My tweet of just now: New Year's Suggestion: do a computer backup today, before the alcohol starts. Start a habit. With decent software, it's easy. Seriously: with something like Time Machine, you just need to make sure the external drive is plugged in and turned on, it should happen automatically after that. If you're cautious, part of your reason for taking backups is to protect against system corruption, so you won't leave the backup drive turned on, or perhaps even plugged in.
As we end up with more and more devices being able to be constructed by personal manufacturing and it becomes more routine, it will be interesting to see the effect upon the medical analysis industry. A family member had a soft tissue injury to the knee; before the insurance company would pay for the MRI, they required an X-Ray, despite X-Rays not showing soft tissue injuries. It's bad enough that money and time is wasted on this, no matter who pays.
This grumpy troll has long been miffed by the state of the X.509 trust system and the power placed in Certificate Authorities. See, for instance, https://lopsa.org/SSLIntro from October 2006; written as a guide for LOPSA members, which goes into the trust models of Kerberos, PGP and SSL's Public Key Infrastructure (PKI). Also, a CA certificate can include nameConstraints, which restricts what names the CA claims authority over. Most CAs claim global authority and most clients don't appear to offer a way to impose name constraints by local policy instead of based on the certificate.
I'm getting tired of seeing the same old tired specifications lists for phones and for tablets. Various manufacturers lust after the sales figures of the iPad, and see Android as a good way to at least be part of a viable ecosystem of apps, making their devices sellable. Yet few seem to understand that if you're not “very cheap” then you need to make the potential customer go “Wow!” and actively want to hand over the money you charge, of wanting to save up money and forgo something else to be able to afford to drop $500 on a small computer.
A thought experiment. I'm not sure that I believe this, but I put it out for your consideration. That which lives is that which opposes the second law of thermodynamics. Life is the balancing counterweight to the second law. Creatures remain alive, instead of dissipating. Further, various creatures impose order on the world, where the non-living merely degenerates. Beavers create dams. All mortal living organisms reproduce and impose their pattern of structure upon the matter which makes up their forms, in the next generation as in the current.
There was a time when the Linux kernel was part of niche OSes, used only by a few hackers. Developers made much of the importance of porting to Linux in improving code quality, by running on more OSes. Now the systemd developers class any Unix that is not Linux as niche and not worthy of supporting. Swings and roundabouts.
Well that was an educational diversion. Aka, "I broke things and learnt by repairing them." After demonstrating that an OpenSSH ControlMaster problem was only an issue with the ancient OpenSSH shipped with MacOS (10.6.x), I aliased the ssh commands to be the 5.8 versions installed from MacPorts. After doing this, I decided that I should try to switch out the ssh-agent too, so that I can load ECDSA keys and use ECC to reach my colo box.
For those experienced with RPMs, this post will doubtless be hilarious in its naïveté. This troll has recently had to start dealing with RPM-based Linux systems. The .spec file system is "interesting", with documentation scattered and incomplete. Debian's and FreeBSD's systems are much cleaner and better documented, but RPM is what I have to deal with. One thing I've noticed when building site-local RPMs for software is that people tend not to worry about a future OS upgrade bumping version numbers of the upstream package to where a locally-built package is replaced, or how packages will be disambiguated if upstream has the same version number.
When I buy music online, I prefer to buy an .ogg or .mp3 from the artist's website, cut out the middle man. Note that this is not in contrast to getting music without buying it. I do not download music for which I haven't the right to have a copy, whether by license, public domain or purchasing it. No, this is in contrast to not getting new music. I am a boring grumpy troll.
[edit: per my comment, OpenSSH is apparently not vulnerable] Aris Adamantiadis posted something worrying to the OpenSSH developers' mailing-list today [MARC archive, Google Groups archive] referencing this paper, http://eprint.iacr.org/2011/232 by Billy Bob Brumley and Nicola Tuveri. In short, the authors manage to recover a TLS server's private ECDSA key because of a timing flaw in OpenSSL. Timing flaws are when an implementation takes different amounts of time to do different work, so by measuring how long certain operations take, you can glean information that you're not supposed to have about the private key.
