
Month: October 2004

NoSoftwarePatents.com, and Michel Rocard appointed to draw up EP swpat response

Patents: I haven’t been blogging much, as I’ve got the damn flu. I thought I was clear after a minor bout, then it came back around again for another run… urgh. Now I’m all hot, confused, achy, and (due to it affecting my ears and therefore sense of balance) clumsy. Damn you, influenza virus! :(

But there’s some good news — NoSoftwarePatents.com has opened, with a nice, clean, clear website full of excellent content. Not only does it cover the usual list of basics, with good examples like FFII’s web-shop example, it goes into more detail about parallels; here’s a great one:

Patents on software are just as wrong as expanding the patent system to literature. With patents on story elements, no movie could be published without having to firstly check whether there is any general idea in the storyline that someone patented during the last 20 years. Here’s an example: At first sight, Dirty Dancing and Titanic are two very distinct movies. However, if there were patents on story elements, then the makers of Dirty Dancing could have sued the studio of Titanic. Both movies have a scene in which a poor boy takes a rich girl from a party of her social peers to a dancing party of his group, and she enjoys it. Dirty Dancing came out only nine years before Titanic, so any patent would still have been in force. No one knows whether James Cameron had that Dirty Dancing scene in mind as he wrote the Titanic script. Maybe Cameron never saw Dirty Dancing but the patent (if it existed) could be used against him anyway.

That’s exactly the right parallel to make! Software patents cover the tens to hundreds of little algorithms you need to put together to make a software product, and comparing an algorithm in a software product to a scene concept in a movie illustrates that nicely.

Each page has a little quote from heavy-hitters like Bill Gates, Oracle, Deutsche Bank, PricewaterhouseCoopers, etc., coming out against swpats. There’s also a section dealing with the disinformation that the other side has been putting out.

Next time you need to send a URL over to educate someone about this issue, this is the one to reach for.

Some news on the EU Software Patents Directive — IDA eGovernment News reports that ‘the formal approval of the draft Directive on the patentability of computer-implemented inventions by the EU Competitiveness Council has been postponed due to translation delays’, and notes that ‘on 6/10/2004, the Parliament’s Internal Market Committee selected former French Prime Minister Michel Rocard to draw up its response.’ It goes on:

Unsurprisingly, the appointment of Mr Rocard — an outspoken adversary of software patents — was welcomed by opponents of the proposed directive and criticised by its supporters. That Michel Rocard is taking over the dossier reflects the fact that the wider economic, infrastructural and social implications for Europe are now seen more clearly. Also, in the Council a learning process has begun, and it will be supported by the Parliament’s move, Mr Holger Blasum of the Foundation for a Free Information Infrastructure told journalists. On the other hand, Francisco Mingorance of the Business Software Alliance pointed out that Mr Rocard hasn’t shown any sympathy to the directive in the past. We can only hope he will be sufficiently open to the view of persons and groups which have a different opinion, he said.

Well, that sounds like good news to me ;)

Why implanted ID chips are bad for privacy

Security: The RFID vendors are clearly on a roll, with all manner of uses being proposed. The most recent story is that VeriChip plans to implant them subdermally in hospital patients.

The company line is that it’s privacy-safe, since it doesn’t expose health records per se — just the patient’s ID number. However, that’s missing the point, in my opinion.

RFID chips will broadcast their ID whenever they are within range of a compatible scanner, and the range (in this case) is several feet — although the story notes that their readers used to track farmed salmon work from 10-12 feet, and the Shmoo Group guys I met last month had no doubts that a high-powered directional antenna like their wi-fi sniper rifle could extend that. There’s no encryption, or handshaking, in these chips, it sounds like.

There’s no mention of whether the chip is removed after you leave hospital; some comments about the idea behind this suggest that it may help if you’re involved in an accident and want your info available to healthcare users, in which case you’d have the chip implanted and broadcasting at other times, in other places, as well.

So, if you’ve got one of these implanted, it’ll broadcast a unique code to readers in range at all times. If an attacker can scan while you’re nearby, and picks up that code, they know that it’s you, and you only. They only have to match that ID code to a visual identification once, and henceforth you can be tracked by that ID code.

There’s a possibility that they’ll fix this, by upping the CPU power and incorporating some decent public-key encryption — but then you need a PKI big enough to track every implanted citizen in the entire country, and the costs will go up and up. I’d find that doubtful. (Mind you, they seem to assume that having a centralized secure database of medical records is a fait accompli in most of the articles anyway, so…)

Cambodians Eager to Dine on Rats (fwd)

Funny: AFP: Cambodians Eager to Dine on Rats:

‘At first I just cooked them for my family to eat, but guests who tried them said they were tasty, so I started selling a few fried rats to the villagers,’ he said. Business boomed so he devoted his menu to them.

‘We only eat the small rats — we dare not eat the big ones because they have too much hair.’

Big in Laos, too — although I don’t think I’ve heard of sit-down restaurants selling them. When I was travelling in Laos, one of the first tips I heard from other travellers was, ‘if you see something that looks like a fried rat — it is’. urrgh.

(BTW, there’s actually good reasons not to eat rat-meat; wild rats and mice are truly filthy animals, vectors of all sorts of nasty diseases.)

Selves and Others now publishing RSS feeds

News: Selves and Others is a site that cropped up a couple of months ago, tracking the output of many of the left’s strongest voices, for example:

Well, one feature they were missing was RSS feeds, allowing users to track new articles by a specific author as they’re published. They’ve just added it; the good old orange XML button now appears on each author’s page. Excellent!

Playing US games on a European PlayStation 2

Games: when I moved from Ireland to the US, I brought along my PS2; I hadn’t had it that long, and I wasn’t going to leave it behind (despite many offers to give it a good home ;).

Of course, Sony include plenty of trade-restrictive features in the PS2; European games won’t play on a US PS2, and vice versa. So until now, I’ve been playing the few games I brought along from Europe, with the help of a YPbPr VGA converter, allowing the PS2 to display on a VGA monitor, and a transformer to transform 110V US current to 220V.

But that was before the superb Japanese craziness of Katamari Damacy came along, and with GTA: San Andreas due out next month, something had to be done.

So — after a little shopping, I found the solution — rather than get into serious stuff like soldering, I got this — the Slide Card. It’s a 1.5-inch long piece of plastic, with a carefully placed notch. It requires one piece of PS2 modification — you first of all have to remove the front of the CD panel. This just requires popping out one screw and a couple of clips, painless. You can then leave it off — it’s purely cosmetic — or stick it back on if you really want to, at a future date.

Then, when you want to play an import game, the protocol goes like this:

  • put in the Slide Card boot DVD, power on the PS2
  • wait for the Swap Magic splash screen
  • insert the little plastic Slide Card, and slowly drag it left-to-right until it hits a piece of plastic internally
  • use it to pull out the CD tray, place the import DVD into the tray, and push it back in
  • use the Slide Card again, grabbing a little internal peg part with the notch in the card, and dragging the card right-to-left to load the CD into place.
  • hit ‘X’ on the PS2 controller, and the game boots!

So, this is a nifty solution; it basically works around the disc-replacement logic in the PS2, without any soldering or hackery required. And I’ve successfully used it after a night at the bar on several occasions, so that’s the true test of how twiddly it is ;)

Unfortunately, by now I’ve probably spent nearly as much on hardware to play US PS2 games with a European PS2, as I would have if I’d just bought a US PS2. But hey…

Indymedia cross-border takedown reaches Slashdot

Web: The slashdot story. The comments contain a massive amount of noise, but there are some highlights…

Some details of the backend; it appears Indymedia need more mirrors, and the imc-tech list and #tech channel are the best contact locations to get in touch. The comment also notes that the Mir CMS used by most IMCs generates static HTML — which is a good thing! I hereby withdraw my kvetching about server-side dynamic scripting in that case ;)

The techie who ‘had the contract with Rackspace’ comments, and provides a link to his weblog, which contains copies of the trouble tickets.

He also notes that the possible illegal posting was a newswire submission — therefore not ‘published’ per se, just uploaded in the same way a slashdot comment that hasn’t been moderated up is.

And finally — he notes that the EFF are offering to represent himself and Indymedia pro bono. Yay EFF!

The Electronic Frontier Foundation (EFF) is currently assisting Indymedia investigate possible responses to the seizure of its information. More than 20 Indymedia-related websites, along with Indymedia’s online radio, were hosted on the servers, which were dedicated machines provided by Rackspace.

‘This seizure has grave implications for free speech and privacy. The Constitution does not permit the government unilaterally to cut off the speech of an independent media outlet, especially without providing a reason or even allowing Indymedia the information necessary to contest the seizure,’ said EFF Staff Attorney Kurt Opsahl.

This is great news. Top-secret takedowns are not a good thing, especially when they span three national borders…

More on the Indymedia shutdown

Law: t r u t h o u t quotes this press release from Rackspace:

In the present matter regarding Indymedia, Rackspace Managed Hosting, a U.S. based company with offices in London, is acting in compliance with a court order pursuant to a Mutual Legal Assistance Treaty (MLAT), which establishes procedures for countries to assist each other in investigations such as international terrorism, kidnapping and money laundering. Rackspace responded to a Commissioner’s subpoena, duly issued under Title 28, United States Code, Section 1782 in an investigation that did not arise in the United States. Rackspace is acting as a good corporate citizen and is cooperating with international law enforcement authorities. The court prohibits Rackspace from commenting further on this matter.

(my emphasis.) I wonder which of those 3 Indymedia is supposed to have been infringing? It’s pretty clear how Rackspace feel about this situation, I think.

It seems MLATs have been used before to shut down Indymedia sites in the US; this cryptome mirror of Montreal IMC pages documents one such case. Here’s a summary from a quoted email there:

Here’s a quite interesting story on the power of MLATs and what we will have to look forward to with the COE treaty:

A cop car was broken into in Quebec and a security doc relating to measures for the Free Trade Area of the Americas summit protests was stolen and posted on the net in Seattle. At the behest of the RCMP, a magistrate judge issued an order to grab the records from a Seattle web site called the ‘independent media center’ using the US/CAN MLAT. They were then visited by the FBI/Secret Service. They then had a gag order on this for several days before it was released today.

Great precedent. I wonder if when my car gets broken into again, I can use the cybercrime treaty to find my stereo again…

And snippets from the IMC press release of the time:

On the evening of Saturday, April 21, a day which saw tens of thousands demonstrate against the FTAA in the streets of Quebec City, the Independent Media Center in Seattle was served with a sealed court order by two FBI agents and an agent of the US Secret Service. The terms of the sealed order prevented IMC volunteers from publicizing its contents; volunteers immediately began discussions with legal counsel to amend the order. This morning, April 27, Magistrate Judge Monica Benton issued an amended order, freeing us to discuss the situation without the threat of being held in contempt.

The original order, also issued by Judge Benton, directed the IMC to supply the FBI with ‘all user connection logs’ for April 20 and 21st from a web server occupying an IP address which the Secret Service believed belonged to the IMC. The order stated that this was part of an ‘ongoing criminal investigation’ into acts that could constitute violations of Canadian law, specifically theft and mischief. IMC legal counsel David Sobel, of the Electronic Privacy Information Center, comments: ‘As the U.S. Supreme Court has recognized, the First Amendment protects the right to communicate anonymously with the press and for political purposes. An order compelling the disclosure of information identifying an indiscriminately large number of users of a website devoted to political discourse raises very serious constitutional issues. To provide the same protection to the press and anonymous sources in the Internet world as with more traditional media, the Government must be severely limited in its ability to demand their Internet identity–their ‘Internet Protocol addresses.’ A federal statute already requires that such efforts against the press be approved by the Attorney General, and only where essential and after alternatives have been exhausted. There is no suggestion that these standards were met here.

The sealed court order also directed the IMC not to disclose ‘the existence of this Application or Order, or the existence of this investigation, unless or until ordered by this court.’ Such a prior restraint on a media organization goes to the heart of the First Amendment. Ironically, the Seattle Post-Intelligencer learned about the existence of the order from ‘federal sources,’ suggesting that the purpose of the gag order was simply to allow the government to spin the issue its way.

The order did not specify what acts were being investigated, and the Secret Service agent acknowledged that the IMC itself was not suspected of criminal activity. No violation of US law was alleged.

Of course, cryptome is still chugging away as it always has been; simple HTML and no server-side dynamic scripting means easy offshore mirroring ;)

How to turn a stale project site into a useful Wiki

Web: Almost every project and organisation has, at some stage, bemoaned having stale data on their website, and wished there was a better way to keep it up to date; or wished their FAQ was more complete; or wished they had the time to HTML-ize all their know-how and get it up there.

Well, here’s what we did in SpamAssassin to deal with this problem. (Seeing as I’ve talked about this three times in the past month, I’ll write it up here so I can just point at the URL next time!)

First off, we experimented with having the site checked into CVS, FAQ-o-matic, and the Python FAQ software (which was pretty good). All were OK, but very specific in format, using the traditional question-answer FAQ layout — that’s good for FAQs, but not so good for a lot of other stuff — and keeping it updated was still limited to a small group, therefore the info got stale again.

So we moved to a Wiki. Here are my tips for Wiki-izing your website so that the end results are better than what went in.

Use good wiki software: unusable software will be a pain to use, and the info will still go stale. We used MoinMoin – http://moin.sourceforge.net/ – partly because I like Python (it’s nearly Perl! ;), it can produce RSS, and it was pretty easy to install.

Don’t worry: people won’t vandalise it (much). It turns out that vandalism and people throwing up crappy info isn’t a serious problem at all. You should still raise the barrier a little, in the following ways:

Require user accounts: set the security policy so that a user account must be set up before editing is possible. This means you won’t get wiki-spammed, and also has the side effect of imposing a pretty big barrier to casual vandals.

Send changes to a list: set all changes to be mailed to a mailing list as diffs. This is the most important tip. If you already have a mailing list with the knowledgeable part of the community on it, use that list — because they’re the ones who’ll be able to recognise if erroneous info is put up, and will be annoyed about this enough to bother fixing it. There’s a bonus side-effect of this; even if some people didn’t like the wiki to start with, they’ll eventually be needled into using it by wanting to fix stuff they perceive as wrong. And then they get sucked in ;)

Use diff for the mailed changes: Moin by default will only send out change messages saying ‘something changed on this page!’. That’s not good enough, unfortunately — you want to mail out what the new text looks like, and highlight exactly where the change happened. Moin can do this nicely, with this patch, which adds a mail_commits_address, where all diffs on every page are sent, using the normal diff mechanism.

Ensure the wiki software can revert quickly: If someone does make a bad change, Moin supports one-click reversion of the page to what it was beforehand. That’s great for dealing with spam, or clueless vandalism.

Keep one or two static pages: If you’re worried about some script kiddie thinking that defacing a wiki makes them look cool, then keep one or two of the primary user-facing pages as static data. For example, take a look at the link-bar at the top of http://spamassassin.apache.org/; five of the ten links are to static pages, the other five are now wiki-ized. In particular, our front page and our downloads page are both static, but our docs are predominantly Wiki’d.

Publicize Mozex: most techie groups will have techie users, and we hate using browser text-boxes to edit text. Mozex — http://mozex.mozdev.org/ — saves the day here — it’s a godsend.

Shepherd new changes: in the early stages, you want one or two people who tidy up changes from Wiki newbies as they go in. They need to keep it looking pretty, and refactor stuff that could be laid out better or should become multiple pages. Eventually, others will get the hang of that (and do a much better job than you do ;).

That’s the lot. Most of these are to, essentially, migrate aspects of your already-existing and already-working community into this new outlet. In our experience, it’s worked really well — our Wiki is now the most reliable source of info about SpamAssassin, and is extensive and up-to-date.
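To make the ‘send changes to a list’ and ‘use diff for the mailed changes’ tips concrete, here is an added Python example (not MoinMoin’s own code, nor the patch mentioned above) that turns one saved edit into a list mail carrying a unified diff plus the full new text, and sends nothing when a save changed no bytes. The page text, addresses and revision numbers are constructed for the example; the list address stands in for the post’s mail_commits_address setting.

```python
"""Build a commit-style notification mail for one wiki edit (added example)."""
import difflib
from email.message import EmailMessage

# Constructed sample: the same wiki page before and after one save.
OLD_PAGE = """= Frequently Asked Questions =
== How do I upgrade? ==
Stop the daemon, install the new version, restart the daemon.
== Where are the logs? ==
See the LogFiles page.
"""

NEW_PAGE = """= Frequently Asked Questions =
== How do I upgrade? ==
Stop the daemon, back up your config, install the new version, restart it.
Check the release notes for configuration changes first.
== Where are the logs? ==
See the LogFiles page.
"""


def page_diff(old_text, new_text, pagename, revision):
    """Unified diff between two revisions of one page, as a single string.

    Only the changed hunks (with three lines of context) are emitted, so a
    list reader sees exactly where the edit landed rather than a bare
    'something changed on this page!' notice.
    """
    old_lines = old_text.splitlines(keepends=True)
    new_lines = new_text.splitlines(keepends=True)
    return "".join(
        difflib.unified_diff(
            old_lines, new_lines,
            fromfile=f"{pagename} (rev {revision - 1})",
            tofile=f"{pagename} (rev {revision})",
        )
    )


def build_commit_mail(pagename, revision, editor, old_text, new_text,
                      list_address, sender, include_full_text=True):
    """Return the notification for one saved edit, or None if nothing changed.

    A save with no textual change should not wake up the list. list_address
    and sender are assumed values supplied by the caller (hypothetical; they
    play the role of the mail_commits_address setting).
    """
    diff = page_diff(old_text, new_text, pagename, revision)
    if not diff:
        return None
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = list_address
    msg["Subject"] = f"[wiki] {pagename} rev {revision} edited by {editor}"
    # A stable per-page header lets list members filter or thread by page.
    msg["X-Wiki-Page"] = pagename
    body = [f"{editor} changed {pagename} (revision {revision}).", "", diff]
    if include_full_text:
        body += ["", "-" * 60, "Full text of the new revision:", "", new_text]
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    mail = build_commit_mail("FrequentlyAskedQuestions", 7, "alice",
                             OLD_PAGE, NEW_PAGE,
                             "dev@example.org", "wiki@example.org")
    print(mail.as_string())
```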

Indymedia server drives seized

Politics: Indymedia’s hard drives in Rackspace UK seized by FBI order, seemingly as a ‘courtesy’ to Swiss police. There are several morals to be learned:

  • Rackspace UK are happy to roll over for the US feds;
  • it appears the action was taken using powers granted under the USA-Patriot Act;
  • hosting in Europe is not safe from bad US laws.

However, the UK site is back on the air, and reportedly they’re recovering nicely; ‘All this goes to prove that Indymedia is decentralised enough (but not perfectly) to survive an attack and that as a cooperative international network, we rock!’

More on H5N1 Bird Flu

Health: A few hours after ( ;) I link-blogged this New Scientist article about a case of the H5N1 avian flu transmitting itself between humans, Boing Boing put up this entry titled ‘Bird Flu risk extremely low’, which concludes that the risk is effectively not worth worrying about.

It’s fundamentally wrong, and is well worth pointing out as a result. As Quinn at ambiguous.org says, it’s not the danger now that’s important here — it’s the potential.

I read New Scientist religiously, so I’ve been following it, and this search on H5N1 gives the perfect illustration of why this is well worth worrying about:

(Now, while it’s worth worrying about, it’s not us end-users who should be doing the worrying. It’s the politicians who need to ensure that CDC and the WHO are funded well, that the terrible state of vaccine development and production is sorted out, that the lack of outbreak monitoring infrastructure is addressed, and that research into these strains is funded and given priority, in case things do go all pear-shaped influenza-wise.)

New fronts for patenting

Patents: Sun files for patents on per-employee software pricing plans (/.). ‘Method for licensing software to an entity, including determining a per-employee cost for the software, determining a number of employees of the entity, and determining a total licensing cost using the number of employees and the per-employee cost, wherein the total licensing cost comprises a software license for all employees of the entity and all customers of the entity.’

But, in my opinion, here’s the good news — this is a patent on a license agreement. In other words, this is a new front for patents — the field of law.

Once the lawyers start running into situations where trivial concepts in their license agreements are patented, you can be sure the situation will start to turn around. ;)

Firefox 1.0PR’s software installation UI

Security: Given the current prevalence of phishing attacks and spyware infestations, designing a good user interface that protects naive users against malware is now more urgent than ever.

Firefox is, of course, widely touted as more secure than MSIE. This is by and large true, due partly to MS’ emphasis in their UIs on one-step ‘easy’ installation and confirmation-dialog reduction (in my opinion) — but also due to the fact that spyware companies don’t yet see Firefox as a target to the same extent.

This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!

Firefox 1.0PR now includes code to deal with this. Here’s how it works.

If a site I’m viewing attempts to install an XPI file, I get this prompt:

Note that it’s NOT a dialog. This is pretty handy, because it means that I won’t get annoying dialogs all the time if I do accidentally go to an unscrupulous site; it just appears as part of the page. In the clueless user case, they may not even notice that they’ve been protected, which reduces the risk that they’ll install the extension anyway.

(However, I would have extended it by using an icon or look-and-feel that indicated that this was a ‘trustworthy’ part of the UI, rather than possibly part of the page.)

If I hit the ‘Edit Options…’ button, I get this:

A simple-enough dialog containing the list of sites permitted to install extensions. update.mozilla.org is in there by default, and I’ve added texturizer.net so I can install from their more extensive list of older extensions. The address of the current site has been dropped in automatically.

To permit the site, I have to hit ‘Allow’, then ‘OK’. So I do that, and hit the ‘install’ link on the webpage again:

And there’s the Software Installation dialog. Note the red Unsigned warning, the proportion of text that is a warning about installing bad stuff (fully half!), and — this is interesting — a greyed-out ‘Install’ button.

The button is on a timer — it becomes clickable after 2 seconds. This, presumably, is to ensure that people read the dialog! Reportedly, users no longer read dialogs, instead hitting OK on every dialog that appears. In my opinion, this is arguably due to ‘the boy who cried wolf’ syndrome: by default, MSIE and older Mozilla versions will ask all sorts of stupid questions about ‘are you sure you want to send stuff on the intarweb?’ whenever you use Google. If anything is guaranteed to induce dialog fatigue, it’s that feature.

(Update: actually, that’s not the reason. Reportedly, it’s a workaround for a couple of social-engineering attacks, whereby an attacker could persuade the user to type a word ending in ‘Y’, and time the dialog to appear just before ‘Y’ is typed — causing the keyboard shortcut for ‘Yes’ to take effect; or persuade the user to double-click in the right spot, and similarly time the dialog to appear in the right place, in time for the second click. Still, I maintain the measure is useful to deal with the ‘dialog fatigue’ issue too. ;) Thanks to Smyler and Rod for pointing this out.)

I would have gone further:

  • the ‘a software install was blocked’ page element should have an indication that it’s ‘trustworthy content’
  • both dialogs should default to ‘Cancel’, to avoid users deliberately pressing ‘OK’
  • I would possibly require a ‘yes, I read this’ tickbox to be ticked before the software is installed.

Interesting though. This is the way internet-facing UIs are going to have to develop, in my opinion.
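As an added illustration (not Firefox code), here is a small Python model of the install dialog’s input handling, covering the 2-second armed Install button described above and the three suggestions just listed: clicks on Install that arrive before the button is armed are dropped, Enter activates the default button (Cancel), no letter key acts as a shortcut for installing, and a ‘yes, I read this’ tickbox must be ticked first. The class and event names are mine; the constructed event timelines stand in for the timed-keystroke and timed-double-click tricks the update paragraph mentions.

```python
"""Model of a software-install confirmation dialog (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class InstallDialog:
    shown_at: float                  # time (seconds) the dialog appeared
    arm_delay: float = 2.0           # Install stays disabled this long (Firefox: 2 s)
    require_ack: bool = True         # suggestion 3: a 'yes, I read this' tickbox
    acknowledged: bool = False
    result: Optional[str] = None     # 'install', 'cancel', or None while open
    log: List[str] = field(default_factory=list)

    def install_enabled(self, now: float) -> bool:
        """Install is clickable only after the arming delay has elapsed and,
        when required, the acknowledgement box has been ticked."""
        armed = now - self.shown_at >= self.arm_delay
        return armed and (self.acknowledged or not self.require_ack)

    def tick_ack(self, now: float) -> None:
        self.acknowledged = True
        self.log.append(f"{now:.2f}: acknowledgement ticked")

    def press_key(self, key: str, now: float) -> Optional[str]:
        """Keyboard input. Enter fires the *default* button, which is Cancel
        (suggestion 2), so a keystroke timed to land on a freshly shown dialog
        can never install anything. 'y'/'Y' is deliberately not a shortcut."""
        if self.result is not None:
            return self.result
        if key in ("Enter", "Escape"):
            self.result = "cancel"
            self.log.append(f"{now:.2f}: {key} -> default action: cancel")
        else:
            self.log.append(f"{now:.2f}: key {key!r} ignored")
        return self.result

    def click(self, target: str, now: float) -> Optional[str]:
        """Mouse input. A click on Install that arrives before the button is
        armed (e.g. the second half of a timed double-click) is dropped."""
        if self.result is not None:
            return self.result
        if target == "cancel":
            self.result = "cancel"
        elif target == "install":
            if self.install_enabled(now):
                self.result = "install"
            else:
                self.log.append(f"{now:.2f}: Install click dropped (not armed)")
        return self.result


def replay(events, shown_at: float = 0.0, **opts):
    """Replay (time, kind, value) input events against a fresh dialog and
    return (result, log). kind is 'key', 'click' or 'ack'."""
    d = InstallDialog(shown_at=shown_at, **opts)
    for t, kind, value in events:
        if kind == "key":
            d.press_key(value, t)
        elif kind == "click":
            d.click(value, t)
        elif kind == "ack":
            d.tick_ack(t)
    return d.result, d.log


if __name__ == "__main__":
    # Constructed timelines: a keystroke and a click landing 50-100 ms after
    # the dialog appears, then a user who waits, ticks the box and installs.
    for name, events in [
        ("timed 'Y' keystroke", [(0.05, "key", "Y")]),
        ("timed Enter", [(0.05, "key", "Enter")]),
        ("timed double-click", [(0.10, "click", "install")]),
        ("deliberate install", [(2.5, "ack", None), (3.0, "click", "install")]),
    ]:
        result, log = replay(events)
        print(f"{name}: result={result} log={log}")
```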