Bruce Everiss who is famous for being threatened with legal action by Evony has been writing about the supposed losses from game piracy, in his latest missive he copies the text from a number of blog comments without citing the original authors [1]. He copied my text without citing me as the author (which is at best shoddy journalism and by a fundamentalist attitude such as his could be considered as piracy). He also copied my text in with a bunch of other comments which he attributes to The thieves . It s unfortunate that Bruce doesn t seem capable of understanding irony, he wrote There is no doubt whatsoever that downloading and playing a game that should have been paid for is theft and then copied part of the text of my comment where I provided a dictionary definition of theft that directly contradicts his claim. If he was at all interested in quality writing he would cite his references and then when a dictionary is cited which disagrees with his opinion he would at least try to find a dictionary with a more agreeable definition. It shouldn t be THAT difficult to find a dictionary that has multiple definitions of theft of which one is agreeable to the MAFIAA [2]. Now if Bruce had properly read my comment he would have seen I ve started watching content from sites such as blip.tv (in the little time I have for such things) and I only play games that are part of the Debian distribution of Linux (free software) which makes it very clear to any reasonable interpretation that I am not a game pirate and probably not even a movie pirate. I did mention in a comment on Bruce s blog that the DVD experience of being forced to sit through a whinge about piracy was a factor that made buying a DVD a worse experience than downloading it, a concept that I expanded into a blog post on the relative technical merits of DVDs and pirate MP4 files [3]. That post received a number of interesting comments including one from Josselin Mouette which had some useful technical detail about subtitles and audio track storage. I had believed that there were some real technical advantages of DVDs but Josselin corrected me on this matter. Also one thing that is noteworthy is that Bruce seems to use a copyright picture in almost every post but he doesn t attribute any of them. It does seem unusual for someone to use commercial artwork without any copyright or trademark notices attached. This usually isn t a big deal for a blogger, a liberal interpretation of copyright and trademark law is usually expected in terms of blogging corporations will tend to be hesitant to invoke the Streisand effect by suing a blogger (EG Bruce blog came to fame when he was sued by Evony). But when a blogger is writing about the importance of not pirating anything it would seem sensible to go to the effort of citing trademark and copyright references and also mentioning the licence agreements under which the IP was used. I believe that any loss of customers and revenue by the MAFIAA and the gaming industry is due to the actions of the companies involved. They should just try to make their customers happy, otherwise they lose the customers. The same goes for bloggers. I read blogs written by people who disagree with me, and sometimes by people who offend me on occasion. But Bruce is making baseless claims while deliberately ignoring evidence. He is calling for strong anti-piracy measures while doing what could be considered as pirating my work. He uses words in ways that conflict with dictionary definitions, and he calls for an end to our current legal system by demanding punishment based on three accusations rather than any legal process. I even pointed out to Bruce that if there was a three strikes law regarding accusations of copyright infringement then his blog would be offline after three accusations by Evony. Sorry Bruce, if I was looking for irrational rants about copyright then I would look at what the members of the Science Fiction Writers of America (SFWA) are doing [4]. The SFWA people demonstrate as much knowledge of computers and the Internet as Bruce does, but they are at least really good writers. If it was just me unsubscribing from Bruce s RSS feed then it wouldn t matter (I m one of tens of thousands of readers). But I expect that a large portion of the new readers Bruce acquired after being attacked by Evony will disappear when they see Bruce as the attacker and everyone who uses the Internet as a potential victim of the Three Strikes law.

• [1] http://www.bruceongames.com/2010/01/22/what-game-thieves-have-to-say-for-themselves/
• [2] http://mafiaa.org/
• [3] http://etbe.coker.com.au/2010/01/06/which-is-better-original-dvd-or-pirate-mp4/
• [4] http://etbe.coker.com.au/2007/09/23/dmca-and-sci-fi/

For a long time it has been obvious that in all cases anti-piracy technologies discourage purchases and in many cases encourage piracy. I first discovered the significance of this in about 1991 when I attended a public lecture by a senior employee of Borland and a member of the audience claimed that the Borland product he bought didn t function correctly due to anti-piracy measures. The Borland employee firmly stated that Borland did not use anti-copying technology on any of it s products, didn t have any plans to do so, and the problem in question must have been caused by something else. Of all the hostile questions that were asked, this was the only one that caused the speaker to appear agitated so it was obviously an issue that was considered to be important within Borland. In the late 80 s anti-piracy measures were mostly based around creating floppy disks that couldn t be easily copied (violations of various aspects of the disk formatting standards). This meant that you couldn t make a backup copy of the data, so it wasn t uncommon for people to seek pirate copies of their commercial software for daily use to avoid wearing out their valuable original floppy disks. Then the dongle was invented and people who bought software sometimes sought pirate copies so that they could use their printer and their commercial software without having to change plugs on their PC. But in those cases the benefits to uncrippled software to the users were small. Now a large part of the battle on copy protection concerns DVDs. If you had a DVD of a recent movie and an MP4 which would you rather watch? Would you prefer to be forced to watch some anti-piracy rubbish for a couple of minutes at the start of the movie (with fast-forward disabled) or would you prefer to just start watching it? Would you prefer to be able to pre-program the sections of the movie that you watch (as some parents desire to skip the sex and/or violence in movies for their teenagers) or would you prefer to be forced to watch the movie straight-through with only a manual fast-forward to skip sections? Would you prefer to have a DVD that can t be played properly on many (most?) computers because of the CSS encoding or an MP4 that plays on everything from PCs to mobile phones without an issue? Would you rather have 100 movies in the spare space on your laptop hard drive when you travel and 1000 movies on your desktop system or the much smaller number of boxed DVDs that you can store? I think that in most cases a pirate MP4 will give a better experience than a DVD. So the question is, why pay for a DVD when in most cases you get a lesser experience than you will get from a MP4 file downloaded by bittorrent? One reason for buying the DVD is to support the film industry. But I doubt that such a profitable industry will get much sympathy in today s economy. Another reason is the morality, some people consider piracy to be theft (it isn t by definition theft requires that for at least a moment the property be completely in the possession of the thief) and therefore avoid it. One technical reason for buying a DVD is the fact that it may have multiple languages supported, it will have subtitles, it may have an audio track with the creators giving a commentary, and it may have extra scenes that were cut from the main release. I believe that work on adding subtitles to the video file formats is a work in progress, so it s only a matter of time before the DVD rips include all this extra data. Really the content creators should focus on making a product that meets the needs of users and that they want to pay for. Pirating books is technically possible, but almost no-one does it. Some successful authors such as Charles Stross freely publish significant parts of their work and Cory Doctorow freely publishes all his work in electronic form. Books just work well, they meet the needs of users and people want to buy them. Sure they can sell them second hand, lend them to other people, and it s technically possible to pirate them, but they remain profitable. On my documents blog I have a page of links to free short stories that I liked [1] and a page of links to free books [2]. It seems to me that creators of other copyright content should consider how they can be of service to their customers. We are all familiar with corporations and misguided individuals who get whiny about the supposed losses due to piracy. Bruce Everiss has unfortunately joined this trend and demanded the disconnection of Internet users based on unproven accusations of game piracy [3]. I don t know whether the game buying experience sucks as badly as the DVD buying experience, but based on the reports of locked-down consoles that have to be cracked before they run Linux I expect that the modern game industry is doing at least as badly as the movie industry. They need to provide things that users want! One thing to note is that a Windows or console game player who uses pirate games will probably buy some games at some future time, while someone like me who uses free software both by principle and because it gives a better user experience will probably never pay for a game (I haven t got time to play all the free games so I probably wouldn t even buy a Linux game).

• [1] http://doc.coker.com.au/fiction/free-short-stories/
• [2] http://doc.coker.com.au/fiction/free-books/
• [3] http://www.bruceongames.com/2010/01/05/304149300-stolen-from-activision/

Credit Writedowns has a populist interpretation of the latest Boom-Bust cycle [1]. It s an interesting analysis of the way the US economy is working. Bono writes for the NY Times about Rebranding America [2]. He praises Barack Obama suggesting a different reason to believe that the peace prize is deserved and describes what he believes to be the world s hope for the US. IsMyBlogWorking.com is a useful site that analyses your blog [3]. It gives some advice on how to improve some things as well as links to feed validation sites. Evgeny Morozov gave an interesting TED talk How the Net Aids Dictatorships [4]. I don t agree with his conclusion, he has some evidence to support his claims but I think that a large part of that is due to people not using the Internet well. I expect things to improve. The one claim that was particularly weak was when he mentioned radio stations in Rwanda as an example of technology being used for bad purposes the entire point about the first-world discussion about such things is the radio vs the Internet. Ray Anderson gave an inspiring talk about The Business Logic of Sustainability [5]. He transformed his carpet company, decreasing it s environmental impact by 82% and it s impact per volume of product by more than 90% while also significantly increasing it s profitability. He says that corporate managers who don t protect the environment should be regarded as criminals. Making his company more environmentally friendly reduced expenses (through efficiency), attracted more skillful employees, and attracted environmentally aware customers. Managers who don t follow Ray s example are not only doing the wrong thing for the environment, they are doing the wrong thing for their stockholders! Ray s company Flor takes carpet orders over the web [6]. They won t ship a catalogue outside the US, so presumably they only sell carpet to the US too. Marc Koska gave an interesting TED talk about a new syringe design that prevents re-use [7]. His main aim is to prevent the spread of AIDS in the developing world where even hospital staff knowingly reuse syringes. It will also do some good in developed countries that try to prohibit drug use. David Logan gave an interesting TED talk about tribal leadership [8]. His use of the word tribe seems rather different from most other uses, and I am a bit dubious about some of his points. But it is definitely a talk worth seeing and considering. Deirdre Walker is a recently retired Assistant Chief of Police who has worked for 24 years as a police officer, she describes in detail her analysis of the flaws in the TSA security checks at US airports [9]. Brian Krebs wrote an article for the Washington Post recommending that Linux Live CDs be used for Internet banking [10]. Windows trojans have been used to take over bank accounts that were accessed by security tokens, that could only be accessed by certain IP addresses, and that required two people to login. It seems that nothing less than a Linux system that is solely used for banking is adequate when a lot of money is at stake. The NY Times has an interesting review of the book Ayn Rand and the World She Made [11]. It seems that Ayn was even madder than I thought. Gary Murphy has written an interesting analysis of the latest stage in the collapse of the US Republican party [12]. The ABC (AU) Law Report has an interesting article about Evony s (of China and the US) attempting to sue Bruce Everiss (of the UK) in Australia [13]. The Guardian has an insightful article about the IEA making bogus claims about the remaining oil reserves [14]. It seems that the experts who work for the IEA estimate that oil is running out rapidly while the US is forcing them to claim otherwise. Dean Baker of the Center for Economic and Policy Research has written an interesting article about the economic effects of the war in Iraq [15]. Apparently it caused the loss of over 2,000,000 jobs considerably more than the job losses that could ever result from efforts to combat global warming.

• [1] http://www.creditwritedowns.com/2008/03/populist-interpretation-of-latest-boom.html
• [2] http://www.nytimes.com/2009/10/18/opinion/18bono.html
• [3] http://ismyblogworking.com/
• [4] http://www.ted.com/talks/evgeny_morozov_is_the_internet_what_orwell_feared.html
• [5] http://www.ted.com/talks/ray_anderson_on_the_business_logic_of_sustainability.html
• [6] http://www.flor.com/
• [7] http://www.ted.com/talks/marc_koska_the_devastating_toll_of_syringe_reuse.html
• [8] http://www.ted.com/talks/david_logan_on_tribal_leadership.html
• [9] http://www.hlswatch.com/2009/10/15/
• [10] http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
• [11] http://www.nytimes.com/2009/11/01/books/review/Kirsch-t.html
• [12] http://politicalmoderation.wordpress.com/2009/11/04/over-analysis-perhaps/
• [13] http://www.abc.net.au/rn/lawreport/stories/2009/2737300.htm
• [14] http://www.guardian.co.uk/environment/2009/nov/09/peak-oil-international-energy-agency
• [15] http://www.cepr.net/index.php/op-eds-&-columns/op-eds-&-columns/defense-spending-job-loss/