I recently realised that there are very few views of computing and “the right way to do things” which I hold now as unchanged from when I started at University in 1994. One of them is “Ten years is enough time to pass after a C language standard before you can rely on it. If your system doesn't support the current C standard after ten years, then your system is unsupported by the vendor and other people should be hesitant to support it.
It's good when applications build on top of standardised components. For instance, Google Chrome stores most of its data in sqlite3 databases in the profile directory. When I started at $current_employer I had a tendency to type calendar.google.com rather than the relevant calendar.example.com to get to my work calendar. After a couple of mistakes, this became self-reinforcing, because the auto-complete would preferentially show the most common completion of "calendar" as I typed that, which would be the wrong completion.
Today I worked my last day at Google. On March 28th, I start at Twitter, Inc.
I am somewhat prone to using my computer late at night. Sometimes, this is before I go to bed. Other times, I am “oncall” for a service and get woken up at 2am, 4am, etc and then need to be able to get back to sleep after dealing with an issue. The best change I've made to accommodate this? Installing f.lux, which has binaries for MacOSX, Windows (7/Vista/XP) and “Linux” (by which they mean Ubuntu).
In an earlier post on SSH I described my experiences of deploying Elliptic Curve Cryptography (ECC) in OpenSSH 5.7. Over on the LOPSA tech mailing-list, Tom Perrine asked for peoples' opinions on ECC. I wrote a reply, which I then realised belongs here, since it clarifies why I would do something, whereas my previous post merely covered the mechanics of how I did it. I believe in algorithm agility and not being critically dependent upon any one system.
I send the announcement for the Exim 4.75 RC1 release candidate. I discover that a change in the build tools broke the doc/ directory population and that I'd failed to spot it before release. Mail a follow-up apologising. Fix the problem instead of heading to bed when Mrs Grumpy Troll wished me to. The next day, I take a couple of other fixes and put together the RC2 release. I send the RC2 announcement as a follow-up to the RC1 announce, so that there's context and I don't need to repeat everything I notice that I forgot to change the Subject: line
Those who read “Typing Weird Stuff” or “How long is a piece of string?” may have noticed that I like exploring the non-ASCII parts of the Unicode assignments. In order to actually view these characters, it's necessary to have fonts which support the necessary characters. Even on an Apple Mac, the default fonts don't have great coverage. So far, the best font I've found is the shareware “Code2000”, costing $5. [website has been down for a couple of weeks and my attempts to contact the author have failed].
When it comes to “who controls the DNS?”, passions start to run high, nationalistic sentiment comes to the fore and the noise level rises. I'd like to step back and point out a difference between the official nominal control of DNS and the actual, de facto, practice, and how things are changing. DNS is a federated system, whereby DNS operators own their own little corner of the DNS and can control and delegate as they see fit.
This grumpy troll occasionally hacks on scripts which use DNS in slightly unusual ways. As part of this, I was sending queries directly to authoritative DNS servers, which with dnspython necessitated sending UDP queries explicitly, rather than invoking an interface that would fall back to TCP. To test things, I created two DNS zones, “toomanyns.test.globnix.net” and “toomanyns-eth.test.globnix.net”; the label “www” exists within those. These are set up with, respectively 7 and 20 NS resource records (RRs), each with a leading label 63 octets long.
I've long been of two minds about Wikileaks and what it does. This is not an area of simple truths, but of competing demands and trying to find a balance. When Wikileaks released their Afghanistan documents, I wrote of my reaction to the political reaction. Then came Cablegate. On the predominant hand: the value of diplomacy and diplomatic immunity is so high that it's hard to overstate their importance. Cool heads prevent wars, save incalculable lives and generally preserve peace.
