May 19 2012

pure bubble

El Reg reports that facebook share dealing opened at $42 per share (up $4 on the opening IPO price of $38). As they wryly point out, the Telegraph reports that that price makes the company “worth” more than Boeing.

That is nonsensical beyond belief. Boeing actually make things. Big things, that other companies pay a lot of money to buy. Facebook’s sole revenue source is advertising.

A small prediction. This time next year, facebook’s shares will be trading at less than $5 each – tops.

Update – added 19 June 2012 – this Nasdaq daily quote page for Facebook may be useful.

Permanent link to this article: https://baldric.net/2012/05/19/pure-bubble/

May 13 2012

disappointing satnav

One of my hobbies is motorcycling. I have travelled extensively by bike in central and southern europe over many years, but oddly, I have never visited scotland before. I intend rectifying that shortly. When travelling in europe I have always made do with the excellent Michelin range of 1/1000000 (1 cm to 10 km) maps. These maps are of sufficient detail to aid serious navigation and they also fold quite neatly to fit in a motorcycle tank bag top. Never before have I felt the need of a GPS satnav device.

My wife, however, has a TomTom in her car and I noted that the device has two distinct advantages over a static map. Firstly it is immensely useful in the “last 5 mile stage” when you are hunting for a B&B in an unfamilar town, and secondly (of most use when in trouble) it has a “where am I” function that pinpoints location so that you can give your co-ordinates to a rescue service. This latter function is reassuring to someone travelling alone (or to someone left behind by someone travelling alone). So, since I shall be travelling alone in Scotland over some wild and windy expanses where the weather is notoriously less predictably friendly than it is in southern europe at this time of year, I saw the sense in getting a satnav. I bought a garmin (small, light and cheap). Mine even came with a free lifetime subscription to map updates. The device itself is a doddle to set up and works very well. But it has a fatal design flaw – all software and map updates assume that you have a microsoft windows or apple OSX desktop at home. Well, guess what. I don’t.

The garmin update mechanism uses a plugin to IE, firefox, safari or chrome. But only if you are using a “compatible” operating system. No matter how hard I tried to fool the site using a user agent switcher I couldn’t get the plugin to work. I even tried using wine (which according to one or two sites on-line) should have worked, but no, garmin refused to play ball. I can happily mount the satnav as a removable drive on my linux desktop so copying maps (or even software) to the device should be easy.

Now this is more than just a little irritating. I have paid for a device with a “lifetime map update licence”. But I can’t update the maps without a PC running a particular OS. I’m pretty sure that garmin satnavs run a version of embedded linux so the company cannot pretend they have no linux expertise. Worse, they can produce a plugin for OSX machines (which is BSD based) but not something which is debian based.

Garmin, I am disappointed. And annoyed as hell.

Permanent link to this article: https://baldric.net/2012/05/13/disappointing-satnav/

Apr 24 2012

cheap?

Michal Zalewski (aka lcamtuf) has just announced that google is changing the terms of its vulnerability purchase program. The google announcement says:

Today, to celebrate the success of [the program] and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:

  • $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.

Interestingly, the earlier part of the announcement says that the existing program resulted in:

“over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals.”

So, depending upon how you do the arithmetic, over the last year google paid out around $590 per vulnerability, or around $2300 per researcher. Whatever your views on the merits or otherwise of paying for vulnerabilities, that strikes me as pretty cheap, in all senses of the word.

As an aside, I found it amusing that the first commenter on the google posting was one Andrew Wallace, who styles himself an “Independent Consultant”. Wallace has been making a nuisance of himself around various security related mail lists and web fora for a while now. He used to post as “n3td3v” or latterly, as “Andrew from n3td3v”. Back in July 2010, Wallace labelled the google researcher Tavis Ormandy a “cyber terrorist” following Ormandy’s rather public disclosure of a nasty vulnerability he believed Microsoft were trying to hide. Interested (or bored) readers are invited to search the ‘net for Andrew Wallace, n3td3v.

It is also worth recording that as a result of Ormandy’s (some may say “premature”) disclosure in June 2010, after an initial furious response from Mike Reavey, Head of MSRC, Microsoft went on to devise and publish a new “Coordinated Vulnerability Disclosure” policy (warning, MS docx format document) covering the disclosure of “zero day” vulnerabilities in other vendor’s products.

Permanent link to this article: https://baldric.net/2012/04/24/cheap/

Apr 18 2012

now switch it back on

Bugtraq can be an interesting list. Back in June 2008 I noted that one Craig Wright had posted an advisory about a vulnerability in an Oral B toothbrush. Well, just over a week ago a chap called Gabriel Menezes Nunes posted a proof of concept remote denial of service attack on a Sony Bravia television set. He had discovered that a packet flood attack to any port on his TV using the tool “hping” would cause a denial of service. In his post he says:

“After 35 seconds the TV stop working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

I can’t help thinking that using the normal remote control would have been easier.

Permanent link to this article: https://baldric.net/2012/04/18/now-switch-it-back-on/

Apr 18 2012

stallman likes sharing

The guardian’s series on internet freedoms (or otherwise) continues today with an article by Richard Stallman on the kindle and ebook publishing. Stallman makes a point I’d missed in my own commentary on the kindle when he says:

“Many other habits that readers are accustomed to are not allowed for ebooks. With the Amazon Kindle, for instance, you’re not allowed to buy a book anonymously. Kindle books are typically available from Amazon only, and Amazon doesn’t accept cash so users must identify themselves. Thus Amazon knows exactly which books each user has read. In a country like Britain, where you can be prosecuted for possessing a forbidden book, this is more than hypothetically Orwellian.”

One obvious way around this is not to buy ebooks from Amazon (or anyone else). The only books on my kindle are those out of copyright which I have downloaded from sites such as project gutenberg or other sites listed on portals such as ireaderreview. Of course you have to be careful that you do not add such books to your personal document archive or Amazon will helpfully copy and list them in your “kindle library”.

And I still haven’t really used my kindle except when on holiday.

(Note that Richard Stallman’s article is Copyright 2012 Richard Stallman under a Creative Commons Attribution Noderivatives 3.0 license)

Permanent link to this article: https://baldric.net/2012/04/18/stallman-likes-sharing/

Apr 17 2012

battle for the internet

This week the guardian, my newspaper of choice, is running a week long series of articles under the theme “battle for the internet“. The reporting looks set to be interesting and is due to cover the following themes: “the militarisation of cyberspace”, “the new walled gardens”, “IP wars”, “civilising the web”, “open resistance”, and (doomladen prophecy) “the end of privacy”. Personally I find the terms “cyberspace/cyberwar/cyberjihad/cyberwhatever” a horrible americanisation, but unfortunately the labels seem to have gained some traction even here in the UK. Whatever, it is at least refreshing that a mainstream newspaper (the guardian is mainstream, right?) should be taking a look at the issues rather than leaving it to the specialist press.

Yesterday’s reporting though was a hoot. The paper led with a front page article reporting an interview with Sergey Brin. Brin is reported to have said:

“there are very powerful forces that have lined up against the open internet on all sides and around the world”. and “I am more worried than I have been in the past, it’s scary.”

OK – I can see how there could be a number of possible threats to the continued existence of the sort of open and collaborative ‘net that I so admire. But the guardian article went on to say:

“The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy, and the rise of “restrictive” walled gardens such as Facebook and Apple, which tightly control what software can be released on their platforms.”

“He said he was most concerned by the efforts of countries such as China, Saudi Arabia and Iran to censor and restrict use of the internet, but warned that the rise of Facebook and Apple, which have their own proprietary platforms and control access to their users, risked stifling innovation and balkanising the web.”

and moreover

“There’s a lot to be lost,” he said. “For example, all the information in apps – that data is not crawlable by web crawlers. You can’t search it.””

So: along with restrictive regimes and an entertainment industry fighting to retain a lost business model, according to the world’s largest infringer of personal privacy, one of the biggest threats to the internet is the fact that apple and facebook won’t let google search the data they have gathered.

