The [Nokia 770]( has gotten a lot of press in the last couple of days, but it deserves a little more. Nokia has always been hacker and homebrew friendly. Most of their consumer devices use [Symbian](, which provides good docs and runs a fairly useful developer site, and this attitute of openess is a large part of what has made so many Mac users–as well as Linux and other *nix users–loyal Nokia customers. The Symbian docs are what enable enable projects like [The Missing Sync](, and symbian integration with Konact, Evolution, etc. This time, though, Nokia has gone a step further. The 770 will not run Symbian, but instead, a Nokia OS named Internet Tablet 2005, a custom Debain distro based on the 2.6 (currently 2.6.11) kernel.

I know what you’re thinking: we’ve heard this before; and Zaurus was a miserable failure. Where Nokia really shines, though, is with [Maemo](, the 770 SDK and reference platform. Maemo is a Linux (GTK)-based SDK that provides bindings for 770 as well as a virtual machine for testing. This means that anyone can develop for the 770 (and IT2005 products to come) without investing in hardware for testing. It also means that programmers can bring familiar GTK techniques to the IT2005 table, and presumably that applications can be written in any language with GTK bindings and a Linux-based ARM compiler or interpreter. Usually as a developer you get either a virtual machine that speaks a non-standard dialect, or more often, an SDK that runs on the platform itself, which requires the expense of machine to test on. Maemo is a first here, at least when it comes to supporting opensource projects. Better still, provides extensive docs including a fairly well-put-together reference manual and a how-to specifically on porting GTK and Qt apps, featuring gaim as a test case. This is a fabulous resource.

It’s also a clever gimick: Nokia has announced an internet messaging client to be released in Q1 2006. The 770, though, is slated for Q3 2005, so if you want IM before that, you’re going to have to build gaim yourself (or download an rpm deb from somewhere), which should promote familiarity with maemo and the porting process, and spark some fairly rapid porting of critical and popular apps. If Maemo lives up to its potential, this has the potential to be the best example we’ve seen yet of a successful commercial/opensource venture.

I just wish PlamOne would manage the LifeDrive project this way. (via [darla mack](


To get back a little more into tech content:

If you’re like me, you spend a lot of time with a lot of xterms open: local session, ssh sessions, database connections, you name it. Keeping track of all those windows can get confusing, especially if you aren’t always at the same physical console. Different window managers, shells and OSs all suoort different naming conventions, and it’s easy to forget which window is which. Most admins and “power users” have some tricks to help them deal with the mess. The problem is that these solutions are almost always shell or OS dependant. Bash scripts that set KDE window titles. Csh scripts that query `/proc` for process information. That’s how I started out, too: with a bash script called `tl` that I picked up somewhere. I have no idea, now, what “tl stands for (“terminal load”?), but it’s a useful little program. It cats `/proc/loadavg` in a Linux system, and uses that, the neame of the computer, and the current time to dynamically set the titlebar of an xterm session. The problem is, it only works on Linux under bash.

So one day I rewrote it. The result was `tlp` (“tl-perl”), an OS independant script to help me keep organized. Run in the background, it sets the window title to display the name of the machine I’m logged into, the 3, 5, and 15 minute load averages on that machine, and the current time. This lets me take a quick glance across my desktop and get a feel for how my different machines are doing: if usage spikes, I’ll want to look into it, and if the times start drifting, I’ll want to check on NTP before internet apps start complaining.
Read the rest of this entry »

[BSDCan2005]( isn’t even in full swing yet–it kicks off in earnest in about 15 minutes–but the big news has already started to roll in: [Colin Percival]( has detected a potentially serious flaw in Intel’s Hyper-Threading, and his public announcement will be one of the first panels.

> Percival, a FreeBSD committer and security team member, has found a local exploit against the current implementation of Intel’s Hyper-Threading Technology. “Hyper-Threading, as currently implemented on Intel Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and Xeon processors, suffers from a serious security flaw,” Colin explains. “This flaw permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine. Administrators of multi-user systems are strongly advised to take action to disable Hyper-Threading immediately.”

> More details in the KernelTrap announcement.

> [](

According to Colin, the bug affects current SMP-enabled versions of FreeBSD, NetBSD, and SCO OpenServer and UnixWare. OpenBSD is not affected because SMP support in general and HT support in particular is preliminary. The vulnerability may also affect at least some Linux kernels, but we sould know more when the full paper is posted after the talk. Since this is a chip issue, it probably affects several windows versions running on the affected platforms as well, but who’d notice.

On a brighter note, this is not a remote exploit; it allows a malicious user to steal a key from another user (possibly root), but will not actually help an intruder gain access, so while home users and single-user workstations may be affected, they hole is only of real concern for servers.

Yet one more reason to prefer RISC PPC or Sparc platforms, whatever your OS of choice.

