Problems of Too Much Information Sharing

Posted By Bruce Schneier

Funny. Fake, but funny....

Fri, 03 Feb 2012 20:00:00 UTC

An Office

Posted By Tim Bray

For a while it seemed like I was going to lose my dingy but exquisitely-located office on The Main. So I was going around town, looking at offices for rent. This one was actually pretty nice, if too far downtown. I normally try to make pictures look like what I saw, but this is a product of egregious ex post facto manipulation.

Fri, 03 Feb 2012 16:49:08 UTC

VeriSign Hacked, Successfully and Repeatedly, in 2010

Posted By Bruce Schneier

Reuters discovered the information: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The company, unsurprisingly,...

Fri, 03 Feb 2012 01:15:00 UTC

GoingNative 2012: Day 2 Tomorrow (Friday)

Posted By Herb Sutter

GoingNative 2012 Day 1 is just concluding, and we're getting ready for Day 2 tomorrow with more C++11 information and panels. Day 2 kicks off tomorrow at 9:30am U.S. Pacific time, with the theme C++11 Today and Tomorrow. Day 1's focus was entirely about C++11 as it exists today; Day 2 is partly about C++11 [...]

Thu, 02 Feb 2012 17:39:00 UTC

Reusable Domain Controls in MS MVC

Posted By Terry Coatta

Most of the example code for MVC that I have seen out there isn't well-suited to creating re-usable UI components -- in particular components that are application specific, but may want to be used in multiple contexts within the applications. For example, a component that displays a list of customers might be used on a number of different pages within the application. But it is possible to build re-usable components of this sort, you just have to follow a few rules which help ensure that the component is not coupled to the page that it resides on. So, the rules are:

- View models should always include a field for the ID of the target element
- Always use RenderPartial()
- Links need to be rendered with Ajax.ActionLink()
- Forms need to be rendered with Ajax.BeginForm()
- Forms/Links need ...

Thu, 02 Feb 2012 15:04:12 UTC

Prisons in the U.S.

Posted By Bruce Schneier

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value: Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second...

Wed, 01 Feb 2012 23:00:15 UTC

Nickel-Zinc battery reliability

Posted By Greg Lehey

I've been quite happy with the Nickel-Zinc batteries I bought a few months back, and so I bought some more. They arrived yesterday: 8 AA size and 4 AAA size. It took me a couple of days to charge them: that's 4 loads (for some reason the charger handles only 2 AAA batteries at a time), and each takes 5 hours. And one AAA battery didn't charge properly. After the charge cycle was complete, one battery had 1.836 V, which is about normal, and the other only 1.699 V, which is definitely too low. In the course of time that dropped to 1.368 V.

Wed, 01 Feb 2012 18:47:34 UTC

GoingNative 2012: Minus 1 Day

Posted By Herb Sutter

GoingNative 2012 is a global live C++11-fest with unlimited free worldwide attendance, both live and on demand. The goal is to make it interactive, and we've asked the speakers to reserve time at the ends of their talks for questions. Tweet questions to #ch9live or #GoingNative and we'll try and get them asked. To [...]

Wed, 01 Feb 2012 12:05:59 UTC

The Idaho Loophole

Posted By Bruce Schneier

Brian C. Kalt (2012), "The Idaho Loophole," Georgetown Law Journal, Vol. 93, No. 2. Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal...