I had my strong doubts as to whether the shipment would be allowed through customs, and was happily surprised by a smiling Graham today before noon. He handed me a smallish box that arrived to his office, containing... Our fifty C.H.I.P. computers, those I offered to give away at DebConf! The little machines are quite neat. They are beautiful little devices, including even a plastic back (so you can safely work with it over a conductive surface or things like that). Quite smaller than the usual Raspberry-like format. It has more than enough GPIO to make several of my friends around here drool about the possibilities. So, what's to this machine besides a nice small ARM CPU, 512MB RAM, wireless connectivity (Wifi and bluetooth)? Although I have not yet looked into them (but intend to do so very soon!), it promises to have the freest available hardware around, and is meant for high hackability! And not that it matters But we managed to import them all, legally and completely hassle-free, into South Africa! That's right We are all used to the declaring commercial value as one dollar mindset. But... The C.H.I.P.s are actually priced at US$9 a piece. The declared commercial value is US$450. South Africans said all their customs are very hard to clear But we were able receive 50 legally shipped computers, declared at their commercial value, without any hassles! (yes, we might have been extremely lucky as well) Anyway, stay tuned By Thursday I will announce the list of people that get to take one home. I still have some left, so feel free to mail me at gwolf+chip@gwolf.org.

Signal is a pretty amazing app; it manages to combine great security with great simplicity. (It literally takes two minutes, even for an unskilled user, to set it up.) I looked at the Wikipedia article, and the list of properties the protocol provides is impressive; I had hardly any idea you would even want all of these. But I've tried to decode what they actually mean:

• Confidentiality: Messages are encrypted, so they cannot be read by someone eavesdropping.
• Integrity: Messages are protected against corruption, whether random or malicious.
• Authentication: You know who sent a given message (although you'll need to verify this out-of-band, of course). Note that while this usually implies non-repudiation, see below.
• Participant consistency: In a group chat, everybody sees the same list of people.
• Destination validation: Messages you got were intended for you.
• Forward secrecy: If someone gets to your keys (including long-term and current session keys), they can't decrypt earlier messages.
• Backward secrecy (aka future secrecy): If someone gets to your keys, they can't decrypt later messages.
• Causality preservation: Messages cannot come out-of-order.
• Message repudiation: You cannot cryptographically prove to others that someone sent a given message, even though you know it yourself. (This is possible because at the same time you get a signed message, you also get what would be needed to fake that signature yourself.)
• Message unlinkability: Even if you could prove to others that someone sent a given message (e.g. by arguing only they had that information), that doesn't help proving it for any other messages.
• Participation repudiation: There's no way to cryptographically prove you were in a group chat, even if all the other members of it conspire.
• Asynchronicity: Clients don't need to be online at the same time to send messages.

(There are more guarantees and features for group chat.) Again, it's really impressive. Modern cryptography at its finest. My only two concerns is that it's too bound to telephone numbers (you can't have the same account on two devices, for instance it very closely mimics the SMS/MMS/POTS model in that regard), and that it's too clumsy to verify public keys for the IM part. It can show them as hex or do a two-way QR code scan, but there's no NFC support, and there's no way to read e.g. a series of plaintext words instead of the fingerprint. (There's no web of trust, but probably that's actually for the better.) I hear WhatsApp is currently integrating the Signal protocol (or might be done already it's a bit unclear), but for now, my bet is on Signal. Install it now and frustrate NSA. And get free SMS/MMS to other Signal users (which are growing in surprising numbers) while you're at it. :-)

The Netgear CG3100D-2 is the default cable-modem you get for Telstra Cable, at least at one time. Having retired it after changing service providers, I wanted to see if it was somewhat able to be re-purposed. In short it's hackability is low. First thing was to check out the Netgear Open Source page to see if the source had anything interesting. There is some source, but honestly when you dig into the platform code and see things like kernel/linux/arch/mips/bcm963xx/setup.c: there's a bit of a red-flag that this is not the cleanest code in the world (I guess it interfaces with some sort of cross-platform SDK written in some sort of C++). So next we can open it up, where it turns out there are two separate UARTs as shown in the following image. One of these is for the bootloader and eCOS environment, and the other seems to be connected to the Linux side. A copy of the boot-logs for the bootloader and eCOS and Linux don't show anything particuarly interesting. The Linux boot does identify itself as Linux version 2.6.30-V2.06.05u while the available source lists its version as 2.6.30-1.0.5.83.mp2 so it's questionable if the source matches whatever firmware has made it onto the modem. We do see that this identifies as a BCM338332 which seems to be one of the many sub-models of the BCM3383 SoC cable-modem solution. There is an OpenWrt wiki page that indicates support is limited. Both Linux and eCos boot to a login prompt where all the usual default combinations of login/passwords fail. So my next thought was to try and get to the firmware via the bootloader, which has a simple interface

