I have to go back into hospital tomorrow. Fluid has built up around my right lung (the second one to be operated on) and I've been short of breath and coughing. An X-ray today revealed the problem, and they have to drain it using a catheter. It's a local anaesthetic job, but I'll be in over the weekend.
See you all when I get out :-)
My latest article for The Times Online, called "Chip and SPIN", points out that the much-trumpeted switchover to using PINs rather than signatures for plastic card transactions in the UK may not have been as consumer-beneficial as the banks would like us to believe.
Since it was published, someone has emailed me the following additional information:
Here is an extremely cool way of looking at websites - it turns the HTML code tree into a graph, with nodes coloured according to tag type, and then lays them out in an aesthetically-pleasing manner. And, of course, modern clean HTML looks much nicer than old crufty table-based tag soup.
The applet which generates them is also online (requires Java). Put your favourite URLs into it, and post any here which make particularly beautiful pictures.
About nine months ago I remarked that it would be rather cool to track the performance of stocks recommended in spam. It seems that someone has beaten me to it - spamstocktracker.com ran throughout May and June of this year. He bought 37 stocks, of which only three were up at the end of the period, by 4%, 8% and 124% (hey, there's occasionally a good apple in the barrel. These are real companies, after all). His total loss was 45% - which isn't bad, I'd have actually expected worse.
Everyone knows that you can't use the literal text "</script>" inside a <script> block, because the web browser will interpret it as the end of the block. But do you understand why it was designed that way, or do you think it is just a bug that no-one has got around to fixing yet?
Raymond Chen has the lowdown.
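The parsing rule described above, as an added example (not from the original post or from Raymond Chen's article): the HTML parser ends a script block at the first literal `</script`, knowing nothing about JavaScript string syntax, so data embedded in an inline script has to be escaped. The function names and the sample string are constructed for illustration.

```javascript
// Added example. Simplified model of how an HTML parser finds the end of a
// <script> block: it scans for the literal end tag and ignores JS syntax.
// (Real parsers also have special handling for "<!--"; omitted here.)
function scriptBlockContent(html) {
  const open = /<script\b[^>]*>/i.exec(html);
  if (!open) return null;
  const start = open.index + open[0].length;
  const close = /<\/script[\s/>]/i.exec(html.slice(start));
  return close ? html.slice(start, start + close.index) : html.slice(start);
}

// Serialize a value for an inline script so that no "<" survives in the
// output; "\u003c" is a valid escape in both JSON and JavaScript strings.
function safeInlineJson(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Naive embedding: the string literal is written out unescaped.
function renderNaive(v) {
  return "<script>var c = " + JSON.stringify(v) + ";</script>";
}

// Hardened embedding: same page structure, escaped payload.
function renderSafe(v) {
  return "<script>var c = " + safeInlineJson(v) + ";</script>";
}

// Constructed sample: a user-supplied string that contains the end tag.
const comment = "nice post</script><b>injected markup</b>";

// Naive: the block ends inside the string literal, leaving a broken script
// and the rest of the string parsed as page markup.
console.log(scriptBlockContent(renderNaive(comment)));
// Safe: the block runs to the real end tag and the value round-trips.
console.log(scriptBlockContent(renderSafe(comment)));
```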
Microsoft's Global Phishing Enforcement Initiative (GPEI), a crack team of sharp-fanged lawyers, has just managed to get a phisher convicted, imprisoned, and heftily fined.
<applause>
Let's give credit where credit is due, and hope this is the first of many.
Yngve has an interesting post about how to deal with the problem of banks etc. doing login by submitting from an insecure to a secure page.
The aim is not to protect each user's form submission when using the broken page; the aim must be to get the bank to fix the site. So we need to change the browser to inconvenience the bank's customers enough that they complain to the bank, but not enough that they try and change browsers to one which does not have this "feature". In other words, we need to carefully tune the level of user irritation ;-)
So how can you inconvenience the users? One option is Yngve's popup on submission; make the users press a big button marked "Submit Insecure Data". That should cause a few panicky calls to the bank's tech support line. Another option would be to delay the rendering of the next page by five seconds or so, while displaying some sort of warning in the blank space; banks like their sites to be snappy, and they don't like worried customers.
If we are going to make browser changes, we'd need to do it in a synced up fashion, so people didn't simply reduce their security by switching browser provider.
One last option would be to sponsor a 3rd party "major banks security assessment", which took in details like this, the format of emails they sent out, whether they used third parties for email delivery, and so on. Publicise the results, and try and shame the lagging banks into compliance.
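The condition such a browser change would have to detect, as an added example (not code from the post, from Yngve, or from any browser): a password form delivered over plain HTTP whose action points at HTTPS. The function names and the bank.example URLs are constructed for illustration.

```javascript
// Added example. Classifies a form by where it was served from and where
// it submits to, resolving the action the way a browser would.
function classifyLoginForm(pageUrl, action) {
  const page = new URL(pageUrl);
  // A missing or empty action submits back to the page's own URL;
  // relative actions resolve against the page URL.
  const target = new URL(action || pageUrl, pageUrl);
  const pageSecure = page.protocol === "https:";
  const targetSecure = target.protocol === "https:";
  if (pageSecure && targetSecure) return "ok";
  if (!targetSecure) return "insecure-target";
  // The case from the post: the submission itself is encrypted, but the
  // page carrying the form arrived without integrity protection, so the
  // user cannot verify where the form really posts before typing.
  return "insecure-page-secure-target";
}

// Return the forms a browser would interrupt on submit: only those that
// carry a password field and are not fully served and submitted over HTTPS.
function formsToWarnAbout(forms) {
  return forms
    .filter((f) => f.hasPasswordField)
    .map((f) => ({ ...f, verdict: classifyLoginForm(f.pageUrl, f.action) }))
    .filter((f) => f.verdict !== "ok");
}

// Constructed sample forms (not taken from any real site).
const sampleForms = [
  { pageUrl: "http://bank.example/", action: "https://secure.bank.example/login", hasPasswordField: true },
  { pageUrl: "https://bank.example/login", action: "/session", hasPasswordField: true },
  { pageUrl: "http://bank.example/login", action: "session", hasPasswordField: true },
  { pageUrl: "http://bank.example/search", action: "", hasPasswordField: false },
];

for (const f of formsToWarnAbout(sampleForms)) {
  console.log(f.verdict, f.pageUrl, "->", f.action);
}
```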
Readers of my blog may already be bored of the subject, but my latest Times article, "the late '98", is about Microsoft's imminent withdrawal of support for the Windows 9x line of OSes.
As always, gentle taps with a cluestick are welcomed.
I'm sure you can all name someone with each one of the four maladies...
My contributions:
Can anyone think of any more?
I've always liked Jamie Zawinski's XMatrix screensaver, so when I updated to Ubuntu Dapper Drake on my laptop, and found that it had reset to "random", I went looking for it. It wasn't there; instead, I had a choice of "GLMatrix", a 3D version, or "MatrixView". I opted for the latter,
Sadly, it doesn't have the configuration options of the previous version, but it does have one new feature. It fades silhouettes in and out as the strange characters fall from the top of the screen. Mostly it's stills from the movie or other head shots, but one of the images just says "KNOPPIX.RU" in big letters! :-)
I asked:
Why shouldn't we intentionally disable Windows 9x support in that release [Firefox 2] as well, even if it's not necessary for technical reasons?
And people came up with several good reasons why we shouldn't :-) Among them:
So... how about the Firefox start page warns them that they are using an insecure and end-of-lifed OS? Or should we adopt the attitude that it's not our problem?
More quotations from recent reading. This is from "Don't Waste Your Life", by John Piper. It's the quotation he quotes which is the particularly interesting and telling point. It refers to America, but the same could also be said of the UK.
Television is one of the greatest life-wasters of the modern age. And, of course, the Internet is running to catch up, and may have caught up. You can be more selective on the Internet, but you can also select worse things with only the Judge of the universe watching. TV still reigns as the great life-waster. The main problem with TV is not how much smut is available, though that is a problem. Just the ads are enough to sow fertile seeds of greed and lust, no matter what program you’re watching. The greater problem is banality. A mind fed daily on TV diminishes. Your mind was made to know and love God. Its facility for this great calling is ruined by excessive TV. The content is so trivial and so shallow that the capacity of the mind to think worthy thoughts withers, and the capacity of the heart to feel deep emotions shrivels. Neil Postman shows why. "What is happening in America is that television is transforming all serious public business into junk... Television disdains exposition, which is serious, sequential, rational, and complex. It offers instead a mode of discourse in which everything is accessible, simplistic, concrete, and above all, entertaining. As a result, America is the world’s first culture in jeopardy of amusing itself to death."
The entire book is available free online.
Google has released a new cross-platform Firefox extension - Google Browser Sync. Basically it allows you to use one profile on multiple computers, with changes automatically synced up.
Netscape 4.x had roaming profile support. The relevant Bugzilla bug to reimplement it was bug 124029, which was fixed by Ben Bucksch back in 2004, with bug fixes up to late 2005. There's even a Bugzilla component to track bugs in the implementation. I don't know if the capability is built into Firefox, or if it still works. As far as I can tell, it seems to be SeaMonkey only.
The features and function look really cool - the only sad thing is that Google Sync is not free software. :-( So I can't hack on it, or read the code to see if they are actually sending my "PIN" (the thing with numbers and letters that everyone else in the world calls a password, and which encrypts my stored information) to their servers, or set up my own server if I don't trust them. So I'm not sure yet as to whether I'll install it. Perhaps the release will inspire someone in the community to revive a free version.
There seems to still be ongoing discussion about the fact that the versions of Firefox 3 released by the Mozilla Project in 2007 will not support the Windows 9x family of operating systems.
To my mind, arguments about the exact market share of Windows 98, and the comparative release dates of the various OSes we support are irrelevant. The key point is that after July 11th, 2006, Microsoft will no longer be providing even critical security updates for any of the Win 9x family. And, because it's a proprietary operating system, no-one else can do so either.
I argue that continuing to support these operating systems in a browser or other Internet-facing product after vendor security support ceases is actually irresponsible, because it gives users the idea that they can continue to safely use those operating systems for surfing the Internet.
July 11th 2006 will be, if all goes to plan, around the time of the final release of Firefox 2. So if we have a strong commitment to the security of our users, why shouldn't we intentionally disable Windows 9x support in that release as well, even if it's not necessary for technical reasons?
I just got emailed by someone I'd never heard of; I replied. However, their mailbox is "protected" by ChoiceMail, and so I got back a verification challenge. However, Thunderbird marked it as junk mail so I nearly missed it. Had I done so, after four days my carefully-written email would have been sent to the bit-bucket and neither side would ever have known.
My beef: these systems suck. But, if companies must offer them, why can't they make them suck less by also offering an (authenticated) SMTP server which the customer could use? Then, when the communication was initiated by their customer, they could automatically add the recipient to the whitelist.
That would cut down the irritating "please authenticate yourself" email to the situations where the other party initiates contact - which, for an average random person, is probably about 50% of the time. And those 50% of cases are those where the other party is more motivated to jump through hoops - because they had a desire to start a conversation in the first place.
Even more smartly, if they find two ChoicePoint customers whitelisting each other, thereby establishing a simple trust network, then their whitelists could be merged. So if A writes to B, "email my mate C", and all are ChoicePoint users, there's no challenge email, because B is on A's whitelist, and A and C's whitelists are merged because they email each other.
Something fun for the weekend... In June 2004, I coined the neologism "antiheteronymerick", for a limerick containing one or more rhyming words that are spelled differently to particular other words but have the same pronunciation and meaning. (Read one and you'll see what I mean.)
I've finally got around to gathering the ones I know about together in a web page. Additions welcome :-)
While in hospital, I attempted to read "The Gagging of God - Christianity confronts pluralism" by Don Carson, where pluralism in this context is
the stance that any notion that a particular ideological or religious claim is intrinsically superior to another is necessarily wrong.
To be honest, I gave up - I found it extremely tough going. However, buried on page 415, I did discover a gem of a footnote. In the context of a discussion about democracy, Carson says:
[T]houghtful Christians can never assign to democracy the same sort of value that a secularist might. Democracy for us can never be an ultimate good...The primary reason why Christians will want to support democracy is because in a fallen world it is usually* the best way to ensure long-lived freedom, dignity for the individual human being (who is, after all, God's image-bearer), forms of legislative and judicial redress, equitable taxation (or at least the means of reforming the system now and then) and above all freedoms of conscience and of speech.
And the footnote is:
* I say "usually" because the sad record of imposed democracies shows that when there is little heritage of freedom, little access to information and opportunity for open discussion and free debate, little experience at compromise and respect for law, little loyalty to promulgated constitutions, and deep tribal loyalties, democracies quickly break down, sometimes in barbaric, catastrophic fashion.
That was written in 1996.
My latest article for the Times Online is titled "Why software can't bridge the gaps". It talks about why we don't build software the same way we build civil engineering projects like bridges.
[So, it seems that when you put something into Post Status: Scheduled in Movable Type, despite the fact that it puts a big yellow box around the "Authored On" date, and despite the fact that the icon in the entry list is now a little clock, it doesn't actually post the darn thing when the time arrives. Grr. Please pretend this appeared a week ago. I'm out now, and recovering; more from me as and when.]
I'll be away for the next couple of weeks, as I go into hospital today for the second of my two lung operations. As an experiment, I'm going to leave blog comments on and see if I can fight off the spammers on my return.
I'm starting to amass a collection of words which aren't so commonly applied to God or his attributes, and when they are they make you think about him in a slightly new way. The first is "detailed", as applied to his sovereignty - which reminds you that he's in control of absolutely everything. The second is "precise", which reminds you that he carefully engineers events in exactly the way he wants. Today, I think I'll also add "consistent". Given how he's supported me through the last operation, his consistency makes me absolutely confident that he'll do so again. Give praise to the wonderfully consistent, precise God who exercises detailed, loving sovereignty over my life!
Look for another Times article in the next day or two. Search their site for Gerv; that usually turns them up :-)