the next feature for a spy movie

September 16, 2006 | etbe

I have noticed that motion sensors on burglar alarms don’t detect small movements. Presumably they are also less effective at detecting small objects that move (otherwise they couldn’t be used if there were mice).

For an adult to move slowly enough to avoid detection by the typical cheap burglar alarms is quite difficult, and probably almost impossible to do reliably. For a small machine to move slowly enough that it’s combination of size and speed doesn’t get detected would be much easier.

So it should be possible to design a burglary robot that can open doors and crawl across the floor slowly enough that the alarms are not tripped. Such a robot could step over laser beams (which you always have in movies) much more easily than Catherine Zeta-Jones and then crawl up the wall to the motion sensor and disable it.

In a movie such a robot would probably be autonomous, but for constructing one in real-life 802.11 control would be the way to go.

If someone from Hollywood is reading my blog, please feel free to offer me an obscene amount of money for this idea. ;)

sendmail – the MTA for insecure systems

September 15, 2006 | etbe

Sendmail is the most prevalent Unix MTA. It is the oldest MTA and is still one of the most powerful ones that are available. However it has never been known for being secure.

http://lwn.net/Articles/176596/

Most of it’s bad reputation comes from regularly having serious security holes. The above URL has the most recent one. Neither Qmail nor Postfix has had a serious security issue. Dan and Wietse appear to have aggressively audited each other’s code in an attempt to find such a hole without success.

Sendmail was initially designed with a single process running as root which does everything. Any bug in that program and you lose. In recent times you have two processes, one of which doesn’t run as root. This alleviates the problem but doesn’t compare to the 10+ programs that may be run for different tasks on a Postfix or Qmail system, of which only two will have root access (the local delivery process and the master controlling process).

Another part of the Sendmail problem is the crufty old code. Exim has a similar design to Sendmail in terms of process duties, but has a much better security history due to being written more recently.

On many occasions over the last ~8 years I have had debates with Sendmail advocates regarding the security issues. The Sendmail advocates have consistently claimed that all the bugs are fixed now and Sendmail is only attacked because it’s popular. Given the track record it seems that it’s a bad idea to claim that the security flaws have all been fixed.

In regard to the popularity issue we have to keep in mind that fact that Windows has a much larger user-base than Linux. Any argument that you might make in favor of Sendmail over Postfix in terms of security flaws being a function of popularity is an argument in favor of Windows over Linux. I find it particularly amusing when BSD users claim that Sendmail only gets cracked because it’s popular. What does that say about the security of BSD given that BSD is much less popular than Linux?

On many occasions people have pointed out to me that you can run Sendmail as non-root. Almost 10 years ago I wrote a web page describing how to do this. Doing that has always been a hack, although it should work reasonably well for a machine that only runs Sendmail as an outbound relay.

Sendmail was a nice MTA in the early 90’s. But it’s time has passed. Let’s all upgrade to mail server software that doesn’t require regular security updates. Sendmail and Exchange belong in a software museum, not on the net.

mailing list culture

September 15, 2006 | etbe

There is currently a big debate in progress in Debian. I am not going to mention any specifics because too much of it has already been blogged (maybe in the same syndication in which you read my blog).

I think that the way things are going is more an illustration of the failings of mailing list culture than of failings of Debian. Maybe another mechanism would be more productive in leading towards a solution.

One option that occurred to me is debate via wiki. If each side had a wiki page that they could modify then in a small amount of time we should get a set of two main consensus opinions which would each be explained clearly and summarised well. Then with two options clearly expressed the people who have less strong opinions could decide which option they favor. For this to be a quick solution honorable behaviour would be required from all people involved, if people start trying to sabotage the other group’s wiki entries then it would significantly increase the time taken to achieve things.

Another possibility that occurred to me is debate via blog. The quality of blog postings is expected to be a lot higher than that of mailing list discussions as all posts are tied to the author’s public image. Writing content-free messages on a mailing list is easy, but every blog entry needs to stand on it’s own to a certain extent and anyone who writes flames in most of their blog entries will probably find that the readers like it less than the readers of a typical mailing list.

Maybe when an issue is recognised as highly contentious a few people could blog about it and then form groups to develop wikis to promote their views. A debate might start out with five or more different competing views, some of them would merge until there were only two main opinions being pushed. Then once the two remaining groups had sorted out their positions a vote would be easier to arrange.