BCM338332 TP0 346890
Reset Switch - Low GPIO-18 50ms
MemSize:            128 M
Chip ID:     BCM3383G-B0
BootLoader Version: 2.4.0alpha14R6T Pre-release Gnu spiboot dual-flash reduced DDR drive linux
Build Date: Mar 24 2012
Build Time: 14:04:50
SPI flash ID 0x012018, size 16MB, block size 64KB, write buffer 256, flags 0x0
Dual flash detected.  Size is 32MB.
parameter offset is 49944
Signature/PID: a0e8
Image 1 Program Header:
   Signature: a0e8
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2013/4/18 04:01:11 Z
 File Length: 3098751 bytes
Load Address: 80004000
    Filename: CG3100D_2BPAUS_V2.06.02u_130418.bin
         HCS: 1e83
         CRC: b95f4172
Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e8
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2013/10/17 02:33:29 Z
 File Length: 3098198 bytes
Load Address: 80004000
    Filename: CG3100D_2BPAUS_V2.06.05u_131017.bin
         HCS: 2277
         CRC: a6c0fd23
Found image 2 at offset 800000
Image 3 Program Header:
   Signature: a0e8
     Control: 0105
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2013/10/17 02:22:30 Z
 File Length: 8277924 bytes
Load Address: 84010000
    Filename: CG3100D_2BPAUS_K2630V2.06.05u_131017.bin
         HCS: 157e
         CRC: 57bb0175
Found image 3 at offset 1000000
Enter '1', '2', or 'p' within 2 seconds or take default...
. .
Board IP Address  [0.0.0.0]:           192.168.2.10
Board IP Mask     [255.255.255.0]:
Board IP Gateway  [0.0.0.0]:
Board MAC Address [00:10:18:ff:ff:ff]:
Internal/External phy? (e/i/a)[a]
Switch detected: 53125
ProbePhy: Found PHY 0, MDIO on MAC 0, data on MAC 0
Using GMAC0, phy 0
Enet link up: 1G full
Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  p) Print flash partition map
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  X) Erase all of flash except the bootloader
  z) Reset
Flash Partition information:
Name           Size           Offset
=====================================
bootloader   0x00010000     0x00000000
image1       0x007d0000     0x00020000
image2       0x007c0000     0x00800000
linux        0x00800000     0x01000000
linuxapps    0x00600000     0x01800000
permnv       0x00010000     0x00010000
dhtml        0x00200000     0x01e00000
dynnv        0x00040000     0x00fc0000
vennv        0x00010000     0x007f0000

The "read memory" seems to give you one byte at a time and I'm not certain it actually works. So I think the next step is solder some leads to dump out the firmware from the flash-chip directly, which is on the underside of the board. At that point, I imagine the passwords would be easily found in the image and you might then be able to leverage this into some sort of further hackability. If you want a challenge and have a lot of time on your hands, this might be your platform but practically I think the best place for this is the recycling bin.

