Posts by Colin Guthrie

Policy can still let you down

I remember a while back that I found a several years old bug in the policy file for a tool called sectool which was a RedHat thing. It's policy file ultimately gave all users the right to do things as root. So install a package to audit security and it messes up your security! Fun times.

Polkit is handy overall tho'. Gives flexibility to run a restricted set of tasks very cleanly with defined API on the system/user buses (speaking to appropriate daemons running as other users etc). It's pretty clean (from a usage perspective) generally even if the JS interpreter might seem like overkill. Running commands via the CLI is just one use case for polkit - sudo certainly can't do 90% of what polkit can. The same policy mess up I found (which was pre the big polkit rewrite IIRC) could have just as easily been a file packaged in /etc/sudoers.d/ folder.

No 256GB SSD in the UK

It's really annoying as I have been waiting for this laptop for several months - one of the few that match my requirements for screen res and size etc.

Sadly the primary problem I'm seeing is that the SSD is just too small. 128GB is not bad, but I've been using 160GB for a while and it's a tight fit as it is, so dropping 32 gig is no mean feat!

While the 256GB SSDs are offered in other countries, you just can't get one in the UK model (I asked Asus directly and there are no current plans to offer a UK keyboard layout with 256 SSD). Such a shame :( I would certainly like to know if I can upgrade it in the future if I did opt for the smaller drive.

Quite nice...

... although I don't like the large keyboard... I'll use my lappy with an external keyboard for any kind of serious data entry. Hopefully the smaller version will have a smaller keyboard.

So it's maybe between this and the new ASUS UX21 then I guess.... :)

Can you point me to the Canonical commits....

.... that implemented ASLR in the kernel (or in userspace)? I wonder of those "Canonical commits" came from people with @redhat.com email addresses.... that would be weird if they did, wouldn't it.?

As a disclaimer, I have no idea who actually did implement ASLR in the kernel, just that I strongly suspect it wasn't Canonical.... their record of kernel contributions are shockingly low generally (David Henningsson's and other Canonical folk's recent sound related fixes in the kernel have been very much welcomed tho' :))

I'm getting a bit sick of all the "let's get annoyed about this" sheep...

I've been a pretty vocal privacy advocate for a while, but I'm really struggling here...

Google is doing something via Android, but (as shown above is ensuring the user is asked first.

Google used to do this via Street View cars but messed up and "accidentally" logged actual data. If they'd just tracked location+MAC I doubt it would be a massive problem.

Skyhook used cars to log location+MAC

So why is Google being berated for it's actions here? The wifi-slurp aside, I don't really see the big deal. I mean if they used a camera on their car to read the big numbers you carefully affix to your front door and map the location to the numbers would that be evil? These numbers are something you "broadcast" via visible light frequencies after all. Is that really any different to broadcasting your MAC's via non-visible frequencies?

If you are that privacy concious then either find a wifi system that doesn't broadcast a MAC or use wired Ethernet (and don't forget to remove the numbers from your front door too!).

I take privacy very seriously, but this is something you are consciously broadcasting. If you don't like the fact that someone is picking up that broadcast then don't do it in the first place.

I'm sorry but all the furore over this issue is just crazy and smacks of people getting annoyed because that's the cool thing to do these days, without really thinking about it for ten minutes.

I'd like to see all these uber-nerds who are up in arms about Google slurping data immediately stop their SETI@Home systems because, let's face it, it was slurped in the same way... what's the difference?

Peter Davison missed the.....

.... "I always wanted my daughter to marry a Doctor" line!

Couldn't vote

I couldn't vote as I don't have a landline. I complained to BT and the guy "talked me through" the process right up until the point where I had to enter a land line number which is when he went "Oh. Hmmm".

Sunspider cheating

I'm surprised an article about IE9 today does not cover the "sunspider cheat" controversy of yesterday.....

Memristors

When Memristors become reality, it will totally change "flash storage" (not sure it would technically still be "flash", but certainly it would be solid state.

Not only will the capacity increase dramatically for the same form factor end units, but the memristor itself can be "reprogrammed" as a "dynamic CPU" to execute discrete logic functions autonomously. Use it for long term storage, short term storage (it's quick enough) and for discrete calculations!

It will totally change PC architecture, from CPU through L1/L2 caches, through system RAM, through backing store.

