* Posts by Ed

57 publicly visible posts • joined 16 Apr 2007


Boffins: Ordinary lightbulbs can be made efficient, cheaply


How long will these treated bulbs last?

Technically, if they've just found out they can do this, it's possible they haven't had time to put them through the durability testers yet. However, it seems likely to me this treatment will have a degrading effect on the lifespan of the bulb - I've seen several other treatments which made incandescents brighter, and they all had crippling effects on bulb durability.

Like several others here, I've seen that there's a great amount of variation in the quality of energy saving bulbs, including LEDs. The best LEDs I've seen appear to me to have *better* full-spectrum qualities than most incandescent lights, rather than worse. IMHO, it'd take actual spectrum analysis to compare them to the best incandescents, and I don't have that equipment.

As far as elemental "murcury" being harmless - if you're trying to convince people that something is bad, it's generally not a good idea to tell them lies so obvious that anyone with any knowledge of the world knows you're lying. Mercury is fundamentally toxic (yes, there are trace amounts in nearly everything, but trace amounts we can handle. *Everything* has an LD50.) Even back in the early days of florescent lighting, the light quality was only "horrible" for most people if either you bought the cheapest tubes or you tried to use them until they burned out completely. (Although, I admit, as someone sensitive to higher frequency flicker than most, it was pretty rare that people would change them early enough for me. They were still cheaper, overall, than incandescents, even changing them as soon as I did.)

GM Volt to get regular software-style updates


Re: GM Should know the market anyone remember the EV1

Personally, I'd hope that I'd never find myself out of juice for the motor, but the sound system still works great. Keep in mind that an additional battery for the entertainment system is going to weigh the system down more, and so will decrease the car's overall efficiency.

In any event, these same gadgets decrease your range in a gas-powered vehicle also - your car has more power generation capability in the alternator than it would need just for the engine, so that it can play your radio, run your headlights, and keep its passenger compartment comfortably warm/cool. Worse, it's balanced so that, on average, it's generating more electricity than the car is using, This is done so that your car won't possibly run the battery down because you wanted to drive with the lights on, the wipers on, the rear defrost on, the heater on, and the radio on. After all, it wasn't possible to design the car such that it could easily change the power generation based on any realistic potential power use change. Having one alternate setting (for if you want the A/C on, as it uses the most power) is the most I've heard of cars having.

The only real differences are that with a primarily electric car, you are much more aware of that cause and effect, and in the primarily electric car, shutting off the radio actually helps.

Still, it would be nice to be able to jack into the radio system, and turn off the big speakers.

Kaspersky breach: No user info lifted, auditor confirms


Re: Doublespeak

The only way I can parse that so that it makes some kind of semantic sense without being a contradiction is:

The attackers found out how to access the database, and were able to issue SQL commands to the database. However, they were not able to determine the (obfuscated?) table names or field names such that they were able to walk away with data. If this is true, it's apparently a case of security by obscurity working - which I find to be nigh inconceivable.

EFF wins request for reexamination of ringtone patent


You mean like the midi format?

While I didn't manage to produce anything worth saving, I was using something which declared itself MIDI format back in the early 90s. I haven't reviewed all of the claims, but the stuff that I did definitely made use of quite a few of them - and I wasn't doing this as a programmer; I was just futzing around with a program written by someone else.

For those who are curious, this experience taught me a valuable lesson: If I'm to enjoy music, I need to wait for it to be made by persons far more skilled in music than I am. On the bright side, there are very many of those.

Brazilian hackers blamed for aiding Amazon deforestation


If they were serious about protecting the environment

They'd also curtail the companies' logging activities until the forest/jungle had sufficient opportunity to recover from the additional logging.

Why port your Firefox add-on to Internet Explorer?


@Dr. Mouse

There are many real programming languages not on your list. This is not surprising, as computer language preference tends to be a personal thing - most of us prefer a language that works the way we think. Lisp, Forth, ML, and Scheme are all, from everything I've seen of them, very solid, real programming languages. The trouble with them is they work very differently from how I, you, and many other people think. But for those who do think like that, they're perfectly fine.

There are at least thousands of programming languages which are in use today, and probably tens of thousands. I've only personally encountered around a hundred enough to have any real opinion of them. Statistically speaking, there's probably at least another 10 real programming languages that I haven't encountered.

For what it's worth, there's even a Pearl programming language (not to be confused with the Perl language I write most of my stuff in. Note that I'm not advocating Perl as a real programming language, as I'm fully aware it has some design flaws. Only thing is, it really does work the way my mind does, so its insanity is a good fit for mine.)

FSF throws sueball at Cisco


Re: GPL @Peter Gathercole

As I recall, Linksys had been in some hot water with the FSF because they had modified code in their products and not released the code. Then Cisco bought them out, taking on that liability themselves. I seem to recall that Cisco has released *some*, but not all, of the custom code in question.

That having been said, I've heard people claim that distributing GPL binaries attaches a requirement to make the source code available, even if one hasn't modified the source code in question. This is normally fairly easy to do by setting up a mirror FTP site.

Spammers look east after McColo shutdown


Cloudmark's real reason for sour grapes

An associate of mine is postmaster at a major customer of Cloudmark. He reported that his reported spam metric did not waiver, nor did his perceived legitimate traffic (unblocked and unreported). Blocked spam, of course, plummeted, as the total volume plummeted.

Of course, he also uses an RBL service, but I'd expect most everyone uses those these days.

E-voting glitches hamper elections in seven states


Re: Not surprised

This problem is not the result of unwillingness to pay for a decent system.

The states which are using the old, cheap systems are not having these problems. These issues all involve states which are futzing with new, 'state of the art' voting machines made by companies who should, by and large, be eliminated from the bid for making voting machines due to poor track records, conflicts of interest, and probably other reasons as well.

And, for what it's worth, 'merikins most certainly *can* make decent voting machines - we have them in something like 17 states. We have another around 23 states or so with passable voting machines. And then we have the states that make the news every few elections.

Personally, I think the people who selected the voting equipment in those states should be investigated for voter fraud, along with the companies involved.

California train smash driver sent text seconds before disaster


freight train engineers?

I've seen freight trains stop in the US. Every time, the train traveled over a mile in the process. Having a mile of perfectly straight track appears quite rare to me. Given typical visibility less than the stopping distance, other than being there to stop the train if the remote control breaks down, what purpose does having a person on the freight train serve?

Oh, right. Person to take the blame for train wrecks. I guess it's fitting, then, that they tend to be union workers who've blocked the automation technology deployments which would allow the train companies to actually make them all redundant...

VMware renders multitasking OSes redundant


@Mark Honman

"Actually it's funny to see this band-aid being applied to the axe wound of Windows one-app-per-server mentality. That was certainly necessary in the days of Windows NT, but the sheer number of Windows boxes and accompanying CALs meant that at the end of the day the cost was similar to the single AS400/HP3000/Unix box it was supposed to replace."

Um, actually, in my experience, that was 'significantly greater than', rather than 'similar to'. Mind you, I was just a young pup, so I didn't know how much the old Unix box cost; I only knew the cost of the replacement kit suggested by the Unix vendor.

And that's before you factor in the power, the space, the cooling, and the staff.

Did the width move for you, darling?


Re: Freetards

I'd just like to second Daniel's comment. Noscript for the win.

I used to run adblocker as a poor man's noscript, before I knew of noscript.

Now, I run noscript, although I still have adblocker configured, with a minimized list of sites (basically, if an advertiser has ever opened up a new window to show me ads, they're in my adblocker list. Otherwise, they're not.)


Yet another fixed width comment

Overall, I think the new site look is ok - but the old look was fine, also. I come here for the content, not the look, and that's still good.

Fixed width tends to be problematic, however. As it happens, you've randomly hit my viewing situation well; I have just a bit of grey on either side (apparently, 64 pixels minus my scrollbar width, whatever that is.) But it's something that either works for someone or it doesn't work for them. People aren't going to go out and get a new monitor and/or video card just to be able to read el'Reg comfortably.

With the new layout, whenever my wife decides to nick my laptop, I'm not about to bother browsing in from the Linux box - it being limited to 800x600 and all.

Of course, I'm sure that particular stat doesn't bother you much, given that I mostly just come around weekly some time around Friday - especially since I'm states-side, and therefore not subjected to most of your ads.

MS products just too cool to comprehend, say MS geeks


The best way to do what I do

"... they [open source community] will be a bit perplexed when they see the best way to run what they do is on our infrastructure"

Actually, when that happens, I'll be more than a bit perplexed.

I mean, don't get me wrong: My hardware consists of an 1.3GHz Mac with 512M RAM and an 800MHz Via Eden with 256M RAM running Linux. Microsoft, on the other hand, has thousands of servers far beefier. Of course it would be faster for me to run my stuff on their infrastructure.

However, my problem is that he's saying it's the 'best' way, and, as I understand it, breaking into Microsoft and installing my Linux image on one of their servers has *got* to be illegal. At least, in my book, being illegal makes it right out for being the 'best' way.

Oh, wait. Sorry. Wrong frame of mind. Yeah, with Microsoft's attitudes to legal compliance, I'm sure they'd think that the best way for me to get my work done would be to install my stuff on their boxes on the sly.

Nice try, Microsoft, but I'm not going there.

The return of Killer Chlorine


Hydrogen Hydroxide, and other responses.

I am saddened to see that nobody has pointed out that Dihydrogen Monoxide is more properly known as Hydrogen Hydroxide, and, is, in fact, quite beneficial when used properly: http://www.armory.com/~crisper/DHMO/.

Personally, I always put my bike helmet on before putting on the riding gloves, as the riding gloves impaired my dexterity a bit. But otherwise - the helmet saved me from a number of nasty bumps. It never saved my life - I never allowed myself to get into any situations in which my life was threatened in that manner. It was always very obvious to me, with the number of ventilation holes in it, that the bike helmet was not up to real impacts.

If people had been responsible in their use of DDT, none of its environmental effects would have been anywhere near the levels they were. For reference, I had an uncle who swore by DDT. He had one bucket of the stuff, which he had bought a couple years before it was banned. That bucket lasted him for many, many years (I seem to recall it finally ran out sometime around 1995.)

And, finally, to say something on-topic, the form of chlorine in tap water may be its most lethal form, but it's also the form found in your stomach. And, last I checked, my stomach has a higher concentration. If that's the case, I have a difficult time understanding how the chlorine in the tap water is going to hurt me. In any event, it tastes a bit nasty, and that's fixed by a little filtering. Of course, the statistics do play out: the number of people saved by chlorinated water is greater than the total number of people who suffer from any of the complications that have been adversely associated with its use (even including those people who would have those complications regardless, and even including those complications which are not, actually, related). If my previous statement is accurate, anyone who contests the use of chlorinated water on safety grounds is a moron.

Canonical hippies spread Ubuntu Launchpad love

Thumb Up

About time

Since the days of Yggdrassil, users have been complaining about the bugs in various software packages to people who are not directly responsible for them. It's about time that someone produced a tool to allow some form of interoperation between the bug tracking utility that a distro uses and the bug tracking utilities that the various component software packages use.

Now, I'm certain that it will have a lot of room for improvement, and it will have a lot of bugs. But the move is a really good one. With any luck, in a few years, someone will have a bug tracking tool that actually does a good job at it. (Not saying that Canonical's will not be it - but judging by software history, revision 2.0 will not be the one.)

Researcher's hypothesis may expose uber-secret DNS flaw


Re: @righteous indignation from AC

Actually, most of the complaints about Kaminsky's behavior have not been about his attention whoring, but rather about the fact that he mentioned a problem without saying what it was.

I personally agree that private communications with vendors, vendor fixes, then full disclosure is best, but only because there are morons out there who don't understand how to not publicly speculate in order to demonstrate how awesome they aren't. (I say aren't, because if they really had a clue, they'd STFU. We really do not want to give the bad guys any more assistance on this than we need to.)

In a slightly less than ideal world (the ideal world wouldn't have this problem, and wouldn't have people attempting to exploit it), someone like Kaminsky would be able to give the warning to the rest of the world like he did such that those people who have a mission-critical dependence on a few IP addresses (which is to say, most companies) could put those addresses into /etc/hosts or the Windows equivalent until they get their systems patched.

For what it's worth, I've done this on my home system. My work systems don't have access to external DNS, and actually don't depend on the IPs of other systems (instead, they are systems that other computers depend upon.) My work systems do have /etc/hosts entries for all of the other systems in the cluster, however (one /etc/hosts file, maintained by cluster revision control). However, the work systems weren't tweaked in response to this; they are just set up like that as a convenience item.

BOFH: The admin gene


Common admin 'problems'

Aspergers, as noted.

Attention deficit disorder - when problems arise, one needs to be able to shift gears quickly. People with ADD generally do better at this than those without. Also, it appears to me that many people with ADD notice those little things a lot more - that's part of why they're so easily distracted.

OCD - depending upon ones exact compulsions, this can either help or hurt. But if an admin has both a clean desk and an organized filesystem, chances are good she has OCD (well, possibly 'he', but the odds are against it.)

The 'beta tester' syndrome, as noted above but not named. If you're an engineer and you want to ship a nigh flawless problem, you love having a few of these on your beta test team. Pretty much everyone else wants as little to do with them as feasible. (Unfortunately, that means that many managers actually *remove* them from beta test teams, to try and make their ship dates - and so the astounding problems happen more out in the field.)

The 'admin field' effect. This is a problem in the traditional sense, despite it not appearing at first glance to be one, because when ones mere presence makes things work, it becomes incredibly difficult to diagnose why they don't. Note: in my experience, the effect is very temporal: the field goes away almost as soon as the admin goes away; the biggest reason that the user stops complaining is that they feel increasingly stupid for having the problem, the more times the admin comes and the problem goes away. At one of my earlier jobs, I was assigned to share a cube with the strongest "beta tester" at the company, in an effort to counteract her syndrome. (Did not work at all - my field is apparently specific to unix OSes; she ran Windows.)

dyslexia - not sure how this helps, but it sure seems we collectively have a lot of it. (Note: has various forms: verbal, auditory, visual...)

I'm certain I've missed at least one, possibly more.


@Chris Hart

BTDT. Incidentally, it is entirely possible to have both ADD and Aspergers, as I understand it. (Fortunately for me, I'm a couple symptoms shy of Aspergers - plus many of the ones I have are mild enough I can compensate for them.)

The one that really grates on my nerves is just starting to fail fluorescents - when the flicker is barely noticeable, to the point that it takes me a few minutes to figure out why I have a headache. What's the most annoying is this is apparently several months before they've failed enough for an ordinary person to notice.

On the bright side, the company I'm working for has apparently showed some clues in this area: they've put all the people who complain early about the fluorescents failing in one area, and they replace our lights fairly promptly. Of course, that means I still get to dread going into luser land - but fortunately my social skills are lousy enough my management wants me to never go into luser land (and they say my social skills need work - HA!)

Spam DDoS assault cuts off south Pacific state


How to defend against this

There are two defenses, which I would personally use in tandem.

The first is identifying your known legitimate email sources - where do you get 90% of your good email from? Reserve a few TCP connections for just these hosts. With this, an attack like the above may degrade your service, but you can still get some mail from where it matters most.

The second is using a dynamic firewall, which updates itself based on connection activity. The specific rule here is that sites that connect and do not send email for the command timeout period get added to the deny rule for a day per time they do this. This rule will of course not stop the whole attack, because there will be too many IPs to gather in too short a time. To augment it, one could put in a rule that if greater than 50% of the allowable connections are engaged in behavior similar to this, dynamically reduce the command timeout period, until we either reach a configured minimum time (say, 10 seconds) or the situation stabilizes.

Of course, the real trick here is having a dynamic firewall product that lets one do this.

OpenSUSE 11 a redemptive OS with a Mactastic shine


If you don't know how to get root access in Ubuntu without always using sudo

especially after the last post on this subject, then you probably shouldn't *ever* have root access to any unix kit.

The only thing Ubuntu does to obstruct root usage is to not give it a password. You could easily give it one via a number of means - in addition to those already mentioned, the password management gui works just fine for that.

About the only thing sillier than claiming ubuntu forces one to use sudo for everything I can imagine would be to suggest one should use 'sudo su' - why this is is left as an exercise for Josef and Trix.

Economist: girls actually better than boys at maths


More statistically insignificant data

When I was in elementary school, the top performers during math were all girls, except when test time came around - during tests, I ranked up there with the girls, the only boy able to compete. (I didn't do my homework.)

When I was in junior high, the top performers in math were mostly girls, with a few boys in the mix. Come test time, I dominated. (I still didn't do my homework.)

