Come on! Are you kidding me? What century is this, anyway? This is an extremely basic feature. Seriously, I could write the code in under 1 day and I don’t even know C#.

Generally, yes, the Microsoft Office shared spell-check dictionary would probably fit the bill. It’s been a long time, but I remember nearly 10 years back that there was some COM or DCOM accessible spelling-dictionary facility documented in MFC coding guides that was more OS level “global”. That’s what was basically what I was thinking about. However, I’m not finding it with some quick Googling, so maybe I’m thinking of something else?

Yet another reason I continue to prefer Qt. Oh, and Linux where any app that wants spell-check just links in the GNU aspell (or other such) library, all of which can share common dictionaries. Lest we forget Mac OS X; they have a global spell-check feature that even works on a command prompt.

Why are Microsoft frameworks (especially .NET) always so far behind?

$ mysql -p database_name <filename.sql
Enter password: ***************
ERROR 1005 (HY000) at line 86: Can't create table 'database_name.table_name' (errno: 121)

A little googling lead to several totally different explanations, which are things that I tried. What finally fixed it for me was the advice that I found at [ http://thenoyes.com/littlenoise/?p=81 ]. The SELECT statement for listing the foreign key names didn’t work on MySQL 5.1.40-community on Windows (yes, I know that 5.1.41 is out, I’ll get to it later). However, I did have a couple of tables that were using the same name for a foreign key pointing at the same third table.

So, error 121 means a duplicate foreign key name somewhere in the database. Foreign key names must be unique across the entire database, not just within a given table.

1. Backup the DB ($ mysqldump -p dbname | gzip &gt:~/backups/$(date -iso-8806)-dbname.sql.gz).
2. Backup the existing directory (# cp -a current-directory directory-outside-of-the-web-space).
3. Extract the new version on top of the old ($ tar -zxf ~/wordpress-version.tar.gz).
4. Delete the wp-config-sample.php file.
5. Fix group ownerships of wp-content/ and sub-directories.
6. Visit the admin interface.
7. Fix problems, if there are any.

This time, there was nothing to do for the last two steps. It was all over in just a couple of minutes. Simple as pie.

I did experience some really odd screen flicker under X right after upgrading to openSUSE 11.2, but that’s already cleared up. Restarting X didn’t help, but there were a pile of updates in the official 11.2 updates repo, which I installed soon after finishing the upgrade with the DVD. I suppose that something in those fixed the flicker. Most of the time, it wasn’t bad enough to irritate me, but sometimes it was.

The upgrade process was pretty smooth. The only problem that I had was that in the middle of installing packages, YaST stopped and warned me that I didn’t have enough disk space to complete the upgrade. It sat there waiting for me to tell it to either bail-out or go on. I pressed <ALT>+<F2> to get to a terminal. From that shell I ran these commands:

# lvextend -L 10G /dev/reaver/suse-usr
# resize_reiserfs /dev/reaver/suse-usr

Those commands finished in less time that it took me to type them (and, yes, that is saying something). Back in the graphical installer, I clicked the Next button and it went on.

BTW, that LV was 7GB before.

Another odd thing is the the audio mute light keeps coming back on, even though the card isn’t muted. If I right-click the kmixer tray icon and select mute, it doesn’t toggle that light. I’ve got both in sync several times and a few to 30ish seconds later, the light is on again. Weird.

I was using the ATI driver repo to install the proprietary ATI driver. I’ve been using that up until now because that was the one that worked with the Radeon X1370 GPU built into this notebook (the X1270 is the X1250, but with both shared and dedicated RAM). I’m now using the fully open-source radeonhd driver, which finally has support for my chip. No 3D, though, even though the documentation says that I should have that. Perhaps I’ll have some downtime during the upcoming holiday to figure it out. I’m certainly noticing the performance drop without it.

Both Thursday night and again this evening, I’ve been working on getting all the development environments’ pieces back into working order. There’s always something that needs fixing when I upgrade the OS. This time, the big troublemaker has been Ruby on Rails. openSUSE 11.2 ships rails 2.3.2. I’m glad for the upgrade, but, sheesh; there’s been more than a few speed bumps to work out. At this point, I have WEBrick working, but dispatch.{f,}cgi isn’t happy, yet. The Apache 2.2 with mod_fcgid bits are working, it’s the dispatch scripts that are currently breaking. I’m thinking that I’ll write a separate post about all of that rigmarole.

I am finding that Konqueror is being a little frustrating. I’m using Firefox more than I ever have before on Linux. Firefox has been my preferred browser on Windows for a long time, but Konqueror has been the flat out best web browser for me for over a decade now. It’s mostly odd behavior with some JavaScript found in some apps, including this blog. I’m writing posts with Firefox for now. Don’t worry, though; I’m not giving up on Konqueror any time soon.

Overall, this has been a pretty easy upgrade. Considering that I’m making a major change in graphics drivers (for the better, overall), I’m amazed at how well that’s working out, already. Audio quality is great and all the features that I’ve tested are working flawlessly, but the sound does seem a bit quieter than before (at the same volume settings). That could be the particular media files, too.

HowManyOfMe.com

There are people with my name in the U.S.A. How many have your name?

There are only 19 of Monty Peterson in the U.S.

We’ve been getting movies and TV shows from Netflix for over a year. It’s been a great experience for us. We have the 3 discs at once plan, which lets us hang onto some TV series disc for a few days (a couple of weeks) and still keep a couple of movies going back and forth. It’s also possible for us to watch up to 6 different movies in one week, as their turn around time is so fast, it (almost always) only takes 2 days from when I put a disc in the mail until the next one arrives.

Netflix also allows their customers to stream movies and TV shows on their computers, using the Roku player, the LG BD370 Blu-ray player/Netflix streaming device, plus many more. Netflix recently announced that they would be releasing a version for streaming on the Sony PlayStation 3 (a.k.a. PS3).

I’ve added about 20 films to my Instant Streaming Queue in the time I’ve written this article. I think I’ll go watch something.

I got an email from Netflix the other day, announcing that the PS3 disc is now available. It’s free, I simply had to click a couple of links and they sent it out to me. That disc arrived in the mail earlier today. We popped it in, waited for the PS3 to say that it was ready for us to “watch” that disc, and a moment later, we saw cover art for movies and TV shows that are in our Streaming Queue. I selected Season 1 of Quantum Leap and started watching episode 4 (episodes 1-3 are only available on disc). It took about 35-40 seconds for the show to start playing. The playback was flawless. Zero audio or video glitches (I do have a solid 7Mbps DSL line)..

That’s enough! I’ve had it; I’m going to prevent this from bothering me again.

Well, the right way to fix this is to grab a clue-bat and use it on the Maildrop developer(s) who decided that hardcoding a 50 MB log file size limit into Maildrop was a good idea, until they change their mind(s). Seriously, though, I’m going to send them a patch for this lame duck.

In the meantime, I’ve written rotate-user-maildrop-logs, a shell script to place into your /etc/cron.daily/ (or similar) directory. I am releasing this under the terms of the GNU General Public License, version 3 (a.k.a. GPLv3).

I really like Maildrop. It’s great for me, but it’s not for everyone. For example, my wife isn’t going to sit down and use vi (or any other text editor) to maintain her very own ~/.mailfilter file. For this reason, I will be switching to Sieve in the near future, using the Cyrus IMAP server instead of Dovecot, which I’ve been very happy with.

Is that the time? OK, maybe I’ll have to write that patch for Maildrop on Saturday.

Also, system requirements were announced today.

That two battalions of Marines be raised consisting of one Colonel, two lieutenant-colonels, two majors and other officers, as usual in other regiments; that they consist of an equal number of privates as with other battalions, that particular care be taken that no persons be appointed to offices, or enlisted into said battalions, but such as are good seamen, or so acquainted with maritime affairs as to be able to serve for and during the present war with Great Britain and the Colonies; unless dismissed by Congress; that they be distinguished by the names of the First and Second Battalions of Marines.

Commandant Samuel Nicholas sat in the tavern, enlisting recruits for the Continental Marines, as they were known back then.

Today, all Marines celebrate November 10th as the Marine Corps Birthday. This year, the Marine Corps Ball of the Commandant of the Marine Corps will take place on Saturday, the 14th. Other posts will celebrate at differing dates throughout the week. One thing always found in common with any Marine Corps Birthday celebration, from the Commandant’s Ball to just two Marines in a foxhole, is the cake. The cake cutting ceremony is very dear to all Marines.

It’s said that it’s a small world in the Corps. Most Marines will serve with others they have known elsewhere at almost every duty station they are ever sent to. This tight-knit “band of brothers” take tradition and honor very seriously.

Semper Fi, Devil Dogs.

Visit http://www.oo-rah.com/store/editorial/edi52.asp for an explanation of the term, “Semper Fidelis,” and its true meaning to Marines.

Even if you don’t have a BD player, I would recommend going down to target to pick up this set. If you’re a fan, you’ll be glad you saved yourself the bones down the road.

The movies look great on my 42″ 1080P LCD TV, by the way.

This morning, at work, I’ve had a quiet moment so I thought I would open up my notebook and look at some code. When I woke it up, there was Konqueror (I was upgrading blogs last night). So, I thought, oh, let’s look at the list of plug-in directories. There was an entry for /usr/lib64/browser-plugins/wrapped/ which doesn’t exist, but not one for the /usr/lib64/browser-plugins/ directory, which does. I added an entry for /usr/lib64/browser-plugins/, clicked the Scan for New Plugins button and restarted Konqueror.

That’s all it took. It works.

Now, I just have to go file a bug report with a fix in their bugzilla. I love Free & Open Source Software.

This time, I decided to see if I could simplify the process a little bit. Instead of reassembling the content by moving the previous version out of the way and then cherry=picking the right files and directories to copy into a fresh extract of the new release, I decided to make a backup copy of he current directory (and the DB) and then copy the extracted files of the new release over the top of the existing install. In this case, there were no DB changes to process, so it didn’t even ask me to “Upgrade the Database.” In fact, after the copy command was done, that was it.

I like it simple.

Still, I need to sit down and work out just how to reorganize the layout of a few things, since there are features that now better support much of what I want to do to better secure and simplify the running of my blog. Perhaps a project for this weekend?

FYI … I took down the “keysigning” email address from my domain a couple of days ago (after I got an email from someone whom I was expecting to send me their key).

I’ve already asked the UTOSC folks to plan on me doing two (or more?) sessions for the keysigning party in 2010. For next year, I plan on doing a presentation session, where I will talk about the reasons why keysigning is so important, how the system as a whole (the web-of-trust, the keyrings, etc.) works and provide a brief introduction to the actual protocols and algorithms used. The idea is that someone can come away from that session able to do three things:

1. Make a well informed decision to participate in the web-of-trust.
2. Explain just enough to help their friends also understand it.
3. Understand it enough to trust it based on their own understanding, instead of just entirely on the word of us “experts” who have been using it for years.

The second session would be the keysigning party, itself. Perhaps there could be two of these? The main one would be in the second evening and the second keysigning party could be a family-day thing.

Anyway, we’ll all be much better prepared for next year.

I first remember hearing SQL mispronounced as “sequel” from Microsoft back in the 1990’s shortly after a release of Microsoft SQL Server. I can not say with certainty that Microsoft did this on purpose in order to spit in IBM’s eye, but if you search for IBM sequel database language (for example, on Google), you’ll see that Microsoft still advertises that you can “Learn Sequel”.

Please, people, can you pronounce SQL as S-Q-L? After all, IBM invented both SEQUEL and SQL and they said that this is the correct pronunciation. Thank you :) .

This year, I’m not doing any presentation. I have some ideas for next year.

I will be running the keysigning party on Friday, October 9 at 7:15pm at the conference. I’m stepping into doing this a bit last minute, so we’re going to provide some additional info and the instructions for the keysigning party on the UTOSC website should be updated very soon.

To participate, just show up. If you want help generating a key pair and getting started, there will be several people there who can assist you, just be sure to bring your own notebook computer. If you have keys, please, email me your full key ID (not a short or medium) at keysigning@openbrainstem.net. It is a good idea to digitally sign that email. If you have multiple keys, include them all. I actually have three separate keys these days and 2 of them have multiple IDs associated with them.

(and PGP) allow us to digitally sign messages (usually email, but can be used with other communications systems, too), code and other documents. It also let’s us encrypt files, emails and just about anything else. This is an extremely important technology for a lot of reasons, some of which I’ve discussed in past articles on this blog (and others). Defending our privacy and ensuring the integrity of our personal, family and business communications is vital. We sign each other’s keys to build a “web of trust.” This is the critical step that makes the whole thing usable.

If you have never used PGP or GPG (a.k.a. GnuPG, Gnu Privacy Guard) before, visit the GnuPG website for a basic description of how to generate your key pair.

If you have never participated in a keysigning party, check out the Keysigning Party HOWTO and/or [ http://keysigning.org/ ].

Immediately following the Utah Open Source Conference 2007 keysigning party, I wrote a simple script to help help you sign-lots-o-keys. You can download the script from [ http://www.openbrainstem.net/download/sign-lots-o-keys ]. If I have time before the keyparty in just two days, I have some little updates that I would like to implement in that script. But don’t hold your breath. Perhaps there will be time at the conference on Saturday?

So, please, plan on joining us on Friday. These are always good fun.

The reason that it took an hour was that I was forced to upgrade several plugins and fix a couple of configurations. No big deal. It went pretty smoothly. Here are the basic steps that I go through:

1. Backup the DB
2. Move he current install out of the way
3. Extract the new code base
4. Copy the wp-config.php file to the new code directory

So, for example, I will run commands like these:

$ mysqldump -p dbname | gzip -9 >~/backups/dbname.sql.gz
$ mv web-server-vhost-dir/docroot/wordpress-blog-dir/ web-server-vhost-dir/
$ cd web-server-vhost-dir/docroot/
$ tar -zxf ~/wordpress-version.tar.gz
$ cp web-server-vhost-dir/wordpress-blog-dir/wp-config.php wordpress/
$ mv wordpress/ wordpress-blog-dir

Obviously, you need to replace the italic parts above with filenames and directories that match your setup. Perhaps you structure your website differently and the WordPress code will be in the root of your webspace.

After the new code is in place with the wp-config.php file copied in:

1. Hit the admin page in a web browser
2. Click the “Update Database” button
3. Test
4. Fix plugins, theme, caching, etc. (mostly file and directory owners/groups and permissions)

If there’s a problem, simply move the new code out of the way (or delete it, if you prefer) and copy or move the old one back into place. If the DB update process was run, you will have to restore your database to its previous state. This is easily accomplished with a single mysql command::

$ zcat ~/backups/year-month-day-dbname.sql.gz | mysql -p dbname

You’ll be so glad that you had that backup file.

When I first built it in May of 2004, Fedora Core 2 was barely out and was the first Fedora to sport an AMD64 (x86_64) 64-bit version. That was the first and last time that I installed Linux on this box, from scratch. Since then, I’ve upgraded it to FC3, FC4, FC5, F6, F7, F8 and now F9 (I will upgrade to F10 in a week or so).

When I installed FC2, I used the ext3 filesystem for the root volume (I use LVM). I "converted" the root volume to the XFS filesystem on 2006/08/03. I also created a few volumes using XFS and reiserfs (v3.6) filesystems.

Over time, I’ve had a few minor problems with XFS. Recently, those problems grew in regards to the root volume to the point where I needed to convert it to something else, which I did the other day. The root volume is now on reiserfs. That leaves just 3 volumes that are still XFS.

After upgrading to F9 and installing updates, there were a couple of weird issues that I was dealing with. I also kept seeing some filesystem corruption messages (on the terminal, in the logs) for XFS volumes (but they don’t tell you which one). That’s it, I’m done with this XFS thing, so I’m going to convert those filesystems over to something else and get rid of XFS on this workstation.

The three volumes are for /usr/, /var/ and /var/log/. I could just drop to single user mode and convert /var/ and /var/log/ without any difficulty. For whatever reason, on Fedora and derivatives (including RHEL, CentOS, etc.), I have never been able to umount /usr/ successfully once it’s mounted. So, I’m using a rescue environment (to convert all 3) like I did for the root filesystem conversion, just so I don’t have to muck with it.

I haven’t had one problem at all with the two XFS volumes I have on my home file server (one for /music/ and one for /video/). That server is running openSUSE for a few years now. It’s also a much more complicated setup on that hardware, which I’ll talk about more in a later article.

For those who want to post comments that I’m an idiot for using reiserfs, please, don’t bother. I’ve heard every reason why this filesystem or that filesystem sucks and you should only use, “the other one,” instead. Look, it’s this simple: since the filesystem is the one piece of software where we just don’t tolerate buggy software, when something does go wrong the stories live on for years. I’ve heard horror stories of kinds that you might never be able to imagine describing data loss at the hands of ext2, ext3, reiserfs, XFS, JFS and many other filesystems. I’ve only experienced data loss with ext2 and ext3. XFS has given me problems, but thankfully not with files that I couldn’t easily replace. I haven’t hardly used JFS, but I do have a volume or two on my home file server that are JFS and there’s been zero trouble there.

Here’s my philosophy about filesystem type selection: use the right tool for the job.

It’s not always easy to say with perfect definitiveness that you should always use this filesystem here and that one there. Benchmarks show all 4 of ext3, reiserfs, JFS and XFS as having statistically equal performance for general use cases (like workstations). There are some rules by which I can say, from experience, that one of these will outperform the others for a particular use. I’ve been meaning to run another series of performance benchmarks on as many viable Linux filesystem types as I can. I’ll post results and talk about use cases then. For now, here are some basic tips from my experiences:

• Always check the “expiration date” on the horror stories that people tell you. It’s more likely to be old, as reiserfs, ext3, JFS and XFS have all been quite stable for many years now.
• ext3 will almost never outperform the others for a specialized task.
• reiserfs, JFS and XFS will almost always have roughly equal performance for most specialized tasks. This is primarily due to the fact that they share the very similar basic filesystem design concepts, though, obviously, the implementations vary. I’ve thought for many years that XFS was derived, in part, from reiserfs (due to some very hard to discount coincidences in XFS structures and code) but also shares some design elements in common with MacOS filesystems.
• If you’re going to have lots of files, big or small, then move away from ext3. Newer versions of ext3 (that are not backward compatible with older ext2/3 drivers) implemented some features (like hash-indexing) from reiserfs in order to improve performance in this area. Still, more than about one thousand files or so in a directory and ext3 starts to bog down quickly (when working in that directory). So, for example, ext3 is a really poor choice for spooling directories on busy servers or for proxy stores or any other application where tens if not hundreds of thousands of files will be created.
• ext3 has the worst file deletion performance of the group. Thus, for applications like print and mail servers, ext3 is a very poor choice. I have personally seen anywhere from 7 to 9 times better performance for print servers and from 10 to 23 times better performance for mail servers by simply converting the spool (and log, in the case of the mail servers) directories from ext3 to reiserfs.
• XFS and JFS have some specialized features that are very useful in high throughput applications. XFS has a bandwidth guarantee feature that is very useful with large media operations (like audio/video editing, compositing, etc.) and streaming. JFS has some sustained high throughput features that provide excellent performance for some types of databases (not database servers, but data operations by the servers).
• When it comes to databases, it’s very hard to predict which of these 4 will provide the best performance. It is very rare that ext3 is the winner, but it does happen. The only way to really know has been to create 4 volumes formatted with each filesystem type and run some benchmarks against the same DB on top of them. If you’re going to do this, make sure to use the database structures for the DB you want to test that you will be using in production. You don’t have to have “real” data, but make sure it is representative of the types and sizes of records that your database will be working with. Also, be sure the benchmarking test run “real” queries in the “right” ratios that you do (or expect to) see in your production environment. After all of that testing, you’ll probably see that one of the filesystem types outshines the rest.

Once, while I was consulting with a Fortune 500 company that will remain nameless, we saw that certain tables experienced huge performance benefits on one filesystem and other tables were significantly better on another. They actually reworked the application code to work with splitting the database into two databases, that were then stored on two different filesystems in order to take advantage of this.

Basically, each of these filesystem types have their advantages and disadvantages. There are other journalling and log filesystems available for Linux that are worth looking at for some applications. If you have a strong bias towards just one filesystem type and won’t even look at the others, then you are very likely missing out some benefits that you could have. If nothing else, it’s certainly an interesting topic … to some of us geeks.

Of course, it’s very important to have good, strong password security practices. If you have poor passwords, none of this will matter, as you’ve probably already been compromised whether you know it or not. This means that all users have to have strong passwords. Techniques for helping users to create and use strong passwords are beyond the scope of this article, but I will write about these things in the near future.