At least that's what the marketing blurb says... Hope it will happen :D

Privacy settings are confusing

Hmm,

Privacy settings:

Places I check into * Friends Only.

* (and people nearby).

So, erm "Friends Only" in this instance means all the people "nearby" too? Not nice.

I propose...

...that we pass a local by-law in "Vultureville" that spell and grammar checks should be performed prior to publication:

"They has also been, as safety valve" : WTF?

The problem is not at the client side

The real problem here is not really with the client. Yes TB eats ridiculous amount of memory but it's serves me fairly well. The problem IMO is that the functionality it's trying to include is at the client side..... and that's wrong.

Yes, sync and store capabilities for offline access is fine too, but for me the it's the server side that should index and catalog my mails - the client side should simply download and cache that index rather than redoing the work.

The Google Mail approach to storage is IMO best. There is no such thing as "folders" really, just labels that can be exposed as folders. I think that this concept itself is a winner but MUAs need to be aware fo this so as not to download (and locally index) the same message twice).

Really views should be much smarter. My contact lists (and the cateogries I put my contacts in, work, family, friends etc) should be exposed as virtual folders. I should be able to click on my 'Family/Joe Bloggs' "folder" and simply see all the mails that were sent to or from (in a nice threaded manner of course). If I click on 'Family/Jane Bloggs' "folder" then this would show all the mails to or from Jane (whcih may also include some of the same messages that were in the 'Joe' "folder".

By making the client side dumber, the same virtual hierarchy can be presented to me via my thick MUA client I like to run on my desktop, or via the thin and reduced version I run via webmail etc.

Folders are dead, we need semantic storage at the server side, and clients that can leverage this to it's full potential.

When this happens, thunderbird and other MUAs will start to suck less.

SSID/MAC + Lat/Lng is OK in my book

I think the publicly broadcast bit of the WIFI snooping is perfectly acceptable. I mean I have these big numbers on my front door and there is this bit sign at the end of the road... I see it no different to that.

The logging of the actual data is a big no-no, but I can see how wireshark could have been set up in this way quite easily and provided they are held to account on this part, I'm perfectly happy.

But overall, I don't really see what the fuss is about.

Don't you mean that "nipples are *back* in"?

http://poorlydressed.com/2010/05/06/fashion-fail-different-times-the-70s/

CoreLocation

Didn't Apple buy a company that basically did *exactly* this when it developed it's CoreLocation technology? I though CoreLocation was able to use Triangulation, GPS, and WiFi hotspot MACs to try and work out where it was.

I fail to see why this venture by Google is bad mmm-kay whereas the system bought by Apple is somehow OK?

I'm not legitimising either company, but I personally do not feel that MAC+Location is something that is private. I broadcast it. I've chosen to do this. If I don't want someone looking at my TV then I have to close my curtains and the same is true of my wireless network. If I don't like it, then I'll turn it off and plug in instead.

I can't have it both ways.

What about the degrees of opposition to the opposition?

What you fail to point out properly is that the opposition to the opposition of clause 43 was several orders of magnitude less.

It's like saying that there was an eating contest where Bill had to eat a dozen cheeseburgers while Ben had to eat a dozen aeroplanes and then saying that Bill had won because of his better organisation and planning.

Why are there no Facebook groups *against* the button?

There are several pro-button groups but no anti-button, pro-education groups?

It'll take a well worded intro and group description to promote it, but perhaps someone from El Reg should step up to the plate and write such an opening gambit?

Plug-Off in 3.... 2..... 1. Go!

http://crave.cnet.co.uk/gadgets/0,39029552,49303764-1,00.htm

Jim Gamble is a nutjob

I've listened to interviews with him on the radio and he's a complete tosser. He is completely tunnel visioned about the effects this button would have and he completely misses the point about online security.

This button doesn't solve anything. It just gives parents some a completely false sense of security about their childrens' online activities.

A "panic" button? Who the hell would literally sit there in their own home, in front of their own computer and literally "panic" that the evil person is going to get them? If you are stupid enough to go meet them and they turn out to be a nonce, *that's* the time to panic. Where is your stupid button then Jim?

Honestly, stop peddling us this bullshit line and put your resources into doing something actually useful to protect children, like better education and training in schools.