So far, our household has resisted any piece of the iPhone onslaught. Yes, I carry an iPod Classic, but that s different. Terah s old Palm m100 is becoming a problem. The platform is dead, and the desktop sync drivers for it are decaying rapidly in every operating system. Not only that, but we would really like to be able to share calendars between us. Terah doesn t need a phone or a mobile data plan. After thinking about it a bit and getting some advice, we decided to get her the $200 8GB iPod Touch. And it arrived Friday. I ve used portable devices plenty before. I had my share of PalmOS devices: III, V, Clie; an HP 200LX DOS-based err netbook; a Zaurus; and an N810. The first thing that struck me about the iPod Touch was beauty no surprise there. The interface exuded an air of stability, like it wasn t going to just crash when something went wrong. It felt solid and well-planned. Physically, it s thin. Really thin. That s perhaps the most impressive thing about it of all. Sometimes the GUI masked underlying performance issues. For instance, it may take awhile to draw a web page. On the N810, you get to watch as different bits of the screen appear. On the iPod Touch, you sit there staring at a white screen with a spinning wheel for awhile, and then suddenly poof, the webpage is there. I d have to say the Apple approach feels better. Terah and I decided to sync with Google Calendar, and that setup was easy and well-done on the iPod Touch easier than on the Blackberry with Google s own app, in fact. The only question was that Contacts was a bit counter-intuitive; select the Google account and nothing shows up, but everything is there under the generic Contacts bucket. The Calendar worked very well, even properly handling meetings and invitations. The mail app works well, though it takes a long very long time to scroll through a lengthy email to get to the attachment at the bottom. There s no go to bottom of message feature that I could see, and my idea of pinching the screen to make the text tiny to make scrolling faster didn t work. The mail setup, though, is a complete and utter pain. There is no way anybody that doesn t know a lot of details about SSL certs could have made this work. When you add a mail account, it requires you to have an IMAP and SMTP server defined. It would like to use SSL/TLS with these, which is great. But if it can t validate the cert, it pops up a dialog box asking if you want to continue. You can say yes, but it just sits there for a couple of minutes and then fails with a mysterious error. I had to put my cert up on a webserver, point Safari at it, and install the cert to the device before it would talk to it. That solved IMAP. SMTP was another matter too. Strangely, on the initial account setup, there is no way to put in the port number for SMTP server. Yet it won t save your account until it can connect to one. Of course, most ISPs block the smtp port, so this was bound to fail. Finally I pointed it at a server on my local network temporarily, then went in and edited the account to point it to the real server with the second non-25 port it listens on for just such situations. Safari works really well. It s probably the best mobile browser I ve seen yet (I haven t seen Android or Palm Pre yet.) It is far better than the N810 browser, both in terms of speed and in terms of ability to reformat pages to fit the device. The tabbed browsing is a lot faster switching than the N810 s separate windows, and nicer too. The app store essentially lived up to my expectations. It was very easy to use, and obviously a closed proprietary ecosystem. The free apps that existed there mostly were adware. I looked for a Jabber client, and wasn t happy with any option. Some of them required Apple Push Notifications, with a complex network of two servers between the device and the Jabber server. No thanks to that invasion of privacy. And that brings me to the topic of weird limitations. iPod Touch apps, in general, can t run in the background. You exit Safari, and when you get back in, it s reloading that webpage. Now many apps are good at remembering their state, but this feels very PalmOS to me. You can t use the iPod Touch at all until you first sync it with iTunes. That is incredibly weird. The device has Wifi, people. Plus, why should I have to register it with Apple anyhow? And then there s the lack of a file manager, or anything like it. I can t scp a file from my computer to the iPod Touch like I can my N810, nor the other way round. It is generally unclear how much of the 8GB is in use, and by what. Terah needs a password-keeping program. There are several in the app store. I d really like one that uses Bruce Schneier s standard Password Safe format which is supported on just about any platform you care to name. Couldn t find one. Even if I could, I guess it wouldn t do me any good, since you can t copy the file to a PC anyhow. Sigh. Overall, Terah is very excited with the device, and I must admit to being so too. Its faster web browser means it s probably a good replacement for the N810 especially if you want a calendar, which the N810 completely lacks. It makes an excellent PDA, perhaps the first PDA I ve seen that equals the usability of the old PalmOS. On the other hand, it isn t really a power user s device. There are a lot of surprising limitations and missing features that competing devices have had for years.

xor WNS - White Noise Signal with a TIME set of instruction , and a computational temporary set of instructions to produce a real one time PAD when every time

And obviously

this is a none mathematical with zero use of calculation algorithm
...
We use 0% of any mathematical calculation algorithm

I propose we replace the AES implementation in GnuPG by this revolutionary new encryption non-algorithm which will be open for all as an open source free for personal use only (Brought to us, you may have suspected this by now, by Bruce Schneier)

Yes, we're all doomed. Especially, Debian is doomed. We're relying too much on public key cryptography, which is based mostly on the factorization problem (getting the two big prime numbers that essentially make up a public key is hard.) And now they [Link to Bruce Schneier, where I've got the news from] have gone ahead and have built a working quantum computer, which can solve the factorization problem very quickly. So, will we have to re-check all Debian software that was signed with an RSA key in the last few months? The huge number that the quantum has successfully cracked was:

15

Something that has been annoying me recently with my bank has been that their website tells me that they will never ask for my password over the phone. And then their call centre asks me for my password. Over the phone. Of course the call centre doesn't mean my website password - they mean the special 'ultra-secure 5ekr1t code phrase', but they don't have a good, universally understood word to use for that. Hopefully they'll work one out, but they appear to have got the message anyway. This got me to thinking about how these phrases are used, and how insecure they are in reality. After all when I store a website password I go to significant lengths to ensure that the same password is not represented by the same string of characters in my database. How vulnerable are our secrets in the databases of organisations we do business with?
<!--break--> Simple Password Storage Surprisingly often people do store passwords in databases in plain text, so that should their website get hacked someone would quite possibly be able to download the whole password database. Please feel free to name and shame these organisations in the comments below. My own pet hate in this regard is the 'Mailman' mailing list software: by default on 'mailman day' - the first day of each month - it sends me my password. In plain text. Of course many developers recognise this flaw, and work around it by using a one-way hash to obscure the password. Usually they choose md5 for their hashing algorithm though, and they often fail to use a 'salt' to randomise the plaintext prior to hashing. This means that even though a password might seem obscure like 'Supercalifragilisticexpialidocious!', and no doubt it will hash to something that seems obscure like 'a7290d426b6a1764af6fd7fba5db214e', but you can often find it straighforwardly by looking it up through one of the friendly reverse hash lookup websites. There's even a Digest::MD5::Reverse perl module on CPAN to interface to a bunch of these in a more automated way! Oh dear. One way to go beyond this is using a 1-way hashing algorithm, with a random salt included into the plaintext before the hashing, so that if (god forbid) two users had 'password' for their password I might see two rows in my database like:

davical=# select username, password from usr;
  username                       password                          
-------------+------------------------------------------------
 user1          SSHA qCctCH5dirYCf29uxJiE68LvmLRDdnBkbldiWlE=
 user2          SSHA y8yOzjoh9fSkVwLaXGoVtWdiIYxmU2FCb2dOZXc=
(2 rows)

When the user wants to log in I apply the same transformation to their incoming password (appending the same salt) and compare against my stored hash. If they match then it must be the same password they used previously. Storing passwords in this way secures them from casual, or even reasonably determined access, although naturally they can still be logged at the beginning and end of the communication - or even in the middle, if we didn't encrypt that bit! The PHP function I use to salt and hash the password is as follows:

/**
* Make a salted SHA1 string, given a string and (possibly) a salt.  PHP5 only (although it
* could be made to work on PHP4 (@see http://www.openldap.org/faq/data/cache/347.html). The
* algorithm used here is compatible with OpenLDAP so passwords generated through this
* function should be able to be migrated to OpenLDAP.
*
* If no salt is supplied we will generate a random one.
*
* @param string $instr The string to be salted and SHA1'd
* @param string $salt Some salt to sprinkle into the string to be SHA1'd so we don't
*                     get the same PW always hashing to the same value.
* @return string  SSHA  followed by a base64 encoded SHA1 of the salted string.
*/
function session_salted_sha1( $instr, $salt = "" )  
  if ( $salt == "" )  
    $salt = substr( base64_encode(sha1(rand(100000,9999999),true))), 2, 9);
   
  return ( sprintf(" SSHA %s", base64_encode(sha1($instr.$salt, true) . $salt)));
 

What about Secret Code Phrases? The problem with these secret code phrases, apart from all of the forgetability and guessability problems that have repeatedly been identified elsewhere, is that they are much less likely to be stored in a one-way hash. Are you going to ask your call-centre staff to type in the customer's secret code phrase? Didn't think so. And if you did it's going to add pronouncability issues to the whole mix. So this means that those organisations who have our secret code phrases in their database will, in all likelihood, have them stored directly as plain text, displaying them to the random call-centre staffer along with all of our other account details, and especially making them vulnerable to accidental disclosure. Disclosure of a sort that doesn't necessarily involve knowing they have been disclosed. Proliferation of Use These things provide the appearance of security - 'Security Theatre' as Bruce Schneier terms it - and because of that they're taken up in a kind of a cargo cult of security: "if the banks do it that way it must be a really good form of security". This makes the problem much worse, because now I have to remember a secret code phrases not only for banks, but for ISPs, phone companies, online auction websites, and so on. How many mother's maiden names, favourite teachers and friend's phone numbers do I have? I'm sure I'm at well up whatever curve it is that measures the number of passwords a person has, because five years ago I had so many I started to store them all in an encrypted database - protected by a yet another password, of course. Now in order to get my story straight I have to store my 'secret code phrases' in there too. If I didn't store my secret code phrases in that database, I'd obviously be re-using them everywhere, from a very small set - perhaps the same one that everyone around me overhears, every time I have to ring my bank to authorise another payment from my account. Because the proliferation of use is not just the breadth of wannabe thespians hoping to climb on the stage of this latest play, but the way they want to use it all the time, too. In fact the only conversation I've had recently with my bank where they didn't want it was when they rang me. Obviously I was the only person who could answer a phone in my house, right? It isn't just security theatre: I think we can see that this analogy belongs much deeper into the sub-genre of 'Security Farce'. Is there a solution? I don't have any easy answers - other than the ones to my security questions, of course - but some improvements are possible. Other banks have quizzed me about stuff like recent expenditure or credit card limits from time to time, but I've usually passed those tests by reading my last bank statement - or failed them by not having it to hand! I don't really think that the answers can lie in that direction because the information is only quite loosely tied to my identity. For some parts of the call-centre handling of secret code phrases there are changes that could make them more secure, but in the fairly short term these organisations need to find a different way to perform these out of band identity checks. For the actual storage of the code phrases it would be a marginal improvement if the database did not contain the actual phrase. Perhaps it could be encrypted with some application-known key, so that it can be unencrypted when it needs to be displayed, but never stored in the clear. Of course there's still the problem with that key... Verification of the secret code phrase could be done by someone not involved in the transaction, so that the call could be temporarily passed into a 'verification stream' where a different person performed the verification step without the context of the account details or enquiry. Though this sort of complexity seems unlikely with call centres seemingly being outsourced to the cheapest supplier. One thing does seem likely to become increasingly true: there is less and less private data in our lives, and every time we share one of these little nuggets with our bank, or our electricity company, or our on-line associates-we-call-friends, is one more chance that it escapes into the hands of the foaming-at-the-mouth-terrorist-cracker-communist-nazi-right-wing-religious-fruitcake hordes. The highest bar for personal verification which any of my banks currently sets for me is a random choice from a set of personally entered questions, with a set of personally entered answers, for which I have to enter two randomly selected characters using my mouse. That's not bad for safe verification, and I'd have to be really impressed with their security if that was stored in the database by a passphrase-protected encryption key. With that bank I don't know what they do over the phone - I assume they've concluded they can trust my logged on persona enough that I can do what I want online, consequently I haven't had to call them and share those secrets with everyone in earshot. Maybe paranoid freaks like me will go back to a chequebook and close down on-line access to their bank accounts entirely when they find themselves having to supply a skin scraping in order to authorise their next $500 payment. "Please insert your finger in the AccuYou(tm) BloodSucker(tm) to proceed with this payment" - well, I guess it might cut down my spending! In any case, biometrics need to be understood before they can be used effectively and appropriately - and remotely over the phone is probably not one of the ways that they can be trusted to work.

