Home » Archives for May 2005

Month: May 2005

Irish Oireachtas take care of their own

Published May 27, 2005

Net: Fergus Cassidy reports that ‘bandwidth-starved TDs and Senators’ in the Oireachtas will be taking a shortcut around Ireland’s woeful consumer broadband situation, especially in terms of deployment outside of the main urban areas.

There’s a tender up to implement ‘an enhanced remote access system, which will improve access from Members’ homes or constituency Offices to data and services on servers in Leinster House’.

No similar luck for their constituents, of course. That really takes the biscuit…

Backscatter X-ray ‘naked scanners’ in the news

Published May 27, 2005

Security: the use of backscatter x-ray scanners has hit the US press now that the TSA are taking an interest.

These are interesting devices; unlike normal X-rays, they effectively render clothes invisible. That’s obviously got big privacy implications.

Quite a few of the press stories include images that have been blurred or obscured, presumably to render them printable. However, this image seems closer to the real results (not work-safe).

They were trialled in Heathrow’s Terminal 4 last year. One slashdotter’s experience:

Every Nth person in the line had to go through. They take you to a seperate are which is blocked off, make you lift up your arms and then move, facing three different directions. There was one operator and the screen was blocked off. The operator is always the gender of the person being scanned. Still I felt very offended for two reasons. First, even though it was enclosed it still made me feel exposed and my personal space violated, second, any questions I asked the operator with regards to their data storage, or if I could see the images that had been made were met with ignorance and my questions were ignored. However, turning down a scan you would probably get a strip search which would be even worse. I disliked airplane security checks before, but now it is incredibly annoying.

The Times has some passenger’s reactions to images from their scans:

‘I was quite shocked by what I saw,’ said Gary Cook, 40, a graphic designer from Shaftesbury, Dorset. ‘I felt a bit embarrassed looking at the image.’
A female passenger, who did not want to be named, said: ‘It was really horrible. It doesn’t leave much to the imagination because you’re virtually naked, but I guess it’s less intrusive than being hand searched.’

If these are installed more widely, I wonder how long it’ll take before we start seeing backscatter images of supermodels being saved to floppy by unscrupulous staff, and leaked?

Also, SpyBlog notes that images of children scanned with this device would constitute ‘making, distributing or possessing child pornography’ in the UK, presuming the machine stores them internally in electronic form. oops!

I’m a new ASF Member!

Published May 27, 2005

Apache: It seems I’ve been elected as a member of the Apache Software Foundation! That’s a nice surprise ;)

Massive US bank breaches, and Europe

Published May 25, 2005

Security: Adam Shostack has been tracking the immense volume of recent bank disclosures of compromised customer data. Bruce Schneier has also commented, and an interesting question arose in his posting’s comments — why are there seemingly no similar problems with European banks?

One responder points to a WSJ article which broadly misses the point. It discusses the additional layers of security imposed by European banks above the usual username/password combo. This is true — Eurobanks generally have higher security at the ‘front gate’; for example, I recall Bank of Ireland even issued SecurID-type tokens in its earliest online banking system. However, that misses the ‘insider’ attack, as in the most recent case of these 676,000 accounts, so I think it misses the point.

Bruce Schneier’s take:

Personal data is 1) not collected as widely, and 2) much less valuable as a tool to commit fraud. The second reason is far more important.

I think he’s partially right. Access to new and existing accounts in the US often requires little more than an SSN or similar trivial, easily-discoverable, data which is used in common across multiple institutions, and can be performed online; whereas in Europe, one requires documentary proof of address, ID, and the act must be performed in person at a bank branch. (This is often exceedingly annoying, of course. ;) In general, identity theft seems to be at a greater level in the US, and this is one reason why, I’d guess.

Adam Shostack has another take: these disclosures have all arrived on the heels of California’s SB 1386. It’s very unlikely that these kind of breaches never occurred before this, and suddenly began recently — it’s more likely that they’ve always gone on, but are unreported in Europe (and of course were unreported in the US, pre-SB 1386).

