About

This is the archive page for Antarctica Starts Here.


How about some surreality to cap off a wonderfully weird night?

Thursday 29 November 2007 at 11:25 pm In the words of my namesake, I'll explain later.

First up, one of my fellow retrocomputing aficionados named Toni Westbrook has undertaken an amazing project: Shredz64. Chances are, you've heard of the game Guitar Hero, in which you use a controller shaped very much like an electric guitar to 'play' rock music as a character in a video game. I've never played it, but it looks like it might be neat. Anyway, Westbrook is designing an interface for the Commodore-64 called the PSX64 that will let you hook a Guitar Hero controller up. He's also developing a game that works very much like the Guitar Hero games (albeit with vastly simplified graphics) in which you'll have to hit the proper button on the controller at the right time to hit a scrolling image that roughly corresponds to a musical note on a vertical staff. Westbrook's planning on using .SID or .MOD files for the actual music that the player will hear during the course of the game, and an analysis component that will map notes in the song to scrolling objects?

Make sense? Good. I just re-read that, and I can't figure out what in the hell I just wrote.

In other news, a guy named Ben Lewry worked his old laptop computer into the body of an electric guitar. The LCD panel is directly behind the strings, and the computer continuously runs a visualisation program against the sound produced, the output of which is shown on the display. v2.0 of the TVGuitar includes motion sensors, which add direction and velocity to the frequency analysis feature of the visualiser. Watch the posted videos on the page, it'll make more sense.

This brightens my day somewhat.

Thursday 29 November 2007 at 6:09 pm Information Society's going on tour in 2008. Kurt, Paul, and James got back together after the release of Synthesizer and they're hitting the road. Word on the street has it that they'll be playing songs from all of their albums, and I do mean all of them. If rumour's to be believed, they might even play a song or two from their very early albums from the mid-1980's, like Creatures of Influence.

Geekgasm. Pure geekgasm.

Lyssa and I have already bought tickets to the Philadelphia show on 5 January 2008. Interestingly, the schedule at Dancing Ferret (great job signing InSoc, Patrick) says that they'll be filming for a DVD release of some kind at that show. Could this mean that we'll finally get official recordings of concert footage and (hopefully) their music videos? Only time will tell.

As if that weren't enough, I've been keeping this particular tidbit of news under my hat until after the official announcement was made by Saloncon's staff: The musical guest for 2008 will be the steampunk band Abney Park.

Yes, that maniacal shrieking you heard about two weeks ago was me squeeing with delight.

Looks like Windbringer's on the ropes.

Thursday 29 November 2007 at 5:30 pm I think the USB v2.0 chipset in Windbringer is failing - all USB v1.0 and v1.1 devices I've used work fine, but now the bottommost jack is acting flaky. All storage devices plugged into the bottom are unreliable, and vanish (from the OS' point of view) randomly, leaving stale file handles and hung processes all over the place. I've seen this pattern of behavior before: Once USB fails completely, everything else tends to collapse like a house of cards during flu season.

Stopgap measure: Purchase a USB v2.0 PCMCIA card. Going to do that tonight.

Solution #1: Purchase a new mainboard for Windbringer on the open market because he's out of warranty. Far cheaper than a new laptop.

Solution #2: Purchase a new laptop. I don't have the cash for that right now, though.

Fuck.

Situation report from Austin, Texas.

Thursday 29 November 2007 at 12:14 pm Things have finally slowed down somewhat in Austin, affording me the opportunity to write a long-overdue update. Workdays have been long (averaging thirteen hours out of every twenty-four), which is why I've been quiet lately.

From what I've seen of Austin, it's a pretty nice place. I'm situated a stone's throw from the airport, and within visual distance of the highway system, which has been both relaxing (coming from an urban background) and a pleasant change of pace from the places that I'm usually put up by my employers.

Two nights ago Tiffany (co-worker and fellow foot soldier fighting the good fight) and I found a couple of otherwise unallocated evening hours in our schedules and took the opportunity to visit the local Asian restaurant, named Asia (1931 E. Ben White St.; Austin, TX; 78741; phone 512-445-5117), interestingly enough. It's a combination Chinese and Vietnamese restaurant about four miles as the crow flies from the hotel, a fairly easy trip in the rented pickup truck. Their prices are reasonable, which is to say expect to pay in the neighborhood of $8us for your entree, with a total outlay of $12us for a dinner for one. Their spring rolls were tasty and had an unusual texture (I've never had one before, you see, as I prefer egg rolls to spring rolls), which I greatly enjoyed. Their General T'sao's Chicken (my benchmark for a new restaurant) wasn't overdone, flavorful without a lot of sauce, and even had a slightly crispy coating, which are all positive points in my book. Oddly, they serve Earl Grey instead of green or oolong tea, which was a nice change of pace, and didn't detract from the rest of the meal, I don't think. Overall rating: One and a half flareguns out of four. Stop by this place if you're in Austin, or order takeout by calling them or going to their website.

Someone over at the Puppy Linux project's forums has posted .pet packages of Truecrypt so that you can access your encrypted datastores from a Puppy Linux install on a bootable USB key (my preferred modus operandi) or multisession live CD. I've been testing it and I'm quite pleased with how well it works under Puppy v3.01.

Speaking of working, bad things are afoot these days with Windbringer, who's become my primary workstation in the past year or so. Not only does he run uncomfortably hot now, but I've run into problems with his USB ports conking out for no good reason (both Windows (a project requirement - bleh) and Linux report problems initializing USB v2.0 devices plugged into the uppermost port, though simple devices like keyboards and mice work as expected), which in my experience is never a good sign. This is what happened when Kabuki began to fail back in 2003. I'm considering pricing out a replacement laptop in the next couple of months, because I can't work without a laptop these days, what with all of the field work lined up. Windbringer's got one operational USB port at this time, and I have a USB v2.0 hub plugged into both ports (which I'm using right now to write this post - I've booted my magick USB key from the hub and my iPod's attached to the side, providing music courtesy of GTKpod and Xine). I'm planning on picking up a PCMCIA USB card when I get back to DC, but I've got a really, really bad feeling about this.

It figures that this would happen as soon as I got William Gibson to autograph my deck.

*groan* *wheeze* *hiss* *wheeze* *bworrrrrrp.... THUD!*

Monday 26 November 2007 at 11:09 pm Short, sweet, and to the point because I've been out of touch for somewhere in the neighborhood of a week now. Also because I'm tired, jetlagged, and fighting back a nasty headache that seems to want to reduce my forebrain to a 386.

Last Wednesday night, Lyssa and I drove back to Pennsylvania to spend the Thanksgiving holiday with her family. We spent part of Friday with my folks after several misadventures in trying to find an open bank in the North Hills on Black Friday. We parted company briefly on Saturday, and I traveled back to Pittsburgh to visit my family on Saturday. While there, I retrieved a box of components for a long overdue project, sent the equivalent of a lawnbag full of old clothes to the local Goodwill, and returned with an artificial Yule tree and some clothes that a) I can still fit into, and b) couldn't bear to part with. On Saturday night I spent the evening at my usual table at Eat and Park on McKnight Road with 'lex Pendragon and caught up on old times while drinking far too much coffee.

We left early on Sunday for home, and arrived shortly before 1200 EST. I slept another three hours after unpacking the TARDIS, then got up and set about packing my stuff because I was getting shipped out early the next day. Went out to dinner with Lyssa and Laurelinde that night, and got to enjoy the beer sampler (five mini-pilsner glasses of various small-batch brews) at the restaurant.

I made a couple of fob watch chains which I'm quite proud of. I'll post pictures when I've got it together.

Windbringer's very, very unhappy that he has to run Windows XP for the duration of his project, which I think has something to do with my headache. I've got him booting Puppy Linux off of my brand new four gigabyte USB key, which occupies a place of honor on my fob watch chains. I'm quite pleased with how well the modifications took to the storage chip, too.

Got to fly first class to Austin, Texas courtesy of $contractor{$one_step_above_us}. Forget being the first on and off of the plane, I'm happy that I had enough leg room for a change. This is truly the only way to fly. To compensate, my flight was delayed 45 minutes due to a paperwork snafu somewhere and the 'premium TSA security queue' at Dulles was twice as slow as the usual line.

Bloody huge hotel room with a full-size corner desk. I could use this as a workbench if I had to. Will post pictures of the awesome digs later. Too bad setting the alarm clock's damned near impossible - the instructions on the clock don't work.

So far as I know Pretend To Be A Time Traveler Day festivities in DC are still a 'go', but I really need to hear from interested people. Reply to this post, if you will, so that we can plan better?

My head's killing me. Off to bed.

Documents under constant revision.

Tuesday 20 November 2007 at 11:14 am 'Living documents' will undergo major revision immediately after all team members print it out.

Caller ID-spoofing 911 callers busted!

Friday 16 November 2007 at 3:50 pm Late in October of 2007, a story hit the news wires about people getting raided by local SWAT teams because someone had called up the local 911 services and claimed that gang wars had broken out, heavily armed people on drugs had killed their families, and stuff like that. Some pretty bad things went down as a result, and as one would expect law enforcement doesn't take kindly to anyone monkeying around with their communications networks, especially when lots of heavily armed cops wearing body armor are called out as a result. A subsequent investigation revealed that a group of phone phreaks around the country have been behind the so-called jokes that resulted in the homes of a number of innocent families being raided, and the police have repaid the favor in spades. As it turns out, they were using caller ID spoofing techniques to make the calls appear to come from different home addresses, which fooled the 911 call center staff into thinking that something was truly amiss. Interestingly, the group used a number of techniques to pull this off, from good old-fashioned social engineering over the phone to what appears to be cracking the switches that route calls from point to point. In some instances, systems were supposedly compromised so deeply that members of the group could listen in on phone calls elsewhere, probably by enabling and abusing the three-way calling functionality of those telephony switches. Another member of the group had access to LexisNexis and was doing go-tos on at least some of the targets, either to figure out the address to spoof or to determine how best to fuck with the targets.

Serious vulnerability found in elliptic curve PRNG - cryptographers freak out.

Friday 16 November 2007 at 2:01 pm Pseudorandom number generators are a major component of cryptographic systems, used to pull values out of thin air for the purposes of generating session keys and the bignum components of crypto keys, among other things. This is done so that an eavesdropping attacker can't predict ahead of time what a particular key is going to be and decrypt traffic as it's transmitted. Another reason is that it's easier to generate a pseudorandom number and check it for certain properties all at once than it is to work up such a number by hand and check it against those properties every step of the way. For example, generating really big prime numbers is hard to do for a person, but easy if you start pulling 128 digit numbers out of your ear and testing them to see if they're really prime using various and sundry techniques that I won't bore you with here.

Incidentally, I say pseudorandom because, by the strictest technical sense, the numbers thus generated aren't actually truly random because they are determined to a large degree by carefully engineered algorithms that are fed values from different parts of the computer they're running on. It is common for such a PRNG to be fed the current system clock time, number of packets received on all of the network interfaces, the number of interrupts logged by the OS' kernel, the number of processes running at that particular moment (down to the millisecond), and other stuff like that. The seed values would be damnably difficult to predict because they change faster than people can think. Still, they are close enough to being truly random that they are considered useful for cryptographic use.

Anyway, to keep up with the times, NIST (National Institute of Standards and Technology) is working up a new standard designated 800-90, which describes four methods of generating pseudorandom numbers, which the document refers to as DRBG's, or deterministic random bit generators, each using a different method. One of those generators, called Dual_EC_DRBG (dual elliptic curve deterministic random bit generator.. who came up with that?!) uses a method of generating random values using elliptic curves, a particularly arcane mathematical sub-field that involves points on a curve, a set of coordinates on a two-dimensional grid, and the equation defining the shape of the curve.

The problem is this: Two cryptographers named Dan Shumow and Niels Ferguson figured out that the equation and set of points NIST was thinking of ratifying as a standard (it's in the linked .pdf document at the top of page 58) is not just slightly biased toward one group of output numbers or another (this has been known since 2006), but that the constant values Q on the elliptic curve defined in the spec (Appendix, page 74) are actually based upon a common secret number.

"But Doc," you're probably saying to yourselves. "What in the hell does it mean?"

Just this: Each constant Q of the curve has a component that isn't immediately apparent, e, so each Q is actually some other number.... let's call it charlie raised to the power of e. This means that if you know value e, you then have insight into the state of the algorithm at any particular step of the process (read the other linked .pdf file, Shumow and Ferguson's presentation - it's short), and thus can figure out what the input of the algorithm was by performing some computational magick on just 32 bytes of encrypted traffic (or about four typed characters, assuming 8-bit bytes) and determine the rest of the plaintext, or data before encryption. Decrypt-a-mundo.

Who knows what that magick value e is? Nobody knows. Probably whoever came up with the constants Q in the first place, because the name of the person or organization isn't anywhere in the document.
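The relationship described above, as an added example (not code from the original post, from NIST, or from Shumow and Ferguson): a simplified Dual_EC_DRBG-style generator on P-256 whose Q is constructed here as e times the base point, showing that whoever holds e can rebuild the internal state from one output block and predict every later one. The secret `e`, the seed, and the reduced `drop_bits=8` truncation (the standard's P-256 variant drops 16 bits) are assumptions made for the demonstration.

```python
"""Simplified Dual_EC_DRBG-style generator on NIST P-256 with a CONSTRUCTED Q.

No reseeding or additional input. Q is made up for this demonstration; it is
not the Q from the NIST draft, whose corresponding e (if any) is unknown.
"""
FP = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # field prime
A = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)  # point P


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if x1 == x2:  # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    if x >= FP:
        return None
    rhs = (x * x * x + A * x + B) % FP
    y = pow(rhs, (FP + 1) // 4, FP)  # square root, valid because FP % 4 == 3
    return (x, y) if y * y % FP == rhs else None


class DualEC:
    def __init__(self, state, Q, drop_bits=16):
        self.s, self.Q = state, Q
        self.mask = (1 << (256 - drop_bits)) - 1

    def next_block(self):
        self.s = mul(self.s, G)[0]                  # s <- x(s * P)
        return mul(self.s, self.Q)[0] & self.mask   # r <- x(s * Q), top bits dropped


def recover_state(block1, block2, d, Q, drop_bits):
    """Holder of d (with d * Q == P) rebuilds the state from two output blocks.

    block1 is x(s * Q) minus its top bits. Guess those bits, lift to a point
    R = +/- s * Q, then x(d * R) = x(s * P) is the generator's NEXT state.
    block2 is only used to tell the right guess from the wrong ones.
    """
    keep = 256 - drop_bits
    for hi in range(1 << drop_bits):
        R = lift_x((hi << keep) | block1)
        if R is None:
            continue
        s_next = mul(d, R)[0]
        if mul(s_next, Q)[0] & ((1 << keep) - 1) == block2:
            return s_next
    return None


def demo(drop_bits=8):
    e = 0xC0FFEE_D00D_2007          # constructed secret behind Q
    Q = mul(e, G)                   # published constant: looks like any other point
    d = pow(e, -1, N)               # d * Q == P, known only to whoever chose e
    victim = DualEC(0x5EED_2007_1116, Q, drop_bits)   # constructed seed
    b1, b2 = victim.next_block(), victim.next_block()
    clone = DualEC(recover_state(b1, b2, d, Q, drop_bits), Q, drop_bits)
    predicted = [clone.next_block() for _ in range(3)]
    actual = [victim.next_block() for _ in range(3)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo()
    for p, a in zip(predicted, actual):
        print(f"{p:062x}  match={p == a}")
```

Nothing in Q itself reveals whether such an e exists. A Q derived verifiably, for example by hashing a published seed to a curve point, gives nobody that shortcut.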

Grassroots mycoremediation in the Bay area.

Friday 16 November 2007 at 08:56 am If you've been watching the news these past few days, you've probably come across the brouhaha over a fuel tanker crashing into the San Francisco Bay Bridge, dumping tens of thousands of gallons of petrochemical fuel into the water and forcing a number of beaches to close, to say nothing of the impact upon the environment. San Francisco, long a haven for the unconventional, unusual, and inventive, has birthed an unusual and effective method for cleaning up and disposing of the spilled fuel: Pads made of human hair and oyster mushroom mycelia. The principle underlying the effort is a simple one: Human hair has an amazing capacity to absorb oil of all kinds, from the fatty compounds produced by the skin, which serve to keep hair supple and untangled to motor oil that happens to be sprayed in your face the first time you try to change the oil in your car yourself (don't ask). It's a simple matter to go around to hair stylists and salons and bag all of the hair that would otherwise be swept up and thrown in the trash. This then leaves the problem of disposing of the fuel after it's been sopped up, a task accomplished by the oyster mushrooms. Petrochemicals, toxic though they may be, are still organic compounds in that they're largely composed of the same elements as lifeforms as we know them (carbon, hydrogen, oxygen, nitrogen, phosphorus, et cetera). Mushrooms and fungi in general occupy the degenerative role in the planet's ecosystems, which is to say that they are responsible for the decay of dead organic material, which returns nutrients and simple chemical compounds to the soil for re-use.

In this particular example, the oyster mushroom mycelia are seeded in layers with the oil-soaked mats of hair and allowed to develop. The mushrooms break down both the hair and the petrol to fuel their growth and fix the toxic compounds in such a way that they are no longer harmful (or at least are far less dangerous to the environment than before) as a side effect. As it turns out, oyster mushrooms have a knack for digesting petrochemicals like oil and various fuels, which is why they were selected. I'd call this a sterling example of grassroots mycoremediation, or as Gibson once put it "The street finds its own uses for things."

White House staff ordered to follow national archival law.

Friday 16 November 2007 at 08:32 am The Bush regime has been notorious from the beginning for violating a basic federal law, the Presidential Records Act of 1978 (44 USC 2201-2207), which states that all presidential correspondence and communications must be permanently archived. Bush is interesting in that he is the first president to outright ignore e-mail from his constituents, which caused a minor scandal until American Idol hit the airwaves back in the early years of this decade. At any rate, this matter keeps popping up like a bad penny, most notably White House staff members using GOP e-mail servers to avoid the archival of their e-mail earlier this year. This became a major issue during the investigations of Jack Abramoff and the dismissals of eight US Attorneys from the Justice Department. The National Archives have put their foot down and demanded that the White House start archiving all of its e-mails henceforth after a joint lawsuit filed by the National Security Archive and Citizens for Responsibility and Ethics In Washington made it to the federal level.

Sadly, this is a matter of too little, too late. If a message was never sent over the White House network, it's gone, and good luck subpoenaing the RNC's e-mail servers. They've got the clout to keep legal proceedings tied up for a very long time, certainly long enough for a batch of hard drives to conveniently go bad. Then again, given the way most people back up their data, they wouldn't have to pull any dirty tricks to keep their e-mails away from the court.

Military develops firewall appliance for battlefield networks.

Wednesday 14 November 2007 at 4:01 pm Following battlefield tales that Hezbollah had compromised the IDF communications network during operations in Lebanon last year, defense contractors have developed Meshnet, a hardware and software firewall appliance to protect the data networks of battlefield equipment, on the chance that someone would figure out how to infect them with malicious agents of some sort in the near future. Meshnet is supposedly based upon the Sidewinder Security Appliance from Secure Computing, but includes specialized hardware that deals with the network protocols and connection gear used in the control systems of tanks, armored personnel carriers, or what have you along with anti-spyware and antivirus software. They've probably stepped up the development of such a device because a lot of gear in the field uses COTS (Commercial, Off The Shelf) hardware and software to accelerate development and reduce production cost. Why spend hundreds of millions of dollars to develop something entirely new, so the reasoning goes, when you can spend tens of millions of dollars to assemble a device from commodity components and known and documented software?

There's a downside to using COTS components in military gear, though: If it's on the open market, chances are someone's been finding vulnerabilities to exploit in it, and the bugs in a desktop copy of Windows XP and a copy of XP running in a networked backpack computer in the Middle East are probably the same. There is also the hazard of outsourcing the development of military combat software to software development companies overseas, the possibility of the code you get back containing backdoors, boobytraps, or other logic bombs that could be remotely exploited by the other side (or whomever the development company sells knowledge of the logic bombs to). Or, there's always the possibility that the PDA issued to someone in the field was used to browse a porn site the last time they were off duty (don't laugh, it's happened) and the device wound up infected with an exotic form of poorly written malware that causes the device to malfunction. It's a paranoid thought, to be sure, but stranger things have happened, and the last thing anyone wants is a semi-autonomous drone aircraft going haywire and crashing headlong onto a military base in Iraq. It's all too possible.

What gets me about these articles is this: By designing a firewall/antivirus/anti-malware fitting for military field equipment, there is a strong implication that a) it is possible to connect foreign data storage media into the command mechanisms of said equipment (which is a huge no-no whenever the DoD is involved), and that b) it is possible to directly access the command mechanisms of said equipment via the communications module. Or, to use my generation's metaphor for this sort of thing, they put a modem on the computer at NORAD that could start World War III, and a high school kid cracked it. It would be a horribly dangerous thing if someone did just that - hooked the radios directly into the navigational or weapons systems, providing a direct route of compromise into things that no one outside of the cockpit should have access to.

One could further postulate that requiring such a device to protect the internal command network of (for example) an M1 Abrams tank means that they don't have tight administrative control over their equipment. If you don't want people putting data onto or taking it off of your systems, control the access ports: Take out the floppy and CD-ROM drives and superglue the USB ports shut, as well as configuring the network-aware software to disallow ad-hoc data transfers. Or, don't even get equipment that has those I/O devices to begin with - you'd be hard pressed to make a convincing argument to a military engineer that you really needed a miniature all-in-one memory card reader in a helicopter. If you don't want outside attackers messing with your data while it's in transit, strongly authenticate all connection attempts and encrypt the traffic. In other words, I don't like what this is suggesting.

It is also entirely possible, I hasten to add in the interest of fullness (as if a topic such as this could be discussed in its entirety in a single post) that this is a belt-and-suspenders countermeasure: The specifics of the technologies protecting military C&C (Command and Control) are classified, and this is one more defensive measure that would have to be overcome in the event of a security compromise, part of a strategy called defense in depth by the information security industry.

I really hope that I'm just wondering idly, and that some of the bad scenarios up there really won't come to pass because someone in a lab someplace knew better.

Practical HERF: No longer an urban legend?

Wednesday 14 November 2007 at 11:15 am For years, HERF weapons (high energy radio frequency) have been the stuff of science fiction and urban legends of the hacker underground. The underlying premise is simple: Integrated circuitry is vulnerable to various forms of radio frequency emissions, and such interference can either disrupt the functioning of or outright destroy circuitry. In theory, these weapons are relatively easy to construct with a decent grasp of electronics and high voltage electrical engineering with readily available parts, but actual examples of such are rarely verified. Personally, I've heard some tales coming out of a certain hacker con in the west (which was disproven) and one or two tales from some friends who are police officers on the eastern seaboard, but that's certainly not the same thing as watching such a device operate firsthand.

Until now, if reports are to be believed.

A company called Eureka Aerospace has developed under contract HPEMS, High Power Electromagnetic System, which is a weapon designed to disable vehicles by interfering with the operation of the computers controlling the engine and electrical system. The HPEMS units are designed to be attached to patrol vehicles and powered from the alternator and were designed primarily with land-based facilities in mind (namely, factories, government buildings, and military bases) though there is also a variant that can be worked into a helicopter and used to protect offshore assets, such as oil rigs. Testing is complete and full-scale HPEMS weapons will be released on the open market (with a hefty price tag, no doubt) within eighteen months' time.

The basic idea is that an oscillator produces signals in the radio frequency spectrum (the online documentation says between 350 MHz and 1.35 GHz), which are then directed via a number of possible antennae (the examples given were horn, spiral, and impulse radiating antennae) toward lightly protected areas of the target vehicles. Because metal is an excellent shield for RF interference, you can't just blanket an area with a pulse and hope to take down a target; the user would have to aim at locations that permit access to the engine, such as the radiator grille, the windows, or a gap in the chassis of some kind so that the RF pulse could penetrate. Effective range at these power levels is in the neighborhood of 15 meters, though they're working on beefing up the range to 50 meters without impacting the usability of the HPEMS device.

Geeky pontification underneath the cut...

I would've written something but there was this duck...

Tuesday 13 November 2007 at 09:09 am The past two weekends have been more or less non-stop running around so I haven't been writing about them lately. To make a long story short, Lyssa and I are fixing up the apartment a bit more and so are doing quite a bit of reorganizing. This weekend just passed we bought a new dresser from Ikea which wound up being an all weekend job of assembly. Last night we had to run back out there (and made it from Virginia to Maryland in record time on the beltway let me tell you, though most of it was due to Veteran's Day) to pick up some replacement hardware (as always, there were a few pieces missing from the kit) and mounting screws for the closet organizer. Hasufin was nice enough to lend us a power drill which, when coupled with the drill-to-power driver adapter kit from Home Depot made short work of the rack of organizer hooks.

Now it comes down to going through our respective sets of clothes, picking out the ones we don't wear anymore to donate, and swapping warmer weather garments for colder weather, as well as cleaning up the kitchen and library (the latter I think will wait until this weekend, actually). It's probably time to cull the contents of the bookcases and either take them to Goodwill for donation, or take them to the local coffee shop to leave them for others to read.

On other fronts, this marks my second week not in the field, not that I'm complaining any. If nothing else, it's cheaper to do laundry at home than it is in a hotel. On Sunday Lyssa and I visited Bronwyn and Laurelinde in Maryland, and spent the afternoon lounging around the house watching Babylon-5 on DVD (we're trying to get Lyssa hooked) while I worked on squeezing a few more compute cycles out of Bronwyn's laptop computer (which is regrettably infected with Windows Vista) and making a few more pocketwatch fobs out of sundry odds and ends laying around the apartment. Laurelinde was kind enough to roast a chicken in the oven for dinner, and we'd stopped off to pick up pumpkin pie from Whole Paycheque for dessert.

It's finally starting to turn cold in DC. Temperatures were in the high 70's and low 80's all the way up to Halloween this year, after which things turned colder, wetter, and more grey in short order. It finally feels like fall's come to the east. I was wondering how long the warm time would last, and what its possible effects would have been, but now it's academic.

As for two weekends ago (my first at home in a while) Lyssa, Laurelinde, Hasufin, and I braved DC traffic in the TARDIS to visit Spellbound, a new gothic and industrial dance night every Saturday in the DC metroplex.

We've found a new weekend home. You have to love a nightclub where not only is there garaged parking a block away, but it's on the main drag of the city so it's easy to find, and where the people there don't take themselves seriously to a painful extent. Case in point: A selection of the music in a one hour period included Covenant, Underworld (old school trance), the Sisters of Mercy (This Corrosion, of course), Siouxsie and the Banshees, and Deee-Lite.

Yeah. Groove Is In the Heart packed the mother lovin' dance floor (it was rescued from Nation before it closed in 2006; the parquet shows its age and needs repairs in one or two places, but it's the same wood). We like it there, we do.

The cover charge is reasonable, and $10us to park in a secure garage a stone's throw from the basement club is hard to beat. The bar also has a small kitchen, so you can grab a bite to eat while you're there if you so choose. They've also tuned the sound system so that hearing protection isn't required to have a good time, though of course I recommend that everyone purchase a baggie of disposable rating-29 earplugs at the drugstore for a couple of dollars American. There's no sense in doing any more damage to your hearing than usual, is there?

In short, if you happen to be in DC on a Saturday night and G/I is your bag, hit up Spellbound. You won't be sorry.

Hushmail rolls over on some of its users.

Thursday 08 November 2007 at 1:23 pm For years, the webmail service provided by Hushmail has been an example of weak anonymity and privacy: They don't ask for much to set up an account, they will happily auto-generate an e-mail address for you, users connect via SSL, and they will encrypt and digitally sign any messages a user sends through their service. They also claim that all messages are stored in encrypted form on their disk arrays, so that even if someone did demand a copy of a message from a certain address it would be worthless to them (ostensibly, public key encryption is used on the back end to store data, regardless of whether or not you asked for messages to be encrypted). They've been advocates of PGP for as long as they've been around, in fact. Or, at least they were until they were forced to find a way to decrypt 12 CD-ROMs worth of mail from three e-mail addresses and turned the data over to the courts. And find a way they did, to the satisfaction of the court.

Hushmail has two basic modes of operation: Either you connect to their webmail site, do your thing, and let them handle all of the encryption on the back end, or you connect to a page on their site which implements some degree of the encryption and digital signing process on the user's side through a Java applet running in a web browser (which, unless it's one of those times that Java fouls up, is also entirely transparent to the user). The problem with the former method is that the user's passphrase is used on their side of the link in the encryption and decryption processes - meaning that someone sitting on their servers could get hold of it and use it to decrypt your data on their disk arrays.* Presto: No more privacy, no more anonymity for that user. In the latter case (doing all of the cryptographic heavy lifting in the web browser), the user is dependent upon the Java applet provided by Hushmail. A Java applet that could be switched out for one tailored to get hold of your data and possibly location depending upon the needs of whomever is leaning on them. It is entirely possible that, for a subset of their users, they are served a modified Java applet that captures the user's passphrase and sends it back to Hushmail along with a copy of the encrypted message as part of the surveillance effort, or an applet that implements a compromised though still mathematically valid version of the encryption engine. Either way, their promise that they don't even know what's in your encrypted messages is no longer valid.

In short, Hushmail isn't so trustworthy anymore. Now deciding if you want to go with them as one of your webmail providers is a bigger, more important question.

* I'm simplifying things somewhat, based upon how public key encryption and digital signatures would have to be implemented in a web browser/web server environment, but essentially it would have to work in this manner.

US House of Representatives passes workplace LGBT rights bill.

Thursday 08 November 2007 at 10:01 am After months of campaigning, pulling wires, writing letters, sending e-mails, and making telephone calls, we've managed to score a victory in the US House of Representatives - yesterday they passed a bill that would make it illegal to discriminate against gays, lesbians, and bisexuals in the workplace. We've been working towards this for close to three decades now, and quite frankly it's about time. This is the twenty-first century, and the fact that it was ever possible to be fired because of whom you happen to fancy during off-hours is as antiquated a notion as serfdom. Unfortunately, and this is what I think makes the victory bittersweet at best, the bill probably would not have passed had 'transgender' been included in the list of people covered by the bill. The way American culture has developed over the years, more people can wrap their heads 'round being sexually attracted to people with the same bits as yourself, but feeling as if you've been born into the wrong body still doesn't make sense to most people.

One step at a time, I suppose. That's the only way anything ever changes without a forklift upgrade: One step at a time.

Speaking of steps, this isn't the last step in the process. The bill is now headed for Congress, where political analysts don't think that it stands much of a chance. Even if Congress were to pass it, George W. Bush has promised a veto of the bill (one of the few vetoes that he'll have signed during seven years in office).

As if that weren't enough, the politically active side of the LGBT community has been debating ENDA for weeks. Dropping the transgender category from the bill made a lot of folks on all parts of the map angry, along with the realization that the United States isn't sufficiently evolved in consciousness or culture to handle such a thing. Supporters of the ENDA bill were also quite fatalist about the whole thing, chief among them representative Jerrold Nadler of the state of New York, who was quoted as saying "That would be a very difficult judgment to make if in fact this bill was going to be passed into law. ... But that's not our choice now. Because this bill isn't passing."

Way to be supportive, Jerrold. That gives your fellow representatives a lot of confidence, as well as bolstering their conviction that they're doing the right thing.

The only thing that we can do is start hammering on Congress to pass the bill. Remember, Congressfolk are elected by the people of the state that they're attached to - you are their constituents. They are supposed to represent the wishes of you who voted them into office. If you're the sort to contribute to someone's campaign, keep an eye on how they vote and if they don't act in your best interests, for pity's sake don't give them any money. If you're the sort to volunteer as a campaign assistant, you're closer to them than a lot of us, so don't be afraid to make the wishes of the category you identify with known. Everyone should be voting, so keeping an eye on how your elected reps vote is crucial. I've said it before and I'll say it again: They're supposed to listen to the people who elected them. If they don't... don't vote for them.

There are only two things that politicians will listen to that come from our level, and that's campaign contributions and your votes. Hit 'em where it hurts if they don't listen.

Were they looking for terrorists or a Grateful Dead concert?

Wednesday 07 November 2007 at 11:40 am The Federal Bureau of Investigation is so hot to uncover dastardly plots of domestic terrorism in this country that, for a time at least, they were mining such fields of data as who bought what from middle eastern grocery stores to determine who might be a religious extremist and terrorist. Yep - they thought sales of falafel might help them generate the results that they're pressured to produce for the people on high. Thankfully, common sense prevailed (did they hire a four year old to check their logic or something?) and they spiked the plan in 2006. The article makes a point that is probably not going to get the airtime it deserves, and that is that many of the Iranians living in California have been there since 1979, when they left Iran after the Shah (who was friendly toward the United States) was overthrown. Not exactly the sort of people who would cause trouble in their new home one would think, though to play devil's advocate for a moment there would probably be one or two people who switched 'sides' (as They're fond of saying) if you look at things from a statistical perspective.

Makes you wonder what else our tax dollars are going to, doesn't it?

Sorry 'bout the downtime, folks.

Wednesday 07 November 2007 at 10:47 am A good bit of yesterday was spent monitoring Leandra as she upgraded her systemware and applications, which amounted to watching the output of various compilation batches (thank you, Portage) and making sure that nothing went horribly wrong. However, something did, in the form of a major change between revisions of the Apache web server, which had the net effect of making all of the config files obsolete and unusable. I discovered it last night while watching Leandra boot back up, but was too tired after work to do anything about it.

It appears that service is restored to all of the hosted sites (especially after recompiling PHP) and restarting the web server. If something's broken, please let me know.

And now, here are some updates to my .plan file. Some of the quotes are probably not safe for work, as usual.

One of these days I'll get the next batch of photographs up, as well as another "what I did last weekend" essay.

Either their physical security sucks, or someone planned a hardcore black op.

Monday 05 November 2007 at 12:59 pm CI Host, a professional colocation facility based out of Chicago, Illinois, is ostensibly paid by many small businesses to host servers for them, or provide managed hosting space for websites, e-commerce sites, and what have you. What they don't tell you on the Flash-enhanced frontpage of their website is that they've been broken into four times in two years, and I don't mean that someone cracked their network, I mean that a team of burglars broke into the facility, took out members of the on-site staff, and stole thousands of dollars of equipment. A team of physical intruders cut its way into the building at least once with a power saw, tortured the night manager with a stun gun (please keep in mind that stun guns and Taser guns are very different weapons; the former is a close-range contact weapon while the latter is technically a projectile weapon), and then walked off with twenty servers. As if that weren't enough, CI Host hid the fact that they'd been burglarized from its customers.

I don't know if they're lying through their teeth about their physical security, if their security sucks a lot more than they think, or if criminals these days really are that well equipped and putting that much time and effort into planning heists. Regardless, it's definitely time to think about the places you're paying to host your data because the stakes are now much higher than previously believed.

I can't shake the feeling that this feels like something out of the plot of a children's cartoon show from the 1980's.

Oh, by the way, someone leaked the police reports from the first three break-ins. Check it:

Reclamation of personal space through application of superior RF output.

Monday 05 November 2007 at 11:46 am I think that it's safe to say that everyone's been annoyed at one time or another by someone in a restaurant, on a bus, or in a store who was carrying out a loud conversation on their cellular telephone and refused to make any effort to leave the area. Now, there are some of us who sometimes don't have a choice in the matter (like those of us who are on call for work, though many of us at least make the attempt to get away from everyone else in an attempt to not be rude), but there are others who simply don't care, and won't even try to go someplace away from others. As a reaction to this phenomenon, people are designing and selling jammers that block all cell reception in a limited area to force those people to shut up. I suppose it says something about politeness and decorum these days that there are people who'll jump past "Could you please keep it down?" and go right to the heavy artillery. Right now, the jammers are produced overseas (outside of the jurisdiction of the FCC) but they've noticed the numbers with which they're being imported into the country, probably at the request of the cellular telephone industry, never mind the fact that jamming for any reason is illegal in this country. Some of these devices are powerful enough to block out reception in an entire building; others are about the size of a pack of cigarettes and can create a 30 foot bubble without cellular contact as long as the power cells hold out.

Now, as much as I'm a fan of reclaiming space, I have a problem with this because, as the FCC so astutely observed, these devices have the potential to cause harm to people, in the form of emergency calls not getting through. I can't help but think back to the fall of 2001 when I saw a young woman on a bicycle hit by a car on the campus of the University of Pittsburgh. Needless to say, I and a number of other people within eyeshot called 911 within seconds, but we wouldn't have been able to do anything if someone had one of these jammers with them. Given the attitudes of some of the people who carried jammers with them, I can't help but wonder if they would have turned it off or not at that moment.

I don't know yet if anyone's developed a device that could take down the next biggest source of noise pollution in this country, iPods cranked up loudly enough that I can hear the music ten feet away.

Shell script: truecrypt-1.0.sh

Thursday 01 November 2007 at 12:05 pm To scratch a frequently encountered itch, namely mounting and unmounting Truecrypt volumes on USB keys and external drives on a number of systems in a day, I wrote a shell script that automates the command line arguments that I use most often as well as making it simpler to assume root privileges to do so. The script is designed to be kept on the key along with the encrypted datastore, though it could also be placed on each system in a publicly accessible location (such as /usr/local/bin).

The script assumes that it'll be run on a UNIX (-alike) system with both Truecrypt and sudo installed, and that the user accounts which have need of Truecrypt volumes have been configured to mount and unmount said volumes with a line similar to the following in the /etc/sudoers file:

%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt

If the user account in question has sudo access but must supply their password to authenticate, the sudo utility will automatically prompt the user for it per usual.

It should work on pretty much any Linux system that meets these requirements (it was developed on Gentoo). If you keep copies of this script with the datastores, you'll either have to mount the key without the 'noexec' option (set in /etc/fstab), or you'll have to perform some shell interpreter gymnastics (/bin/bash /mnt/usb_key/truecrypt.sh mount /mnt/usb_key/foobar.tc /home/vector/mnt) to get around that.

Options passed to the Truecrypt executable are simple and hard coded. If you need anything different, you'll have to edit the script, which is a trivial exercise. The command truecrypt.sh help will display the online documentation.

Download truecrypt-1.0.sh (digital signature - gpg --verify truecrypt-1.0.sh.asc to verify download; signed with my public key)
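A minimal sketch of a wrapper of the kind described in this post, added here as an illustration; it is not the contents of truecrypt-1.0.sh. It assumes that "truecrypt VOLUME DIR" mounts and "truecrypt -d VOLUME" dismounts, and the function names and the TC_DRY_RUN switch are hypothetical. Because the sudoers line lets the binary run as root without a password, the sketch only hands it absolute paths that exist.

```shell
#!/bin/sh
# Added example: mount/unmount wrapper sketch, not the original script.
# Assumed invocation forms: "truecrypt VOLUME DIR" mounts,
# "truecrypt -d VOLUME" dismounts.
TRUECRYPT=/usr/bin/truecrypt    # same path as in the sudoers line

tc_usage() {
    echo "usage: truecrypt.sh mount VOLUME DIR | unmount VOLUME | help"
}

# Only absolute paths reach the root-run binary: a relative name starting
# with "-" would otherwise be parsed by truecrypt as an option.
tc_abs() {
    case "$1" in
        /*) return 0 ;;
        *)  echo "not an absolute path: '$1'" >&2; return 1 ;;
    esac
}

# Run the command, or just print it when TC_DRY_RUN=1 (hypothetical knob).
tc_exec() {
    if [ "${TC_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

tc_main() {
    action=${1:-help}
    volume=${2:-}
    dir=${3:-}
    case "$action" in
        mount)
            tc_abs "$volume" && tc_abs "$dir" || return 1
            # Accept a container file or a block device (external drive).
            [ -f "$volume" ] || [ -b "$volume" ] ||
                { echo "no volume at $volume" >&2; return 1; }
            [ -d "$dir" ] || { echo "no mount point at $dir" >&2; return 1; }
            tc_exec sudo "$TRUECRYPT" "$volume" "$dir" ;;
        unmount)
            tc_abs "$volume" || return 1
            tc_exec sudo "$TRUECRYPT" -d "$volume" ;;
        help)
            tc_usage ;;
        *)
            tc_usage >&2; return 2 ;;
    esac
}

tc_main "$@"
```

Setting TC_DRY_RUN=1 prints the sudo command line instead of running it, which is a quick way to check what would be passed to the root-run binary on a new system.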