Is it just me? Or is this bonkers?

Permanent link to this article: https://baldric.net/2012/04/17/battle-for-the-internet/

Apr 16 2012

rockbox rocks

Some time ago my wife bought me a Sansa Sandisk Clip+ music player. When she asked me “what kind of MP3 player” I would like, I specifically specified the Clip+ because it could handle ogg vorbis encoded audio files. All my audio disks are encoded in this format. Picky I know, but there you go.

The version she bought me was the 8 GB Black which comes with (you guessed it) 8 GB of internal storage – sufficient for a fair number of audio tracks. But this version also has a microSDHC slot which will take a maximum of another 32 GB. That should enable me to carry most of my music collection (which currently runs to around 47 GB) if I cut out some of the obvious duplicates and exclude some of my more embarrassing ’70s choices. The device is small, neat and light and also has a pretty good battery life.

But Sansa have not been entirely honest in their advertising. Sure, the device will accept additional storage, but it is largely unusable. Once you get past around 6 or 7 GB on the internal storage and even as little as 3 or 4 GB on the additional card, the device is not capable of building its database of the collection. The symptom is pretty obvious. As soon as you disconnect the Clip+ from the USB connection used to transfer files (and incidentally to charge the device) the display shows “Refreshing your media” and a progress bar which slowly fills from left to right. If you only use the internal storage, there is no problem, but as soon as you get past the 3 or 4 GB additional store on the external card, the clip+ will sit there, refreshing away, for hour after hour if you let it.

Even after a firmware upgrade, the device wouldn’t do what it was supposed to, so I turned to the FLOSS community yet again. This time in the shape of rockbox.

Rockbox is a free, open source jukebox utility which runs on a wide variety of devices. The website provides detailed instructions on how to install and use rockbox and even comes with an installer for most operating systems so that you don’t have to get your hands dirty installing it manually. Most impressive of all however, is that the rockbox firmware can be installed alongside the original player’s firmware without danger of bricking the device. If you find that you don’t like rockbox (and what’s not to like about a free product that outperforms the paid for original?) you can still boot into the original firmware because rockbox provides a dual boot facility. And if you really don’t like it, then you can simply remove it and go back to using the original.

Thoroughly recommended.

Permanent link to this article: https://baldric.net/2012/04/16/rockbox-rocks/

Mar 31 2012

this video is private

I have just tried to (re)view a youtube video I last looked at a couple of weeks ago from a link that a friend sent me in an email. On clicking the link I got the message: “This video is private. If the owner of this video has granted you access, please log in.” On clicking the link, I was taken to a google sign in page.

I suppose I shouldn’t be surprised at that. After all, the new google privacy policy, which covers all of its “services”, is now in place. But I must admit it did piss me off more than a little. What next? Must I sign in to watch pingu with my grandson?

No google, I won’t sign in just to view a youtube video. But walling off bits of the ‘net may yet be your downfall.

Permanent link to this article: https://baldric.net/2012/03/31/this-video-is-private/

Mar 29 2012

that didn’t take long

My last post contained two (non-existent) email addresses in my baldric domain in the extract from my postfix logs. As I said in the post, I had edited the log entry specifically to mask real details. Yesterday, only four days after that post, I received spam email attempts at those addresses.

As I have said in the past, if you don’t want spam, don’t publish your email address.

Permanent link to this article: https://baldric.net/2012/03/29/that-didnt-take-long/

Mar 24 2012

android mail client is broken

In January of this year I wrote about t-mobile’s apparent policy of actively looking for and blocking any TLS-secured SMTP sessions over their network. At the time I believed this to be a cockup rather than a deliberate policy. I still prefer to believe that, but the episode left a rather sour taste in my mouth. So this month I took the opportunity presented by the end of my contract to shift to another provider. Of course, in doing so I gained a nice shiny new ‘phone which meant that I could spend a fun few hours setting it up the way I wanted it and nailing it down as much as possible so that it didn’t leak all my data to google. This is unnecessarily difficult, and much harder than it should be (and I know that people like Peter H will simply tell me that I shouldn’t be using an android ‘phone in the first place). But that is not the point of this post.