Bruce Everiss has received two threatening letters from a NSW law firm representing the Chinese game company Evony. Here is the latest where they whinge about his publication of their first letter [1] (NB if threaten to sue a blogger you have to expect your letter to be published, it s not discourteous it s just the way things work). Here is the first letter from the law firm [2] Bruce has illustrated the post with one of the advertising pictures that Evony uses (apparently ripped from a lingerie catalog). I ve seen some of the Evony adverts on my blog, the ones with a provocatively dressed woman (lingerie advert?) and the title Come Play, my Lord . Ken has an amusing and insightful post on the issue [3] which also makes some amusing jokes about the Australian legal system. Bruce s blog has some good insights into the gaming industry and culture, I ve added his blog to my feed. It seems that Bruce will gain a lot of readers due to these legal threats, while Evony seems unlikely to gain anything other than bad PR.

• [1] http://www.bruceongames.com/2009/08/27/another-missive-from-warren-mckeon-dickson/
• [2] http://www.bruceongames.com/2009/08/25/evony-want-to-sue-me-for-telling-the-truth/
• [3] http://www.popehat.com/2009/08/25/evony-and-its-lawyers-rely-upon-act-like-boobs/

An interesting opinion post in the NY Times describes the research on early education and how it can affect IQ [1]. Among other things children from poor families who are adopted into upper middle-class families tend to end up with higher IQ scores. The article notes that half the population in 1917 would be regarded as mentally retarded by today s standards - finally we have an explanation for WW1! Two Dominos employees tarnish the brand s image with a prank video on Youtube [2]. The next obvious step is for activists to seek jobs at such companies for the purpose of influencing companies. The animal rights protesters outside KFC stores haven t achieved much, but if they worked for KFC and made some nasty videos they would really encourage a change of action. I predict that chain stores will be spending a lot more on security and background checks for their employees in the near future. Cory Doctorow has written an amusing article titled Big Entertainment Wants to Party Like It s 1996 about how the entertainment industry is killing itself by conducting back-room negotiations about new copyright laws [3]. Nate Silver gave a TED talk about racism in elections [4]. The most interesting point was demonstrating statistically that people who don t meet people of other races tend to be more racist. It seems to me that the use of the X-Face: header in email and the use of HackerGotchi in Planets can help reduce the level of racism on the Internet. Cory Doctorow writes about his Geeky writing [5]. His idea for an organised system for donating books to libraries will hopefully be fully implemented soon - it should be easy to do and the incremental costs will decrease as the scope increases. Cory Doctorow writes about the perverse laws that protect criticism of copyright works but stifle praise [6]. In a similar note he has documented a plan for trademark and copyright holders to allow fans to create derivitive works while preserving the original rights AND sharing the profits [7]. So if Cory s idea became popular someone who wanted to create some art work based on a Coke bottle (which is trademarked) could pay the Coca-Cola company a reasonable rate, include an appropriate disclaimer, and things would work out well for everyone. Also this would allow small artists to develop new products that could be used by the large companies (I m sure that anyone who legally released an artwork that turned out to be an effective advert for Coke would receive a lucrative job offer). Bruce Schneier s blog has an interesting article about the poor quality of software used for breath alcohol detectors [8]. It s a great concern that innocent people are being punished due to bad software, but it s only a small part of the problems with the legal system. Mary Roach gave a TED talk 10 Things You Didn t Know About Orgasm [9]. Not as insightful as the usual TED talk, but strange and interesting.

• [1] http://www.nytimes.com/2009/04/16/opinion/16kristof.html


• [2] http://www.nytimes.com/2009/04/16/business/media/16dominos.html


• [3] http://www.internetevolution.com/document.asp?doc_id=175415


• [4] http://www.ted.com/index.php/talks/nate_silver_on_race_and_politics.html


• [5] http://www.locusmag.com/Perspectives/2009/05/cory-doctorow-extreme-geek.html


• [6] http://www.guardian.co.uk/technology/2009/may/13/cory-doctorow-copyright


• [7] http://www.internetevolution.com/document.asp?doc_id=176353


• [8] http://www.schneier.com/blog/archives/2009/05/software_proble.html


• [9] http://www.ted.com/index.php/talks/mary_roach_10_things_you_didn_t_know_about_orgasm.html

Bruce Schneier has written about the foolish actions of Justice Antonin Scalia [1]. Antonin made some comments opposing the need for greater privacy protection, most people could get away with doing that, but when a Supreme Court Justice does so it gets some attention. In response to this Fordham University law professor Joel Reidenberg assigned his class a project to discover private information on Antonin using public sources. The class produced a dossier of such information which was then offered to Antonin [2], but which was not published. Now anyone who knows anything about how the world works would just accept this. Among other things Antonin now knows what is publicly available and can take steps to remove some public data according to his own desires. But being apparently unaware of the Streisand effect [3] Antonin went on to say the following: It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time. What can be said often should not be said. Prof. Reidenberg s exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any. This is of course essentially issuing a challenge to the entire Internet to discover the information that the Fordham students discovered. Of course doing so would not be fun unless it was published. The meme of 2009 has yet to be defined, it might be discovering and widely publishing personal information about Antonin. Already one of the comments in Bruce Schneier s blog suggests that activists should do such research on all senior figures in the US government to encourage them to take privacy more seriously. I expect that the first reaction of the legislative branch to such practices would be to enact special laws to protect their own privacy while still allowing large corporations (the organisations that pay for the election campaigns) to do whatever they want to ordinary people. It s an interesting situation, I predict that Antonin will regard this as one of the biggest mistakes he s ever made. I m sure that there are many more LULZ to come from this.

