September 2005 Archives
By Chris on September 30, 2005 12:10 PM
Michael Singer lists the five reasons he sees for Palm's descent and ultimate adoption of its rival's operating system
. I'll add a sixth: it has always been a pain to develop software for Palm devices. The development tools have always been sketchy, and the runtime architecture is extremely limiting. Segmented code and limited RAM partitions practically required that applications be limited in scope. This was fine when the Palm Pilot was first introduced and its guiding principal was to have small applets that performed only one task. As competition increased among PDA makers and among Palm software vendors, applications grew and became unwieldy for developers to work with. Meanwhile, Microsoft made it simple to develop large, powerful Windows CE applications. Now here we are, with Windows Mobile (née Windows CE), finally replacing the Palm OS. As a longtime Palm user (a Treo 600 is my current device), I rue the change; as a Palm developer, I say "good riddance."
By Chris on September 28, 2005 10:10 AM
The London police arrested and held overnight a man who met their definition of a terrorist
. Unfortunately, their definition of what constitutes a terrorist is pretty broad, and could include just about anybody taking public transportation. In this case, the man was "wearing a jacket 'too warm for the season'" while using a cell phone. I believe in relying on humans to catch suspicious behavior — the plot to detonate a bomb in LAX
was foiled by an alert customs agent who felt the suspect looked "hinky." The problem comes when you define suspicious behavior so broadly that you can't find the real terrorists for all the innocent people caught up in your dragnet.
This kind of overload of suspicious behavior is a problem for computer security as well. Windows system administrators are familiar with Event Viewer, the centralized, catch-all logging tool for Windows servers. It contains thousands of entries at any given moment, some important, most not. While there is the ability to flag entries as critical, the most useful information is in the non-critical entries. For instance, a critical error could be a message saying the a user tried to log in with an invalid password. This indicates that the system is working correctly — the system should
reject invalid logins. Real problems are caused when the system is working incorrectly. Information about this is frequently mired in the non-critical entries, if it is logged at all. One of the major features we are working on for the next major version of Elektron
is better reporting and management of the deluge of information that can be generated so that system administrators can access the server data they need when they need it.
By Chris on September 27, 2005 7:24 PM
Linus Torvalds talks about the patch system that comprises Linux kernel development
. It's interesting to me the way that open source and closed source development processes are similar, despite protestations from both sides. Our own closed source development process for production code (that is, imminent releases rather than early pre-release code, which has a somewhat more relaxed approach) includes a patch system where each submission is thoroughly reviewed before being incorporated into the main code stream. What's more, it's a single person who is the final arbiter of whether a patch is release-worthy. Regardless of whether a project is open source or not, there are best practices to be followed. Hopefully — since that final code arbiter is me — the burnout that Linus talks about is still a few years away (of course, having having only two other contributors rather than two thousand helps).
By Chris on September 26, 2005 10:30 AM
Following up on Google Secure Access
, it's worth noting the license agreement that comes with the Windows installer:
We have the right to monitor, intercept and disclose any transmissions over or using our facilities, and to provide user information, or use records, and other related information under certain circumstances (for example, in response to lawful process, orders, subpoenas, or warrants, or to protect our rights, users, or property).
Although unnerving on its surface, in point of fact any ISP can be forced to monitor your network traffic under court order — Google is no different. Still, I'm comforted to have a full private VPN here that encrypts my data end-to-end, not just halfway.
By Chris on September 23, 2005 10:29 AM
The new Google Secure Access
claims to require software that is currently available only for Windows. However, they are using PPTP, which is available for a wide variety of platforms, including Mac OS X. Here's how to configure your Mac OS X machine to use Google Secure Access:
1) Launch Internet Connect (it's in the Applications folder, or available from your AirPort menu)
2) From the File menu, choose "New VPN Connection..."
3) Select PPTP, and click the Continue button
4) From the Configurations pop-up menu, choose "Edit Configurations"
5) Enter the following values:
Description: Google <or something else descriptive>
Server Address: 188.8.131.52
Account Name: <leave blank>
User Authentication: Password <leave it blank>
Encryption: Maximum (128 bit only)
Advanced: <leave Enable VPN on demand unchecked>
6) Click OK
8) From that web site, you will end up with a line of data that looks like:
184.108.40.206 5417399273 n2QHcciMOuv5vvwiNTjZ
Three items: the first is the IP address of the VPN server, the next is your dynamic username, the third your password. Copy and paste the second value (5417399273) into the Internet Connect VPN Account Name field, and copy and paste the third value (n2QHcciMOuv5vvwiNTjZ) into the password field.
9) Click "Connect"
If you have problems, it may be because you are behind a firewall that is blocking outbound PPTP. That's the case here in our office &mdash connecting fails from our regular inside-the-firewall Wi-Fi network, but works from our outside-the-firewall guest Wi-Fi network.
Keep in mind that your data is encrypted only as far as the Google servers, so the wireless connection is secured (and that's probably the most vulnerable point), but beyond Google's servers, your data is out in the open. And of course, all of your data is traveling through Google, so you particularly have to trust Google to use this system.
