Happy 2015!

Look, it’s 2015. How’d that happen?

Blogging has been pretty much nonexistent this year, apart from a public service announcement about the Heartbleed bug and a public statement about boring encryption stuff.  (Which, if you’re actually interested in that sort of thing: I did finally get the requisite number of signatures and replaced my key in Debian just in time to avoid the Great Key Purge of 2014.)

It’s a new world.  Social media has made blogs obsolete, supposedly, except that they’re now too busy competing with each other (and, sometimes, their own fans) to be terribly useful.  I’ve tried to write a blog post about that a few times, only to delete it out of frustration and long-windedness.

So there’s a resolution for 2015: get past these social media issues and get back to regular communication.  Maybe what I need is a good social media rant.  I’m sure you’re all waiting on pins and needles for that one.

Lots has been going on.  I’m an empty-nester now; the youngest kid started college this fall.  I’ve been busy at work and busy at skill freshening, including getting on this funky Haskell bandwagon that seems to be all the rage among the cool kids.  And plenty of other things going on, some of which probably deserve their own blog posts.

Maybe those will get written in 2015.  Plan: write.  Journey of a thousand miles starting with single steps, and all that.

My Heart Bleeds (or, What’s Going On With Heartbleed)

One of the big news stories of the week has been “the Heartbleed bug”.  If you know a techie person, you might have noticed that person looking a bit more stressed and tired than usual since Monday (that was certainly true of me).  Some of the discussion might seem a bit confusing and/or scary; what’s worse, the non-tech press has started getting some of the details wrong and scare-mongering for readers.

So here’s my non-techie guide to what all the fuss is about.  If you’re a techie, this advice isn’t for you; chances are, you already know what you should be doing to help fix this.

(If you’re a techie and you don’t know, ask!  You might just need a little education on what needs to happen, and there’s nothing wrong with that, but you’ll be better off asking and possibly looking foolish than you will be if you get hacked.)

If you’re not inclined to read the whole thing, here are the important points:

  • Don’t panic!  There are reports of people cleaning out their bank accounts, cutting off their Internet service, buying new computers, etc.  If you’re thinking about doing anything drastic because you’re scared of Heartbleed, don’t.
  • You’ll probably need to change a lot of your passwords on various sites, but wait until each site you use tells you to.
  • This is mostly a problem for site servers, not PCs or phones or tablets.  Unless you’re doing something unusual (and you’d know if you were), you’re fine as long as you update your devices like you usually do.  (You do update your devices, right?)

So what happened?

There’s a notion called a “heartbeat signal”, where two computers talking to each other say “Hey, you there?” every so often. This is usually done by computer #1 sending some bit of data to computer #2, and computer #2 sending it back. In this particular situation, the two computers actually send both a bit of data and the length of that bit of data.

Some of you might be asking “so what happens if computer #1 sends a little bit of data, but lies and says the data is a lot longer than that?” In a perfect world, computer #2 would scold computer #1 for lying, and that’s what happens now with the bug fix. But before early this week, computer #2 would just trust computer #1 in one very specific case.

Now, computers use memory to keep track of stuff they’re working on, and they’re constantly asking for memory and then giving it back when they’re done, so it can be used by something else.  So, when you ask for memory, the bit of memory you get might have the results of what the program was doing just a moment ago–things like decrypting a credit card using a crypto key, or checking a password.

This isn’t normally a problem, since it’s the same program getting its own memory back.  But if it’s using this memory to keep track of these heartbeats, and it’s been tricked into thinking it needs to send back “the word HAT, which is 500 characters long”, then character 4 and following is likely to be memory used for something just a moment ago.

Most of that “recycled memory” would be undecipherable junk. But credit cards, crypto keys, and passwords tend to be fairly easy to pick out, unfortunately.
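To make the “HAT, 500 characters long” story concrete, here is a small simulation I’ve added to this post (my own illustration, not OpenSSL’s code): a toy heartbeat handler before and after the bounds check, run over a byte array that stands in for the program’s memory, with made-up leftover data placed right after the received record.

```python
# Added illustration of the Heartbleed bounds check: a toy heartbeat handler,
# NOT OpenSSL's code.  A bytearray stands in for process memory: the received
# record sits at the front, and constructed "recycled memory" from an earlier
# request sits immediately after it.
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16          # RFC 6520: at least 16 bytes of padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length field

# Constructed leftover data standing in for "what the program was doing a
# moment ago".  Not a real credential or card number.
LEFTOVER_MEMORY = b"POST /login user=alice password=hunter2 card=4111-1111-1111-1111"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding(16).

    claimed_len overrides the length field so a caller can build the lie the
    post describes: "the word HAT, which is 500 characters long".
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * PADDING_LEN)


def respond_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Pre-fix behaviour: trust the sender's payload_length and copy that many
    bytes back, never comparing it with the size of the record actually
    received.  record_len is accepted but ignored, which is the bug."""
    claimed = struct.unpack("!H", memory[1:3])[0]
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed])


def respond_fixed(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour, mirroring the check added in OpenSSL 1.0.1g:
    discard the record if 1 + 2 + payload_length + 16 exceeds the record
    length, so the copy can never run past the bytes that were received."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                       # too short to carry any payload
    claimed = struct.unpack("!H", memory[1:3])[0]
    if HEADER_LEN + claimed + PADDING_LEN > record_len:
        return None                       # length field lies: drop silently
    return bytes(memory[HEADER_LEN:HEADER_LEN + claimed])


def simulate(payload: bytes, claimed_len: int) -> Tuple[bytes, Optional[bytes]]:
    """Lay the record down in front of the leftover memory and run both
    handlers on it.  Returns (vulnerable_reply, fixed_reply)."""
    record = build_heartbeat(payload, claimed_len)
    memory = bytearray(record + LEFTOVER_MEMORY)
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record))


if __name__ == "__main__":
    honest, _ = simulate(b"HAT", 3)
    print("honest request, both handlers echo:", honest)
    leaked, dropped = simulate(b"HAT", 500)
    print("lying request, vulnerable handler returns", len(leaked), "bytes:", leaked)
    print("lying request, fixed handler returns:", dropped)
```

The vulnerable handler echoes the three real characters, the padding, and then everything that happened to sit after the record; the fixed handler returns nothing at all for the same input.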

And that, by the way, is where the name comes from: the heartbeat signal bleeds data, so “Heartbleed”.  There’s been some fascinating commentary on how well this bug has been marketed, by the way; hopefully, we in the techie community will learn something about how to explain problems like this for future incidents.

Does this affect every site?

No.  Only sites using certain newer versions of cryptographic software called “OpenSSL” are affected by this.  OpenSSL is very popular; I’ve seen estimates that anywhere from a third to a half of all secure Internet sites use it.  But not all of those sites will have the bug, since it was only introduced in the last two years.

How do we know this?  OpenSSL is open source, and is developed “in public”.  Because of that, we know the exact moment when the bug was introduced, when it was released to the world, and when it was fixed.

(And, just for the record, it was an honest mistake.  Don’t go and slam on the poor guy who wrote the code with the bug.  It should have been caught by a number of different people, and none of them noticed it, so it’s a lot more complicated than “it’s his fault!  pitchforks and torches!”)

What should I do?

Nothing, yet.  Right now, this is mostly a techie problem.

Remember that bit about crypto keys?  That’s the part which puts the little lock icon next to the URL in your browser when you go to your bank’s Web site, or to Amazon to buy things, or whatever.  The crypto keys make sure that your conversation with your bank about your balance is just between you and your bank.

That’s also the part which is making techies the world over a little more stressed and tired.  You see, we know that the people who found the bug were “good guys” and helped to get the bug fixed, but we don’t know if any “bad guys” found the bug before this week.  And if a “bad guy” used the bug to extract crypto keys, they would still have those crypto keys, and could still use them even though the original bug is fixed.  That would mean that a “bad guy” could intercept your conversation with your bank / Amazon / whoever.

Since we don’t know, we have to do the safe thing, and assume that all our keys were in fact stolen.  That means we have to redo all our crypto keys.  That’s a lot of work.

And because your password is likely protected with those same crypto keys, if a “bad guy” has Amazon’s key, they’d be able to watch you change your password at Amazon.  Maybe they didn’t even have your old password, but now they have your new one.  Oops.  You’re now less secure than you were.

Now, it’s important to make sure we’re clear: we don’t know that this has happened.  There’s really no way of knowing, short of actually catching a “bad guy” in the act, and we haven’t caught anyone–yet.  So, this is a safety measure.

Thus, the best thing to do is: don’t panic.  Continue to live life as usual.  It might be prudent to put off doing some things for a few days, but I wouldn’t even worry so much about that.  If you pay your bills online, for example, don’t risk paying a bill late out of fear.  Remember: so far, we have no evidence yet that anyone’s actually doing anything malicious with this bug.

At some point, a lot of sites are going to post a notice that looks a lot like this:

We highly recommend our users change the password on their Linux Foundation ID—which is used for the logins on most Linux Foundation sites, including our community site, Linux.com—for your own security and as part of your own comprehensive effort to update and secure as many of your online credentials as you can.

(That’s the notice my employer posted once we had our site in order.)

That will be your cue that they’ve done the work to redo their crypto keys, and that it’s now safe to change your password.

A lot of sites will make statements saying, essentially, “we don’t have a problem”.  They’re probably right.  Don’t second-guess them; just exhale, slowly, and tick that site off your list of things to worry about.

Other sites might not say anything.  That’s the most worrying part, because it’s hard to tell if they’re OK or not.  If it’s an important site to you, the best course of action might be to just ask, or search on Google / Bing / DuckDuckGo / wherever for some kind of statement.

What about your site?

Yup, I use OpenSSL, and I was vulnerable.  But I’m the only person who actually logs in to anything on this site.  I’ve got the bugfix, but I’m still in the process of creating new keys.

Part of the problem is that everyone else is out there creating new keys at the same time, which creates a bit of a traffic jam.

So yeah, if you were thinking of posting your credit card number in a comment, and wanted to make sure you did it securely… well, don’t do that.  EVER.  And not because of Heartbleed.

Old Keys Never Die

Encryption is in the news a lot these days for some reason.  I’ve been doing encryption using the PGP family of encryption systems for quite a while now, but hadn’t been paying close attention until a recent reminder landed in my inbox from the Debian project.  They warn about “1024D” GnuPG keys being weak, which is a fancy way of saying “the way all the cool kids created keys back in the late ’90s”.  Including yours truly.  Oops!

So, it’s time to replace my key.  I’ve uploaded the new one to the key servers and created a transition statement per the guidelines in this fine document, with some changes inspired by others doing the same.  The details are in the transition statement, so I won’t bore you with long strings of hexadecimal numbers here.

The next step is to get signatures for the new key.  I’ll be at the Linux Foundation Collaboration Summit next week, and would greatly appreciate meeting with people in person to do key signings.  If there are any key signing parties happening, please invite!

Sorry for everyone who’s wondering what I’m talking about.  We all have secrets to keep, and conversations we wouldn’t want spread around; encryption gives you a little more control over that.  Plus, encryption lets you “authenticate” people, which is a fancy way of saying “is that you, George?” when you get messages from people, and letting them say “is that you, Jeff?” when you send messages back.  If you want to learn more about taking control of your communication, post a comment, email me, or search for “PGP”, “GnuPG”, or “encryption” in your favorite search engine.
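For readers who want to know whether their own keyring has a “1024D” key like mine, here is a small check I’ve added (not part of the original post): it reads the colon-delimited output of `gpg --list-keys --with-colons`, where field 3 is the key length, field 4 the algorithm number and field 5 the key ID, and flags the weak ones. The listing it runs on is constructed for the demo, with placeholder key IDs.

```python
# Added example: flag weak OpenPGP keys in a `gpg --list-keys --with-colons`
# listing.  The listing below is constructed; key IDs and user IDs are
# placeholders, not real keys.
from typing import List, Tuple

# Public-key algorithm numbers (RFC 4880) as gpg reports them in field 4.
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ElGamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = 2048   # threshold Debian applied when it retired 1024-bit keys

# Constructed listing: one late-'90s 1024D key with its ElGamal subkey, and
# one modern 4096-bit RSA key.
SAMPLE_LISTING = """\
tru::1:1420000000:0:3:1:5
pub:u:1024:17:0000000000000001:1998-06-01:::u:::scaESCA::::::::0:
uid:u::::1998-06-01::HASH1::Example User <user@example.org>::::::::::0:
sub:u:2048:16:0000000000000002:1998-06-01:::::e::::::::0:
pub:u:4096:1:0000000000000003:2014-04-01:::u:::scESC::::::::0:
uid:u::::2014-04-01::HASH2::Example User <user@example.org>::::::::::0:
sub:u:4096:1:0000000000000004:2014-04-01:::::e::::::::0:
"""


def weak_keys(listing: str) -> List[Tuple[str, str, int, str]]:
    """Return (keyid, algorithm, bits, reason) for every pub/sub record that
    is a 1024-bit DSA key or an RSA/DSA/ElGamal key shorter than MIN_BITS.
    ECC keys are short by design and are not judged by bit length here."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        bits, algo_id, keyid = int(fields[2]), int(fields[3]), fields[4]
        algo = ALGO_NAMES.get(algo_id, "algo%d" % algo_id)
        if algo_id == 17 and bits <= 1024:
            # A 1024-bit DSA key can only sign with a 160-bit hash (SHA-1).
            findings.append((keyid, algo, bits, "1024D key: signatures tied to SHA-1"))
        elif algo_id in (1, 2, 3, 16, 17) and bits < MIN_BITS:
            findings.append((keyid, algo, bits, "shorter than %d bits" % MIN_BITS))
    return findings


if __name__ == "__main__":
    for keyid, algo, bits, reason in weak_keys(SAMPLE_LISTING):
        print("%s %s-%d: %s" % (keyid, algo, bits, reason))
```

To run it on a real keyring, pipe `gpg --list-keys --with-colons` into `weak_keys` instead of `SAMPLE_LISTING`.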

Linux Is Hard, Except When It Isn’t

Online tech news site Ars Technica (which I recommend, by the way) recently reviewed the Dell XPS 13 Developer Edition.  Its unique feature: it ships with Ubuntu Linux as the default operating system.  This preload deal had a few unique properties:

  • It’s from a major system vendor, not a no-name or third-party integrator.
  • It’s a desktop-oriented product, not a server.
  • Most notably, the vendor actually put effort into making it work well.

That last point deserves some explanation.  A few vendors have grabbed a Windows computer they sell and allowed the option to preload Linux on it, but without support; you’re on your own if it doesn’t work in some way, which is likely.  Essentially, they save you the time of wiping Windows off the box and doing a fresh install, but not much more.  But this laptop comes out of Dell’s Project Sputnik, a project to put out Linux machines for developers with a “DevOps” flavor, and they felt the machine had to work as well as their regular products.  So they actually put effort and testing into getting the laptop to run Ubuntu well, with all the drivers configured properly and tweaked to support the machine’s quirks, just like they do for Windows.

And so, the review is surprised to learn that Ubuntu on the XPS 13, well, just works!  It’s even in the title of the review.  Here’s reviewer Lee Hutchinson’s observations:

I’ve struggled before with using Linux as my full-time operating environment both at work and at home. I did it for years at work, but it was never quite as easy as I wanted it to be—on an older Dell laptop, keeping dual monitor support working correctly across updates required endless fiddling with xorg.conf, and whether or not it was Nvidia’s fault was totally irrelevant to swearing, cursing Past Lee, trying desperately to get his monitors to display images so he could make his 10am conference call without having to resort to running the meeting on the small laptop screen.

And thence comes the astonishment: on this Linux laptop, everything just works.  Most of the review is spent on the kinds of hardware features that distinguish this from other laptops: the keyboard is like this, the screen is that resolution, it has this CPU and this much RAM and so on.  Some space is devoted to impressions of the default Ubuntu 12.04 install, and some space is given to the special “DevOps” software, which helps the developer reproduce the software environment on the laptop when deploying apps.

But before all that, Hutchinson has to put in a dig:

It’s an impressive achievement, and it’s also a sad comment on the overall viability of Linux as a consumer-facing operating system for normal people. I don’t think anyone is arguing that Linux hasn’t earned its place in the data center—it most certainly has—but there’s no way I’d feel comfy installing even newbie-friendly Ubuntu or Mint on my parents’ computers. The XPS 13 DE shows the level of functionality and polish possible with extra effort, and that effort and polish together means this kind of Linux integration is something we won’t see very often outside of boutique OEMs.

Of course, Windows is actually worse than Linux on the hardware front–when you don’t get it pre-installed.  Imagine if more vendors put as much effort into preinstalled Linux as they did into preinstalled Windows.  In that alternate reality, I imagine people would react more like this:

“Isn’t that what you’re looking for in a mainstream product?” Rick chided. “In 1996 it was: ‘Wow look at this, I got Linux running on xxxxxxxx.’ Even in 2006 that was at times an accomplishment… When was the last time you turned on an Apple or Windows machine and marveled that it ‘just worked?’ It should be boring.”

Which was, of course, the reaction Hutchinson got when discussing the review with a Linux-using friend.

With Microsoft being less of a friend to the hardware vendors every day, here’s a case study more of them should be paying attention to.

Time Flies

18 years ago, I carried a baby out of a delivery room. MY baby.  What a rush.

Looking down on him in the baby warmer, amazement and fear dominated my thoughts, clamoring for my attention. I was a father. What would I do now? My life was REALLY not just my own anymore; I had this little one that was counting on me.  Was I up to the challenge?

And what about when he wasn’t a little one anymore? What would he be like as an adult? Would he be a good person? What would he care about? When he turned 18, what would we do, and what would his plans be for the future?

That day was something I thought about often in that nursery all those years ago.  And now, that day has arrived.

Jon is now a young adult.  And looking at the ultimate result of the last 18 years of worry, I feel immeasurably proud.  He has made his mistakes, and no doubt will make more mistakes in the future.  But he has not let those mistakes dampen his confident optimism, or drag down his sense of what’s right.  More importantly, he has a heart for others that expresses itself with everyone he’s around.  Often, the topics of our disagreements center around his fierce protective instinct, and on more than one occasion, he’s challenged me to improve myself.

I have not been a perfect father.  At times, I’ve been far from perfect.  But I am grateful that I’ve been a part of raising a young man I can admire and, yes, even learn from.

Happy 18th birthday, Jon.  Have an excellent life.  I’ll cherish the rest of the time you’re still at home, miss you when the time comes for you to leave, and always be there for you as long as I live.

Your mom and I are your biggest fans; never forget that.

Triumphant Return

“When you don’t update a blog, it gets stale fast.” — Tim Bray

Of course, I didn’t intend to violate this basic rule of blogging.  It just happened–one thing leads to another, and pretty soon you notice just how little your front page has changed in the past two-and-a-half years.  So, I shall begin again.

Quite a bit has changed:

  • It’s especially ironic, given the previous post, that our family has given in and replaced the main television with a HDTV.  Not that I’ve changed my mind much; it’s just that I’ve decided to live with the limitations of the technology, and have figured out how to work around some of them.
  • Although my suspicion of the cloud remains, my participation has greatly increased.  I’m now on Twitter, Facebook, LinkedIn, and piles of Google services.
  • There’s been a major health scare in the family, which is now behind us.

All of these will get their own posts in the very near future.  In the meantime, enjoy the new look.  (Especially on mobile!)

HDTV Still Not Ready Yet

So you put off buying a high-def TV for years, because you weren’t sure they had gotten all the standards right.  You recently gave in, thinking that the coming shut-off of analog broadcast TV in February meant that they had to have their technology figured out by now.

Of course, you were wrong:

CableCARD devices have generally supported only one-way access to cable systems, but their long, winding journey toward full two-way communications is finally coming to an end. Panasonic has announced that it is at last shipping new HDTVs enabled with tru2way technology to the two US markets where they can actually be used.

So what’s the main thing you’re supposed to get with tru2way?

This means that you can walk out of a retail store with a tru2way-enabled HDTV, plug it in at home, and have immediate access to basic features like an on-screen guide and on-demand content.

In other words, we are just now starting to see HDTVs that can just plug into the cable jack and work, without an add-on cable box and all the limitations that implies, right?

Well, not really.

All tru2way-compatible devices will have a CableCARD slot built into them to facilitate the decryption of protected content, though details are still sketchy as to how this system will work with devices like PVRs. Physical CableCARDs will apparently not be needed to access basic two-way services and non-encrypted channels.

Meaning that, in order to get anything you can’t get already with broadcast TV (“non-encrypted”), you still need a cable company tech to come out and install the CableCARD.  And they don’t know how all of this will integrate with the new video recorders like TiVo.

Why is this so hard?  It’s producer paranoia.  If they don’t play these games, you might watch some show for free, or share it so others can watch it for free, instead of… well, watching it for free live.  And you might cut the commercials out, instead of… cutting the commercials out by getting up for more chips during the commercial breaks.  (But that’s stealing, so you shouldn’t do that either.)

Our family keeps edging closer to deciding to get a HDTV.  But then I see stuff like this, and notice that the old tube TV still works fine…

Comment Policy Updated: No More CAPTCHA

The comment policy has changed; check the page links for the details.  The big change: I’ve turned off the CAPTCHA page that would be presented for comments judged to be “borderline” spam by the spam filter software.

For those not aware, CAPTCHA is the name given to the funny letters and numbers on weird backgrounds that you sometimes have to type in to do things on certain web sites.  The idea was that computers couldn’t read those letters and numbers, but humans could; thus, each solved CAPTCHA was proof that a human had done whatever it was that had been done.

CAPTCHA had issues even from the beginning.  They present obvious issues for the blind, and were often simple enough to be read by modern OCR software.  Because of this, I never turned it on for every comment, and any comment rejected because of the CAPTCHA just went into the moderation queue.  But I’m now convinced that CAPTCHA has reached the end of its useful life.

So when a commenter on my last post expressed his dissatisfaction with my CAPTCHA, I decided it was time to turn it off.  And so, references to it have been expunged from my comment policy.

The Esperanto translation of my comment policy has also been updated, in the hopes that I might someday post a little more often in that language.  It’s also been moved to a page.

Internet Speed Hype

Reportedly, the USA is falling behind the rest of the world in bandwidth:

The 2008 median real-time download speed in the U.S. is a mere 2.3 megabits per second. This represents a gain of only 0.4 mbps over last year’s median download speed. It compares to an average download speed in Japan of 63 mbps, the survey reveals.

US also trails South Korea at 49 mbps, Finland at 21 mbps, France at 17 mbps, and Canada at 7.6 mbps, and the median upload speed was just 435 kilobits per second (kbps), far too slow for patient monitoring or to transmit large files such as medical records.

But don’t tell Chris Blizzard’s commenters.  He writes about Comcast’s announcement of a 250GB/month bandwidth cap, and gets an earful from commenters from Canada and Europe:

A boo hoo hoo. Major Canadian ISPs have had a limit of 60 GB for months, if not years.

Oh wait… probably the same way as most of the world manages on 10-20GB, for far more money than you’re paying for $250. Not a lot of sympathy from this corner…

Yep, no sympathy from here either — in Australia, with the only _independent_ ISP left, $280 AUD gets you 100GB.  $50 with a major telco (the rest of the ISPs here) gets you 5GB.

eg with my current ISP, a 8 MB line with a 300 GB monthly cap costs 20 GBP/month. A 8 MB line with unlimited bandwidth costs 160 GBP/month. Quite a difference!

I pay the equivalent of $40 a month for 30GB, and extra GB on top are $3 each. That’s with Plus Net (http://www.plus.net).

I’m in South Africa paying about $130 for a 10GB cap.

So who’s really better off?  By my calculations, if a Canadian ISP provides 7.8 Mb/s with a 60 GB cap, that’s about 17.5 hours per month of sustained maximum bandwidth before you’ve blown your limit.  By contrast, an American ISP with 2.3 Mb/s and a 250 GB cap gives you about 247 hours per month of sustained maximum bandwidth.

Perhaps part of the answer is that only one country–Canada–shows up in the list of “faster countries” and in the comments section of Chris’s post.  That could explain the apparent disconnect; maybe Great Britain and Australia are worse off than the USA, while Finland and Japan are better off.

Still, this does bring the question to mind: which is better, raw speed, or the ability to actually use it without fear?

Damned If You Do

JROBI, a chess blogger, on energy policy:

A large study in Europe concluded that it takes more gas and oil to produce a bottle of bio-fuel than it does to produce a bottle of gas. What does this mean? It means that Bio-Fuel is more damaging to the environment in the long run, and on top of that it is driving up the cost of basic food supplies. Millions and millions around the world in a number of countries are unable to afford the rising food costs for basic staples like Corn, and for what?

If Bio-Fuel is not better for the environment, why are politicians and environmentalists getting behind this growing industry? I think it’s because it seems to be the “trendy” thing to do, and we all know what happens when the media promotes a new trend. We get tons of media coverage telling us why it’s a good thing, and hardly any coverage of the negative impacts. Already people from the Bio-Fuel industry are getting on television shouting out that there are many factors contributing to rising food prices, trying to deflect the fact that their destruction of food to fuel vehicles is the main culprit.

Actually, I suspect the emphasis on biofuels in the USA and Europe has to do with the fact that it’s the only alternative to fossil-based motor fuels proven to be sustainable and scalable:

The success of FFFVs, together with the mandatory use of E25 blend of gasoline throughout the country, allowed Brazil to get more than 40% of its automobile fuels from sugar cane-based ethanol in 2007.

I see no link to the European study in question, but previous studies have suffered from various faults; for example, the assumption that trucks transporting fuel cannot themselves shift to biofuels. I’m sure better analysis of the study is on its way.

But that’s not the most interesting thing, to me. More interesting: my general impression that a lot of the climate-change hysteria is just that.

If we hear what science seems to be telling us about the environment, and we think that something needs to be done, then we should do things that will actually work. One thing that really works is conservation: use less of the bad stuff we’re using. But we’ve done quite a bit on that front, only to hear that much, much more is required to make a difference. I’m not sure there’s much, much more benefit for us to realize in conservation, at least in the short term.

So, to make a real difference, we have to make more radical changes. Can we change our motor fuel?  Sure; starting with something that pollutes less, and that even absorbs some of that same pollutant in its production, sounds like a winner.

JROBI, again:

It makes no sense whatsoever to create Bio-Fuel when there are much better options on the table – for instance Hydrogen vehicles. When was the last time you heard someone on the news talk about Hydrogen initiatives?

I hear it every so often. But most talk, today, focuses on the very real problems with hydrogen as a motor fuel. There are many; just look at the discussions of hydrogen fuel tank technology for a sample. But one of the biggest problems is that of developing an infrastructure for delivering fuel to the customer.

No one talks about the problems of setting up an ethanol infrastructure. We already have it. Brazil has demonstrated that the current gasoline infrastructure can easily be adapted to deliver ethanol instead, and that there is a viable migration plan for gradually moving people off fossil fuels.

Now, this isn’t to say that the world of ethanol is hunky-dory. It’s arguable that, while ethanol may be sustainable, the corn-based system the USA has adopted isn’t. Some people are talking about sensible tweaks that may solve the food problems while continuing to support biofuels–removing our silly tariff on Brazilian ethanol, for example, or developing alternative feedstocks for ethanol production.

The problem is that hysteria seems to be breeding hysteria. Global warming is so severe, we are told, that we need solutions, and we need them immediately. So we develop solutions we can use immediately. But no! These solutions cost; we need something else, and we need it immediately, and we need it cost-free.

Practically, this kind of insistence on perfection–that we deploy solutions with no drawbacks, only benefits–has the effect of dampening our enthusiasm for environmental solutions. We tried, our leaders will tell us, but nothing was good enough, so we gave up. And so, rather than do something that helps, or even something that lays the foundation for helping, we continue our use of fossil fuels.

Perhaps ethanol is the wrong solution. But if it is, we should resign ourselves to the inevitability of the future, as foretold by science, or fervently hope that the global warming deniers are right, because other solutions will arrive too late to do much good.

Christmas Gadgets: Creative Zen, LCD Monitor

So it’s a few days after Christmas, and like most of us tech-heads, I’ve got a few more gadgets to play with.

First up: the Creative Zen 4GB. This one was a little bit of a saga.

Last year, we got the kids no-name MP3 players, on the theory that we didn’t want to spend megabucks on something they wouldn’t use. They made valiant attempts to use them, but the little machines just weren’t up to the job. So, it seemed prudent to buy them iPods this year.

Well, except for Apple’s attempts to break all non-iTunes iPod software, which had the side effect of making the devices unusable under Linux. Still, this was what they wanted, and they had been good this year, and very patient with my ever-more-convoluted schemes to get the old players working. So, iPod Nano 3Gs for both of them. My heart sank as I watched some of my hard-earned money go to reward such behavior.

As part of the deal, I vowed to find a non-Apple player that would be good for when the iPods gave up the ghost or became “uncool”. And my dear wife, upon hearing this, went online, did some research, and bought me the aforementioned Creative Zen 4GB.

From a Linux perspective, it’s in the “not quite ready for prime time” mode. Rhythmbox and Banshee are working on support; I tried a prerelease of Rhythmbox, and found its support to be very unstable. The only usable app is Gnomad2, which has a terrible UI and also occasionally crashes, but can manage to upload audio, video, and photos without too much hassle. Still, this is a problem of fine-tuning, and not of a hostile hardware vendor; I’m confident that these devices will be well-supported in the near future.

The Zen is picky about what video files it will play, but I managed to figure it out: DivX or XviD video, 320×200 or smaller image size, encoded at a 480 kbit/sec video bitrate or less. Other video files might work, too, but you’ll have to find them on your own.

My Zen has a little problem with the button locking feature: after unlocking, the screen comes up to all-white, and you have to power-cycle it to get the display back. I’m assuming this is a firmware bug, as the screen is still visible for a short time after engaging the lock. Other than this, the Zen is a delight, and every bit as functional as the iPod.

The other nice gadget: a 24-inch LCD from Envision, bought after Christmas with a combination of gift cards, exchanges, and some of my own money. It was an open-box, and I saved about $80 for that; the only problem turns out to be a single dead pixel in the corner of the screen which is barely visible. It does 1920×1200 in very nice, bright color.

Here, too, an improvement on my life only came after some effort. Debian 4.0’s drivers for the Intel graphics chipset are not capable of driving a widescreen LCD; the best I could get was 1600×1200, a normal-width resolution stretched across the wide display. I booted an Ubuntu Gutsy live CD to verify that the problem wasn’t with the monitor, and then set to the task of backporting everything I needed from lenny. Happily, before I started, I found that someone (Holger Levsen, to be exact) had done the work for me.

Things are now about 90% there. The new drivers still don’t have everything figured out for running both Compiz desktop effects and XVideo acceleration at the same time, so I’ve had to turn XVideo off. My computer can render video without hardware support, but the quality isn’t as high. But, I have my nice wide screen, with crisp fonts and lots of room. I figure I’ll live with what I have until lenny releases, and then see what progress has been made.

Rest In Peace, CompUSA

I’m very surprised about the popularity of an old post of mine, regarding my experiences with CompUSA. It continues to collect horror story comments, the last one coming less than three weeks ago. While any company has its detractors (especially any company dealing directly with the public), it seems odd to me that people continue to be motivated enough to post to my blog, of all places, their tales of woe.

For me, life has been very CompUSA-less of late. Indianapolis now has a Fry’s, one of only two east of the Mississippi as of this writing, and for someone in the relatively tech-starved Midwest, it is a godsend. (People from the west coast: please stifle your laughter as best you can.) And evidently enough of these horror stories have been passed around that they felt the need to close over half their stores in February.

The Indy store was spared that time, but not for long.

The electronics retailer decided to finish what it had started earlier this year, announcing that it would sell or close the remainder of its stores in the US after the holiday season. The company, controlled by Mexican retail management company Grupo Sanborns since 1999, has been sold to Gordon Brothers Group, a restructuring firm that will be responsible for selling off the remainder of its assets.

In an abstract sense, less competition in the electronic retail business isn’t ever good. But it’s arguable that we’ve never had so much competition in the electronic retail business if you count the Internet stores that have sprung up all over. And I’m certainly happy to see an outfit that will slander people for profit go belly-up.

“This Is Not An Oops.”

Carver County, Minnesota, is in big trouble. (via buzz.mn)

Eric Mattson was not surprised that the small vacant lot he bought last year near the shores of Lake Waconia was increasing in value.

What shocked him was the $189 million market value the Carver County assessor’s office came up with for the 55- by 80-foot lot, making it the most valuable property in Waconia and possibly the county.

Of the resulting $2.5 million tax windfall, about $900,000 had already been spent by the time Mattson got the bill and came in to complain. They’re now looking at spending cuts and new taxes to pay for the shortfall.

“This is not an ‘oops.’ This is a major error that affects an awful lot of people,” said Mark Lundgren, director of the Carver County division that oversees the assessor’s office.

So how could someone make such an egregious error?

Lundgren said the trouble began in August when a clerk went into Mattson’s file to change the designation of the property, at 233 Lake St. E., from homestead to non-homestead to reflect its change in status after its sale.

The clerk filled in the $18,900 proposed valuation, but then mistakenly hit the key to exit the program. The computer added four zeros to fill out the nine numerical spaces required by the software, thus indicating the value was $189,000,000.

So many things come to mind, most of which are probably too snarky. But a few observations are worth making:

  • Don’t just pin this on the clerk. The major mistake was with the programmers, whose software did such an unexpected thing, and on the auditors, who missed a $2.5 million mistake. (Oddly, given that audit failure was an issue, the only solution worth mentioning in the article was “more auditing”.)
  • Programmers, cherish your input. Do not auto-munge it without at least user review! And, I’d argue, don’t auto-munge it at all if the result is at all valuable. Validate it, sure, but don’t change it; force the user to fix his or her own mistakes. After all, if your program was so smart as to know what the user “meant”, why does it need manual data entry at all?
  • Use modern tools! What kind of data store today requires zero-padding? MySQL is a free download, and very popular; for all its perceived faults, it can at least store numbers of variable sizes correctly.
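As an added illustration of the failure the article describes (example code, not the county's software or this post's own), here is a model of the zero-filling field beside a version that accepts input only exactly as typed and holds implausible changes for human review. The nine-digit width and the $18,900 entry come from the article; the prior value of $17,500 and the 10x review threshold are assumptions.

```python
"""Fixed-width numeric entry: the silent zero-fill bug versus validate-don't-munge.
Constructed model of the behaviour described in the article, not the real software."""

FIELD_WIDTH = 9           # "nine numerical spaces" in the assessment software (from the article)
MAX_PLAUSIBLE_RATIO = 10  # assumed review threshold: any change of more than 10x is held


class InputRejected(ValueError):
    """Raised when an entry cannot be accepted exactly as the user typed it."""


def commit_with_zero_fill(typed: str, width: int = FIELD_WIDTH) -> int:
    """The buggy behaviour: on an early exit the field is left-justified and the
    unused spaces are filled with zeros, so "18900" becomes 189000000."""
    return int(typed.ljust(width, "0"))


def parse_valuation(typed: str, width: int = FIELD_WIDTH) -> int:
    """Accept only a complete, unambiguous whole-dollar amount and return exactly
    that number. Anything else is sent back to the user, never 'fixed' silently."""
    text = typed.strip()
    if not text:
        raise InputRejected("empty entry; the field was not completed")
    if not text.isdigit():
        raise InputRejected(f"not a whole-dollar amount: {typed!r}")
    if len(text) > width:
        raise InputRejected(f"{len(text)} digits exceeds the {width}-digit field")
    return int(text)


def accepts(typed: str) -> bool:
    """True when parse_valuation would take the entry as typed."""
    try:
        parse_valuation(typed)
        return True
    except InputRejected:
        return False


def change_is_plausible(previous: int, proposed: int, ratio: int = MAX_PLAUSIBLE_RATIO) -> bool:
    """Second line of defence (the audit the article says failed): a change of more
    than `ratio` times in either direction needs explicit human sign-off."""
    if previous <= 0 or proposed <= 0:
        return False
    return max(previous, proposed) / min(previous, proposed) <= ratio


def record_valuation(previous: int, typed: str) -> dict:
    """Validate the entry, then decide whether it may be posted without review."""
    value = parse_valuation(typed)
    return {"value": value, "needs_review": not change_is_plausible(previous, value)}


if __name__ == "__main__":
    typed = "18900"                                # what the clerk entered, per the article
    print(commit_with_zero_fill(typed))            # 189000000: the $189 million assessment
    print(record_valuation(17500, typed))          # assumed prior value; posts without review
    print(record_valuation(17500, "189000000"))    # the same nine digits are held for review
    print(accepts("18,900"), accepts("1890000000"))  # comma-formatted and 10-digit entries are refused
```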

Another Long Hiatus

Wow. Has it really been that long since my last post?

It occurred to me today, as I upgraded to the latest WordPress and watched the ongoing security nightmares, that going through this effort is only useful if I actually use the darned thing.

And I’ve been busy; yes I have. I’m now the webmaster for my son’s Boy Scout troop, using MediaWiki as a CMS with an eye to encouraging more parent and Scout participation in the site. I’ve been to Montreal and Salt Lake City, among other places. And I’m preparing to upload a Debian package for virtualenv, a cool alternative to OS virtualization in the Python space.

More later.

When Censorship Is Good

The whole Kathy Sierra incident is coming to a close, with an NPR interview and a call for a blogger’s code of conduct. (Details at the links; basically, Kathy wrote an innocuous blog about software development, and was harassed into quitting her blog by a few nasty commenters.)

The latter item has touched off a rant by Teresa Nielsen Hayden, about the necessity of moderation:

Bloggers can ban anonymous comments or not, as they please. The problem isn’t commenter anonymity; it’s abusive behavior by anonymous or semi-anonymous commenters. Furthermore, the kind of jerks who post comments that need to be deleted will infallibly cry “censorship!” when it happens, no matter what O’Reilly and Wales say.

Anyone who’s read ML for more than a couple of months has watched this happen. Commenters who are smacked down for behaving like jerks are incapable of understanding (or refuse to admit) that it happened because they were rude, not because the rest of us can’t cope with their dazzlingly original opinions. It’s a standard piece of online behavior. How can O’Reilly and Wales not know that?

By coincidence, I got mail from Charlene Blake recently. Back when I bought my current van, I explained some of the reasoning behind my choice: poor customer service from Toyota caused me to decide to buy the Honda. In that post, I linked to a petition and some other information Charlene had put out there. Little did I know that Charlene had her own little “fan club” who liked to search for references to her and troll their little hearts out, trying to stifle any criticism of Toyota by lies, intimidation, fraud, and other nasty stuff. At first, I tried to be civil, but the stalkers got so vile that I was forced to do some “censoring” to keep my site from becoming an anti-Charlene haven.

Well, it’s two years later, and they’re still at it. As far as I can tell, she attempted to get some advice on cyberstalking from counsel.net, and got a lot of abuse instead. Here’s a sample:

If you can dish it out, you have to be able to deal with the
push back. Evidently you can’t. Whining about those who
don’t agree with you won’t get sympathy from myself, and
undoubtedly most other folks who read similar pathetic
moaning from anyone!!
It is clear you are the kind of individual who always blames
others for your problems.
My advice–get a life!

Interesting legal advice, that.

Now, it’s possible that the fine folks at counsel.net just take a dim view of Charlene. You’d expect, though, that if these people were regulars at counsel.net, they’d have more posts on the site than just posts attacking Charlene. So let’s take a look at some of the names of the people who replied to her: Dave Nightingale, Garnet Williams, Roger Francis, Cheryl Martell, Marisa Decker, Vincent Gagnier, Bruce Coristine, Walter Matthews, and Rick Fasan. Right now, not a single one of those searches returns a post that isn’t about Charlene Blake. (Just in case they try to obfuscate the point with irrelevant posts elsewhere: try to find a post by any of those people on counsel.net that was posted before April 24, 2007.)

By contrast, here’s one other poster on that thread: CK in Delaware. The person’s Charlene comment shows up, but so do a number of other posts, some of which predate Charlene’s initial post. That’s what a regular (or something vaguely close to a regular) looks like. If any of the names above really were regulars, they’d have search results looking like CK’s.

(For the sake of completeness, there’s only one poster left besides Charlene: T. Tonary, a defender of Charlene, also appears to be a one-timer. Ironically, “Bruce” above accuses Tonary of being a shill!)

It would be funny if it weren’t so pathetic.

Charlene comes across to me as a tough woman; certainly she has to have backbone to have pursued this for so long and with such opposition. But why do the Charlenes and Kathys of the world have to put up with this stuff? People talk about “censorship” in regard to deleting nasty comments, and I suppose it is. But Kathy is no longer posting, and Charlene can’t seem to post anywhere without vicious stuff following her. It seems to me that Kathy and Charlene are the ones getting censored.

And if we’re going to have censorship, of one stripe or another, better it be the pond scum than Kathy and Charlene.

Sadly, even I have been made to participate in the anti-Charlene campaign, even if by accident. If you search for Charlene Blake on Google, my blog is the second link, and Google’s excerpt from my initial post linking to Charlene’s petition is from one of the troll commenters. If you don’t actually click the link, you get the impression that I’m trashing her in the main article.

Oh, well. Time to make amends.

More On Copy Protection

AACS (the copy protection system for HD-DVD, Blu-Ray and other high-definition content) continues to crumble. In a nutshell, AACS adds layers to the process of decrypting movies on disc, and the layers are falling one by one. The previous cracks (see my report) opened individual discs and classes of discs; this crack opens all discs playable by a particular software-based player. It’s possible that the studios could revoke that player’s ability to play discs released in the future, but doing so now hurts customers who will have to update their copy of the player.

With all the news about copy protection failure, it’s worth reading some really good articles on why the efforts of multi-million-dollar companies continue to be cracked by smart teenagers. First, Cory Doctorow’s talk at Microsoft Research:

DRM systems are broken in minutes, sometimes days. Rarely, months. It’s not because the people who think them up are stupid. It’s not because the people who break them are smart. It’s not because there’s a flaw in the algorithms. At the end of the day, all DRM systems share a common vulnerability: they provide their attackers with ciphertext, the cipher and the key. At this point, the secret isn’t a secret anymore.

Cory references another paper written by Microsoft employees, now called simply “the darknet paper”. It’s a little more technical, but explains the problem well:

We investigate the darknet – a collection of networks and technologies used to share digital content. The darknet is not a separate physical network but an application and protocol layer riding on existing networks. Examples of darknets are peer-to-peer file sharing, CD and DVD copying, and key or password sharing on email and newsgroups. The last few years have seen vast increases in the darknet’s aggregate bandwidth, reliability, usability, size of shared library, and availability of search engines. In this paper we categorize and analyze existing and future darknets, from both the technical and legal perspectives. We speculate that there will be short-term impediments to the effectiveness of the darknet as a distribution mechanism, but ultimately the darknet-genie will not be put back into the bottle. In view of this hypothesis, we examine the relevance of content protection and content distribution architectures.

Finally, on the business side, science-fiction publisher Baen Books has been leading the charge away from copy protection in the world of electronic books. Editor and author Eric Flint explains why in a series of articles on their web site; here are the first, second, third, fourth, fifth, and sixth articles on that topic. The sixth article is particularly good, as it explains Baen’s (and Flint’s) experiences with publishing online without copy protection:

The titles are not only made available for free, they are completely unencrypted—in fact, we’ll provide you free of charge with whatever software you’d prefer to download the texts. We make them available in five different formats.

And . . .

The sky did not fall. To the contrary, many of those books have remained in print and continued to be profitable for the publishers and paying royalties to the authors. For years, now, in some cases. Included among them is my own most popular title, 1632. I put that novel up in the Baen Library back in 2001—six years ago. At the time, the novel had sold about 30,000 copies in paperback.

Today, six years after I “pirated” myself, the novel has sold over 100,000 copies.

If you’re curious, I encourage you to check out the Baen Free Library for yourself.

Copy Protection Broken Yet Again

Boing Boing (via Slashdot):

Arnezami, a hacker on the Doom9 forum, has published a crack for extracting the “processing key” from a high-def DVD player. This key can be used to gain access to every single Blu-Ray and HD-DVD disc.

Previously, another Doom9 user called Muslix64 had broken both Blu-Ray and HD-DVD by extracting the “volume keys” for each disc, a cumbersome process. This break builds on Muslix64’s work but extends it — now you can break all AACS-locked discs.

AACS took years to develop, and it has been broken in weeks. The developers spent billions, the hackers spent pennies.

My HDTV threshold has been inching lower and lower over time, as issues get resolved: lower-cost HDTV monitors, useful broadcast TV, the defeat of the broadcast flag, useful Linux support in hardware and software. Still, it’s clear that my standing advice–don’t do HD yet–has been vindicated.

How much longer? Some of the HDTV options for MythTV recording can do both standard-definition and high-def. If we accept that the HD stuff has to be watched on a computer, I might very soon move to HD recording for local TV channels.

But for now, it seems the major hurdle is HD cable, an area where the technology is still in transition. The current standard is largely a bust, the new standard being rolled out still doesn’t allow certain capabilities (menus, picture-in-picture), and the new standard is due to be eclipsed by yet another standard in a year or so. It’s also clear that reality has yet to set in; for all the consumer confusion and hassle, HD content doesn’t seem to be lacking at the BitTorrent sites.

So, continue to be careful. If you want to be able to do something with your new HD equipment, make sure you can before you leave the store. The HD powers-that-be have yet to honor any promise about future capability, and have broken some of those promises. So if it doesn’t work on the day of purchase, be ready to live without it forever.

As for me, current capabilities (and current prices) are almost at the level I’m looking for. But I haven’t bought yet.

UPDATE (2007-02-14): According to Ars Technica, this crack is still not complete; while all Blu-Ray and HD-DVD discs available today are cracked, the studios could protect future discs by revoking the keys of the software player used in the crack.  To translate that into non-technical English, users of that player would be required to update their player, and discs made after a certain date would not be crackable–until a new software player’s device key is extracted using the same method.

The Price of Success

Oh, the pains of being an early adopter: Google to charge businesses for Google Apps

But it’s not just small companies who have been champing at the bit to make use of Google’s services, as organizations such as Disney, Pixar, and the University of Arizona are eager to sign up to have hundreds of thousands of accounts managed online by Google. The service was offered for free to businesses during Google Apps’ beta period, but will apparently be going live with subscriptions “in the coming weeks,” according to BusinessWeek. It’s still murky as to how much Google will charge organizations for the service, but the fee will reportedly amount to “a few dollars per person per month.”

Now, it is true that all references to pricing refer to business use; there’s no word yet on whether they will charge noncommercial users. And even if they do, a few dollars per month per user isn’t bank-breaking.

But I wonder how well Google will handle the transition. Will some GAFYD customers get cut off if they aren’t paying attention? Will traditional domain hosting get a rush of new customers fleeing? Will Google’s competitors?

I’ve been slowly, slowly warming to this idea of hosted apps. Google Reader took over from Liferea for online news and blogs after I got tired of the latter’s bugs, and Google Calendar works a lot better than the various hack-fests I’ve tried to get local shared calendars working. But I think I’ll stick with hosting my own domain for now, at least until I get a better sense that the providers have the costs figured out.

My Own Single Point of Failure

I’ve been a bit difficult to reach recently. Part of that has been general busyness, including attending the FSG Printing Summit in Lexington, KY, but that wasn’t helped by my former employer switching offices. They had generously allowed me to continue hosting there after leaving, but I had been lax in searching for alternative arrangements.

This was made worse because I had centralized too much of my online presence there, with no backups, so when they took everything down to move to the new office, I effectively disappeared from the Internet for a time. So if I’ve seemed a bit uncommunicative lately, that’s probably why.

Ian has been filling my head with tantalizing visions of replacing my hosted boxes with online apps. I think I’m going to give some of these a spin, but I’m not convinced yet. It seems to me that the lesson to learn–don’t put all your eggs in one basket–argues equally well either way.