Like most people these days, I use my ‘phone to pick up email. The standard email client on my last ‘phone was pretty uninspiring so I used K-9 mail in its place. K-9 is a pretty good application, but it has a silly little bug in it which is still not sorted properly. This bug manifests itself in a rather odd, and unpredictable way – K-9 seems to “forget” the X509 certificate used to protect the authentication process if that certificate is self-signed, or otherwise not verifiable by an external CA. The cure, such as it is, is to simply refresh the certificate by reloading the account settings and accepting the cert when K-9 warns you that “TrustAnchor found but validation failed”. The length of time between accepting the cert and K-9 “forgetting” it again seemed random to me, so I got into the habit of refreshing my account settings whenever I noticed that I hadn’t received any mail for a while. Annoying, but not ultimately a deal breaker for using what was otherwise a pretty good application.

So, the first application I looked at on my new mobile was, of course, email. The default mail client on this new phone looks a lot slicker than the old one on my previous phone, but then it is a much newer ‘phone, from a different manufacturer and the android version is much newer too, so no real surprise there. The setup seemed to have no problem with my self signed certs so I thought I might stay with the default to see if it would solve my annoying little problem with K-9.

Unfortunately not.

Whilst I had no problem with incoming mail over my IMAPS connection, all attempts to send mail failed. On checking my server logs I found the following (real details changed or obfuscated):

Mar 20 20:45:57 pipe postfix/smtpd[7594]: NOQUEUE: reject: RCPT from home.baldric.net[12.34.56.78]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<null@baldric.net> to=<noone@baldric.net> proto=ESMTP helo=<localhost>

Aha! My postfix configuration is set up to reject hosts which do not have valid hostnames or do not announce themselves with fully qualified domain names (i.e. names of the form “host.domain”). Now since I use SASL authentication in my postfix configuration the fix is relatively easy; just ensure that the stanza “permit_sasl_authenticated” appears in both “smtpd_sender_restrictions” and “smtpd_helo_restrictions” before “reject_non_fqdn_hostname” – thusly:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

(In fact, this episode highlighted an error in my postfx configuration because my helo restriction was inadequate. By now checking the authentication before the helo restriction kicks in I am still well protected, but mail from valid authenticated users is permitted.)

I am in that (very) small minority of people who run their own mail servers and are able to change server side configurations. But, and this is a big but. I should not have to change the server side configuration to accommodate a broken client and the vast majority of people will not be able to do so anyway. Almost all well set up mail servers will reject mail where the client connection announces itself in the helo exchange as “localhost”. That is normally an indication of a spammer, indeed spamassassin will allocate a high score to any mail which is so flagged. This means that there will be a huge, and growing, number of people who cannot send mail from their android ‘phones.

If this is the default android mail behaviour, then google need to fix it now. Meanwhile, K-9 is looking attractive again.

Permanent link to this article: https://baldric.net/2012/03/24/android-mail-client-is-broken/

Mar 19 2012

unlinked

Today I received two (make that four now – must sort out my spam filters) phishing emails from a source new to me. Each email purported to come from “linkedin” and each invited me to login to respond to “invitations from your work colleague”. Since a) I have never been a member of linkedin, and b) am retired, the invitations immediately looked suspect, but the return address looked real at first sight. That is, until I looked more closely. The actual address used was linkedln.com (with a second letter “l”) rather than the correct linkedin.com.

Nice try.

Permanent link to this article: https://baldric.net/2012/03/19/unlinked/

Mar 14 2012

unplugged

A few days ago my sheevaplug died. Beyond the obvious lack of response either over the network or through the USB serial connection, the symptoms (single green LED rather than blue and green LED lit, ethernet LED light steady rather than flashing) were all consistent with a blown PSU.

