thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging idle (inactive/suspended) accounts (Edited for accuracy).

This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)

Unfortunately, this fundamentally breaks the trust relationship of OpenID, which is based around the URL of the site you log in with. Essentially, I cannot trust that an OpenID user will remain the original user without continuously checking that this is so. I can't do that for more than a few users, so essentially, my only effective solution is to be unable to trust any OpenID from

So, because I cannot trust OpenIDs from, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.

Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but as I will not be allowing comments on LJ, there will be no commenting.

In short, I'm sorry for the inconvenience, but due to the lack of security in LJ OpenID, made even worse by this new policy, I can't allow LJ OpenIDs access to Dreamwidth directly.

If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Hi. I keep seeing a lot of "Apple are stupid" comments going around the place.

Don't get me wrong - there are certainly a lot of rabid and stupid Apple fans out there. But there are a lot of rabid stupid Google fans, or Microsoft fans, or Linux fans out there too. There's plenty of stupid to go around for everyone, and it's not magically unique to Apple.

This "Apple is stupid" meme seems to primarily be based around the idea that Apple's latest product release doesn't have some common feature that "everyone else has", and therefore they must be stupid.

The lack of certain common features in a variety of their products is not stupid on Apple's part. It's an absolutely crystal clear, conscious, heavily researched, deliberate, end user tried and tested decision to keep the feature set and number of options down to a useful minimum.

The simple reason for that is that they do not wish to present the average consumer and user with choice paralysis. Most normal people open up a common application or system options dialog box and go, "argh, what the hell do I have to tweak, I see six million options none of which are what I care about?"

That's what Apple are avoiding. If you open up an Apple product, the odds are you'll be able to figure out how to use its basic functions without needing to read a manual or search for instructions. Contrast that with the Nokia phone I recently acquired through work, where I, a hardcore geek who has owned several Nokia phones, had to open the manual to figure out where the power button was.

This difference is precisely because they're willing to cut features that "everyone else has" when they are reasonably certain those features are not actually a common use case, and particularly so when there is some alternative method to get to that use case that isn't too bad.

Yes, that means that you (and I, and everyone) probably have some pet desired feature or features that don't exist in Apple Product Du Jour.

You know what? That's fine with me. And if you don't like the featureset offered by a particular product, nobody is making you buy it. There are plenty of options elsewhere.

That kind of gap is also what the third party software market exists to fill - whether it's the hundreds of thousands of apps on the iOS app store, or a similar volume of mac freeware and shareware apps, or the vast volumes of Windows and Linux applications out there, etc.

I don't know any geeks using any operating system who don't immediately go and install a bunch of third party stuff to make things go the way they want to. And the set of stuff they install? All different for each of them. Doesn't matter what OS you're using, everybody does that.

Essentially, the fact that some product doesn't have some features you desire doesn't make it stupid. If you need those features, then just get them elsewhere; don't complain that the product is stupid when those features are available from somewhere else.

So can we stop calling Apple (and anyone that happens to use their stuff) stupid now?


ETA: I totally don't mind if you call Apple annoying for what they're doing. That might even be true. Stupid is just not factual.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Yo. Australian Citizens. Apropos of our sudden change of Prime Minister to Julia Gillard, and the fact that we'll have a federal election within the year, go check your electoral enrolment at, and please vote.

I feel pretty strongly that it's every Australian's civic responsibility to at least attend a polling booth on election day (or postal/pre vote as appropriate).

Not simply because it's required by law, but because I think it's your one chance to participate directly in the political system of this country. People have protested, fought, and died both historically and to the present day around the world to secure the right to vote. Don't waste yours.

You don't have to do anything other than get your voting paper on election day and then vote nothing at all - if that is a genuine expression of your actual political preferences.

I personally think that you should seek to be more informed about politics and thus have more complicated political preferences than that, but I'm really not going to argue with anyone who believes that that is their actual preference, so long as they still exercise a citizen's right and responsibility to obtain a ballot paper.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

I don't normally do linkspam here, but this is worth posting. :-)

One of my regular swing dancing venues held a Jedi Jack and Jill swing dancing competition last night, starring a number of the local teachers. For those not in the know, a Jack and Jill competition is where you line up and have randomly selected partners... Then you have to swing dance to whatever music is played, making the whole dance up as you go. A true test of the madness that is swing dancing, essentially.

Jedi Jack and Jill, well, all competitors are blindfolded, then away you go...

Video of the final two songs, with the final two couples, is here:


I'm occasionally in shot clapping like a mad thing in the background, sometimes hidden by another audient, but if you can tear your eyes away from the potential death action to spot me, I'll be impressed. :-)

Recipe: Congee

2010-Feb-24, Wednesday 12:44
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Congee is an awesome food for when you're ill, or just feel like something hot and tasty and soft and nice. It's easy to make, and extremely easy to digest.