• [1] http://www.schneier.com/blog/archives/2009/05/googling_justic.html


• [2] http://www.concurringopinions.com/archives/2009/04/justice_scalias_2.html

<:LI>[3] http://en.wikipedia.org/wiki/Streisand_effect

Bruce Schneier writes about the risks involving children abandoned in cars and cites an article about the tragic deaths of children in hot cars [1]. One unfortunate error that he made was to not cite the following from the end of the last page of the Washington post article he cited [2]:
In hyperthermia cases, he believes, the parents are demonized for much the same reasons. We are vulnerable, but we don t want to be reminded of that. We want to believe that the world is understandable and controllable and unthreatening, that if we follow the rules, we ll be okay. So, when this kind of thing happens to other people, we need to put them in a different category from us. We don t want to resemble them, and the fact that we might is too terrifying to deal with. So, they have to be monsters. I believe that similar thought processes are used in relation to many other situations, and that such thought processes prevent people from taking appropriate actions to minimise the risk. If someone considers that forgetting a child in the back seat to be an accident that could happen to anyone then they would be inclined to take action to minimise the risk (such as spending some money on a sensor). If however they consider such forgetfulness to be proof of being a bad parent , then as they are a good parent they would have to avoid buying a monitor. I m surprised that Bruce didn t draw an analogy between this and the forgetful losses of laptops and guns by people who work for law enforcement agencies (which he has written about before). I wonder how expensive it would be to make a sensor for heart-rate, breathing, and temperature integrated with a GSM modem and a GPS? If it could be small enough to be attached to clothes then the child could wear it at all times. If such a sensor was to detect a sign of a problem it wouldn t matter whether the child was forgotten in a car, at day-care, or even being actively supervised. The data would be sent to the monitoring agency along with GPS data. The monitoring agency could then phone the parents. If the parents don t answer or don t know where the child is then the police could track down the GPS location. Probably most calls would be due to parents leaving a child too close to an air-conditioner or playing outside in the sun in summer which are unlikely to give a fatal result and a phone call would get a quick fix for what would only be a minor health problem. If the device was marketed as monitoring for sleep apnia then parents could buy it without admitting to the possibility that they might do anything wrong. The causes of SIDS are a topic of ongoing research and parents can admit to being worried about their children suffering from it without admitting any possibility that they might make a mistake.

• [1] http://www.schneier.com/blog/archives/2009/03/leaving_infants.html


• [2] http://www.washingtonpost.com/wp-dyn/content/article/2009/02/27/AR2009022701549.html

The next issue of Interzone, a british SF magazine, is due out soon. The issue features a story and interview with Bruce Sterling, plus a review of his new novel the Caryatids (which Cory Doctorow said was his pick for best book of 2009, already). The cover for this issue looks fantastic: modern covers seem to be placing most of the focus on the artwork and placing the graphics and text to suite each cover art individually. I've been reading IZ for several years after having seen it mentioned several times as the source of stories in SF anthologies and highly recommend that people who enjoy reading SF give it a try.

Michael Anissimov writes about the theft of computers from the Los Alamos nuclear weapons lab [1]. He suggests that this incident (and others like it) pose a great risk to out civilisation. He advocates donating towards The Lifeboat Foundation [2] to try and mitigate risks to humanity. They suggest pledging $1000 per year for 25 years. It s interesting to note that people in Pakistan pay $8 per month for net access that better by most objective metrics than that which most people in first world can get [3]. It seems that we need to remove the cartel for the local loop to get good net access, either deregulate it entirely or make it owned by the local government who are more directly responsive to the residents. Bruce Schneier wrote a post about a proposed US law to force all mobile phones with cameras to make a click sound when taking a picture [4]. The law is largely irrelevant, as it s been law in Japan for a while most phones are already designed in that way. One interesting comment from MarkH was: But if congress REALLY wishes to benefit the public, I suggest that all guns in the U.S. be required, before each discharge, to make loud sounds (with appropriate time sequencing) simulating the flintlock technology that was common at the beginning of U.S. history, including cocking, use of the ramrod, etc. This would give fair warning of an impending discharge, and would limit firing rates to a few per minute. ROFL Brief review of a Google Android phone vs an iPhone [5]. The Android G1 is now on sale in Australia! [6]. LWN has an article about the panel discussion at the LCA Security Mini-conf [7]. Jonathan Corbet has quoted me quite a bit in the article, thanks Jonathan! Peter Ward gave an interesting TED talk about Hydrogen Sulphide and mass extinctions [8]. The best available evidence is that one of the worst extinctions was caused by H2S in the atmosphere which was produced by bacteria. The bacteria in question like a large amount of CO2 in the atmosphere. It s yet another reason for reducing the CO2 production. Michael Anissimov has written a good article summarising some of the dangers of space exploration [9], he suggests colonising the sea, deserts, and Antartica first (all of which are much easier and safer). Until we gain the ability to create huge (miles wide or larger) air bubbles in space enclosed by rapidly self-healing transparent membranes, it will be cramped and overwhelmingly boring. You ll spend even more time on the Internet up there than down here, and your connection will be slow . A confined space and slow net access, that s like being on a plane.

