Frater 219 writes | more than 9 years ago
1. A word is not the same as the thing it describes.
There is an old dictum in mysticism: Ipsum Nomen Res Ipsa -- "the name itself [is] the thing itself." This is a rule for hypnotizing oneself or others to change our perceptions of the universe to fit our ideas. This rule is the opposite of the rule of science, which is to change our ideas (theories) to fit our perceptions of the universe (observations).
Corollary 1a -- Lincoln's Law: Calling a tail a leg doesn't make it one.
The practical conclusion of the above rule is that we cannot alter reality simply by changing the names by which we refer to things. There are good reasons for changing names sometimes, specifically when we find that the old names do not accurately reflect observations. However, when we change names out of wishful thinking (calling a dog's tail a leg) we set ourselves up for delusion and disappointment.
Worse, when we assent to others' redefinition of the words that describe the world, we are effectively under their spell. Who is doing Black Magick upon you? (What does the word "waffle" make you think of?) Reality is ultimately reality-based, not faith-based, and the credibility gap is a tension between the two. When it snaps, people do get killed.
2. There's always the chance the guy is lying to you.
This insight is famously ascribed to David Hume, but outside of credulous Christendom it may simply never have been needed: Whenever someone tells you that a miracle (or other unlikely event) has occurred, consider the following. There is a probability M that a miracle actually has occurred. There is also a probability L that the person who is telling the tale is lying or simply mistaken. As long as L > M, we have no reason to believe in miracles, wild advertising claims, or other unlikely stories.
3. Popularity and correctness are not strongly correlated.
Corollary 3a: Ten million people could be wrong.
Sometimes ideas are useful, but unpopular -- either because few people have heard of them or been convinced of them yet, or because they have gone out of fashion.
Corollary 3b: They laughed at Gandhi, but they also laughed at Bozo the Clown.
Being original is not, in itself, any guarantee of being right. Likewise, the fact of being rejected is no assurance that you're on the right track. Sometimes, first they ignore you, then they laugh at you, then you figure out you're being a dork and quit it.
4. People who sound totally sure might just be trying to convince themselves.
If a person is absolutely insistent on some point, it may well be that he (or she) is working under the rule of mysticism rather than that of science: rather than trying to come up with statements that accurately describe the world, he is trying to convince himself that the world is how he wants it to be.
It's not always the case, though. Sometimes we find that in order to prevent harm, we need to do some magic or politics -- same thing -- even for ideas that we have discovered by science. Otherwise we end up with creationism in the public schools and pi being declared equal to 3 by legislative fiat. Sometimes we do have to insist that we're right and the other guy is wrong. But we have to offer evidence, not just assertion -- and we have to be careful (not certain, but careful) that we aren't letting our ideas run away with us.
Why ethicists don't sleep with other people's wives
Frater 219 writes | more than 9 years ago
I live with a philosophy graduate student. It's contagious. Note, none of these are particularly meant to be offensive, except possibly the Peter Singer one. Sorry, Pete, I just couldn't resist a zoophilia joke.
The moral realist doesn't sleep with other people's wives because it would be wrong.
The Kantian doesn't do it because if everyone did that, someone would be sleeping with his wife.
The natural law theorist doesn't do it because it would be a violation of the marriage contract.
The emotivist doesn't because -- ew, yuck, sleeping with other people's wives!
The consequentialist doesn't because he doesn't want to sleep with a woman who would cheat on her husband.
The cultural relativist doesn't do it because the culture he lives in rather arbitrarily happens to value sanctity of matrimony.
The utilitarian doesn't because he figures that extramarital affairs cause more bad than good.
The moral skeptic doesn't for no particular reason.
The hedonist doesn't because he doesn't feel like it.
Peter Singer doesn't do it because there's nothing that makes other people's wives ethically preferable over, say, goats.
The virtue ethicist doesn't do it because what kind of a person would he be if he did?
The feminist doesn't because other people's wives are usually straight.
Frater 219 writes | more than 9 years ago
You might be a closed-source twerp if...
You've chosen a piece of software not for its features or benefits but because it is not open source.
Despite the numerous copyright- and patent-violation lawsuits that have been filed, adjudicated, and settled against Microsoft, you think it's more likely that Linux contains "stolen intellectual property" than that Windows does.
When someone in your organization proposes use of an open-source product, you've retorted, "Not everything has to be open source!"
You refer to a reasoned preference for open source software as a "bias" or "religion".
Despite the existence of Red Hat, Digium, MySQL AB, Zope Inc., and other open-source companies, you believe that open source software is "non-commercial" or "anti-corporate".
You have referred to open source software as "communist".
You have referred to Eric S. Raymond as a "socialist".
You have conflated open-source licenses with "the public domain", or claimed that open-source software is "not copyrighted".
You take Laura DiDio or Rob Enderle seriously.
You crack BSD/LSD jokes to imply that Unix or open-source programmers are insane or unreliable.
You believe that Linux or Unix cannot be used "on the desktop", but you have never tried it or asked anyone who does it about their
When someone points out that Mac OS X is a desktop Unix system, you retort that it isn't "really" Unix -- despite the C shell, POSIX compliance, BSD kernel, X11....
You think that software users should bear liability for copyright infringement committed by software publishers, thus necessitating "indemnification" -- even though you would never claim that readers of the New York Times would be liable for a plagiarism committed by a
You think that Linux, in its present form, was cooked up by some college student in a basement.
You think that Linux, since it is based on the design of Unix, is "30-year-old technology" and therefore inferior -- as if software designs were to be judged on their novelty rather than their reliability.
Despite the number of Linux systems that Dell, HP, IBM, and other major vendors ship to large corporations and other institutions, you believe that "Linux is not ready for the enterprise".
You note that only a small fraction of the computers in the world run Linux or BSD, and conclude that open-source software is of little consequence -- selectively ignoring the fact that 60+% of all Web servers in the world run the open-source Apache software.
You think that open-source software is likely to contain Trojan horses, because anyone can modify it.
Although you know that The SCO Group's legal arguments are unfounded and that they have presented no evidence of their claims, you hope that they will win anyhow, to show those irritating open-source upstarts that business should be about power rather than mutual benefit.
You think that Sun Java Desktop is a Java-based product, not a Linux
You think that the GNU General Public License (GPL) is an end-user license agreement, or that using GPLed software involves giving up rights you would otherwise have.
You think that open-source projects are each the work of an individual volunteer programmer, so that when the one programmer responsible for Linux or PostgreSQL or Apache gets bored with it, there will be no more support available.
A security vulnerability in MySQL is a "Linux security hole", but a security vulnerability in Microsoft SQL Server is not a "Windows security hole". That is, the fact that Linux distributors ship more third-party software should be considered a problem, not a virtue.
Frater 219 writes | more than 10 years ago
From time to time in our nation, religion and religious faith have become contentious political issues. While we may prefer (as I certainly do) that religion remain a private matter and outside of politics, this is not always possible. Important political movements such as Abolitionism, Martin Luther King Jr.'s Civil Rights movement, and more recently the Religious Right have all sprung from the nexus of religion and politics. We cannot, therefore, ignore or set aside candidates' religious views and practices when considering them for the Presidency.
My question is this: What religious view were you and President Bush expressing -- what religion were you practicing -- when, as undergraduates at Yale University, you both bowed down to an idol of the Prince of Darkness? As members of the Brotherhood of Death, or Order of Skull and Bones, you both participated in rituals explicitly Satanic in tenor and content. Does this fact leave you prepared to govern a nation whose populace is majority Christian, most of whom believe that the Devil is quite real and active in the world?
We can all see from every day's headlines the result of electing one member of the Brotherhood of Death to the presidency. Why in the world -- or in the underworld, perchance? -- should we suffer another to ascend to that seat?
Well, they'll sue you just to pump and dump their stocks
And they'll sue you when you're hackin' on your box
And they'll sue you for a secret they don't got
And their filings all were written high on pot
But I would not feel so all alone
Everybody must get SCOed.
They'll sue you when you claim your copyrights
And they'll sue you 'cause they just like startin' fights
And they'll sue you when you're recompilin' code
And they'll sue you when you tell 'em all to FOAD
And I would not feel so all alone
Everybody must get SCOed.
They'll sue you with their lawyer David Boise
And they'll sue you in Utah and in New Joisey
And they'll sue you just for picking up the phone
And they'll sue you over stuff that they don't own
And so I would not feel so all alone
Everybody must get SCOed.
They'll sue you over standard header files
And their CEO's got sixteen smarmy smiles
They'll sue you for a contract with Novell
And they'll sue you when you tell 'em "go to hell"
But I would not feel so all alone
Everybody must get SCOed.
They'll sue you over errno and ls
They'll sue you for just anything, I guess!
And they'll sue you 'cause their business plan's no good
And they'd sue us all together if they could!
So I would not feel so all alone
Everybody must get SCOed.
If the urinalists can't spell "Boies" right, why should I?
Frater 219 writes | more than 10 years ago
Warning: This is really extremely silly. I wrote it some years ago while punchy from a nasty spate of break-ins. The tune is, of course, the obvious song from "The Music Man".
76 port scans at the firewall
With 110 h4x0rz close behind
There were more than a thousand d00dz
With their black hat 'tudes
There was pr0n of every shape and kind!
76 FIN scans through the firewall
Whacked 110 (POP3 -- that's your mail)
They were Snorted by rows and rows
Of the finest sysadmofos
And all the cr4x0rz went to jail.
There were shellscript hacking lamers in the DMZ
Thundering, blundering, flaming on the IRC
There were triple-breasted porno sites
And spammers selling Vegemite
And mailbombing like a random jerk!
76 script kids whacked the firewall
And 110 bytes smashed through the stack
They were followed by piles and piles
Of rootkits out for miles
Trying Windows exploits on my Mac!
There were fifty mounted DDoS spewing UDPs
Someone told them we were the WTO
There was Hipcrime hosing USENET groups
And Sendmail bouncing email loops
And spam from a Russian teenaged 'ho!
76 SYN floods hit the firewall
And 110 seg faults dumped the core
I was doing an fs check
On a brand-new punch card deck
And they spilled it all over the floor!
Frater 219 writes | more than 10 years ago
Update: I made a set of predictions New Year's Day 2004. It's now the end of the year. Some of them have come to pass. Others have been disproven. Here's how it goes:
SCO will lose, or drop its case and go out of business. However, no SCO principals will be brought to justice for abuse of legal process. Microsoft will pretend never to have been involved.
The trial shows no sign of going away soon. Sigh.
The U.S. dollar will continue to sink versus the euro and versus gold. Lack of confidence in the U.S. economy will be largely due to failures of corporate accountability and the continuing costs of the Iraq occupation.
Gold has risen from $415 in January to $438 as of December. The euro has risen from $1.15 to $1.36 in the same time frame. Not bad.
Microsoft and its allies will release increasingly tightly controlled end-user systems. They will be increasingly inappropriate for enterprise reliability and control needs.
Microsoft has been pretty quiet on the technical-control front, instead continuing legal "licensing" threats and FUD.
During the first quarter of 2004, a European nation will demand extradition of a ROKSO-level spammer from the United States.
Didn't happen. We did see the prosecution, conviction, and sentencing in the U.S. of Jeremy Jaynes, aka Gaven Stubberfield. Jaynes was the ROKSO-level spammer responsible for the "horse porn" zoophilia spam that my users are so glad to be rid of.
Red Hat's market share in the United States will decline somewhat as Novell's SuSE takeover yields a manageable enterprise Linux. As with the old SuSE, this will not be 100% Open Source. Red Hat will remain profitable.
Red Hat is still profitable. Novell has made SuSE more, not less, open source; and has released instead a desktop Linux system.
Armed conflict will continue in Iraq throughout 2004. A major new front will emerge between Turkey and the Kurds of northern Iraq, possibly including violence targeting civilians on either side.
Turkey and the Kurds seem to be a non-issue. The word "quagmire" came and went -- right now, it seems worse than just a quagmire. Perhaps a fireswamp.
The current Debian testing will be released as Debian GNU/Linux 4.0 by mid-year.
Didn't happen, and they're calling it 3.1 anyhow. Instead, more and more people seem to be treating testing as stable right now, including using it on servers.
At least two worm outbreaks of similar scale to Code Red, Slammer, and Welchia will attack Windows systems worldwide. The Linux, BSD, and Mac OS X platforms will remain free of widespread viruses and worms, despite rising popularity.
Not so far. Spammer viruses spread by email continue to be a big pest on Windows -- using social engineering and Microsoft vulnerabilities to propagate. Alternative platforms have gained in popularity but still not seen a widespread virus or worm.
A majority of the captives held at Guantánamo Bay will be released without charges.
Many have been released. Not most.
European and other non-United-States government agencies will increasingly migrate IT operations to Linux and other Free Software systems.
Several have, yes.
Electronic voting will be a debacle, and its current advocates in government will distance themselves from it.
It has been a debacle this year, although not as much as the general lack of transparency and accountability, with "national security" frauds kicking media observers out of vote counts in Ohio. The discrepancy between exit polls and reported election results remains unexplained.
Frater 219 writes | more than 10 years ago
My last essay here was rather insulting towards the nontechnical user. This one will, therefore, be more sympathetic, taking the user's lack of understanding and turning it to an opportunity.
Many end-users seem to lack a systematic grasp of the concept that programs are something that people write: that every piece of software and every function of that software is something that someone designed and wrote out.
People understand far better the idea that software has owners than that it has authors. They readily accept the idea that some aspect of their Windows computer is owned by Microsoft, but have (understandably!) more difficulty with the idea that the component Microsoft owns is a writing, in its nature more akin to the text of an encyclopedia than to a kitchen gadget -- that it's the product of hundreds of people typing in things that look like math.
The metaphors of software as ordinary property (belonging to its owner, like a lawnmower or a house) and software as writing (created systematically and expressively by its author, like a book) lead one to different sorts of thoughts.
When something belongs to someone else, the everyday law-abiding person sees it as out-of-bounds. We don't mess around with other people's things without their permission! If something about your computer belongs to Microsoft, but you're not sure what that something is, then the computer itself becomes a doubtful and border territory.
This has ill effects for personal computing. A borderland, where the line of demarcation is unclear, is a space from which the meeker and more certainty-seeking neighbor shies back, and into which the more powerful and aggressive neighbor advances. Thus, Microsoft has in many ways taken greater control over the user's computer and left less ownership and control to the user and to other stakeholders such as third-party developers.
At the same time, a borderland is a space where the respective neighbors can foist off assertions of fault onto the other. Flaws in Windows, which Microsoft created, are treated as the user's responsibility to patch rather than as Microsoft's liability for making in the first place. Again, the user, being the less powerful neighbor in the "software as property" metaphor, loses.
In contrast, when we recognize something as a writing, we understand many facts which apply usefully to personal computing:
The writing could have been written differently. The way it is, is not the only way it could have been. The wording of the text is the author's choice. It is the reader's responsibility to understand the text; but this does not absolve the author of responsibility for what the text says.
The writing could contain mistakes. The author is not the final authority on its disposition or correctness; the real world is. If the writing presents itself as practical, but contains errors which lead to those who depend upon it coming to harm, the author and publisher are liable (at least in part) for that harm.
The text before us is not the same as its subject matter. We could read some other author's words on the same subject, and learn many of the same things. Another writing might be more accurate, more accessible, and more worthwhile. Many authors can write on the same subject without wronging one another in so doing.
Some texts are collaborative; they belong jointly to all of their authors.
Some texts are written clearly, so it is evident what the author means and whether his claims are correct. Others are written obscurely, in a way which is hard to understand and much harder to verify. For practical purposes such as the conduct of business, clear and verifiable writing is often more valuable than elaborate or pretty writing.
It isn't right to take someone else's writing and claim it's our own. That would be plagiarism -- not the same thing as theft of ordinary property, but still wrong. Plagiarism is chiefly a problem that concerns other authors, not readers; reading or referring to an article that was plagiarized is not itself plagiarism.
Software as property; software as writing -- these are two different metaphors. Software itself is neither property in the same sense that a lawn mower is property, nor is it writing in the same sense that Homer's Odyssey is writing. It is something different from either of these.
However, we may ask: Which of these metaphors gives us a better grip on the subject? Which leads to greater practical understanding? Moreover, society's view of software is still nebulous, since the ordinary person has no good idea of what it is. As a result, we may ask further: Which is the way we want software to be?
Frater 219 writes | about 11 years ago
The Luser, on the FS/OSS Community: "Since I got this program for free, I should demand that I be personally trained on it for free, too. My predecessors who taught themselves have an unnatural advantage over me; therefore, they owe me. Rather than being inspired by their example to enter into the struggle of learning, I should instead demand that they cater to me."
The Luser, on Intuitive Design: "If I do not understand something, this proves that it is either: (a) useless, (b) made deliberately complex so that nerds can lord it over non-nerds like myself, or (c) made deliberately incompatible with my Windows preconceptions out of malice towards Microsoft.
"There is no legitimate reason that anyone would create anything beyond my present ability or willingness to understand; therefore everything not obvious to me is the product of hostile action."
The Luser, on Design Goals: "Every program aspires towards being a sleek, shrink-wrapped product featuring a holographic license card, an obtrusive pseudo-AI 'office assistant', and a user interface that carefully hides from me any setting which would require that I know any fact about my computer or
"Any deviation from this goal is a failure on the part of the programmer -- probably due to a character flaw on his part -- and it is my place to point out this failure."
The Luser, on Documentation and User Interface: "The ultimate form of program documentation, and of user interface, is the 'wizard', which leads me through my entire use of a program with a minimum of explanation on its part or choices on mine. Though once I typed in commands, and after that I clicked on pictographic icons and widgets, today the only direction my computer should require of me is as follows: 'Okay', 'I Accept', 'Okay', 'Okay', 'Finish'.
"Any interface which demands that I read for comprehension, or that I make choices which (a) depend upon specific knowledge or (b) have real consequences, is incomplete and inadequate."
The Luser, on Scripting: "God forbid that I ever have to write a script for any purpose. However, should that onerous task befall me, there is no reason for me to understand anything before I begin stringing software components together. I do not need to know the format of my input, the nature of components available to me, nor the desired format of my output.
"My goal is to transform ill-understood input into text which, to a cursory glance, resembles the desired output. Complaints from my coworkers -- including complaints about delimiters, spacing, dropped or shifted columns, folded or mangled Unicode, or the inability of other (and thus lesser) software to read my script's output -- are signs that my coworkers have unresolved personal problems."
(The first three sections above were written in response to a Usenet poster who whined particularly indignantly about being expected to read the manual to a piece of complex Unix software before deploying it. I didn't post it there, out of concern that another reader might misinterpret it as being about them.)
Imminent censorship of the Net predicted, film at 11
Frater 219 writes | more than 11 years ago
In the past few weeks, we have seen two high-profile cases where distributed denial-of-service (DDoS) has been used to obstruct controversial speech and punish the speakers. This is a growing threat to the freedom of the Internet, as people cannot feel free to speak their minds online when the threat of network destruction hangs over them.
In the first case, the litigious SCO has apparently been targeted for DDoS by someone (or, more likely, several) who thinks they're doing good for the open-source world. I personally believe that SCO is guilty of libel and other crimes. However, mob justice is no justice at all -- and as has been pointed out by wiser heads than mine own, cannot benefit the open-source community. SCO is crooked, but the way to handle a crooked company is with due process in the courts, not pitchforks and torches.
In the second case, the engineering firm Osirusoft has been attacked -- probably by spammers -- for its hosting of a number of DNSBLs, including one based on the SPEWS lists. (Contrary to urban legend, Osirusoft did not maintain SPEWS. Rather, it translated the SPEWS data set into a DNSBL and made it queryable on a nameserver. There are other SPEWS-based DNSBLs.) SPEWS is controversial because of three facts: it is anonymous; it has a policy of predictively listing network blocks of ISPs that fail to terminate spammers; and it has been for a time increasingly effective and widely used.
Some people (erroneously, in my opinion) believe that SPEWS practices censorship. Some people (correctly, in my opinion) believe that SCO practices libel and the perversion of justice. Yet the rise of denial-of-service as a means of speech suppression is both censorious and unjust. It is a tool by which anyone offended by a speaker can (with a modicum of technical knowledge) stifle that speaker and inflict upon him or her substantial costs. It is destructive both of property and of discourse.
My worry is that many have cheered these attacks, as a way of getting revenge upon unpopular targets. This trend of rising mob violence -- and violence it is, even if only against property and not persons -- threatens to destroy everyone's freedom to speak on the Net. Freedom is the freedom to be both unpopular and safe -- and it is as surely threatened by the lynch mob as it is by the government censor; nay, more so -- for the mob are more numerous and observant of that which offends them.
I ask those who have cheered these attacks -- is this the kind of Internet polity you want to have? Do you want criminal gangs of script-kiddies and spammers deciding what online speech is to be punished? For if you do not want this perpetrated against you, you are obligated not to countenance it when it is committed against others.
Frater 219 writes | more than 11 years ago
It seems that Dell has found one solution to the problem of people writing down their passwords on sticky notes and sticking them around their monitors. They have made the cases of their current UltraSharp LCD monitors out of a plastic that sticky notes will not adhere to.
Frater 219 writes | more than 11 years ago
One feature of many forms of political and social power is to require subjects of that power to make gestures or proclamations of their submission. Those who refuse to perform these rituals of subjection are frequently persecuted.
In the time of the Maccabean revolt in ancient Judea, for instance, the Greek king Antiochus demanded of his subjects that they sacrifice to him as a god. The Jews were persecuted for their refusal: though they would willingly obey the king's civil laws and pay his taxes, they would not commit idolatry.
It is said that many could not understand why religious Jews would refuse something so simple as making a small sacrifice in the name of the king. It was only expected once per year, and would signify that they were ordinary, normal, law-abiding subjects just like their Greek neighbors. They could go on worshipping their own god on the other 364 days of the year. Why resist -- why be a freak? Come on, it's only one little chicken on the altar. It's not like we're asking you to go to the emperor's orgies every week, too.
In the Roman Empire in the early years of the common era, the same persecution came to Christians, who would not make sacrifices nor acknowledge Zeus nor the emperor as divine. As commanded by Jesus, they would "render unto Caesar what is Caesar's, but render only to God that which is God's." Again came the persecution, with whips and with lions.
When rituals of loyalty came to the American school classroom, it was the Jehovah's Witnesses who refused to comply. (Contrary to what you heard on Limbaugh or Bill O'Reilly, it wasn't the atheists or the Communists.) The Witnesses' faith teaches not to pledge allegiance to any power but the divine, so their schoolchildren would not pledge allegiance to the flag. It's only one minute out of the day -- why put up such a fight? Just say the words like you were a normal American. No lions this time, but many kids did get beaten up and a few thrown out of school for their beliefs -- even after the Supreme Court ruled that the schools couldn't require a loyalty pledge that went against some students' beliefs.
What is the function of rituals of allegiance? Perhaps it is that they show unity in subjection -- everyone pledging is equally submitted to the same authority, equally a subject and worshipper of the god-king. They constitute acceptance of the symbol of authority as part of the daily social order. However, they also draw the line between the willing, truly accepting subject, and those whose hearts and minds are fixed on some other star. They define by exclusion those groups who maintain reservations in their loyalty -- those who will render unto Caesar their tax, but will not render unto god-king nor flag their consciences.
It might be something to think about, the next time you click "I Accept".
"Securing systems or programs is basically about closing the holes and weaknesses that let hackers in." Rather, security is about correctly modeling in software and hardware the trust relationships that people have regarding their computing resources and data. It is about making computer systems behave in the way that their operators want and trust them to behave, with respect to such things as authorized use and availability. It isn't about patches; it's about correctness.
"A firewall is essential to keeping a network secure by rejecting attacks." A firewall is nothing more or less than a network bridge or router that selectively drops packets. It does not "block attacks" or "forbid unauthorized access" -- it drops packets. Sometimes this is a useful thing to do on a network segment in order to provide assurance as to what sorts of activity won't come in over that segment. This can be useful in modeling trust: if you block port 23 with a firewall, you can guarantee that nobody outside can send port-23 packets through that segment. That's not the same as saying that nobody outside can do unencrypted login to any machine inside...
"If a program crashes, that only means it's unreliable, not that it's insecure." In fact, many forms of attack against programs are first discovered as ways to make the program crash with a piece of malformed input. If your FTP server dumps core when I send it an excessively long username, that's probably because it's overflowing a buffer. Breaking in is just a matter of overflowing that same buffer with the right data.
"All software has bugs, and bugs lead to holes -- so from a security perspective it doesn't really matter what software I use, since I'll need to patch it anyway." The fact of the matter is that some software projects release programs that are consistently more reliable than others. Some projects release software that is easier to patch than others. Some projects release software that is better documented, and its behavior better understood, so that you can set it up with more accurate trust relationships. In short, some software is more correct than other software, and you can reduce the amount of time you spend fixing broken software by choosing software that is less broken. Anyone who tells you that all software is buggy is a cynic; anyone who tells you that all software is equally buggy is trying to sell you IIS.
Frater 219 writes | more than 11 years ago
My workplace -- an internationally reputed research institution with about 1500 employees and 2500 Internet-connected computers (and a /16 network prefix) -- now has a firewall. Finally.
Oh, we had a firewall of sorts before. What we had was a default-allow packet filter, which we populated manually with rules blocking access from addresses which had portscanned us, and to machines we had discovered were insecure. See, a few years back, the head sysadmin at the time had asked to install a firewall -- but some of the scientists were concerned that such a thing would get in the way of innovative uses of the network. But he managed to get not a firewall, but a "filter" -- an early Netscreen firewall appliance configured in this default-allow mode.
Maintaining this system was very labor-intensive. Our intrusion detection system (IDS) was based on Snort and email -- meaning that every ten minutes, it would email us a chunk of logs. When we could, we'd keep the live logs in an xterm in the corner of the screen -- and put in firewall blocks against any remote node that portscanned, probed, or tried to Nimda us. Besides being a lot of work, this was also error-prone: we often found that we had accidentally blocked some legitimate traffic, since an automated set of FTP jobs can look a lot like a scan or a DoS.
And so it went for a few years. Then, last year, my boss (who is remarkably un-PHB-like for a guy who likes Windows XP) convinced the scientists' IT oversight group that we needed a real, default-deny firewall. The project was dumped in my lap as medium-range: not so time-critical that I should quit doing Linux systems support to implement it, but also in need of long-range planning and consensus gathering before we went forward with it. (He's trying to turn me into a manager. Really, he is.)
(I should note: Our IT department is very slow moving. We are not the sort of department that can push out a complete transformation of institutional computer use in a day -- or even a week. We like to think we are conscientious, methodical, and modestly refrain from shoving technologies on an unprepared user base, but the fact of the matter is that we are slow. The week I started working here, two and a half years ago, we started talking about replacing the aging and unreliable mail servers. We started building the new mail system a year later, and finished migrating users to it a year after that.)
Before we could put up a default-deny firewall, we had to establish clearly what services needed to be allowed through it. In our institution, anyone on staff can request an IP address and add a new computer to the network -- with whatever OS and services they want to run. It's not our job to tell them no -- it's our job to make their stuff work the way they want it. So I needed to extend this philosophy to the realm of firewall access rules. The result was a database-driven Web application which let people request firewall openings, and let us approve their requests and translate them into firewall rules understandable by our spiffy new Netscreen-500 firewall.
We gave our users a month to register their existing services. On this past Monday night, the network administrator and I switched our Internet link over to filter through the new firewall.
It's actually gone rather well. We had a few glitches -- our dial-up server is outside the firewall, but the RADIUS server it authenticates against is inside; we'd forgotten to give it a pass rule, and didn't notice until the next morning when we got the user complaints. A few people failed to register their services, or didn't realize that accepting raw X11 sessions from Norway involves allowing certain ports through the firewall.
And now I and the other network security team members find ourselves in a very different job. Instead of watching IDS logs like hawks, and scrambling to block the latest source of attacks, we're now building up information about what our previously inscrutable user base actually wants to expose on the network. With the new firewall, we now know for certain that no incoming SYN is going to a system whose operator doesn't want an incoming SYN. We have a valid list of exposed services, so we can run vulnerability scanners like Nessus with impunity.
And the worst complaint from the users? One paranoid is griping that we don't block pings.
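The following is an added example, not code from either journal entry above. It models the two points made there in executable form: that a firewall does nothing but drop packets that match its rules (so blocking tcp/23 guarantees no port-23 packets cross the segment, not that nobody outside can log in unencrypted), and the difference between a default-allow filter with a manual block list and a default-deny firewall that passes only registered services. The packets, the rule representation and the port numbers are this example's own constructions and have nothing to do with the syntax of any firewall product.

```python
"""Model of what a packet filter actually does: it drops packets that match
its rules and lets the rest through (or the reverse, under default-deny).

Added example; not code from the journal entries.  The packets below are
constructed, and the rule syntax is this example's own, not that of any
firewall appliance.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    dst_port: int
    inbound: bool      # True if it arrives from outside the segment
    syn: bool = False  # TCP SYN, i.e. a new inbound connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class PacketFilter:
    """First matching rule wins; otherwise the default policy applies.
    Outbound traffic is not filtered in this model."""

    def __init__(self, default: str, rules: Iterable[Rule] = ()):
        assert default in ("pass", "drop")
        self.default = default
        self.rules: List[Rule] = list(rules)

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            return "pass"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


def telnet_block_guarantee() -> dict:
    """What dropping tcp/23 does and does not guarantee: no port-23 packets
    cross the segment, but a moved telnetd or any other cleartext login
    protocol still gets through."""
    fw = PacketFilter("pass", [Rule("drop", "tcp", 23)])
    probes = {
        "telnet on 23": Packet("tcp", 23, inbound=True, syn=True),
        "telnetd moved to 2323": Packet("tcp", 2323, inbound=True, syn=True),
        "cleartext POP3 login on 110": Packet("tcp", 110, inbound=True, syn=True),
    }
    return {name: fw.decide(p) for name, p in probes.items()}


def compare_policies(exposed_port: int) -> Tuple[str, str]:
    """Someone plugs in a new box listening on exposed_port without telling
    anyone.  Under default-allow with a manual block list the SYN reaches it;
    under default-deny only registered services do.  Returns (allow, deny)."""
    blocklist_fw = PacketFilter("pass", [Rule("drop", "tcp", 23)])
    registered = [Rule("pass", "tcp", 22), Rule("pass", "tcp", 80),
                  Rule("pass", "tcp", 443)]  # constructed list of approved services
    default_deny_fw = PacketFilter("drop", registered)
    syn = Packet("tcp", exposed_port, inbound=True, syn=True)
    return blocklist_fw.decide(syn), default_deny_fw.decide(syn)


if __name__ == "__main__":
    for name, verdict in telnet_block_guarantee().items():
        print(f"{name:30s} -> {verdict}")
    print("unregistered tcp/1433, default-allow vs default-deny:",
          compare_policies(1433))
```

The model deliberately has no notion of "attack" or "authorized access": a verdict is computed from protocol and port alone, which is exactly why a default-deny policy with a registered-service list gives the guarantee the entry above describes (no inbound SYN reaches a service nobody asked to expose) while a block list only ever removes what has already been noticed.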
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
That's from section 0 of the GPL. Every person who has ever written that "the GPL restricts the use of GPLed software," or that the GPL is comparable to an end-user license agreement (EULA), thereby shows that they have not read, or have not understood, the GPL.
(This is not a defense of the GPL against critics who favor the BSD-style licenses on grounds that they are "more free" than the GPL. That is another argument for another time. It is specifically a defense of the GPL against those who consider it morally or legally equivalent to a Microsoft-style EULA.)
License to Use, with Copying Forbidden vs. License to Copy, with Usage Unrestricted
Take another look: "The act of running the Program is not restricted." For nonprogrammers, this is the chief practical distinction between the GPL and an EULA. An EULA asserts control over whether and how you may run the covered software, whereas the GPL explicitly denies such control. An EULA asserts that the copyright owner may revoke your right to use software you've legally obtained, whereas the GPL recognizes that copyright only affords the owner the right to control your copying of the software.
If you are a programmer or distributor, of course, the distinctions between the GPL and an EULA are sharper still. EULAs such as Microsoft's don't just exercise copyright, i.e. forbid you from making copies. They typically order you to refrain from analyzing or learning about the covered software -- for instance, disassembling or tracing it -- even though these are user rights that copyright does not restrict. That is to say, EULAs claim to leverage copyright to gain control over actions which copyright doesn't itself cover. In contrast, the GPL permits you to do things which copyright normally disallows, viz. making copies and derivative works, albeit only under certain terms.
Terminable Subscriptions vs. Interminable Permission
As proprietary-software houses move increasingly towards subscription-based software licensure, we may see a new distinction for end users. Subscription software relies on the idea that I can sell you a piece of software with a time limit on your right to use it. Thus, the software may become unavailable for your use for any of several reasons, even though you have a copy in your possession. Since the GPL places no restrictions upon use of software -- only upon copying -- none of these can apply to its covered software:
Publisher withdraws software from licensure to promote another, more profitable product;
Publisher is forced to withdraw software due to lawsuit or regulation;
Publisher tactically withdraws software from your particular market in order to harm a specific competitor;
Publisher issues license renewals only under restrictive terms which exclude your uses -- for instance, by forbidding use in ways which compete with publisher in new markets;
Publisher goes out of business, and thereby becomes unable to issue license renewals.
It is entirely possible that the author of a piece of GPLed software could be restricted from distributing it by a lawsuit or regulation. It is not nearly so likely that such a restriction would deprive existing users of the right to use the software. Even the authoritarian DMCA does not forbid one from using a piece of infringing software -- only from distributing it.
Naturally, many programs both proprietary and free are used to store data in particular formats. Word processors and databases come to mind. Under subscription licensing, users end up paying for the privilege of accessing their own creations.
Innovating Freedom vs. Innovating New Kinds of Unfreedom
Aside from subscription-based licensure, EULA-covered software has recently come to stand for the innovation of whole new categories of unfreedom. As time goes on, we may reasonably expect that this trend will continue.
For instance, a copy of proprietary software may by default be transferred, like any other piece of property: if you purchase one copy of a proprietary program, you may install it on your computer or give it to your mother to install on hers, but not both. If you want to give it to your mother, you have to erase it from your own system first. Older proprietary copyright notices were particularly fond of the phrase "This software is like a book," meaning that one purchased copy could only be used in one instance at a time. EULA-covered software, however, has come up with new restrictions to forbid this and other acts to which software users are accustomed.
It is the avowed purpose of the GPL to innovate a new category of freedom: a software commons to which all may contribute, but from which nobody may restrict others, with enforcement provided solely by the terms of copyright law. It is the self-evident purpose of EULAs to innovate new categories of restriction: to go beyond the statutory restrictions of copyright, engineering whatever restrictions upon users may be maximally profitable.
One may fairly argue that the GPL does not provide for maximal freedom for programmers, as do the BSD critics mentioned above. However, this is a far and faint cry from the parroted claim that the GPL is morally, legally, or indeed practically equivalent to an EULA.
Developing a Web app with mod_python and PostgreSQL
Frater 219 writes | more than 11 years ago
Over the past few months I have been developing a Web interface to allow host operators at my workplace to request the opening of ports on the firewall. Requests are stored in a relational database; authorized personnel can mark them approved, or download new firewall configuration files based on the approved requests.
It's not really that complex of a project, but I am very glad that I chose the tools that I did to create it: specifically, the Apache Web server, the Python language, and the PostgreSQL database backend. All three have proven exceedingly pleasant and flexible to work with, and showcase one of the practical strengths of open-source software: these products from different organizations and with widely divergent data models and philosophies integrate seamlessly to allow me to get my work done.
Apache and mod_python
Apache provides a powerful yet fast Web front-end, and supports authentication against my workplace LDAP directory, meaning that my own code does not have to think about authentication at all -- all I do is read a username from the Apache request object. The mod_python interpreter (an Apache module that embeds Python into Apache, with dramatically lower overhead and better integration than CGI offers) seamlessly interfaces my Python application logic to the Apache front-end.
Python itself is fun to work with, flexible, and exceptionally easy to debug. There are three different modules for connecting Python to my database backend, each optimized for a different sort of task. All conform to the same API, though, so I can switch from one to another with minimal code changes. The fact that Python (unlike Perl or PHP) hosts an interactive interpreter allows me to test chunks of my code quickly -- and Python's accurate and informative error messages make my own foul-ups easy to find and quick to fix.
I will admit that Python is not the fastest interpreter around. Speed isn't one of my chief requirements, though, and the tradeoff between programmer time and CPU time becomes easier to make on fast systems. (Terrible, I know.) If I were to set out aggressively optimizing this system now, the first thing I would do would be to push various bits of processing into PL/pgSQL rather than Python, so as to cut down on the amount of time spent converting data formats. (I must admit, though, I haven't profiled it.)
Though I come from a Perl background, and though processing of entered text was a major part of this project, I never missed Perl's regular-expression processing in writing my Python application code. I didn't even use Python's regex capabilities: I found myself designing data formats (mostly in dynamic HTML forms) which would require minimal parsing, easily accomplished with basic string operations.
I don't have a great deal of background in the world of relational databases, but I knew that I needed a stronger database back-end than Berkeley DB or GNU DBM for this task. Specifically, I needed to ensure that no front-end application session could violate specific data integrity rules for the stored host information, and that erroneous sessions could be rolled back cleanly. These requirements led me to SQL databases, and soon to PostgreSQL. I'd heard of its more popular counterpart mySQL, of course -- but what I'd heard was database experts pointing out its wrong behavior, its limitations, and misstatements with respect to its capabilities. I also knew of several Web sites that in the past had serious database corruption problems with mySQL. These put a bad taste in my mouth regarding the more popular system, and I turned to its less well-known, but evidently more professional, counterpart.
PostgreSQL was as pleasant to work with as the other tools I've mentioned. I installed it on a system which did the install with no problems. (I'd thought about building it from source, but decided against it on maintainability grounds -- I like to assume that I'm not going to be the last person to work on my project, and so I want to ensure that it is as uncomplicated to upgrade or otherwise maintain as is practical.)
I got some help from a database specialist in defining my tables and data integrity rules. By ensuring in the DBMS that no data could be entered that would violate these rules, I cut out what could have been a major source of ongoing bugs in my application code -- and of user errors. Twice during testing, data integrity exceptions alerted me to errors in my code or logic -- if I'd failed to define foreign key constraints (or used a DBMS that didn't implement them), those errors might have gone into production and allowed malformed data entry. I don't write very buggy code, but I don't believe anyone who says they don't make errors -- so I have great difficulty believing those who say they don't need data integrity checks in the DBMS.
I would strongly recommend that anyone developing database-driven Web applications look into these technologies. For me, they have helped make what looked at the start like a complicated project into something relatively painless. More importantly, their solid performance and reliability has given me the confidence that the application I have written will continue to perform reliably and correctly.
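The following is an added example and not the journal author's application. It shows the shape of the firewall-opening request store the entry describes -- integrity rules enforced by the DBMS rather than by application code, requests that become rules only once approved -- using Python's standard-library sqlite3 in place of PostgreSQL so that it runs offline. The schema, table and column names, the usernames and addresses, and the neutral "permit" rule lines are all this example's own assumptions; the real application read its username from the Apache request object (mod_python's `req.user`) after LDAP authentication, which this example stands in for with a plain parameter. The DB-API calls used here are the same ones the PostgreSQL adapters expose, with `%s` placeholders instead of `?`.

```python
"""Firewall-opening request store with integrity rules enforced by the DBMS.

Added example; not the journal author's code.  sqlite3 stands in for
PostgreSQL so this runs offline; schema, names and rule format are assumed.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE host (
    name      TEXT PRIMARY KEY,
    addr      TEXT NOT NULL UNIQUE,
    operator  TEXT NOT NULL            -- username supplied by web-server auth
);
CREATE TABLE opening (
    id          INTEGER PRIMARY KEY,
    host        TEXT NOT NULL REFERENCES host(name) ON DELETE CASCADE,
    proto       TEXT NOT NULL CHECK (proto IN ('tcp', 'udp')),
    port        INTEGER NOT NULL CHECK (port BETWEEN 1 AND 65535),
    requester   TEXT NOT NULL,
    approved_by TEXT,                  -- NULL until the security team approves
    UNIQUE (host, proto, port)
);
"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # sqlite does not enforce FKs otherwise
    db.executescript(SCHEMA)
    return db


def register_host(db, name: str, addr: str, operator: str) -> None:
    # Parameterised statements throughout: these values come from a web form.
    with db:  # commit on success, roll back on any exception
        db.execute("INSERT INTO host VALUES (?, ?, ?)", (name, addr, operator))


def request_opening(db, requester: str, host: str, proto: str, port: int) -> int:
    """The FK on host and the CHECKs on proto/port reject malformed requests
    regardless of what the application code did or failed to validate."""
    with db:
        cur = db.execute(
            "INSERT INTO opening (host, proto, port, requester) VALUES (?, ?, ?, ?)",
            (host, proto, port, requester))
        return cur.lastrowid


def approve(db, opening_id: int, approver: str) -> None:
    with db:
        db.execute("UPDATE opening SET approved_by = ? WHERE id = ?",
                   (approver, opening_id))


def approved_rules(db) -> List[Tuple[str, str, int]]:
    """Only approved openings become rules; everything else stays denied."""
    rows = db.execute("""
        SELECT h.addr, o.proto, o.port
        FROM opening o JOIN host h ON h.name = o.host
        WHERE o.approved_by IS NOT NULL
        ORDER BY h.addr, o.proto, o.port""").fetchall()
    return [(addr, proto, port) for addr, proto, port in rows]


def render_rules(rules: List[Tuple[str, str, int]]) -> str:
    # Neutral permit lines; a deployment would emit its appliance's own syntax.
    return "\n".join(f"permit {proto} any -> {addr}:{port}" for addr, proto, port in rules)


def demo() -> dict:
    """Constructed walk-through: one approved request, one pending, and three
    malformed requests that the DBMS rejects with IntegrityError."""
    db = open_db()
    register_host(db, "www", "192.0.2.10", "alice")
    ok = request_opening(db, "alice", "www", "tcp", 80)
    request_opening(db, "alice", "www", "tcp", 443)   # left pending
    approve(db, ok, "secteam")
    errors = {}
    bad = {
        "unregistered host": ("bob", "ghost", "tcp", 22),
        "port out of range": ("bob", "www", "tcp", 70000),
        "bad protocol": ("bob", "www", "icmp", 8),
    }
    for label, args in bad.items():
        try:
            request_opening(db, *args)
        except sqlite3.IntegrityError:
            errors[label] = "rejected by DBMS"
    pending = db.execute(
        "SELECT count(*) FROM opening WHERE approved_by IS NULL").fetchone()[0]
    return {"rules": approved_rules(db), "errors": errors, "pending": pending}


if __name__ == "__main__":
    result = demo()
    print(render_rules(result["rules"]))
    print(result["errors"], "pending:", result["pending"])
```

Two practitioner caveats the entry's design implies but does not spell out: the `with db:` blocks make each request a transaction, so a failed insert leaves nothing half-written to roll back by hand, and because the rule generator selects only rows with `approved_by` set, a bug that inserts a request can at worst create a pending row, never an open port.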
Frater 219 writes | about 12 years ago
This is not a list of ways to be stupid. It is not about foolish or immature people trolling, flaming mindlessly, or pandering to one another's prejudices. It is a list of ways that moderately informed people frequently make themselves look as if they just stepped off the clue boat with an empty cart. Its format is to present the general form of a kind of stupidity, and to illustrate it with examples from matters both online and offline. And for the first:
Mistake negative experience for bias. This is a great way to look like a Rondroid: when someone disagrees with you, or criticizes something you participate in, presume that they are motivated solely by prejudice. When someone says they've had bad experiences with a product, a company, or a group of people, with which you are affiliated, dismiss what they have to say as "biased."
The term "Rondroid" comes from the name of L. Ron Hubbard, founder of the Church of Scientology. In the late '90s, a group of online Scientologists took to defending their church's criminal practices by accusing its critics (largely ex-members) of "bigotry". (When that failed, the Scientologists started using denial-of-service attacks and barratrous lawsuits.)
When a person has had consistently unpleasant experiences with a piece of software (one you use and admire!) and calls it "buggy" or "historically insecure", you do neither yourself nor the truth any favor to call him prejudiced. He is not -- he is the very opposite: "postjudiced", as it were; having made up his mind on the basis of experience. If you cannot accept the fact of another's experience, then you should examine your own biases.
Underestimate the importance of individual free choice. By doing this, you look like a Soviet planner. You presume that you, in your wisdom, know exactly how many people should produce toilet paper and how many should grow turnips. By sending all your people to produce toilet paper, you doom them to starvation; by sending them all to grow turnips, you doom them to wiping their asses with dried turnip leaves. Only when people are able to choose in the market which of these necessary trades to follow (by following the money -- when one resource is short, its price goes up) can a dynamic balance be achieved. Excessive planning produces cyclical shortages.
Truth be told, like many economic truths this applies outside the formal (money-driven) marketplace as much as within it. For instance, some have criticized the open-source populace for producing multiple programs to fill a niche -- or for failing to sign on en masse to a single favorite project. "If only everyone would quit making random weird stuff and work on Mozilla, since it is more important!" It is a glad fact that the people who whine thus have no power to make it so, for it is out of today's random weird stuff that the next success comes.
Assume that a perfect consensus exists, then criticize its "members" for inconsistency. This is how to look like a creationist. The method of stupidity here is to create a false stereotype of a diverse group -- making it out to be of one mind and belief -- and then to attack it as "hypocritical" for its internal disagreements, or for failing to live up to your stereotype of it. "How can you Slashdot people buy Lord of the Rings DVDs? I thought you all said DVDs were evil!" This particularly asinine form of strawman argument involves attacking person A for disagreeing with person B -- but only because you assumed that they would agree.
Creationists -- those who deny biological evolution for religious reasons -- often point to minor disagreements among biologists as evidence that evolution is "in dispute" or "under fire" within the scientific community. They claim, for instance, that since gradualists (such as Dawkins) and punctuated-equilibrists (such as Gould) cannot agree on the details of evolution, the whole science must be impossibly flawed. No such thing is the case. Evolutionary biologists do not study whether evolution happens (a settled matter) but rather the particulars of how it happens (a matter still being discovered). To presume that a perfect consensus should exist, and then to sound the alarm at "inconsistency", is to attack a straw man.
Frater 219 writes | about 12 years ago
You cannot make a stream run quietly by dumping more boulders into it. You cannot make a computer system secure by running more software on it.
The antivirus model, the software firewall model, and to a certain extent the NIDS model, are all built on the precept that running more software can make your system more secure, provided that it is the right software. If only you buy the right product -- install the right virus definitions file -- do the right upgrade, your system will be secure. Meanwhile, systems keep getting cracked and worms keep spreading.
"I eat lots of diet food, but I'm still fat."
"I install all these security programs, but I still get cracked."
The insecurity of Windows default installs is not due to their well-known failure to install sufficient security features. It is due to their quiet installation of an excess of insecure
If you are in a position to need antivirus software, your problem is not viruses. If you are in a position to need a rootkit detector, your problem is not rootkits.
"Best practices" cannot improve "worst design".
When you receive virus spam in your email, do not blame the idiot who clicks on attachments. Do not blame the asshole who writes viruses. Neither of them put the feature to execute active content in the idiot's email program.