I’d add another point — the US has a large population of targets, with banks sharing financial systems across the entire country. Europe, by contrast, has many individual countries which each have their own set of banks and banking systems, and less interoperability and cross-state data flow. The potential return from ID theft fraud is increased by the larger pool of candidate victims in the US, compared to what an attacker could achieve in each individual European country. This means both that (a) an attack will affect a smaller number of victims in Europe than the US, and (b) widening the scale of an attack becomes significantly harder when the attacker must deal with new systems. It’s the ‘security monoculture’ issue again, applied to banking instead of operating systems.

The Nokia 770 Internet Tablet

Published May 25, 2005

Hardware: Slashdot: Nokia’s Linux Handheld. It’s to be called the Nokia 770 Internet Tablet, and runs on an open source development platform called Maemo.

This looks really nifty. ARM processor, 800×480 pixel resolution, GTK+, 2.6 kernel, wifi, 3 hours of active battery life, and a clever panning system to get around the clunkiness of scrollbars on a touchscreen.

I note particularly that they seem to have planned to include an RSS reader based on Liferea.

The Maemo site looks interesting, in that it’s clearly a bunch of switched-on, open-source-comprehending developers who set it up; it’s built using Apache Forrest, they use Bugzilla for issue tracking, Mailman for lists, the terms of use for user contributions explicitly call out OSI-approved licenses as a requirement, there’s plentiful references to Debian’s apt as the preferred means of installing developer platform software, and Maemo apps are distributed as Debian packages.

There’s clearly been quite a lot of work going on behind the scenes. There’s already some third-party apps out there, such as those on INdT’s Maemo apps page, and the the SDK tutorial contains copious detail, suggesting it’s been seeing some use.

That SDK tutorial is full of tantalizing glimpses into Maemo’s operation.

It all looks very promising, and nicely hackable! I’m looking forward to a closer look at one of these. It’s especially good to see such a solid comprehension of the open source model by such a major company. (If only they could have a word with their patents department ;)

Update: They’ve ported WebCore to GTK+. Mobile Gazette has more info, too, including this worrying line:

And although Nokia hold several patents for (the Maemo development platform), they intent to open up access to their intellectual property to aid development.

(My emphasis.) That line is not encouraging, seeing as it seems to be a pretty typical cross-compilation platform as seen in embedded systems development. But hey, let’s see the patents first.

Threadless RSS

Published May 25, 2005

Clothing: I love Threadless. Unfortunately, they don’t have an RSS feed for new T-shirts. So I wrote a quick scraper:

Threadless New Tees (RSS)

with pictures, naturally. This is not going to help my Threadless habit. ;)

Here’s a preview of what the feed looks like:

Del.icio.us ranking systems

Published May 25, 2005

Weblogs: there’s been a few attempts to mine ‘trend’ data from del.icio.us:

trendalicious, a ‘near real-time view of website popularity trends as reflected by the del.icio.us social bookmarking service’
grafolicious, which is similar
hublog: gatherers of the month lists the ‘trendsetters’ who link to popular sites first

However, none consider how many links a user generates. A user who links to every single page on the web would quickly gain a good ‘trendsetting’ rating, and would also skew the website trends upwards, without actually providing useful data to others.

A look at the hublog top posters does seem to indicate they’re linking prolifically to any old crap that looks likely to be popular, which is a more humanly-possible way to do that. ;)

However, populicious new links is quite cool — popular sites that are new in the last 24 hours. Especially handy to find out where one could download Daily Show torrents these days. ;)

There’s also the venerable Hot Links, which unfortunately tracks a very small population, but still gets interesting stuff.