What do you think?

IT companies and toxic waste

September 13, 2006 | etbe

Greenpeace has an interesting article about how IT companies rank in toxic waste problems.

Dell rates quite well, I feel happier about my recent purchase of a large Dell TFT monitor now. HP does reasonably well, that’s fortunate as the Green party in Victoria has recently purchased a HP server. But next time we discuss such things I will suggest that more consideration be given to Dell servers because of this issue.

Lenovo does really badly, I’m surprised because I would have expected IBM to do reasonably well and I didn’t think that Lenovo would make significant changes. From now on I will refrain from purchasing Lenovo products. I will still purchase second-hand IBM products, but nothing under the Lenovo brand until they clean up their act.

Also it’s worth noting that computers manufactured with toxic chemicals will outgas some of the chemicals into the local environment (IE your server room, bedroom, or wherever else you have computers). Avoiding the computers manufactured with toxic chemicals is not only good for the environment, but also good for your health!

blogging software

September 12, 2006 | etbe

Previously I asked for advice about running an Intranet blog, and running an Internet blog with hosting for friends.

In response to the question about running a small Intranet blog the recommendations were strongly for WordPress, with a mention of Ikiwiki as well. One of the features that I consider desirable is for software to be reasonably popular which means that support is often easier to obtain. So WordPress is my main candidate at this time for Intranet use. I’ll install WordPress and probably won’t try anything else unless WordPress fails in some significant way (which seems unlikely).

In response to my question about a blog server for serious blogging again WordPress was well recommended. There is also a version of WordPress in beta called WordPress MU that supports blog server operations such as wordpress.com. Although I didn’t mention it before I have had some ideas of starting my own server along such lines so WordPress again does well.

Over the next few weeks I will start playing with WordPress and WordPress MU. If things go well I’ll move my blog away from blogspot and to a domain I own in the near future.

C – the suit and tie of programming

September 11, 2006 | etbe

I was watching some music videos recently and was amazed by how badly dressed most performers were by today’s standards. As far as I can recall the only musician from the 80’s who still looks good in their videos is Robert Palmer, a suit and tie doesn’t go out of fashion.

I started thinking about what the computer equivalent to the suit and tie is. It’s something that never goes out of fashion and that is generally used for work. I came to the conclusion that C is the best fit. Think of languages such as VB and the .Net environment as being skivvies and high-waisted jeans.

C is not a perfect language, it is often difficult to manage text in C and LDAP programming is particularly painful (compared to Perl where it’s trivial). But then it’s quite inconvenient to wear a suit sometimes, you can sit on grass while wearing jeans but not in a suit.

Pictures of you wearing a suit will not look daggy by the standards of next decade, and C code that you write now will be better regarded than VB or whatever other fad language might be used.

what’s a good blog server for serious blogging?

September 10, 2006 | etbe

I’m getting sick of blogger. The main thing is that I’m simply not a user. Taking what someone else gives me and just putting up with any failings doesn’t suit me at all. I can deal with bugs in things I control (such as Linux distributions) because I can fix the bugs I consider important at any time.

So now I’m looking for a serious blogging program. WordPress was strongly recommended to me after my previous post on the topic of blogs, but that was in regard to a simple blog program for Intranet use. I am now after a blog program that is designed for Internet use, it must have good security, support multiple users (some of my friends will probably want to use my blog server machine), and not be overly difficult to customise (I am resigned to the fact that I will have to learn another programming language – probably re-learning PHP or Java as that is where web programming is at nowadays).

One thing that I want to do is to have the main web page that displays all recent posts display each post in a frame with a separate Adsense section. The topics of my posts vary a lot so I want to have adverts that match.

Another feature I want is to have multiple RSS feeds with different settings. One use for this is to have tags for each post to specify which channel(s) the post will end up on, another is for Adsense for feeds functionality which I want on for some feeds but off for others. I also want to generate multiple feeds for different syndication services. Ideally a syndication service such as Planet Debian or Planet Linux Australia would use a unique feed for sucking it’s own data and also have a unique feed address advertised on it’s site for the users (if this isn’t supported or desired at the syndication level then I can do tricks in the web server to serve different content for different IP addresses). That way I can track use by the different services, work around bugs in syndication services that matter to me, and change settings for post summaries, etc to suit the syndication service.

