2008-09-20

(malware) please guys, be careful out there...

[This is for all my friends and relations whose primary skills are not in the area of information security!]

A few months ago a young security researcher called Dan Kaminsky found a serious problem in the way most DNS servers handle requests. [DNS is analogous to the "telephone" directory of the internet, and a DNS server is your interface to this global "telephone" directory]. Dan Kaminsky showed how a bad guy sitting anywhere on the internet could fool almost any DNS server into remembering wrong numbers (the technical term is "cache poisoning"), so that when you thought you were logging onto citibank.com you were actually going to some Russian hacker site that mimicked citibank well enough to fool you.

The interesting thing about Dan's discovery was that a medium-term fix was easy -- all it needed was for most major DNS server software to be updated (the fix, in one line: make the server send each query from a random source port, so that a forger has to guess the port as well as the query ID). However, they all had to be updated simultaneously; otherwise, by looking at how the first one was patched, hackers might figure out how to attack the others which were not yet patched.

The wonderful and amazing thing is that he actually managed this feat of co-ordination: all the major vendors of DNS software went into a huddle for six months, fixed their software, and all of them simultaneously released a patch on July 8th, 2008.
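For the technically inclined, here is a small model of the race that the patch was about. This is an added example, not something from the original post or from Kaminsky's write-up: an off-path attacker wants a resolver to accept a forged reply before the real one arrives, and before July 2008 the only thing the forger had to guess was the 16-bit transaction ID; the coordinated fix added a randomized UDP source port, so both must now match. Kaminsky's key insight was that a failed attempt costs nothing, because asking the resolver for a fresh random name starts a new race, which is why the number of rounds to success matters. The usable port range and the per-round packet budget below are assumptions for the model, not measurements.

```python
"""Toy model of the DNS cache-poisoning race before and after the July 2008
patch (added example, not from the original post).  Port range and packet
budgets are constructed assumptions."""
import random

TXID_SPACE = 1 << 16              # 16-bit DNS transaction ID
USABLE_PORTS = (1 << 16) - 1024   # assumption: resolver picks from 1024-65535


def guess_space(port_randomized: bool) -> int:
    """Number of equally likely (txid[, port]) values the forger must hit."""
    return TXID_SPACE * (USABLE_PORTS if port_randomized else 1)


def success_probability(forged_replies: int, port_randomized: bool) -> float:
    """Chance that one round succeeds when the forger squeezes `forged_replies`
    distinct guesses into the window before the real answer arrives."""
    space = guess_space(port_randomized)
    return min(forged_replies, space) / space


def expected_rounds(forged_replies: int, port_randomized: bool) -> float:
    """Expected number of fresh-name races until one poisoned reply lands."""
    p = success_probability(forged_replies, port_randomized)
    if p == 0:
        raise ValueError("no forged replies, no attack")
    return 1.0 / p


def simulate(rounds: int, forged_replies: int, port_randomized: bool,
             seed: int = 0) -> float:
    """Monte Carlo check of success_probability: each round the resolver picks a
    random target and the forger sprays a contiguous block of distinct guesses
    starting at a random offset.  Returns the observed per-round hit rate."""
    rng = random.Random(seed)
    space = guess_space(port_randomized)
    hits = 0
    for _ in range(rounds):
        target = rng.randrange(space)
        start = rng.randrange(space)
        if (target - start) % space < forged_replies:
            hits += 1
    return hits / rounds


if __name__ == "__main__":
    # assumption: the forger gets ~5,000 spoofed replies out before the real one
    budget = 5_000
    for patched in (False, True):
        label = "after patch (txid + port)" if patched else "before patch (txid only)"
        print(f"{label}: guess space {guess_space(patched):,}, "
              f"p(round) = {success_probability(budget, patched):.2e}, "
              f"expected rounds = {expected_rounds(budget, patched):,.0f}")
    print("simulated p(round), unpatched:", simulate(20_000, budget, False, seed=2008))
```

The point the numbers make: with only the transaction ID to guess, a few thousand forged packets per round and the "ask for a new random name and try again" trick get the attacker in after a handful of rounds; with the port randomized as well, the same budget needs tens of thousands of times more rounds, which is why a software update, and not a new protocol, was enough for the medium term.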

Sadly, July 8th is old history in internet time scales.

Now there is a new problem we are being warned about: all web browsers, as well as other software such as Flash (Adobe is involved, so this is a good guess), have a fundamental flaw which cannot be fixed easily. Details are not available yet (the researchers have pulled their planned demo; see the references below), except that you are safe if you block JavaScript by default.

Guys and gals, ladies and gentlemen, if you ever do anything on your browser that requires a password, please do the following:

(1) install Firefox -- http://www.mozilla.com/en-US/firefox/
(2) install NoScript (this is a Firefox "addon") -- https://addons.mozilla.org/en-US/firefox/addon/722

Yes, websites that depend on a lot of JavaScript will look different. Enable JavaScript only for sites that you trust. When you open such a site and things don't look/work as you expect, just click on the NoScript icon in the statusbar (looks like an "S" in a circle) and tell NoScript that you trust this site. That's it.

NoScript has been keeping me immune from many smaller attacks and security holes for years now. This hole is merely the latest and the most frightening, judging by the secrecy and the dire warnings, but even this does not worry me. And it should not worry you either, if you do this.

References:
http://ha.ckers.org/blog/20080915/clickjacking/
http://www.theregister.co.uk/2008/09/16/critical_vulnerability_demo_pulled/

2008-09-17

(ivory tower) General abstract nonsense...

Finally, an explanation of why, in attempting to learn Haskell, I couldn't grok monads!

http://en.wikipedia.org/wiki/General_abstract_nonsense

Yes, I know it's not meant to be insulting, but it's too funny to ignore the coincidence of "General Abstract Nonsense" being used to describe concepts in Category Theory, which is where monads come from. And yes, I know that the real explanation is that I'm too stupid (in math at least) to ever be able to manage the level of abstraction required to get it. But hey, I'm smart enough to know how stupid I am -- that's gotta count for something right?

[PS: On a related note, did you know there is something called Pointless Topology? I wonder if they get paid extra for coming up with this sort of stuff ;-)]

(PHB,funny) cleaning up the office...

You may need to read the whole article at http://thedailywtf.com/Articles/Office-Supply-Amnesty.aspx in order to understand the humour in the following comment that was posted in response (at http://thedailywtf.com/Comments/Office-Supply-Amnesty.aspx#217428 ):

----- start quote -----

Dear all,

We spend a lot of money each year on managers - a lot of this is
unnecessary expenditure as they spend their time micromanaging
employees to no measurable savings.

Please check the office for any unused managers and dispose of them in
some appropriate way. This exercise should also help to tidy up the
offices which are starting to look trashy in some areas.

Hoping I will get your co-operation in this

Regards,

----- end quote -----

2008-09-15

(WEP,funny) accuracy in reporting

http://www.theregister.co.uk/2008/09/13/furse_lse_comment/

Quote: "To a Reg reader, Accenture will be associated in the context of technology with the words “screw up”, “late”, and “over budget”."

I need to find this reporter and take him to lunch. Or at least buy him a beer. The sad part is, no other mag will dare to make such a blunt statement :-)

2008-09-14

apple idiocy

two examples coming so close to each other... what's going on?

(1) http://www.roughtype.com/archives/2008/09/apple_declares.php

Quote: "Some people," the patent application observes, "have taken it upon themselves to remove the sensor from the special pocket of the [iPod-linked] Nike+ shoe and place it at inappropriate locations (shoelaces, for example) or place it on non-Nike+ model shoes." Oh my God: Geeks are ripping the sensors out of their sneakers and sticking them on their shoelaces! Unleash the shoe nazis!

This is the kind of guy they're targeting with this monumental stupidity: http://podophile.com/2006/07/14/shoe-hacker-nikeipod-sport-kit-shoe-mod/

I like the last line of this blog post, just before the comments: "It used to be cool to be an Apple fanboy. Now it's starting to be embarrassing."

On the slashdot thread about this (at http://apple.slashdot.org/article.pl?sid=08/09/13/2114214 ), I particularly liked these two comments:

http://apple.slashdot.org/comments.pl?sid=963229&cid=24996107 and
http://apple.slashdot.org/comments.pl?sid=963229&cid=24996553

(2) For those of you who like the iPhone, here's an example of how much of a stranglehold Apple has on what you can do with it (apart from all the things you cannot do, as in http://www.michaelrobertson.com/archive.php?minute_id=242 and elsewhere):

http://yro.slashdot.org/article.pl?sid=08/09/13/1924215

The slashdot summary is pretty brief:

DaveyJJ sends news of yet another rejection of an iPhone app by Apple, with perhaps a chilling twist for potential developers of productivity or utility apps. John Gruber of Daring Fireball writes: "Let's be clear: forbidding 'duplication of functionality' is forbidding competition. The point of competition is to do the same thing, but better." Paul Kafasis (co-founder of Rogue Amoeba Software) makes the point that this action by Apple will scare talented developers away from the iPhone platform. And Dave Weiner argues that the iPhone isn't a "platform" at all: "The idea that it's a platform should mean no individual or company has the power to turn you off."

(movies) not very good at this...

My personal boycott of the Bachchan family for rejecting the beautiful Rani Mukherjee (and marrying the one actress I totally totally can't stand) might have to go on a short vacation. If reports are to be believed I may have to watch The Last Lear.

So let's see... I bought a Sony product in December 2006, despite the rootkit boycott (there's an account of it somewhere on this blog; use the search box), I don't check if it's a Sony movie before going (and anyway my wife decides what movies we watch!) so I probably watch Sony movies all the time, I have already seen 3 movies in a Reliance-owned (motto: we don't even treat our own brother right; who the fsck are YOU?) theater and since it's the closest to where I live, I'm sure there'll be more.

And now this.

Damn it, I'm not very good at this boycott stuff... :-(

(funny) what exactly does beta mean?

Completely lifted from http://developers.slashdot.org/comments.pl?sid=962865&cid=24989951 (it's short enough, and funny enough, and I hope the author won't mind if he finds out!)

---- quote ----

When MS uses the word Beta, they really mean pre-alpha. Release is Beta. If you want a release quality MS product you need to look for the discontinued tag.

Google is simpler, they got beta, beta and beta. One works, one doesn't, the other works for everyone except you and just when you became totally dependent on it, they kill the project.

Linux has Beta and RC. RC is solid but out of date so nvidia doesn't have drivers for it anymore, beta is solid but nvidia doesn't have drivers for it yet.

Solaris has only one version, more solid and sensible than a rock, it is labelled "Giving your accountant a heart attack".

2008-09-11

(movies) "A Wednesday" -- absolutely awesome movie

I am half inclined to watch it again; if I manage to find the time I probably will. The movie shows you things which you wish would happen, although deep in your heart you know this is pretty difficult.

Some comparatively mundane comments:
- absolutely no songs, hero/heroine junk -- very nice
- Anupam Kher shines
- Naseeruddin Shah outshines :-)

And for anyone who thinks Amitabh has the best voice, listen to Naseeruddin Shah in this movie. The timbre of his voice, the diction/accent -- just terrific. Don't get me wrong, Amitabh is pretty good, but this guy has him beat.

2008-09-09

(open source,funny) film versus digital: nice analogy used to illustrate the open source model

http://advice.cio.com/bernard_golden/designing_a_new_software_distribution_process

"Honestly, if you proposed the film work-flow today, you'd be taken to the city square and hung. Imagine I told you we're going to shoot on superexpensive cameras, using rolls of celluloid made in China that are a one-time use product susceptible to scratches and that can't be exposed to light. And you can't even be sure you got the image until they're developed. And you have to dip them in a special fluid that can ruin them if it's mixed wrong. People would think I was crazy."
and
...imagine I told you "Someone is going to create a software product, spend as much selling it to you as you pay the first year, refuse to let you try it enough to determine whether it will really work in your environment, keep the internal code secret and not let you examine it, forbid you from publishing benchmarks so that its performance can be compared to other products, charge 20% of the initial price each year for maintenance whether you need it or not, and potentially pull it from the market due to internal business reasons with no possibility for you to do anything about it. Oh, and by the way, if they do keep in the market, they may come up with mandatory upgrades requiring additional fees." People would think I was crazy.