• [1] http://www.acceleratingfuture.com/michael/blog/2009/02/80-missing-computers-at-nuke-lab-watchdog/


• [2] http://lifeboat.com/


• [3] http://blogs.dialogic.com/2009/01/community-networks-the-robinhood-approach.html


• [4] http://www.schneier.com/blog/archives/2009/02/making_cameras.html


• [5] http://www.terdmonk.com/2009/02/16/yet-another-android-review


• [6] http://www.terdmonk.com/2009/02/15/android-here


• [7] http://lwn.net/Articles/315974/


• [8] http://www.ted.com/index.php/talks/peter_ward_on_mass_extinctions.html


• [9] http://www.acceleratingfuture.com/michael/blog/2009/02/space-that-boring-and-dangerous-place/

Michael Anissimov writes about the theft of computers from the Los Alamos nuclear weapons lab [1]. He suggests that this incident (and others like it) pose a great risk to out civilisation. He advocates donating towards The Lifeboat Foundation [2] to try and mitigate risks to humanity. They suggest pledging $1000 per year for 25 years. It s interesting to note that people in Pakistan pay $8 per month for net access that better by most objective metrics than that which most people in first world can get [3]. It seems that we need to remove the cartel for the local loop to get good net access, either deregulate it entirely or make it owned by the local government who are more directly responsive to the residents. Bruce Schneier wrote a post about a proposed US law to force all mobile phones with cameras to make a click sound when taking a picture [4]. The law is largely irrelevant, as it s been law in Japan for a while most phones are already designed in that way. One interesting comment from MarkH was: But if congress REALLY wishes to benefit the public, I suggest that all guns in the U.S. be required, before each discharge, to make loud sounds (with appropriate time sequencing) simulating the flintlock technology that was common at the beginning of U.S. history, including cocking, use of the ramrod, etc. This would give fair warning of an impending discharge, and would limit firing rates to a few per minute. ROFL Brief review of a Google Android phone vs an iPhone [5]. The Android G1 is now on sale in Australia! [6]. LWN has an article about the panel discussion at the LCA Security Mini-conf [7]. Jonathan Corbet has quoted me quite a bit in the article, thanks Jonathan! Peter Ward gave an interesting TED talk about Hydrogen Sulphide and mass extinctions [8]. The best available evidence is that one of the worst extinctions was caused by H2S in the atmosphere which was produced by bacteria. The bacteria in question like a large amount of CO2 in the atmosphere. It s yet another reason for reducing the CO2 production. Michael Anissimov has written a good article summarising some of the dangers of space exploration [9], he suggests colonising the sea, deserts, and Antartica first (all of which are much easier and safer). Until we gain the ability to create huge (miles wide or larger) air bubbles in space enclosed by rapidly self-healing transparent membranes, it will be cramped and overwhelmingly boring. You ll spend even more time on the Internet up there than down here, and your connection will be slow . A confined space and slow net access, that s like being on a plane.

• [1] http://www.acceleratingfuture.com/michael/blog/2009/02/80-missing-computers-at-nuke-lab-watchdog/


• [2] http://lifeboat.com/


• [3] http://blogs.dialogic.com/2009/01/community-networks-the-robinhood-approach.html


• [4] http://www.schneier.com/blog/archives/2009/02/making_cameras.html


• [5] http://www.terdmonk.com/2009/02/16/yet-another-android-review


• [6] http://www.terdmonk.com/2009/02/15/android-here


• [7] http://lwn.net/Articles/315974/


• [8] http://www.ted.com/index.php/talks/peter_ward_on_mass_extinctions.html


• [9] http://www.acceleratingfuture.com/michael/blog/2009/02/space-that-boring-and-dangerous-place/

Bruce Schneier is very sceptical about the new hard drive encryption standards released by a group composed of virtually all major storage vendors. He points out that the established software solutions have worked just fine, while this new standards adds complexity (and probably flaws, too) at the hardware level. I'm not so sure myself in which direction the balance goes:

• Encryption (without the key management, which I do not suppose the standard covers) is not that complex to get right and it can easily take advantage of hardware acceleration. (Yes, I don't quote numbers here. Schneier claims he hasn't had problems with encryption speed, but doesn't have numbers either ...)
• It should be a lot easier to subvert a software component than it is to subvert a hardware component.
• It is a lot harder to correct errors in hardware / firmware than in software and get users to apply the updates.
• In many cases the key management is the weak point, not the encryption itself. And key management is hard to get right regardless of where the encryption sits.
• I'm sure the abysmal track record of encrypted drives affects only the cheap USB drives and not the type of hardware we're talking about here. But, can I really be sure? (Serious) software solutions come from companies where security is the main business, whereas the hardware encryption will be implemented by storage companies which so far haven't had to care much about these issues.
• Finally: This standard should replace a number of proprietary solutions since some vendors already do offer encrypted drives anyway. Assuming the standard is sane, this should certainly be a Good Thing in any case.

Via this article in French (which I found a very interesting read, btw) I found out that the version of Woody Guthrie s song This Land Is Your Land that was sung in Obama s celebration was the unabridged one, and that Pete Seeger himself (aged 89 now) was on stage to sing it together with Bruce Springsteen. You can see in the video he was visible moved, and that rocks. According to the post in the Le Monde Diplomatique linked above, Obama also signed a couple years ago the petition to give the Nobel Peace Prize to Seeger.

Bernhard comes up with a few arguments in support of multiple filesystems which, in my arrogant opinion, make no sense. The first argument (about hardlinking a file to your homedirectory until something bad is discovered in one of the binaries) has been sufficiently debunked by Joey Hess. The second and third arguments are the same, really. Repeating your argument won't buy you any beer, sorry. Finally, all your arguments talk about server. I was talking about laptop. I don't know about you, but me, I'm not in the habit of loaning out my laptop to someone I don't trust. I'm not even in the habit of loaning out my laptop to someone I do trust, come to think of it. I do run some servers on my laptop, but I also have a firewall on my laptop that refuses incoming connections. This is a laptop. Not a machine in a data center. As such, the only person with access to my machine is me. Now I don't say I trust each and every bit of software that I run on my laptop, but I do trust myself. I won't start scanning my laptop's hard disk for rogue SetUID hardlinks in another user's home directory, because there isn't another user, stupid! Paranoid security is nice and dandy and totally useless. Security is all about trade-offs. Even Bruce says so: if the cost of a security measure (having to deal with with 73 filesystems) does not outweigh its benefit (protection against cosmic rays changing not only my firewall configuration, but also writing a suid CGI binary and installing that in /usr/lib/cgi-bin), then it's just not worth it. Now of course you might argue that 'having to deal with 73 filesystems' is no cost at all, in which case it would be worth it. But to me, it certainly is a cost, and one I'm not willing to take even if it did protect me against a real-life problem. And if someone were to break into my system, I'll just reformat it and recover from back-ups. I won't even have to revoke my GPG key, this time, since it's no longer on the disk.