Here’s the configuration that I put into place. I’m showing this as the the iptables commands that you would run on the command line, adapt to however you persist your Netfilter configuration. Also note that these lines should replace anything that you now have in there for SSH. I’m also including the additional ESTABLISHED,RELATED rule here for completeness:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -i $OUTSIDE_INTERFACE -p tcp --sport $UNPRIV_PORTS --dport 22 -m state --state NEW -m recent --update --seconds 10 -j REJECT --reject-with icmp-host-prohibited
# iptables -A INPUT -i $OUTSIDE_INTERFACE -p tcp --sport $UNPRIV_PORTS --dport 22 -m state --state NEW -m recent --set -j ACCEPT

These three rules mean:

1. Accept traffic for “conversations” that are already in progress. This rule works for traffic in both directions and will handle everything in the ongoing connection.
2. If an IP packet matches these criterion:
   1. “-A INPUT -i $OUTSIDE_INTERFACE” — coming in on the Internet connetion (I create a variable with the value “eth0” or whatever it is and use that in my firewalling scripts);
   2. “-p tcp” — carry TCP (for Layer 4) in the IP packet payload;
   3. “--sport $UNPRIV_PORTS” — coming from an unprivileged TCP port (legitmate clients should only come from source ports 1024 through 65535, inclusive);
   5. “--dport 22 — destined for TCP port 22;
   6. “-m state --state” — the state module doesn’t have a record of this packet as being part of an existing connection;;
   7. “-m recent --update --seconds 10” — the update module has a record of another connection attempt matching this one within the past 10 seconds.

   Take these actions:

   1. “-j REJECT” — throw the packet away;
   2. “--reject-with icmp-host-prohibited” — return an ICMP host-prohibited response to the client who tried to initiate this connection.
3. The last rule is essentially the same as the second, except for:
   1. “-m recent --set” — make a note of the time that this connection attempt occurs at;
   2. “-j ACCEPT” — if all criterion match, accept the packet (which will stop further rule processing here, BTW).

Basically, what we’re trying to do here is to limit the number of failed connection attempts that are allowed.

Let’s say that human being tries to connect via ssh lamont.example.com and they don’t have an account or the mis-type their password several times to the point where sshd cuts off the connection, so they re-run their ssh command to try again. It will probably work and let them in, as it probably took them longer than 10 seconds from the first packet of the first TCP connection until the first packet of the next TCP connection.

However, the cracker-bot-nets don’t work like humans. They automate the process of trying to connect as fast as they can, so they will try only 1 or maybe as many as 3 or 4 passwords before closing the TCP connection and starting another. Since they don’t have to be as slow as people, they’ll usually be coming back again in under the 10 seconds. Most of them actually try to establish multiple connections (2-20ish at a time) in order to try more passwords.

Once the crack-bot starts seeing TCP connection failures, they usually skip your IP and go on to try and find softer targets. If they can’t connect to SSH, then why bother wasting time trying.

After setting up this configuration and letting it run for a week, I can report that it works marvelously. I’m getting under 10 break-in attempts per day, now. If you’re going to have SSH visible to the world (and why shouldn’t you?), then I would recommend adopting these Netfilter rules in your firewall configuration.

The crux of the story is that the major U.S. airlines are shifting their schedules a little so that there will be fewer overall seats available throughout the U.S., despite stronger demand than last year. Such changes are not being made in their International schedules.

Part of the numbers come from switches to smaller aircraft, some are from schedule changes that will have a smaller total number of flights on some routes and other routes may be eliminated.

I also found it interesting that Delta Airlines, which I fly more often than all others combined, is the only major airline that is leaving their capacity and schedules virtually unchanged, with only a 0.6% overall U.S. routes capacity decrease planned for January 2008.

The biggest problem that could occur, whether you are flying with an airline that is making large changes or small, is that hiccups could take a day or two, rather than hours, to resolve. Such issues could bleed into other airlines, as cross-pollination can and does quickly fill the few available seats still open on all the other airlines. Given all of the problems that Northwest Airlines has been experiencing this year, I would hope that they don’t cut back too far. Granted, things are better at Northwest than they were in June of 2007, but the end of November continued to show larger numbers of cancellations than should normally be expected.

Obligatory quote:

At the strategic level, coalitions involving tens of thousands of players struggle for months over strategic objectives or simply to wipe out their enemies. For at least a year the most powerful group in Eve has been an alliance known as Band of Brothers, a self-appointed evil empire with the stated objective of taking over the galaxy. Against them is arrayed a motley batch of self-styled freedom fighters with names like the Red Alliance (mostly Russian), Tau Ceti Federation (mostly French), GoonSwarm (mostly obnoxious) and the Interstellar Alcohol Conglomerate (mostly drunk).

First, when I was updating my wife’s blog, I got all in a hurry and forgot to make a backup of the database first. Then, when I connected to the wp-admin/upgrade.php script and clicked on the Upgrade WordPress button, all hell broke lose. I had DB errors left and sideways (thankfully, not quite right, though). At that moment, I realized that, “I could really use that DB backup right about now.” Well, I didn’t have it, so I tried the export function from the admin interface and that worked. At least I had her posts (there was a brand new one, too, which wasn’t in the most recent backup file that I did have).

The fix was pretty easy, though. The main problem was that there were several changes that required creating new tables in the DB (MySQL) and dropping others, but because the DB user that WordPress uses doesn’t just have full access to the database, these statements failed and prevented others from succeeding, too. For security reasons, I use GRANT statements for the tables that the app needs, which keeps it from accessing other tables in the same DB (there’s one database per user), which are for other apps. However, trying to run the wp-admin/upgrade.php script again was a no-go, as it thought the DB was fully up to date. A quick glance at the code in the wp-admin/upgrade.php script showed that this decision was based on the value in the db_version option.

I connected using the mysql command line client (over an ssh connection) and ran a couple of queries against one of the other DBs which had the same (older) version of WordPress. Once I had found the correct old value for the db_version option, I ran a simple UPDATE query (the italics indicate information that may differ on your databases):

mysql> UPDATE dbname.wp_options SET option_value='5183' WHERE option_name='db_version';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

I then re-loaded the wp-admin/upgrade.php script in my browser, which now thought that the database was out of date. So far, so good. But, before trying the upgrade again, I also added a new GRANT for the WordPress user for that DB, allowing them to run CREATE statements against that user’s database:

mysql> GRANT CREATE ON database.* TO 'wp_user'@'localhost';
Query OK, 0 rows affected (0.00 sec)

This time, there were far fewer errors. It was able to all the CREATE TABLE statements. However, as there were no GRANTs to permit the WordPress database user to access the new tables, other operations failed. A quick look allowed me to pick out which tables I needed to issue GRANT statements for:

mysql> SHOW GRANTS FOR 'wp_user'@'localhost';
+------------------------------------------------------------------------------------------------------------------+
| Grants for wp_user@localhost                                                                                   |
+------------------------------------------------------------------------------------------------------------------+
... snip ...
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_comments` TO 'wp_user'@'localhost'                 |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_categories` TO 'wp_user'@'localhost'               |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_postmeta` TO 'wp_user'@'localhost'                 |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_usermeta` TO 'wp_user'@'localhost'                 |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_posts` TO 'wp_user'@'localhost'                    |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_linkcategories` TO 'wp_user'@'localhost'           |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_options` TO 'wp_user'@'localhost'                  |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_post2cat` TO 'wp_user'@'localhost'                 |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_links` TO 'wp_user'@'localhost'                    |
| GRANT SELECT, INSERT, UPDATE, DELETE, INDEX ON `dbname`.`wp_users` TO 'wp_user'@'localhost'                    |
+------------------------------------------------------------------------------------------------------------------+
12 rows in set (0.00 sec)

mysql> SHOW TABLES IN dbname;
+-----------------------+
| Tables_in_dbname      |
+-----------------------+
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
10 rows in set (0.00 sec)

Comparing those two lists showed that I needed to run a few GRANT statements:

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER ON dbname.wp_term_relationships TO 'wp_user'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER ON dbname.wp_terrm_taxonomy TO 'wp_user'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER ON dbname.wp_terms TO 'wp_user'@'localhost';
Query OK, 0 rows affected (0.01 sec)

I then reset the db_version option, re-loaded the wp-admin/upgrade.php script in my browser and clicked the Upgrade WordPress button, again. This time, it worked perfectly. The database for my wife’s blog was fully repaired and upgraded for WordPress 2.3.1.

Now, I want to stress here that this would have gone a lot more smoothly, not to mention safely if I had only slowed down and made that backup of the her database before I started messing around with it. It’s very easy to do just that:

$ mysqldump -p dbname > ~/backup/$(date --iso-8601)-dbname.sql

Note, that this precise command line assumes that you are running from a user account who has a database account in MySQL with the same name as the username and that this user has access to the database in question. Adjust your usage appropriately. Also, if your server is fairly busy, you might want to use the mysqldumpslow command instead of the mysqldump one. mysqldumpslow merely takes its sweet time about things, so as to not put undue additional load on your servers, but otherwise its syntax and use is the same.

When I applied all this goodness to upgrade this blog, I ended up with just 3 errors from running the wp-admin/upgrade.php script, after I had gone through the process of adding new GRANTs for that dbuser to access my user’s databases. The errors were that 3 DROP TABLE statements had failed. These were easilly handled manually (I don’t want the applications to be able to DROP anything on their own):

mysql> USE otherdb;
mysql> DROP TABLE IF EXISTS wp_categories;
Query OK, 0 rows affected (0.02 sec)

mysql> DROP TABLE IF EXISTS wp_link2cat;
Query OK, 0 rows affected (0.00 sec)

mysql> DROP TABLE IF EXISTS wp_post2cat;
Query OK, 0 rows affected (0.02 sec)

That’s it. It only took me about 15 minutes to do all of this and to extract the files for the new version of wordpress and copy and move over all the little tidbits (mostly for things found in the wp-content/ directory) to get each of the blogs updated to the latest release. Interrestingly, it took me about 2 hours to write, sanitize and proofread/edit this post.

I’ve run into trouble here and there as the Livna folks keep pulling RPMs from their repos for older versions of the kernels. At the very least, they should leave the kmod-* packages in there for the original kernels that shipped with each release. Then, people can install a release and get a good driver. I had to wait for about 3 weeks after I first put F7 on my home workstation (dual AMD Opteron) before I could get the nVidia driver from Livna because they didn’t have one for the older kernel packages and the newer kernels weren’t booting (turned out to be malformed initrd files, which I later fixed).

Yes, I understand that they take up some disk space, but it’s not really that much perhaps 100M per release to keep all kmod-* packages and their dependencies around.

Livna, if you’re listening, please, give us all the driver packages and don’t remove them. You don’t know which kernels are working for people and which aren’t, so you could really be making things pretty difficult for people.

I have a Logitech bluetooth mouse that travels with me. I use it with my notebook computer, as I’m very, very not fond of trackpads. My favorite is the “TrackPoint” or “Eraser-head” mouse built into the keyboard, but this notebook didn’t come with one. Supposedly, I can buy a replacement keyboard from HP that includes the eraser-head pointer, but I have not yet done so.

When I wrote about installing Fedora 7 on this notebook (and now installing Fedora 8), one thing which I never documented was how I got the bluetooth mouse working with Linux (under F7). Now that I installed F8 from scratch, I need to set it up again.

When I installed F7, I spent hours dog-paddling through Google searches and horrible documentation and still hadn’t figured it out. Then, my friend and co-worker, Clint Savage (a.k.a. Herlo) popped into the office. It was him! He’s the one who has the exact same mouse as I do; I knew I’d seen it somewhere before I had bought mine. So, I asked him. He smiled and laughed, saying, “Not finding much useful documentation out there, eh?” He’d been through the same thing as me. He was impressed with how far I’d gotten through that process and estimated that I was probably 1-3 hours away from finding it myself, if I continued to follow the pattern he had. Well, he shared the information with me.

The good news was that it was pretty easy to get my bluetooth mouse talking with my bluetooth equipped notebook, just not really documented anywhere that one could point to just one thing (boy, I wish I’d documented those commands in a blog post; I’ll see if I can do just that next week, when I’m back at the office). The bad news was that one of them had to be run every time he started his computer. So, I put that command into a /root/bin/connect-to-my-bluetooth-mouse (or something like that) script. Then, a week later, I forgot to run that when I booted up and logged in, once, but was using the mouse anyway. I had discovered that it wasn’t necessary to run that all the time.

One of the reasons that it had been so difficult to setup bluetooth on Fedora 7 was that I was using GNOME on that installation. I stuck with entirely GNOME apps (except for Kdevelop) the entire time I had F7 on this notebook. Now that I have F8, I’ve gone back to KDE, which makes life so much better for me. GNOME still doesn’t have much bluetooth support and what is there is still very early half-baked and non-usable, for the most part. KDE’s bluetooth tools, on the other hand, seem much more comprehensive and “just work” for me.

It doesn’t stop with just anaconda installation and yum update commands, either. Almost every yum install command that I run decides to install both 64-bit and 32-bit packages. That is, unless I explicitly specify that I only want the 64-bit for each and every package. For example:

# yum install foo.x86_64 bar.x86_64

Why is yum doing this? It didn’t used to. I started experiencing this a little bit on FC6, but F7 and F8 both have horrific troubles with it. I need to do some more digging through Red Hat’s Bugzilla bug/issue tracking system, however, my first pass didn’t find anything to help explain the changes. After a little more research, I’ll file this as a bug.

In the meantime, here’s a quick-n-dirty hack I put together to run updates. The first step is to capture the output of yum update to a file (be patient, this command can take for-freakin-ever to run). Step two is to run the update itself. Here it is as a shell script:

#/bin/bash
# Get a temporary file to use.
TO_UPDATE="$(mktemp)"

# Populate the temporary file with the list of available updates.
yes n | yum update > ${TO_UPDATE}

# Composite an update command that does not include any 32-bit stuff.
yum update $(for i in $(sed '/i[3456]86/d' ${TO_UPDATE} |
         sed '/^Updating/d' |
         sed '/^Installing/d' |
         grep -v "^$" |
         grep -v replacing |
         cut -d" " -f2); do
      rpm -q --qf "%{name}.%{arch}\n" $i; done |
   grep -v "is not installed$")

# Optional cleanup.
if [ "${1}" = "-k" ]; then
   mv ${TO_UPDATE} /root/$(date --iso-8601)-$(basename ${TO_UPDATE})
else
   rm ${TO_UPDATE}
fi

You will have to run a separate yum update command for any 32-bit stuff you really do have installed and want to update.

I know this could be streamlined (especially the part that constructs the yum update command), but as I’m not planing on making this a permanent fix, I’m just not going to bother with it right now. Still, feel free to comment or trackback with other solutions or optimizations of mine.

My HP Compaq 6715b notebook comes with ATI Radeon X1270 video 128MB RAM dedicated plus 192MB RAM shared) and a 1680×1050 resolution 15.4 inch LCD (at 61Hz, it would seem). I’ve installed the proprietary ATI driver in order to get it working, as Fedora’s tools get really confused about widescreen setups, it would seem.

Here are the relevent package versions:

# rpm -qa | egrep '(fglrx|kernel)'
kmod-fglrx-8.42.3-8.lvn8
kmod-fglrx-2.6.23.1-49.fc8-8.42.3-8.lvn8
xorg-x11-drv-fglrx-8.42.3-7.lvn8.1
kernel-devel-2.6.23.1-49.fc8
kernel-devel-2.6.23.1-42.fc8
kernel-2.6.23.1-42.fc8
kernel-2.6.23.1-49.fc8
kernel-headers-2.6.23.1-49.fc8
xorg-x11-drv-fglrx-libs-32bit-8.42.3-7.lvn8.1

(As you can see, I haven’t removed the original kernel, yet. Maybe I’ll go do that now.)

However, I seem to be getting some fairly odd artifacts on-screen with this driver under F8, including some odd extra sprite garbage with the mouse cursor. I had experienced some oddities under F7, but they were confined to GNOME applications (no others exhibited any issues). It doesn’t matter if I enable or disable “Desktop Effects” either (they won’t successfully enable, anyway). A RAM test (memtest86+) shows that there’s nothing wrong with the system memory, but that doesn’t test the video card. There are ATI tools for testing the video card more fully, but I haven’t had time to try them out, yet.

Since FC6, Fedora systems rely on the X server detecting proper monitor and other configuration parameters every time it starts. This has been far less than reliable on a wide variety of machines that I’ve been running into over the past year. I’d like to get some more information about other people’s experiences with this, before I file a “bug” report about this. It’s really becoming an embarrassing problem as things worked much better when we would get a finished configuration file by default in FC5 and earlier.

First, I tried to do an “Upgrade Install”, which didn’t surprise me by not working. Upgrading from 32-bit F7 to 64-bit F8 isn’t something that anaconda knows how to do, and I didn’t expect it would. Still, I tried it and know we know for sure. So, I did a fresh installation. I removed the root Logical Volume (I’ve been using LVM for my notebooks and workstations since long before Fedora started to default to it) and created new LVs for / and /usr/ LVs. Previously, under F7, /usr/ was on the root LV.

The install phase itself went just fine. 1478 packages were installed, including 389 32-bit (i.e. i386, i486, i586 and/or i686 RPMs). I ran a simple command to find and then remove all of them:

# rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep "\.i[3456]86$" | xargs rpm -e

If I need any 32-bit stuff later, I’ll just reinstall as few such packages as are required.

My next issue was the same video problem as I had when I installed Fedora 7. The graphical installer couldn’t run and the resulting system had no working X server configuration. This was very easy to fix:

# wget http://rpm.livna.org/livna-release-8.rpm
# rpm -qp --qf "%{name}-%{version}-%{release}.%{arch}\n" livna-release-8.rpm
livna-release-8-1.noarch
# mv livna-release-8.rpm livna-release-8-1.noarch.rpm
# rpm -Uvh livna-release-8-1.noarch.rpm

(NOTE: I renamed the package file back to what it should have been in the first place. Though rare, if they update it, I’d like to notice the difference and be sure I’m using the latest one on some other machine in the future.)

After setting up the Livna repository for Fedora 8, I was able to install and activate the ATI driver:

# yum install kmod-fglrx x11-xorg-drv-fglrx
. . . output omitted . . .
# fglrx-config-display enable

Notice that the command name changed from Fedora 7 to Fedora 8; it used to be ati-fglrx-config-display.

The next thing I need to fix is to re-associate my Logitech Bluetooth mouse with the notebook. I had a script in /root/bin/ that would have taken care of that very easily. Unfortunately, I forgot about that until after I had installed Fedora 8, thus obliterating that file. Oh, well. This time, I’ll also document it elsewhere (perhaps here?) once I get it figured out again. I hope that will be tonight.

One last thing; with Fedora 7, I did my very best to stick with an all GNOME system. It was very irritating using applications that just couldn’t handle lots of basic things that I take for granted using other apps (mostly KDE). For Fedora 8, I’m going back to KDE, where things work much better.

Though I haven’t had a chance to try it out, yet, this is exciting news. It’s wonderful to see a game like this take the step to providing Linux, and Mac clients. Given that Microsoft (MSFT) Windows Vista is such a horrible platform and provides terrible performance for games, it would be a very good for many game makers to put more effort into both Mac and Linux support. In case you hadn’t heard, Apple (AAPL) sold 2 million iMac systems in 2007Q3 alone. There is talk that they could top that number in Q4 with ease.

Blizzard, are you listening? How about providing a LInux version of World of WarCraft and StafCraft II (whenever it lands)? That would be awesome.

Take a look at http://www.overcomingbias.com/2007/09/926-is-petrov-d.html. This was probably one of the most important moments and one of the best decisions anyone ever made in the entirety of the 20th century.

Petrov decided to not destroy the world just because a bunch of flashing lights told him that five (that’s right only five) US missiles might be heading towards the USSR.

I’m posting the script, which is still very rough, as I didn’t both taking any time when I whipped it up last night to take care of everything that it really should be doing. Still, I’ll work on it here and there, I’m sure. You can download it from http://www.openbrainstem.net/download/sign-lots-o-keys. If you feel like makeing some fixes, either post your patches (please, create them as a unified diff file, if you wouldn’t mind) and put a link in the comments here and/or on your own blog.

Enjoy!

I’ve been needing to get a new notebook for the past two years, but I kept putting it off because of time, money and that one more feature that’s coming out in a couple of months. With the arrival of so many new notebooks in the office, I decided to look again and dream about a new one of my own, so I made the rounds looking at systems of interest, including a couple of HP notebooks, the ThinkPad and Apple’s MacBook Pro.

When I hit HP’s Small & Medium Business website, I noticed the one category of notebooks which I had always left unexplored (as they didn’t fit some of the criteria I look for) listed that there were models which had up to 16 hours of battery life. I was curious to see what they had in this “Balanced Mobility” category, so I took a look. Boy, am I glad I did.

I found the HP Compaq 6715b. They had (at this writing, I think it’s still on) a pre-packaged deal going for US$1,129 (Ed: The price is lower, now) with:

• AMD Turion64 X2 (dual core) at 2.0GHz
• 1GB RAM
• 160GB SATA hard drive
• ATI Radeon Mobility X1270 video chip (with 128MB dedicated RAM and using 192MB shared RAM)
• 15.4 inch WSXGA+ (1680×1050) LCD
• Broadcom Gigabit Ethernet NIC
• Broadcom 4321 802.11 a/b/g/draft-n wireless NIC & integrated bluetooth
• Fingerprint reader
• 4 USB 2.0, 1 IEEE1394 (firewire), 6-in-1 card reader (actually, all SD type form factors), 1 Type I/II PC-card slot

That’s a lot of notebook for the money. So I put in an order. HP estimated that it would ship on the 30th of August, but it arrived on Thursday morning (2007/08/23).