Hacking last night on a Python (2.6) conversion of a Perl tool I wrote, I ran into a stumbling block. I couldn't figure it out then. I tried again tonight, after a couple of hours I finally tracked it down. The tool is verifying x509 certs from a TLS connection. To do this, I quickly discovered that Python's ssl module is horribly insecure until Python 3.2, not providing cert verification. pycrypto's OpenSSL package doesn't support using a ca_path directory-of-certs on MacOS.
One cited source of fuel for the middle-east regime changes is the US State Department cables, leaked by wikileaks. Turns out, when a people get to see honest assessments of the corruption in their own governments, it drives their determination. In light of this, I wonder if the US State Department will sponsor a campaign to nominate Julian Assange for the Nobel Peace Prize? I suspect not. But the thought makes me smile.
A couple of weeks back, I knocked together a short script “puny”, to let me give it a domain-name containing punycode or unicode and show me the conversions either direction. I opted to use Python 3 because it was a simple script and would let me practice using the newer variant of the language. Today, I decided I wanted to add automatic translation to the tool, using Google Translate's API. The problems which were resulted were all Pythonic in origin.
Last year I became an Exim Committer. I shepherded the recent 4.74 release, which was the first one not done by The Usual Victim. As such, there were some teething issues, but it went okay. Unfortunately, it was a security-fix release, which meant that it was done on a compressed schedule. I'd much rather my first Exim release not have been so constrained, but that's the way the dice rolled and I just have to suck it up.
When I was a teenager and I asked a teacher how long they expected an essay to be, I'd get asked in response, “How long is a piece of string?” — which I found infuriating as I was trying to establish expectations to, uhm, determine how little work I needed to do. cough Fast-forward to today and I'm banging my head against the way that in modern computing, where “string” has a specific meaning, there are three different answers to the question.
With the help of a friend who lives in Japan, I have registered an IDN domain, for working on improving the non-ascii support of some software I use; in particular, Exim. The domain is “グランピートロル.jp”, “grumpy troll .jp”. In order to do much with this, it's necessary to get the IDN format. Yet in testing basic Perl and Python to get the IDN, I was seeing values which I knew were wrong. The desired end result is "
Today, I updated OpenSSH. There's a longer tale of trials and tribulations involved in a requisite Heimdal update which I had wisely put off, but foolishly then embarked upon. A tale for another time. OpenSSH now (release 5.7) supports some elliptic curve cryptography! Excellent to have modern crypto, and something not based on prime number factorisation. I am put in mind of baskets, containing all of ones eggs. So, time to add ECDSA to my running OpenSSH setup, so that if there's ever a reason to disable RSA and/or DSA, I still have a way in.
The Troll was using Mrs Troll's iMac, with an Apple Magic Mouse, when the low-battery warning popped up on screen. The mouse is about a month old and comes with non-rechargeable batteries. Fortunately, being of a technical persuasion, this Troll keeps a supply of AA batteries on hand. Even today. Yes, a quaint Troll. What happened next? The mouse refused to work after the batteries were swapped. < Cmd-Space "bluetooth" down-a-few-times Enter > (a Spotlight search) pulled up the Bluetooth preferences pane.
My so-called "solution" in http://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv-for-launched-apps.html has a serious problem. Changing CFBundleExecutable causes code signing to fail. Once code-signing fails (silently!), access to items in the Keychain is impeded. This led to problems using x509 client certificates for https, with a mis-leading error message coming out of Chrome. So, don't do that. Just … run the command manually from the command-line, if you want to enable flags. Is there seriously no way to enable features via the cmdline for apps on MacOS X without breaking things?
This is what I did, but it is wrong. Do not do this. See the follow-up post, http://bridge.grumpy-troll.org/2011/01/macos-x-changing-argv-troll-erred.html I just had to figure this out for the second time, since I forgot how I did it the first time, however many months ago that was. So, a post to record the results. Note that I'm a Unix person, not a MacOS person and have not yet invested the time that I should have into how my desktop OS functions.