[Warning: quite a bit of pics in this post] [Edit: changed the post title, while I love the music, the actual lyrics of "Shake Rattle and Roll" made me facepalm. Ronnie Dawson's song is better :)] Last weekend I've been in Senigallia for the 15th edition of Summer Jamboree.
It was my first time there, and it was epic. Really.
If you are into roots music and early rock'n'roll and/or into vintage 40s and 50s clothes, go there.
You won't regret it! (You have time until August 10th, hurry up!) If you follow my identi.ca account (whooo! shameless plug!), you may know that I love music in general and Blues, Jazz and Rockabilly in particular.
If you read my blog, you may know that I make clothes - particularly reproductions of 50s and retro clothes.
So, it's not much of a surprise that going to the Summer Jamboree has been a mindblowing experience to me.
What surprised me it's that I've felt the very same wonder of my first Debconf: the amazing feeling that you are not alone, there are other people like you out there, who love the same things you love, who are silly about the same little details (yes, I equally despise historically innacurate pin up shoes and non free software), who dance - metaphorically and not - at your same beat.
Same wonder I felt when I first read some authors - Orwell and David Foster Wallace, just to mention a couple - or when I first delved in anarchist thinkers.
By nature I'm not much of a social person, and I tend to live and love alone. But that sense of being part of something, to find like-minded people always blows me away. I'm not much of a blog writer, so I won't probably be able to give you a good impression of the awesomness of it.
But hey, watch me trying. The Vintage Market I spent most of the morning travelling by train to reach Senigallia (and met the most beautiful French girl ever in the process, who sketched me in her notebook because, hey!, I was already in full Rockabilly gear).
The hotel was pretty close to the station, and to the part of the city where the festival was taking place, so I spent a couple of hours sleeping, then started the adventure.
The festival takes place mostly near the Rocca Roveresca, a beautiful fifteenth century castle, and on its gardens, but the all the other venues are in walking distance.
All around the Rocca there is a market with vintage clothes, records, shoes, retro jewelry. A special mention for two fantastic dressmakers: Laura of Bloody Edith Atelier from Rome and Debora of The Black Pinafore from Sarzana. I bought just a piece from each of them, but I was able to do that only with a huge amount of self restraint. Guitars! Tattoos! Yes, I may have spent a bit drooling on the Gibson Cherry Red, and I tried (without amp, though) that beautiful orange Gretsch Electromatic. And Greg Gregory of the Travel Ink Tattoo Studio from UK was there, with his shiny Airstream. I also spent a while among the records in the Bear Family Records booth. They are a Germany based independent record label specialised in reissues of country and 50s rock'n'roll. Couldn't resist, and I bought a beautiful Sun Records' tshirt. Just Rockin' and Rollin'. Aka: dance time After that, it was time to dance. I missed the dance camp of the afternoon, but the DJ sets were fantastic, all 40s and 50s stuff, and I fell in love with Lindy Hop and Boogie Woogie, and well, obviously, Jive. I could have spent hours watching the people dancing, and clumsily trying the most basic moves myself. People And the people, did I mention the people?
They were cosplaying the 40s and 50s so wonderfully I couldn't help but take some photos (and find a new fetish of mine: men in 40s clothes. Sexy as hell). For instance, Angelo Di Liberto, artistic director of the festival with the beautiful burlesque artist Grace Hall. Or the amazingly dressed German couple I met in via Carducci. And this couple too, was pretty cool. The Prettiest Smile award goes to these lovely ladies! Cars Who knows me, can tell that I don't love cars.
They stink, they are noisy, they are big.
But these ones where shiny and looked beautiful. Also, the black Cadillac had the terrible effect on me of putting "Santa Claus is Back in Town" in my head (or, more precisely, Elvis tomcatting his way through the song, singing "Got no sleigh with reindeer / No sack on my back / You're gonna see me comin' in a big black Cadillac"). Music! Sadly, I missed Stray Cat's Slim Jim Phantom but I was just in time for Ben E. King.
It was lovely: backed by the house band (The Good Fellas), he sang a lot of old Drifters hits, from On Broadway to Save the Last Dance for Me to - obviously - the great Stand By Me. Then a bit of hillbilly country, with Shorty Tom and the Longshots, a French combo consisting of a double bass, a rhythm guitar and a steel guitar. And, well, more dancing: the dj sets on the three stages went on until 3 am. Day 2 The next morning I took advantage of the early opening of Rocca Roveresca to visit it. The Rocca itself is beautiful and very well maintained, and hosts various exhibitions.
"Marilyn In White" shows the incredible photos taken by George Barris on the set of "The Seven Year Itch" as well as some taken in 1962. Beautiful, really, especially the series on the beach. But the ones moving me were the pics from "Buddy Holly, The Day The Music Dies": a collection of photos taken by Bill Francis during the (sadly brief) career of Buddy Holly from the very beginnings to his death. After that, it was time to come back to year 2014, but really I felt like I've walked for a while in another decade and planet. And the cool thing is that I could enjoy the great 40s and 50s music and dances (and clothes!) without the horrible stereotypes and cultural norms of the time period. A total win. :) So, ehm, that's it. I'm a bit sad to be back, and to cheer myself up I'm already planning to attend Wanda Jackson gig in Aarburg (CH) next month.
And take Lindy Hop and Boogie lessons, obviously.