When I was in high school, I was in honors math, and just being in my math class indicated high math skills. 2/3 of the class was male, 1/3 female. The girl who cared not at all for fashion was top, followed closely by the boy who was eventually valedictorian, then the school Feminist[1], followed by me (did homework, but bigger pond -> smaller fish.)

When I was in college, I was in double-honors math, and just being in my freshman math class was fairly ridiculous. Sixteen boys, two women. Neither woman cared at all for fashion, and neither woman admitted outside of our class that she was in double-honors calculus: one claimed she was in regular calculus, the other that she wasn't taking a math class (when pressed, she admitted, yes, she was in a math class, but it was only pre-calc, so it didn't really count.)

[1] My high school had many feminists, as it was rather large, but only one Feminist.

Brazil bitchslaps ratification of OOXML


Re: Title

Well, given the interest level Microsoft has indicated they have for supporting DIS 29500, I think I can safely say "nobody": only Microsoft can really implement it, and they're apparently not going to. If nobody implements it, nobody can use it. QED.

After Debian's epic SSL blunder, a world of hurt for security pros


Packager changes

Most of the changes I've personally seen package maintainers apply to their packages were not made by the package maintainer; the package maintainer simply reviewed the code, verified it fixed the issue in question, and either applied it, or in the case of source code distros, properly marked it for being applied at a specific time relative to other patches for that package.

It's quite rare for a package maintainer to apply a patch to move files around, because most packages contain provisions to specify alternate locations for files via a configure script. Of course, this does not stop some people; I've seen Gentoo packages which patched the upstream package to do what could have been just as easily done by giving the proper command-line arguments to configure, and I've seen other Gentoo packages which patched the upstream package to move related files into unrelated directories - the configure script only allowed for selecting where each related set of files went. (The latter move, by the way, was very annoying for those of us who understood why the upstream package maintainer felt those files were related...)

"It's ok if it helps debugging" means that a certain change is suitable for a debugging version of the package; it doesn't mean it's suitable for everyone to use.

Note that the OpenSSL maintainers aren't responsible for the Debian developer deciding to noose all of his users. They advised - and their advise was not understood, because the Debian developer assumed that their mindset was the same as his, rather than seeking additional clarification.

Also, the problem has not had a huge impact on *everyone*, although the impact is certainly beyond Debian-based systems. At work, we ran all our certs through the blacklist tool, and found we had not been hit - except, of course, for the two Ubuntu systems themselves. The impact would've been much bigger if they had been considered the stable systems to work from, rather than being new and experimental.

Is Vista ready for Business?



I realize there's a lot of companies out there that simply love paying high electric bills, but for the rest, I can't imagine any of them wanting to use Vista. I've seen a Vista system just idling chugging down more watts than the same system running XP and actually doing work (most likely, the 3d graphics card uses more juice while it's busy than the CPU; Vista loads down the 3d card, whereas excel 2003 doesn't.)

RIAA ordered to shell out $100k for P2P witch hunt


rare and exceptional multiplier

Note that the multiplier for attorney's fees was not for the client, but for the plaintiff. Basically, stating that the plaintiff provided a needlessly difficult case, because they were overly novel in their scam. I think the basic idea is, because the plaintiff had delved into an unusual area, they had a greater chance of succeeding despite their lack of merits, and to compensate for that, they should be penalized more. To encourage lawyers to take contingency cases in that sort of situation, pay that additional penalty to the lawyer who was brave enough to face that additional risk.

Yes! It's the sawed-off USB key!



For someone with the know-how and the parts, there's plenty of room for a few capacitors inside a 1m coaxial cable. Of course, feeding a bunch of tiny capacitors connected in parallel into the cable would be quite frustrating for most people, so I'm suspecting that there were just a couple; one in either end (where you have that nice, big metal fitting one could hide them in).

People *can* charge themselves; otherwise, you wouldn't get that shocking affect when moving around wearing fluffy sweaters in a reasonably dry environment, and then touching something metal. However, he'd feel the zap also - it's just as unpleasant to have the charge leave you suddenly as it is to get it suddenly. Furthermore, people don't make really good capacitors - too many opportunities for discharge, and if you try pushing it too far, you can have other problems, also...

EC probes OOXML standards-setting process


Re: Need a different approach

It's possible that ODF is more complicated than it needs to be. However, from what I've seen of the spec, it isn't that complex, most things only have one obvious way to do them, and it is relatively consistent.

There are a large number of elements which are not obvious needs for writing documents - many of them apply only to particular languages or to functions which are extraneous to printing papers. However, the first case of these are needed for any global standard - nobody can conscionably ask a nation to accept a word processing standard which does not support all of the primary written languages that nation uses. The second case is debatable - but you're going to have them in *any* international open standard, because there are people who care enough about them to show up to the standards meetings.

Further, there's quite a few different software projects which have not felt that ODF is too complicated.

All of that having been said, if you feel you can improve on the concept, feel free. ODF is an open standard, and anyone can participate. Furthermore, as I understand it, so long as you comply with their guidelines and processes, the IETF would probably not object to an RFC for Simple Document Format.

Microsoft makes final heroic grab for OOXML votes


OOXML will die within a few years

Microsoft changes their document format with every major revision of Office. Even if Microsoft wins the current struggle, they will make critical changes to the file format the next time they upgrade Office - enough that upgrading is required to stay compatible with the people who upgraded. At the current rate of major Office revisions, that sounds like 5-8 years - assuming, of course, that no major shake-ups happen.

The only formats which will continue to be reliable for the long term are TXT and ODF - and ODF is only going to be reliable for the long term because the group that maintains it is going to be ensuring that future revisions are compatible with older revisions. That is, the older documents, for the most part, will simply lack functionality allowed by the new revisions of the format.