By Chris on September 22, 2005 10:14 AM
By Chris on September 21, 2005 10:05 AM
By Chris on September 20, 2005 9:59 AM
By Chris on September 19, 2005 10:24 AM
By Chris on September 16, 2005 9:33 AM
A laptop containing personal information on more than 98,000 Cal students that was stolen in March
has been recovered after it was sold on eBay
. I suppose consumers can find a small amount of comfort in this, knowing that the real target of one of the larger ID thefts was really the laptop containing the data, not the data itself. The thief likely didn't know what was on the laptop, and it was sold on eBay with all of the data intact. Cal dodged a bullet on this one, but as far as I know, the lost laptop of the Cal professor which contained military secrets
is still at large.
By Chris on September 15, 2005 10:05 AM
According to ThinkSecret
, the latest release of Mac OS X for Intel breaks compatibility with applications built on earlier builds
. The speculation
is that Apple is doing this to prevent piracy. I have a less sinister theory: the Application Binary Interface (ABI) changed between builds, causing the break. Normally, the ABI (which defines at the machine code level how executables are laid out and how they communicate with the OS) is fixed between builds going back for years since it is unacceptable to users to have a new version of the operating system break their existing applications. However, since the Developer Transition Kit is available only to developers, breaking the build is less important than evolving the ABI to make sure that it is solid and well architected on the day that Mactel machines ship to end users. After all, once it ships, Apple can't change it.
By Chris on September 14, 2005 10:58 AM
It would be funny if it weren't true: Raymond Chen
describes some of the lengths that hardware vendors will go to avoid the warning Windows XP gives that their drivers may be untrustworthy
. The comments tell even more nefarious ways of getting around the warning dialog, like having the installation program take over the mouse to click the dialog's OK button before the user has a chance to read it. My favorite is the developer who describes how his former employer's installer disabled the dialog without re-enabling it, allowing not only their own driver to be installed without warning, but every subsequent driver, regardless of its source.
By Chris on September 13, 2005 10:18 AM
Marcus Ranum describes what be believes to be the six dumbest ideas in computer security
. Some make sense, others don't. For instance, his "Hacking is Cool" rule says that you shouldn't hire hackers, because that just encourages more hacking. Sure, hacking is a social problem, but that makes it a problem that IT can't fix. If you are a system administrator, you can't eliminate hackers — all you can do is protect your network against them. That's a technology problem, and that kind of problem can be solved by hiring people who understand hacking.
By Chris on September 12, 2005 10:11 AM
found political message
in his list of available wireless networks. What's even more interesting to me is the number of networks that showed up: there's six in the list, and the scrollbar indicates more lurking offscreen. Still, not all of Berkeley is quite so political (or technically savvy): from my desk here
, I only see three other networks, two of which are still set to the default SSID factory configured on the access point.
By Chris on September 9, 2005 9:56 AM
There's a new exploit in Firefox
that allows arbitrary code execution by simply having a user click on a URL in a web page. Fortunately, it's an easy fix and there should be a patch available very shortly.It's yet another browser bug, but what really caught my eye was the cryptic sentence:
However, in an example of the uneasy alliance between security researchers and software makers, he decided to publicly disclose the flaw after a run-in with Mozilla staff, he said.
I'm curious as to what exactly happened. A lot of developers are very sensitive about their code, and get angry when you point out its flaws (which it invariably has, but that's another story). Personally, I get embarrassed about my own bugs, and when a user reports one, I'm apologetic to the point of obsequiousness.
By Chris on September 9, 2005 9:49 AM
It's time for me to get a new phone, and the new ROKR E1 iTunes phone
looks nice: it's small, has Bluetooth, plays music, and works with Cingular, the only provider to have decent coverage at my house. The only thing that disappoints me is that it is tri-band, not quad-band, GSM (it's 900 MHz that's missing). This means that there a number of GSM countries in which it won't work. I don't know the reason for the omission — it's not as though Motorola can't make a small quad-band phone. After all, the sexy V3 RAZR
is quad-band. Fortunately, I'm not traveling to any 900 MHz GSM countries anytime soon, so I don't have to let that be a deciding factor.
By Chris on September 8, 2005 9:48 AM
One possible good to come out of Hurricane Katrina is that more radio spectrum might be opened up for use by emergency services. You may remember back when digital television was first appearing, the government agreed to give broadcasters new spectrum for free for use with digital television signals. Broadcasters would would transmit new digital services over the free spectrum, while continuing to transmit analog services over their existing spectrum. Once the transition to digital was complete, broadcasters would return the analog spectrum to the government. Now, that time is almost here
In the wake of 9/11 and Hurricane Katrina, legislators are pushing for that spectrum to be used for public safety purposes
. The current proposals calls for the spectrum to be divided into two pieces: one set aside for emergency workers, and another to be auctioned off to private interests. The auction is worth billions, so there is a temptation to sell off the whole spectrum. Fortunately, some we do have some public officials who can see past the short term and understand that retaining some of the spectrum for public use has an incalculable value.
By Chris on September 7, 2005 1:14 PM
Simply by knowing the phone number of a Verizon Wireless subscriber, you could view their monthly usage, general location, and make and model of their phone
. Fortunately, it is highly unlikely that this information could be of use to identity thieves, but the man who discovered the flaw says that it could be used to clone users' phones. As a result of the report of the flaw, Verizon has begun a detailed review of their website security. That's good, but it should have been done before
the website was deployed.
By Chris on September 6, 2005 9:00 AM
It's a holiday here in the US, see you on Tuesday...
By Chris on September 5, 2005 10:11 AM
By Chris on September 2, 2005 7:21 PM
By Chris on September 1, 2005 9:21 AM