This problem is well known and well documented on the Newit forum and the plugcomputer forum as well as plenty of other sites, so I was pretty confident in my diagnosis. The general consensus seems to be that the low quality components used by Globalscale in what is, after all, supposed to be a piece of development kit, coupled with its low power output, means that it can’t really cope with the demands placed upon it – particularly if you attach unpowered USB peripheral devices. Even so, I was pretty pissed off that it failed after only two years.

I use my plug as my NTP time source, network “apt-get” cache and local end point for my ssh proxy tunnel to tor. So it was quite important to me that I get it working again. Fortunately Newit now stock replacement PSUs. Mine arrived within a couple of days of order.

Newit have kindly placed a “howto fix your fscked plug” guide online. I found the process relatively easy, with the exception of replacing the new AC inlet plug back in the chassis. In the end I pushed hard and held my breath in case something snapped, but I got it in.

I have seen many pictures of the PSU on-line, but I confess I was pretty shocked at the completely amateurish look of the thing when I pulled mine out.


The picture above shows the PSU in its case as I pulled it out of the plug.



and this one shows the contents of the PSU when the case lid is removed. It looks like the sort of breadboard setup I last saw in a 1960s transistor radio built by my uncle. Certainly not of the quality I would expect from a major electronics company. Mind you, the new replacement unit (see below) is not /that/ much better.



This final picture shows the new PSU installed in what is actually the top half of the plug.


The plug is now back together, and to my relief it booted fine first time. But I’m now not at all confident that it will last. And since one of my earliest slugs is now becoming a little unstable, I’m looking for a replacement for both.

Permanent link to this article: https://baldric.net/2012/03/14/unplugged-2/

Mar 09 2012

steam locomotive

Most debian users will be familiar with the ASCII “moo” easter egg in apt-get.

I have just stumbled upon a more elaborate piece of ASCII art by one Professor Toyoda Masashi who wrote a joke program to reprimand those command line users who misspell “ls” as “sl” (it happens). I installed it on my desktop because my grandson loves “choo choos”.

Give it a try, it should be available in most distros. The animation is quite good.

And yes, I know I need to get out more.

Permanent link to this article: https://baldric.net/2012/03/09/steam-locomotive/

Mar 07 2012

iBomber Defence: Nuclear Option

Today’s G2 has a nice little article by Tim Dowling called “What’s on David Cameron’s iPad“. Dowling’s article says:

“David Cameron is about to take delivery of a specially programmed prime ministerial iPad, reportedly at a cost of £20,000 (3G contract not included). An iPad devotee already – he uses it to catch up on episodes of The Killing while travelling – Cameron will now be able to keep tabs on polling data, market fluctuations, unemployment figures, crime statistics and news feeds, all with the sweep of a finger across a special dashboard.”

Dowling goes on to list the applications he believes would be on the Prime Ministerial iPad. These include:

Nuclear Button

This secure application allows the PM to be in control of Britain’s nuclear arsenal at all times. For safety reasons, password must be at least eight characters long and contain both numbers and letters.

and

iBomber Defence: Nuclear Option

New game in which a world leader has just 12 hours to decide whether to launch a nuclear strike. Don’t worry – the icon is a totally different colour to the Nuclear Button.

Given what the iPad probably had to go through before Dave was let anywhere near it, I think £20,000 sounds pretty cheap.

Oh, and I quite like this little app….

rMail

A selection of hilarious private emails sent by UK citizens, delivered daily from GCHQ.

Permanent link to this article: https://baldric.net/2012/03/07/ibomber-defence-nuclear-option/

Mar 06 2012

banking stupidity

When I logged on to my new bank site this morning, I tried the “help” offered on the opening screen just to see what they had to say about the range of options available. I was not best pleased to be greeted by the message “Flash is not installed, is not enabled or is not up to date” together with a nice big button marked “Get Adobe Flash Player”. No – I don’t think so.

Adobe products have an unfortunate history of critical vulnerabilities. Indeed, only a couple of weeks ago they released a patch for a critical vulnerability in Adobe Flash Player 11.1 and earlier for Windows, Macintosh, Linux and Solaris. It wasn’t the first, and it certainly won’t be the last. There are probably a whole bunch of zero days out there primed and ready for use.

