
Comments


Sons of Anarchy Creator On Google Copyright Anarchy

Frater 219 Doesn't pass the laugh test (381 comments)

But the big G doesn't contribute anything to the work of creatives.

You never use a search engine while writing? They're awfully handy for fact-checking, looking up sources, and so on.

But I suppose those sorts of activities are not required these days ....

about a month ago

Six Months Without Adobe Flash, and I Feel Fine

Frater 219 Sorry, but what about /^Homest.*/ ? (393 comments)

A few years back, I considered uninstalling Flash, but there was Homestar Runner. Now, I'd consider uninstalling it, but there's the animated segments of Homestuck.

If I uninstall Flash, won't I just miss out on the next awesome cartoon whose name matches the regex /^Homest.*/ ?

about a year ago

You're Being DDOSed — What Do You Do? Name and Shame?

Frater 219 Re:A more detailed proposal ... (336 comments)

Sure, I know and like DNSBLs including Spamhaus's, but this is a distinct application from XBL. Specifically, removal needs to be rapid in order for it to be useful for rejecting customer Web traffic. That's an engineering requirement that email anti-spam systems don't have, since SMTP is designed to retry for days if necessary to get a message through. Moreover, hosts that send any legitimate email are very few compared to hosts that send Web requests; and even though email admins are frequently dense, unresponsive, or victim-blaming, they're still a level above typical users in knowing what the fuck is going on with their computer.

One approach would be to have each DDoS victim continually (e.g. every hour) assert which addresses were attacking it, and only list those addresses which are currently attacking. This way, as soon as a host stops attacking, it will drop off the list. This has weaknesses — for instance, an attacker can use your host all night while you're not using it, without you noticing — but it's still an improvement over what we have today. And it still depends on each subscribing site having a good enough backchannel to the listing service to stay open during the DDoS. Back in the day we'd do it with a dedicated modem line — the bandwidth requirements are really quite minimal — but nobody knows what that is any more.

about a year ago

You're Being DDOSed — What Do You Do? Name and Shame?

Frater 219 A more detailed proposal ... (336 comments)

Sites under DoS attack should publish (through a channel not congested by the attack) a list of the IP addresses attacking them, through some trustworthy third party. Then, other sites should subscribe to that list and refuse service to those addresses until they clean up and stop attacking.

For instance, consider your uncle who uses AOL. His computer is infected with botnet garbage and is participating in a DoS attack against (say) Slashdot. Slashdot sends a list of attacking IPs, including your uncle's, to Team Cymru (the third party). Cymru aggregates these and publishes a list, updated every three hours. AOL subscribes to that list. When your uncle goes to check his AOL email, he gets an error: "We regret to inform you, your computer has been hacked, and is being used by criminals to break the Internet. You can't get to your AOL email until you kick the criminals off by installing an antivirus program and running a full scan. Click here to install Kaspersky Antivirus for free. Thank you for helping keep criminals from breaking everyone's Internet. Sincerely, Tim Armstrong, CEO, AOL."

Then your uncle gets mad and calls up AOL and complains. They try walking him through using the antivirus program, but he just curses them out and says he'll go to Hotmail instead. He tries ... but Hotmail also subscribes to the same list and tells him the same thing: "Your computer is infected with malware and is being used to attack other sites on the Internet. You cannot obtain a Hotmail account until your computer is clean. Click here to install Microsoft Antivirus." He gives up and calls AOL back, and they help him get his computer cleaned up. Within half an hour, it's off the botnet; and within three hours, it's off the list of attacking hosts, and your uncle can get his AOL email again.

about a year ago
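The two posts above sketch a mechanism rather than code. Below is an added example, not from the posts, of how a listing service of that shape behaves: victims periodically assert which addresses are attacking them, the service publishes only addresses with an assertion inside a freshness window (so a host drops off as soon as its victims stop naming it), and a subscribing site checks the list before serving a client. The service name, window sizes, hostnames and addresses are constructed for illustration; the minimum-reporter threshold is an added safeguard the posts do not discuss.

```python
"""Toy attack-address list service (added example; all values constructed)."""

from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Iterable, Set


@dataclass
class AttackList:
    # Assertions older than this are ignored. The posts suggest hourly
    # re-assertion and a three-hour published list; the figure is an assumption.
    window_seconds: int = 3 * 3600
    # Safeguard not in the posts: require this many distinct victims before an
    # address is published, so one malicious reporter cannot list a host alone.
    min_victims: int = 1
    # address -> {victim -> timestamp of that victim's latest assertion}
    _reports: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def assert_attackers(self, victim: str, addresses: Iterable[str], now: float) -> None:
        """A victim reports the addresses attacking it right now.

        There is no removal call: an address it stops naming simply ages out."""
        for addr in addresses:
            key = str(ip_address(addr))  # normalises and rejects malformed input
            self._reports.setdefault(key, {})[victim] = now

    def current(self, now: float) -> Set[str]:
        """Addresses with enough fresh assertions to be published."""
        listed = set()
        for addr, by_victim in self._reports.items():
            fresh = [v for v, t in by_victim.items() if now - t < self.window_seconds]
            if len(fresh) >= self.min_victims:
                listed.add(addr)
        return listed

    def is_listed(self, addr: str, now: float) -> bool:
        return str(ip_address(addr)) in self.current(now)


def serve(attack_list: AttackList, client_ip: str, now: float) -> str:
    """What a subscribing site does with the list (status line only)."""
    if attack_list.is_listed(client_ip, now):
        return "503 this address is currently reported as attacking other sites"
    return "200 ok"


def demo() -> dict:
    """Walk through the timeline the posts describe, with constructed addresses."""
    hour = 3600
    lst = AttackList()
    # t=0: victim-a reports two bots.
    lst.assert_attackers("victim-a.example", ["198.51.100.7", "203.0.113.9"], now=0)
    # t=2h: victim-a no longer sees 203.0.113.9; victim-b now sees 198.51.100.7.
    lst.assert_attackers("victim-a.example", ["198.51.100.7"], now=2 * hour)
    lst.assert_attackers("victim-b.example", ["198.51.100.7"], now=2 * hour)
    return {
        "bot_at_1h": serve(lst, "198.51.100.7", now=1 * hour),
        "clean_at_1h": serve(lst, "192.0.2.1", now=1 * hour),
        # 203.0.113.9 was last asserted at t=0, so it has aged out by t=3h.
        "stale_at_3h": serve(lst, "203.0.113.9", now=3 * hour),
        # 198.51.100.7 was re-asserted at t=2h, so it is still listed at t=3h.
        "bot_at_3h": serve(lst, "198.51.100.7", now=3 * hour),
        "listed_at_3h": sorted(lst.current(now=3 * hour)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The freshness window is what gives the rapid removal the first post asks for: nothing has to be delisted, a host simply stops being asserted and falls off within one window. The subscriber-side check is deliberately separate from the service so it can run against a locally cached copy of the list, which matters when the subscriber's own link is the one under attack.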

John Romero's Doomy View On Android and Ouya

Frater 219 Daikatana (375 comments)

Well, I suppose Daikatana will be coming out for iOS but not for Android, then?

about a year and a half ago

IPv6 Traffic Volumes Are Low, But Nobody Knows How Low

Frater 219 IPv6 is all over BitTorrent (231 comments)

I have IPv6 through my ISP, Sonic.net. Whenever I use BitTorrent, I see plenty of IPv6 hosts. The reason is pretty obvious to me: if you're passing IPv6 through your home router, you have an externally-reachable IPv6 address ... but you may not have an externally-reachable IPv4 address thanks to your home router's NAT.

Presumably, this means that one incentive for home users getting IPv6 is to get a better-connected BitTorrent network. BitTorrent is pretty popular, but ISPs are never going to tell you "Get IPv6 so you can download movies ... er, I mean, Ubuntu Live CDs! ... faster."

more than 2 years ago

9 Features We May See In Ubuntu 11.10

Frater 219 Re:Killer App? (281 comments)

The easiest place to reach with the mouse is the current position. The second easiest is the four corners of the screen. The third easiest are the four sides of the screen. The hardest place is a square in the middle of the screen. Ancient UI guidelines are still relevant today.

Yep. This is a corollary of Fitts's Law, and while it's often associated with the design of the Macintosh menu bar, the underlying research dates to 1954, thirty years before the Mac.

Sadly, it hasn't been well learned on a lot of systems. Although Windows and Ubuntu both put a useful menu in a corner, few systems but the Mac make really effective use of the screen edge. Windows and many Linux desktops occupy much of one whole screen edge with a rarely used application switcher; but most users switch applications by pointing and clicking, or using keyboard shortcuts like Alt-Tab.

One big win that a lot of systems have benefited from, though, is contextual menus, which take advantage of the current position.

more than 2 years ago

Google Spends $1 Million For Throttling Detection

Frater 219 Re:Google (99 comments)

One problem is that as the size of a corporation increases, the influences on its behavior may become dominated by principal-agent problems and specific motivations of individuals within the corporation. It's easy for the members of a ten-person startup to keep "increasing shareholder value" in mind, but in a ten-thousand-person company, a middle manager or mid-ranking engineer may be much more interested in his or her next quarterly review or promotion.

Furthermore, the internal economy of a large corporation is a command economy, not a free market. In a free market, decision makers can count on prices to show them which goods are the most efficient choices, or which products may be the most lucrative. But within a large corporation, management is expected to know how best to apportion budgets, wages, investments, etc. -- all without the benefit of a pricing mechanism that accurately reflects (internal) needs. And as the corporation gets larger and more heavily capitalized, it becomes more and more different from the outside world, so external signals (such as the prevailing wages in the industry) become less relevant to internal decision-making.

about 3 years ago

Tron: Legacy — Too Much Imagination Required?

Frater 219 I give it a "Sigh..." (429 comments)

I saw it about a week ago. Overall, my biggest impression was one of missed potential.

(Note, here I'm talking primarily about the story and the world-building, not about the cinematography.)

The overall structure was a weakness from the start. Sam Flynn turns out to be yet another Prince Harry character: the heir to the throne who goofs around and avoids his inherited position until he's handed a confrontation that forces him to prove himself, at which point he rises to the occasion as a True Prince. We've seen this before; it's the usual aristocratic nonsense: worth is not achieved, but inherited and then revealed.

Contrast the original: Kevin Flynn was an honest working hacker who was forced to go rogue when he was screwed over by a yuppie coworker. Kevin's triumph was to prove himself as a creator. He set out with the aim of showing that he and not Ed Dillinger was the author of Space Paranoids; and in the end, he accomplished that goal, but in a way that -- through his creative "User power" -- changed the Programs' world for the better.

Sam isn't a creator. He sets out with no particular goals of his own; he is handed all his goals by his inheritance. Kevin Flynn was a creative adult seeking justice; Sam Flynn is an irresponsible rich boy growing up. And that's a story that's been played out far too many times.

One of Legacy's few big world-building ideas is the emergence of the Isos: Programs evolved from the System itself, rather than being created in the image of a User. This could have been huge. But instead it is presented merely to give Sam's love interest a tragic backstory. The war is over; the Isos lost, here's the last surviving princess of a dead race. Give her a hug.

The political vision of the System in Tron is more complex. There are old powers in the System that defy the MCP's regime at personal risk to themselves: Dumont at the I/O Tower. The MCP's assimilation of the whole System into itself is not complete; it can be resisted. In Legacy, CLU's genocide of the Isos is over and done with ... and nobody even bothers to say, "Sam, you dickhead, if you'd logged in yesterday, you could have stopped the fucking Holocaust."

Another new world-building idea is the possibility that a Program could use the laser terminal to escape into the real world: that the laser wasn't limited to objects that originated in the real world (oranges or Kevin Flynns), but could also play back a Program into human form. Thus Quorra's escape; thus CLU's threat to invade our world with armies of Programs.

Well, Tron's MCP didn't need armies to take over the world. The MCP could just hack the Pentagon. In Tron, the deep entanglement of the real world and the System is made clear: the MCP can threaten Dillinger not with armies materializing in ENCOM's laser bay, but with the legal and political forces native to our world.

Ironically enough, the 1982 vision has more in common with today's Internet-enabled reality than the 2010 version. As far as we know, the System in Legacy isn't even on the Net: it's a dusty minicomputer sitting in the basement of Flynn's Arcade with barely enough connectivity to reach Alan Bradley's pager.

Ultimately, CLU is much less of a real-world threat than the MCP. The MCP had taken over the System that ENCOM used to do its business, and was extending tentacles into banks, major governments, and who knows what else. CLU's domain is that one minicomputer; the big threat would be shut off if Alan or Sam had just unplugged the laser terminal.

Both of the above two problems point at a bigger problem with Legacy: it ultimately doesn't take Programs and the System seriously as an independent sort of intelligent existence rather than a mere imitation of our world.

Quorra longs to see the sun; CLU wants to get out into our world to "perfect" it; the Programs have nightclubs and sports arenas imitating human ones. The way it's presented in Legacy, the best thing that could happen to a Program is to get out of the confining, artificial System into the authentic, sun-blessed, material world.

That notion is alien to the original. Tron, Yori, and Dumont may revere the Users but they don't want to become Users. They want to free their own world and live in it pursuing their own purposes -- not escape into the human world. They aren't imitation humans who want to grow up to be Real Boys like Pinocchio -- they're Programs, and they know what their purpose is in life: it's to fulfill the goals their Users set up for them.

(Extra bonus for real sf nerds: Tron's Programs may have something in common with C. J. Cherryh's azi: confidence of purpose. As Grant would put it, self-doubt is for born-men. Azi do not wish they were born-men; azi take refuge in the certainty that born-men lack.)

And speaking of lost story potential, how about Rinzler? Anyone who'd seen the original knows that Rinzler is a hacked-up copy of Tron from his very first appearance, thanks to the "T" insignia on his chest. Kevin Flynn mentions it once in passing, and at the end it's clear that Rinzler is "rebooting" back into Tron. But Rinzler hasn't had enough character development for us to care: he's a literally faceless killing machine. And as killing machines go, he's got less character than Darth Maul, and that's saying something.

All in all, Legacy came across to me as too circumscribed of a world, and Sam Flynn as too much of a True Prince cardboard character. Movie-wise, I wanted to see more of the Isos and a lot less of Dr. Frank-N-Furter.

more than 3 years ago

EFF Offers an Introduction To Traitorware

Frater 219 Your digital camera knows your location? (263 comments)

Your digital camera may embed metadata into photographs with the camera's serial number or your location.

Record your location? Sure, if it's a smartphone with GPS. For standalone cameras, GPS is not exactly a common feature. There are about two models of pocket digital camera on the market that have GPS, and not very many SLRs with it either ... go look. Those that have it make no secret of it; it's actually a big marketing point for people who want to record where they've been taking pictures.

As for smartphone models, I don't know about the Apple or Windows offerings, but Android's camera app exposes it as an option right on the main screen, next to the flash and focus settings ... and I'm pretty sure it defaults to off. People turn this on because they actively want it.

Rather than scaring people about what their devices might be recording, it would be a lot more useful to tell people how to find out what tags are on their photos. For instance, the Linux command line program "exiftags" will tell you this kind of stuff: (Picked from a random image file I had lying around on my laptop.)

Camera-Specific Properties:

Equipment Make: OLYMPUS OPTICAL CO.,LTD
Camera Model: C2500L
Camera Software: Adobe Photoshop CS Macintosh
Maximum Lens Aperture: f/2.6

Image-Specific Properties:

Image Orientation: Top, Left-Hand
Horizontal Resolution: 173 dpi
Vertical Resolution: 173 dpi
Image Created: 2004:02:27 18:52:21
Exposure Time: 1/5 sec
F-Number: f/6.9
Exposure Program: Manual
ISO Speed Rating: 100
Exposure Bias: 0 EV
Metering Mode: Center Weighted Average
Flash: No Flash
Focal Length: 20.70 mm
Color Space Information: Uncalibrated
Image Width: 736
Image Height: 767

more than 3 years ago
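The comment's practical advice is to look at what tags a photo actually carries. As an added example (not part of the comment, and not the exiftags program), here is a small EXIF walker in Python that parses the TIFF structure EXIF uses, follows the Exif and GPS sub-IFDs, and flags the tags that reveal device identity or location. The sample image is constructed in code rather than read from disk; its Make and Model echo the exiftags output above, the serial number is a placeholder, and only ASCII and LONG fields are decoded, which is enough to spot the presence of serial-number and GPS tags.

```python
import struct

# Tag names by IFD (subset; tag numbers are from the EXIF/TIFF specifications).
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x8769: "ExifIFD", 0x8825: "GPSIFD"}
EXIF_TAGS = {0xA431: "BodySerialNumber"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
SENSITIVE = {"BodySerialNumber"} | set(GPS_TAGS.values())


def tiff_from_jpeg(data: bytes):
    """Return the TIFF payload of the APP1 'Exif' segment, or None if there is none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                                   # end of image
            break
        length, = struct.unpack_from(">H", data, pos + 2)    # includes its own 2 bytes
        seg = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            return seg[6:]
        pos += 2 + length
    return None


def read_tags(tiff: bytes) -> dict:
    """Walk IFD0 and its Exif/GPS sub-IFDs; decodes ASCII (type 2) and LONG (type 4)."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, first_ifd = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    found = {}

    def walk(offset, names):
        n, = struct.unpack_from(endian + "H", tiff, offset)
        for i in range(n):
            entry = offset + 2 + 12 * i
            tag, typ, count = struct.unpack_from(endian + "HHI", tiff, entry)
            field_off = entry + 8            # 4-byte value, or offset to it if longer
            if typ == 2:
                src = field_off if count <= 4 else struct.unpack_from(endian + "I", tiff, field_off)[0]
                value = tiff[src:src + count].rstrip(b"\0").decode("ascii", "replace")
            elif typ == 4 and count == 1:
                value, = struct.unpack_from(endian + "I", tiff, field_off)
            else:
                value = f"<type {typ} x{count}>"
            if names is IFD0_TAGS and tag in (0x8769, 0x8825):   # sub-IFD pointers
                walk(value, EXIF_TAGS if tag == 0x8769 else GPS_TAGS)
            else:
                found[names.get(tag, f"0x{tag:04X}")] = value

    walk(first_ifd, IFD0_TAGS)
    return found


def privacy_findings(tags: dict) -> list:
    """Names of present tags that identify the camera body or its location."""
    return sorted(t for t in tags if t in SENSITIVE)


# --- constructed sample image (no real file involved) -------------------------
def _ifd(entries, base):
    """Pack one little-endian IFD at file offset `base`; long ASCII data follows the table."""
    n = len(entries)
    table, data = struct.pack("<H", n), b""
    data_start = base + 2 + 12 * n + 4
    for tag, typ, payload in entries:                     # entries sorted by tag
        if typ == 2:
            if len(payload) <= 4:
                value = payload.ljust(4, b"\0")
            else:
                value = struct.pack("<I", data_start + len(data))
                data += payload
            table += struct.pack("<HHI", tag, typ, len(payload)) + value
        else:
            table += struct.pack("<HHII", tag, typ, 1, payload)
    return table + struct.pack("<I", 0) + data            # no next IFD


def build_sample_jpeg() -> bytes:
    make, model = b"OLYMPUS OPTICAL CO.,LTD\0", b"C2500L\0"
    exif = [(0xA431, 2, b"PLACEHOLDER-SERIAL\0")]         # placeholder serial number
    gps = [(0x0001, 2, b"N\0"), (0x0003, 2, b"W\0")]

    def ifd0(exif_ptr, gps_ptr):
        return _ifd([(0x010F, 2, make), (0x0110, 2, model),
                     (0x8769, 4, exif_ptr), (0x8825, 4, gps_ptr)], 8)

    exif_off = 8 + len(ifd0(0, 0))                         # size is pointer-independent
    gps_off = exif_off + len(_ifd(exif, exif_off))
    tiff = (b"II" + struct.pack("<HI", 42, 8) + ifd0(exif_off, gps_off)
            + _ifd(exif, exif_off) + _ifd(gps, gps_off))
    payload = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    tags = read_tags(tiff_from_jpeg(build_sample_jpeg()))
    for name, value in tags.items():
        print(f"{name}: {value}")
    print("privacy-relevant:", privacy_findings(tags))
```

On a real file, read the bytes and pass them to `tiff_from_jpeg`; a `None` result means the image carries no EXIF block at all, which is the common case for images that have been through a web upload pipeline that strips metadata.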

Mr. Pike, Tear Down This ASCII Wall!

Frater 219 Re:Haskell (728 comments)

If your language actually uses the character U+23C7 "DENTISTRY SYMBOL LIGHT DOWN AND HORIZONTAL WITH WAVE" as an operator, your editor will let you type it with a simple keyboard combination, like Compose-T-~. If you're using U.S. Windows and have to resort to Alt+numbers to type things, you're silly.

more than 3 years ago

How Much Math Do We Really Need?

Frater 219 Re:What World Does He Live On? (1153 comments)

The problem isn't that math isn't important. The problem is that the math being taught isn't important.

Yes. Exactly.

Fuck calculus. You don't need it unless you're going into one of a few specific fields. But there are whole swaths of math that most folks completely miss, that are directly applicable to everyday life:

Probability and statistics. No, not for understanding the census, nor for gambling -- rather, for understanding what's meant by words like "evidence". Bayesian probability can be taught to anyone who can understand percentages and division, and it can be straightforwardly applied to reasoning about the everyday world.

Proof and logic. The notion of logical proof has been around since Aristotle, but symbolic logic is much newer. Nonetheless, the notion of logical validity of an argument, of conclusions following from premises, is directly applicable to all sorts of real-world decision-making. Logic is also an obvious point to dovetail math into the humanities, via the analysis of written arguments.

Abstract algebra. Not the proofs, nor the deep abstractions, but rather the notions of properties such as commutativity, associativity, etc. and the idea that these can be applied to any sorts of operations, not just "mathematical" ones. Does it matter if you mix the eggs in before the butter? Do you need to do X separately to A, B, and C, or can you put A+B+C together and then do X all at once? The notion that some situations or problems have the same structure as others is itself pretty powerful. (And lends itself to comparison with the literary idea of analogy.)

more than 3 years ago

Colleges Risk Losing Federal Funding If They Don't Fight Piracy

Frater 219 I used to work at a college ... (285 comments)

... a small one. Here's what our policy to prevent piracy would have been:

Please don't pirate stuff too much. If we get notices saying that you're pirating stuff and asking you to quit, we'll call you in to the office and give them to you. If we get court orders telling us to give them your name, we'll probably have to do that, since we can't afford lawyers much.

If you really have to pirate stuff, please at least try to leech it off of your friends on the LAN rather than flooding our dinky little Internet uplink. Because if you do that, we'll probably end up blocking your IP address for a while so that email and our Debian updates can get in.

And while you're at it, here's the address of the porn server that some freshman set up. Get your porn over there, please don't mirror all of abbywinters.com over our connection.

more than 3 years ago

Falsehoods Programmers Believe About Names

Frater 219 Re:I don't know what the complaint is about? (773 comments)

Check out the huge regex at the bottom of the RFC 5322 compliant validator from CPAN:

Honestly, this sort of thing is an example of overusing regex when it's the only parsing tool they know. Regex becomes unwieldy when you put too much of it in one place -- but this is because regex is unwieldy, not because the problem of parsing email addresses is fundamentally hard. Parsing email addresses is a case for a modular parser such as Parsec (or any of its ports and imitators) ... which will give you the added advantage of useful error messages on invalid input, instead of just a match failure.

Moreover, isn't it kind of silly to point at an example of someone already having written the code to do something as a way of saying that doing it is difficult? In code, once it's already been done once, correctly, it doesn't need to be done again. If you think CPAN's huge regex (or any other implementation) is correct, and you've tested it to your satisfaction, you don't need to reimplement it; just use it.

more than 3 years ago
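The comment's point is that a modular parser reports where and why input is invalid, where a regex only fails to match. As an added example (not part of the comment, and not Parsec or any CPAN module), here is a small recursive-descent parser for a simplified addr-spec in Python: a dot-atom or quoted-string local part, an "@", and a dotted domain. The grammar is deliberately a subset of RFC 5322 (no comments, folding whitespace, domain literals or obsolete forms), and the error messages carry the offset at which parsing stopped.

```python
import string

# atext per RFC 5322 section 3.2.3 (the characters allowed in an unquoted atom)
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


class AddressError(ValueError):
    def __init__(self, msg: str, pos: int):
        super().__init__(f"{msg} at position {pos}")
        self.pos = pos


class Parser:
    """Hand-written recursive descent over a simplified addr-spec grammar."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str, what: str) -> None:
        if self.peek() != ch:
            raise AddressError(f"expected {what}", self.i)
        self.i += 1

    def atom(self, what: str) -> str:
        start = self.i
        while self.peek() in ATEXT:          # peek() returns "" at end, never in ATEXT
            self.i += 1
        if self.i == start:
            raise AddressError(f"expected {what}", self.i)
        return self.s[start:self.i]

    def dot_atom(self, what: str) -> str:
        parts = [self.atom(what)]
        while self.peek() == ".":
            self.i += 1
            parts.append(self.atom(f"{what} after '.'"))   # "a..b" and "a." are errors
        return ".".join(parts)

    def quoted_string(self) -> str:
        self.expect('"', "opening quote")
        out = []
        while True:
            c = self.peek()
            if c == "":
                raise AddressError("unterminated quoted string", self.i)
            self.i += 1
            if c == '"':
                return "".join(out)
            if c == "\\":                     # quoted-pair: backslash escapes next char
                c = self.peek()
                if c == "":
                    raise AddressError("dangling backslash", self.i)
                self.i += 1
            out.append(c)

    def local_part(self) -> str:
        return self.quoted_string() if self.peek() == '"' else self.dot_atom("local-part atom")

    def addr_spec(self):
        local = self.local_part()
        self.expect("@", "'@' after local-part")
        domain = self.dot_atom("domain label")
        if self.i != len(self.s):
            raise AddressError(f"unexpected character {self.s[self.i]!r}", self.i)
        return local, domain


def parse_address(text: str):
    """Return (local_part, domain) or raise AddressError with a position."""
    return Parser(text).addr_spec()


def diagnose(text: str) -> str:
    """Human-readable verdict, the kind of message a regex match failure cannot give."""
    try:
        local, domain = parse_address(text)
        return f"ok: local={local!r} domain={domain!r}"
    except AddressError as e:
        return f"invalid: {e}"


if __name__ == "__main__":
    for sample in ["john.doe@example.com", '"a b"@example.com',
                   "john..doe@example.com", "john@", "john", "a@b.c,d"]:
        print(f"{sample!r:28} {diagnose(sample)}")
```

Each production is a method, so extending the grammar (a domain literal, say) means adding one method rather than splicing more alternation into a single expression, and every failure names the production that was expected at the point of failure.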

Police Officers Seek Right Not To Be Recorded

Frater 219 The Gandhicam Project (1123 comments)

For folks who want to record the cops (or anyone else) and be sure that the footage will get to the world instead of being destroyed when they steal your camera phone: check out the Gandhicam project. This is an app for your Android phone that lets you take pictures or video and automatically send it to the net, either by HTTP upload or by email.

This doesn't stop them from filing criminal charges afterward, but that's why you donate to the ACLU and the EFF.

more than 3 years ago

Novell Wins vs. SCO

Frater 219 Re:Seven years for eight hours work (380 comments)

Really, the only way that SCO was going to recover was with a court victory, and while the probability of that wasn't 0, it was as damn near to it as possible for practical applications.

There are people who believe things out of spite. Remember when the SCO case got started? There were plenty of folks -- chiefly in the "open-source haters" end of the trade press, but I met a few in industry, too -- who dearly wanted to see the "upstart" Linux smacked down hard.

It may be hard to believe it now that Linux is everywhere in the industry -- from the datacenter to the cell phone, from the Oracle database server to the displays on the backs of airplane seats -- but just a few years ago, plenty of people would have called you an "open-source zealot" if you said that it was worth using anywhere at all in business. And lots of traditional business people really wanted to see Linux dry up and blow away. Plenty of those people would have put hope, and a few bucks, behind the SCO suit.

about 4 years ago

Memorizing Language / Spelling Techniques?

Frater 219 The only way to learn is to use it. (237 comments)

Having studied eight foreign languages (French, Spanish, German, Latin, Ancient Greek, Russian, Japanese, and Finnish) in my life, and after talking this theory over with friends who have attained fluency in some really different languages (e.g. Spanish and Bahasa Melayu), I feel safe in stating this here in pretty strong terms:

The only way to learn a language is to use it.

The only sort of "classroom" language class that works worth a damn is an immersion class, in which during the class period you do not speak any language other than the one you're studying. Even classroom instructions ("Open your book to page 23") are in the language, once you've learned numerals.

The worst language classes I've taken have been ones in which the foreign language being studied is treated as a matter of abstract grammar and vocabulary to be memorized, not used ... and in which the teacher spends most of their time telling anecdotes in English about their experiences in the culture in question. I took two years of Russian in high school and a year of it in college -- and forgot more Russian than I learned in that last year, since the teacher spent the class time telling stories (in English!) about run-ins with the KGB, instead of helping us practice speaking and reading Russian.

As regards Chinese: I've never studied Chinese, but I have studied Japanese including kanji, albeit only to the extent of a couple hundred kanji. The above applies fully to kanji, and I expect it applies to hanzi (Chinese characters) as well -- in order to learn them, you have to use them. Write them. Come up with silly sentences and write those. Don't just use flash cards and memorization; come up with things that you want to say in Chinese (even if just to be silly) and say those things with hanzi.

The other half of the equation, of course, is to get someone who is fluent to respond to your crude childish attempts at speaking and writing. That's the point of a good language class: you get to make the sort of errors that a little kid makes, and they correct you. That method of language acquisition works for little kids, and it works for adults too if they're willing to be childish for a while.

more than 3 years ago

Schooling Microsoft On Random Browser Selection

Frater 219 Re:What's the problem? (436 comments)

The point of the article is not to accuse Microsoft of wrongdoing. It's to use a highly visible example -- a screen that will be presented to every Windows user in Europe! -- to teach a computer science lesson to programmers.

more than 4 years ago

The 25 Most Dangerous Programming Errors

Frater 219 Re:Sanitization is a worrying term to use. (534 comments)

Unfortunately there are a few cases where you can't do that. No way to use a prepared statement for an "IN" clause, for instance.

You could always use the technique the DBMS gives you for encapsulating complex query logic and passing parameters into it ...

... stored procedures!

Cue screams of terror; cue fist-waving and incoherent irate noises. These will be heard from people who never cared to actually learn how their DBMS works, or who think of the DBMS as some foreign thing that their application throws data at once in a while.

(Your application does not use a DBMS. Rather, a DBMS is one of your application's components. If your app contains a DBMS but you don't know what it's doing, you are in the same camp as "programmers" who do not know how their language's object model works, or who are a little rusty on whether a loop with a false loop condition executes zero times or once. That is: you are not a programmer; you are a burger-flipper who sometimes farts out bad code.)

Stored procedures are not the chapter of your DBMS manual that was put in there to pad it out so it qualified for the better binding at the publisher. Nor were they put in there just to entertain your DBA. Stored procedures let you simplify the interface between your DBMS and the rest of your application, and this can radically improve your overall security.

more than 4 years ago
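The exchange above is about keeping the caller's values out of the SQL text. As an added example (not from the thread, and not tied to any particular DBMS's stored-procedure syntax), here is the string-built IN clause that the parent worries about, shown deliberately vulnerable, beside two parameterised versions in Python's sqlite3: one placeholder per value, and a fixed statement that takes the whole list as a single bound parameter, which is the shape of the stored-procedure call the reply recommends. SQLite has no stored procedures, so the single-parameter form uses the json1 extension's `json_each` instead; the table, rows and hostile input are constructed for the example.

```python
import json
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def names_by_ids_unsafe(conn, ids) -> list:
    # Deliberately vulnerable: the caller's values become part of the SQL text,
    # so anything that is not a bare integer rewrites the query.
    sql = "SELECT name FROM users WHERE id IN (%s)" % ", ".join(str(i) for i in ids)
    return sorted(r[0] for r in conn.execute(sql))


def names_by_ids_placeholders(conn, ids) -> list:
    # One '?' per value; the values are bound separately from the SQL text.
    ids = [int(i) for i in ids]            # reject anything that is not an integer
    if not ids:
        return []
    sql = "SELECT name FROM users WHERE id IN (%s)" % ", ".join("?" * len(ids))
    return sorted(r[0] for r in conn.execute(sql, ids))


def names_by_ids_one_param(conn, ids) -> list:
    # Fixed statement text with one parameter carrying the whole list as JSON,
    # the same shape as passing an array to a stored procedure. Falls back to
    # per-value placeholders if this SQLite build lacks the json1 extension.
    ids = [int(i) for i in ids]
    sql = "SELECT name FROM users WHERE id IN (SELECT value FROM json_each(?))"
    try:
        return sorted(r[0] for r in conn.execute(sql, (json.dumps(ids),)))
    except sqlite3.OperationalError:
        return names_by_ids_placeholders(conn, ids)


def demo() -> dict:
    conn = fresh_db()
    hostile = ["0) OR role = 'admin' --"]      # constructed hostile input
    try:
        blocked = names_by_ids_placeholders(conn, hostile)
    except ValueError:
        blocked = "rejected: not an integer"
    return {
        "honest": names_by_ids_unsafe(conn, [2]),
        "hostile_unsafe": names_by_ids_unsafe(conn, hostile),   # returns the admin row
        "hostile_safe": blocked,
        "one_param": names_by_ids_one_param(conn, [1, 3]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The single-parameter form is the one that gives the reply's benefit of a narrow interface: the application sends one fixed statement and one typed value, and the database-side logic (a stored procedure on systems that have them, a table-valued function here) does the rest, so there is no statement text for the caller's data to alter.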

Microsoft To Delete Bing IP Data After 6 Months

Frater 219 Re:Privacy (101 comments)

After Google's CEO's comments about privacy is only wanted by wrongdoers

Except, of course, that he never said that. He was asked in an interview whether users should consider Google as a "trusted friend" -- and he said no. He said that if you're doing something that you don't want anyone to know about, doing it on Google is a bad idea ... since Google is just as subject to U.S. law, including the USA PATRIOT Act, as any other company is.

He didn't say that only wrongdoers want privacy and that everyone should trust Google. He said that if you want perfect privacy, you can't get it from Google, because the law doesn't allow it. That's pretty much the opposite!

more than 4 years ago

Submissions

Frater 219 hasn't submitted any stories.

Journals


Observations on Words and Things

Frater 219 Frater 219 writes  |  more than 9 years ago

1. A word is not the same as the thing it describes.

There is an old dictum in mysticism: Ipsum Nomen Res Ipsa -- "the name itself [is] the thing itself." This is a rule for hypnotizing oneself or others to change our perceptions of the universe to fit our ideas. This rule is the opposite of the rule of science, which is to change our ideas (theories) to fit our perceptions of the universe (observations).

Corollary 1a -- Lincoln's Law: Calling a tail a leg doesn't make it one.

The practical conclusion of the above rule is that we cannot alter reality simply by changing the names by which we refer to things. There are good reasons for changing names sometimes, specifically when we find that the old names do not accurately reflect observations. However, when we change names out of wishful thinking (calling a dog's tail a leg) we set ourselves up for delusion and disappointment.

Worse, when we assent to others' redefinition of the words that describe the world, we are effectively under their spell. Who is doing Black Magick upon you? (What does the word "waffle" make you think of?) Reality is ultimately reality-based, not faith-based, and the credibility gap is a tension between the two. When it snaps, people do get killed.

2. There's always the chance the guy is lying to you.

This insight is famously ascribed to David Hume, but outside of credulous Christendom it may simply never have been needed: Whenever someone tells you that a miracle (or other unlikely event) has occurred, consider the following. There is a probability M that a miracle actually has occurred. There is also a probability L that the person who is telling the tale is lying or simply mistaken. As long as L > M, we have no reason to believe in miracles, wild advertising claims, or other unlikely stories.

3. Popularity and correctness are not strongly correlated.

Corollary 3a: Ten million people could be wrong.

Sometimes ideas are useful, but unpopular -- either because few people have heard of them or been convinced of them yet, or because they have gone out of fashion.

Corollary 3b: They laughed at Gandhi, but they also laughed at Bozo the Clown.

Being original is not, in itself, any guarantee of being right. Likewise, the fact of being rejected is no assurance that you're on the right track. Sometimes, first they ignore you, then they laugh at you, then you figure out you're being a dork and quit it.

4. People who sound totally sure might just be trying to convince themselves.

If a person is absolutely insistent on some point, it may well be that he (or she) is working under the rule of mysticism rather than that of science: rather than trying to come up with statements that accurately describe the world, he is trying to convince himself that the world is how he wants it to be.

It's not always the case, though. Sometimes we find that in order to prevent harm, we need to do some magic or politics -- same thing -- even for ideas that we have discovered by science. Otherwise we end up with creationism in the public schools and pi being declared equal to 3 by legislative fiat. Sometimes we do have to insist that we're right and the other guy is wrong. But we have to offer evidence, not just assertion -- and we have to be careful (not certain, but careful) that we aren't letting our ideas run away with us.
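Point 2 above, written out with Bayes' rule as an added derivation (not part of the journal entry). Let $R$ be the event that someone reports the miracle, $M$ the prior probability that it occurred, and $L$ the probability that such a report would be made anyway, by lying or mistake, when nothing occurred:

$$
P(\text{miracle} \mid R) \;=\; \frac{M \cdot P(R \mid \text{miracle})}{M \cdot P(R \mid \text{miracle}) + (1 - M)\,L}
$$

Granting the reporter the benefit of the doubt that a real miracle would certainly be reported, $P(R \mid \text{miracle}) = 1$, the report makes the miracle more likely than not exactly when

$$
M \;>\; (1 - M)\,L \quad\Longleftrightarrow\quad M \;>\; \frac{L}{1 + L},
$$

and for the small values of $L$ at issue the threshold $L/(1+L)$ is essentially $L$ itself, which is the comparison of $L$ against $M$ the entry makes.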


Achy Breaky DOCs

Frater 219 Frater 219 writes  |  more than 9 years ago

I don't think apologies to Billy Ray Cyrus are really necessary, but ...

Achy Breaky DOCs

You can send me spam
Or just fill up my RAM
With ancient cheesy forwards in my box
But if you give a screw
'Bout what I read from you
You'd damn well never send me DOCs!

Just don't send me DOCs
Those Microsoft .DOCs
I just don't want 'em in my mail
And if you send me DOCs
Those goddamn Word file DOCs
I'll have to send my answer back in Braille.

Just send me text/plain
It really is a pain
To see eight megs of binary to say:
"Good morning, how are you?
I'm doing lovely too,
I really must be going now -- good day!"

Or send HTML
I think it's really swell
And I can read it up in Firefox
But, sir or madam, please
I'm beggin' on my knees
Just lay off the Microsoft .DOCs!

Yeah, don't send me DOCs
Pro-pri-e-tar-y DOCs
Not everyone sucks Billy Gates's wang
And if you send me DOCs
Those freakin' Word file DOCs
Ya better know I'll just delete the thang.

Look, send me EXEs
Sure, give me Sobig -- please!
It won't even faze my Unix box
But if what you need
Is to send me stuff I'll read
Then don't bother sending it with DOCs.


Why ethicists don't sleep with other people's wives

Frater 219 Frater 219 writes  |  more than 9 years ago

I live with a philosophy graduate student. It's contagious. Note, none of these are particularly meant to be offensive, except possibly the Peter Singer one. Sorry, Pete, I just couldn't resist a zoophilia joke.

The moral realist doesn't sleep with other people's wives because it would be wrong.

The Kantian doesn't do it because if everyone did that, someone would be sleeping with his wife.

The natural law theorist doesn't do it because it would be a violation of the marriage contract.

The emotivist doesn't because -- ew, yuck, sleeping with other people's wives!

The consequentialist doesn't because he doesn't want to sleep with a woman who would cheat on her husband.

The cultural relativist doesn't do it because the culture he lives in rather arbitrarily happens to value sanctity of matrimony.

The utilitarian doesn't because he figures that extramarital affairs cause more bad than good.

The moral skeptic doesn't for no particular reason.

The hedonist doesn't because he doesn't feel like it.

Peter Singer doesn't do it because there's nothing that makes other people's wives ethically preferable over, say, goats.

The virtue ethicist doesn't do it because what kind of a person would he be if he did?

The feminist doesn't because other people's wives are usually straight.

You might be a closed-source twerp if ...

Frater 219 writes  |  more than 9 years ago You might be a closed-source twerp if ...

  • You've chosen a piece of software not for its features or benefits but because it is not open source.
  • Despite the numerous copyright- and patent-violation lawsuits that have been filed, adjudicated, and settled against Microsoft, you think it's more likely that Linux contains "stolen intellectual property" than that Windows does.
  • When someone in your organization proposes use of an open-source product, you've retorted, "Not everything has to be open source!"
  • You refer to a reasoned preference for open source software as a "bias" or "religion".
  • Despite the existence of Red Hat, Digium, MySQL AB, Zope Inc., and other open-source companies, you believe that open source software is "non-commercial" or "anti-corporate".
  • You have referred to open source software as "communist".
  • You have referred to Eric S. Raymond as a "socialist".
  • You have conflated open-source licenses with "the public domain", or claimed that open-source software is "not copyrighted".
  • You take Laura DiDio or Rob Enderle seriously.
  • You crack BSD/LSD jokes to imply that Unix or open-source programmers are insane or unreliable.
  • You believe that Linux or Unix cannot be used "on the desktop", but you have never tried it or asked anyone who does it about their experience.
  • When someone points out that Mac OS X is a desktop Unix system, you retort that it isn't "really" Unix -- despite the C shell, POSIX compliance, BSD kernel, X11 ....
  • You think that software users should bear liability for copyright infringement committed by software publishers, thus necessitating "indemnification" -- even though you would never claim that readers of the New York Times would be liable for a plagiarism committed by a Times reporter.
  • You think that Linux, in its present form, was cooked up by some college student in a basement.
  • You think that Linux, since it is based on the design of Unix, is "30-year-old technology" and therefore inferior -- as if software designs were to be judged on their novelty rather than their reliability.
  • Despite the number of Linux systems that Dell, HP, IBM, and other major vendors ship to large corporations and other institutions, you believe that "Linux is not ready for the enterprise".
  • You note that only a small fraction of the computers in the world run Linux or BSD, and conclude that open-source software is of little consequence -- selectively ignoring the fact that 60+% of all Web servers in the world run the open-source Apache software.
  • You think that open-source software is likely to contain Trojan horses, because anyone can modify it.
  • Although you know that The SCO Group's legal arguments are unfounded and that they have presented no evidence of their claims, you hope that they will win anyhow, to show those irritating open-source upstarts that business should be about power rather than mutual benefit.
  • You think that Sun Java Desktop is a Java-based product, not a Linux distribution.
  • You think that the GNU General Public License (GPL) is an end-user license agreement, or that using GPLed software involves giving up rights you would otherwise have.
  • You think that open-source projects are each the work of an individual volunteer programmer, so that when the one programmer responsible for Linux or PostgreSQL or Apache gets bored with it, there will be no more support available.
  • A security vulnerability in mySQL is a "Linux security hole", but a security vulnerability in Microsoft SQL Server is not a "Windows security hole". That is, the fact that Linux distributors ship more third-party software should be considered a problem, not a virtue.

My question for John Kerry

Frater 219 writes  |  more than 10 years ago From time to time in our nation, religion and religious faith have become contentious political issues. While we may prefer (as I certainly do) that religion remain a private matter and outside of politics, this is not always possible. Important political movements such as Abolitionism, Martin Luther King Jr.'s Civil Rights movement, and more recently the Religious Right have all sprung from the nexus of religion and politics. We cannot, therefore, ignore or set aside candidates' religious views and practices when considering them for the Presidency.

My question is this: What religious view were you and President Bush expressing -- what religion were you practicing -- when, as undergraduates at Yale University you both bowed down to an idol of the Prince of Darkness? As members of the Brotherhood of Death, or Order of Skull and Bones, you both participated in rituals explicitly Satanic in tenor and content. Does this fact leave you prepared to govern a nation whose populace is majority Christian, most of whom believe that the Devil is quite real and active in the world?

We can all see from every day's headlines the result of electing one member of the Brotherhood of Death to the presidency. Why in the world -- or in the underworld, perchance? -- should we suffer another to ascend to that seat?

Rainy Day Lawyers #12 and #35

Frater 219 writes  |  more than 10 years ago

Well, they'll sue you just to pump and dump their stocks
And they'll sue you when you're hackin' on your box
And they'll sue you for a secret they don't got
And their filings all were written high on pot
                But I would not feel so all alone
                Everybody must get SCOed.

They'll sue you when you claim your copyrights
And they'll sue you 'cause they just like startin' fights
And they'll sue you when you're recompilin' code
And they'll sue you when you tell 'em all to FOAD
                And I would not feel so all alone
                Everybody must get SCOed.

They'll sue you with their lawyer David Boise [1]
And they'll sue you in Utah and in New Joisey
And they'll sue you just for picking up the phone
And they'll sue you over stuff that they don't own
                And so I would not feel so all alone
                Everybody must get SCOed.

They'll sue you over standard header files
And their CEO's got sixteen smarmy smiles
They'll sue you for a contract with Novell
And they'll sue you when you tell 'em "go to hell"
                But I would not feel so all alone
                Everybody must get SCOed.

They'll sue you over errno and ls
They'll sue you for just anything, I guess!
And they'll sue you 'cause their business plan's no good
And they'd sue us all together if they could!
                So I would not feel so all alone
                Everybody must get SCOed.

[1] If the urinalists can't spell "Boies" right, why should I?

76 Portscans

Frater 219 writes  |  more than 10 years ago Warning: This is really extremely silly. I wrote it some years ago while punchy from a nasty spate of break-ins. The tune is, of course, the obvious song from "The Music Man".

76 port scans at the firewall
With 110 h4x0rz close behind
There were more than a thousand d00dz
With their black hat 'tudes
There was pr0n of every shape and kind!

76 FIN scans through the firewall
Whacked 110 (POP3 -- that's your mail)
They were Snorted by rows and rows
Of the finest sysadmofos
And all the cr4x0rz went to jail.

There were shellscript hacking lamers in the DMZ
Thundering, blundering, flaming on the IRC
There were triple-breasted porno sites
And spammers selling Vegemite
And mailbombing like a random jerk!

76 script kids whacked the firewall
And 110 bytes smashed through the stack
They were followed by piles and piles
Of rootkits out for miles
Trying Windows exploits on my Mac!

There were fifty mounted DDoS spewing UDPs
Someone told them we were the WTO
There was Hipcrime hosing USENET groups
And Sendmail bouncing email loops
And spam from a Russian teenaged 'ho!

76 SYN floods hit the firewall
And 110 seg faults dumped the core
I was doing an fs check
On a brand-new punch card deck
And they spilled it all over the floor!

Predictions for 2004 [Updated Dec. 31 2004]

Frater 219 writes  |  more than 10 years ago Update: I made a set of predictions New Year's Day 2004. It's now the end of the year. Some of them have come to pass. Others have been disproven. Here's how it goes:

  1. SCO will lose, or drop its case and go out of business. However, no SCO principals will be brought to justice for abuse of legal process. Microsoft will pretend never to have been involved.
    • The trial shows no sign of going away soon. Sigh.
  2. The U.S. dollar will continue to sink versus the euro and versus gold. Lack of confidence in the U.S. economy will be largely due to failures of corporate accountability and the continuing costs of the Iraq occupation.
    • Gold has risen from $415 in January to $438 as of December. The euro has risen from $1.15 to $1.36 in the same time frame. Not bad.
  3. Microsoft and its allies will release increasingly tightly controlled end-user systems. They will be increasingly inappropriate for enterprise reliability and control needs.
    • Microsoft has been pretty quiet on the technical-control front, instead continuing legal "licensing" threats and FUD.
  4. During the first quarter of 2004, a European nation will demand extradition of a ROKSO-level spammer from the United States.
    • Didn't happen. We did see the prosecution, conviction, and sentencing in the U.S. of Jeremy Jaynes, aka Gaven Stubberfield. Jaynes was the ROKSO-level spammer responsible for the "horse porn" zoophilia spam that my users are so glad to be rid of.
  5. Red Hat's market share in the United States will decline somewhat as Novell's SuSE takeover yields a manageable enterprise Linux. As with the old SuSE, this will not be 100% Open Source. Red Hat will remain profitable.
    • Red Hat is still profitable. Novell has made SuSE more, not less, open source; and has released instead a desktop Linux system.
  6. Armed conflict will continue in Iraq throughout 2004. A major new front will emerge between Turkey and the Kurds of northern Iraq, possibly including violence targeting civilians on either side.
    • Turkey and the Kurds seem to be a non-issue. The word "quagmire" came and went -- right now, it seems ''worse'' than just a quagmire. Perhaps a fireswamp.
  7. The current Debian testing will be released as Debian GNU/Linux 4.0 by mid-year.
    • Didn't happen, and they're calling it 3.1 anyhow. Instead, more and more people seem to be treating testing as stable right now, including using it on servers.
  8. At least two worm outbreaks of similar scale to Code Red, Slammer, and Welchia will attack Windows systems worldwide. The Linux, BSD, and Mac OS X platforms will remain free of widespread viruses and worms, despite rising popularity.
    • Not so far. Spammer viruses spread by email continue to be a big pest on Windows -- using social engineering and Microsoft vulnerabilities to propagate. Alternative platforms have gained in popularity but still not seen a widespread virus or worm.
  9. A majority of the captives held at Guantánamo Bay will be released without charges.
    • Many have been released. Not most.
  10. European and other non-United-States government agencies will increasingly migrate IT operations to Linux and other Free Software systems.
    • Several have, yes.
  11. Electronic voting will be a debacle, and its current advocates in government will distance themselves from it.
    • It has been a debacle this year, although not as much as the general lack of transparency and accountability, with "national security" frauds kicking media observers out of vote counts in Ohio. The discrepancy between exit polls and reported election results remains unexplained.
  12. John Ashcroft will leave office.
    • And there was much rejoicing. (Yaay.)

Software as Property and as Writing

Frater 219 writes  |  more than 10 years ago My last essay here was rather insulting towards the nontechnical user. This one will, therefore, be more sympathetic, taking the user's lack of understanding and turning it to an opportunity.

Many end-users seem to lack a systematic grasp of the concept that programs are something that people write: that every piece of software and every function of that software is something that someone designed and wrote out.

People understand far better the idea that software has owners than that it has authors. They readily accept the idea that some aspect of their Windows computer is owned by Microsoft, but have (understandably!) more difficulty with the idea that the component Microsoft owns is a writing, in its nature more akin to the text of an encyclopedia than to a kitchen gadget -- that it's the product of hundreds of people typing in things that look like math.

The metaphors of software as ordinary property (belonging to its owner, like a lawnmower or a house) and software as writing (created systematically and expressively by its author, like a book) lead one to different sorts of thoughts.

When something belongs to someone else, the everyday law-abiding person sees it as out-of-bounds. We don't mess around with other people's things without their permission! If something about your computer belongs to Microsoft, but you're not sure what that something is, then the computer itself becomes a doubtful and border territory.

This has ill effects for personal computing. A borderland, where the line of demarcation is unclear, is a space from which the meeker and more certainty-seeking neighbor shies back, and into which the more powerful and aggressive neighbor advances. Thus, Microsoft has in many ways taken greater control over the user's computer and left less ownership and control to the user and to other stakeholders such as third-party developers.

At the same time, a borderland is a space where the respective neighbors can foist off assertions of fault onto the other. Flaws in Windows, which Microsoft created, are treated as the user's responsibility to patch rather than as Microsoft's liability for making in the first place. Again, the user, being the less powerful neighbor in the "software as property" metaphor, loses.

In contrast, when we recognize something as a writing, we understand many facts which apply usefully to personal computing:

  • The writing could have been written differently. The way it is, is not the only way it could have been. The wording of the text is the author's choice. It is the reader's responsibility to understand the text; but this does not absolve the author of responsibility for what the text says.
  • The writing could contain mistakes. The author is not the final authority on its disposition or correctness; the real world is. If the writing presents itself as practical, but contains errors which lead to those who depend upon it coming to harm, the author and publisher are liable (at least in part) for that harm.
  • The text before us is not the same as its subject matter. We could read some other author's words on the same subject, and learn many of the same things. Another writing might be more accurate, more accessible, and more worthwhile. Many authors can write on the same subject without wronging one another in so doing.
  • Some texts are collaborative; they belong jointly to all of their authors.
  • Some texts are written clearly, so it is evident what the author means and whether his claims are correct. Others are written obscurely, in a way which is hard to understand and much harder to verify. For practical purposes such as the conduct of business, clear and verifiable writing is often more valuable than elaborate or pretty writing.
  • It isn't right to take someone else's writing and claim it's our own. That would be plagiarism -- not the same thing as theft of ordinary property, but still wrong. Plagiarism is chiefly a problem that concerns other authors, not readers; reading or referring to an article that was plagiarized is not itself plagiarism.

Software as property; software as writing -- these are two different metaphors. Software itself is neither property in the same sense that a lawn mower is property, nor is it writing in the same sense that Homer's Odyssey is writing. It is something different from either of these.

However, we may ask: Which of these metaphors gives us a better grip on the subject? Which leads to greater practical understanding? Moreover, society's view of software is still nebulous, since the ordinary person has no good idea of what it is. As a result, we may ask further: Which is the way we want software to be?

The Luser Expounds His Philosophy

Frater 219 writes  |  more than 10 years ago The Luser, on the FS/OSS Community:
"Since I got this program for free, I should demand that I be personally trained on it for free, too. My predecessors who taught themselves have an unnatural advantage over me; therefore, they owe me. Rather than being inspired by their example to enter into the struggle of learning, I should instead demand that they cater to me."

The Luser, on Intuitive Design:
"If I do not understand something, this proves that it is either: (a) useless, (b) made deliberately complex so that nerds can lord it over non-nerds like myself, or (c) made deliberately incompatible with my Windows preconceptions out of malice towards Microsoft.

"There is no legitimate reason that anyone would create anything beyond my present ability or willingness to understand; therefore everything not obvious to me is the product of hostile action."

The Luser, on Design Goals:
"Every program aspires towards being a sleek, shrink-wrapped product featuring a holographic license card, an obtrusive pseudo-AI 'office assistant', and a user interface that carefully hides from me any setting which would require that I know any fact about my computer or network.

"Any deviation from this goal is a failure on the part of the programmer -- probably due to a character flaw on his part -- and it is my place to point out this failure."

The Luser, on Documentation and User Interface:
"The ultimate form of program documentation, and of user interface, is the 'wizard', which leads me through my entire use of a program with a minimum of explanation on its part or choices on mine. Though once I typed in commands, and after that I clicked on pictographic icons and widgets, today the only direction my computer should require of me is as follows: 'Okay', 'I Accept', 'Okay', 'Okay', 'Finish'.

"Any interface which demands that I read for comprehension, or that I make choices which (a) depend upon specific knowledge or (b) have real consequences, is incomplete and inadequate."

The Luser, on Scripting:
"God forbid that I ever have to write a script for any purpose. However, should that onerous task befall me, there is no reason for me to understand anything before I begin stringing software components together. I do not need to know the format of my input, the nature of components available to me, nor the desired format of my output.

"My goal is to transform ill-understood input into text which, to a cursory glance, resembles the desired output. Complaints from my coworkers -- including complaints about delimiters, spacing, dropped or shifted columns, folded or mangled Unicode, or the inability of other (and thus lesser) software to read my script's output -- are signs that my coworkers have unresolved personal problems."

(The first three sections above were written in response to a Usenet poster who whined particularly indignantly about being expected to read the manual to a piece of complex Unix software before deploying it. I didn't post it there, out of concern that another reader might misinterpret it as being about them.)

Imminent censorship of the Net predicted, film at 11

Frater 219 writes  |  more than 10 years ago In the past few weeks, we have seen two high-profile cases where distributed denial-of-service (DDoS) has been used to obstruct controversial speech and punish the speakers. This is a growing threat to the freedom of the Internet, as people cannot feel free to speak their minds online when the threat of network destruction hangs over them.

In the first case, the litigious SCO has apparently been targeted for DDoS by someone (or, more likely, several) who thinks they're doing good for the open-source world. I personally believe that SCO is guilty of libel and other crimes. However, mob justice is no justice at all -- and as has been pointed out by wiser heads than mine own, cannot benefit the open-source community. SCO is crooked, but the way to handle a crooked company is with due process in the courts, not pitchforks and torches.

In the second case, the engineering firm Osirusoft has been attacked -- probably by spammers -- for its hosting of a number of DNSBLs, including one based on the SPEWS lists. (Contrary to urban legend, Osirusoft did not maintain SPEWS. Rather, it translated the SPEWS data set into a DNSBL and made it queriable on a nameserver. There are other SPEWS-based DNSBLs.) SPEWS is controversial because of three facts: it is anonymous; it has a policy of predictively listing network blocks of ISPs that fail to terminate spammers; and it has been for a time increasingly effective and widely used.

Some people (erroneously, in my opinion) believe that SPEWS practices censorship. Some people (correctly, in my opinion) believe that SCO practices libel and the perversion of justice. Yet the rise of denial-of-service as a means of speech suppression is both censorious and unjust. It is a tool by which anyone offended by a speaker can (with a modicum of technical knowledge) stifle that speaker and inflict upon him or her substantial costs. It is destructive both of property and of discourse.

My worry is that many have cheered these attacks, as a way of getting revenge upon unpopular targets. This trend of rising mob violence -- and violence it is, even if only against property and not persons -- threatens to destroy everyone's freedom to speak on the Net. Freedom is the freedom to be both unpopular and safe -- and it is as surely threatened by the lynch mob as it is by the government censor; nay, more so -- for the mob are more numerous and observant of that which offends them.

I ask those who have cheered these attacks -- is this the kind of Internet polity you want to have? Do you want criminal gangs of script-kiddies and spammers deciding what online speech is to be punished? For if you do not want this perpetrated against you, you are obligated not to countenance it when it is committed against others.

Physical security gone amuck

Frater 219 writes  |  more than 10 years ago It seems that Dell has found one solution to the problem of people writing down their passwords on sticky notes and sticking them around their monitors. They have made the cases of their current UltraSharp LCD monitors out of a plastic that sticky notes will not adhere to.

Rituals of Allegiance

Frater 219 writes  |  more than 10 years ago One feature of many forms of political and social power is to require subjects of that power to make gestures or proclamations of their submission. Those who refuse to perform these rituals of subjection are frequently persecuted.

In the time of the Maccabean revolt in ancient Judea, for instance, the Greek king Antiochus demanded of his subjects that they sacrifice to him as a god. The Jews were persecuted for their refusal: though they would willingly obey the king's civil laws and pay his taxes, they would not commit idolatry.

It is said that many could not understand why religious Jews would refuse something so simple as making a small sacrifice in the name of the king. It was only expected once per year, and would signify that they were ordinary, normal, law-abiding subjects just like their Greek neighbors. They could go on worshipping their own god on the other 364 days of the year. Why resist -- why be a freak? Come on, it's only one little chicken on the altar. It's not like we're asking you to go to the emperor's orgies every week, too.

In the Roman Empire in the early years of the common era, the same persecution came to Christians, who would not make sacrifices nor acknowledge Zeus nor the emperor as divine. As commanded by Jesus, they would "render unto Caesar what is Caesar's, but render only to God that which is God's." Again came the persecution, with whips and with lions.

When rituals of loyalty came to the American school classroom, it was the Jehovah's Witnesses who refused to comply. (Contrary to what you heard on Limbaugh or Bill O'Reilly, it wasn't the atheists or the Communists.) The Witnesses' faith teaches not to pledge allegiance to any power but the divine, so their schoolchildren would not pledge allegiance to the flag. It's only one minute out of the day -- why put up such a fight? Just say the words like you were a normal American. No lions this time, but many kids did get beaten up and a few thrown out of school for their beliefs -- even after the Supreme Court ruled that the schools couldn't require a loyalty pledge that went against some students' beliefs.

What is the function of rituals of allegiance? Perhaps it is that they show unity in subjection -- everyone pledging is equally submitted to the same authority, equally a subject and worshipper of the god-king. They constitute acceptance of the symbol of authority as part of the daily social order. However, they also draw the line between the willing, truly accepting subject, and those whose hearts and minds are fixed on some other star. They define by exclusion those groups who maintain reservations in their loyalty -- those who will render unto Caesar their tax, but will not render unto god-king nor flag their consciences.

It might be something to think about, the next time you click "I Accept".

Fallacies & Falsities of Security

Frater 219 writes  |  more than 11 years ago

"Securing systems or programs is basically about closing the holes and weaknesses that let hackers in." Rather, security is about correctly modeling in software and hardware the trust relationships that people have regarding their computing resources and data. It is about making computer systems behave in the way that their operators want and trust them to behave, with respect to such things as authorized use and availability. It isn't about patches; it's about correctness.

"A firewall is essential to keeping a network secure by rejecting attacks." A firewall is nothing more or less than a network bridge or router that selectively drops packets. It does not "block attacks" or "forbid unauthorized access" -- it drops packets. Sometimes this is a useful thing to do on a network segment in order to provide assurance as to what sorts of activity won't come in over that segment. This can be useful in modeling trust: if you block port 23 with a firewall, you can guarantee that nobody outside can send port-23 packets through that segment. That's not the same as saying that nobody outside can do unencrypted login to any machine inside ...

"If a program crashes, that only means it's unreliable, not that it's insecure." In fact, many forms of attack against programs are first discovered as ways to make the program crash with a piece of malformed input. If your FTP server dumps core when I send it an excessively long username, that's probably because it's overflowing a buffer. Breaking in is just a matter of overflowing that same buffer with the right data.

"All software has bugs, and bugs lead to holes -- so from a security perspective it doesn't really matter what software I use, since I'll need to patch it anyway." The fact of the matter is that some software projects release programs that are consistently more reliable than others. Some projects release software that is easier to patch than others. Some projects release software that is better documented, and its behavior better understood, so that you can set it up with more accurate trust relationships. In short, some software is more correct than other software, and you can reduce the amount of time you spend fixing broken software by choosing software that is less broken. Anyone who tells you that all software is buggy is a cynic; anyone who tells you that all software is equally buggy is trying to sell you IIS.

Firewallin'

Frater 219 writes  |  more than 11 years ago My workplace -- an internationally reputed research institution with about 1500 employees and 2500 Internet-connected computers (and a /16 network prefix) -- now has a firewall. Finally.

Oh, we had a firewall of sorts before. What we had was a default-allow packet filter, which we populated manually with rules blocking access from addresses which had portscanned us, and to machines we had discovered were insecure. See, a few years back, the head sysadmin at the time had asked to install a firewall -- but some of the scientists were concerned that such a thing would get in the way of innovative uses of the network. But he managed to get not a firewall, but a "filter" -- an early Netscreen firewall appliance configured in this default-allow mode.

Maintaining this system was very labor-intensive. Our intrusion detection system (IDS) was based on Snort and email -- meaning that every ten minutes, it would email us a chunk of logs. When we could, we'd keep the live logs in an xterm in the corner of the screen -- and put in firewall blocks against any remote node that portscanned, probed, or tried to Nimda us. Besides being a lot of work, this was also error-prone: we often found that we had accidentally blocked some legitimate traffic, since an automated set of FTP jobs can look a lot like a scan or a DoS.

And so it went for a few years. Then, last year, my boss (who is remarkably un-PHB-like for a guy who likes Windows XP) convinced the scientists' IT oversight group that we needed a real, default-deny firewall. The project was dumped in my lap as medium-range: not so time-critical that I should quit doing Linux systems support to implement it, but also in need of long-range planning and consensus gathering before we went forward with it. (He's trying to turn me into a manager. Really, he is.)

(I should note: Our IT department is very slow moving. We are not the sort of department that can push out a complete transformation of institutional computer use in a day -- or even a week. We like to think we are conscientious, methodical, and modestly refrain from shoving technologies on an unprepared user base, but the fact of the matter is that we are slow. The week I started working here, two and a half years ago, we started talking about replacing the aging and unreliable mail servers. We started building the new mail system a year later, and finished migrating users to it a year after that.)

Before we could put up a default-deny firewall, we had to establish clearly what services needed to be allowed through it. In our institution, anyone on staff can request an IP address and add a new computer to the network -- with whatever OS and services they want to run. It's not our job to tell them no -- it's our job to make their stuff work the way they want it. So I needed to extend this philosophy to the realm of firewall access rules. The result was a database-driven Web application which let people request firewall openings, and let us approve their requests and translate them into firewall rules understandable by our spiffy new Netscreen-500 firewall.

We gave our users a month to register their existing services. On this past Monday night, the network administrator and I switched our Internet link over to filter through the new firewall.

It's actually gone rather well. We had a few glitches -- our dial-up server is outside the firewall, but the RADIUS server it authenticates against is inside; we'd forgotten to give it a pass rule, and didn't notice until the next morning when we got the user complaints. A few people failed to register their services, or didn't realize that accepting raw X11 sessions from Norway involves allowing certain ports through the firewall.

And now I and the other network security team members find ourselves in a very different job. Instead of watching IDS logs like hawks, and scrambling to block the latest source of attacks, we're now building up information about what our previously inscrutable user base actually wants to expose on the network. With the new firewall, we now know for certain that no incoming SYN is going to a system whose operator doesn't want an incoming SYN. We have a valid list of exposed services, so we can run vulnerability scanners like Nessus with impunity.

And the worst complaint from the users? One paranoid is griping that we don't block pings.


Words to Grow On Part III: Electric Boogaloo

Frater 219 writes  |  more than 11 years ago

bound variable n. A person who sometimes enjoys being tied up, and sometimes doesn't.

free radical n. 1. A GNU partisan. 2. An anti-war protestor not yet noticed by the Office of Homeland Security.

gnaked adj. The state of a commercial Unix system prior to the installation of useful pieces of free software.

peace officer n. A person employed to commit violence against peace activists.

pr0t n. A listening TCP socket harboring an insecure or buggy network service; the target of a pr0tscan.

processed imitation relational database flavored product n. mySQL or Microsoft Access, e.g.

realloc n. A piece of security infrastructure that actually works. Opposite of a fakeloc.

Satan's-ass pattern n. A commonly used design pattern in object-oriented programming, in which a class represents a hodge-podge of functionality and data storage uglier than Satan's ass.

shoujo-nai n. Of anime, containing no lesbian content.

Zen erotica n. The sound of one hand diddling.


The part of the GPL that flamers didn't read

Frater 219 writes  |  more than 11 years ago

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

That's from section 0 of the GPL. Every person who has ever written that "the GPL restricts the use of GPLed software," or that the GPL is comparable to an end-user license agreement (EULA), thereby evidences having not read, or not understood, the GPL.

(This is not a defense of the GPL against critics who favor the BSD-style licenses on grounds that they are "more free" than the GPL. That is another argument for another time. It is specifically a defense of the GPL against those who consider it morally or legally equivalent to a Microsoft-style EULA.)

License to Use, with Copying Forbidden vs. License to Copy, with Usage Unrestricted

Take another look: "The act of running the Program is not restricted." For nonprogrammers, this is the chief practical distinction between the GPL and an EULA. An EULA asserts control over whether and how you may run the covered software, whereas the GPL explicitly denies such control. An EULA asserts that the copyright owner may revoke your right to use software you've legally obtained, whereas the GPL recognizes that copyright only affords the owner the right to control your copying of the software.

If you are a programmer or distributor, of course, the distinctions between the GPL and an EULA are much sharper. EULAs such as Microsoft's don't just exercise copyright, i.e. forbid you from making copies. They typically order you to refrain from analyzing or learning about the covered software -- for instance, disassembling or tracing it -- even though these are user rights that copyright does not restrict. That is to say, EULAs claim to leverage copyright to gain control over actions which copyright doesn't itself cover. In contrast, the GPL permits you to do things which copyright normally disallows, viz. making copies and derivative works, albeit only under certain terms.

Terminable Subscriptions vs. Interminable Permission

As proprietary-software houses move increasingly towards subscription-based software licensure, we may see a new distinction for end users. Subscription software relies on the idea that I can sell you a piece of software with a time limit on your right to use it. Thus, the software may become unavailable for your use for any of several reasons, even though you have a copy in your possession. Since the GPL provides no restrictions upon use of software -- only upon copying -- none of these can apply to its covered software:

  • Publisher withdraws software from licensure to promote another, more profitable product;
  • Publisher is forced to withdraw software due to lawsuit or regulation;
  • Publisher tactically withdraws software from your particular market in order to harm a specific competitor;
  • Publisher issues license renewals only under restrictive terms which exclude your uses -- for instance, by forbidding use in ways which compete with publisher in new markets;
  • Publisher goes out of business, and thereby becomes unable to issue license renewals.

It is entirely possible that the author of a piece of GPLed software could be restricted from distributing it by a lawsuit or regulation. It is not nearly so likely that such restriction would deprive existing users of the right to use the software. Even the authoritarian DMCA does not forbid one from using a piece of infringing software -- only from distributing it.

Naturally, many programs both proprietary and free are used to store data in particular formats. Word processors and databases come to mind. Under subscription licensing, users end up paying for the privilege of accessing their own creations.

Innovating Freedom vs. Innovating New Kinds of Unfreedom

Aside from subscription-based licensure, EULA-covered software has of late come to stand for the innovation of whole new categories of unfreedom. As time goes on, we may reasonably expect that this trend will continue.

For instance, a copy of proprietary software may by default be transferred, like any other piece of property: if you purchase one copy of a proprietary program, you may install it on your computer or give it to your mother to install on hers, but not both. If you want to give it to your mother, you have to erase it from your own system first. Older proprietary copyright notices were particularly fond of the phrase "This software is like a book," meaning that one purchased copy could only be used in one instance at a time. EULA-covered software, however, has come up with new restrictions to forbid this and other acts to which software users are accustomed.

It is the avowed purpose of the GPL to innovate a new category of freedom: a software commons to which all may contribute, but from which nobody may restrict others, with enforcement provided solely by the terms of copyright law. It is the self-evident purpose of EULAs to innovate new categories of restriction: to go beyond the statutory restrictions of copyright, engineering whatever restrictions upon users may be maximally profitable.

One may fairly argue that the GPL does not provide for maximal freedom for programmers, as do the BSD critics mentioned above. However, this is a far and faint cry from the parroted claim that the GPL is morally, legally, or indeed practically equivalent to an EULA.


Developing a Web app with mod_python and PostgreSQL

Frater 219 writes  |  more than 11 years ago

Over the past few months I have been developing a Web interface to allow host operators at my workplace to request the opening of ports on the firewall. Requests are stored in a relational database; authorized personnel can mark them approved, or download new firewall configuration files based on the approved requests.

It's not really that complex of a project, but I am very glad that I chose the tools that I did to create it: specifically, the Apache Web server, the Python language, and the PostgreSQL database backend. All three have proven exceedingly pleasant and flexible to work with, and showcase one of the practical strengths of open-source software: these products from different organizations and with widely divergent data models and philosophies integrate seamlessly to allow me to get my work done.

Apache and mod_python

Apache provides a powerful yet fast Web front-end, and supports authentication against my workplace LDAP directory, meaning that my own code does not have to think about authentication at all -- all I do is read a username from the Apache request object. The mod_python interpreter (an Apache module that embeds Python into Apache, with dramatically lower overhead and better integration than CGI offers) seamlessly interfaces my Python application logic to the Apache front-end.

Python itself is fun to work with, flexible, and exceptionally easy to debug. There are three different modules for connecting Python to my database backend, each optimized for a different sort of task. All conform to the same API, though, so I can switch from one to another with minimal code changes. The fact that Python (unlike Perl or PHP) hosts an interactive interpreter allows me to test chunks of my code quickly -- and Python's accurate and informative error messages make my own foul-ups easy to find and quick to fix.

I will admit that Python is not the fastest interpreter around. Speed isn't one of my chief requirements, though, and the tradeoff between programmer time and CPU time becomes easier to make on fast systems. (Terrible, I know.) If I were to set out aggressively optimizing this system now, the first thing I would do would be to push various bits of processing into PL/pgSQL rather than Python, so as to cut down on the amount of time spent converting data formats. (I must admit, though, I haven't profiled it.)

Though I come from a Perl background, and though processing of entered text was a major part of this project, I never missed Perl's regular-expression processing in writing my Python application code. I didn't even use Python's regex capabilities: I found myself designing data formats (mostly in dynamic HTML forms) which would require minimal parsing easily accomplished with basic string operations.

PostgreSQL

I don't have a great deal of background in the world of relational databases, but I knew that I needed a stronger database back-end than Berkeley DB or GNU DBM for this task. Specifically, I needed to ensure that no front-end application session could violate specific data integrity rules for the stored host information, and that erroneous sessions could be rolled back cleanly.

These requirements led me to SQL databases, and soon to PostgreSQL. I'd heard of its more popular counterpart mySQL, of course -- but what I'd heard was from database experts pointing out its wrong behavior, limitations, and its advocates' lies and misstatements with respect to its capabilities. I also knew of several Web sites, such as E2, which in the past had serious database corruption problems with mySQL. These put a bad taste in my mouth regarding the more popular system, and I turned to its less well-known, but evidently more professionally designed, competitor.

PostgreSQL was as pleasant to work with as the other tools I've mentioned. I installed it on a Debian GNU/Linux system, which did the install with no problems. (I'd thought about building it from source, but decided against it on maintainability grounds -- I like to assume that I'm not going to be the last person to work on my project, and so I want to ensure that it is as uncomplicated to upgrade or otherwise maintain as is practical.)

I got some help from a database specialist in defining my tables and data integrity rules. By ensuring in the DBMS that no data could be entered that would violate these rules, I cut out what could have been a major source of ongoing bugs in my application code -- and of user errors. Twice during testing, data integrity exceptions alerted me to errors in my code or logic -- if I'd failed to define foreign key constraints (or used a DBMS that didn't implement them), those errors might have gone into production and allowed malformed data entry. I don't write very buggy code, but I don't believe anyone who says they don't make errors -- so I have great difficulty believing those who say they don't need data integrity checks in the DBMS.
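As an added example, not code from the author's mod_python application, the following puts the approach described above into working form: the integrity rules (a foreign key to a registered host, a port-range check, protocol and status checks, no duplicate requests) are declared in the DBMS rather than in application code, only approved requests are turned into rules under a final deny, and a reconciliation check compares what is loaded on the firewall against what was approved, which is the check that would have surfaced the forgotten RADIUS pass rule from the firewall entry earlier on this page. The schema, the generic rule syntax (it is not Netscreen's), the sample hosts and the deployed rule list are all constructed; sqlite3 stands in for PostgreSQL so the example runs offline.

```python
# Added example, not the author's mod_python code: integrity rules enforced by
# the DBMS, a generator that emits a default-deny policy from approved requests
# only, and a reconciliation check. Schema, generic rule syntax (not Netscreen's)
# and sample hosts are constructed. sqlite3 stands in for PostgreSQL; the CHECK,
# UNIQUE and FOREIGN KEY clauses are plain SQL and behave the same there.
import sqlite3

SCHEMA = """
CREATE TABLE host (ip TEXT PRIMARY KEY, operator TEXT NOT NULL);
CREATE TABLE opening (
    id      INTEGER PRIMARY KEY,
    host_ip TEXT    NOT NULL REFERENCES host(ip),
    proto   TEXT    NOT NULL CHECK (proto IN ('tcp', 'udp')),
    port    INTEGER NOT NULL CHECK (port BETWEEN 1 AND 65535),
    source  TEXT    NOT NULL,                 -- 'any' or a CIDR prefix
    status  TEXT    NOT NULL DEFAULT 'pending'
                    CHECK (status IN ('pending', 'approved', 'denied')),
    UNIQUE (host_ip, proto, port, source)     -- no duplicate requests
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # sqlite3 only; PostgreSQL always enforces FKs
    db.executescript(SCHEMA)
    return db

def request_opening(db, host_ip, proto, port, source="any"):
    """Store a request as 'pending'. A row breaking any schema rule raises
    sqlite3.IntegrityError and the transaction rolls back."""
    with db:
        cur = db.execute(
            "INSERT INTO opening (host_ip, proto, port, source) VALUES (?, ?, ?, ?)",
            (host_ip, proto, port, source))
        return cur.lastrowid

def violates_schema(db, host_ip, proto, port, source="any"):
    """True when the DBMS refuses the row, i.e. the constraint caught a bad entry."""
    try:
        request_opening(db, host_ip, proto, port, source)
    except sqlite3.IntegrityError:
        return True
    return False

def approve(db, request_id):
    with db:
        db.execute("UPDATE opening SET status = 'approved' WHERE id = ?", (request_id,))

def generate_policy(db):
    """One permit per approved request, then the final deny; pending and
    denied requests never reach the firewall."""
    rows = db.execute("SELECT source, host_ip, proto, port FROM opening "
                      "WHERE status = 'approved' ORDER BY host_ip, proto, port")
    rules = [f"permit {proto} from {src} to {ip} port {port}" for src, ip, proto, port in rows]
    return rules + ["deny ip from any to any"]

def reconcile(db, deployed):
    """Compare the permits loaded on the firewall with what was approved. Returns
    (unregistered, missing): permits nobody requested, and approved openings
    with no permit, like the forgotten RADIUS pass rule."""
    want = set(generate_policy(db)[:-1])
    have = {rule for rule in deployed if rule.startswith("permit ")}
    return sorted(have - want), sorted(want - have)

def seed():
    """Constructed sample data: three registered hosts and their requests."""
    db = open_db()
    with db:
        db.executemany("INSERT INTO host VALUES (?, ?)", [
            ("10.0.5.9", "webteam"), ("10.0.5.20", "postmaster"), ("10.0.7.3", "netadmin")])
    for rid in (request_opening(db, "10.0.5.9", "tcp", 80),
                request_opening(db, "10.0.5.9", "tcp", 22, "192.0.2.0/24"),
                request_opening(db, "10.0.5.20", "tcp", 25),
                request_opening(db, "10.0.7.3", "udp", 1812, "198.51.100.7/32")):
        approve(db, rid)
    request_opening(db, "10.0.5.20", "tcp", 6000)  # X11 request, still pending
    return db

# Constructed: the permits actually loaded on cutover night.
DEPLOYED_SAMPLE = [
    "permit tcp from any to 10.0.5.20 port 25",
    "permit tcp from 192.0.2.0/24 to 10.0.5.9 port 22",
    "permit tcp from any to 10.0.5.9 port 80",
    "permit tcp from any to 10.0.5.20 port 23",  # nobody asked for telnet
    "deny ip from any to any",
]

if __name__ == "__main__":
    db = seed()
    print("\n".join(generate_policy(db)))
    print("unregistered / missing:", reconcile(db, DEPLOYED_SAMPLE))
```

The point of putting the rules in the schema is that every code path, the Web form, a command-line fixup, a colleague's later script, hits the same wall: an out-of-range port, an unknown host or a duplicate request is refused and the transaction rolls back, whatever the application code forgot to check. The reconciliation step is the other half of "we know for certain what is exposed": the approved list in the database is only authoritative if something regularly confirms the firewall agrees with it.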

In conclusion ...

I would strongly recommend that anyone developing database-driven Web applications look into these technologies. For me, they have helped make what looked at the start like a complicated project into something relatively painless. More importantly, their solid performance and reliability have given me the confidence that the application I have written will continue to perform reliably and correctly.


How to Make Yourself Look Stupid

Frater 219 writes  |  more than 11 years ago

This is not a list of ways to be stupid. It is not about foolish or immature people trolling, flaming mindlessly, or pandering to one another's prejudices. It is a list of ways that moderately informed people frequently make themselves look as if they just stepped off the clue boat with an empty cart. Its format is to present the general form of a kind of stupidity, and to illustrate it with examples from matters both online and offline. And for the first:

Mistake negative experience for bias. This is a great way to look like a Rondroid: when someone disagrees with you, or criticizes something you participate in, presume that they are motivated solely by prejudice. When someone says they've had bad experiences with a product, a company, or a group of people, with which you are affiliated, dismiss what they have to say as "biased."

The term "Rondroid" comes from the name of L. Ron Hubbard, founder of the Church of Scientology. In the late '90s, a group of online Scientologists took to defending their church's criminal practices by accusing its critics (largely ex-members) of "bigotry". (When that failed, the Scientologists started using denial-of-service attacks and barratrous lawsuits.)

When a person has had consistently unpleasant experiences with a piece of software (one you use and admire!) and calls it "buggy" or "historically insecure", you do neither yourself nor the truth any favor to call him prejudiced. He is not -- he is the very opposite: "postjudiced", as it were; having made up his mind on the basis of experience. If you cannot accept the fact of another's experience, then you should examine your own biases.

Underestimate the importance of individual free choice. By doing this, you look like a Soviet planner. You presume that you, in your wisdom, know exactly how many people should produce toilet paper and how many should grow turnips. By sending all your people to produce toilet paper, you doom them to starvation; by sending them all to grow turnips, you doom them to wiping their asses with dried turnip leaves. Only when people are able to choose in the market which of these necessary trades to follow (by following the money -- when one resource is short, its price goes up) can a dynamic balance be achieved. Excessive planning produces cyclical shortages.

Truth be told, like many economic truths this applies outside the formal (money-driven) marketplace as much as within it. For instance, some have criticized the open-source populace for producing multiple programs to fill a niche -- or for failing to sign on en masse to a single favorite project. "If only everyone would quit making random weird stuff and work on Mozilla, since it is more important!" It is a glad fact that the people who whine thus have no power to make it so, for it is out of today's random weird stuff that the next success comes.

Assume that a perfect consensus exists, then criticize its "members" for inconsistency. This is how to look like a creationist. The method of stupidity here is to create a false stereotype of a diverse group -- making it out to be of one mind and belief -- and then to attack it as "hypocritical" for its internal disagreements, or for failing to live up to your stereotype of it. "How can you Slashdot people buy Lord of the Rings DVDs? I thought you all said DVDs were evil!" This particularly asinine form of strawman argument involves attacking person A for disagreeing with person B -- but only because you assumed that they would agree.

Creationists -- those who deny biological evolution for religious reasons -- often point to minor disagreements among biologists as evidence that evolution is "in dispute" or "under fire" within the scientific community. They claim, for instance, that since gradualists (such as Dawkins) and punctuated-equilibrists (such as Gould) cannot agree on the details of evolution, the whole science must be impossibly flawed. No such thing is the case. Evolutionary biologists do not study whether evolution happens (a settled matter) but rather the particulars of how it happens (a matter still being discovered). To presume that a perfect consensus should exist, then to sound the alarm at "inconsistency", is to attack a straw man.


Security is like the Tao.

Frater 219 writes  |  more than 11 years ago

You cannot make a stream run quietly by dumping more boulders into it. You cannot make a computer system secure by running more software on it.

The antivirus model, the software firewall model, and to a certain extent the NIDS model, are all built on the precept that running more software can make your system more secure, provided that it is the right software. If only you buy the right product -- install the right virus definitions file -- do the right upgrade, your system will be secure. Meanwhile, systems keep getting cracked and worms keep spreading.

"I eat lots of diet food, but I'm still fat." "I install all these security programs, but I still get cracked."

The insecurity of Windows default installs is not due to their well-known failure to install sufficient security features. It is due to their quiet installation of an excess of insecure features.

If you are in a position to need antivirus software, your problem is not viruses. If you are in a position to need a rootkit detector, your problem is not rootkits.

"Best practices" cannot improve "worst design".

When you receive virus spam in your email, do not blame the idiot who clicks on attachments. Do not blame the asshole who writes viruses. Neither of them put the feature to execute active content in the idiot's email program.