Recently I purchased a Tenvis IP391W-HD camera. I would be unlikely to recommend it. The price is certainly right and the picture quality is quite good. The Android and iPhone apps do work to watch the stream live. However, the interface is terrible and almost useless without Internet Explorer. There is a RTSP stream (rtsp://admin:password@ip) which VLC can seem to handle, but not mplayer. The recording format (.h264) is not viewable by VLC or mplayer and all I could find is a Windows .exe to convert them to an .avi. The motion detection gets troubled by the dark. It would really only be useful for something permanently well-lit. It did send me emails via gmail. I have got it recording to a NFS server, but I don't have a lot of confidence in the reliability of it. I think I have it configured to record in 3600-second blocks (given the interface, it's hard to tell if I've set it up to the network, or to the internal flash, etc), but it seems to intersperse 60 minute recordings with random small recordings. Given the whole idea of a security camera is to record the unexpected, you want a lot of confidence you're actually recording, which you don't get with this. You can see below it recorded 3 hour blocks, then started going a little crazy...

-rw-r--r-- 1 nobody nogroup  69M Mar 11 01:25 0-003035.v264
-rw-r--r-- 1 nobody nogroup  69M Mar 11 02:25 0-013049.v264
-rw-r--r-- 1 nobody nogroup  69M Mar 11 03:26 0-023103.v264
-rw-r--r-- 1 nobody nogroup 5.9M Mar 11 03:31 0-033117.v264
-rw-r--r-- 1 nobody nogroup 1.5M Mar 11 03:40 0-034350.v264
-rw-r--r-- 1 nobody nogroup  17M Mar 11 04:02 0-035259.v264
-rw-r--r-- 1 nobody nogroup 306K Mar 11 04:10 0-041548.v264
-rw-r--r-- 1 nobody nogroup 4.9M Mar 11 04:23 0-042457.v264

There is a support forum, where I found the following files scattered in various posts. From what I can tell, they are the latest as of this writing. I can confirm they work with my IP391W-HD, which the system tells me is GM8126 hardware and came with firmware 1.2.8.3.

• 1.3.3.3.pk2 - firmware (b56f211a569fb03a37d13b706c660dcb)
• web.pk2 - a UI update that includes dropbox support. This is really for the model that has pan and tilt, so those buttons don't work. (0e42e42bd6f8034e87dcd443dcc3594d)
• V264ToAVIen.exe - converts the output to an AVI file that mplayer will play (with some complaints) (9c5a858aa454fed4a0186cf244c0d234)

www.modern.ie offers free limited-time Windows VM's which will work to upload this firmware. Just make sure you use a bridged network in the VM; I'm guessing the firmware ActiveX control tells the camera to TFTP the data from it, which doesn't work via NAT. Somewhat worryingly, you can telnet to it and get a login prompt (TASTECH login). So it has a built-in backdoor you can't disable. There have been some efforts to hack the device. leecher@dose.0wnz.at did an excellent job reverse engineering the .pk2 format and writing tenvis_pack.c (no license, I'm generously assuming public domain). I used this to recreate the firmware above with a telnet daemon listening with a shell on port 2525 (no password, just telnet to it)

• 1.3.3.3-telnet.pk2 (19cf63ca8f0928af8ef5a9eb8326aae6)

It's interesting to poke around, but it seems like the whole thing is really driven by a binary called ipc8126

/ # ipc8126 --help
*** TAS-Tech IPCAM/DVS
*** Version: 1.3.3.3
*** Release date: 2013-08-05 15:48:32

In general, I'd say hackability is quite low. Warning : any of the above might turn your camera into a paperweight. It worked for me, but that's all I can say...

