Global Warming opinions

There are many smart, rational people (and scientists) who believe in a dire future as a result of human-caused global warming, and that billions should be spent to reverse that trend. And there are many smart, rational people (and scientists) who see through the furor of faulty assumptions, faulty claims, and faulty conclusions. Here are several opinion pieces on Global Warming climate change.

[Time for a Smarter Approach to Global Warming: Investing in energy R&D might work. Mandated emissions cuts won’t](http://online.wsj.com/article/SB10001424052748704517504574589952331068322.html) by Bjorn Lomborg (who believes in global warming)

Mr. Lomborg says that spending money on reducing Malaria, HIV, etc. will help people, but spending money on lowering CO2 won’t help people.

[Inconvenient truth for Al Gore as his North Pole sums don’t add up](http://www.timesonline.co.uk/tol/news/environment/copenhagen/article6956783.ece), Dec 15, 2009

[The Climate Science Isn’t Settled](http://online.wsj.com/article/SB10001424052748703939404574567423917025400.html) by Richard S. Lindzen, Nov 30, 2009

Mr. Lindzen is a meteorologist at MIT, and is one of the chief critics of the climate “catastrophe” claims being made by Al Gore and others.

[Fact-based climate debate](http://www2.ljworld.com/news/2009/dec/16/fact-based-climate-debate/) by Lee C. Gerhard, Dec 16, 2009

---

Mankind does affect the environment. We are stewards over the earth, and we have been since the [time of Adam](http://scriptures.lds.org/en/gen/1/28e). We ought to be good stewards, and there are many ways to do that. Reducing man-caused carbon dioxide emissions on a global level won’t improve our lives. Improving air quality has improved our lives, and it makes sense to pursue cleaner air in the future. Pursuing safe, clean energy is also worthwhile.

Users, Security and Scams

I read Bruce Schneier’s [Crypto-Gram](http://www.schneier.com/crypto-gram.html) monthly. It’s from there that I found most of these links, with the exception of the ones on social engineering. I found the first paper on scam victims to be especially thought-provoking (although it’s long). The video clip demonstrating social proof was amusing.

*[Understanding scam victims: seven principles for systems security](http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf)*

Summary: Scammers manipulate people with distraction, deception, herd mentality, greed, time pressure and by impersonating authority. If something sounds too good to be true, it probably is.

---

*[Social Engineering](http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm)* [\[2\]](http://www.chips.navy.mil/archives/09_Jan/web_pages/social_engineering.html) [\[3\]](http://packetstormsecurity.nl/docs/social-engineering/aaatalk.html)

*Summary*: Social engineers exploit people’s tendency to trust and to be helpful. They do this with ingratiation, impersonation, diffusion of responsibility, urgency, appeal to conformity (aka “social proof” or herd mentality), intimidation, deception, and authoritative orders.

There’s an entertaining Candid Camera [video clip](http://www.social-engineer.org/framework/Influence_Tactics:_Consensus_or_Social_Proof) demonstrating social proof.

---

*[The Rational Rejection of Security Advice by Users](http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf)*

*Summary*: Security practitioners often dole out advice that is perceived by users as too time consuming. So users ignore or reject the security advice. However, “Advice that has compelling cost-benefit tradeoff has real chance of user adoption…. the costs and benefits have to be those the user cares about”. _Time_ is one thing users care about.

Modern bug trackers

Five years ago, I started a new job and encountered the [JIRA](http://www.atlassian.com/software/jira/) bug tracking system, after having been subject to pathetic bug tracking systems at previous companies. JIRA knocked their socks off in terms of ease-of-use and multi-platform support (it runs in a web browser). I’ve been a pleased JIRA user ever since. Recently, I stumbled on this article about what’s new in some of the best quality bug tracking systems on the market.

> Bug (issue) tracking systems have become a standard tool for any organization that develops software and have evolved greatly in the last years. InfoQ has conducted a virtual panel with people from JIRA, FogBugz, Basecamp and MantisBT about this evolution and the future developments in this field.

The virtual panel discusses integration with IDEs, project planning, story-boarding, and social networking integration.

[Read more…](http://www.infoq.com/articles/bug-trackers)

Safety from patent threats via membership in OIN?

Here’s an article that I think is worth reading. It details how the Open Invention Network (OIN) keeps open source software safe from patent threats. It also explains patent troll companies and their financial motives. It sounds like it’s worthwhile for companies that rely on OSS to become affiliated with OIN.

[http://lwn.net/Articles/353823/](http://lwn.net/Articles/353823/)

> Bergelt described Microsoft’s patent suit against TomTom as being a part of the software giant’s “totem strategy”. By getting various companies to settle patent suits over particular patents, Microsoft can erect (virtual) totem poles in Redmond, creating a “presumption of patent relevance”. According to Bergelt, Microsoft tends to attack those who try to create parity with it in some area, which TomTom did…. But, Microsoft was surprised to find that TomTom had allies in the form of OIN and others. Originally, Microsoft had asked for an “astronomical” sum to settle the suit, but after TomTom joined OIN and countersued Microsoft, the settlement number became much smaller.

OIN was started by six companies: Sony, IBM, NEC, Red Hat, Philips, and Novell.

Best technologies and productivity

I tend to wonder about the “best” technologies for a given problem. Recently, I’ve wondered why Wicket is reportedly better than Java Server Faces (though I’m using neither). Perhaps it’s human nature to look for the Next Big Thing or for silver bullet solutions that supposedly increase productivity while offering robust features.

Here’s a [blog post](http://www.jroller.com/kenwdelong/entry/my_framework_is_more_productive) that ponders whether a new framework or a programming language can really offer better productivity benefits over an ocean full of alternatives. The author asserts that the real time cost on a project is not in writing code, but in the following activities:

– Communication
– Understanding preexisting code
– Debugging
– Refactoring

Tools or languages that make any of those activities easier are to be coveted. Java refactoring tools outshine those available for Grails. Java is easier to read and comprehend than terse bash scripting. Some frameworks/platforms make debugging easier than others.

Using rsync with SELinux

Last week, I needed to move /home from one Fedora computer to another, and I used rsync over ssh to move the data.

On the new system, I noticed that procmail didn’t seem to be working, and neither did Dovecot. Nor could apache serve up my files. This had all been working on my previous Fedora system, which was running SELinux, as was my new system. What had happened?

I hadn’t told rsync to bring across the SELinux file contexts, which are stored in extended attributes. Here is the rsync option I should have used:

`-X, --xattrs`

I could have used ‘tar’ to move my home directory as well. In that case, I would have needed one of the following options: `--selinux` or `--xattrs`

I resolved my SELinux issues using the excellent [SETroubleShoot](https://fedorahosted.org/setroubleshoot/), which explained what commands to run to restore the proper SELinux contexts on various files.

SELinux requires time to tune, and I use it because it enhances the security of my Linux system, which serves up content over HTTP (Apache), IMAP (dovecot) and CIFS (Samba).
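
An added example (not part of the original post): a shell check that compares SELinux labels between the old and new `/home` after a copy, so a missing `-X` shows up before procmail, Dovecot or Apache start failing. The listings, the user name `alice`, the host name `newhost` and the label values are constructed for illustration.

```shell
#!/bin/sh
# Gather "context path" listings with GNU find on each host, e.g.
#   find /home -printf '%Z %P\n' > src.lst    (old system; dst.lst on the new)
# Label-preserving copy, as root on the receiver ("newhost" is a placeholder):
#   rsync -aX -e ssh /home/ newhost:/home/

# label_drift SRC_LIST DST_LIST: print path<TAB>src-context<TAB>dst-context
# for each path in both listings whose context differs; return 1 on drift.
label_drift() {
    awk '
        # A context has no spaces, so split at the first one; the rest
        # of the line is the path, which may itself contain spaces.
        function parse(line,   i) {
            i = index(line, " ")
            ctx = substr(line, 1, i - 1)
            path = substr(line, i + 1)
        }
        NR == FNR { parse($0); src[path] = ctx; next }
        {
            parse($0)
            if ((path in src) && src[path] != ctx) {
                printf "%s\t%s\t%s\n", path, src[path], ctx
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample listings (not real output), written into directory $1.
sample_listings() {
    cat > "$1/src.lst" <<'EOF'
unconfined_u:object_r:user_home_dir_t:s0 alice
unconfined_u:object_r:httpd_user_content_t:s0 alice/public_html/index.html
unconfined_u:object_r:mail_home_rw_t:s0 alice/Maildir
unconfined_u:object_r:user_home_t:s0 alice/notes with space.txt
EOF
    cat > "$1/dst.lst" <<'EOF'
unconfined_u:object_r:user_home_dir_t:s0 alice
unconfined_u:object_r:user_home_t:s0 alice/public_html/index.html
unconfined_u:object_r:user_home_t:s0 alice/Maildir
unconfined_u:object_r:user_home_t:s0 alice/notes with space.txt
EOF
}

tmp=$(mktemp -d)
sample_listings "$tmp"
label_drift "$tmp/src.lst" "$tmp/dst.lst" || echo "labels lost: re-copy with rsync -aX" >&2
rm -rf "$tmp"
```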

XML for documents, not for large data streams

I like XML, and I hate XML. XML is great because robust parsers already exist for nearly every programming language, thus saving work for programmers and reducing bugs. XML stinks because it’s not always the right tool for the job — it’s ugly, and it’s bulky. So when I read Michael E. Driscoll’s [comparison of documents (including XML) to trees and data to streams](http://dataspora.com/blog/the-rise-of-the-data-web/), it struck a chord with me:

> Trees are rooted and finite: you can’t chop up a tree and easily put it back together again. Streams can be split, sampled, and filtered. The divisibility of data streams lends itself to parallelism in a way that document trees do not. The stream paradigm conceives of data as extending infinitely forward in time. The Twitter data stream has no end: it ought have no end tag. Conceiving of data as streams moves us out of the realm of static objects and into the realm of signal processing.

He also [explains why XML shouldn’t be used for large data streams](http://dataspora.com/blog/xml-and-big-data/):

> XML is a poor language for data because it solves the wrong problems — those of documents — while leaving many of data’s unique issues unaddressed. But many promising alternatives exist — microformats like JSON, Thrift, and even SQLite’s file format.

I wouldn’t have thought of using SQLite’s file format — it has become somewhat ubiquitous. I admire Google ProtocolBuffers and Apache Thrift for offering open source, multi-language binary encoding for data. Now programmers won’t be as likely to reinvent the wheel, and they can rely on robust libraries.

Vim multi-line search-and-replace for wordpress comments

When I switched web hosting providers, I migrated my wordpress instance by exporting to wordpress XML format (as opposed to doing a SQL export).

I didn’t want the SPAM comments to be imported into the new wordpress instance, so I used vim multi-line search and replace to delete the unwanted comments from the XML.

`:%s#<wp:comment>\_.\{-}<.wp:comment>##`

I gleaned that syntax from [http://osdir.com/ml/editors.vim/2002-06/msg00468.html](http://osdir.com/ml/editors.vim/2002-06/msg00468.html)

Palm T|X Security: Counterproductive

The other day, I was looking through the preferences on my Palm T|X, and I found out that I could enable “Intrusion Protection”. I set it so that it would destroy all data on the TX if I failed to enter my password 25 times. That seemed like enough grace period that I wouldn’t accidentally destroy my data, even if I mis-typed the password several times.

The next day, I let my three-year-old play “Bombel”, and draw on the “Note Pad”. Several minutes later, I noticed that she was pushing buttons willy-nilly at the password screen.

“Oh!”, I thought, “That’s not good.” She was well on her way to exceeding the 25-password attempts and wiping out my data. I knew I could get it back with a hot-sync, but I didn’t want to resort to that.

Palm “intrusion detection” became counterproductive when placed in the hands of a child.

---

I also tried the Palm TX feature to “Encrypt data when locked”. First, I tried using [AES](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption, since it would likely be “stronger” than the default of [RC4](http://en.wikipedia.org/wiki/RC4). AES was unusable — it took minutes to encrypt and decrypt my calendar and address databases. RC4 was barely usable, taking ten seconds or so to encrypt and decrypt my calendar. When I whip out my Palm, I want access to my data immediately, so I disabled encryption.

---

I’ve chosen convenience over confidentiality for the data on my Palm TX, because I felt that the price to pay for confidentiality was too high. I’m not sure that it’s the right decision. I might feel differently if the Palm is lost or stolen. And so might some of the contacts in the address book. I would re-evaluate my decision if I were required to notify those contacts in the case of a lost Palm.

Fedora 11 and Virtualization (KVM)

I’ve recently upgraded another computer from Fedora 9 to Fedora 11, and I’ve decided to try the built-in [KVM](http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine) (i.e. Applications -> System Tools -> [Virtual Machine Manager](http://virt-manager.et.redhat.com/)). I wanted a virtual machine that had bridged mode networking, but it wasn’t available by default. To get it as an option, I disabled SELinux (not sure if it was necessary), followed [some special instructions](http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging) to set up a bridged interface, and restarted my network and libvirtd.

Now I’ve got a working guest OS inside of KVM, and I like it. The guest OS feels snappy and responsive.

Update: KVM and the accompanying tools aren’t as mature as VirtualBox or VMware. E.g. I didn’t see how to get my USB flash drive to be recognized by a KVM guest OS. At one point, I tried to use VirtualBox at the same time as KVM. VirtualBox told me I needed to disable the KVM kernel module before using VirtualBox.