In terms of HTML editing I only need the most basic functionality. I would be entirely happy to write blog entries in raw HTML, my friends would probably desire line breaks to be converted to paragraph or break tags and basic linking functionality, but they could probably deal with entering bold and italic tags themselves (the few of my friends who couldn’t manage this would probably only want to write plain-text in paragraphs).

I also want to run my own syndication software. I guess I have to consider blog server and syndication server at the same time as there may be some dependencies (EG having them both written in the same language might be handy – I don’t want to re-learn BOTH Java and PHP). The syndication software would ideally automatically collect the feeds from other syndication services that I specify (although I’m sure I could write a simple Perl script to scrape them from the Planet web sites). Then I want to provide an RSS feed of that content for anyone who wants it.

Please let me know via email or comments if you have any suggestions about which software to use.

SE Linux is like a moat filled with sharks with laser attached head gear

September 9, 2006 | etbe

Here’s an interesting blog entry comparing SE Linux and AppArmor. It has some amusing comments, one of which I used for the title of this entry.

There are two things I don’t like about AppArmor. One is that it doesn’t label Inodes but instead bases it’s access control on file names. This means that renaming a file may change the access granted to it, and a file with multiple hard links may have different sets of access granted to each name. The hard link problem is a killer, imagine that name A grants execute access to the file and name B grants write access, therefore you have the ability to create an executable file.

The other thing I don’t like about AppArmor is that it’s goals are low. The current implementation of AppArmor can be compared to the SE Linux targeted policy. The difference is that AppArmor is currently achieving everything that it was designed to do while the targeted policy is intentionally providing less security features to give greater ease of use. There is a well defined transition path from targeted to strict, and from strict to MLS. There is no transition path from the current AppArmor implementation to something better.

Rumor has it that Suse have bought the rights to a MLS system and that they want to get LSPP certification. LSPP certification requires that access control be based on Inodes not file names (IE renaming a file may not change the access that is granted to it). It will be interesting to see how they integrate AppArmor and a MLS system.

communism and ticket “scalping”

September 8, 2006 | etbe

In the USSR the government fixed prices on all commodities, how desirable an item was merely determined the length of the queue not the price. Today in the same manner when purchasing tickets for concerts and sporting events the desirability of a ticket determines the length of the queue not the price.

It seems to me that the solution to the “scalping” problem that has recently been described in many newspapers is to have the companies that sell the tickets run a public auction. The current situation is denying fans the option of paying more money to guarantee a ticket, denying the musicians the best payment for their services, and not serving the best interests of anyone except the scalpers!

Internet auctions are easy to setup, ebay even has online store facilities that any merchant can use – it would be easy for any company that is running a concert to sell all the tickets at auction through ebay. People who don’t have the ability to access the Internet could pay an agent to bid for them so no-one would be excluded.

A well run ticket auction system would maximise revenue for the company selling the tickets and guarantee that fans can get tickets if they are prepared to pay enough. It would be best for everyone!

Some people with weird communist tendencies (the ones who want to emulate the least effective and useful aspects of the USSR) claim that the current ticket sales system (where all tickets are sold in 10 minutes to whoever queued for the longest time or phoned in at the right moment) allows poor people to purchase tickets at lower prices than an auction might deliver. What they fail to realise is that rich people pay others to queue for them, whether that is by paying scalpers who buy tickets in bulk or by paying one person to sit in a queue for them. There are people who are happy to sit in a queue for a few dollars per hour and people who pay them to stand in line.

Advice for speakers

September 7, 2006 | etbe

I am not an expert at public speaking. Attending Toastmasters to improve my speaking skills is on my todo list. However having given hundreds of talks over the course of about 14 years and being paid for giving talks (the minimum criteria to claim to be a professional speaker) I think I can offer some useful advice, at least in regard to giving talks for free sofware audiences. I will cover some really basic things in this post, so experience speakers will find some of them obvious.

The most important thing of course is to know your topic really well. You can skip every other piece of advice and still do reasonably well at any Linux Users Group meeting if you know your topic well enough. Of course if you want to talk at a conference then taking some of the following advice would be useful.

