I'm off to spend a week on one of a convoy of four narrowboats (some pictures for those who don't know what one of those is) teaching some young people about Jesus and generally having a good time.
Normal service will be resumed briefly on Monday 7th of August; after that, I have to go into hospital again to remove a new lump they've found in my neck. Not such a big operation, but they may suggest radiotherapy this time, which would be both nasty and horribly inconvenient.
Greg Stein announced at OSCON earlier today that Google are going to be doing free software project hosting. They'll supply a Subversion repository, backed by their Bigtable storage engine (rather than BDB or FSFS) plus a new, simplified bug tracker which uses good search and tagging as a substitute for having lots of fields, and of course a clean, AJAX-y interface. No further details yet...
IE implements a non-standard feature called HTTPOnly, which allows cookies to be set such that they are only sent back to the webserver, and are not available via JS. This mitigates cookie stealing using XSS.
Firefox hasn't got it yet; we're a bit held up by our legacy cookie "database" format, cookies.txt. However, Stefano Di Paola has come up with a way to implement the same feature, using the hackability of the Firefox JS engine.
Put the following line of code at the top of the first bit of JavaScript your page runs:
HTMLDocument.prototype.__defineGetter__("cookie", function () { return null; });
and, as long as the XSS injection hole is further down the page, cookie access from script will be impossible.
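Here is an added example (not from the post or from Stefano Di Paola) showing what that one-liner does and where its limit lies. It runs in Node rather than a browser, so the HTMLDocument class, its cookie accessor and the sample cookie value "session=abc123" are all constructed stand-ins for the real DOM; the getter override itself is the line quoted above. The three scenarios show the intended case (guard runs first, a later read gets null), the failure mode the post warns about (a read that runs before the guard still sees the cookie), and the fact that only the getter is replaced, so the page's own scripts can still set cookies.

```javascript
// Added example: a stand-in for the browser document so the getter override
// from the post can be exercised in Node. HTMLDocument here is constructed
// for the example and is not the real DOM class.

// Build a fresh stand-in class per scenario so the prototype patch applied in
// one scenario does not leak into the others.
function makeDocumentClass() {
  class HTMLDocument {
    constructor() {
      this._jar = ["session=abc123"]; // constructed sample cookie
    }
    get cookie() { return this._jar.join("; "); }
    set cookie(value) { this._jar.push(value); }
  }
  return HTMLDocument;
}

// The post's one-liner, parameterised on the class so it can be applied to
// each stand-in. Only the getter is redefined; the setter is left in place.
function installCookieGuard(DocClass) {
  DocClass.prototype.__defineGetter__("cookie", function () { return null; });
}

// Scenario A: the guard is the first script on the page and the injected
// read happens further down, which is the case the post describes.
function readAfterGuard() {
  const HTMLDocument = makeDocumentClass();
  const document = new HTMLDocument();
  installCookieGuard(HTMLDocument);
  return document.cookie; // null: the prototype getter now shadows the real one
}

// Scenario B: the injection hole sits above the guard, so the read runs
// before the override is installed and the cookie value is still visible.
function readBeforeGuard() {
  const HTMLDocument = makeDocumentClass();
  const document = new HTMLDocument();
  const seenByEarlyScript = document.cookie;
  installCookieGuard(HTMLDocument);
  return seenByEarlyScript; // "session=abc123"
}

// Scenario C: writes are unaffected, because __defineGetter__ only replaces
// the get half of the accessor, so the page's own code can still set cookies.
function writeStillWorks() {
  const HTMLDocument = makeDocumentClass();
  const document = new HTMLDocument();
  installCookieGuard(HTMLDocument);
  document.cookie = "pref=dark";
  return {
    readBack: document.cookie,          // still null for any script
    stored: document._jar.join("; "),   // "session=abc123; pref=dark"
    setterKept: typeof Object.getOwnPropertyDescriptor(
      HTMLDocument.prototype, "cookie").set === "function",
  };
}

console.log("after guard:", readAfterGuard());
console.log("before guard:", readBeforeGuard());
console.log("write:", writeStillWorks());
```

The ordering shown in scenario B is the whole caveat: the override only protects reads that are evaluated after it, so it has to be the very first script the page runs, and any injection point that precedes it (or any script served from a document whose prototype was not patched) is untouched by it.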
As I was sitting in Denny's this morning, eating approximately one half of my American-sized breakfast, two adjacent leaders in The Oregonian caught my eye.
The first was against Bush's decision not to fund stem cell research.
He opposes federally financed research on stem cells obtained from embryos discarded by fertility clinics, insisting it's the same as taking human lives. That may be Bush's personal religious conviction, but it isn't shared by most Americans. Polls show broad support for such research, including up to 70% of Republicans in some surveys.
Summary: public opinion is for this measure, so why doesn't Bush listen?
The second, next to it, was against the Oregon Supreme Court's decision not to permit gay marriage.
And polls suggest that Americans increasingly share that dream [of a "just society"]. There is growing support for civil unions, growing support for equal treatment of gays and lesbians, and growing support even for same-sex marriage. It takes longer to convince people one by one, and to convince state legislatures as well.
Summary: public opinion is against this measure; but we'd like the state legislature to ignore that.
A bit late, but I don't think we ever officially announced this... Here's the list of projects and people accepted for the Google Summer of Code 2006 by the Mozilla Foundation.
I'm surprised and pleased to be able to tell you that last night, here at OSCON, I was given the 2006 Google-O'Reilly Open Source Award for Best Community Activist. :-) I now have a rather beautiful transparent multi-coloured perspex sculpture to put on my mantlepiece at home.
Thank you very much to both Google and O'Reilly.
Update: here's a nice photo of my award, taken by James Duncan Davidson for O'Reilly Media.
A friend of mine is learning Greek before he goes to theological college, and is getting in a mess over fonts. He keeps finding that if he copies and pastes some Greek, it magically turns into transliterated Latin letters. Guess what? It's the Symbol font problem again.
It's 4.30am and I'm awake and jet-lagged so, to help him out, and anyone else who doesn't have Symbol installed but may want to read some text written to require it, I've written the Desymbolizer. You paste some text designed for Symbol into the text box, and it gives it back to you as the correct Unicode codepoints (encoded as HTML numeric entities).
You can try it out with text from greekbible.com.
RMS has picked up the second point of my GPL v3 draft 1 comments (yes, I'm sure a lot of other people made it too), and it will now be permissible to allow source download for binaries distributed on physical media.
However, we're now considering a major change in this policy. The coming draft of GPL version 3 will propose a new alternative allowing, for the first time, distribution of binaries on physical media and providing the source code over the network. This will require a commitment to keep the corresponding source code version available on a network server for three years.
Wahey :-)
I'll be at LUGRadio Live in Wolverhampton this weekend, giving a talk on "How To Destroy The Free Software Movement". Be there if you can; last year's event was excellent and this year's promises to be even better.
A FUSE loopback filesystem with COW semantics for hard links that could be used with a tweaked SVN client to remove the 2x disk space penalty you pay for keeping a pristine copy of everything and being able to do local diff?
Or a digibox which detected the "ad break beginning"/"ad break ending" signals that British channels send out for VCRs to use, and blanked the screen during the ads?
Or a law which said that patents were non-transferable? So that if a particular company or person invented something, they would be the only ones ever who could licence it, or sue for infringement? This would make patents more likely to be used to protect innovation and far less like a tradeable asset which let you sue your competitors.
It seems that, unless I've misunderstood the situation, more than a month after release Ubuntu 6.06 "Long Term Support" Dapper Drake still can't sync with any form of Palm Pilot over USB due to a kernel bug. And I haven't seen any activity which suggests this situation might change any time soon. Are they planning to leave this device class long term unsupported, then?
My Treo 600 coordinates my life, so when it died (an unfortunate incident involving leaving a charger in a hotel room in Amsterdam, and trying to jerry-rig a temporary one; the sort of thing that could happen to anyone) I bought a new one and had to restore a backup ASAP using jpilot. But, having upgraded both my machines to Dapper a day or two before, I just couldn't get it to sync.
Fortunately, my flatmate's old machine hadn't yet been upgraded, and I copied the backup over and restored it from his machine. But I could have been completely stuffed.
I just sent the following email to Nominet, the UK domain registration authority:
Dear Nominet,
Today I received two "Confirmation of Registration" letters from you - one for a recently-registered domain, and one for a renewal. These had the "secure" PIN mailers in the bottom right hand corner, which are supposed to assure me that, if they have not been tampered with, no-one else knows the PIN to manage my domain.
You will be unhappy to hear that I was able to read the PINs from these PIN mailers in about 45 seconds using nothing more than a bright light at an oblique angle, and without tampering with them or peeling them back in any way. If you want to try this yourself, I can tell you that closing one eye helps.
This type of problem with PIN mailer technology was highlighted back in 2005 by Mike Bond and his research team at the University of Cambridge, who published a report (PDF). This was covered in the news at the time.
Unless your PIN protection is snake oil security, I hope you will consider upgrading it to a version which addresses the technical shortcomings outlined in the Bond paper.
Yours,
Gervase Markham
I read the Bond paper a few weeks ago; when the Nominet letters arrived I decided to try it - and it really works! Next time you get a PIN mailed to you with one of these things, give it a go. Find a nice bright point light source, shine it on the paper from a very shallow angle, and look with one eye from the equal angle on the other side.
There are a few unsatisfactory things about the way licensing and credit information is presented in Firefox and Thunderbird (for Thunderbird, the first being that you can't actually view the licensing information!). The UnifiedLicensingPlan attempts to fix this. Comments welcome, here or in the wiki's Discussion page.
More great data visualisation stuff. Imagine taking a map of the world, and having each country as a balloon. Then, inflate or deflate the balloon until the relative areas of the countries represent some statistic about them. You get a wonderful graphical representation of that data set which is much easier to understand than a long column of figures.
Here's the base site - some researchers at the University of Sheffield. Some pictures that I found particularly interesting were:
They are issuing new pictures regularly. There is some source code available for a related program implementing the same algorithm; however, there's no licence to modify. :-|
Today, boys and girls, we are going to learn some tricks to writing good propaganda, using the following example, printed in the Independent newspaper on the 29th of June 2006:

See how the example talks about a 74% increase in "homophobic incidents", but then goes on to talk about "abuse" and "assault", thereby subtly equating the two - whereas no definition of what constitutes a homophobic incident is actually given. The large blood stain in the picture also helps to lead the reader into believing that what has risen by 74% is the number of violent physical assaults.
The Gay Police Association exists to help gay people in the police service. They have no official role in collecting statistics about anything. However, the reader is not to know this - having them presented by an organisation with the word "Police Association" in the title gives the impression that these are official or government statistics.
One person's homophobic incident is another person's verbal expression of religious conviction. If you get to control the definitions, you can make the statistics much more impressive. If someone politely says they think that homosexual practice is morally wrong, you can easily class that as a "homophobic incident". Also, a usefully wide definition of "religious belief" can include white supremacists and neo-Nazis, who often mix a bit of pseudo-religion with their hatred.
Make sure that your allies are "men and women", whereas those you are attacking are "perpetrators" and "criminals". (Even if they aren't; see "Move The Goalposts", above.)
Christians have historically complained less about propaganda denigrating their beliefs than Muslims, who have a tendency to get rather angry (remember those cartoons?). Hence the wise use of a Bible, and a Christian quotation for the headline, rather than a Quran, even though the advert talks about generic "religious belief".
Using techniques like the above, you can lead your readers into thinking that there is an epidemic of Bible-wielding Christians violently assaulting gays while screaming verbal abuse, when in fact they've just discovered a few more elderly couples running Bed and Breakfasts who refuse to let a double room to two men in a civil partnership. Result!
[I should point out that Christianity teaches a) that any sexual practice outside of a marriage between a man and a woman is morally wrong, and b) that physical assault of anyone is equally wrong. For the hard of thinking: the purpose of this article is not to support assaults on gay people.]
The "creative" film industry stretches its cold, dead hand over some more derivative works. Various companies who edited DVDs to remove content their customers didn't like - and then swapped the original DVD for a burn of the edited version - have been told that it's illegal to do so. And it probably is - they are burning copies of copyrighted content.
That's OK, though - they can just write their own DVD player which implements a simple Edit Decision List file format. The customer plays the original DVD, and the software obeys the EDL file and seamlessly removes or reorders video and audio to provide a family-friendly experience. No copyright infringement there.
But hang on, no they can't, because you can only write software to play a DVD if Hollywood says so, as it controls the issuing of CSS decryption keys - and they are hardly going to allow companies they are suing to start shipping such a product which facilitates an action they don't like.
Fortunately, we have free software, which plays DVDs whether Hollywood likes it or not. How hard would it be to implement a simple EDL format for Totem? So the customer base for these companies would be reduced to only those people running Linux, but that's a temporary problem...
Update: Ooh, wow, it sort of exists - at least, as proprietary hardware. Presumably these people have a DVD key licence? Then either Hollywood talking about "artistic integrity" is hypocrisy, or ClearPlay are next in the firing line...
Frank has blogged about the Mozilla Foundation grantmaking program. We are actively looking for contributors ("Aarons") to come forward and suggest potential grant opportunities.
(Please read Frank's post in full before adding comments suggesting Bug Bounty programs or the like.)
Patch Maker is my software for quickening the process of making, testing, getting reviewed and generally managing patches to a bit of software stored in a CVS or SVN repository. It particularly helps when you are making multiple, possibly conflicting patches at the same time.
After two and a half years, I've just released version 3.0. The key changes are the addition of initial support for SVN as well as CVS, and removal of the old "build mode", which was used for editing Mozilla project products in-place. This required a file called chromelist.txt to map from installed chrome paths to CVS paths, and this is no longer shipped for size reasons. So it's not nearly as useful as it was. This and other feature removals have reduced the code size by 25%.
[I'm out, by the way. Normal service will be resumed shortly.]
The largest web page in the world is 9 quadrillion pixels wide by 9 quadrillion pixels tall. It's designed to give you a bit of an idea of the size of the solar system. Try scrolling across it using your wheel mouse ;-)
Apparently, only Firefox can cope with it properly :-)