IBM waterboards PA-RISC Superdome from HP

Dead Vulture

The racks will be filled

Anyone concerned that the IBM systems use 350% more power per rack slot? Since we all know that space on the computer room floor tends to be the real limiter on what new systems companies can add, it's only a matter of time before that freed space will be used by something else. And at that power usage density, that computer room will soon be generating a lot of heat...

BOFH: Impatience

Thumb Up


Personally, I like the idea that Energy is equal to Mass times two Carbon atoms. It makes things nice and easy.

Japanese bank sues IBM over 'difficult' system overhaul

IT Angle

A couple of scenarios

In scenario one, IBM promises to perform an upgrade over the course of three years, and at the four year mark, they've still not completed it, despite the customer working with them every step of the way, helping out in any way possible. In this case, I can see this law suit being valid.

In scenario two, IBM promises to perform an upgrade over the course of three years, and at the four year mark, they've still not completed it, due to the customer blocking every step of the plan, and added hundreds of additional features they wanted the new system to have. In this case, the customer's clearly at fault, and IBM is blameless.

In reality, the situation is probably somewhere in between these two extremes, and it's up to the courts to figure out exactly where in this spectrum it is and who is liable.

In any event, at this point, it's your basic he said she said, and we really don't have enough concrete information to judge who is correct and who is not.

Microsoft partners cosy up on interoperability


Who implements OOXML? Who will?

Microsoft certainly doesn't - they may have an application which is closer to OOXML compliance than any other, but it's certainly not even loosely compliant. Furthermore, there are Microsoft execs who have stated that Microsoft will not be incorporating any changes to OOXML made by ISO into their product.

Add to this the number of tags in OOXML which are not defined well enough for anyone to implement without significant help from Microsoft. *Can* anyone besides Microsoft develop a compliant product? Based on the amount of assistance Microsoft has given to competing interests in the past - for example, their infamous joint venture with IBM on OS/2 - I sincerely believe the answer is 'no'.

As such, all this interest in OOXML really mystifies me. No products currently support it, no products will support it in the future. Why make a converter that will translate ODF files into it, when nobody's going to be able to read any files written in it (apart from this converter - if it's actually even compliant. Which it won't be.)

Taking IT security to task

Thumb Up

Re: Start with people - and protect them

Agreed. I find it interesting the number of bad decisions that my boss has made verbally, but when I ask for the instructions in email, they never come - and the requests for status stop as well.

Note that I don't just ask for instructions for bad choices, although I don't do it with all of them. For example, when I was told my highest priority was to help some coworkers get their server code under revision control, I didn't request that to be in email. When it turned out they had no computer for the revision control repository, I made certain to get email authorization to make use of a related group's revision control repository server. The first choice was not, IMHO, a security related thing. The second, on the other hand, clearly was.

Now I just need to get a good filing system for these, and need to perfect my ability to tell *when* I need the email trail...

Et tu, Gmail? Simple hack defeats last barrier to decades-old attack

IT Angle

What fools these mortals be.

I am encouraged that people followed up the most egregious posts with corrections. But I decided to not trim these out of my long post, as a way of corroborating their points.

SSL puts a significant amount of processor load on both ends of the communication, except for those ends of the communication which have a competent crypto-card to do most of that computation in hardware. (Note that said card needs to support the form of encryption being used, and may not be very upgradeable in the face of new algorithms (that having been said, there are tricks to allow them to be upgradeable; I don't know how prevalent said tricks are, however, as I haven't looked into these since getting some upgradeable cards 4-6 years ago.)) Not only do crypto cards allow the server to offload most of its SSL overhead, but they also tend to do it significantly faster than the server would. (Note: a crypto card is not magic. The software needs to be compiled specifically for the card. If you're using a proprietary web server, that means you can only use crypto cards which are specifically supported. If you're using an open source web server, that means you can only use crypto cards which provide libraries usable by your web server.) As a personal anecdote, when we switched to using crypto cards, we spent enough we could have purchased one new server - and we got as much improved performance as if we'd added three new servers.

Many web browsers complain about unencrypted images on encrypted pages, so you have to encrypt your images also.

You need to retain the SSL session for longer (processor for memory performance tradeoff - to reduce the number of initial connections, we save connections between page fetches. But we need the memory to be able to do this.)

Most CAs are very reticent to giving out multi-named certs, so there's usually just one name on the cert. This limits the number of systems that can use the same cert, and if the name on the cert doesn't match the name on the webpage, the browser complains, as it can't distinguish legitimate variation from attacks. (That having been said, it is possible to get wildcard certs and multi-named certs; you just either need to be persistent (shopping around until you find someone who'll do it), or set up your own CA to do it.)

Two tier auth works great, so long as the transition from insecure to secure requires an authentication step. If the site just converts the cookie behind the scenes, then the insecure cookie is effectively a secure one, it's just easier to get. (That is, actual two tier auth is great, but I've seen sites that claimed to do two tier auth without doing it, in a misguided attempt to simplify things for the lusers.)

@Pie Man: Some sites have performance problems even after optimizing their scripts, because their management is too tight-fisted with the cash - unwilling to shell out $3,000 to get another server until the site performance numbers lag enough that their millions in profits show a dip due to low customer satisfaction. Of course, a few $100-$500 crypto cards would generally fix them up fairly quickly, since they're really only needed on the exterior proxy boxes anyway, and not having that security will cost them far more at some point down the road.