Since 2004, I ve used the blogging software PyBlosxom. Over that time, the software has served me well and I have even written a series of patches and plugins. PyBloxsom is blog software designed for hackers. It assumes you already have a text editor you love and relies on features of a POSIX filesystem instead of a relational database. It s designed so you can keep your blog under revision control (since 2004 I ve used GNU Arch, baz, bzr and now git). It is also hackers software in the sense that you should expect to write code to use it (e.g., the configuration is pure Python). I love it. What PyBlosxom does not have is a large community. This summer, the most recent long-time maintainer of the project, Will Kahn-Greene, stepped down. Although the project eventually found a new maintainer, the reality is the project entered maintenance mode years ago and many features available in more popular blogging platforms are unlikely to make it PyBlosxom. The situation with comment spam is particularly dire. I ve written several antispam plugins but time has shown that I don t have the either the expertise or the time to make them as awesome as they need to be to really work in today s web. So, after many months of weighing, waffling, and planning I ve switched to WordPress a great piece of free software with an enormous and established community As you ll know if you ve read my interview on The Setup, I think a lot about the technology I surround myself with. I considered WordPress when I started my blog back in 2004 and rejected it soundly. Eight years ago, I would have laughed at you if you told me I d be using it today; If PyBlosxom is for hackers, WordPress is designed for everyone else. But the way I evaluate software has changed over that period. In the nineties, I used to download every new version of the Linux kernel to compile it it took hours! to try out the latest features. Configurabilty, hackability, and the ability to write my own features was after a point more important than the features the software came with. Today, I m much more aware of the fact that for all the freedom that my software gives me, I simply do not have the time, energy, or inclination to take advantage of that freedom to hack very often. Today, I give much more value to software that is not just free, but that is maintained by a community of people who can do all the work that I would do if I had unlimited time. Although I don t have the time or experience to make WordPress do everything I would like, the collective of all WordPress users does. And they ve done a lot of it already! The flip side matters as well: Today, I give more value to other people using my software. When WordPress doesn t do something and I write a plugin or patch, there are tons of people ready to pick it up and use it and perhaps even to collaborate on it with me. Want to guess how many patches my PyBlosxom plugins have received? None, if my memory serves me. In the past, I ve written about how free software is a victory even when it doesn t build a community. I still believe that. But the large communities at the heart of the most successful free software communities (the promise of open source ) are deeply important in a way that I increasingly value. In that spirit: If you want to make the jump from PyBlosxom to WordPress, I ve shared a Git repository with the scripts I used and wrote for the transition.

A couple week ago, during the last debconf (Debian Conference) in Managua/Nicaragua, I presented the latest developments about the inclusion of clang in the Debian architecture. To sum up (details are available in the slides and the video), the rebuild of the Debian archive with Clang 3.1 increased the number of failures from 8.8 to 12.1%. The main reason is that further checks have been added to clang. With Paul Tagliamonte as co-mentor and Alexander Pashaliyski as a GSoC student, we made great progress in bringing Clang as A new compiler in the Debian infrastructure. The various feedbacks that I had during Debconf were pretty good. It interests many people for reasons like Quality Assurance (more checks), performances, hackability or to decorrelate Debian and GCC. Build Debian with another compiler - Slides
Build Debian with another compiler - Video A nice resume of my talk has been made by Michael Larabel on Phoronix:
Decoupling GCC From Debian By Using LLVM/Clang

A couple week ago, during the last debconf (Debian Conference) in Managua/Nicaragua, I presented the latest developments about the inclusion of clang in the Debian architecture. To sum up (details are available in the slides and the video), the rebuild of the Debian archive with Clang 3.1 increased the number of failures from 8.8 to 12.1%. The main reason is that further checks have been added to clang. With Paul Tagliamonte as co-mentor and Alexander Pashaliyski as a GSoC student, we made great progress in bringing Clang as A new compiler in the Debian infrastructure. The various feedback that I had during Debconf were pretty good. It interests many people for reasons like Quality Assurance (more checks), performances, hackability or to decorrelate Debian and GCC. Build Debian with another compiler - Slides
Build Debian with another compiler - Video A nice resume of my talk has been made by Michael Larabel on Phoronix:
Decoupling GCC From Debian By Using LLVM/Clang