I do not want to see flash on one of the most critical sites I use. And I have told my new bank exactly that. Watch this space.

Permanent link to this article: https://baldric.net/2012/03/06/banking-stupidity/

Mar 04 2012

am I kidding myself

I have recently moved my bank current and short term savings accounts. Partly this is a political statement in support of the move your money campaign, and partly because I feel that my money might actually be a bit safer (if only slightly) in a small UK Mutual than with the UK arm of a large Spanish Bank. However, my reason for mentioning this here is that the move gave me the opportunity to compare the on-line mechanisms of both my old and new providers and it also got me thinking again about the way I actually do my on-line banking.

As you would expect, I do all my on-line financial transactions from my linux desktop. Given the prevalence of sophisticated banking trojans (PDF file) such as ZeuS, I really don’t see how anyone could comfortably use a windows based machine, even one fully patched, with up to date virus protection and firewall in place. But I go further than just using my desktop, I actually only log on from a second desktop within a virtualbox VM. Further, the browser I use in that VM is as stripped of functionality as is possible (no addons, no plugins, defaults to block cookies etc.) and only ever connects to my bank(s) and no other sites. Unfortunately, the banks insist on cookies and javascript so I have to enable those selectively.

The thinking here is that my browser is the least secure (and probably most targeted) application on my desktop. So if I use a browser which I know has not connected to anything other than the two or three financial sites I trust, I should be relatively safe. Shouldn’t I? (OK, DNS poisoning could have redirected the browser to fake sites, but you get the drift I’m sure). And the best way to be sure that the browser I use is nailed down, and uncorrupted, is to run that browser from a separate machine. However, separate physical machines are expensive and it is tedious to have to fire up another box just to handle my banking when I could do it all from a VM.

But if my main desktop is already compromised (with say a key logger) how safe am I? One of the nice features of virtualbox is its ability to capture both the keyboard and the mouse automatically whenever the guest OS is in focus. For example, on starting a new guest OS, virtualbox says “You have the auto capture keyboard option turned on. This will cause the VM to automatically capture the keyboard every time the VM window is activated and make it unavailable to other applications running on your host machine.” So theoretically, all keypresses will be intercepted by virtualbox and will be invisible to the underlying host OS and its applications. But does this apply to a keylogger trojan already in the host OS? I guess that depends on the trojan and where within the complex stack of kernel, kernel modules, virtualbox and applications it actually hooks itself. But after revisiting and pondering upon my previous assumptions during the move of my accounts, I can’t help feeling that my (rather elaborate) security mechanisms are actually no more than a nice warm security blanket.

But they do make me feel safer…..

Permanent link to this article: https://baldric.net/2012/03/04/am-i-kidding-myself/

Mar 04 2012

wordpress 3.3.1 bug update

Addendum to previous post.

On further experimentation, the problem seems to be caused by a combination of graphene 1.6.1 and wordpress 3.3.1, not just 3.3.1 alone. I’ll post to the graphene support site to see if anyone else has seen this.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug-update/

Mar 04 2012

wordpress 3.3.1 bug?

As part of the move to the new site I also upgraded wordpress to the latest release (3.3.1). Unfortunately I found a small bug in that version so I have reverted to the earlier version.

The bug is odd, and not particularly problematic but irritating nonetheless. It prevents upload of media (such as is used in embedding images) and also loses the html editor toolbar – the “visual” toolbar remains unaffected. Oddly though, the bug only manifests itself in the edit of “pages” as opposed to “posts”.

I think I’ll wait until the next full point release (to 3.4) before trying again.

Permanent link to this article: https://baldric.net/2012/03/04/wordpress-3-3-1-bug/

Mar 01 2012

we’ve moved (again)

Back in September 2009 I moved trivia from its original home on a cheap shared web hosting platform to one of my first VMs at Bytemark. However, in that move I left the design relatively untouched. (Having sat through more than my fair share of tedious powerpoint presentations I’m a firm believer in the power of content over bling). That said, trivia was overdue for an update so I have taken the opportunity of a move to another new VM (again hosted at Bytemark, but on their whizzy new platform called BigV) to change trivia’s theme.