Lexis-Nexis hacked through spam

Published May 20, 2005

Spam: WashPost: Computers Seized in Data-Theft Probe:

According to an account provided by the teenaged member of the hacker group — and confirmed by the law enforcement source who insisted on anonymity — the LexisNexis break-in was set in motion by a blast of junk e-mail. Sometime in February a small group of hackers … sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus (sic) that allowed the group’s members to record anything a recipient typed on his or her computer keyboard.
According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided by Florida-based subsidiary Seisint Inc. …
The young hacker said the group members then created a series of sub-accounts using the police department’s name and billing information. Over several days, the hacker said the group looked up thousands of names in the database, including friends and celebrities. The law enforcement source said the group eventually began selling Social Security numbers and other sensitive consumer information to a ring of identity thieves in California.

Justice Bradley on patent law

Published May 17, 2005

Mr. Justice Bradley, discussing US patent law in 1882:

The design of the patent laws is to reward those who make some substantial discovery or invention, which adds to our knowledge and makes a step in advance in the useful arts. Such inventors are worthy of all favor. It was never the object of those laws to grant a monopoly for every trifling device, every shadow of a shade of an idea, which would naturally and spontaneously occur to any skilled mechanic or operator in the ordinary progress of manufactures.
Such an indiscriminate creation of exclusive privileges tends rather to obstruct than to stimulate invention. It creates a class of speculative schemers who make it their business to watch the advancing wave of improvement, and gather its foam in the form of patented monopolies, which enable them to lay a heavy tax upon the industry of the country, without contributing anything to the real advancement of the arts. It embarrasses the honest pursuit of business with fears and apprehensions of concealed liens and unknown liabilities to lawsuits and vexatious accountings for profits made in good faith.

Well said that man! (via)

Virtualisation is good for the environment

Published May 16, 2005

Computing: mentioned in a Slashdot thread about green server farms — a page extolling the OpenVPS virtual-server software’s environmental benefits:

OpenVPS is good for the environment: a low-end server these days consumes no less than 200W. Given that typical servers run 24/7/365 this amounts (to) 1752 KWh per year. And because every joule of energy consumed by a server is transformed to heat, you need to at least double this to consider the air conditioning costs, which brings us to 3504 KWh per year. …
At some point this becomes an ethical question: If my CPU is 99.9% idle, is it environmentally (not to mention fiscally!) responsible of me to keep this server running?
Virtualization technologies such Linux VServer used by OpenVPS offer a very viable alternative. If the server acts and feels like a dedicated server, what difference does it really make if it’s actually virtual? Yet consolidating 30 physical servers into 30 OpenVPS accounts running on one (albeit power hungry) server would save over 100000 kWh per year. That’s as much energy as is consumed on average by 10 houses!

What an excellent point! The OpenVPS dev’s slashdot commment reveals another good demo of this —

  # cat /proc/uptime
  16000520.62 9482790.31

The first number is seconds of uptime, the second number is seconds spent in a CPU-idle state. So the server for taint.org, going by those numbers, has spent 59% of its time in a CPU-idle state — and converting fossil fuels to waste heat in the process…

UBE, not UCE

Published May 15, 2005

Spam: About this time last year, German neo-nazis launched a massive worldwide spam run with the aid of the Sober.H worm.

Well, it looks like they’re planning to make this a regular occurrence, because it’s on again, spamming nazi opinions linking to stories on reputable news sites, as well as pages on less reputable right-wing sites, Joe Wein has posted some samples. I’ve already received nearly a thousand since last night.

The good news — here’s a SpamAssassin ruleset that catches these nicely. thanks Raymond!

Using sound as a dead man’s switch

Published May 13, 2005

Software: a nifty trick in this Slashdot comment:

… This reminds me of an old trick we developed to use on the Amiga on a public-access cable channel. The software was under development and crashed occasionally, so rather than having a flashing guru meditation up on a local TV channel until it was rebooted the next day, we came up with a plan, that would probably work on a Windows machine as well (or just about any other system)
The idea was that while the software application was running, it drove a continuous 1khz tone out the audio port that kept a relay energized (that kept the signal on-air). When the system crashed, the audio output stopped, which meant the relay was no longer energized = video signal switched back to a stock SMPTE bars signal from a test generator.