Now that the semester is done and now that I have compiled my crazy paperwork for Canada (wow, it is a lot), I will be heading in six days to the wonderful city of Montreal to settle down, at least for a few years. I am ready to leave but it is not an easy move, as I like NYC and my job. I came to New York City for the first time at the age of 19 after spending a year on a ship and I rather did not like the city for those 5 years, although loved my college years and all the time I spent chasing a Frisbee while running on grassy fields all over the east coast. When I left in 1998, I said, never again. But the future is impossible to predict so of course I came back when I got a job, my only job, at NYU MCC and headed quite happily here (incidentally from Canada). And NYC was much much much better the second time around, most likely as I had a salary, and here is what I <3 and loved about the city. 1. Not having a car (which will still be the case in Montreal)
2. The bike path on the Hudson, especially the gardens and the Irish famine memoriall
3. The farmer s markets (won t miss the prices though)
4. High walkability factor (and though I did not love my hood, I loved being 1.5 blocks from my office)
5. The music jam circles in Washington Square Park (I was always left wondering if they were spontaneously generated or long standing groups // prolly both) and the occasional but mighty impressive hawks in the park.
6. Coney Island especially under certain special conditions when you can rly enjoy the lights radiating out of the amusement park
7. Leaving the city for some nature time
8. 24 hour trains (despite not loving them cuz the noise robbed some life from me every time I took them)
9. Grand Central Station s ceiling
10. The gluten free options (this is going to be the hardest to give up as Montreal sort of sucks in comparison)
11. Being able to take your small dog on the train which is only a recent pleasure
12. My department
13. East Asian Starr library at Columbia University (still my favorite library in the world) and totally loathed NYU s Bobst, ugly on the outside, ugly on the inside
14. NYC sunrises which I have like only seen 3 times (sadly) but they have been stunning every time
15. Walking across the Brooklyn Bridge
16. HOPE
17. The Highline
18. The Strand
19. My favorite thing = Massive Snow Storms in the City (good thing I am moving to Canada, eh?)

Last Friday (11 November 2011), I was at the Cooperatives-SW annual conference at the Cube Cinema in Bristol, titled Growing Your Co-operative and sponsored by the Co-operative Membership South and West. It was another sold-out event, featuring headline talks from Co-op Party member and Labour MP Kerry McCarthy, Eli Sarre of Essential Trading worker co-op (pictured), Carole Theyer of Sparks Inc and Jim Pettipher from Co-operative Futures. There were also some great workshops I went to a finance workshop led by Ian Rothwell from Co-operative and Community Finance and a regulations one with Paul Martin of Kabin (details may appear on their event page) and a brilliant lunch from Runcible Spoon (and those of you who know me will know I have been livid with some co-op event lunches!) with some time to chat and network, although I also went to a fringe meeting about the RISE problems. The event concluded with the formal AGM of Co-operatives SW (electing a new chairperson and approving transfer to a new co-op corporation) as well as a bit more chat afterwards. I felt it was a great event and well worth my time being there. I m glad that some people from outside the co-op movement, from community businesses like the Strawberry Line Cafe and a few people considering joining or forming co-ops, were there and I hope it was good for them too.

I ve taken the plunge, and converted my blog from a venerable but largely unmaintain(ed able) blosxom setup that I ve had since 2005 (OMG!) into a new and shiny Jekyll-backed system. The main benefits are that I m more comfortable hacking away at Jekyll (being written in Ruby), and my blog post submission no longer requires me to e-mail my blog posts to myself to put them up (that was just an artifact of how I set it up all those years ago, but it had worked so I wasn t willing to change it just for the sake of it). Jekyll s superior (for me) hackability has reaped dividends already I ve put together a home-grown comments system, which fulfils my primary requirements of being as close to completely statically-generated as it s possible to be (about 10 lines of PHP is the only dynamic content), and doesn t involve JavaScript or putting my blog comments in the cloud .