In fact, I believe it’s around half the price of what any of the other guys have paid for their ThinkPad notebooks and it’s almost the same. They got a wireless USB 2.0 capability which I don’t have, but they only have 3 USB 2.0 ports (I have 4). Most (if not all) of their screens are 15.4 inch WUXGA (1920×1200) with nVidia graphics (256MB), an Intel Core 2 Duo (2.0GHz or 2.2GHz, I’m not sure which in all cases) and they have a nice “eraser-head” mouse which I don’t have, but really love. I hate trackpads, so I just picked up a Logitech bluetooth mouse, Saturday.

Overall, I think I got a better deal. My processor is as good or even a little faster than the ThinkPads’, and otherwise there’s very little difference in the equipment between the two, but they paid quite a bit more than I did for the HP. Thanks to that savings, I also picked up a 12-cell “Ultra Capacity” battery for my new notebook, which attaches to the underside at the back, causing the system to sit at a slight incline. The Ultra Capacity battery mounts in addition to the standard battery that came with the notebook and gives this machine up to 16 hours of battery life, with only a small increase in weight but a little more comfort and room for airflow underneath. We’ll have to wait and see just how much life I really get out of this setup, but I shan’t fear attempting to watch 3-4 movies on an international flight.

I’ve installed Fedora 7 on it. When I booted up the box to do the install, anaconda couldn’t get X to run, so it offered me the choice of using the text-mode installer or of starting VNC for me. I went with a VNC install. The resulting system had a couple of things to fix up. I checked on http://linux-laptops.net/ but this model isn’t listed, yet.

I believe there must have been a bug (I didn’t bother to go looking in Red Hat’s Bugzilla for it) in the version of YUM that shipped with F7 (32-bit) as yum update kept corrupting the RPM db and then deleting the errata RPM files as it thought it had installed packages but actually hadn’t. I simply edited /etc/yum.conf and set keepcache=1 before re-running yum again. That way, the packages stuck around and then I installed as many as I could using rpm instead (including an updated YUM package), which required me to fix the RPM DB, first. This was easy to do by simply running rm /var/lib/rpm/__*; rpm --rebuilddb and waiting for just 1 minute for it to finish. After installing the updated YUM package, all yum commands have worked perfectly for me.

To “fix” the X server configuration, I simply added the livna YUM repo to my new system and ran yum install kmod-fglrx followed by ati-fglrx-display enable as root (that’s not the command mentioned in the Unofficial Fedora FAQ for FC6, but the F7 version of the UFAQ wasn’t up yet) and the X server worked perfectly, even running the screen at it’s full, native resolution by default. I’ll have to see about running Cedega for a couple of games.

Next, I tried to get the fingerprint reader working, but so far, I’ve had no luck. Honestly, I haven’t really tried all that hard, yet. Some quick Google searches have only found references to people who haven’t gotten other HP notebooks’ fingerprint readers to work, but I also found some “hints” that others have. The output of the lsusb command showed Bus 003 Device 003: ID 08ff:2580 AuthenTec, Inc., which is the fingerprint reader.

I haven’t gotten the Broadcom 4321 802.11a/b/g/draft-n working yet. Linux does come with a driver that supposedly covers the chip in this Mini-PCI card, but I do not have the firmware for the driver to load. The tools for these cards come with a program called fw-cutter, but I haven’t found a file for this card that it will work on, yet. I suspect that I will have to wait for an update to fw-cutter to be able to get this working under the Linuxdriver . Perhaps I can find time to try to help patch it. In the meantime, my good old Cisco airo 350 card works fine, but I could also use NDIS Wrapper to run it with a Windows driver.

I’ve only been using this notebook for less than a day (and only a small part of the day, at that). Even so, I’m very happy with it already.

I’m thinking of installing Ubuntu (or Kubuntu, probably) on here alongside of Fedora. I’ve been wanting to learn more about that distro and now I have a hard drive that’s more than large enough for me to play with such things.

I also added vga=0x31a to the kernel line in the /boot/grub/menu.lst file (yeah, yeah, I know how Red Hat/Fedora only folks are going to say the file is “supposed” to be /boot/grub/grub.conf, but it really isn’t so; so, please, don’t add comments telling me about that). That sets up a framebuffer mode for text that’s 1280×1024. I don’t know if the kernel can support a 1680×1050 mode or not (so far, I’m not finding anything that would make thik it does). If so, I’d sure like to find out the right code for it. If not, I’d like to figure out how to add wide-screen friendly modes to the kernel framebuffer driver(s), as more and more systems are going that way.

I’m going to post this system on the http://linux-laptops.net/ website. If anyone else figures out how to get the fingerprint reader working under Linux on this or any other notebook that uses the same fingerprint reader chip/device, please, either TrackBack to this post or leave me a comment.

The new law amends the “Foreign Intelligence Surveillance Act of 1978 to provide additional procedures for authorizing certain acquisitions of foreign intelligence information and for other purposes.” It was sponsored by Sen. Mitch McConnell [R-KY] and Sen. Christopher Bond [R-MO].

I haven’t had time, yet, to fully read the resulting text of the bill (there are always amendments to bills as they pass through Congress), so I will reserve any specific commentary for a latter time. However, it appears that this new law could seriously affect privacy under certain circumstances in the United States.

It seems that several TSA inspectors at several different airports were mistaking the laptop battery for a possible gun in Ben’s notebook bag as it went through X-Ray scanners.

The recent MSNBC story, “Computer security problems found at IRS,” discusses security problems found at the IRS. One of the more interesting items:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service.

But even more disturbing:

Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.

Matt Bishop’s comments on the nearly total lack of cooperation from the California Secretary of State’s office gave to the review process are utterly amazing. It’s good to see that Debra Bowen (California’s Secretary of State), has now taken the step of decertifying, dis-approving all previously approved eVoting systems.

Avi Rubin has some excellent comments on the whole eVoting situation.

The State of Florida is getting into the act, reporting on their own security reviews of commercial eVoting systems (PDF). In this letter to Diebold (PDF) which the State of Florida has published, they give Diebold an ultimatum:

Based on the report, the Bureau of Voting systems Certification has determined that certain vulnerabilities outlined must be corrected by August 17, 2007, to continue this certification. Failure to do so will result in a denial of certification.

There’s 3 pages of required fixes attached to that letter.

The U.K. Electoral Commission recently released their report detailing serious security flaws in eVoting systems.

Electronic voting is a hard problem, but that doesn’t excuse Diebold Election systems, Inc., Hart InterCivic, Sequoia Voting Systems and Elections Systems and Software, Inc. from their demonstrated complete lack of fundamental understanding of how to secure … well, anything and in particular, they’ve all shown that they have no one with even the first clue of how to either implement nor apply cryptography correctly.

Applause go to both Florida and the U.K. for recognizing bad vendor crap in the first place. An extra-hearty ‘atta-girl’ goes out to Debra Bowen in California for throwing out approvals and certifications of these seriously flawed systems.

This topic is far too important to leave in the hads of the proprietary, closed-systems mindset crowd. It must be open. The code must be open and available to everyone. All systems must be thoroughly tested by reputable, recognized, outside authorities. I hope we’ll see an open source/free software implementation of an eVoting system that could be used for governmental elections. Such a system wouldn’t be limited to only government use, either, but I believe it would find place in many corporations and other institutions.

Let’s see how this goes. If you would like to comment, you can’t post it on my site. Use your own blog and use a TrackBack to this article. Let me know what you think.

Personally, I’ve always preferred the idea of TrackBacks over comments. I just wasn’t quite sure how to explain (nor did I ever take the time to really think about) why I felt that way. So, thank you to Dave Winer for helping me quantify it.

Although I have configured this blog to not have the “Allow comments” option selected by default, existing posts which did have that option on should still permit comments. I will fix this by editing the DB directly. Hopefully, existing comments will still be visible once I do so.

It’s not very good
And, most certainly, is not
Quality Haiku

It was a piece of testing text that I placed in a text editor for an admin piece of a webapp I’m helping a friend meet a deadline for.

But a new problem has surfaced with 2.2.1 in the admin interface; when loading the Dashboard or the Write or other pages which include wp-includes/js/jquery/interface.js, it freezes up my web browsers. I’ve tried it with Firefox, Opera, Konqueror & Safari, some on both Linux and Windows. The browser eventually lets me kill it (but I have to stop it 2 or 3 times) and then the page will finally load. In browsers where I have debuggers for JavaScript, I find this error:

Error: https://www.openbrainstem.net/blog/peregrine/wp-includes/js/jquery/interface.js?ver=1.2: Error: Error

It’s pretty frustrating trying to use my blog when the admin interface has some buggy JavaScript. I’m going to try to debug it, though JavaScript isn’t my favorite language. I’ll keep you posted if I find a fix.

As with Harry Potter and the Half Blood Prince (year 6), we are reading it together. We’ve only gotten into chapter 7 so far, as I had to leave on another business trip (to Ohio) 10 hours after we got home and she left on another Women’s Trip (like most years her side of the family does). So, we’re on pause right now and both itching to continue the book.

On a side note, I did get the chance to see the 5th Harry Potter movie this week one evening in Ohio. I’ll probably write a short little review of that experience, soon.

If you have an OpenID account, you can now use it to comment and to register on this blog, without having to register on this blog. I haven’t required logins to commont on this blog since June of 2006, but still required commentors to fill in their name and email and optionally allowed them to include a URL for their own site. Now, these kinds of things can be done via your OpenID.

I didn’t activate the second WordPress plugin yet, as I haven’t registered an OpenID of my own, nor have I set up an OpenID server.

I’m thinking about standing up an OpenID server on OpenBrainstem. I’m not really sure about this yet, so I’m asking you, my readers, to weigh in on the idea. Post your views as comments to this post. Tell me why I should or shouldn’t run my own OpenID server.

I have previously written about terrorism and the true goals & motivations of terrorists (see my article, “What the Terrorists Want“). This latest article on the subject from Bruce takes the discussion a very important and valuable step further. I recommend you read that article.

In my past writings on the subject of terrorism, I’ve always stressed how terrorist attacks are not about the target of the particular attack, but are instead about inducing terror, typically in a large population. The point being that we need to not focus on the tactics used and we need to refuse to be terrorized.

Bruce’s new article talks about the reasons why the psychological impact of terrorist activities (especially attacks on innocents) lead us to infer and then associate the tactical target with the motivation and reason for the attack. We think, “Terrorists attack in order to kill as many of us as they can or disrupt as many of our lives as they can.” This isn’t necessarily incorrect, as the tactical plan a terrorist chooses to employ really is about just such goals, but those goals are also not the true motivator. The point of a terrorist attack isn’t to disrupt our lives or even as simple as inducing terror in the population; almost all terrorists actually have other, larger goals in mind.

We defeat terrorism by refusing to be terrorized, but we do not defeat the terrorists in that way. This is because they will still have their primary goals, and they will not have gotten any closer to them whether or not we refuse to be terrorized. Here are six of Bin Laden and al Qaeda’s goals (from former CIA analyst Michael Scheuer’s book “Imperial Hubris“):

1. End U.S. support of Israel
2. Force American troops out of the Middle East, particularly Saudi Arabia
3. End the U.S. occupation of Afghanistan and (subsequently) Iraq
4. End U.S. support of other countries’ anti-Muslim policies
5. End U.S. pressure on Arab oil companies to keep prices low
6. End U.S. support for “illegitimate” (i.e. moderate) Arab governments, like Pakistan

Terrorism is about terrorizing people. That terror is meant to be a political lever to induce changes desired by the terrorist(s). But terrorism just doesn’t work. In his article “Why Terrorism Does Not Work, published in International Security, Max Abrams analized terrorist attacks and concluded that they are successful at achieving the goals of the terrorists only 7% of the time. Abrams seems to have been rather generous in his measurement of success and failure, giving the benefit of the doubt to the terrorists, so in reality, the number might be closer to 3%.

To defeat terrorism is a very hard problem. It would be much easier if the terrorists realized that terrorism doesn’t work. The vast majority of the time, it does not bring them closer to their true goals. The best thing each of us can do is refuse to be terrorized and to not overreact.

It was obvious that there were a lot of cancellations on Northwest. Fearing that my newly re-booked flight might also be canceled, I asked if this was a likely possibility. “We have no reason to think that there will be any cancellations tomorrow,” was the response. Not quite fully reassured, I prompted them for details about the cancellations. Over 300 Northwest flights had been canceled so far that day (it was not yet 1pm MDT) due to “Lack of crew availability” (which they read directly from their screen concerning my flight, and others’ around me). I asked why they had such large crew shortages. “Because of the weather on the east coast; so many flights out of there had to be cancelled that we now haven’t got crews where they need to be. All flights out of MSP that head east are cancelled for today at this point.” I hadn’t heard about any serious weather, but I hadn’t really been looking in the past few days either.

Then the next problem hit. They were unable to print anything, it seems. They couldn’t print boarding passes for people who were going to be flying, they couldn’t print an itinerary for me (or other people, either). Finally, they hand wrote my flight numbers and departure times and gave that to me on a scrap of paper. While they were working that out, I called my ride (I had been dropped at the Boise airport this time) to get them turned around to come back and get me. While waiting for my ride to return, I made a couple of other calls to people who needed to know that I would not be there to start my class Monday morning.

After returning to the house, I phoned the hotel and rental car agency to push my reservations back for the next day. The hotel was no trouble at all, and I even got the 1 night refunded without any hassles (Marriott properties are great that way). But the rental car agency said that the price for changing my reservation would be an additional $200 for the (less than a) week. I phoned Expedia Corporate Travel, which had been used to book the trip in the first place. That’s when things really came apart.

Expedia’s agent was able to help me reschedule the rental car with Hertz (my first ever time renting from them, but I’m 100% convinced that they are the best now), which turned out to be a few dollars cheaper than the other alternatives now, though the price still did go up. They also double-checked with the hotel for me and things were fine there, but there were problems with the flights. Mainly, their systems now showed that I didn’t have any. They phoned the airline and called me back a couple of times and eventually got us all on a conference call together, where the airline representative told me that my flights were not canceled, that they were almost no flights canceled anywhere and that my flight was about to land at BWI. She also said that their system did not indicate that I was booked for the new Monday flights but that they showed that I had never shown up at the airport at all. This despite the fact that the BIO counter and kisok systems both had pulled up my information, which I pointed out and she said that their systems did, indeed, log such lookups and there were no entries showing that I had been there. I asked if they had any data about anyone being queried from Boise today, which she “couldn’t answer”. She tried to make sound like she couldn’t perform a query to find out, but it really sounded like she knew that I was right and their systems were currently partitioned. In any case, that was the triger that got her to lock me in for the next flight (the one the counter agents at BOI had given me) despite the fact that she had told me earlier in the conversation there were no seats available at all.

After all that conversation (which took about 25 minutes) it looked like I was solidly set to travel Monday morning. Still, Expedia’s computers couldn’t see the flights. After a few minutes asking the Expedia rep some questions, I ascertained that the flights were booked (originally) through Delta Airlines’s systems despite the fact that every single leg was with Northwest. So, I called the special Medalion Members only service line (gotta love some of the perks) and they were able to reconnect the dots, though they were very perplexed that Expedia had booked the flights through them to begin with.

But just for my own sanity, I spoke with the counter agents at both BOI and BWI on Monday. They both said that the flights had been canceled. When the agent in Boise looked up the flight I had been originally scheduled on, that system showed that it had been canceled and still showed the same reason. The same occured at the ticket counter in BWI. This left me feeling like Northwest’s “customer service” center wasn’t really trying to serve the customer but instead trying to cover up the whole thing.

Then, on Tuesday morning as I left my hotel room to head for the classroom I was teaching at, I had a copy of USA Today outside my door. I picked it up but didn’t look at it until lunch. The topmost story on the Money section for Tuesday, June 26, 2007 was titled “Northwest’s flight cancellations surge“. Basically, Northwest’s management is blaming weather from several days earlier for canceling 14.2% of their flights on Sunday alone. Their pilots are blaming it on bad planning by management.

It looks like Northwest is burning all of their pilot’s legal limit of flight hours (some on activies other than flying) so quickly that they can’t fly them towards the end of each month. In addition, Northwest’s management has reportedly refused to rehire furlowed pilots, despite the fact that they know there is heavier demand coming. The USA Today article goes into a little more detail regarding the situation.

The long and the short of it is, if you travel much, I would recommend avoiding Northwest flights in the last 7-10 days of the month, for now. We’ll see if management gets it together in the next couple of months or not. Until then, I know I’ll do my best to avoid a repeat.

BTW: I normally fly out of SLC, but am visiting family in Weiser, Idaho for three weeks centered around the 4^th of July holiday. did check and found that I would have had the exact same experience if I had been flying out of SLC, as there were no flights available on Delta either (those Medalion Member Service Center folks are very helpful and answer all sorts of questions). Apparently, due to Northwest’s high cancellation rates over the whole weekend, all the other airlines seats had been filled as Northwest moved them to other flights and Delta’s had all been filled the day before.

Well, the illustrious and all wise folks at the US Department of Homeland Security have apparently decided that they should have copies of the DNSSEC key-signing keys. Given that someone told them that these were the “cryptographic keys to the Internet,” it’s very understandable that they would drool over them.

I wonder how disappointed they’ll be if they succeed in commendiering a copy of the key-signing keys and then learn what they really are; merely the keys used to sign keys used by DNS servers which are authoritative for registered domains, and nothing more.

What’s next? Is DHS going to start demanding the key to every city, too?

I can understand parents wanting to protect their children. Security isn’t always about the actual security. Sometimes, the perception of security is more important than the value of the actual security itself. In this case, parents have a greater peace of mind so they feel more secure.

But what about the children? Do you think that they might be a bit more emboldened knowing they have the armour on? In that case, such children are actually at a much greater risk then they were before. Do you think some would take it off as soon as Mom & Dad are out of sight? After all, many kids have done the same with their clothing.

P.S. If the story was about body armor in the U.S., I would have spelt armour differently.

MiniDisc is an awesome technology. It holds just as much music as a CD on a 2-inch recordable magneto-optical disk in a thin, sturdy plastic casing. The audio quality is quite good.

I’ve had a MiniDisc deck for many years, but haven’t had it hooked up for the past 3 years or so. Last night, I came across my stack of discs while looking for (and finding) some LS-120 floppies. So I decided to dust off (literally) the deck and plug into my home workstation for playback. Unfortunately, I couldn’t find an audio cable to go from stereo RCA connectors to the line-in jack typical of compter sound cards. This afternoon, it occured to where I could look for the cables I kew that I had and, sure enough, I found them. Since then, I’ve been enjoying listening to my MiniDiscs.

The first deck that I had could do both component audio and fiber optic audio for both input and output. That deck went out and I got it replaced with this current model, but the new one does not have fiber optic input for recording.

It’s been nice to research some links for this article as I’ve learned a lot about newer developments in MiniDisc technology and available devices that have come out over the past couple of years. I think I’m going to have to pick up some of the new Hi-MD (my birthday is in May, in case you were wondering) disks and units. It’s also been fun to reminisce about the two years (from 1995-1997) that I was at that mobile DJ company. Good times.

Well, it irritated me enough a moment ago to actually take a look at the full headers of just such a message. Here are the headers added by SpamAssassin:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
       dark-templar.lamontpeterson.net
X-Spam-Level: ***********************
X-Spam-Status: Yes, score=23.0 required=4.0 tests=BAYES_80,DRUGS_ERECTILE,
       DRUGS_ERECTILE_OBFU,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,URIBL_AB_SURBL,
       URIBL_JP_SURBL,URIBL_SBL,URIBL_SC_SURBL,VIA_GAP_GRA autolearn=no version=3.1.8
X-Spam-Report:
       *  2.5 VIA_GAP_GRA BODY: Attempts to disguise the word 'viagra'
       *  2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
       *      [score: 0.8180]
       *  0.0 HTML_MESSAGE BODY: HTML included in message
       *  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
       *      [Blocked - see <http ://www.spamcop.net/bl.shtml?201.83.176.249>]
       *  1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
       *      [URIs: tersho.com]
       *  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
       *      [URIs: tersho.com]
       *  4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
       *      [URIs: tersho.com]
       *  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
       *      [URIs: tersho.com]
       *  2.4 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
       *  0.5 DRUGS_ERECTILE Refers to an erectile drug

(Now that’s one spammy piece of SPAM!)

OK, so I took a look at my ~/.mailfilter file on the server:

### SPAM
if ( /^X-Spam-Flag: *(yes|YES) / )
{
   to "$HOME/mail/.SPAM/"
}

Many of my readers may be eagle-eyed enough to spot the problem right away. If you said, “Hey, you’ve got a superfluous space after your closing parenthesis in your regular expression there,” then you got it.

That regex would match either “yes” or “YES” (they are case sensitive). I did this because at some point long ago, I had a rule on a system that used “yes”, but SpamAssassin today produces “YES” and I just didn’t want to have it missing stuff because of something like that.