One of the major limitations of the old theme was the loss of all sidebar navigation options when moving away from the home page. This meant that anyone arriving at a trivia page from a link elsewhere would have no sense of the (ahem) full depth or range of content available here. The new theme solves that problem and also allows me a to add just a little more bling. I think I’ve been relatively restrained, though I particularly like the scrolling random selection of old posts across the top of the new home page. I may play around with some of the minor options available in the new theme, but the overall layout is likely to stay broadly as you now see it.

Let me know what you think.

Permanent link to this article: https://baldric.net/2012/03/01/weve-moved-again/

Feb 20 2012

HMG goes cloudy

The UK Cabinet Office has announced the winning bidders to supply IT goods and services to UK Government under its new framework contract called “G-Cloud”. The winners are listed on a new website called the CloudStore which, supposedly, allows HMG procurement specialists to search for the goods and services they want to purchase. The new framework is supposed to break the old cosy relationships in HMG procurement circles between the big suppliers and HMG Departments. Politics and personal prejudice aside, I think Francis Maude’s intentions in setting the new services framework is actually quite honourable. But, frankly, the results baffle me.

I picked “Infrastructure as a Service” as my first choice and the list I was presented with gave several suppliers for which the description said “The supplier did not provide a description of this service, please click on the link to find out about this service.”. Of course, clicking the link merely confirms what the description says – no info. So I tried a search for “open source software” on the IaaS page and got no results. I also got no results when similarly searching “Software as a Service”. Excuse me? Am I expected to believe that not one supplier of the 255 successful companies even mentions open source software in their offering of IaaS os SaaS? Has no-one heard of the LAMP stack?

I then widened the search to include any and all service by any and all provider and got just one result – for some company called “Cloud Cache and Archive Limited”. The description says:

“Cloud Cache And Archive Limited is a privately funded software company with development based in London. Cloud Cache and Archive provides a game changing solution to allow the rapid integration of legacy applications and databases; and the deployment of new enterprise services and Web 2.0 applications on the Cloud. The solution leverages “big data” technologies; a 100% open source software; and cloud native platforms to provide Agile Information Integration and Agile Information Management all based on a cloud native platform. The proven solution is designed for Governments and large commercial organizations.”

I’m sorry, but that is just marketing drivel. WTF does that actually mean? What solution? To what problem? What is a “cloud native platform”? And how will this help a government procurement specialist (who, trust me, will not be an ICT specialist) choose a supplier?

Answers on a post card please.

Permanent link to this article: https://baldric.net/2012/02/20/hmg-goes-cloudy/

Feb 14 2012

Досвидания камрад?

From a peak of around 25,000 mail drops per month in the backscatter I was getting from the .ru domain to the non-existent address “info@baldric.net” I am now seeing virtually none. My logs show a distinct drop off from mid to late December last year to about 10-15 emails per day (when I had previously been seeing anywhere between 600 and 900 per day). Since then the trickle has slowed to a crawl. I now receive only a handful a week, with most days being completely clear.

I wonder where they have gone.

Permanent link to this article: https://baldric.net/2012/02/14/%d0%b4%d0%be%d1%81%d0%b2%d0%b8%d0%b4%d0%b0%d0%bd%d0%b8%d1%8f-%d0%ba%d0%b0%d0%bc%d1%80%d0%b0%d0%b4/

Feb 07 2012

perl programmer goes rabid

As a Guardian reader I find the Daily Mail distasteful and I would not normally refer to it in trivia. However, a friend of mine has just sent me a link to a random Daily Mail page generator which manages to lampoon the rag quite successfully.

image of spoof daily mail random page

Further investigation of the author’s blog reveals another random page generator which suggests he may have too much time on his hands.