I attended a workshop sponsored by the IAB, W3C, ISOC and MIT on Internet Privacy. The workshop had much more of a web focus than it should have: the web is quite important should certainly cover a majority of the time, but backend issues, network issues, and mobile applications are certainly important too. For me this workshop was an excellent place to think about linkability and correlation of information. When people describe attacks such as using the ordered list of fonts installed in a web browser to distinguish one person from another, it s all too easy to dismiss people who want to solve that attack as the privacy fringe. Who cares if someone knows my IP address or what fonts I use? The problem is that computers are very good at putting data together. If you log into a web site once, and then later come back to that same website, it s relatively easy to fingerprint your browser and determine that it is the same computer. There s enough information that even if you use private browsing mode, clear your cookies and move IP addresses, it s relatively easy to perform this sort of linking. It s important to realize that partially fixing this sort of issue will make it take longer to link two things with certainty, but tends not to actually help in the long-run. Consider the font issue. If your browser returns the set of fonts it has in the order they are installed, then that provides a lot of information. Your fingerprint will look the same as people who took the same OS updates, browser updates and installed the same additional fonts in exactly the same order as you. Let s say that the probability that someone has the same font fingerprint as you is one in a million. For a lot of websites that s enough that you could very quickly be linked. Sorting the list of fonts reduces the information; in that case, let s say your probability of having the same font set as someone else is one in a hundred. The website gets much less information from the fonts. However it can combine that information with timing information etc. It can immediately rule out all the people who have a different font profile. However as all the other people who have the same font fingerprint access the website over time, differences between them and you will continue to rule them out until eventually you are left. Obviously this is at a high level. One important high-level note is that you can t fix these sorts of fingerprinting issues on your own; trying makes things far worse. If you re the only one whose browser doesn t give out a font list at all, then it s really easy to identify you. The big question in my mind now is how much do we care about this linking. Governments have the technology to do a lot with linking. We don t have anything we technical we can do to stop them, so we ll need to handle that with laws. Large companies like Google, Facebook and our ISPs are also in a good position to take significant advantage of linking. Again, though, these companies can be regulated; technology will play a part, especially in telling them what we re comfortable with and what we re not, but most users will not need to physically prevent Google and Facebook from linking their data. However smaller websites are under a lot less supervision than the large companies. Unless you take significant steps, such a website can link all your activities on that website. Also, if any group of websites in that space want to share information, they can link across the websites. I d like to run thought experiments to understand how bad this is. I d like to come up with examples of things that people share with small websites but don t want linked together or alternatively don t want linked back to their identity. Then look at how this information could be linked. However, I m having trouble with these thought experiments because I m just not very privacy minded. I can t think of something that I share on the web that I wouldn t link directly to my primary identity. I certainly can t find anything concrete enough to be able to evaluate how clearly I care to protect it. Helping me out here would be appreciated; if you can think of fairly specific examples. There s lots of important I prefer to keep private like credit card numbers, but there, it s not about linking at all. I can reasonably assume that the person I m giving my credit card number to has a desire to respect my privacy.a