[Perl Seminar New York]( sends the following:

> Our final official meeting for the 2004-05 season will take place on the third Tuesday of May at the usual location:

> Tuesday, May 17, 2005, 6:15-8:15 pm
> NYPC User Group
> 481 8 Avenue (Ramada New Yorker hotel)
> Suite 1560
> between 34th & 35th Sts, Manhattan, right near Penn Station

> Our agenda:

> “Higher-Order Perl”
> Mark Jason Dominus’s new work is one of the most eagerly awaited Perl books of recent years. We’ll have a roundtable discussion of HOP — which means get out your credit cards, order it and read it! And better still, bring in programs which you have written which employ the
programming techniques Mark discusses at length in HOP: recursion, iterators, linked lists, etc.

> Steven Lembark: “Little Languages in Perl”
> Steve will discuss Plugin modules that allow for run-time installation of little languages in Perl. Examples will include a generic installer and a Data Manipulation Language that filters the stack. This languague’s compiler is written in Perl and inherits the language tokens and their respective compilers as data objects.

SSH vulnerability?

May 12, 2005

There has been a lot of discussion in the OpenBSD community (and probably elsewhere, but OpenBSD has a special relationship to OpenSSH) over a paper published by some MIT students regarding a supposed SSH exploit. OpenBSD being the system of choice for the Practical Paranoid (as well at the pratically paranoid and plain old paranoid), the idea of an exploit in the secure transfer protocol of choice didn’t go over too well, especially since the first paragraph is enough to send chills down the spine of even the most oblivious Windows 98 user:

> Address harvesting is the act of searching a compromised host for addresses of other hosts to attack. Secure Shell (SSH), the tool of choice for administering and communicating with mission-critical hosts, security critical hosts, and even some routers, leaves each user’s
list of previously contacted hosts open to harvest by anyone who compromises the user’s account. Attackers have combined address harvesting with myriad mechanisms for impersonating a host’s legitimate users to obtain a remote shell via SSH. They have succeeded in breaching systems at major academic, commercial, and government institutions. In this paper, we detail the threat posed should attackers automate this mode of attack to create a self-propagating worm. ([pdf](

That doesn’t sound good at all. This morning, though, I finally got around to reading the paper. What they’re talking about here is reading the the user’s `know_hosts` file, and using that to harvest addresses.

So the attack looks something like this:
Read the rest of this entry »


May 10, 2005

I’m not sure why this didn’t make a bigger splash when it was announced. Maybe it did, and I just had my head under a rock. Either way, in case you missed it like I did, here’s the news: [Toshiba]( reintroduced an updated Libretto on April 20th. Actually, they introduced two: the 1.2GHz U100, and the inexplicably named–not to mention inexplicably configured–900MHz U105. At 8.3″ x 6.5″, these are full featured computers that take up only about twice the space of a Blackbery or Zaurus. Better still, they have Accupoints instead of the joint destroying trackpads most laptop manufactuers insist on shipping. Other niceties include bluetooth 2.0, accelerated (dualband 108Mbps) 802.11b/g (Atheros SuperG), 10/100 ethernet (Intel Pro/100 VE), RJ-11 modem jack, USB 2.0, IEEE-1394 (FireWire/iLink 400), fingerprint scaner, and a cardbus slot. The form facto means there’s no built-in optical drive, but a docking station provides DVD+/-RW.

Looking at the specs, I’m pretty hopeful OpenBSD, or at least FreeBSD or SuSE will run on it. Aside from the 108MBps wireless, the hardware looks pretty standard. And the ath(4) driver gets better every day.

Space-wise, it’s a little cramped. the 7.2″ TFT display means limited screen real estate, even at 1280 x 768, and with .5″ key pitch, the keyboard is only 73% normal size. That will make touch typists unhappy. But if you consider it as essentially a PDA or Franklin-covey alternative, it doesn’t look too bad. I hunt and peck, anyway.

As for design, it’s not all that impressive, except of course, that fitting everything in this case is impressive. The U100 and 105 have essentially the same form factor as the original Librettos, and not much has changed. The new brushed metal top/backplate looks nice, though, and just because it doesn’t have the sleekest lines doesn’t mean it’s too ugly to show off. It’s a charmer.

Color me impressed, and Jealous.

*Or Why You Should Stop Using Word.*

Don’t get me wrong, Microsoft makes a decent word processor, in fact a decent office suite. Office has unsurpassed functionality, isn’t really as bloated as a lot of open source types would have you believe, and crashes far less than it used to. If you’re like me, though, you keep word processor documents around for *years*. If you’re even more like me, a lot of the stuff you’ve kept over the years is in a variety of proprietary formats: WordStar, Word for Windows, Word Perfect from various vendors, not mention some lord knows what salvaged from 5.25″ disks and tape (FormatII? I don’t even remember FormatII, but I’ve got files from it), and Word files of varying versions and vintages written on different platforms. The problem here is that we keep this stuff for a reason, usually having to do with bibliographies or citations (and of course just all that brilliance). But binary data ages very rapidly. It’s difficult for even new versions of the same software to deal with files that are sufficiently old. Footnotes do strange things. headers disappear. Page numbers print in weird places. Trying to import files from one platform to another or one application to another is even worse, especially if the original application is no longer in use. There are however other options, and we’re going to talk about two of them: [Open Office]( and [AbiWord](

Read the rest of this entry »