Skip to content

Month: December 2005

Allowing users to have steak knives

Published December 21, 2005

This post on the Wikipedia/Seigenthaler spat at Corante.com contains this excellent comment from Wikipedia’s Jimmy Wales:

Imagine that we are designing a restaurant. This restuarant will serve steak. Because we are going to be serving steak, we will have steak knives for the customers. Because the customers will have steak knives, they might stab each other. Therefore, we conclude, we need to put each table into separate metal cages, to prevent the possibility of people stabbing each other.

What would such an approach do to our civil society? What does it do to human kindness, benevolence, and a positive sense of community?

When we reject this design for restaurants, and then when, inevitably, someone does get stabbed in a restaurant (it does happen), do we write long editorials to the papers complaining that “The steakhouse is inviting it by not only allowing irresponsible vandals to stab anyone they please, but by also providing the weapons”?

No, instead we acknowledge that the verb “to allow” does not apply in such a situation. A restaurant is not allowing something just because they haven”t taken measures to forcibly prevent it a priori. It is surely against the rules of the restaurant, and of course against the laws of society. Just. Like. Libel. If someone starts doing bad things in a restuarant, they are forcibly kicked out and, if it”s particularly bad, the law can be called. Just. Like. Wikipedia. I do not accept the spin that Wikipedia “allows anyone to write anything” just because we do not metaphysically prevent it by putting authors in cages.

Irish MEPs on Data Retention

Published December 15, 2005

So, the bad news — it appears that the European Parliament has passed the ‘Data Retention’ Directive, introducing requiring EU states to introduce mandatory electronic surveillance of all European citizens.

Tuppenceworth.ie has looked up how the Irish MEPs voted on the Directive. I was appalled to discover that Proinsias De Rossa (Labour) was the only Irish MEP to vote for this surveillance.

I generally give a high preference to Labour when voting, and before that, Democratic Left, and I’ve voted for him several times in the past. However, I think this may be the deal-breaker. I’m extremely disappointed.

By the way if party line was the issue — that didn’t stop Gay Mitchell (Fine Gael), who broke party line on this, saying:

I do not know why this proposal was rushed. The extremely accelerated legislation procedure has meant that there was little time for discussion, and translations were sometimes unavailable. There was also no time for a technology assessment or for a study on the impact on the internal market.

Major credit to him.

My ApacheCon Roundup

Published December 15, 2005

Back from ApacheCon!

I’ve got to say, I found it really useful this year. Last year, I was pretty new to the ASF, and found that my expectations of ApacheCon didn’t quite match reality; it wasn’t a rip-roaring success exactly, for me, as a result.

However, many details of how the ASF works — and how the conference itself works and is organised — are much clearer after you’ve spent some time lurking and absorbing practices in the meantime. (The visibility one gets into the process as a member of the ASF makes this a lot easier.)

Result: it was much more of a success for me this time around. Plenty of networking, putting faces to the names, hanging out, and discussing many aspects of our work.

The hackathon really worked out, too; while we didn’t produce a hell of a lot of code per se, it made for a good ‘developer summit’ and I think we established solid agreement on SpamAssassin’s short-term directions and goals. (summary: rules, and faster).

On top of that, I got to meet up with Colm MacCarthaigh and Cory Doctorow for discussion of Digital Rights Ireland. Looks like I’ll be spending a bit of time on that next year ;)

Finally: Solaris. On Monday night, I got to sit down with Daniel Price, one of the kernel engineers behind Solaris Zones, work through a quick demo of a bug I was running into with chroot(2) and zones on our rule-QA buildbot server, and watch as he visually traced it through the OpenSolaris kernel source on the web. From this — and from talking to Daniel — it’s pretty clear that things have changed at Sun. Pretty much the entire Solaris operating system is now a full-on open-source project; it’s not just a marketing gimmick. The source is up there on the web, that’s the source for the code they’re running now, and there’s no half-assed ‘freeze it, cut out the good bits, and throw it over the wall’ fake-open-source tricks.

The concept of getting this level of access to Solaris source code and engineers, would have blown my mind when I was Iona’s sysadmin back in the 1990s ;) I’m very impressed.

Windows Live Local and Firefox

Published December 9, 2005

Windows Live Local, with its isometric, Sim City, “bird’s eye” view, is quite nice.

However, what gets me is — do MS do this deliberately? I’m referring, of course, to the way it’s broken on Firefox 1.5, requiring you to drag twice to get it scrolling around the viewport, and the jumpy, clunky UI on that browser.

Pretty lame — and lazy, too. By now, it’s essential for a new fancy website to work under Firefox; even if only 20% of your users will be using it, a good proportion of those are the bleeding-edge, ‘taste-maker’ types who’ll be blogging about it, writing reviews for newspapers and news sites, and generally generating buzz for you, and thereby attracting the other 80%.

I’m told it works great in IE, but there’s no way I’m starting Windows and opening up that app. If I want to be infected by 700 different malwares within seconds, I’ll ask. ;)

On top of that, coverage seems spotty — Ireland is AWOL, of course.

As a result, my one line summary would have to be: idea = cool, dataset = probably cool, execution = half-assed and crappy. I’m looking forward to Google doing a much better job with their implementation of the Sim City viewpoint.

Email Injection attacks in PHP via mail()

Published December 8, 2005

Apparently, spammers are now exploiting a hole, or holes, in multiple PHP scripts which use the mail() API.

The holes are described at the SecurePHP wiki; basically, the script author inserts CGI fields directly into a message template without stripping newlines, and this allows attackers to create new headers, take over the message body, and generally take over the mail message and destinations entirely.

Funnily enough, these are the same holes Ronald F. Guilmette and I found in FormMail 1.9, and described in our Jan 2002 advisory Anonymous Mail Forwarding Vulnerabilities in FormMail 1.9 (PDF) on page 10, Exploitation of email and realname CGI Parameters. Ah, plus ca change…

Worth noting that perl’s venerable taint checking would have spotted these, if it were used.

ApacheCon US 2005

Published December 5, 2005

In a couple of weeks, I’ll be going to San Diego for ApacheCon US 2005 (including the hackathon beforehand). There’ll be quite a few other SpamAssassin committers there, too, so if you’re working with SA, or interested in getting some face time with the developers, there’s no better way of doing so.

Digital Rights Ireland launch, next Tuesday

Published December 3, 2005

DRI’s formal launch is next Tuesday:

December 6th sees the formal launch of Digital Rights Ireland, with a press conference in the Conference Room, Pearse St. Library, Dublin 2 at 11.30am. We would like to invite to you to come along – we’d welcome your support, and the chance to chat with you about your concerns after the main conference. Please feel free to invite anyone else who you think would be interested in digital rights. To give us an idea of numbers, we’d appreciate an email to <contact AT digitalrights.ie> to let us know if you’re planning on coming along.