Lucy left for England yesterday (OK, now it’s two days ago — last Friday). That means that I have unusual amount of free time at my hands, and yet even more things that could be done with it. But I suppose it’s time to update this little blog. It’s probably pointless to enumerate what happened, or what changed. Everything is fine and smooth over here — the wrinkles get worked out over time (with Lucy, without Lucy). Hobbies still take time and I still haven’t given up. My latest determination is to get myself a bassoon for next Christmas. (Now, that will be a year since we got Lucy a Marigaux 901, used, in great condition for a great price, lo and behold, on Austrian ebay. World is so weird sometimes…) And in the land of [LVM], I have finally started the process to merge code to improve LVM’s behaviour in presence of failed storage hardware (physical volumes gone missing). In the land of Adept, well… first things first. FOSSCamp I have visited Prague for the latest Ubuntu- (well, Canonical-) organised event, the FOSSCamp. I have met Johnatan (KUbuntu), Seli (KWin), Lidya (Amarok), Robert (Konsole), Jos (Strigi) and Inge (KOffice). See also Johnatan’s Blog (including a real blurry picture). So back to Adept — I had some hacking time over there in Prague, and I have almost brought Installer and Updater back to life for Adept 3. I unfortunately didn’t have as much time for it since then — but my current free time situation does open up some possibilities. First and foremost, I should really make a text interface to the underlying libraries for myself, maybe with fancy colourful UI, hopefully one that is comfortably close enough to apt-get and still offers advantages. Hmmmm… Intermezzo 1 Now zoom out and zoom in somewhere else, enough of coding matters. Our research group at the University had a (tool) paper accepted for ATVA 2008, meaning that I am not unlikely to visit Seoul, South Korea in October. Another piece of distant world to visit. FOSDEM Now, that reminds me… Since the last time, I have also been in Belgium — to visit FOSDEM — meeting Alasdair (of LVM) and Bart and Pino of Krita and Okular, respectively… although unfortunately, I didn’t spend nearly enough time with Pino… At least we have spend a day walking around Ghent with Bart (and Lucy, who visited Belgium with me, also having friends of her own there). Moreover, I have spent a lot of mostly productive time with Alasdair, discussing LVM2. And Belgium is nice and pretty, although I didn’t really get around to taste any beer. Maybe next time. And Antwerps were nice, too. Photos? Someday. LinuxTag And after that, I have visited Berlin again, for LinuxTag as usual — plus the accompanying LVM discussions, with Milan, Kabi and Mikul (Blek) of the Czech part of the team, and Heinz, John and of course Alasdair for the rest of the world… Also as usual, we walked around, had dinners, discussed non-work stuff, etc… a good event all in all. At LinuxTag, I have briefly seen Lidya again, as well as Ossi (whom I nearly didn’t recognise…) and Aaron who (for a change) didn’t recognise me (but to be fair, I didn’t quite stop by to chat and he’s been busy…) and Sebas, cordial as ever (and always a pleasure to meet)… reminds me of Paris two years ago, too. Intermezzo 2 Less than a month ago, I have finished my first semester of master’s study — two or three more to go (I have completed bachelor’s the semester before). Yes, I am a bachelor of computer science, or something like that, anyway, now. Or so I hope. I did not attend the whatever ceremony and I don’t really have the diploma (or maybe I do, but gods know where it is…). A short note on Debian with best intentions I am now sponsoring Trent Buck’s ?darcs packages, contributing a little on the go (making me wish that alpha buildd would make a little more progress…). With Enrico, we have uploaded new versions of wibble and libept, both of which I think make both of us fairly happy. (Although we again managed to hit a way strange compiler issue (only manifested on arm… what have I done that the gods punish me so?), as documented in Debian bug 487406…) I have packaged dzen2 and taken over haskell-mode (I am losing track of my own packages again — I really need to set up reliable watch files so I don’t miss out too many releases… apparently neither has new upstream versions, so I can sleep peacefully for a little longer). Intermezzo 3 I am not going to DebConf nor Akademy this year. That makes me a little sad, but it’s all my own fault (and laziness). Next time folks, next time. I haven’t seen K vin in aeons and he probably removed me from his memory by now… No matter, I’ll try a little harder next year, promise (oh, how many have I made to date?). Finale Nothing grandiose, just best wishes to everyone, I have to land in bed now it seems, as I am ever so sleepy. (Just So Stories, anyone?) There I go.

My latest music CDs (of course already ripped to my Ogg Vorbis player... CDs suck usability-wise, actually...):
Sing when you're Swinging Two CDs - the second is titled "(If you can't sing it) You'll have to swing it" - with recordings of the swing era. Some slow, some better for dancing. Rather cheap, and well worth the money unless you have many songs of that era already.
Pop swings This CD is a mixed bag. It's swing covers of well-known songs of the 70s-90s. Some work great, others don't. A lot is personal taste, depending on the memories you have of the originals or how you liked them. If you didn't like the original, you might like the swing cover. If you loved the original, you'll likely hate the cover, just like any cover. The funniest thing is that one artist, Paul Anka, is on the CD in both roles, as cover artist (Smells like teen spirit) and as original artist (Diana). This is a CD you can't really listen to on-block (thats why CDs suck) or play on a party. You'll usually pick some specific songs.
Perfect for parties The full title is

Bear Family
"Perfect for parties
Highlight Album

This CD was the surprise CD. Very cheap, but very convincing. It's odd and fun at the same time. Actually it's probably as much country as it's rockability and swing. But who cares when you can have lots of fun with it? The song I like currently like best is "Burn that candle" by Charline Arthur. Note: above amazon.de links will earn me a tiny commission. It would be nice if you'd use them if you plan to order some of these CDs. Thanks. It will certainly never pay off, but when I set links I can as well set some that might allow me to buy myself a CD from it sometime later, too. ;-)

Today I shall mostly be working on initrd images. We’ve got some software which will take a linux-kernel-vx.x.x..deb file and with one command turn that into a bootable initrd.img file complete with busybox-compiled tools, modules, and an init script. This is used for network booting with PXE. Pretty neat when it works. But the init script is a bash script which contains lots of code like:

mount -n proc /proc -t proc   abort \"Failed to mount proc\"

This all needs converting to:

• Run the command.
• If it fails and the error looks transient repeat say five times.
• If that fails drop into /bin/sh

This would be easy with perl/ruby/something else. But to keep the size and hackability of the image down its gotta be done in sh.