Nowadays, I’d probably pay the money for a hardware watchdog timer. But this is a good, cheap way to implement a dead man’s switch. Very clever!

The Stag’s new owner: Louis Fitzgerald

Published May 12, 2005

Dublin: Sorry to the non-Dublin readership, I’m sure you all are getting quite bored of this by now. But anyway…

According to jd on the discussion page, the new owner of the Stag’s Head is Louis Fitzgerald, who picked it up for EUR 5.8 million.

Reportedly, he’s ‘the biggest publican in Dublin’ (sic), and owns The Quays in Temple Bar, The Palmerstown House in Palmerstown, The Big Tree on Dorset Street and The Poitin Stil in Rathcoole — and Kehoe’s on South Anne Street. Quite an empire.

I’ll have to leave the speculation on Fitzgerald’s pros and cons to more recent residents of Dublin, but I agree with jd’s comment: ‘hope he does half a good as job as the Shaffrys, and the bicycles are left outside rather than on the ceiling,’ Amen to that.

The Bayh-Dole Act and publicly-funded research

Published May 11, 2005

Science: in passing — this came up elsewhere, and it’s worth copying here, too (for reference).

The question was: how much should publicly-funded researchers be required to disclose – should they be allowed to generate ‘closed-source’ solutions at the taxpayers’ expense?

In the US and world-wide, there used to be a tradition that government-funded research should be made open to all, since if it was funded from public taxation, the fruits of that taxation should go back to the public. However, 25 years ago, the US enacted the Bayh-Dole Act, in which:

Universities were encouraged to collaborate commercial concerns to promote the utilization of inventions arising from federal funding.
It was clearly stated that universities may elect to retain title to inventions developed through government funding.
Universities must file patents on inventions they elect to own.

So in other words, the government has dictated since 1980 that government-funded research should not produce open-source or public-domain solutions, necessarily, as the results of research are to be considered private-sector profit-generating centers for the host universities. Naturally, cash-strapped universities have imposed internal regulations to maximise revenue from their research staff.

The implications for whatever ‘the next BSD TCP/IP stack’ may be are obvious.

Stag’s on the block today

Published May 11, 2005

Dublin: Lean forwards on this story from today’s Irish Times. Sadly, it’s behind their subscription firewall, so I’ll just snip out a few choice quotes from Philip Shaffry, the current owner:

‘(The Stag’s Head) has been part of my life for three decades and I’ve been running it for 10 years,’ he says. ‘I’ve two small children and I’m living 10 miles out of town, so I’m hoping to find a pub a bit out of the city centre. But of course I’ll miss this place. I have got really attached to the clientele and the crowd that comes in.’
Looking around at the Victorian bar, opulently decorated with mahogany panelling and a red Connemara marble bar counter, Shaffry is confident there will be no changes to the building.
‘They won’t be able to touch it. This is the crème de la crème, the jewel in the crown, of Dublin pubs. It has been here since 1760, although it was completely refurbished in 1895. This is a grade-one listed building.’

But the bad news?

There are no State laws regulating some aspects of the pub, namely his family’s refusal to allow music – live or otherwise – or television in the bar. Any new owner could change this tradition, says Shaffry, which is a source of concern for some regulars. (….)
A spokesman for CBRE Gunne, which will auction the pub this afternoon, says there had been ‘enormous interest’ in the premises from Irish and international buyers.

Eeek! The guide price is 5 million Euros, if you fancy a shot.

Thanks for Philip for his excellent stewardship — here’s hoping any new buyer will keep his approach. That approach made the Stag’s what it is today — the best pub in Dublin. (In my opinion, at least ;)

PVR Build Log

Published May 10, 2005

TV: I’ve taken a little time to throw up my PVR build log.

If you’re hacking on one yourself, or curious about what it takes, or just like reading cut-and-pasted UNIX command lines — go take a look!