I decided to further improve this regex so that it might be less likely I’ll have to “fix” it again:

### SPAM
if ( /^X-Spam-Flag: *[yY][eE][sS]/ )
{
   to "$HOME/mail/.SPAM/"
}

Problem solved.

BTW: the term SPAM originally came to be used in the computer world because of the Monty Python Spam sketch.

There were some databases changes that weren’t handled very cleanly by the update script. I had to drop and recreate the DB from my backup (taken just before starting the upgrade process).

One of things that changed was the way that links are managed. The wp_linkcategories table was “replaced” with a new wp_link2cat table. Unfortunately, the upgrade script didn’t complete the conversion process.

Most of the work required to fix up my links was done within the management interface in my web browser. Not hard, but it took a few moments. One of the categories didn’t make it through the upgrade. Several others (but not all of them) from the categories list now show up, too. Upon further examination I discovered that the only categories that appeared were those which were not assigned to any posts, though, it appears in the UI that they intend all categories to be simultaneously usable for posts, pages & links. However, when I tried to assign a category which is in use for several posts to a link, that link no longer rendered.

The change from a separate set of categories for links to a unified categories system was certainly the right direction. It merely appears that testing of that part of the upgrade code wasn’t very thourough.

Writing this post, I discovered what appears to be a new auto-save feature. Every couple of minutes while the focus is in the post body input field, the auto-save kicks in and a text marker next to the save/publish buttons updates to say “Saved at h:mm:ss” (the time on this notebook). Nice!

I remember (vaguely) when Mt. St. Hellens blew its top (we even have a jar of ash from our front yard that we kept). That one event released more “greenhouse gases” than all industrial and automotive emissions since man started industrializing. Yet, the environment overcame it (and fairly quickly, too). I read an article about a year ago about how man didn’t clean up all the ash (and the environment is still “self-cleaning”) in one valley.

Reading Fozz’s comments, the thought returned to me that any attempt to state that the quantity of greenhouse gases that man produces are responsible would require hard numbers on the total amount of energies across the spectrum that reach the Earth (reaching the upper atmosphere, penetrate partway and reach the surface). I’ve never heard or read about any good continuous measurements being taken on an ongoing basis. Maybe you have; if so, I’d love to hear about them.

In all the reading that I’ve done, I find it highly unlikely that the puny quantity of gases we produce could account for the observed changes. We just don’t have numbers going back long enough to determine whather this is just part of a normal cycle or not. We have some evidence that goes back a few hundred years that let us make some guesses, but not enough to really extrapolate a pattern with enough certainty to begin answering such questions.

In the 50’s & 60’s, there was a significant concern around the world about global cooling. It wasn’t until the mid 70’s and early 80’s that we reached the point where those fears were gone, only to be replaced with the current global warming concern.

Here’s my theory about man’s activities and global warming: I think that direct heating, thermal-punping and surfacing account for the vast majority of man’s contribution to global temperatures. Burning fuel to produce heat for the home, energy to move a car and so forth produce a lot of heat. Covering large areas with concrete drastically alters the thermodynamics of the Earth’s surface.

Another thing to remember is that almost all the data is about surface temperatures, as it should be. The temperatures at the surface are responsible for the climate that we have to live with. That’s the part we experience. Again, if there’s been a study with correlating data about temperatures aloft.

Overall, I just don’t think we have enough data or enough understanding of how the planet works to be able to properly asses the state of the Earth nor the true impact man has upon it. Scientists want to take the numbers and produce an equation that explains it all, but we can’t. We don’t have the data and even when we finally do, I think the equations will be far more complex than anyone today would ever conceive.

It seems that “global warming” is poised to become the next warm-n-fuzzy (no pun intended) political issue. I believe that we will be hearing a lot of politicians glom onto this “issue” over the next couple of years.

Taking a look at the bullet points in the article, the very first one jumps out and says to me, “I’m the #1 reason that Microsoft reimplemented their TCP/IP stack from scratch.” That one reads:

Dual IP layer architecture for IPv6

After all the embarasing failures to produce a workable IPv6 stack (I first remember seeing “beta” code from Microsoft in 1999), it would seem they finally realised that the whole thing would have to be rearchitected.

Most of the bullet points in the article are fluff with a little bit of BS thrown in there two (obviously, the marketing department is still in full control of the Microsoft’s website). Lest you think I’m only here to bash Microsoft, here are some things that looks like improvements to me:

The interfaces in the current TCP/IP stack for TCP/IP security (filtering for local host traffic), the firewall hook, the filter hook, and the storage of packet filter information has been replaced with a new framework known as the Windows Filtering Platform (WFP). WFP provides filtering capability at all layers of the TCP/IP protocol stack. WFP is more secure, integrated in the stack, and much easier for independent software vendors (ISVs) to build drivers, services, and applications that must filter, analyze, or modify TCP/IP traffic. For more information about WFP, see Windows Filtering Platform.

This isn’t exactly new. Windows has had hooks into some parts of the network stack. Windows XP Service Pack 2 added some more key hooks. But one of the problems with the pre-Vista implementations is that tools which used these hooks couldn’t be guaranteed to always be able to process traffic. Although I haven’t gotten in-depth details of WFP, what I have read about it’s architecture it looks like it’s much more robust and complete.

The Next Generation TCP/IP stack can offload the processing of TCP and other types of traffic to Network Driver Interface Specification (NDIS) miniport drivers and network interface adapters. Offloading TCP and other protocol processing can improve performance for high-bandwidth networks or high-volume servers.

Although some NICs (mainly 3Com) have offloading engines that can take much or most of the load of IP and/or Ethernet packet/frame contruction and processing from the main CPU, thus freeing it for other tasks, the networking configuration of a particular Windows machine often prevented such offloading from occuring. Although I do not know any of the details as to why this happened, I have been told (by people who would have such detail) that it was due to the networking architecture of Windows. Again, I don’t have much detail on the architecture of this new feature in Vista, but what I have read leads me to believe that the new stack will make these NICs more useful as well as being easier for driver writers to implement.

The architecture of NDIS 5.1 and earlier versions limits receive protocol processing to a single processor. This limitation can inhibit scaling to large volumes of network traffic on a multi-processor computer. Receive-side Scaling resolves this issue by allowing the network load from a network adapter to be balanced across multiple processors. For more information, see Scalable Networking with RSS.

This is a much needed improvement for some systems, like Data Center Server (which already had something similar) and some beefier Windows Server boxes, but will not benefit end users much. If you were running a game that only utilized 1 of your multiple processors, theoretically, having the ability for the other processor to take over the networking processing would improve performance. Realistically, I doubt you could see the difference. Still, this is another welcome improvement in design.

The Next-Generation TCP/IP stack has an infrastructure to enable more modular components that can be dynamically inserted and removed.

Welcome to the 21^st century! Linux has done that since kernel 2.0 was released (the first version that supported kernel modules).

The Next-Generation TCP/IP stack uses a new method to store configuration settings that enables more dynamic control and does not require a computer restart after settings are changed.

Of course, Windows 2000 supposedly eliminated almost all the code paths where networking changes that would require a reboot. I remember a Microsoft event where they told me that NT 5.0, as it was still called at that point, only had 6 remaining code paths (down from 27 or so) with the whole OS where a configuration change would require a reboot. However, in practice, most people experienced a need to reboot the system to make common networking configurations changes actually effective approximately 1 out of 2 times such changes were made.

One could also read, “We changed the configuration storage methods so you won’t know where to look anymore,” into that one.

From a security perspective, I’m very concerned about their new Inspection API (emphasis added):

The Next Generation TCP/IP stack exposes an Inspection API, which provides a consistent, general-purpose interface to perform deep inspection or data modification of packet contents. The Inspection API is part of WFP. The Next Generation TCP/IP stack provides access to the packet processing path at the Network and Transport layers.

So, it’s easy to hook into the Inspection API and use that to modify network traffic. It looks like it would also be trivial to inject any traffic you wanted to. Given the definition of the word inspection, I wouldn’t expect to find a modification mechanism integrated into the same sub-system.

Having a good set of instrumentation hooks into the entire network stack is important for certain types of software development, security research, auditing and a few other things. None of these should be taking place on production machines. However, it looks like Vista does not provide a way to disable the Inspection API. This could be used by a malicious program to monitor any network traffic it wanted to, or even to implement network communications that could possibly be entirely hidden from other programs (including security tools) and users. At the very least, the Inspection API should not be installed as part of the OS. Even the ability to disable it might not be enough, especially given Microsoft’s security track record.

Overall, however, I feel that I can agree with some of the reasons it appears were behind Microsoft’s decision to reimplement the TCP/IP stack from scratch for Vista and I feel that there are several valuable improvements.

That said, I still do not consider Windows networking stack, even the new one in Vista, to be remotely secure. There are too many unknowns and there is no proper, un-biased, third-party code scrutiny. Closed software simply can not be secure. Peer review by recognized outside experts is mandatory in order to build good security. That’s why burglar alarm companies invite ex-cons and security experts to do their best to penetrate their systems. That’s why insurrance companies do the same with all automobile security systems (as well as letting them asses the relative value of each system for their purposes). Microsoft doesn’t understand that and there’s no reason, from their perspective, that they need to; they’re in business to make money. Until the liability for bad security is placed on Microsoft (and other software vendors) there is no incentive for them to fix it.

So, I used KTorrent to download the DVD ISO for the x86-64 version of openSUSE 10.2, which I let run overnight (3.7GB takes a little while on a T1 line). I verified the MD5SUM on the ISO file and tried to use cdrecord to burn the image to a blank DVD. 865MB in, ka-blooey. A write error meant I had a Frisbee (or coaster, if you prefer). “OK, well that could just be one bad disc,” so I tried again. Same thing. “OK, perhaps if I turn the burn speed down,” but I now have 3 discs with ~865MB burned on them.

So, I installed k3b and tried to burn from the DVD image with that. It worked like a charm.

I’m not sure what switches k3b used, but it did run growisofs before starting the burn process. I’m not sure whether that was important or not. The cool thing is, this is an example of a frontend that is done right. With k3b, all sorts of burning situations are just handled. It will work with all sorts of disc burning and image related tools, can use transcode when creating audio or “MP3″ CDs, has DVD aware support and so much more.

What a sweet Christmas present for a 5-week old little girl to give to parents; the first time she slept through the night. :)

Merry Christmas, or whichever greeting is appropriate for you. We wish you all the best.

The IMMI phone randomly samples 10 seconds of room audio every 30 seconds. These samples are reduced to digital signatures, which are uploaded continuously to the IMMI servers.

But why would they do that? Money, of course:

IMMI also tracks all local media outlets actively broadcasting in any given designated media area (DMA). To identify media, IMMI compares the uploaded audio signatures computed by the phones with audio signatures computed on the IMMI servers monitoring TV and radio broadcasts. IMMI also maintains client-provided content files, such as commercials, promos, movies, and songs.

By matching the signatures, IMMI couples media broadcasts with the individuals who are exposed to them. The process takes just a few seconds.

Panel Members may sometimes delay watching or listening to a program by using satellite radio, DVRs, VCRs, or TiVo. IMMI captures these viewings with a “look-back” feature that recognizes when a Panel Member is exposed to a program outside of its normal broadcast hour, and then goes back in time (roughly two weeks) to identify it.

Now, let’s think about this just a little. If anyone in a given room has bought into this free cell phone scam (yeah, that’s right, I’m calling it a scam; you gotta problem wit dat?), then they have chosen to give up their privacy. But what they probably don’t realize or think about is that everyone else in any room they are in has just lost his/her privacy and they don’t know it.

Personally, I want to know what these “special” cell phones look like so I can recognize them. When I see one, I’m going to politely ask the “owner” of it to remove the battery. I’m sure they’ll look at me funny, but I’ll calmly, patiently and very briefly explain why. If they refuse, then I will ask them to leave the room or bury the phone in a purse, briefcase, coat or computer bag where it can’t hear anything.

I wonder what will happen when the first lawsuit is filed against the company for breaching other people’s privacy. I mean, since I haven’t signed their agreement, they are violating my privacy by placing the device with an irresponsible person who would allow it to be in the same room as me.

One of them built the tracker hardware (for only $250) which they interfaced with Google Maps.

Their paper has the details.

This is a great example of how even without any personal information stored on an RFID chip, privacy is easily violated (as long it has anything unique on it, like an ID).

Well, the crooks have found a way to rob you of your gift card balance. If you buy Gift Cards from a display rack that has various store cards you may become a victim of theft. Crooks are now jotting down the card numbers in the store and then wait a few days and call to see how much of a balance THEY have on the card. Once they find the card is “activated,” and then they go online and start shopping. You may want to purchase your card from a customer service person, where they do not have the Gift Cards viewable to the public. Please share this with all your family and friends…

Normally, that last line would be a sure giveaway for chain-mail. However, I’ve been looking into this one, and I think it’s legit.

The email originated with a Sheriff’s Deputy. I’m witholding his name for now, because I have not gotten his permission to publish it, yet. I have phoned him, but only left a message on his voicemail, so far. I’ll update this as I get more info.

Hilarious.

But there’s a great security point here, too. They wanted to reduce the incidence of “dine-n-dash” events, where people skip out without paying. Holding your driver’s license would surely help, or so they thought. But they didn’t count on the reaction to this violation of privacy or, more importantly, the inconvenience this was to their customers.

Security Rule #1: Security is only as good as the weakest link.
Security Rule #2: You’re weakest link will (almost) always be the users.
Security Rule #3: To users, security = inconvenience.

Observation of End Users in the Wild: Users will fight inconvenience.

Good security is invisible to users, or at least, it isn’t overtly present and doesn’t require them to do anything. That’s why supermarkets and convenience stores place monitors where customers can see that the front doors (and other high-value areas) are being watched. People make the assumption that the camera feeds are also being recorded (which is not always true, but often).

At least this IHOP incident wasn’t condoned by corporate management.

Bruce Schneier, CTO of BT Counterpane, author and world-renowned security expert & privacy advocate gave an interview regarding RFID passports. It is available as a podcast.

There isn’t any new information in there, at least, nothing that I haven’t talked about before. However, it is an excellent, easy to understand explanation of the key issues surrounding RFID chips being embedded in government issued IDs. It’s not very long, but is good information for everyone from the technically challenged to government officials and even security experts.

BTW, the high resolution versions chould look better than 35mm film when printing on 4×6 photo paper. However, as the optics on my little digital photo camera are rather simple, 4×6 prints will look about the same as 4×6 prints from a 35mm film camera.

I have also created a mailing list for baby related information and added about 50 people’s email addresses to it. There are probably another 100-150 people who have asked us to let them know when the baby came, etc. for whom I do not (yet) have email addresses. If you are not already on the list and want to be, visit the baby-announce mailing list page. You can also go there to unsubscribe.

Charlotte has been recovering very well. The staples were taken out this morning and both mother and child will be coming home this afternoon.

P.S. I will edit the existing photos and post more, soon.

She has arrived.

I have posted photos.

Abstract:

By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose. In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.

Thanks to Bruce Schneier for posting this on his blog.

There are a couple of things that I wanted to comment on (there is a lot of excellent information here, so read on):

The most obvious threat model is theft of hard drives. The solution to this is to encrypt all data on the drives.

Encrypting your data storage is an excellent defense mechanism, however, it is not a silver bullet that will magically make you secure. Russel doesn’t suggest that it is, but in my experience, most people will begin to think that it is.

The first level of this is to simply encrypt the partitions used for data, support for this is available in Fedora Core 6 and has been in Debian for some time.

I hadn’t noticed (yet) that Fedora Core 6 had added support for encrypted partitions. I’ll have to look into that support when I install FC6 on my notebook (look for a later article on that adventure).

As many of you know from my series of articles on my work blog on setting up encrypted partition support for Fedora, I’ve been using encrypted partitions for a long time.

Also, Debian isn’t the only distribution to provide this support. SUSE has had it in their installer for at least 7 years.

The more difficult feature is encrypting the root filesystem, …

SUSE’s support for encrypting partitions even works for encrypting root at install time.

… encrypting root means that important system files such as /etc/shadow are encrypted. Also if the root filesystem is encrypted then an attacker can’t trivially subvert the system by replacing binaries.

Excellent points.

Once the data is encrypted on disk the next thing you want to do is to make the machines as secure as possible. This means keeping up to date with security patches even on internal networks. I think that a viable attack method is to install a small VIA based system in the switch cabinet (no-one looks for new equipment appearing without explanation) that sniffs an internal (and therefore trusted) network and proxies it to a public network.

This can work so well because people still employ the crustacean model of security; a hard outer shell (border firewall) with soft, gooey innards (the internal environment).

The big problem with the crustacean security model is that firewalls have holes in them. They have to or else they would be useless. Also, the firewall only protects from things traveling through that particular piece of wire. So, if someone is on the inside, the firewall does nothing to them.

This isn’t just an issue of securing applications, it also means avoiding insecure protocols such as NFS and AoE for data that is important for your secrecy or system integrity.

When talking about insecure protocols, my first targets are usually things like FTP, Telnet & the “r-tools” (rsh, rlogin, etc.). But I’m glad that Russel chose to talk about NFS & AoE:

An option for using NFS is to encrypt it with IPSEC or similar technology.

This is a good option. IPSec (see also RFC2401) is very useful for a lot of places.

Another option that carries a larger number of benefits is to set up Kerberos on your network and use NFS v4 (see RFC3530 for all the gory details). Kerberized NFS is only supported in Linux for NFS v4. When Kerberized, not only is authentication for NFS operations protected, but everything going over NFS can be encrypted.

AoE can be encrypted with cryptsetup in the same way as you encrypt hard drive partitions, it doesn’t use IP so IPSEC won’t work but it is a regular block device so anything that encrypts block devices will work. I have been wondering about how well replay attacks might work on an encrypted AoE or iSCSI device.

AoE and iSCSI are both in the same boat, here. Neither protocol provides security mechanisms, which is a good thing. If they did, the additional overhead would affect their performance.

Russel has the solution exactly right, here: AoE and iSCSI devices are just block devices and can be utilized (including encryption) just like any block device.

Another important thing to do to secure your AoE and iSCSI systems is to isolate them onto their own dedicated networks, without interconnections to other networks. In other words, separate your storage networks from your communications networks. The main reason to do this is so that all of the available bandwidth is dedicated just to the AoE or iSCSI operations, but the security benefit is very important, too.

Security technologies such as SE Linux are good to have as well.

Probably more than 90% of the “solutions” found around the web for problems even remotely relating to SELinux, are to completely disable SELinux on your systems. It always goes something like, “In my opinion, SELinux is much more trouble than it’s worth, especially since it provides almost zero security benefit, so just turn it off. I do that first thing when I install [whatever].” This is so wrong!

The main benefits of SELinux come into play once someone breaks into a system. The observant reader may note that I said, “when,” not, “if.” With SELinux, even if they manage to get root access, they will still be limited to the bare minimum needed to allow the service they compromised to function normally and will be completely cut off from the rest of the system with no way out.

SELinux is an intimidating topic. I tell people that it looks much more complex than it really is. Once you wrap your brain around the basic concepts, it’s really quite easy to manage. Even if you don’t bother to learn how to write policy, troubleshooting and fixing 99.9% of the problems that actually occur with SELinux is very easy.

So, don’t turn it off. If you don’t know how to troubleshoot it, ask. Your local LUG mailling list should have plenty of people on it who can help you.

Prevent access to some hardware that you don’t need.

Great advice. Russel goes into some detail on this point in the article. I would recommend that you read it.

One thing that a commentor to Russel’s post mentions is the pam_usb.so PAM module. I’ve known about this module for some time and have even toyed with it a bit.

I’m not currently using pam_usb.so, but I want to be. It’s quite simple to use. I simply haven’t found the time to sit down and get it working with the various distributions that I have installed on my notebook. Sigh. Hopefully, I’ll get it done, soon. Maybe after I install FC6 on here.

Security monitoring systems are a good idea, unfortunately they can be extremely expensive.

Yes, they are and excellent idea and can be quite expensive. But, if you do a little shopping around and are a bit creative, you can put together a good monitoring solution on even a meager budget. I can recommend taking a look at Norther Video Systems for a great range of gear.

Don’t forget, though, monitoring systems do not only have to be comprised of audio/video systems. There are many other useful sensors available, too.

There has already been at least one recorded case of a webcam being used to catch a burglar. I believe that this has a lot of potential.

I agree, webcams have great potential to supplement physical security monitoring. In addition, they can be quite inexpensive while still providing acceptable quality. For example, I was at CompUSA just the other day and walked past the “webcam” aisle. There were several small, compact notebook models ranging from US$25 – US$99 each. Just remember, the hard part will be wire lengths with USB cables. powered hubs can help with that, though.

In conclusion:

• Use the tools available (encryption, firewalls, PAM, IDS, etc.)
• Never forget about physical security
• It’s all about risk management
• Even on a budget, there are simple things that can help out a lot

So, give it some thought. If you’re not sure what to do or how to do, find a good, security-conscious person to help you out, hire a real security expert (I can recommend BT Counterpane).