'Tofu' license pits open source against meat



IANALBILTPIA also. Imagine that. Anyway, assuming that you did not agree to the terms of their license, you would be violating copyright. However, since it is apparent that they've actually distributed it under a GPL, and merely added those terms and conditions to the front, rather than distributing it under a modified GPL, no, you would only be violating the DMCA.

Oh, and at least one other poster might be interested to know that a trademark need not be registered, and given the recent usage of the term, 'Open Source' would almost certainly qualify for being an unregistered trademark, if it were unregistered. Now, I wouldn't be willing to bet that the term is, in fact, unregistered, also given recent usage of the term.

Now, one bit of confusion I do have, as IANAJ, and most specifically, IANTJThatThisCaseWouldGoToIfItWereTakenToTrial, and, of course, said trial hasn't happened yet, is does the fact that the author of the code is attempting to add terms to the GPL modify the effect of the attempt? If that detail doesn't modify the attempt, then, as someone said above, the additional restrictions simply fall off. If it doesn't, then, well, as someone else above mentioned, none of us use it, because humans are animals, and we therefore all produce various animal products - whether software, cars, noxious gasses, or other...

'100% accurate' face recognition algorithm announced

Thumb Up

Re: That's less accurate not more accurate

What you're not factoring in is the bit where they average in a picture of you from ten years from now. Adding that pic in balances out the one from ten years ago, so it's all good. :)

Remembering the Commodore SX-64


no Linux for the SX-64.

Since 1.2.8, Linux hasn't been able to boot a standard (ie non-embedded) kernel without at least a full 2M of memory (1.2.7 could boot with 2M-384K, and it only took a minor hack to get 1.2.8 to boot with 2M-384K. 1.2.9, on the other hand - right out.)

Also, Linux fundamentally depends on having protected memory, which the commodore 2^[67] systems did not have. (I have not heard of any embedded version of Linux getting around this requirement. However, I'm not active in the embedded Linux world, so it's possible one has been developed without my knowledge.)

That having been said, there *was* a unix OS that was developed specifically for the C-64: LUnix. I've not tried this on a SX-64, but I know of no reason why it wouldn't work there.

Regarding the SX-64 monitor: this monitor was far from rubbish, as it actually handled the full 320x200x16 screen resolution of the C-64, despite only having 5 inches to do it. I realize modern monitors pull off significantly more impressive pixel density, but for the time, that was amazing.

AT&T to crush copyrighted network packets


@Steve Medway

For the last five years, my job consisted of intercepting email transmissions. This past year, my group intercepted and blocked around 98% of the email which was sent to addresses my company controls.

Was this illegal? I don't think so. I am actually quite popular at work for my success at blocking this traffic.

Note that, while the numbers are much less, we also redirect a certain portion of traffic, instead of sending it on to its original destination - and, again, I've received kudos for this work rather than being charged with crimes.

Admittedly, I am acting as a representative for the corporate entity to which 99% of the intercepted (blocked or rerouted) traffic was sent. However, other places, traffic is blocked by companies who are not representatives for the recipient. For example, I've so far thanked Google for every email they've blocked which was sent to me (at least, I've not been made aware of any false-positives yet.)

Thanks to the scourge of the modern internet, the precedent is out there: blocking traffic is not necessarily illegal.

Microsoft pleads ignorance on 'one interweb per child' pork barrel



I know at least one poster here has decried them as crap, but I personally think they may have some potential - I'll be able to say more about it when I finally get mine in the mail, of course.

Yes, it would be nice to have a better system, but for the low cost of those systems, if it's functional and responsive, I'd say you're ahead. While I realize commercial mock-offs of the OLPC are still vapourware, I'd expect that when they come out, they would probably have models with sufficient capability to satisfy those with more beefy requirements, yet still be compatible with the basic system, so requiring something compatible with that system shouldn't be a problem.

As far as games go - we're talking about educating kids. I personally don't think that there's any point to giving the kids systems designed to let them load up with any modern 3D shooter they want. Note: this comment is more about preferring a machine too under-specced to be able to play those games than it is the OS; over the next 5-10 years, I expect there will be a dramatic increase in the availability of games for Linux.

For what it's worth, I'm not a die-hard Linux-or-death advocate. However, I am unaware of any other mobile system which can be had for so little money. Furthermore, all of the other systems I know for comparable money *also* run Linux; around here, new Windows boxes can't be had for under about $399, and new Mac boxes can't be had for under about $599.

Oh, and if you can motivate the kid to work hard enough to get a real computer, you've basically won. (This is assuming, of course, that the kid is actually working for said money, rather than doing something illegal to get it.)

MS to bundle 'broken' random number tool in Vista SP1


Re:Re:Is it any wonder

Microsoft does not directly kill people.

However, they have managed to foist their software into places which are incompatible with their warranty - you know, the one that says it should never be entrusted with people's lives? Yet Microsoft's sold many site licenses to both hospitals and manufacturers of medical equipment, and Windows CE is the embedded OS for numerous medical devices. Microsoft *knew* what those companies did before they signed those deals. Personally, I feel the other party in each of those deals was more responsible, because they should have known Microsoft's record, and frequently (if not always) required to certify compliance periodically with regulations which read to me as 'Do not use Microsoft-grade software'.

For what it's worth, I do not know that anyone I know has died because of a medical device running Windows CE having an OS problem. The one case where I have a suspicion, it was really just a matter of time anyway. But I have talked with geeks in the medical industry who have had access to said devices (some of them even made said devices) who were able to attest that the version of Windows CE on them was no different than the version that they had on some other consumer device.