Netatia has an interesting series of articles about running a computer for two people [1]. It is a bit of a kludge, they have a single X server that covers both displays and then use Xephyr to divide it into two virtual screens. The positive aspecct of this is that it shuld allow a single wide monitor to be used by two sessions as displays are getting wider regardless of the wishes of manufacturers and consumers [2] this should be useful. It’s a pity that no-one has solved the problem of having multiple video cards, sound cards, and input devices to allow a single desktop system to be used for 6 or more people. It seems that the problems that need to be solved are only the support for multiple video cards, mouse-wheel support, and sound support. Paul Ewald gave an interesting TED talk about changing the conditions for diseases so that they evolve to be benign [3]. The first example is Cholera which if spread by water will benefit from being as toxic as possible (to cause the greatest amount of diorrhea - killing the host not being a problem), but if spread by human contact benefits from leaving it’s host well enough to walk around and meet people. This and the other examples he cites seem like strong reasons for universal health-care provided by the government. If clean water is provided to all the poor people then cholera will evolve to be less harmful, and if a rich person (such as myself) is unlucky enough to catch it then the results won’t be so bad. He also notes that less harmful bacteria will often result in the victim not seeking anti-biotics and therefore less pressure for the disease to evolve resistance to anti-biotics. Therefore the people who really need them (the elderly, the very young, and people who are already sick) will find them to be more effective. Paul Stamets gave a great TED talk about fungus [4]. One of his discoveries was that fungi can be used for breaking down petro-chemicals (they can eat oil). It would be interesting to see this tested on a large scale with one of the oil spils or with the polluted land around an ooil refinery. Also he has patented a method for using fungus to kill wood-eating ants (such as the ones that briefly infested his home). Robert Full gave an interesting TED talk on robot feet [5]. I found the bit about leg spikes particularly interesting (I had always wondered why insects have spikey legs). Alan Kay gave a very interesting presentation on using computers to teach young children about science [6]. An OLPC is referenced. It makes me want to buy an OLPC for everyone I know who has young children. The start of the talk is a little slow. Dan Barber gave a very interesting TED talk about organic and humane production of foie gras in Extramuda [7]. Apparently it tastes a lot better too. Incidentally I don’t list all the TED talks I watch, only the better ones. Less than half the TED talks that I see announced seem interesting enough to download, and of those less than half are good enough that I will recommend them. The ones that I don’t recommend don’t suck in any way, it’s just that I can’t write a paragraph about every talk. Of recent times my video watching has been divided about equally between “The Bill” and TED talks. Here’s an interesting article about Sarah Palin and “anti-elitism”: The prospects of a Palin administration are far more frightening, in fact, than those of a Palin Institute for Pediatric Neurosurgery. Ask yourself: how has “elitism” become a bad word in American politics? There is simply no other walk of life in which extraordinary talent and rigorous training are denigrated. We want elite pilots to fly our planes, elite troops to undertake our most critical missions, elite athletes to represent us in competition and elite scientists to devote the most productive years of their lives to curing our diseases. And yet, when it comes time to vest people with even greater responsibilities, we consider it a virtue to shun any and all standards of excellence. When it comes to choosing the people whose thoughts and actions will decide the fates of millions, then we suddenly want someone just like us, someone fit to have a beer with, someone down-to-earth in fact, almost anyone, provided that he or she doesn’t seem too intelligent or well educated.[8] Sarah will be representing the Republican party in 2012, the desire for leaders of average intelligence (or less) will still be around then. It will be interesting to see how many votes she gets and amusing to see her interviewed. The proceedings of the “Old Bailey” - London’s Central Criminal Court have been published [9]. It’s interesting to read some of the historical information about the legal system at the time. It made me appreciate how civilised the UK (and other countries that I have visited) are now. Bruce Schneier writes about the feture of ephemeral communication [10]. He concludes with the point “until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers we aren’t fully an information age society“. Of course as he notes the rules are written by the older people, currently I don’t think that any candidate for high office (cabinet minister or above) anywhere in the world can have a good history on the Internet. During the course of a decade or more on the net it’s impossible not to write something that can be used against you and no reasonable person could avoid changing their views on some issues in such a time period. That’s enough to lose an election with the way things currently work.

• [1] http://netpatia.blogspot.com/2008/02/multiseat-computer-with-ubuntu-804.html


• [2] http://lenovoblogs.com/insidethebox/?p=155


• [3] http://www.ted.com/index.php/talks/paul_ewald_asks_can_we_domesticate_germs.html


• [4] http://www.ted.com/index.php/talks/paul_stamets_on_6_ways_mushrooms_can_save_the_world.html


• [5] http://www.ted.com/index.php/talks/robert_full_on_animal_movement.html


• [6] http://www.ted.com/index.php/talks/alan_kay_shares_a_powerful_idea_about_ideas.html


• [7] http://www.ted.com/index.php/talks/dan_barber_s_surprising_foie_gras_parable.html


• [8] http://www.newsweek.com/id/160080/page/1


• [9] http://www.oldbaileyonline.org/


• [10] http://www.schneier.com/blog/archives/2008/11/the_future_of_e.html

Meme from Jono:

• Grab the nearest book.
• Open it to page 56.
• Find the fifth sentence.
• Post the text of the sentence in your journal along with these instructions.
• Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

My result: “The term linear just means that each output bit of the mixing function is the XOR of several of the input bits.” - Practical Cryptography, Niels Ferguson, Bruce Schneier.