Today is Election Day throughout the United States. It is our duty and right to vote for those whom we select as our best representation to run our local, state and federal governments. The most important thing to do is to get out and vote.

However, you have to be very careful this year to ensure that your vote counts the way you want it to. Here are a few more references about the massive security problems within the commercially produced electronic voting systems being used around the country:

• The Problem with Electronic Voting Machines – Bruce Schneier
• How to Steal an Election – The Washington Post
• Black Box Voting
• National Election Archive Project (this one can be a bit preachy sometimes, but mostly is very level-headed, simple, excellent coverage of the situation)

This is a list of the 133 articles (at the time of this writing) by Bruce Schneier, one of the world’s most recognized and well regarded security experts, published regarding voting machine insecurities.

So, what are you waiting for? If you haven’t done it already, get out there and cast your vote.

Among Utah politicians, Orrin Hatch is a towering evergreen who, every six years since his election to the U.S. Senate in 1976, has been returned to Congress by voters who have seen what his conservative principles and growing seniority have brought to them and to the Beehive State.

With the choice committee assignments that come with that seniority, and the head-of-the-trough position he enjoys in bringing home federal pork…

Here we see what drives the Salt Lake Tribune: money. Why shouldn’t it? After all, newspapers are in business to make money. But the pork is a big part of the problem. By it’s very definition, it should not be happening. Pork is when taxpayer money goes to projects that line the pockets of those who make the largest contributions to the campaigns of those who bring them the pork. This is not a good practice and it isn’t good for Utah; only for a very select few individuals.

…to fund Utah projects, the 72-year-old Hatch…

72!? Isn’t it time for retirement, yet? Think about how old he would be if Hatch wins this election when it comes time to run again. 78. I personally know several people in this age bracket (and one gentleman who is 105) who are quite vital and who continue to contribute, but Orrin Hatch hasn’t been working for his constituents. In fact, he’s been working to make sure that the music and movie industries can seize control of everything you do with your equipment. He has advocated and fought for legislation designed to strip us of our civil liberties. He has consistently voted for measures that have increased government spending waste by nearly 10 times what it used to be.

…is right when he says he is well-positioned to keep helping the state prosper.

Yes, he is well positioned to help, there is no denying that. After all, his seniority in the U.S. Senate does give him extra powers. But, despite being “well positioned” for the past 3 terms, Orrin Hatch has not used that “positioning” to benefit Utahns.

That position would be further enhanced in January when a re-elected Hatch would be chairman, or vice-chairman, of the powerful Senate Finance Committee.

Perhaps. Still, there are no guarantees that he would make it into this committee. Even if he did get the chairmanship, how would it benefit the masses of Utah? It wouldn’t. Instead, he would be able to funnel more money into pork, instead of it going where it could do real good.

In short, replacing Hatch with his Democratic challenger, Pete Ashdown, would sharply and unacceptably reduce the effectiveness of the state’s congressional delegation in advancing Utah’s interests in Congress.

I entirely disagree. After all, how could anyone who replaces Hatch do less than he for Utah? It’s hard to less than nothing.

For that reason alone, voters should return the incumbent for a sixth term.

Oh, what a dangerous thought, as this Salt Lake Tribune editorial points out itself!

Regular readers of this newspaper’s editorials know that The Tribune Editorial Board is often critical of Utah’s senior senator over issues ranging from his pro-administration positions on Iraq, tax cuts and Big Pharma-friendly Medicare reform, to blocking FDA oversight of the nutritional supplement industry, to changing the Constitution to criminalize flag-burning, to rank partisanship in vetting nominees to the federal judiciary, etc., etc.

Did you catch that? The “Tribune Editorial Board” routinely criticizes Orrin Hatch on a huge range of issues.

Suffice to say that a complete list of Hatch’s negatives might exceed this space,

In other words, there are a lot more negative items about Hatch that they just don’t have room to mention. Sounds like a very long list.

…especially if it included some of Hatch’s more outrageous statements on public policy issues such as citing author Michael Crichton as an authority on the science of global warming, …

What!? They even include in their endorsement a reference that could be construed to say they think he’s a bit off his rocker?

…or suggesting that House Republicans’ failure to act on former Rep. Mark Foley’s sexually explicit e-mails to congressional pages may be attributable to their desire not to appear homophobic.

Now this I can understand. Read it closely, Senator Hatch suggested that some elected officials might have hesitated in reacting to the Mark Foley scandal because they didn’t want to come across as homophobic, or in other words, they didn’t want to appear “politically incorrect” because they were not prepared and/or in shock that this happened.

Sorry, but I have to agree that this could be possible.

That is not to say, however, that the conservative Republican hasn’t received the board’s well-earned praise for his efforts to block storage of high-level nuclear waste near the Wasatch Front, to remove radioactive tailings threatening the Colorado River, to expand the missions performed by Hill Air Force Base, to gain federal compensation for Utahns exposed to radiation from nuclear testing, and, perhaps most important, his unstinting support for biomedical and stem-cell research.

Mostly, I feel that these are good things. But is that all there is to show for 30 years work? Especially considering that the list of negatives couldn’t even fit in their newspaper.

There have been other good works, but this space would probably be ample to enumerate them.

Ah, did you pay careful attention there. They are saying that they didn’t list all the positives, either, but that it wouldn’t have been very hard to do so and to fit in all within this space, too.

Again, is that all Orrin Hatch has to show for 30 years work?

Yet, for all its many reservations, the Editorial Board believes Hatch’s seniority in the Senate is of overriding importance to a state that needs all the clout it can get in Washington, D.C.

This is a very, very hard pill to swallow. Do they honestly think that the fact that they feel that Hatch is bad for Utah is not important enough to merit his replacement? He’s had 30 years to prove that he is a danger to Utah and to the United States as a whole.

But, let’s just take this argument by itself for a second. If seniority were actually of any real value at all, then we should replace a failed 72-year old so that the next Senator can build up potential seniority as soon as possible. If we wait it will be just that much longer before Utah that “… needs all the clout it can get in Washington, D.C.” will start to get any. It certainly sounds like the editorial board is very short-sighted, here.

Ashdown is a bright, articulate voice for many sound solutions to the pressing problems facing the country.

I understand that much of bureaucracy exists to justify it’s own existence. But we have real problems in this world and we all need real solutions. Many of these solutions are so simple, if only someone would stand up and say, “Here is a good solution; let’s do it.” This is something that Pete Ashdown can do.

But on matters pertaining to Utah, Hatch’s voice is the one that would be heard.

Perhaps that is true. Perhaps Pete’s voice would be the whisper of a church mouse in Washington in his first years in the U.S. Senate. But, Hatch’s voice does not speak for Utah. This editorial even says so and says that they believe that Pete Ashdown would.

To wrap up, I will be voting for Pete Ashdown. I am a registered Republican, though mostly a Libertarian at heart.

I will be voting for Pete despite the fact that I vehemently disagree with his position on a couple of points that are very important to me. I do this with a clear conscience knowing that there will never be a candidate (probably not even if I ran) that will ever match my views 100%.

I would encourage you to take a real look at both candidates and ask yourself, “How does this candidate measure up to my needs?” Then, go and vote. To help you, here are the websites for both candidates that enumerate their respective positions on the issues (Hatch’s website requires flash, so many web browsers will not work with it):

Orrin Hatch
Pete Ashdown

I’ve made my choice and I’m voting for Pete Ashdown.

Since the electronic voting equipment manufacturers are completely incompetent when it comes to security, I and any other person with a working brain (when it comes to security, that is) have been expecting that we would be hearing an awful lot about machines “malfunctioning” in this year’s election.

If you haven’t caught any of the stories yet, check out Pete Ashdown’s recent post on some voting experiences that have been sent in to him, as well as this story on KFDM’s website.

There are other stories surfacing already.

Pay very close attention to your voting. Make sure the machine shows what you really wanted to vote for before you commit your vote. Double-check the printout from the voting machine and make sure that every one of the items marked is what you really wanted to vote for.

It’s your responsibility to ensure that your vote was recorded as you want it. The electronic voting systems adopted in the state of Utah are so insecure that it doesn’t matter how good the elections officials and workers are at their jobs; votes are going to be stolen this year and with greater ease than in any past year.

It’s up to you, the voter, to protect yourself and your vote.

There is nothing groundbreaking in this article, but it is a good collection and summary of these important and truly basic, programming principles. Some are easier to implement in an existing development pipeline and a couple could require some very large changes. Still, it’s worth considering.

I’ll quote the part he quoted and intersperse it with my comments.

Today Oracle announced that it would provide the same enterprise class support for Linux as it provides for its database, middleware and applications products. Oracle starts with Red Hat Linux, removes Red Hat trademarks, and then adds Linux bug fixes.

Sound like what CentOS and White Box Enterprise Linux (WBEL) do. OK, that’s fine.

Currently, Red Hat only provides bug fixes for the latest version of its software.

Wrong.

Red Hat provides seven (7) years of support from the release date of Red Hat Enterprise Linux (RHEL) release (since RHEL3, only 5 years for RHEL2.1), including the production of errata packages for both security and bug fixes. This means that support, including updates, will not be terminated until after October 2010 for RHEL3 and February 2012 for RHEL4.

This often requires customers to upgrade to a new version of Linux software to get a bug fixed.

Wrong.

However, it is true that Red Hat does not backport drivers or other new feature support to released versions.

Oracle’s new Unbreakable Linux program …

Oracle’s “Unbreakable Linux” program has been around for years. Perhaps, they meant to convey that this new incarnation of the (existing) Unbreakable Linux program, which now includes an Oracle branded Linux distribution.

… will provide bug fixes to future, current, and back releases of Linux. In other words, Oracle will provide the same level of enterprise support for Linux as is available for other operating systems.

Thus implying that Linux is backwater, until Oracle steps in and makes it acceptable. Sounds like big software company marketting people to me :) .

Oracle is offering its Unbreakable Linux program for substantially less than Red Hat currently charges for its best support.

Given that Red Hat has support option from nothing (no support contract is required) or pay-per-incident phone support up to 24×7 on-site Red Hat employees managing your systems with a couple dozen options in between, “best support” could mean a lot of things.

Of course, tons of people get confused easily by Red Hat’s “licensing” costs. No! They are not charging you for a license. Everything in RHEL is free and open. You can buy both a support contract and/or (a) subscription(s) to Red Hat Network (RHN).

“We believe that better support and lower support prices will speed the adoption of Linux,

Well, duh!

… and we are working closely with our partners to make that happen,” said Oracle CEO Larry Ellison. “Intel is a development partner. Dell and HP are resellers and support partners. Many others are signed up to help us move Linux up to mission critical status in the data center.

I’ve got news for you Oracle, Linux is already mission critical in lots of data centers, including yours. That’s right, Oracle has been using Linux as the platform for delivery of their hosted applications services for years. I am also personally familiar with enough Fortune 500 companies data centers to say that they all have at least one of their mission-critical applications running on Linux. But don’t take my word for it; almost all of them have made public statements in some form or another which indicate that this is the case.

Please, will you folks stop treating Linux like something you are coming along to save from “certain self doom”. You’re not. Most of you are, on the other had, making wonderful contributions, but all of our Linux are not belong to you.

Although this last one isn’t really that big of a deal, it’s yet another example of how marketing people in companies that should know better keep implying that Linux isn’t ready for “real world” workloads.

BTW: I’m sitting in a lousy hotel room in Austin, Texas with NyQuil in my system, feeling sick and extremely drowsy. Maybe I should post while in this state, but I’m doing it anyway (isn’t that one of the corollary definitions of “stupid”?). So, if I messed up a detail or a link, please, let me know, but bear with me. Also, I only have Internet access in the evenings, if it’s working (took a couple of hours to get a stable connection tonight). I’ve gotta go sleep now. I sure hope I don’t feel this crappy, tomorrow. Goodnight.

Rather than talking further about this, I’ll let you read the article. It’s very good. But I would like to point out that there are a lot of parallels in network & systems security that could be drawn here.

It’s about time! Too bad they are trying to tiptoe their way back to sanity. Like we’re not going to notice? But, that’s OK. as long as they continue to move in the right direction. Keep it up.

P.S. Nice timing; I’m in Massachusetts this week, without my toothpaste. Don’t worry, I bought some here, but it would have been nice to travel with mine.

Heck is where people go who don’t believe in Gosh

We’re still laughing.

I had read about TrackMeNot a little more than a week before on Bruce Schneier’s blog, and so I already knew TrackMeNot was a flawed idea. Peter also makes some very good points in his post, but, unfortunately, it falls short of pointing out some of the more serious problems with TrackMeNot.

I’ll just summarize the problems here. For further explanation, read Bruce’s post:

1. It does not hide your searches (they are still identifiable with you).
2. It’s far too easy to spot (and therefore, far too easy for AOL and others to defeat) and it’s schedule is regular & fixed.
3. Some of the generated searches are worse than what you would try to hide.
4. It wastes lots of bandwidth, while returning absolutely no privacy or security benefit.

I like this quote from Bruce’s post:

Yes, data mining is a signal-to-noise problem. But artificial noise like this isn’t going to help much.

As I’m sure most of my regular readers have already figured out, I agree with much (but not all) of what Bruce Schneier writes. His latest post, titled “\What is a Hacker?,” repeats some things he has said before about this and is an excellent description.

Well worth the read.

I hope and pray that those childrens’ mother will be found soon and that she is all right.

For those who may not be familiar with the Reiser’s, Hans runs Namesys and is a key figure behind the development of the reiserfs and Reiser4 (read about Reiser4 on WikiPedia) filesystems. Reiserfs was the first journaling filesystem for Linux.

In the story, the reporters point out that the police do not regard Hans Reiser as a suspect at this time.

This makes a lot of sense to me, since Nina dropped off the kids and they were with him, she went to the grocery store and never showed up at her friend’s, according to her plan for that day. Her vehicle was found with the groceries inside of it. Though the article doesn’t say anything about it, I have to assume that the police have already verified that she did make the purchase at the grocery store and I would, therefore, also have to assume that they have video of her shopping at the store and leaving it.

There also was no mention of a search warrant for Hans’ home, but I’m sure they had one. I think it was a very good idea of the police to take the precaution of searching his home early on and to use a cadaver sniffing dog.

Much of the investigative processes and police procedure is the process of elimination. They take each possibility one by one and seek to prove or disprove it and move on to the next. That’s the same proccess we computer folk use when troubleshooting a problem. Both investigation and troubleshooting follow this line because it works very well.

You really should read the whole article,even though I summarize it here.

The folks at FairUse4WM cracked Microsoft’s PlaysForSure DRM software in Microsoft Windows Media Player.

If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.

It only took a couple of days for the FairUse4WM people to compensate. I’m sure it won’t be long before Microsoft tries to patch this again.

But the real moral of the story is that companies like Microsoft don’t actually care about security except when it embarrass them or directly threatens their strategic agreements (like with record labels).

This year, Charlotte and I were the only family that went. As I needed to spend monday getting some work on NeverBlock done, we planned our trip for Saturday & Sunday.

The weather was very nice on Saturday and I bit warmer on Sunday. we enjoyed some of the usual foodstuffs and tried a couple of new things, too. We decided not to buy Ginsu knives this time and saw that this year there were far fewer crossstitches entered than usual. Of course, we had to see some of the animals, too:

[Ed. originally, I placed a <!--more--> tag here, but WordPress didn't build the feed properly. My apologies to those who read the Utah Open Source Planet and ended up with the outrageous images. I decided to take the images out of the story and just provide links to the image files, instead.]

We found this guy at the petting zoo.

Dachshund up close.

A little Dachshund kiss for me.

Yup! I’m tasty.

He kept climbing higher to make sure he could taste my cheeks, chin, nose, eyes, ears and even my tongue (I didn’t let that happen on purpose). :)

Ah, a nice little portrait shot.

Although, we really liked this dog, we just couldn’t see ourselves shelling out $600 to take him home. Apparently, they did sell most of the dogs they had brought with them over the weekend. I guess that’s how the petting zoo stays free each year.

We also found some piglets:
Mama’s tired of you guys; take a break.

One of the babies was even a little curious:
Curious pig.

We even saw some rather curly tails:
Now, that’s a curl.

I’m looking forward to next year.

I also disable all SSL3/TLS encryption suites that provide less than 128 bits of key and all 3DES (a.k.a. triple-DES, DES EDE mode or TDES) sets. This is not just because 3DES is insecure, but also because 3DES is so slow. It consumes significantly more processing time and doesn’t really provide much better security than standard CBC mode DES. It’s just not worth the overhead. In addition, there are several vulnerabilities in both 3-key & 2-key 3DES that significantly reduce the complexity to brute-force them. 3DES is not considered a safe protocol.

In their paper titled, “Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES“, John Kelsey, Bruce Schneier and David Wagner describe one weakness found in 3-key 3DES that isn’t present in 2-key 3DES (among other interesting things).

From what I’ve read in the past about browser 3DES support, although nearly all browsers say they use 168 bit 3DES keys (3-key 3DES), many actually use(d) 2-key 3DES (112 bit). I’m not sure how true or false this is in modern browsers, I’ll have to do further research to find out.

Well, it’s just not true.

It’s only a thin wrapper around Microsoft’s Internet Explorer version 5.5 (or later). Since IE stores all sorts of stuff in places on your system without telling you, Browzar can’t deal with all of it. Scott Hanselman has actually shown that Browzar misses the mark on this point.

There are other problems with this, too. For example, this program will not affect any servers that you visit, or any caching proxy servers in between (like at work or a university).

Anonymity on the web is not just about the stuff that’s on your computer, though it’s an important part; it’s also about the things those servers you connect to keep track of and tell each other.

Web browsers such as KDE’s Konqueror, Mozilla’s Firefox, Apple’s Safari (built on/from Konqueror, BTW) and others already support local privacy features. These include Konqueror’s excellent cookie management capabilities and Firefox’s support for auto deletion of cached data. All of these browsers sport these privacy enhancing features, though they have differing approaches and levels of control.

A paper license tag, a salad and stories that didn’t make sense pricked the suspicions of a state trooper who stopped the car of a wanted fugitive polygamist in Las Vegas.

But it was the pumping carotid artery in the neck of Warren Steed Jeffs that convinced Nevada Highway Patrolman Eddie Dutchover that he had cornered someone big.

This is an excellent example of security “Done Right”. Dutchover correctly applied behavioral profiling. It takes a smart person with the right training to be able to correctly do behavioral profiling without it degrading into racial profiling or some other mostly ineffectual form of profiling.

Eddie Dutchover, I take my hat off to you and your expert application of such effective techniques. Bravo!

Also, in the same CNN story, you can read about how Utah is getting first crack at prosecuting Jeffs.

There are also a couple of interesting video clips linked within the article. They are linked via a JavaScript thingy, so I’ll refer you to the CNN article to view them (I could work out URLs to give you some direct links here, but I’m not going to take the time to do that, tonight).

First, they put spam up that includes links to their phishing sites on blogs they troll the net for. This part is very easy, thanks to services like Technorati and Blogger.

Next, “young” bloggers (i.e., those who are still fairly new to the “sport” of blogging), see comments. Either they naively authorize the spam comment, don’t moderate at all or decide to follow the links and check it out before authorizing the comment. If the comment gets posted to the blog, then others who read the blog can fall into the trap. If the blogger decides to visit the pages, they could get sucked in to all kinds of things.

But as I looked at a few of the links, they turned out to cause redirects to either www.abusepost.com or www.spamcop.net (I didn’t make those into links on purpose; DISCLAIMER: GO TO THOSE SITES AT YOUR OWN RISK, I’M NOT RESPONSIBLE FOR YOUR CHOICES). Of course, the vast majority of bloggers, both experienced and just getting started might think that those sites are providing a pretty good service. Looking a little more closely at the form and at the HTML itself reveals that these sites look suspicious. They require your name, email address and website address (which will be the blog that they hooked you at in the first place, for most people).

Were you paying close attention? They require you to provide the exact information spammers want in order to “report” a site that they are already “about to shut down”? Doesn’t make much sense to me.

Do you smell phish or am I the only one?

A word to the wise: Just Say No.