However, I've also seen a situation where hospital staff were presented additional difficulty in responding to emergency situations, because their computers had locked up. Nobody died in the situation I witnessed - but only because some incredibly good, incredibly skilled people violated the procedures they were supposed to follow to address the situation. (Note: one of them was one of the people who set up those procedures; the others did not violate them until he indicated that they needed to and it was appropriate in this case.) Actually, possibly the biggest issue I have with Microsoft in this case: they'd worked a deal with the hospital to get their software at a significant discount - but only if it was used for all of the systems. IMHO, a hospital should not be using the same software on its primary and backup systems; instead, they should be provided by competing organizations which follow the same standards, and certify their products to work with each other. (For those who may lack reading comprehension, just having an industry which has two such companies is not viable - if every hospital was a customer of both of those companies, the companies aren't really competing, are they?)

Oh, and finally, have you checked out Microsoft's investment portfolio? I've heard it's a killer... For that matter, so was the Bill and Melinda Gates Foundation, last time I checked.

Surprise: Ohio's e-voting machines riddled with critical security flaws


documented cases?

When you're talking about a device that includes no logs that could report anomalies that could indicate a security breach, it's really difficult to have a documented case.

When you have a device that records its data on a memory chip, and that data is just the sum for each of the various candidates, and there's either no checksum, or an obvious one (such as a simple sum of the numbers), it's really hard to detect a fake chip, substituted for a real one.

When you have closed-source software running on the machine, and it leaves no paper trail, it's really difficult to document when it's not doing what it's supposed to be doing. Note that testing before the election doesn't necessarily find the problems, because the hardware could contain a clock chip with its own power supply, and the software could change its behavior based on the date.

Having a paper trail on a mostly electronic machine doesn't necessarily do that much, because unsophisticated voters are known to not pay attention to things like that. (Personally, I feel that if you don't care enough about your vote to make sure it tallied the way you wanted it to tally, you shouldn't be voting - but that's just me.) Since there are districts where the vast majority of voters are unsophisticated voters, it could be possible to put machines running slightly different software there - or even to have a GPS unit in the machines, so the software can know what precinct they're in, so they know whether to work correctly or not.

I really like the idea of having the electronic portion of the system simply be a witness to the voting, but it cannot be done via camera. First, the person's hand could block the way, and second, if we're supposed to be anonymous, we can't have a record which might include a person's face or other distinguishing characteristic (for example, a unique ring or hand tattoo). If you have the ballot slid into a device with sensors around each of the holes, to detect which circle the voter punched, you can monitor the vote completely without having any compromise of the desired anonymity.

As far as the *need* for electronic voting machines... I concur, we don't need them. There are many ways in which the e-voting machines are neat, but the dangers they pose are too great. I especially feel this is true, because most of the attention has been placed on three states: Florida, Ohio, and California. California is in there only because they said no in a big way. What other states are using these machines, and who's to say that their votes weren't also compromised?

Sysadmin admits trying to axe California power grid

IT Angle

How to fire a sysadmin

At my place of work, we fire our sysadmins properly. That is, we get them off-site; preferably for an hour or so (lunch tends to work for us.) When the person exits the rotating door on the way out (i.e. finishes entering the big blue room), the person at the back of the line to go out remembers something, runs back to his desk, and sends a ping to the person doing the main deed.

Access is terminated by the time said individual gets to whatever transport is being used for lunch. This includes both computer access and physical access authority.

When they return from lunch (or whatever outing they were on), there is one or more boxes, containing all of their worldly possessions they had left on-site.

This way, they have no access to any systems, inside or outside the computer room.

(Note: back when we had the blackberry ssh program in testing, the software supporting that service would flake out every so often. Mysteriously, about 5% of the time it did this, someone was fired. Oddly enough, this equated to 100% of the time we were firing someone with sufficient access to be able to do anything with it - not that they could manage anything, with their access revoked, but we didn't want lunch disturbed by them realizing they were fired.)

BOFH: Balancing the budget...

IT Angle

Thank goodness this doesn't happen where I work.

Around here, the operative date is the invoiced date, rather than the delivered date. Faxes count. So there's a lot of faxed invoices come the last day of the last bi-week of the year (which generally means in the January 2-13 range, when most of our suppliers don't have their lines tied up with other customers - except, of course, those complaining because their budget's been cut due to shipping problems).

What's really fun is every so often, the last bi-week ends either December 31 or January 1, and not everybody's quick enough to realize it before the holidays start - and it's astonishing (at least to those people) just how many people take off Dec 25 through January 1. (Last time, something like 55% of departments wound up with their budgets cut. Thank goodness for the Sarbanes Oxley change freeze, or we would'a had ours cut, too. For the curious, we spied something interesting when we were studying the calendar trying to figure out when we could *do* stuff again.)

Random number bug blights FreeBSD


A bug in GNU tar is a BSD problem first and foremost *how*?

So GNU tar had a security flaw. Great. So why is this being reported as news for FreeBSD? On FreeBSD, GNU tar is a niche application, as many of the people there prefer to use tools that anyone can convert to proprietary, rather than ones with restrictive licenses that prevent that, and most, if not all of the rest, prefer tools with minimal code bloat; gnu tar's --help option *alone* could make the program too bloated for the average BSDer's taste. However, the fact that the FSF have extended their tar program to the point where it actually *supports* all of the options that its help option indicates it can handle basically puts it in the 'right out' category for every BSDer that I have personally talked to about GNU tar.

Microsoft wireless keyboards crypto cracked

Gates Halo

256 XOR choices requires a computer to break?

I'm sorry - I don't believe that. With only 256 possibilities for an 'encryption' key, the method of encryption being 'XOR', and the data being encrypted being single keystrokes not including modifiers (giving us less than 100 data potentials), I think I could decrypt that by hand without too much difficulty. That is, pencil and paper. Of course, this assumes that something electronic is capturing the stream; I personally can't scribble as fast as I can type, and I'm at a complete loss for parsing an electron bitstream that's fed directly into my skin. But give me a printout of that stuff, and it's so cracked it's not funny.