Tip: secure SSH tunneling for cron jobs

Published May 10, 2005

UNIX: a quick recap of a good tip combo picked up from ILUG recently. To paraphrase Conor Wynne’s original question:

What’s the best way to set up a secure connection between two hosts, possibly over the internet, using SSH, suitable for use from cron so that it can run via crontab without entering authentication manually?

Barry O’Donovan replied:

I suggested ssh keys without passphrases … in
http://www.barryodonovan.com/publications/lg/104/ and it includes instructions. … You can invoke rsync over ssh and specify a specific key with:
rsync -a -e ‘ssh -i /home/username/.ssh/id_rsa-serverbackup’

Colm MacCárthaigh followed up with:

You can restrict what commands an ssh account can run in the ssh public key. This is how some of our more important projects (like Debian, FreshRPMS, and a few more) push us updates. The key looks like (jm: all on one line, no space between ‘no-pty,’ and ‘command’):
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty, command=”/home/ximian/rsync-ximian-nolog &”
ssh-dss keydata username@blah
So, create a passwordless public key like so, and just change the command to whatver rsync runs.

Combined, that’s a useful tip — I knew about the ssh command restriction technique, but being able to use a specific single-purpose key from the ssh client is very useful.

(updated: mbp mailed to note some missing quotes in Barry’s command above; they’d been eaten by WebMake. drat.)

Tip: expand a bash commandline as you type it

Published May 3, 2005

UNIX: another useful tip. Bash supports a wide variety of command line editing tricks; you have the usual GUIish editing (backspace, insert new characters, delete, blah blah) through the GNU Readline library, and in addition to that you have the traditional csh-style history expansion (like ‘!!’ to refer to the previous command typed).

The latter are great, but they won’t actually be expanded until you hit Enter and run the command line. That can be inconvenient, resulting in the user being forced to reach for the rodent for some cut’n’paste instead.

Here’s a handy trick — add this line to ~/.inputrc (creating the file if necessary):

Control-x: shell-expand-line

Start a new bash shell. Now, if you type CTRL-X during command line entry, any shell metacharacters will be expanded on the current command line. For example:

% echo Hello world
Hello world

% echo Hi !$       (press CTRL-X)
           (current command line expands to:)
% echo Hi world

There’s a few more commands supported, but none of them are really quite as useful as shell-expand-line.

Update: ‘Smylers’ wrote to point me at this UKUUG talk from 2003 which discusses .inputrc expansions, and provides some insanely useful tips.

In particular, Magic Space clearly knocks this tip into a cocked hat, by performing the expansion on the fly as you type the command, with no additional keypresses — amazing! Bonus: it works if you use Emacs-mode line editing as well as Vi-mode.

I strongly recommend reading that paper — lots of other good tips there.

Sony coins new name for vapour

Published May 2, 2005

Patents: New Scientist: Sony patent takes first step towards real-life Matrix:

IMAGINE movies and computer games in which you get to smell, taste and perhaps even feel things. That’s the tantalising prospect raised by a patent on a device for transmitting sensory data directly into the human brain – granted to none other than the entertainment giant Sony.

It’s a very lame ‘first step’ though — Sony has done no research and development on this invention whatsoever, it’s just a patent form of the old ‘in the future, we’ll wear tinfoil suits! And here’s how they’ll probably work!’ speculation. Sony’s comment:

Elizabeth Boukis, spokeswoman for Sony Electronics, says the work is speculative. ‘There were not any experiments done,’ she says. ‘This particular patent was a prophetic invention. It was based on an inspiration that this may someday be the direction that technology will take us.’

That’s nice; I’m sure they have some in the pipeline for flying cars, too.

It’s good to know that if an inventor does eventually come up with an ultrasound-based human-computer brain interface, they’ll have to pay license fees to Sony so they can use their ‘prophecy’ in their invention. The USPTO’s high standards are being maintained, as usual…