Here are some simple rules for Internet safety, though, they apply (with proper contextual edits) to any online communication:

1. Moderate — Whether it’s comments on your blog(s), forums (which I hate, BTW) or mailing lists. Moderation is currently the most consistently effective way to defeat all forms of SPAM.
2. Never give out your information if you don’t have to — Just because a particular website’s “form” says that it requires your information, doesn’t mean they should be given any. We all know not to publish our credit card numbers online, but it’s amazing how many people don’t understand that your name, email address, street address, phone numbers, websites, employer’s name, favorite color, mother’s maiden name, etc. are not needed by most websites. When in doubt, don’t give it out.
3. The only stupid questions are the ones you do not ask — In other words, ask someone you know who has lots of experience with the Internet, email, spam, security, etc., any questions about specific websites or other items in general. Keeping yourself safe is hard enough to do, but keep trying to do it without the right information and you just might make things much worse.
4. Don’t open HTML emails — If someone sends me an HTML email (and I think it’s worth this effort), I send it back to them with a simple, polite note explaining that for security reasons, I do not accept nor read emails that are not in plain text. Too many people are using stupid email programs like Microsoft Outlook and Outlook Express that have hundreds of severe security flaws when it comes to processing HTML email, alone.
5. Don’t Panic — It can be easy to let fear take over at this point and abandon your dreams of blogging and the “Internet lifestyle”. Don’t worry, it’s not that hard to keep yourself safe. Once you know how to recognize the dangers, it’s easy to avoid them.
6. Think — (OK, this one could sound kinda mean, but it’s not; it’s just a sad truth, so don’t take it too personally) The spammers and the Phishers keep doing what they do because it works. There are just too many people on the Internet who do not think for themselves. You have a brain and I’m sure it functions at least well enough to read this far. I’m sure you have a lot more capacity to figure things out than you might be giving yourself credit for. Being able to think is not enough on it’s own, but with a little bit of knowledge, your brain can be used to help keep yourself, and your loved ones, safe on the Internet.
7. If in doubt, bail out — You don’t have to go any further than you already have when visiting any website or continuing a discussion on IM in a chat room or on a mailing list. You can pull the rip-cord at any time.

I’m sure there are other things that we could put in that list. Perhaps some commenters will try to help me out in that regard. But I think these basics should be enough to get you started.

This is one of my favorite Turkish proverbs:

No matter how far you have gone down the wrong road, turn back.

Although I’m not a lawyer in Canada or anywhere else, but it sure feels like this guys rights were ignored. It is especially disturbing to me that his notebook was riffled after he was already cleared; after the authorities decided that it was a complete false alarm.

I also think that it’s both good and bad that these kinds of overreactions are being ignored by the mainstream media. It’s good because they’re not fearmongering as much as they did. It’s bad because they are not showing how the recent fearmongering is still affecting us and they are missing out on the civil rights/anti-privacy story. Then again, it would seem that the mainstream media doesn’t understand privacy. Perhaps it’s not in the “journalist’s Glossary”?

Thanks again go to Bruce Schneier for bringing this example to our attention.

The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.

And we’re doing exactly what the terrorists want.

Did you catch all that? If you’re not sure, then go back and read it again before continuing on here.

Terrorists do not attack their real targets. Terrorist attacks are designed to cause as much fear and disruption as possible amongst those who were not directly targeted by the tactic used.

Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we’re terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists’ actions, and increase the effects of their terror.

(I am not saying that the politicians and press are terrorists, or that they share any of the blame for terrorist attacks. I’m not that stupid. But the subject of terrorism is more complex than it appears, and understanding its various causes and effects are vital for understanding how to best deal with it.)

I completely agree. It is an unfortunate reality of our societies that many feel they must use whatever opportunity they can squeeze out of disastrous and painful events for their own personal gain. In one small way, I can understand how this happens; as events beyond their control unfold around them, some people seek to exert a measure of good into the outcome so they will feel better about having been through it. I’ll call this the “Silver Lining Syndrome” of disaster reaction.

Another thought experiment: Imagine for a moment that the British government arrested the 23 suspects without fanfare. Imagine that the TSA and its European counterparts didn’t engage in pointless airline-security measures like banning liquids. And imagine that the press didn’t write about it endlessly, and that the politicians didn’t use the event to remind us all how scared we should be. If we’d reacted that way, then the terrorists would have truly failed.

Look, it’s this simple: Yes, we deserve to know what is going on in the world, however, we need to be responsible with that information. We need to temper our reactions with uncommon sense.

It’s time we calm down and fight terror with antiterror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation — and not focusing on specific plots.

Intelligence and investigation provide real security. What’s going on with TSA and friends at America’s airports today is little more than security theater. The sooner we stop wasting resources on that, the sooner we can spend some of those billions in places that will really work.

Remember how much criticism the Bush Administration received (mostly from the mainstream press, by the way) shortly following 9/11 when the stories broke about how much money was being poured into beefing up the CIA, NSA and other U.S. intelligence community members?

Bad security often looks good, good security works and great security does it without you realizing it’s there even though you can see it.

Here are a few more snippets from Bruce’s article, though I highly recommend you read the whole thing, yourself:

… our job is to remain steadfast in the face of terror, to refuse to be terrorized.

The surest defense against terrorism is to refuse to be terrorized.

… our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money [without making] us any safer.

What we all really need to do is take DNA’s advice from The Hitchhiker’s Guide to the Galaxy:

Don’t Panic.

I am not the least bit surprised; I (and many others) predicted that this overload would result from the rule changes “prohibiting an entire state of matter” (liquids) and prohibitting gels in carry-on luggage. For me, I have to now check my suitcase instead of just carrying it on because of toothpaste and the particular deodorant I was traveling with when these new rules were put into effect (I’ve since switched back to my usual traveling solid).

I don’t want to leave my toothpaste at home, but if these new and useless rules stick for long, I may just ditch it, instead making sure that all of my hotels can provide me with some. That way, I would again be able to take my suitcase carry-on and skip the check-in and baggage carousel entirely. However, when I travel, I prefer to have everything I need with me.

Saturday, after I was home I had tried to access some files on the file server and couldn’t. I tried to log into it via SSH and that hung. I logged in as root on it’s console without problems. A df worked fine, but trying to access anything mounted from the new drive’s LVs failed, hanging the command indefinitely. Trying to shutdown the box also failed as it hung on trying to unmount those volumes. I used the good-ol-power-switch to kill it, waited for everything to stop spinning and tried to start it up. The drive controller can’t even make sense of the drive. I simply powered the box down and left it that way for the weekend.

Tonight, I’ll be pulling the new drive out. I’ll hook it up to my home workstation (only other SATA box I currently have) and see if the drive will run. If so, I’m still not putting it back in the server. Instead, I’ll verify everything, wipe it and run it hard to try to fail it again. Even if I can’t get it to fail again, I’m still going to get an RMA and have it replaced. I think I’ll grab 1 or 2 more while I’m at it and set up either RAID 1 or RAID 5.

Let the hard drive games begin, I guess.

Because of the methods these individuals planned to use for smuggling explosives aboard, security restrictions on what passengers may carry-on commercial airlines in England are very stringent. Basically, you get to keep your wallet, keys, some money and the clothes you are wearing. No cell phones, computers, DVD players, audio devices or any other electrical apparatus are allowed.

I happened to be in Los Angeles at the time this happened. As the week wore on, I read and heard that some U.S. airports had adopted the same extra security restrictions now found at London Heathrow & Gatwick. On Thursday & Friday, I was told by several people that they had heard that LAX (Los Angeles International Airport) was not permitting any carry-on luggage at all. This worried me only because I have no desire to find out just how well this notebook would survive the tender, caring baggage handlers’ grasp. In other words, I never check my computer bag or the computer.

However, there was nothing to fear. When I arrived at the airport, it turned out to take longer to walk from the ticket counter to the security checkpoint leading to my gate than it took to get my boarding pass, check my 1 bag (suitcase with a week’s worth of clothes) and get through security, combined. I’m sure the fact that I have nearly three hundred thousand miles of flights with Delta didn’t hurt either. As it turned out, if I had been willing to throw away my deodorant and the little traveling tube of toothpaste I was carrying in my suitcase, I wouldn’t have had to check that bag, either.

For me, the “extra” security measures only amounted to my having to wait for my bag when I got to Salt Lake.

As I was at the airport at 3:45pm for a 6:08pm flight, I ended up standing around at my gate for just over 2 hours before boarding. I try to not spend too much time sitting in airports, since I’m going to be spending so much time sitting on the planes.

But that wasn’t the worst part.

The worst part was that there was a 4:50pm flight and they “couldn’t” put me on it. Was I there in plenty of time to switch to the earlier flight? Yes. Were there seats available? Yes. But only in First Class, there were no Coach seats left, so she couldn’t switch me to that flight. Given as much as I travel, I almost always get upgraded for free to First Class. In fact, I was upgraded for the flight there this trip. The agent was kind, she said they really should have a way to let me take one of those seats, which I would have gotten anyway (she could already tell by looking at her screen that no one else was going to get upgraded).

How ironic is that? Oh, well; I made it home that night and to me, that’s the most important part of these travels.

X applications do not open sometimes: this is caused because DHCP is set to “change hostname on DHCP” requests. For some reason X applications are not happy with changes in the hostname. I have no idea why. I personally have not experienced this, but I guessed that it was DHCP changing the host name.

Solution: Make sure that your network setting does not change the hostname. I have no idea why this happens, but this is what happens. Just do not let DHCP change your hostname.

He was right. The X server uses the machine name of the box it’s running on as part of the filename for some socket files (in /tmp/) that allow local apps to connect to the X server. If you change the systems hostname during a running X session, any X apps you launch thereafter will use the new hostname to look for an appropriate socket and not find one.

The fix for getting into this situation is easy; just kill the X session and log in again. Trying to “gracefully” log out of such an X session will probably fail, as the logout dialog box applet can’t be launched. Press <ctrl>+<alt>+<backspace> (all together) to kill your current X session. A new display manager should be started in it’s place.

I knew that I was very close to the beaches and the ocean, though I hadn’t seen them on the flight in (I was sleeping until just before we pulled into our gate) or during my drive to the hotel. But, hey, all I had to do was head west, right? So, I did.

At about 11:45am I finally found a parking place. It turns out that there are two local events going on at Manhattan Beach this weekend, so all the street parking was full. I simply slipped off my Mephisto sandals, walked 1 block west and I was on the sand. By the way, for those of you reading this from Utah, that’s not 1 Utah block (6-8/mile), it’s 1 block like most of the rest of world has them (12-13/mile).

I walked slowly north along the water’s edge, letting the inbound tide lap over my feet & around my ankles, listening to the sounds of the surf and wind. It was only about 73 degrees Faranheit (approximately 22 degrees Centigrade) with a lightly filtered Sun playing it’s light over the land and sea. The water felt as though it were only 5 or 6 degrees cooler. There were very few people among the sands in this direction, affording a peaceful, easy stroll with little distraction.

After about a mile of almost pristine beach, I turned back south, retracing my already vanished footprints. The tide continued to lull it’s way in, a little further with every other attempt. I walked a little faster on the return trip, as I had no sunscreen on and I do not wish to inflict a lobster impression on my students this week. The whole walk took merely 45 well-spent minutes. It was really quite relaxing.

I drove off to head back to the hotel and see if I could check-in, yet. However, a Fry’s Electronics caught me, instead. I spent about an hour perusing through all the wonderful treasures (and even more stuff I don’t really want). This has to be the smallest Fry’s there is. From there, I made it to the hotel, got into my room, unpacked my suitcase for the week and this notebook. A moment before I began writing this post, I awoke from a quick nap. This room is basically a studio apartment, with a full kitchen. I think I’ll have to do a little grocery shopping and cook all (well, at least most of) my meals for the week.

Though it occasionally happens, ’tis not often I have time for relaxation in my business travels.

Ah … lazy days.

We’re not the first in the family to have children. My sister Monica’s little boy, Ammon, was born December 2, 1999. The “middle” sister, Janine, has a son (Steven, born June 23, 2001) & a daughter (Robyn, born September 16, 2002), and my youngest brother, Lance, already has a son (Joseph, born May 28, 2002). So, the first little baby boom was in 2001-2002.

In case you haven’t been keeping score, there are 3 boys and 3 girls in my family (my siblings and I). I’m the eldest of the six and our parents now have 4 grandchildren (3 boys, 1 girl) with 2 more on the way (1 girl, 1 unknown).

Recently, my mother and I decided that a “baby boom” has begun in the family, starting with our first child. Kayla’s is the second in the new boom. We think it will not be very long before both of my brothers (with their wives, of course) start having kids, too.

My wife, Charlotte, has been able to feel the baby kicking for a few weeks now. Several times, she thought the kicks might be just hard enough to feel on the outside of her belly, but it wasn’t so … until tonight.

It’s such an amazing thing happening to us (well, mostly to her). I’m so excited. I wish it was November already and I could hold our daughter in my arms. It’s just 3 more months and even though the past 6 have flown by very quickly, it seems that the next 3 aren’t going fast enough.

Overall, I like Steve’s writting style and I think I’ll be reading more of his stuff in the future, even though he seems to be suffering from a complete lack of Vim.

There were several security fixes and over 50 bug fixes, according to the announcement on the WordPress website. However, I’ve also noticed a couple of irritating regressions. For example, when managing pending comments, it’s always been possible to click on the text next to the radio buttons at the bottom of each comment you are moderating. This makes it easy to select the action you wish to take for each comment, as you have a larger target for your mouse pointer. Unfortunately, this broke with 2.0.4 and clicking the text no longer selects the bullet.

There were a couple of other patches I had to reapply to the code. For example, if you look at the calendars at my blog, you’ll see that dates with a post are displayed very nicely. This is thanks to a small change I made to the template-functions-general.php file. You can download the patch file and apply it to your own WordPress installation, if you like. Then, I added the posted-day class to the style.css file for the theme that I am using.

There are also a few other tweaks I have made to that theme, and I’m planning a couple more. One thing is that when you view a dated page, the sidebars don’t get their background colors set. A minor bug, but I’ll fix it sometime.

Anyway, there were some other code patches I had to reapply, but it only took about 10 minutes to do. I’m going to get some of these patches packaged up and submitted for inclusion in future versions of WordPress.

The system “which could only be controlled from the ground would conduct the aircraft posing a problem to the nearest airport whether it liked it or not … [a] hijacker would have no chance of reaching his goal.”

I know I’m not the only who sees the potential for this new system to be abused. I think one of the most telling phrases in the announcement is:

The system would be designed in such a way that even a computer hacker on board could not get round it.

Sorry to burst your bubble, fellas, but there is no such thing as hack-proof. It’s a basic fact well known by anyone with any real security knowhow.

Besides, why would anyone want to hack such a system from on-board when they could hack the ground station? Why not hijack an airplane with as few risks as possible? Like the risk of your people being caught on their way through airport security (which is mostly a joke at this point, anyway); or with almost no risk of anyone on the aircraft being able to retake control; how about the risk of failure during the initial takeover. Gee, thanks 30-European-businessmen for making it so easy to hijack an airliner that there’s virtually zero risk in doing it.

Overall, I think it unlikely that the good part of this idea could be implemented without opening up other, far worse vulnerabilities.

So, this time, we decided to visit Lakeside Golf Course in West Bountiful, Utah. This course has a local nickname (some of you may even already know it); it’s also known as, “The Sponge” due to it’s usually rather wet state. It’s a very nice golf course, but we were surprised to find out that it was about 44% more expensive than the course we played last week. However, given the timeframe of some things we had to do in the afternoon, we decided to only play 9 holes.

We decided to take a 7:36am tee time. It was a beautiful morning, the air was clear, not too hot and not too cool, either. The sun was still a bit low over the east, which made the first couple of holes a little more difficult (playing towards the east), but it didn’t take long to get past that.

We had a great time. The course was a little wet in some spots, but overall, it wasn’t bad. Things were definitely greener than they had been last week. We didn’t keep too close a tab on our score, but we both noticed that I was significantly improved. I was hitting straight, solid shots one right after another. I even took par on a couple of holes and only double-bogeyed (or worse) on 3 of them.

There was one 530+ yard long par 5 (trust me, that’s a long hole, even for a par 5) I was about 30 yards short of the pin with only 2 strokes played. If I made the simple chip shot onto the green close enough to the pin, it could be an easy 1-putt for only the third birdie in my life. But, no, I had to nip the tip of my 9-iron on the ground before it reached the ball, rotating the club and sending the ball off to the right at a 35-degree angle to where I was aiming for. I just couldn’t putt it out from there, although I was only 18 yards from the pin. So, I chipped it on and my 1-putt ran out of steam about 2mm sort of dropping the ball (it was litterally sitting on the rim of the cup but didn’t go down). So, I ended up with a bogey.

Overall, I think I was about 16 over for the front 9. Considering how little golf I’ve played in the past few years, that’s not bad. I just really wish I could have made birdie on that par 5. It would have been nice. Oh, well. Better luck next time.

So, we went golfing.

After a quick bite of lunch at Bajio! (yummmmy!), we stoped at my house to pick up my clubs and then drove out to Eaglewood. It was a warm day, so I wore my Aussie hat, which I picked up about a year and a half ago while vacationing for Christmas & New Year’s in Australia & New Zealand.

Anyway, we didn’t really keep score, but I proved once more that I’m not just a hacker in computers, electronics and ham radio, but also in golf. Actually, I had a few good holes and even managed to win a couple. We took about 5 hours to cover the course (a little more than 4 is typical, but it was a hot day). The greens were excruciatingly slow, mainly due to having been aerated just three weeks before, but even worse was how long puts just would not break. There were several times that I had excellent puts that would have gone in if they had broken just a bit. It was a kinda strange thing to see, but it also made sense from the aeration.

My student thought that it was one of the most beautiful courses, mainly thanks to the views.

It was very nice to get back out on the links. The last time I played was nearly two years ago and it had been over a year before that, previously. It also didn’t hurt that I was able to work it into the schedule such that it made one of my students really happy. Boy, do I feel like one lucky guy.

Here are my 9 reasons why .mobi is a bad idea:

1. You can already serve mobile content from any subdomain or folder, like mobi.example.com or example.com/mobi
2. You can already use content negotiation. If the browser says “Accept: text/vnd.wap.wml”, then return mobile content.
3. You can already use the “handheld” media type in your CSS.
4. You can already create light-weight, semantic HTML that can be viewed on multiple devices.
5. Since “mobi” isn’t a word, it’s not likely to be in the predictive text dictionary on most phones. A good domain for phones would employ a real word. (Actually .com works.)
6. Without predictive text, typing “mobi” on a phone means pressing 6, then waiting, then 6-2-4. A good domain for phones would not use two adjacent letters on the same key.
7. Phones with QWERTY keyboards are likely to have full-fledged browsers that can view .com websites anyway.
8. Dot-mobi domains are expensive.
9. Browsers like Opera can rerender existing web sites to make them viewable on movable devices.

If you see value in .mobi that I’m not seeing, let me know, but I think it will be a failure. We should as soon introduce a .BestViewedWithInternetExplorerAt800by600 domain so we can keep track of all those web pages from the 90’s.

Number 8 on Richard’s list is the reason why .mobi is a good idea … from the perspective of the registrars who are the ones who pushed for the new TLD.

But why not just .mobil ? I mean, come one, it would be so much easier for people to pronounce, even in a wide variety of languages.

Anyway, I think the addition of .mobi is just dumb. Basically for all the other reasons you already stated. Especially number 6; how irritating.

I first read about this on Bruce Schneier’s blog.

We spent a couple of hours discussing many things PHP. We talked about and compared PHP and other languages like PERL and Ruby. We spent some time discussing the pros and cons of several PHP frameworks like CakePHP (a.k.a. simply “Cake”), qcodo and CodeIgniter, among others. I’m not going to waste time here describing them, as John did an excellent job of comparing the various PHP MVC frameworks already.

It was a good time and I hope to be able to do more of them. If you have any interest in PHP at all (this definitely doesn’t mean you, Stuart), then you should make the effort to join us next time. Also, check out the Utah PHP Users Group site for details on other events for Utah’s PHP community.

Oh what a fun time it was getting in for the ultrasound. We got up early and left to be a little early so that we could fill out paperwork (surely, you’re not surprised by that?). We had down that the appointment was for 10am, but when we got there, they told us the doctor had scheduled it with them for 9am. It ended up being almost 3pm before they got us in.

At least we didn’t have to sit there the whole time. They told us that they would phone if they could get us in earlier but to be back at about 2pm otherwise. Since we live in Centerville, we decided we would get some breakfast, do a little (mostly window) shopping and such so as to not waste $5 gas going back home and then down again. We also visited a couple of stores we hardly ever get to, while we were “down there”.

Here are some pictures from the ultrasound, many with annotations:

Well, I would post images, but they messed up the disc burn and I haven’t been able to read it. Hopefully, I’ll get that sorted soon. Sorry.

I would recommend this movie to any movie-goers out there. It was thouroughly entertaining, had a really good story that fits into the Superman universe just right and even fits with the older films, and the cast really can act.

Kevin Spacey as Lex Luthor. Excellent. I can’t think of anyone else who could have filled Gene Hackman’s shoes better. I’ve liked everything I’ve seen Spacey do and he still continues to impress with his range and talent.

Brandon Routh plays Clark Kent/Superman. He looked a little young for the part in the ads I had seen. If anything, this was the one thing I was concerned with going into the theater. But, that concern faded after only a couple of scenes (he didn’t interact much in the first scene, so it was hard to gauge at that point). He did an excellent job as the Man of Steel and absolutely on the money as Clark Kent. His voice even has some of the qualities of the late, great Christopher Reeve’s which, in my mind, help sell the character and the actor.

Kate Bosworth plays Lois Lane. In this story, the character of Lois has evolved quite a bit in the five years that Superman was absent. During the film, I had this feeling like something was missing from this character. It wasn’t until after the movie that I realized as I thought back on it that her character was 100% accurate and that Bosworth had played it perfectly. Sometimes, it was like Margot Kidder coached her.