Record your talk, it is useful to review the recording to learn from mistakes. Don’t worry too much about saying “um” or other common speaking mistakes – it takes a lot of practice and effort to avoid such things. When recording your talk record it from the start of the introduction (you never know when the person introducing you will say something particularly flattering ;) until after you have left the podium. It’s not uncommon to have question time, to thank the audience for their attention after the questions, and to then have another round of 15 minutes of questions afterwards. The only time when you can confidently stop recording at the scheduled end of your talk is when there’s someone scheduled next.

For recording a talk an iRiver is a good device to use. An iRiver will create and play MP3 files, and it’s not particularly expensive nowadays. Apparently some of the newer iRivers are polluted by DRM, I haven’t verified this myself though.

After your talk review the MP3 you made as soon as possible. You will always find mistakes in such a review, don’t be concerned about minor ones (everyone makes small mistakes when on a podium, unless you are famous enough to get media interest a few small slips don’t matter). If you make a significant mistake or if you were unable to answer some questions then you can send email or make a blog post about it later. You probably won’t remember most of what happens during your talk so your recording is the only way to follow up on questions (if you tell someone in the audience to ask you a hard question via email they won’t do it).

Summarise all questions during the Q/A part of the talk. This means that everyone in the audience will know what was asked, and also your recording of the talk will have a copy (usually an iRiver mic doesn’t cover the audience).

Before giving a talk learn as much about the audience as possible, and feel free to ask for advice from people who know something about the audience and people who are experts on the topic. The most important thing to learn is the expected skill level of the audience including the range of skills. Often when giving a talk about a technical topic it’s impossible to make all people in the audience happy. You will have a choice between making things too simple and boring the most experienced people or explaining the technical details and having the less experienced people be unable to understand. Sometimes due to the combination of topic and audience you will get 10% of the audience walk out regardless of which choice you make. You can’t please everyone.

Caffeine can help you stay alert enough for a talk. In email and even in IRC there is time to stop and think. When giving a lecture to an audience answers are expected immediately. In the space of about 5 seconds you want to compose an answer for any question that gets thrown at you or determine that it’s something that needs more consideration and has to be answered via email.

One of the problems you face when giving a talk is going through the material too quickly because of being nervous. If you feel that happening to you then drinking some water or your favourite fizzy drink is a socially acceptable way of taking a few seconds to compose yourself. Asking for questions from the audience is another way of getting a talk back on track if you have started going through the material too fast. Also if you are in the audience and observe this happening then try and interject some questions to get things back on track, it doesn’t matter what the questions are, ask lame questions if necessary, anything to stop the talk from finishing too soon. I was once in the audience for a talk that was scheduled for 60 minutes and ended up taking about 5, it finished before I could even think of a question to ask. :(

I find that questions help to estimate how well the audience is following the presentation, and I prefer to take questions during my talk. Some people prefer to give a talk to a silent room and then take questions at the end. I think that preferences in that regard are determined by whether your speaking experience is based in universities that strictly enforce a code of conduct for lectures, or whether your speaking experience is based in LUGs where heckling from the audience is common.

Go to the toilet before giving a talk. Speaking for an audience is stressful and you never know when you might feel more nervous than usual. If consuming a caffeinated drink then you will have even more reason to go to the toilet before the talk. This is not a joke!

Having a copy of your presentation notes on a USB device (preferrably in multiple formats) is handy. It’s also convenient to have the device formatted with the VFAT filesystem. One time I had a lot of hassle from a Linux conference (that I won’t identify) due to the fact that the organizers only used Linux for servers. They wanted to print my lecture notes for all members of the audience and were unable to get a Windows machine to read my ext3 formatted USB device and then had problems with the OpenOffice file.

All my advice in this post is based on personal experience. Don’t feel afraid about public speaking because of these things. Everyone makes mistakes when starting out and even experienced speakers have talks go wrong on occasion. Also keep in mind that a talk which seems to have failed when you are on the podium might get great reviews from the audience. The aim of a technical lecture is to impart information about the technology, you can achieve that aim even if you make some mistakes in the presentation.

PS Please give talks for your local LUG. They need speakers and it’s a good way of gaining speaking experience in a friendly environment. Remember, they heckle you because they like you. ;)

etbe – Russell Coker

Linux, politics, and other interesting things