Salty goodness

@Tom I don't think they are trying to login, but rather taking the encrypted hash of the password and ultimately working out what password would be needed to generate that hash.

If this is the case, they are suggesting the use of a lookup table here (which makes sense as seeking in the lookup table would be faster on SSD). Does that mean that the hashes they are trying to crack are not salted? Salting generally makes lookup tables useless due to the explosion of combinations needed.

Are you choking? Theres an app for that...

http://www.tuaw.com/2010/02/22/are-you-choking-yeah-theres-an-app-for-that-too/

Article fail!

Public outcry and perhaps a small dose of common sense means this "law" has already been repealed (or at least the promise to repeal retrospectively)

http://www.news.com.au/technology/attorney-general-michael-atkinson-vows-to-repeal-election-internet-censorship-law/story-e6frfro0-1225826176628

This was all known at the time of your article was published.....

Now do I post this scathing comment on El Reg's journalistic integrity under AC..... :p

A HEX on all your houses!

This is the work of witches I tells you!

The year of twenty 0x10 is upon ye!!!

Unfriend

So "unfriend" is meant as a verb here - i.e. the *action* of removing someone from your friends list... I worry that it will be come an noun: unfriend; an enemy. Once that falls into general usage, there will be no need for the word enemy any more... If you really dislike someone, then could become a plusunfriend..... and we can reserve a special phrase for global villains like Osama, Sadam or Blair: doubleplusunfriend.

I for one welcome our new doubleplusfriends.

@KoBus

Sounds like you were using Kbuntu rather than Ubuntu, which is quite widely known to be pants. If you really want a fair fight, like for like, then a Mandriva Gnome vs Ubuntu would be fairer... but then who wants to fight fair :D

@Tristan: Notifications

I'm not an Ubuntu user, but it was my understanding that the notification system was introduced last release? I have to agree with you overall tho'. While the graphics on notify-osd are really pretty (and macslow is one of the best graphical OS coders out there - following his blog is a treat and he's a very nice guy to talk to too), but the decision to not support the "actions" part of the notifications spec is IMO a seriously bad decision on Shuttleworth's part. Their guidelines on all the apps they now have to patch to support this (most libnotify clients incorrectly assumed that "actions" support was available to be fair) actually suggest rolling your own UI to handle the cases where you want feedback from the user. In a time when KDE is finally adopting this standard and we can hope for some kind of cross desktop consistency in this is totally bucking the trend and basically telling people to "do it your own way".... it laughs in the face of HCI guidelines :(

I wrote a longer tirade on this topic earlier in the year:

http://colin.guthr.ie/2009/02/desktop-notifications-and-user-interaction/

Small company experiences

As a small web development company (Tribalogic Ltd) VoIP makes sense for us. In fact I'm writing this note from the lovely island of Corsica where myself and a couple other guys from the company are currently enjoying the sunshine! We've moved the office here for a week (one of our merry band is French and has a family home out here). We've taken the phones with us and none of our clients are any the wiser. It's awesome :)

What Mike Judge was really thinking.

Butthead: huh-huh-huh. Coool.

Beavis: Shuttup buttmunch, he's taking the lords name in vein.

Butthead: Oh yeah. What a dick.

Beavis: Wow! Boobs! Sweet.

Butthead: This is even better than when Mel Gibson played jesus.

Beavis: He didn't look like Braveheart in that movie....

Butthead: Freeedom!!!!!!!!

Beavis: Shuttup douchbag, I'm trying to concentrate on the boobs.

Pwnage

You mentioned blackra1n, but pwnage tool has been updated also to work with 3.1.2 firmwares on Mac and Win, so looks like the current h/w batch is a free as ever for the time being.

Can't wait for the next Jean Claude or Steven Seagull movie...

"Denial of Service: The Peacemaker" in theatres now!

Our hero must block internet access so as to assassinate and evil drug lord/human trafficker/someone who pees in the shower/kitten murderer who has a network controlled pacemaker.

Seems to find me very easily...

I search for myself: firstname, last name, town/city.

Like others say it says there are multiple matches, and asks for more info, so I type in "Bullshit" into the company box and low and behold it says it found me!!!

So apparently I work for bullshit. Not wise in these troubling economic times. Anyone want to buy some bullshit? I've got loads..... come to think of it so does this new website....