Great performances were turned in by Frank Langella as Perry White and James Marsden as Richard White.

I don’t want to give anything away, so I won’t. I’ll simply sum up with this:

Superman Returns gets a 9 out of 10 in my book (which will only have one film at 10, ever). It’s a must see and with some of the very impressive shots in the film, you will want to see it first on the silver screen.

In a recent post by Scott Paul Robertson on his blog titled, Django with HTTP Authentication, he builds a workaround for Django’s lack of a proper hook to use the authentication system that he needs/wants to use (BTW, LDAP is a good choice and a secure one). I feel for you man, as I’ve “been there, done that and didn’t even get a lousy T-shirt!”

Since Django can not deal with LDAP on it’s own, he decided to use HTTP Authentication and tie Apache (or so it appears) to the LDAP store. Of course, his app still needs to know, at the application level, that a valid authentication is present, which user it is and perhaps some other information.

Unfortunately, this approach could lead to some little security problems.

Again, I don’t know if Scott has already worked around these or not, but I felt it would be good to publicly discuss the possibilities. For all I know, he already has this licked:

1. There is no way for the server to revoke nor enforce revocation of authentication once credentials have been accepted.
2. By having code rely on HTTP Authentication without the application being able to verify or validate the authentication, an app can be vulnerable to replay and spoofing attacks.

The solution Scott came up with is a common one, and as the potential security implications are non-obvious (that is, until they are, of course :) ), they often go unnoticed.

OK, now for some explanation. These are the things that occurred to me while thinking about Scott’s situation:

1. If Apache is not looking at LDAP, or there are subdirectories (or siblings) that are not also set up with all the necessary bits to have Apache look at LDAP, then you could be vulnerable. However, if you are doing all that extra work, you’ll be fine.

   There is nothing in the HTTP protocol that can be used to revoke HTTP Authentication once access is granted, but, this makes sense given the way that the HTTP protocol itself works. The only way to clear the authentication is to close the browser. Depending on which browser(s) visitors are using, they may have to close just the tab or window in question, or they may have to close out all instances of the program (though this is much more rare today than it used to be).

   Because of this, control over continuing validity of access is now in the hands of the user, not the system. This alone is one of those general great-big-no-no items in security. The user should be able to decide, “I’m done, log me out,” but the system should also be able to say, “Thank you, come again!” In addition, this situation can lead to all sorts of weird and unexpected problems in your application(s). Belive me, it sucks. I know because I’ve dealt with some of them before.

   At this point, one might start to think, “OK. So I can’t revoke access using HTTP. Why not set a flag in the DB when I authenticate and remove that when a user clicks on the ‘logout’ button?” First problem, there is no DB as far as Apache is concerned. Remember, it’s using LDAP, and the mod_authz_ldap module can only do the LDAP authentication. One could start creating a web of code here to compensate, but I think there are much easier ways. Second, what happens if the user doesn’t click “logout”? There’s a really good reason right there to build the authentication into the application rather than use HTTP Authentication.

2. There are two kinds of attacks this architecture could leave an application vulnerable to. However, if the webserver is successfully protecting every single subdirectory involved (i.e. issue 1 isn’t an issue), then these attacks should be quite a bit more difficult to mount:

   1. Replay attack: A replay attack is when one simply records the packets going by and then “replays” them back to the server, changing the source IP address (and probably the port, too). The attacker doesn’t have to know the magic incantation (password, etc.), they just get in.

      In the context that I’m talking about in this post, it might be possible to replay the HTTP headers that followed successful authentication, or the headers from the authentication step itself.

   2. Spoofing attack: A spoof is when one constructs packets that pretend to be what an application expects. In the case of web based applications, it is very common to see developers use the “Referrer” security model (which isn’t secure in the least). That’s where their pages assume, “you must have authenticated successfully, since you were referred here by the login page.”

      In this case, the entire authentication step could possibly be bypassed. This will depend on some other factors and even if it can’t be bypassed directly, then someone could use a replay attack or simply reuse someone else’s session by snarfing a browser that had a window (or tab) open to the app. Since the app can not verify that authentication actually took place (since it can’t get involved with LDAP or other verification), it can only assume that it must have been successful if you are getting “here” from “there” because it sees the browser presenting information that it should only have if it is coming from “there”. The problem is, that information is unreliable and easy to forge.

Here are some other ideas to help deal with it.

When it comes to web applications and the need for authenticated access, the only way to make sure that authentication is enforced is to wrap every protected page generation operation within a “blanket” of verifying the authentication. Here is a simple pseudo-code example:

if (logging_in) // In other words, we're processing the login page.
{
   result = login_function ();
   if (result)
   {
      already_logged_in = TRUE;
   }
   else
   {
      Redirect back to the login page, perhaps showing an error.
   }
}

if (already_logged_in)
{
   if (verify_authentication ())
   {
      Deal with generating/providing the requested page.
   }
   else
   {
      Go to the login page.
   }
}

As you can see from this sample, the same authentication system can re-verify that the user is still authenticated and that the connection is valid for each and every page generation. There is no other pathway to the meat. This kind of architecture is necessary with a stateless protocol like HTTP. Anything less and there will be other ways in.

I see six possible solutions for Scott’s specific problem of Django not supporting LDAP:

1. Wait for Django to get LDAP support
2. Write your own, separate authentication into your application (using the DB)
3. Use a Python LDAP “library” and hook your authentication into your app
4. Write the LDAP support for Django
5. Write PAM support for Django (or just your app)
6. Run

Number 6 means to abandon Django and use a framework which has already taken security seriously, or build one yourself.

I don’t know much about Django. Perhaps it’s just too new and is still missing a lot of key pieces. Perhaps the developers don’t think LDAP is a good way to work with authentication (they would be completely wrong). Whichever it is, it sounds to me like Django isn’t quite ready for prime time. Personally, I am very uncomfortable with it from both a security standpoint and as a framework, since it seems incomplete. I just know that if I were going to write a web app in Python (which I don’t), I would be looking elsewhere at this point. Who knows how many other problems you will run into with something like this.

However, if I were a big Python guy (again, I’m not) and I had some time I could dedicate to helping a project like Django out, I would look a little deeper to see if I thought this thing had real promise for the future. If so, then I would go with option 4 and contribute that back to the community.

Scott, whichever way you decide to take this response, good luck with your application and thanks for sharing your situation with us. For everyone else, I hope these rambling thoughts help.

Said one German pub owner, “Never have I seen so few [drink] so much in so little time.”

If you’re not laughing from that quote, then perhaps what you need is a history lesson.

1. Utah: 48%
2. Nebraska: 43%
3. Minnesota: 41%
4. Iowa: 39%
5. Alaska: 39%

When I bought the camera, I read in it’s manual that it should last much longer on lithium AA batteries that it will on alkaline, so I guess I’ll have to go get some and try it out. Either way, I should carry a spare set when I’m traveling. I already keep AAA batteries for my headphones and my bluetooth earpiece.

Oh, and the EFF gets mentioned in the article, starting from the second paragraph.

Oh, yeah, the House of Representatives is just the place to find a plethora of individuals who you would want designing security systems. Not!

Let me boil it down for everyone:

If you have two pathways to enter a secure area (in this case, the airports), one high security path (what passengers go through today) and one low security path (what SecureFlight and other registered traveler programs would do), which do you think terrorists are going to attack? If you said the low security path, you’re right.

It’s that simple. These programs will, if allowed to launch, completely undermine the rest of the security operations at airports.

As a frequent business traveler myself, I can relate to some of the things in the article. There are certainly times that all the traveling has left me feeling drained of all my energy. That’s when it’s not fun. However, as I have no children (yet), it’s (usually) not so bad.

Unfortunately, the subject I’m trying to photograph is so highly reflective, that only 4 out of the 14 photos I snapped today turned out well enough to be used.

Three were out of focus and 7 others had flash bulb blotches (do you think that’s the correct photography term for it?) on the images that obscured parts of the text. So, here are the first four. I’ll try to get the other 10 again, tomorrow and show them in another post.

So, with that in mind, I have filled out the “order some breakfast” door hanger and placed it on the handle the past two nights. Unfortunately for me, each morning, there was no breakfast. It never showed up.

Sometimes, stuff happens and so the first morning when I got no breakfast, I just figured it was a fluke and decided to let it go. When the same thing happened the next day, I certainly didn’t feel like it was a fluke anymore. When I got back to the hotel after the day’s work, I brought the problem to the attention of the hotel’s front desk staff. Strangely, they didn’t act all that amazed, but just handled things professionally and promised that they would make it up to me.

About a half hour later, I got a call in my room from the restaurant manager and got some more apologizing. She then told me that they were going to give me free breakfasts for the rest of my stay and one free dinner, too. Now that’s taking care of your customer.

A few minutes later, there was another call and the woman at the front desk asked me if the solution was to my satisfaction. Now that’s the right way to run your business, with good follow-up.

A few minutes after that, there was a knock on the door. It was the restaurant manager and she had an envelope with three complimentary breakfast “coupons” in it and a small box of chocolate truffles. Nice.

I haven’t tried it with any handheld browsers, so if you do, please, post a comment about the results.

Anyway, sites like that are yet another reason why I love Konqueror. It took just 10 seconds to tell Konqueror to pretend to be Firefox 1.0 (on Linux, of course) whenever it connects to “hilton.com”. Presto! No trouble at all. In fact, the whole site renders perfectly.

The work this week is to teach one of Linux courses for (and at) the U.S. Patent & Trademark Office. I’ve been here once before, as some of you may recall.

My hotel is only about a 4 block walk from the Patent Office. Following the first day’s class, I started back only to find that it was just starting to rain. As I completed the first block, I reached a point where I could see farther away between the buildings and knew I had to hurry if I didn’t want to get drenched.

I just love the rain. I normally don’t mind getting caught in it, either. But today, I was wearing a silk tie that my wife recently gave me (no, it wasn’t for Father’s Day, it was a few months ago).

Sitting here working on my notebook for the past couple of hours, I have been listening to Frank Sinatra and a lot of strange sounding thunder. Looking out the window, I can see the rain coming down in droves, pounding the cobbled streets, but I can’t hear it. I think the thick windows are mutating the sound of the thunder. It’s almost like some one is playing it through giant, blown speakers. It’s rather tinny. Weird.

Oh, but I am loving it. :)

Why would this be a problem for them? After all, they are in business to make money, right?

Sure, merchants who accept credit cards pay a small (or not so small, depending on which card we’re talking about) transaction fee plus a percentage of the transaction in order to offer their customers the convenience of card usage. With over 1 trillion such transactions per year, the card processing firms aren’t hurting. But, note that I said the processing companies. That would be companies like VISA, MasterCard and American Express. Card issuers are banks and other entities who actually back the cards. Yes, Amex has their own bank and issue cards, too, and processors like Discover and Diner’s Club only issue cards through their own banks. It’s the banks who receive card payments from consumers. They don’t get a penny from the card processing operations.

So, why would it be such a problem for a bank to get paid?

The banks actually make the vast majority of their credit card profits from the interest charged on card balances. But, as The Wall Street Journal reported, more and more people are paying down those balances. Lower balances equals lower interest payments equals lower profits.

Additionally, more and more Americans are waking up and not only paying down their cards, but keeping them down or getting rid of them altogether once they finish paying the card(s) off.

I say, go ahead; pay those balances off and don’t run your cards up. Especially given the outrageous interest rates people with excellent credit are now paying. Of course, if you know what you are doing, a quick phone call can cut your rates in half.

Call up your credit card issuer (bank, credit union, department store, whomever) and ask for a lower rate. They will almost always give it to you. They want you to stay with them, forever, and they know you’re not going to do it if the interest is bothering you. They would rather keep you for the long haul than see you go bankrupt and never pay on it again.

And remember this: it always pays to shop around for the best deal on anything you are going to buy. That includes money. I always shop for the best price on my money.

I’ll use myself as an example, I pay less than 3% on each of two car loans from my bank. There was no promotional offer or special arrangements through a dealer. I simply negotiated a reasonable deal for all. My bank loves to do business with me. Since they give me a decent price on the money I buy from them, they know I’ll come back. These two cars are number 2 & 3 that I have financed with them (used cars, too).

It’s always worth asking if you can get a better price. Spend one minute negotiating sometime. You might just be surprised at how much money you could save.

I love WordPress; it’s just so easy to deal with the SPAM. Still, it will be nice when open-source people finally create software that fully neuters all SPAM.

Privacy is a very important matter. Privacy is a central, core component to liberty and true freedom. If we (US Citizens) don’t pay attention to it, there are forces who would like to take it away. Most of the time, we call those forces terrorists, but there are other more subtle forces also at work in the world.

My good friend, Pete Ashdown has an exellent position on the issue of privacy, and I support him on these efforts.

I’m not the political activist type person. I’m not going to use my blog that way, either. But I do consider it very important to let your voice be heard in matters that affect basic liberties. I vote.

Privacy is the most priceless freedom of all. It underlies every human right. Without true privacy, there is no liberty.

That’s my view. I’m Lamont Peterson and I’m not running for any political office. But if I win as a write in, I’ll throw a good party. :)

As for those of you who don’t have your photos up there, yet: some of us (like Jayce^ and herlo and I) would have come over and taken your photo for you so you could get it up there, but we didn’t know what you looked like, so we couldn’t find you.

Next time we can’t find you like that, we’ll have to refer back to your photo…wait, um…

So, get your hackergnotchi in to Gabe (at gabe at gundy dot org).

I’ve seen people talking about the Linux version of Google Earth on the SLLUG Members mailing list. I found an entry on the Fedora SELinux mailing list titled, “Step-by-Step Guide To Creating SELinux Policy for Google Earth“. I’ve seen several other people talking about it already.

But, I was surprised to see that no one whose feed is picked up by the Utah Open Source Planet had yet posted on any of their blogs. So, here it is.

I heard about the new Linux version of Google Earth from my good friend, Evan McNabb via Jabber, yesterday. I downloaded the new Linux version and waited until later in the evening to try it out. Video was a bit scan like on my notebook, but I soon cleared it up.

I’d like to see people comment on their experiences with it, so far. I’ll write more about the things I hear later on.

For the time being, I have turned off the convert smileies to graphics option.

It turned out, that I had to also pull up the offending post(s) and resave them to get that setting to take effect in the db, which is strange, since it was dynamic for the site last time I fixed the bug. Oh, well.

As many of you who use WordPress know, it wasn’t until the 2.0 release that WordPress supported having your admin interface portion of the site encrypted. The way that they implemented this feature in WordPress 2.0 was to have two different URLs that you can configure, the blog URL (where visitors see your blog) and the site URL (where your admin interface lives).

The two URL idea was the right way to do it. I benefit from it, as the admin interface is on a different hostname from the blog. Unfortunately, the WordPress developers made a couple of small mistakes in implementing the use of the two URLs and that’s where the bug that has affected UOSP readers comes from.

But, I know how to fix these bugs.

I will be going through the code and cleaning up those bits that drop URLs into the output, making sure that the blog URL gets used instead of the site URL. However, that will not be quite enough. There are a couple of other things that should be fixed while I’m at it.

The code in WordPress 2.0 has two ways (different function calls) that URLs can be dropped into HTML output. The first is a poorly implemented if-else tree that maps to the parameters as set by the admin and stored in the DB (actually, there are several functions of this type). The second function is a wrapper around the first one and others like the first one. This is a very inefficient design, not to mention confusing.

Another problem is that the two functions in question (i.e. those that deal with the blog URL and the site URL) use the same parameters for different meanings, reversing the result from what one expects.

The right way to fix all of that is to use a set of simple indexed arrays to access those parameters (or a single two-dimensional indexed array). This will eliminate the overhead of the multiple, nested function calls and provide one consistent location for accessing any configured parameter.

His first sentance was:

I post this on my blog cause Peregrine doesn’t take comments unless I’m “logged on” and I had it all typed up.

Sorry for the inconvenience, Gabe. You’ll be happy to know that I have now “fixed” this. The “Users must be registered and logged in to comment” option in WordPress was checked.

I was going to add a trackback to Gabe’s article, but I couldn’t find any trackback URLs on his WordPress blog. Oh, well.

openbrainstem-announce:              "|/usr/lib/mailman/mail/mailman post openbrainstem-announce"
openbrainstem-announce-admin:        "|/usr/lib/mailman/mail/mailman admin openbrainstem-announce"
openbrainstem-announce-bounces:      "|/usr/lib/mailman/mail/mailman bounces openbrainstem-announce"
openbrainstem-announce-confirm:      "|/usr/lib/mailman/mail/mailman confirm openbrainstem-announce"
openbrainstem-announce-join:         "|/usr/lib/mailman/mail/mailman join openbrainstem-announce"
openbrainstem-announce-leave:        "|/usr/lib/mailman/mail/mailman leave openbrainstem-announce"
openbrainstem-announce-owner:        "|/usr/lib/mailman/mail/mailman owner openbrainstem-announce"
openbrainstem-announce-request:      "|/usr/lib/mailman/mail/mailman request openbrainstem-announce"
openbrainstem-announce-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe openbrainstem-announce"
openbrainstem-announce-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe openbrainstem-announce"

What I was missing was to add these kinds of entries to the /etc/postfix/virtual_alias file:

openbrainstem-announce@openbrainstem.net              openbrainstem-announce
openbrainstem-announce-admin@openbrainstem.net        openbrainstem-announce-admin
openbrainstem-announce-bounces@openbrainstem.net      openbrainstem-announce-bounces
openbrainstem-announce-confirm@openbrainstem.net      openbrainstem-announce-confirm
openbrainstem-announce-join@openbrainstem.net         openbrainstem-announce-join
openbrainstem-announce-leave@openbrainstem.net        openbrainstem-announce-leave
openbrainstem-announce-owner@openbrainstem.net        openbrainstem-announce-owner
openbrainstem-announce-request@openbrainstem.net      openbrainstem-announce-request
openbrainstem-announce-subscribe@openbrainstem.net    openbrainstem-announce-subscribe
openbrainstem-announce-unsubscribe@openbrainstem.net  openbrainstem-announce-unsubscribe

After running postmap and /etc/init.d/postfix reload, it works. :)

The really odd thing is that I wasn’t even looking at this stuff, I wasn’t working on my mail server and it just occured to me how to fix the error, out of the blue. So, I sat down and tried it. I only wish inspiration had struck me when I was first setting this up.

The one piece of “news” she got, was that according to the chemical analysis, they are 99% certain that our baby is a girl. Cool! Both of us have wanted it to be a girl.

For those non-software engineering types in the audience, perhaps a good “advertisement” (yes, it’s a bit of a spoof on Apple’s ads from a couple of years ago).

Basically, the Federal Excise Tax was introduced in 1898 to help pay for the Spanish-American War. At that time, a tax on phone service was a tax on only the wealthy. The US Department of the Treasury is finally ending this tax.

The result is that all phone companies (including cell phone carriers) must stop charging for the Federal Excise Tax on August 1st. Individuals and business can also file for refunds next year (on your 2006 tax return) to receive a refund for any excise tax paid on long-distance calls since March 1, 2003.

You should read the whole story on USA Today’s website (it’s quite short), as there are some interesting details. For example, there are some narrow circumstances in which you might have to still pay a 3% excise tax.

Here’s hoping you get some bones back next April 15th.

I haven’t used Dvorak layout for a few years now. This is not because I don’t want to, but simply because I don’t have any convenient keyboards for it at this time. By that, I mean I have been using my notebooks so heavily and just haven’t taken the time to brush up on the Dvorak layout.

However, I hope to fix the keyboard situation soon. I want to get the Kinesis Contour Keyboard, which I used for several months back in 2002. They are awesome! Pricey? Well, yes, but well worth it.

The Kinesis Contour keyboard is thicker than a standard keyboard, but has a slightly smaller width and only a little more depth than a standard keyboard. Basically, it has the same footprint as a standard keyboard with a reasonable wrist rest and is significantly more comfortable to use.

I started by using it in QWERTY mode, which let me get used to the feel of the keyboard and the layout of the keys. Things like the <BACKSPACE> and <ENTER> keys take a little getting used to. I found that it only took me about one day to get that down. At the end of a week, I was going so much faster with that keyboard that I had easily made up for the “lost” productivity during those first couple of days.

Then I switched the keyboard to Dvorak mode. The best way to learn the Dvorak layout was to print out the keyboard guide, tape it to the bottom of my monitor and never look down.

On a standard QWERTY keyboard, I can get up to around 115wpm typing and in some cases, I’ve even been faster. On the Kinesis Contour keyboard, I was doing a maximum of around 150wpm. Those were maximum numbers which, for me, only occur when I am writing original information, like a letter or blog entry. Still, for coding, I saw an average of 40% improvement in my typing speed.

So, to sum things up, for those of you thinking about trying the Dvorak layout, I can highly recommend the Kinesis keyboards, which make it very easy to switch back and forth, plus are simply exceptional keyboards. For those of you who want to stick with QWERTY, I still recommend the Kinesis keybards.

As you might know from reading my recent post, this past week, my wife Charlotte and I have cleared out our storage unit. One of the items that I have long been wanting to get out of there and get set up is my desk. It’s a not too large, but well shaped “half-C” desk, with a very deep center area (perfect for my 20 inch Princeton Graphic systems Ultra 20 monitor, which weighs in at something like 80 pounds).

