No one who has ever used gmail would think of competing against the google guys' JS skills, but it seems there's stuff to learn for people who thought they knew pretty much everything already:
There's a theory that says "if you put a million monkeys in front of a million typewriters, in a few years you can get the collected works of Shakespeare".
There's another theory that says the internet was invented precisely to test this :-)
"The Linux operating system has many times fewer bugs than typical commercial software, according to an upcoming report."
"It was painful, but he stuck to his guns and broke us free of the Excel drug," Baltrusch said. "We began to have one version of the truth."
We imagine that we now live in a "web" world. Java, JSP, EJB -- the COBOL of the internet. We imagine that things are more "standardised" now, we imagine that such vendor dependency doesn't exist, can't exist.
But the more things change, the more they stay the same...
Read on for the entire letter I wrote. Nice of Bruce to not edit it even a little bit!

From: Sitaram Chamarty
Subject: Electronic Voting Machines
While I agree with much of what you say regarding electronic voting and related aspects, there are a few things that you may or may not be aware of that I would like to add to the discussion.
"The key to modern computing is simple acceptance of the axioms. Fighting them will make your life miserable."

We all have complaints against software/hardware, but Dvorak brings a biting sarcasm to it and makes the usual rants very funny.
"Sometimes it seems like Microsoft has a monopoly of just about everything, but it shouldn't have one on the facts."

So... got a monopoly? Here's how to keep it:
Gee I hope this doesn't happen to anyone I know... ;-)
"If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."
Can someone tell me what planet this guy is living on?
"The explosion of patent filing activity at Microsoft doesn't necessarily indicate an explosion of creativity; and many may be even more fatuous than the FAT patent. For example today (thanks TheoDP) Microsoft has applied to patent the IS NOT operator."

Is there a legal limit to their silliness?
I suppose this is the way to package important information for the unwashed masses :-) It's funny if you're in the right mood, otherwise it sounds pathetic.
"I just can't continue with this relationship any longer. I know you say you'll fix things, that next time it'll go better--but that's what you said the last time--and the time before that. Each time I believed you."
"First off, I'd suggest buying "Seven Habits of Highly Successful People", and NOT read it. Burn it, it's a great symbolic gesture."

And after a start like that, what else do you expect from one of my 2 "Gods"?
someone commenting on the slashdot article at http://science.slashdot.org/article.pl?sid=04/10/27/0147206 :
"Am I really supposed to believe that an OS started by a Finnish university student a decade ago and designed to run on a 386, is now running the most powerful computer ever built? I mean, come on!"
Honestly, are there any limits to how good this open source thing is? :-)
"Similarities between the Arabic and Hebrew languages have enabled groups of Israeli and Arab developers to assist each other in solving common problems developing local versions of OpenOffice.org software."

[For those who may not know, OpenOffice.org is the open source version of Sun's StarOffice, which together aim to unseat the major cause of Microsoft's stranglehold on us!]
Most people in the security industry (and even many not involved in IT security) have heard of Bruce Schneier.
Schneier: I think it's foolish to use Internet Explorer. It's filled with security holes, and it's too hard to configure it to have decent security. Basically, it seems to be written in the best interests of Microsoft and not in the best interests of the customer. I have used the Opera browser for years, and I am very happy with it. It's much better designed, and I never have to worry about Explorer-based attacks.
A 1993 Yamaha RX-100. Bright and sunny Sunday morning. Wife and kids out of town for a week. No cell phone. Virtually no traffic on the roads at this time.
For a 42-year old guy with 2 kids and a sedate job, this is as much freedom as I'll ever get. Even if it won't last :-)
My "dog leash" (a.k.a. cell phone) died this morning. And I'm certainly not about to shell out on a new one right now -- I've got my heart set on a Motorola A780, which isn't available yet.
So at least one of my new-found freedoms will last a while :-)
Update 2005-07-24 16:23
I got my new phone, but haven't had much time to blog about it! :-(
The article is a little old, but it's a good read nevertheless. Explains nicely why Unix is more secure than Windows. Not as funny as usual articles from The Register, although the author clearly tried to redeem that by the time he came to the last para:
"So, while openness provides a couple of security advantages in itself, the chief reason why Linux and BSD offer superior security is not so much because they're open source, but because they're not Windows."
"Microsoft declined many opportunities to harden Windows XP in a meaningful way"
"The home user is the one most in need of good security configurations and tools, yet the one least served by SP2"
"...a steep price to pay to secure a browser that swept the market as a free, standalone product."

Great business plan. Get the world hooked on a "free" browser riddled with security holes, wait for the internet to become truly dangerous, and then scare people into upgrading their entire OS! So now we know how "free" IE is...
As if you wanted any more reasons to switch to Firefox!
Other choice quotes from the article:
"...five incidents where aircraft broke separation guidelines were reported. In one case, a pilot had to take evasive action."
Read this article only if you care about collaboration software.
I once considered Faq-O-Matic (called fom in the rest of this document) as a replacement for my favourite web software, TWiki. So I installed fom on my home machine, and went through the entire documentation and assorted material to see what features fom has and how they compare to twiki.
Yesterday we had a discussion on these topics, so I pulled it out, reformatted it very slightly, and put it up on my website.
[there's a very ironic update to this -- see bottom of article]
"Security is really an industry-wide problem. Just this morning I had to install an update to Firefox to block a flaw that would've allowed an attacker to run a program on my system."

I've been saying for a long time that people should not use IE unless you come to a site that insists on IE and you really, really need to access that site.
Here's a possible "open mouth, insert foot" comment from no less a person than Stephen Toulouse, Microsoft's security program manager, who essentially admits to using Mozilla Firefox.
Oh and by the way, he also says "We're two and a half years down a much longer road; it's more of a 10-year timeline", so don't expect serious security improvements in MS products for a while :-)
Hilarious update! The flaw that he was talking about applies only to the Windows version of Mozilla/Firefox. The irony is that, after mis-informed reporters made it sound like Mozilla screwed up, people realised that it was in fact a Windows problem, and that not only IE but even MS-Word and MSN Messenger were vulnerable!
Now, if only they could issue a patch as quickly as Mozilla did, and if it could be as small and quick to install...! (the Mozilla patch is just over 1 kilobyte, by the way!)
This is a detailed account of a security expert unravelling the trail of malicious changes that are forced on a computer, simply by visiting a site called yahoogamez.com.
IMPORTANT -- if you are running Windows, please do not attempt to simulate any of this unless you know EXACTLY what you are doing.
Unless you've wised up and use Firefox, of course!
"0wned" -- hacker-speak for breaking into a computer permanently and being able to do whatever the hacker wants on it
"exploit" -- a known vulnerability that can be used as an entry point into a system
"UPX" -- a way to pack executable files
Follow the Bouncing Malware -- part I
"I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter."

Part I starts by visiting "yahoogamez.com". Even before the user actually clicks anything, ads and other content on the page cause a chain reaction of malicious downloads and a CHM (Windows Help system, I think) exploit, ending with the IE home page and default search engine getting changed, and a piece of spyware getting installed on his machine.
Then the user clicks on a link that requires Flash, which he doesn't have so he comes back to the main page. At this point a trojan (identified by AV software as Win32/TrojanDownloader.Rameh.C) is downloaded!
Go to http://isc.sans.org/diary.php?date=2004-07-23 for the gory details.
And remember that's just PART I.
Follow the Bouncing Malware -- part II
"So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he'll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn't worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy."

Part II continues on the trail, showing exactly how all of the stuff described above happens! To add insult to injury, the "new" homepage installed in part I (see above) is a page that advertises... an anti-spyware program!!
And remember, part III is yet to come :-)
Very nice article... simple, easy to read and understand.
Most cryptanalysis is very mathematical in nature, and I can hardly understand the individual words in it, let alone whole sentences :-(
As a result, I've always had trouble explaining to people how proper analysis can break a system, because to the untrained mind, even XOR would seem unbreakable!
For me, therefore, the real value of this article is that I can probably use it to give ordinary people exactly such an insight.
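As an added illustration of exactly that point (this is not from the article, and the plaintext and key below are constructed for the demo): a repeating-key XOR cipher, which looks unbreakable to the untrained eye, falls to nothing more than counting letters. The code assumes the plaintext is ordinary English, scores candidate decryptions against a letter-frequency table, and tries every key length up to eight bytes; the length whose full decryption reads most like English wins, with ties going to the shortest key.

```python
"""Breaking repeating-key XOR with letter frequencies.

Added example, not from the article under discussion. SAMPLE_PLAINTEXT and
SAMPLE_KEY are constructed for this demonstration.
"""
import string

# Approximate relative frequencies of letters in English prose, plus the
# space character, which is more common than any single letter.
_FREQ = {
    'a': .0817, 'b': .0149, 'c': .0278, 'd': .0425, 'e': .1270, 'f': .0223,
    'g': .0202, 'h': .0609, 'i': .0697, 'j': .0015, 'k': .0077, 'l': .0403,
    'm': .0241, 'n': .0675, 'o': .0751, 'p': .0193, 'q': .0010, 'r': .0599,
    's': .0633, 't': .0906, 'u': .0276, 'v': .0098, 'w': .0236, 'x': .0015,
    'y': .0197, 'z': .0007, ' ': .1300,
}
_PRINTABLE = frozenset(string.printable.encode())

SAMPLE_KEY = b"KEY"   # constructed for the demo
SAMPLE_PLAINTEXT = (  # constructed for the demo
    b"Most cryptanalysis is mathematical, but a repeating key XOR falls to "
    b"nothing more than counting letters. English text is mostly lowercase "
    b"letters and spaces, so for each position in the key we try all two "
    b"hundred and fifty six byte values and keep the one whose output looks "
    b"the most like ordinary prose. Done column by column, the whole key "
    b"drops out of the ciphertext."
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(text: bytes) -> float:
    """Higher means more English-like. Non-printable bytes are penalised
    heavily; this matters because a key byte that is off by 0x20 only flips
    letter case, and would tie on letters alone, but it turns every space
    into a NUL."""
    score = 0.0
    for b in text:
        if b not in _PRINTABLE:
            score -= 1.0
        else:
            score += _FREQ.get(chr(b).lower(), 0.0)
    return score


def break_single_byte_xor(column: bytes) -> int:
    """Return the key byte whose decryption of column looks most like English."""
    return max(range(256),
               key=lambda k: english_score(xor_bytes(column, bytes([k]))))


def break_repeating_xor(ct: bytes, max_keysize: int = 8) -> bytes:
    """For each candidate key length, split the ciphertext into columns that
    share a key byte, break each column as single-byte XOR, and keep the
    length whose full decryption scores best. A strict '>' means ties go to
    the shorter key, so a 3-byte key is reported as 3 bytes, not 6 or 9."""
    best_key, best_score = b"", float("-inf")
    for size in range(1, max_keysize + 1):
        key = bytes(break_single_byte_xor(ct[i::size]) for i in range(size))
        score = english_score(xor_bytes(ct, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def demo() -> bytes:
    """Encrypt the sample, then recover the key from the ciphertext alone."""
    ciphertext = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    return break_repeating_xor(ciphertext)


if __name__ == "__main__":
    print(demo())
```

Nothing here needs the key, the key length, or any known plaintext; a few hundred bytes of ciphertext and the knowledge that the plaintext is English are enough, which is the insight the article tries to give to non-specialists.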
"Why is it that I can meet with the president of India, who spent an hour with me talking about how he was going to use open-source software ... to move his educational system to the 21st century, yet I struggle in my town just to get an appointment with the local school committee to introduce them to this thing called ... Linux?" Szulik asked.

I wonder what's the more important news: the US being left behind because of their policies, or the Indian president having the vision to recognise what open source can do?
Both are "old news" to me, but perhaps one or two of the three or four readers I have may find something new here ;-)
"The programs also slurp up system resources, leaving your PC sluggish. Often, that's the only way you discover they're there."
"What sounds really hard to digest, is the fact that a body as 'red-taped' as the Indian government has jumped on to the Open Source bandwagon both quickly and efficiently."

Another quote:

"Until a few years back, Linux was simply branded as an 'experiment' in government circles, and now its not. Period."

However, the rest of the article is somewhat mixed in its euphoria, I am sorry to note. And then there's the dark side of governance in India:
"Also, we face resistance from a certain section of the society that opposes the influx of technology, primarily because of the transparencies that it introduces into the system."
Psychologists need to get a life. Look at this:
"Got your own homepage? Then you are probably shy, sensitive to criticism and suffering from low self esteem. Chances are, you are male too."

Well, I suppose 25% is not a bad score in this field, poor guys :-)
"So says the psychologists of the Chemnitz University of Technology (CUT) in Germany, who interviewed more than 300 webpage owners."
I know India and China have been traditional adversaries, but this article evoked some (grudging?) respect from me.
wait, don't go away... this is not about Linux, even though that is how the article came to my attention! Read the article, and you will see...
"If Alford is right, the real reason why the Chinese government and software industry are so supportive of Linux could be because Linux is, instinctively, much more in tune with ancient Chinese philosophy."

China hasn't been a model "world citizen" in many respects, and although I don't care much for politics, I can't but dislike such systems of governments.
But it seems to me, after reading the above article, that a common mistake most people (including myself, of course) make must surely be that of judging a people by the actions of their governments!
Even if you are not in the IT industry, or don't care two hoots about open source, you may still find that you enjoy the basic premise of this article, and -- for people who are not habitually cynical, who knows, it may even give you some warm fuzzies!
"...but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser."

The best part is that this quote/article come from a site owned by Microsoft!
For more details, see CERT says "dump IE".
Of course, I knew this already, since I was actually at the event mentioned (yours truly presented a paper, hem hem!) but I figure once a non-Indian, non-slashdot, site talks about it, it's time to blog it!
"In another public-sector boost to open-source software, Indian President A.P.J. Abdul Kalam called for his country's military to use such nonproprietary technology to ward off cybersecurity threats."
"CAcert's resourceful Australian originators took a hard look at the infrastructure that's really necessary to operate a Certificate Authority, and found that it was fairly small."

Hmm...
[P: this is for you. Until now, everyone who asked got this file by email, but now that I have this site, I figure I just paste it in here so I have a URL to send instead of the file. You're already the 6th guy asking me for this info so this will reduce my "support costs" :-)]
Note to all: this post has lots of <pre> text, and is completely useless on blogspot. Go look for it on my real blog, link somewhere on the left...
If, like me, you've recently purchased a brand-new digital camera (hi RS, RN, CR, RK!!) you may have people tell you stuff like this:
"Asia's top mobile phone makers are rolling out handsets equipped with cameras so advanced many consumers may come to the conclusion they don't need a separate digital camera any more."

However, the same article goes on to explain:

"Megapixels are anyway waning as the main factor influencing purchases as people become better informed about specifications like lens quality, zoom performance and data storage capacity and special features such as anti-shake protection."

As a friend of mine who has a pretty decent camera phone knows, the fact that it is always around makes it more susceptible to wear and damage than a proper camera. The lenses on these are bad enough to start with; daily exposure to the elements doesn't help!
Updated 2005-07-24 13:51
But what's more important is the quality and number of lenses. Real cameras have multiple lenses in groups (you might see phrases like "7 lenses in 4 groups", for instance), and this is necessary to overcome various aberrations and distortions that a single lens or a smaller set of lenses cannot overcome. And then there's the lack of a proper autofocus mechanism, on most phone-cameras. Ultimately, it's the size of the instrument that causes the problem.
I've seen Sony T-3s and Casio Exilims suffer from the same problem as cameras added on to phones, although less severely. The pictures are fuzzy except for the ones shot in the conditions that are most ideal for this particular lens assembly (usually bright day, outdoors, medium distant object like a building or a tree). Anything else just sucks, when you compare it to a corresponding image taken with a real (even if it is compact) camera.
I myself now have a Motorola A780 Linux phone, with an integrated 1.3 MP camera, but I hardly use the camera except for emergencies or for fun. No photo from that camera can make me proud!!! My Canon A80, on the other hand, is truly worth special treatment in the taking of photographs, and can handle a lot of variations (within reason).
The user interface is absolutely stunning -- if you've been using web-based email for a while, and have occasionally been frustrated by the UI, this will blow you away. Clearly, Google has done its homework. The interface is fast enough and slick enough to make it almost seem like a local email client like Thunderbird.
So... if you use web-based email frequently, beg, borrow, or steal an invite, because gmail is still in "beta" status and you cannot just sign on.
One interesting thing about this invite business: when I was first offered an invite, I declined. I already have 6 distinct email addresses, and having one more was not very appealing. Bad move. By the time I realised the interface was too cool to pass up, email@example.com was gone, and I had to settle for firstname.lastname@example.org!
Finally, for those who saw the brouhaha about the loss of privacy due to the targeted ads, which work by "reading" your email: yes, it could be a problem. But if you think you have any privacy with any email where the server is not under your direct control, you can continue to live in your paradise ;-) Besides which, most people would trust Google a lot more than they would trust the beast anyway; if Google says "we won't look at it ourselves, only our computers will", then that is it. They have actually earned that level of trust from normally cynical people!
[Summary: until now, flaws in MS IE would affect you only if you visited malicious sites. Now, hackers can turn any site running MS IIS into a malicious one, so even a site you normally trust can hurt you; a backdoor program is installed on your machine that captures your passwords etc., and sends them back to the hacker]
Updated with various links and pointers to more info; see bottom of article. In particular, see http://slate.msn.com/id/2103152/ -- a site owned by Microsoft says "...but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser." :-)
"There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser."

This is actually linked as "additional information" from CERT's "current activity" page for July 2nd, at http://www.us-cert.gov/current/archive/2004/07/02/archive.html , which says:

"Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."

What is scary is the phrase "even those that may be trusted by the user". We've always known that visiting malicious sites can cause big problems, but if you generally stuck to the straight and narrow and did not access any pr0n sites or other shady stuff, you were safe. Not any more; a flaw in MS IIS (MS's apology for a web server!) apparently allows hackers to turn any website against its users, and visiting such a site installs a backdoor program that captures passwords and sends them to the hacker! This is bad.
Securityfocus has another, even more hard-hitting article that says it is Time to Dump Internet Explorer; this one is more fun to read :-)
The latest version of IE is 6, and it has certainly accumulated an impressive record of holes: 153 since 18 April 2001, according to the SecurityFocus Vulnerabilities Archive. There have been some real doozies in there. For instance, last August, Microsoft issued a patch that fixed a hole that the company described this way: "It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action." Oh, is that all? Well, that's super...
As I said, most of you have heard me say this long, long, ago. Even during the days I had Windows as my main desktop, I used firefox for all my browsing. [I used IE only for the corporate website, which has an invalid X509 certificate, and so Firefox -- quite correctly, I might add -- refuses to load it!]
I repeat: if you haven't installed Firefox yet, please download and install it ASAP. AND START USING IT! By all means let me know if you need help, but please stop using IE.
Friends don't let friends use IE...
- http://slate.msn.com/id/2103152/

"...but it was enough to make me ditch Explorer in favor of the much less vulnerable Firefox browser."

The best part of that quote is that it comes from a site that is owned by Microsoft! Great!!

- http://news.com.com/2100-7349_3-5247187.html?tag=prntfr

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."
The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.
"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.
- http://linuxtoday.com/infrastructure/2004062501826OPDTSW

"This is a piece of software--a closed source, and therefore supposedly (ha!) more secure piece of software, mind you--that is constantly having innumerable flaws exposed and taken advantage of. In the recent past, it was download this, and you're doomed. Open this, and you're in trouble.
Now, it's: open any page on a Web site running a Microsoft Internet Information Server, and you potentially could be infected."

- http://news.netcraft.com/archives/2004/07/05/browser_wars_to_recommence.html

"One is the extreme gravity of the latest phishing scams: victims of phishing attacks might conceivably lose their life savings. Some people now perceive Internet Explorer and Internet Banking as a potentially lethal cocktail that must not be mixed, with insiders in the banking industry urging their families to switch if not operating systems, then at least browsers, while conversely some internet banking customers have adapted to the threat by forgoing convenience and moving funds back into accounts which require traditional telephone and fax instructions."

- http://www.eweek.com/article2/0,1759,1618052,00.asp

"Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote, "A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code."
Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that's all there is to it and continue to use IE. But as for me, I'm done with it."
[R: this is for you. Thanks for you-know-what]
Update 06 Jul 2004: added "seemore" functionality into
siki. Now it looks like a real blog ;-)
In the beginning I had a home-grown program that did just one thing: change a plain text based notation into HTML, with certain rules. This, with a couple of shell scripts around them, "created" simple HTML. I'd written it a few years ago, and it has survived till now in my toolbox.
The problem with using this for a website was that it offered nothing in terms of adding and uploading content. Everything except the actual content-authoring was still manual! So, after the initial setup of the website in late Feb to early March, 2004, nothing changed till mid-June -- it was just too cumbersome.
Clearly, that's no use, even for a self-confessed "vanity" site that's not expected to be of any real use.
By chance, I came upon a comparison of various blogging software [URL lost -- looking...], and I quickly zeroed in on the only one that did not require a database or some other fancy pre-requisites, was written in Perl (I may have to mangle it for my own use!), was free as in GPL or similar, and yet had a sufficient number of features.
Blosxom was the only choice!
The blosxom install page has 4 scenarios (blosxom on your ISP, or on your own Mac, Windows, Unix box). The one for the "ISP" and for "Unix" are the same. The basic pre-requisite is simply being able to run a perl/CGI program.
To start, we get blosxom.zip from http://www.blosxom.com/downloads/blosxom.zip . This is, as of today, a single, simple, Perl program of only 440 lines! The rest of the magic is via plugins and templates etc. (The templates are also small -- less than 200 lines -- but the plugins are almost 2000 lines!)
Simply unzip into your cgi-bin directory, and edit the top few lines, where some self-explanatory parameters (mostly paths) are set. Just be sure that the $datadir is not under the web server's
After this, download the Blosxom Flavour Sampler and install it in Blosxom's $datadir. A "flavour" in blosxom is what some programs call a "skin". Look and feel only. The sampler has 3, and the flavour registry has a lot more, with fancy colours and special effects. I neither have the time, nor the interest -- in fact, weird colours go against my philosophy of creating sites that are usable from even a text browser!
The default flavour is "html", so I changed the corresponding files to suit my taste.
head.html had the most changes -- when you install yours, compare how the side bar looks on yours with mine and you will see. "View Source" if needed. Another small but important change is in foot.html; I don't like date-based "permalinks", so I changed them to hierarchy-based ones.
Finally, download a few plugins from the plugin registry. Plugins allow extra functionality. For example, somewhere in my flavour files there is $categories::categories. This invokes the categories plugin, which shows the browsable list of categories you see below the "vanity disclaimer".
The plugins I use (with a one-line description of non-obvious changes I made, if any) are:
Read more about these plugins on the plugin registry page.
- categories (the DATA section also changed quite a bit to get rid of the unordered list and make it a "2-space indented" list)
- wikieditish (the actual submit button invokes an HTTPS URL rather than an HTTP URL, since a password needs to be transmitted. What can I say -- I'm paranoid!)
Apart from these, my text to HTML program was converted into a blosxom plugin called "siki". [I haven't submitted it yet, but I intend to do this sooner or later]. Naturally, this took the longest time. You can always write plain HTML of course, but it sucks!
Total effort for the important bits was around 8-10 hours (done over a few evenings, about one hour each time). As is common, tweaking the system after it was working "OK" took about the same time. It's like the old joke: the first 90% of the work takes 90% of the time, the rest 10% takes another 90% of the time ;-)
"It obviously says you should always use open-source Trojans," says Mark Loveless, a senior security analyst with Bindview Corporation. "That's the moral. You can't even trust Windows malware."

I don't know if this guy was serious or tongue-in-cheek but it's a helluva funny comment!
It used to be a single custom script that did everything -- or at least everything I thought I needed.
Then I saw blosxom and I got greedy :-)
Now this is mostly blosxom+plugins; I only added one plugin (called siki), which allows me to write plain text and converts it to HTML on the fly -- quite like what wikis do, but tailored to my tastes. None of the existing plugins appealed to me for one reason or other.
Actually, the only website maintenance software I really like is TWiki, but that would be somewhat overkill here!
And I really, really don't like HTML. I would much rather edit a simple text file, and not worry too much about bold, italics, etc. I also hate maintaining links, remembering exact locations, and -- heck -- even exact spellings!
Here are the main features:
- translating plain text to HTML.
- *bold* becomes bold
- /italic/ becomes italic
- _underline_ becomes underline
- an empty line following a non-empty line causes a paragraph break
- lists (OL), as well as blockquote sections, are derived from indentation
- it is possible to create tables also, as you will see on some pages (one example is the set of image links on Joey and Geetha's wedding page).
- URLs are handled very nicely. You see, even though I felt TWiki would be overkill for a one-man site, I do like the "automatic" linking (a.k.a "accidental" linking) that all Wikis share.
So I just borrowed that feature, and in fact went one teeny step further. The program that converts the plain text to HTML will also create links by actually looking for the URL in the parts of the webtree that it is allowed to look in.
If the URL resolves to an image then there is a little extra smarts to it: if an anchor text was provided, that will be used; otherwise, a thumbnail version will be used for the anchor.
The best part is that the URL can be a regexp, and if there is only one match found, that's what gets used!
- Finally, I can just use HTML, anywhere in the file, if I need something more complex!
Yes, once it has moderately stabilised I will put up the siki plugin here. The rest of it is plain blosxom, plus the following plugins:
My Python-ista friend Raj pulls my leg, saying, "Even Perl people have to appreciate the beauty of indentation"