Ok, I lied. I'll admit it. It's absolutely hilarious.

As a final note, I'll just mention that this makes me very happy I decided years ago to boycott Microsoft - otherwise, I might have one of those things.

DARPA selects 11 robotic grunts to take driver's license test


@Geoff Mackenzie

Obviously, you haven't seen Ashley drive. I feel relatively confident that the expansion of 'merging' to 'merging with oncoming traffic' was merely due to the extreme driving skills of the author, and nothing to do with the actual contest, per say.

Of course, if I'm wrong, it will be a *very* interesting race to watch. :)

Cannon runs amok, kills nine fleshies


We *give* weapons to other countries?

I always thought we gave them the weapons because they paid so nicely.

I guess I was confused - apparently, these are gift exchanges, and the amount of money they give just happens to be about what the catalog indicates the price of the items we give them would be?

Ships pollute more than planes


CO2 mostly irrelevant

Of all of the greenhouse emissions, CO2 is apparently the most widely reported - and since it's what plants have evolved to process, the one which may be least problematic (so long as it's at land/sea level, rather than upper atmosphere.) There have been studies which have demonstrated, if you double the CO2 in a plant's environment, it'll be hardier and grow quicker, converting more CO2 to O2 + carbon compounds (it may not do double immediately, but since it's growing quicker, it will get to that point eventually, barring other constraints).

Now, ship fuel is nasty - I haven't seen studies, but I live in Boston, MA, USA, and when you're downwind of a freight ship, you know it. That having been said, if the number of units of goods doesn't change, one way to improve emissions is to use a transport method that has lower emissions per unit shipped - and that's what they're doing with all the shipping. I certainly agree that we should improve ship emissions, but I do not agree that they're an easy target.

Note that airplanes are replaced frequently partially because airplane companies make many improvements in airplane manufacture, and partially because airplane maintenance problems have a high potential (relatively speaking) of losing all hands on board. The same cannot be said for shipping.

Something I think could be useful for shipping efficiency is looking at alternative energy to power the ships - namely, solar. I doubt it'd be enough to get cargo where it needs to in a timely enough manner by itself, but a ship could use multiple power sources, and having solar be one would reduce the level of need for the other(s). (Wind would, of course, be right out, as we're hopefully moving faster than the wind, therefore thermodynamic laws state that wind would be a loss...)

Hydroplaning cargo ships sounds like an enticing possibility, but I suspect that one couldn't get sufficient speed efficiently enough while carrying the amount of cargo one needs to carry to get the job done.

Of course, when all is said and done - the real problem is the lack of a FSM icon (pirate outfits would help, but the FSM icon would go a long way to encouraging pirate outfits).

Why UML won't save your project


Why modeling?

I've been brought into two different projects where they basically summarized it saying, "So this 'six week' project's now a real mess, and at week twenty, they're way over time and budget. We want you to go in there and model what they have so that you can point out to them what their problem is." I agree, it makes no sense. I'm just saying, it's happened to me, and on two of the three disaster projects I've been brought in to fix.

In both instances, I figured out basically what was wrong within about 2 seconds of starting to look at their code. When the first 80x24 screen full of code is

- full of code - almost no unnecessary white space.

- less than 10 virtual lines long (i.e. average line length greater than 140 characters)

- written in three different languages

- more like line noise than any non-sed program has any right to be


- full enough of semantic ambiguities such that you can, within that first two second glance, spot at least two places where the way the language parser will read some code is probably different from how the programmer expected - and possibly even variable depending on which version of the language parser is used

you know you're dealing with a fairly special project. Modeling won't help. Additional fun can be had if one of the languages is perl, with half a dozen or more command-line switches being used, none of which were -w or -T.

Unit tests, as a general rule, will help. In my case, on one of those projects, we weren't able to get any unit tests to actually pass any of the existing program - that was fine, because management wasn't watching closely enough to ensure that we used any of the existing program, and so "we" (meaning I) had it working in less than three weeks. The original programmer was either clueless enough that he didn't notice that his files, while present in the directory, were not being used, or he was smart enough to not complain, as this would've indicated that I did in three weeks what he couldn't do in twenty.

In the second project, unit tests plus stringent version control enabled the project to go forward. The first step after getting the unit tests was removing all of the testing cruft they'd added in their feeble attempts to get the program working, and the second was to actually format the code - which showed almost half of the problem, as they had indented so inconsistently that they weren't aware of what the nesting level of each portion of code was.

This having been said - as I didn't actually try modeling, I can't really state absolutely that modeling wouldn't have helped. But I can't imagine getting either of those projects finished quicker without removing management obstacles to fixing them.

I also fully admit to having failed in both cases: I was unable to relate to the earlier staff exactly what went wrong. However, in both cases, I believe my reason for failure was a management thing: management had conveyed very clearly that I was to not, under any circumstances, explain to the original teams that they were fscking incompetent morons. Given this dictate, I found it difficult to relate to them that their problem was that they were fscking incompetent morons.

Oh, and one last comment: if anyone ever tells you the best design for something is to have most of the code written in a blend of awk and perl, with a Bourne shell wrapper around them to glue them together, they're wrong. Either write it in perl or in awk. Either language should be sufficient for the job. If the job involves processing multiple files, and you're not sure how to do that in awk, either write it in perl, or write the handling for each file in separate awk scripts, and have a common script invoke them. And having the in-line perl and awk bits of your Bourne shell script making subshell escapes is just right out.