Identity and hypocrisy

September 20, 2007

I realized today that I’m a hypocrite.

On the one hand, I’m a big proponent of OpenID. I think that tying identity to individuals, rather than services, makes sense and is the only sensible way to handle id management on the internet.

That doesn’t mesh well, though, with my general security policy and open derision for people who use the same password for everything. OpenID is essentially using the same password for everything, or at least it’s the same single point of failure security model. I guess I’ll have to lay off the single passworders.

People who use short, all-lower-case, dictionary words are still firmly in my sights, though.


As Ryan over at 27B/6 reminds us, it’s the World Wide Web’s birthday! 15 years ago yesterday Tim Berners-Lee posted a message to the alt.hypertext newsgroup announcing CERN’s W3 project and offering “a prototype hypertext editor for the NeXT, and a browser for line mode terminals which runs on almost anything” to anyone who was interested. Ryan sums up the past 15 years beautifully:

> And on a more serious note — thanks Mr. Berners-Lee. Thanks.
>
> Your gift to the world turned out to be more than just a world of data — WWW is the most thriving democratic and anarchic human artifact ever created.
>
> WWW is the commons without the scarcity.
>
> WWW is beautiful and boring and ugly and life-altering and mundane, dangerous in places and as banal as a strip mall in others.
>
> WWW strikes fear into the hearts of dictators, prudes, law enforcement agencies, media conglomerates, fundamentalists, and self-appointed protectors and censors of children.
>
> WWW made possible Wikipedia, online dating, Craigslist, the United States Geological Survey’s earthquake site, political satire, 500,000 bad blogs and 5,000 great ones, Mahir Cagri’s homepage, online maps, a million YouTube videos, Woot.com’s bargain of the day and TechMeme’s ever updating internet newspaper, among thousands of other innovations and flowerings of personal expression and political action.

He also gives us all a challenge. It’s not a difficult challenge. In fact most people reading this are already doing it. But if you stumbled in here (god knows how) from MySpace or another pay-to-play site with Terms of Service and a URL you don’t own yourself, then I pass this along. You use the ’net every day. It’s time to give back a little. It’s time to feed the web:

> Post a photo on your homepage, write in your blog, link to a friend or a good website or if you are a MySpace user without your own url (all your webcontent are belong to Rupert), go spend a few bucks at a place like Laughing Squid, and build yourself a homepage or install a blog that you own — where no one can censor what you say or what you post (at least, that is until you libel someone or your ISP gets served with a DMCA takedown notice).
>
> And then email your friends and tell them to go look at your new stuff and this time, don’t forget to stick in that WWW after that http://.

[link]

NYCBSDCon 2005

September 7, 2005

In the mail yesterday; it pretty much speaks for itself:

> (REMINDER: There is no monthly September meeting at the Apple Store this month due to NYCBSDCon.)
>
> Speakers and topics are now set for NYCBSDCon 2005 to be held at Columbia University in Manhattan on September 17th 2005.
>
> The speaker list is impressive. Scheduled speakers and topics include:
>
> Jason Dixon will speak on “Failover Firewalls with OpenBSD and CARP”
>
> Jeffrey Hsu of DragonFlyBSD will cover the “History, Goals, Objectives, and Structure of DragonFlyBSD”
>
> Dru Lavigne will provide an update on BSD Certification.org
>
> Michael Lucas will speak on “Network Management Tools to Make your Boss your Willing Slave”
>
> Marshall Kirk McKusick will address “Enhancements to the Fast Filesystem to Support Multi-Terabyte Storage Systems”
>
> Bruce Momjian will enchant attendees with “PostgreSQL in BSD Land”
>
> Phillip Moore will cover “Practical Enterprise Scalability: Case Studies of Infrastructure Software Deployed in Production”
>
> Already registered attendees include dozens of developers, systems administrators and end-users of the BSD operating systems. Besides the well-known speakers at the event, NYCBSDCon 2005 will also be an excellent opportunity for networking with others in the BSD community.
>
> NYCBSDCon registration is open online until September 10th at http://www.nycbsdcon.org.
>
> Registration by September 10th is only $20, payable during the morning of the conference. Onsite registration is $40. As the conference fee is quite low, only cash will be accepted.
>
> A light continental breakfast will be provided throughout the morning, while snacks and beverages will be available during the afternoon.
>
> After the conference concludes at around 5:30 pm, attendees will meet at the West End bar, in a back room reserved for the conference, just across Broadway from Columbia University. The after-party is sponsored by OrgCom, the entity that held last year’s New York Technical Community Holiday Party.
>
> Sponsors, besides the hosting technical user group NYC*BUG, include USENIX and New York Internet.

If only Michael Lucas were going to open things out a bit more…

Big News for OpenBSD

August 23, 2005

Theo de Raadt publicly announced yesterday that the 3.8 release will include possibly the biggest change in the changelog to date: they’re reconfiguring malloc(3):

> This release will bring a lot of new ideas from us. One of them in particular is somewhat risky. I think it is time to talk about that one, and let people know what is ahead on our road.
>
> Traditionally, Unix malloc(3) has always just “extended the brk”, which means extending the traditional Unix process data segment to allocate more memory. malloc(3) would simply extend the data segment, and then calve off little pieces to requesting callers as needed. It also remembered which pieces were which, so that free(3) could do its job.
>
> The way this was always done in Unix has had a number of consequences, some of which we wanted to get rid of. In particular, malloc & free have not been able to provide strong protection against overflows or other corruption.
>
> Our malloc implementation is a lot more resistant (than Linux) to “heap overflows in the malloc arena”, but we wanted to improve things even more.
>
> Starting a few months ago, the following changes were made:
>
> – We made the mmap(2) system call return random memory addresses. As well the kernel ensures that two objects are not mapped next to each other; in effect, this creates unallocated memory which we call a “guard page”.
>
> – We have changed malloc(3) to use mmap(2) instead of extending the data segment via brk()
>
> – We also changed free(3) to return memory to the kernel, un-allocating them out of the process.
>
> – As before, objects smaller than a page are allocated within shared pages that malloc(3) maintains. But their allocation is now somewhat randomized as well.
>
> – A number of other similar changes which are too dangerous for normal software or cause too much of a slowdown are available as malloc options as described in the manual page. These are very powerful for debugging buggy applications.

Sounds good, and hopefully others will follow OpenBSD’s lead here. The new malloc configuration will make heap overflows much harder to exploit reliably: with objects at randomized addresses and a guard page between them, an attacker can’t count on a predictable neighbour to corrupt, and an overrun into the guard page faults instead of quietly overwriting adjacent data. It doesn’t eliminate overflows (a stack overflow is untouched by any of this), but it turns the typical heap one from an exploit into a crash.

Here’s the catch, though: if your code has an overflow or overread, even one that’s not particularly dangerous, it will break under 3.8:

> – When you free an object that is >= 1 page in size, it is actually returned to the system. Attempting to read or write to it after you free is no longer acceptable. That memory is unmapped. You get a SIGSEGV.
>
> – For a decade and a bit, we have been fixing software for buffer overflows. Now we are finding a lot of software that reads before the start of the buffer, or reads too far off the end of the buffer. You get a SIGSEGV.

This has the potential to cause growing pains for a lot of people. If all goes according to plan, though, everyone wins with this setup. OpenBSD itself is stronger, and programmers will be forced to rewrite offending code in ways that make it more stable and secure for everyone. For most big projects, the OpenBSD porters are undoubtedly already submitting patches back to the main development trees.
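To make the two failure modes Theo describes visible, here is a toy guard-page allocator (an added example for this post, not OpenBSD’s malloc(3) and not code from the original). It mimics the relevant properties: each object is mapped with mmap(2) flush against a PROT_NONE guard page, and free hands the pages back to the kernel with munmap(2). A SIGSEGV handler turns the resulting faults into return values so the three cases can be compared: an in-bounds write runs, a one-byte overrun faults on the guard page, and a touch after free faults because the memory is gone. The page-size arithmetic, the handler and the probe functions are this example’s own assumptions; it assumes a POSIX system (Linux or a BSD).

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: toy guard-page allocator, not OpenBSD's malloc(3). */

static sigjmp_buf fault_env;

/* SIGSEGV/SIGBUS handler: unwind back into the probe instead of dying. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

static void install_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

typedef struct {
    unsigned char *base;  /* start of the mapping */
    size_t maplen;        /* data pages plus one guard page */
    unsigned char *ptr;   /* what a caller would get back from malloc */
} guarded_t;

/* Map `size` rounded up to whole pages plus one PROT_NONE guard page, and
 * place the object flush against the guard so a one-byte overrun faults. */
static int guarded_alloc(guarded_t *g, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (size + page - 1) / page * page;
    g->maplen = data + page;
    void *m = mmap(NULL, g->maplen, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    g->base = m;
    if (mprotect(g->base + data, page, PROT_NONE) != 0) {
        munmap(m, g->maplen);
        return -1;
    }
    g->ptr = g->base + data - size;
    return 0;
}

/* Like OpenBSD's free(3) for page-sized objects: return the pages to the
 * kernel, so any later access is to unmapped memory. */
static void guarded_free(guarded_t *g) {
    munmap(g->base, g->maplen);
    g->base = NULL;
}

/* Write nbytes starting at p; return 1 if the write faulted, 0 if it ran. */
static int probe_write(volatile unsigned char *p, size_t nbytes) {
    if (sigsetjmp(fault_env, 1) != 0)
        return 1;                      /* landed here from on_fault */
    for (size_t i = 0; i < nbytes; i++)
        p[i] = 0x41;
    return 0;
}

/* In-bounds write: no fault expected (returns 0). */
int write_in_bounds_faults(size_t size) {
    guarded_t g;
    install_fault_handler();
    if (guarded_alloc(&g, size) != 0) return -1;
    int r = probe_write(g.ptr, size);
    guarded_free(&g);
    return r;
}

/* Off-by-one overflow: the extra byte lands on the guard page (returns 1). */
int overflow_by_one_faults(size_t size) {
    guarded_t g;
    install_fault_handler();
    if (guarded_alloc(&g, size) != 0) return -1;
    int r = probe_write(g.ptr, size + 1);
    guarded_free(&g);
    return r;
}

/* Use after free: the pages were unmapped, so the first touch faults (returns 1). */
int use_after_free_faults(size_t size) {
    guarded_t g;
    install_fault_handler();
    if (guarded_alloc(&g, size) != 0) return -1;
    unsigned char *dangling = g.ptr;
    guarded_free(&g);
    return probe_write(dangling, 1);
}

int main(void) {
    printf("in-bounds write faults:  %d\n", write_in_bounds_faults(100));
    printf("off-by-one write faults: %d\n", overflow_by_one_faults(100));
    printf("use-after-free faults:   %d\n", use_after_free_faults(100));
    return 0;
}
```

Build it with `cc -o guard guard.c` and run it. The same off-by-one against a brk-based allocator would silently scribble on the next chunk’s header instead of faulting, which is exactly the corruption the quoted mail is talking about. Note that this models only the “object >= 1 page” case from Theo’s list; in the real allocator, sub-page objects still share pages and are merely randomized within them, so they are not individually guarded.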

OpenNTPD 3.7 Released

June 8, 2005

Just received from Henning Brauer on openbsd-announce:

> OpenNTPD 3.7 has just been released. It will be available from the mirrors listed at http://www.openntpd.org/ shortly. This is our third formal release.
>
> OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It provides the ability to sync the local clock to remote NTP servers and can act as NTP server itself, redistributing the local clock.
>
> OpenNTPD is developed as part of the OpenBSD project

A bit of a follow-up to the earlier discussion of [opensource word processors](http://www.engatiki.org/2005/04/29/6): If one of the things that’s held you back from finally giving up on Office is the clip art (and let’s face it, corny as it is, we all use it, and the lack of it has been one of OpenOffice’s failings), help is here. Actually, help has been here for a long time, but no one seems to know it.

First, if you absolutely must have the original MS clipart that you use in Office, and you don’t read the OO.o forums, check out [this thread](http://www.oooforum.org/forum/viewtopic.phtml?t=7188) with directions for importing your default wmf libraries.

Second, the [Open Clipart Library](http://www.openclipart.org/downloads/index.php) is a new project (it looks like they started in February) dedicated to providing free clipart. So far they have about 3,500 images (as of the May 4th release), and the archives look to be very high quality. The libraries can be used in any application, including Office and OpenOffice.

The [Nokia 770](http://www.nokia.com/770) has gotten a lot of press in the last couple of days, but it deserves a little more. Nokia has always been hacker and homebrew friendly. Most of their consumer devices use [Symbian](http://www.symbian.com/), which provides good docs and runs a fairly useful developer site, and this attitude of openness is a large part of what has made so many Mac users (as well as Linux and other *nix users) loyal Nokia customers. The Symbian docs are what enable projects like [The Missing Sync](http://www.markspace.com/), and Symbian integration with Kontact, Evolution, etc. This time, though, Nokia has gone a step further. The 770 will not run Symbian, but instead a Nokia OS named Internet Tablet 2005, a custom Debian distro based on the 2.6 (currently 2.6.11) kernel.

I know what you’re thinking: we’ve heard this before, and the Zaurus was a miserable failure. Where Nokia really shines, though, is with [Maemo](http://www.maemo.org), the 770 SDK and reference platform. Maemo is a Linux (GTK)-based SDK that provides bindings for the 770 as well as a virtual machine for testing. This means that anyone can develop for the 770 (and IT2005 products to come) without investing in hardware for testing. It also means that programmers can bring familiar GTK techniques to the IT2005 table, and presumably that applications can be written in any language with GTK bindings and a Linux-based ARM compiler or interpreter. Usually as a developer you get either a virtual machine that speaks a non-standard dialect or, more often, an SDK that runs on the platform itself, which requires the expense of a machine to test on. Maemo is a first here, at least when it comes to supporting opensource projects. Better still, maemo.org provides extensive docs, including a fairly well-put-together reference manual and a how-to specifically on porting GTK and Qt apps, featuring gaim as a test case. This is a fabulous resource.

It’s also a clever gimmick: Nokia has announced an internet messaging client to be released in Q1 2006. The 770, though, is slated for Q3 2005, so if you want IM before then, you’re going to have to build gaim yourself (or download a .deb from somewhere), which should promote familiarity with Maemo and the porting process, and spark some fairly rapid porting of critical and popular apps. If Maemo lives up to its potential, this could be the best example we’ve seen yet of a successful commercial/opensource venture.

I just wish PalmOne would manage the LifeDrive project this way. (via [darla mack](http://darlamack.blogs.com/darlamack/2005/05/nokia_nokia_lau.html))