My main system these days has been my notebook computer. I almost never leave home without it. But when I am home, I spend a lot of time working with both the notebook and the other systems I have. So, I set up synergy this afternoon. I’m using the keyboard and mouse for my Dual Opteron workstation and writing this blog entry on the notebook. This is so cool.

Synergy is very easy to get setup and running. If you’re thinking of using Synergy, I would encourage you to do so.

The Fedora Extras repository has a synergy package (simply run “yum install synergy” on FC4 & FC5 systems), so installation was a snap. I created an /etc/synergy.conf file (have to do it from scratch) on the server and was up and running in under 5 minutes, that is, after fixing a semi-colon that should have been a colon.

The next thing I’m going to do with Synergy is try to get it running on my sgi Indigo 2 & Sun SPARCstation 10 workstations. If I feel like taking on a real challenge, I’ll see if I can get it working on my Apple Mac Quadra950 which is running A/UX (Apple UNIX).

As this is her first pregnancy, Charlotte wanted to keep it under our hats until we were through the first trimester. You just never know, especially with the first one, as I’m sure those of you with children understand.

The baby was due on November 17th, but when Charlotte had an amniocentesis about two weeks ago, they revised that to November11th, based on the size of the skull and such.

This afternoon, I drove my wife to her third doctor’s visit. Well, technically, she’s a Midwife, not a doctor. Anyhow, it was a quick routine check-up. The Midwife found the baby’s heartbeat, which I got to hear for the first time. She also reviewed the results of the amniocentesis, which are perfectly normal. Although we are not certain, due to the way in which that report was laid out on the page, if appears that they may have determined the sex of the baby. There are several other indicators (heartrate, position & orientation of the fetus, etc.) that seem to correlate the apparent determination from the amniocentesis. However, it’s not certain, yet.

Although the doctor who performed the amniocentesis used a very low powered ultrasound in order to guide the needle, and he was able to get some picture of our baby, the first complete ultrasound will be on July 3rd. At that time, it may be possible to determine the sex of the baby with greater confidence.

In case you didn’t pick up on it, yet, I am very excited and looking forward to becoming a Daddy for the first time.

As you can see from that list, we didn’t have much extra stuff in there that didn’t make sense to keep.

Well, the situation with our house has recently allowed us to clear out a whole area of the basement. Because of that, we could now perform the juggling act needed to rearrange other rooms in the house and empty the storage unit. There are a couple of items that we will be storing at the house (beds, washer/dryer, etc.) but the rest will actually be put to use. In addition, the $70/month that we were spending on the storage unit is now staying in our pockets.

Of course, there is a downside to all of this. We ended up having to do almost all the work of hauling that stuff from the storage unit to our house, in the last two days of May (boy are we tired now). Also, it looks like the cardboard boxes have been replicating all over the house.

Still, it’s good that we’ll be getting all our stuff out. We anticipate that there will be several boxes of stuff we will take to Deseret Industries. In fact, a couple of weeks ago, we took 4 car loads of stuff (and we have a Saab 9000, so a car load is as big or bigger than many small pick-up trucks can carry) to DI. Yesterday, we took another 2 car loads worth to DI when we finished emptying the storage unit.

Now, for the next couple of weeks, we’re going to be very busy emptying boxes. Let the good times roll! eh?

But, for tonight, we’re going to make dinner, watch a movie and head to bed. After the last two days, we’re quite tired.

Last night, I got home from Washington, D.C., Virginia (a.k.a. Alexandria; hehe) at about 11:30pm. Before going to bed, I grabbed a small bite and watched a little TV (for 10 minutes or so) while eating. There was a Best Buy ad on TV for the HP digital camera, which is why I wanted to check it out.

I’ve only taken a couple of pictures, so far, but they’ve turned out quite well. It’s very easy to use, which is good since it doesn’t come with a “real” user’s guide (like I would need it, I mean, come on! :) ). It’s a 5MP camera, producing images at 2560×1920 resolution (quite a bit better than what you get with 35mm film). It also found all the photos that were on the 512MB SD card I’ve used with my digital video camera (it will take stills on SD or discs). I have almost 600 photos (at 1280×1024) on there already and the camera says that I can fit another 314 (at 2560×1920) on before I fill up the card.

My Dad recently bought an Olympus photo printer. I plugged the HP Photosmart E317 into the printer with the USB cable that came with the camera, surffed through (on the camera) and picked out 3 pictures and hit print (on the camera) and in about 2 minutes I had 3 photos on real photo paper. The quality is excellent, too.

Overall, I can definitely recommend this camera to others, especially while it’s on sale at Best Buy for only $89. It even comes with Lithium batteries and a carrying case that can be worn on your belt.

A word to the wise, though: if you have or are going to purchase a digital photo camera that uses SD cards (or similar) get the high speed kind. You’ll be thanking me later when you see how long other people have to wait before taking another shot. The 512MB SD card I am currently using is of the standard speed variety, and it takes about 8 seconds to finish writing a 5MP JPEG to the card. Thankfully, this camera has 16MB RAM, so I can take a few photos in a row and let it write them to the card in the background (if I’m not waiting for the flash to recharge). Still, I wish I had a faster card for these cameras.

Some other nice features:
- You can record audio
- You can record audio notes about a picture while browsing through them
- It can take video
- When plugging it into your computer, it can be configured to show up either as a storage device (SCSI disk, like an SD card reader), or as a camera which you could use with video conferencing software.

No, HP is not giving me anything for plugging this camera. The opinions expressed here are entirely my own. Blah, blah, blah.

This one in particular caught my eye, so I took a picture of it with the camera in my cell phone.

Elijah McCoy, the son of former slaves, worked for the Michigan Central Railroad as a fireman. His duties included lubricating engine parts. McCoy invented his automatic lubricator. Soon, long distance locomotives, transatlantic ships and factory machines were using his lubricating invention. His reputation spread, and users were wary of buying cheap substitutes. As a result they often asked for “the real McCoy.”

It was good. Charlotte & I both liked it. Some of the “plot twists” were completely predictable to me (I don’t know about her, I learned to not wreck it for her by asking, “Have you figured it out already, too?”), but I still enjoyed learning the details.

The only thing that bothered me was that it felt like the story ended a little too soon. I thought there were a couple of threads left hanging that shouldn’t have been left behind like that. They are not elements that hint at another movie or even seem to try to make a point. However, I won’t spoil the film for those of you who have yet to see it. I’ll say just this: the one big unanswered question at the end of the film is not on this list; I was not bothered by that at all. In fact, I thought it was a bit fun to never know.

So, I would say that if you enjoyed the first two movies, then it’s a good bet you’ll go for the third. There are a couple of great scenes that you really want to see on the big screen at least once, but not so many as in the first two films. However, if you felt that M:I2 was not as good as the original, then I think you’ll be pleased with M:I3; it brings things back up, though I still feel that the first film was the best of the three (so far).

Most of those who will read this already know the dangers of trusting the kinds of email messages like the one I just recently received with the subject line “Your account might be compromised!”, which prompted this post. However, many who read this blog are not of the “technically savvy” or “computer expert” types, so I thought these comments might be useful.

Rule Number 1: NEVER take any email message from a company that deals with money (like banks and credit unions) at face value. That simple rule will protect you from most Phishing attacks.

The Phishing scams use all sorts of tricks to make their emails look legit. This latest one even employed the technique of having someone who actually speaks English write the text. In the past, one very big indicator that an email might not be from the company it claims to be, was the bad translation from some other language to English before it was sent out.

Another common tactic is to send HTML email. This allows the Phishers to create links like [ http://en.wikipedia.org/wiki/Phishing ]. The link looks like it points to the correct website for your bank (for example), but actually goes somewhere else. Unfortunately, these can be hard to expose if you use Internet Explorer, Outlook, Outlook Express or some common web based email systems (like Hotmail & Yahoo!).

If you visit such fake links and you use Internet Explorer, there are several techniques the fake website can use to make it look like it is the real website. For example, there are dozens of still not patched bugs in IE that let a web page dictate exactly what you see in the address bar. So, while you are actually at “http://192.0.2.5/www.chase.com/login.jsp”, IE’s Address bar could show, “https://www.chase.com/login.jsp”, thus making it look more legitimate. Of course, you got there by clicking the link they gave you in that HTML email.

Rule Number 2: Don’t trust HTML emails. Too much stuff can be hidden.

HTML email has many other problems as well, like being able to pull in code or images that actually tell the sender that their email has been read while completely hiding this fact from you. That let’s the spammers know that you’ll read their SPAM.

I could go on and on about this, but I won’t. Instead, I’ll just leave you with a few, simple thoughts:

1. There is no Nigerian Oil Money waiting for you to transfer into your account (money laundering schemes)
2. That’s not Viagra they’re putting in those bottles (generic drugs fraud).
3. You do not need to buy OEM software. (pirated copies).
4. eBay & PayPal (or, for that matter, any bank or credit union) never need you to “verify” or “validate” your account (Phishing).

And, last but most certainly not least:

5. The world will not fall down around you if you don’t immediately forward that chain mail (viruses).

It turns out that WordPress, the blogging software we use for OpenBrainstem Member Blogs, had a bug in it. In the piece of code that finds and converts “smiley” text to icons, it was using the wrong URL. It should have used the URL for the blog site, but instead was using the URL for the admin and authenticated users access (like login) site.

I’ve fixed the bug and will be sending a patch (it’s a one-liner) to the WordPress developers. Hopefully, it’s included in the next release.

1. I burned a complete set of bad discs. It looks like the burner in that box might be bad. Retrying a couple of the discs also produced bad results. The built-into-YaST media check failed on all discs, and trying to use readcd failed. The MD5SUMS of the .iso files were all good.
2. I had Dax burn discs on his notebook (mine has no burner :( ). These (mostly) worked to complete an installation, but readcd failed at the 3rd to last sector on all three. This makes us think that SUSE may have bungled when spinning the CDs. Also, one package on CD3 could not be read (myspell-american). All other packages were good.
3. I had Dax burn another CD3. This one could not be read to install the qscintilla package, but myspell-american and all other packages were fine.
4. We burned copies of the first Dax burned CD3 (with a failing myspell-american package) and gave them to the students.

Total time for the whole process: 6.5 hours.

Ugh! There went a whole day and no time for me to get lunch, either.

Don’t get me wrong. Overall, I like SUSE distributions. Sure, there are warts, but that’s true of every distro I’ve ever used. hey, things happen; and this was just one more.

Full Disclosure: I use Fedora on my notebooks and workstations, today. I also use SUSE on my home workstation. Most of my servers are CentOS. I will be installing OpenSUSE 10.1 on my notebook and start using it heavily, but I’ll probably dual-boot that with FC5.

“…including, obviously, your so much coherent, logical, mandatory and
ultra-rational advices, criteria, demands, desires, doubts,
expectations, ideas, thoughts, intentions, objections, fears, worries,
preferences, priorities, proposals, requirements, suggestions,
questions, warnings or special needs:”

Well yeah, “OBVIOUSLY”. I mean it practically goes without saying…

You gotta love what spews out when a non-native English speaker smokes
crack while reading a thesaurus!

We had to go to Idaho for my youngest brother’s wedding over the weekend, so I asked Guru Labs to book my flight from Boise instead of Salk Lake City. No problem, but I’m flying on Alaska (they’re the ones who decided to loose my “checked plane-side” bag the last time I flew with them).

While driving to my folks house in Weiser, Idaho, I got Delta on the phone and reserved a seat for Charlotte using some of my 100,000+ miles (just a hint, I’ve spent 145,000 miles on tickets in the past 20 months). It wasn’t until Saturday night that I had an opportunity to pay the fees for the ticket, but I took care of it. We left my folks house at 9am to head to BOI, about an 80 mile drive.

My flight left first, so Charlotte saw me off at my gate. I actually flew on a turboprop aircraft! I haven’t been on one of these since October, 1997. I tried to call Charlotte’s cell phone when I reached Portland (to change planes) but she had it off. I had a 2+ hour layover (+20 they had added on since printing my boarding pass).

Later, Charlotte called and told me that she was sitting on the plane at BOI, still on the ground; there was a mechanical issue. Her flight out of Boise ended up delayed about 90 minutes. That meant that she had to be re-booked to another flight from SLC to SFO (San Fransisco). Since this is Delta, I knew there would be no problem; they have billboards that advertise around SLC that they have no less than 17 flights a day from SLC to SFO, and back.

So, I finally left PDX (Portland, Oregon), this time on a CRJ700. Those are very nice 70-seat “regional” jets. Once I got in to SFO, I found the baggage carousel that Charlotte’s bag would be coming out of (I never check, unless I have no choice). I sat around for 2.5 hours until she got there.

We took a cab to our hotel, which is right in the heart of the Financial District of San Fransisco; nice! it was about 7pm by then, so we got dinner at the Elephant & Castle Restaurant & Pub, attached to our hotel. It was very good food and a fun, English Pub atmosphere. Oh, and it’s smoke free, which is always a big plus.

Since Charlotte has been to San Fransisco many times, she’s just loving it. I have walked from my hotel to the training center where I’m teaching this week, each day. It’s a nice 7-8 blocks walk (for those of you who think that blocks come 6-to-a-mile, that’s only in Utah; these are about 10-12/mile). But, there’s going to be very heavy rain overnight and tomorrow, so I might take a cab instead.

I think we’re going to see Alcatraz Friday evening. If I want to do that, I had better get tickets tonight. Charlotte says we have to go to Fisherman’s Wharf and my students have told me about an excellent little pizza place called North Beach Pizza in Little Italy, which will be about a 7 minute walk from our hotel; I think we’ll go there tomorrow night.

She told me that my Grandmother had been found on the floor of her home earlier in the day. She had suffered a stroke, though we did not know (at this point) what the extent of it might be.

The next evening (2006/03/30), Mom told me that it had been determined that her stroke had been massive. She was completely unresponsive and there were no indications that she would make any kind of recovery. My parents planned to depart the following morning (Friday, March 31st) to drive down the hospital in Richfield, Utah where she was being monitored. All of my Dad’s siblings were already there.

I flew home from Phoenix Friday afternoon and my wife and I left about 45 minutes later to drive to St. George, Utah. We had already planned this trip so that our niece could dye Charlotte’s hair. Saturday, April 1st was the only opportunity to do so before my youngest brother’s wedding, scheduled for April 8th.

Saturday morning, while my wife’s hair was being done, I finally got in touch with my parents again. My Grandmother had always made it clear (and had her living will in writing) that she did not want to be kept alive by “extraordinary” means in such a situation. Respecting her wishes, the I.V. and breather were removed on Friday evening. She was still alive, but there was no telling how long it would be before nature took it’s course and she would be gone. It could be minutes or a few days, at most.

We decided to head to the hospital as soon as Charlotte’s hair was done. Unfortunately, I had been running like crazy and had slept only quite poorly all week long in Phoenix; I was exhausted and Charlotte can not drive my car (it’s a stick). So we decided to go back to the house in St. George and take a short nap before setting out. Better safe than sorry, we figured.

We left St. George just before 6pm. About an hour later, Mom phoned to tell us that Grandma had passed away.

We were too late. I did not get to say goodbye before she was gone. It’s OK, though … you see, I know that even if nothing bad happened in the process of getting there earlier in the day, Grandma would not have been happy if I had pushed myself when I was so tired. I knew it was OK with her that we were on our way, even we missed her departure.

When we reached the hospital at 8:24pm, we hugged my parents & siblings and 8-10 minutes later, we were all driving back to Loa for the night.

The next day, Sunday, April 2, 2006, the family got together in Grandma’s home in the afternoon. There was way more food than we needed, but the neighbors, family and friends in the church had provided it for us. We went through some photo albums that Grandma had. It was a nice, sunny day, though there was a slightly chilly breeze coming through the little valley all day.

When evening came, my parents and most of my siblings and I started to head back to our respective homes. We caravaned all the way to my sister’s apartment in Salt Lake City, where they all spent the night except for Charlotte & I. We arrived at home a little after 12am.

Charlotte was planning on driving down on Thursday, April 6th to pick Grandma up and bring her back to our house. We were then going to bring her with us to my brother’s wedding in Idaho this weekend. Charlotte had been looking forward to spending a little alone with Grandma and getting to know her better. She has not had many opportunities to spend time with my Grandmother. We will certainly miss her, especially this weekend.

We love you Grandma Peterson and we are happy that you did not suffer any in passing. Now that you are reunited with your husband, we look forward to the day, many, many years from now, when we, too, shall be reunited.

Delia Peterson, born Delia Oyler, April 24th, 1919 in Loa, Utah, died peacefully April 1st, 2006. She is survived by all four of her children, their spouses and almost all of her grandchildren and great-grandchildren.

Goodbye.

This past week was spent on a business trip in Seattle, Washington. I was unable to make a flight home on Friday evening. I tried to change from the 9:41am to the 6:00am (PDT) flight, which would have allowed my wife and I to reach Loa just a few minutes past 12:00pm, which is when the reunion started.

As it turned out, we could not get to Loa until about 4pm, by which time, the reunion had already ended. The good news, is that we were able to spend some time with my parents & siblings, as well as my Grandmother.

Today, we went to church at Fish Lake, which was an interesting experience, and then drove home. My youngest sister and her fiance rode with my wife and I up to my sister’s new place in Salt Lake City (she rode with Mom & Dad). From there, my youngest sister rode with our parents back home to Weiser, Idaho., and my wife and I went home, alone.

It was a very nice visit, but entirely too short. We will be heading up to Weiser, shortly after Labor Day, for my sister’s wedding. We are looking forward to this opportunity to visit with more of my family.

To date, we have read each of the Harry Potter books, together. It is a wonderful thing to spend time with your spouse reading a good book. It is one of the things that helps us grow closer together in our marriage. If you are married and haven’t read a book together, I would highly recommend the experience. Of course, do not be afraid to try a genre of book that your spouse enjoys, but which you have not had any (good?) experience with. You may find something that you can really enjoy, together.

Although it is not written yet, I am going to put up descriptions and “reviews” of books that I have read. My wife is planning on doing the same, maintaining a list of most every book she has read.

As for Harry Potter and the Half-Blood Prince, I am looking forward to reading it. Once, we have finished it, my wife and I will both be posting reviews. If you have not read any of the Harry Potter books, I would recommend that you go down to your favorite book store and purchase the first book, Harry Potter and the Sorcerer’s Stone, either in print form or on CD. If you enjoy it, then purchase a set of books (the least expensive way to do so) and give you superfluous copy of the first book to a friend or family member.

Each of the Harry Potter books is good fun for all ages. Sounds like marking copy, doesn’t it? Well, it’s true; children and adults of all ages will thoroughly enjoy each book. So, go out and get yourself a copy of your own and start reading.

However, it is not yet ready for use. The configuration of RT will take me a bit of time (especially since this is my first time using it). Take a look at the OpenBrainstem main website launch punchlist for more information on my progress in bringing some of the major services online.

The current line of site development is a sort of stop-gap measure. The code that will run the site is not meant to provide the kinds of features being planned. That will come when the StartPoint WMS reaches Alpha. We will move the main OpenBrainstem website to StartPoint by that time and will continue to work towards moving all OpenBrainstem sites & services as soon as the code is capable of supporting them.

I will place a progress punch-list on the main OpenBrainstem webserver to track the progress of version 1 deployment. Take a look there for the current status of development until the main website goes live.

Enjoy!

My wife was involved with a small party in our backyard when I arrived home. This is the quarterly Relief Society “birthday” party for all those Sisters whose birthdays fall within a specified range of dates (roughly 1-1/2 months before to 1-1/2 months after the party, I think).

The party is over now and everything is cleaned up. My wife is asking me to wrap things up so that we can play World of WarCraft together, which we do many evenings.

OpenBrainstem provides resources for “Intelligent Open Source Software Engineering.” More on that will be posted on the About page of the main OpenBrainstem website, once I put the site together.

Currently, the webserver is operational (content pending), the email server is working perfectly & is secured (I still need to add SpamAssassin & ClamAV), MySQL is working (obviously, or you wouldn’t be reading this blog) and other services are coming along. I will create a matrix page on the OpenBrainstem main website listing all the services that will be provided and their states as they are deployed.

What about the blog sites? Well, I have chosen WordPress as the blogging software for http://blog.openbrainstem.net/. Since WordPress does not support multiple blogs (yet?), this means that each persons blog will be a separate installation. I will dedicate a database on the server to each member, but WordPress will only have access to it’s tables in each member’s database. Another great feature of WordPress is that it provides light CMS capabilities, making it rather easy to create pages. Each OpenBrainstem Member will have their own blog.

This is my first entry in my own blog. I know you are expecting me to tell you about myself and my hopes and dreams for this blog, but, I’m not going to. Not here, anyway. Instead, I will point you to two other resources; my Personal Website and my Guru Labs blog, where I have been making entries for a few months now. Not to worry, though; both of those resources will continue to be used, in addition to this new site.

Now, to start building some pages for this site. Enjoy!