Permanent link to this article: https://baldric.net/2012/02/07/perl-programmer-goes-rabid/

Jan 30 2012

tomorrow the world

A slightly breathless new post over at omgubuntu proudly boasts that the market share of Linux on the desktop jumped “from 0.96% in January 2011 to 1.41% by the year’s end.” (That could equally be be written as a close to 50% rise in Linux’ popularity). No doubt this will scare the pants off Steve Ballmer.

I can’t help being amused by the comments below this post which run like this:

1. Thanks to Unity!

2. Despite unity.

3. Despite unity & gnome shell.

4. Thanks to gnome & despite unity.

5. Thanks to Ubuntu.

6. Thanks to Linux Mint.

This sort of united, combined front in opposition to proprietary software is exactly what will drive free software to say, oh around 2% of the desktop.

Permanent link to this article: https://baldric.net/2012/01/30/tomorrow-the-world/

Jan 22 2012

moxie’s proxy

Moxie Marlinspike, a security researcher probably best known for his SSL proxy tool, likes google even less than I do. His googlesharing website says:

“Google thrives where privacy does not. If you’re like most internet users, Google knows more about you than you might be comfortable with. Whether you were logged in to a Google account or not, they know everything you’ve ever searched for, what search results you clicked on, what news you read, and every place you’ve ever gotten directions to. Most of the time, thanks to things like Google Analytics, they even know which websites you visited that you didn’t reach through Google. If you use Gmail, they know the content of every email you’ve ever sent or received, whether you’ve deleted it or not.

They know who your friends are, where you live, where you work, and where you spend your free time. They know about your health, your love life, and your political leanings. These days they are even branching out into collecting your realtime GPS location and your DNS lookups. In short, not only do they know a lot about what you’re doing, they also have significant insight into what you’re thinking.”

His solution to this problem was interesting. He came up with the idea of a proxy system which would intercept all google queries, strip off identifying material (such as cookies and UserAgent strings and other HTTP headers) substitute new identifiers and mix the requests up with those from other users before forwarding to google. Implementation depended upon a Firefox addon (nothing for other browsers) which identified google queries and forwarded them to the proxy. All other traffic was untouched.

image of googlesharing proxy

I stopped using google (except via scoogle) some time ago, and when Moxie’s new proxy first surfaced I thought it interesting but susceptible to the same problem I discussed in mid 2009 when writing about Hal Roberts’ experience of GIFC – all you are doing is shifting knowledge of your searches from google to a new intermediary. However, Moxie later addressed this problem with the release of version 0.20 of his addon so I thought I’d take another look at it. Unfortunately the addon won’t work with FF 9 (which I am using). Moxie’s proxy is not the only one out there however. Because he released the code under an open source licence, others have picked it up. I found one at gs.netsend.nl. They also provide an updated FF addon which will work with versions up to 15 (i.e. probably around next wednesday given the speed with which Mozilla is currently shipping new FF releases).

Once the addon is installed, it gives you two proxy options in the preferences settings – one is the original proxy.googlesharing.net, the other is gs.netsend.nl itself. In testing I found that the original googlesharing proxy seemed to be off-line, but when using the netsend.nl proxy I was reassured to see the message “Search results anonymized by GoogleSharing” added to the google homepage. I was even more reassured that my sniffer showed a connection to vps1101.pcextreme.nl on 31.21.98.201 and not to any known google network.

So, will I use it? Maybe. But the proxy mechanism seems to be unreliable. In many tests, the proxy connection seemed to be bypassed and the connection was obviously made direct to google (as evidenced by my sniffer). I think this failure is doubly unfortunate because it does not fail safe (i.e. the connection does not simply fail with an error message, it passes you direct through to google). This could lead the unwary to think that they are protected when in fact they are not.

I prefer not to use google at all. And in those cases where I do want to compare results with another search engine I prefer to do so via tor. But it is one more option in my toolkit if used carefully. And if using it pisses off google, then it is worth it occasionally.

Permanent link to this article: https://baldric.net/2012/01/22/moxies-proxy/