  1. Put about 2 cups of washed rice in a pot.
  2. Add a bit of olive or sesame oil and garlic (dried garlic is fine), fry it up for a few minutes. Skip this step if you don't want any oil.
  3. Pour in about 4 litres of water (substitute some chicken or vegetable stock for some of this if you like). Bring to boil, then turn down to low simmer.
  4. Leave for 15-25 minutes, stirring occasionally.
  5. Add some kind of "stuff" for interest, one or more of the below:
    • Sliced white fish, put in about 5 minutes out
    • Chicken cut into small bits and put in about 15 minutes out
    • Some random selection of chopped veges, e.g. carrots (10 mins out), broccoli (7 mins out), zucchini (5 mins out)
    • Minced pork + cornflour + white pepper, gently hand squeezed into balls (15 mins out)
    • Sliced (already rehydrated) shiitake mushrooms
    • Diced Century Egg
    • Whatever you may feel like adding that will poach well
  6. Serve with optional condiments:
    • good light soy sauce (optionally with sliced chillies in the soy)
    • fresh ground black pepper
    • fresh spring onions
    • dried fried shallots/onions
    • fried egg(s)
    • Chinese Donut

If you have time, you can slow-simmer the congee for about 4-5 hours, adding a bit more water, but I find that the above is a perfectly adequate shortcut.

Tastes good the next day, and it's all perfectly microwaveable, with the addition of about half a cup of water into a full bowl.

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

If you use a computing device that is not maintained by a corporate IT department, you need to know that your device is likely vulnerable to security issues. It doesn't matter whether it's a Mac, a Windows PC, a Nokia Phone, an iPhone/iPad, an Android phone, a Windows Mobile, a Linux laptop, an XBox or Playstation, all computing devices have security issues from time to time. What does differ a little is how quickly they get fixed, and how quickly you can find out about them and install the fix, and the type and scale of problems, but really, the take home message is that all computing devices have security issues.

If you own a device that connects to the Internet in any way (and pretty much everything does now), then you have a device that can potentially be hacked by any random other person on the Internet. If that happens, you are really stuffed. Your computer (or phone, or whatever) will be used to conduct all kinds of illegal activities (like hacking other people, sending spam, etc), all your personal data can be made public leading to identity theft, online banking theft and worse,

Ultimately you, as the end user, need to be informed. If you don't even know that your computer/phone/games console/whatever might have a security problem, that means it is sitting there waiting to be hacked and controlled by someone else.

The first place you should be looking for timely information is a known security updates publisher. For normal people, I highly recommend the Australian Government's Stay Smart Online Alert Service (AusCERT funded by and the US CERT: Non-technical users page.

US CERT and AusCERT also have much more detailed alerts, which are more focused at professional systems administrators than for "normal" people. If you have the time and inclination, I recommend AusCERT.

I know those security updates may look daunting and confusing for many people, especially ones not involved in the IT industry. Please, really, really, take the time to learn enough to understand what the security updates mean and how to take appropriate action, and get informed about the computing devices you use, at least enough to know how to update your operating system and any software you use. Use Wikipedia to search out any terms you don't understand, and ask any computer geeks you know for help. We want you to stay safe, I promise.

The main things you need to care about on any given security alert are:

  1. Does it apply to you (does the Operating System match one you use, and/or is it about Software you use)?
  2. Do you need to do anything (is there an "update your software here" link in the update, or other instructions)?

If the answer to both of those is yes on any given security alert, then please, go and update whatever needs updating. If you don't, your computer will remain vulnerable to a known security exploit - which means that at some point in time, your computer will eventually be hacked by some bad person, leading to all the issues above.

So please, for your own safety, Be Alert, not Alarmed. The world needs more lerts.

Edit: This post was originally written before the existence of the Stay Smart Online Alert Service, which was launched shortly afterwards. The post has been edited to recommend non-IT experts to go there first, rather than directly to US/AusCERT.

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

TLDR version

Most Internet traffic is not encrypted at the moment. It is trivial in cost and setup to use some form of encryption on all Internet traffic, which means that any Internet filtering solution will be unable to inspect that traffic and block sites.

Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.

All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.

Layer Cake

The Internet works on a layered communication method, where "protocols" are run on top of each other. I'm going to simplify some and leave out some things that aren't necessary to mention, but that's okay.

At the base, there exists "hardware" - wires, radio waves, that kind of thing.

Each type of hardware has a type of hardware specific communication that things use to communicate over it. (DSL, DSL2, 56k modem, wireless 802.11b/g/n, etc).

On top of that hardware specific communication is layered a protocol called "IP" (Internet Protocol), in which every device on the Internet has a numerical IP address.

At each endpoint of those bits of hardware are things called "routers", which essentially take traffic from one part of the network and "route" it to another part.

On top of IP is layered a protocol called "DNS" (Domain Name Resolution), which lets you look up a domain name (like and have it translated to some IP address.

In order to make a connection between one computer (e.g., yours), and another (e.g., a web server), your computer uses DNS to find the IP address, then connects to it on a "port" (another number) which is related to a particular service.

HTTP is a protocol that runs on top of IP. When you put a URL like into your web browser, your computer asks via the "DNS" protocol for the IP address to contact. It then contacts that IP address on port 80, and makes a "request" for the content that lives at /intl/en/options. The server then sends the content back to your computer, which feeds it to your web browser, which then renders it.

Because all of that traffic is not encrypted, your ISP (which controls the routers between you and the rest of the Internet) can inspect that traffic, and if it sees a request for the "wrong" sort of content, it can block the rest of the traffic. That is what is proposed under the net filtering trials that have been conducted.

Sounds good. The problem is that there already exist technologies in common use today that defeat this approach completely.

There is a protocol called SSL (Secure Sockets Layer), which is another protocol layered on top of IP. It actually provides exactly the same function as IP, in that you make a connection from your computer to the other side, but what it supports (that IP doesn't) is encryption and authentication. When your computer makes an SSL connection to another server, it can tell if the other side has a "certificate" which, when "signed" by the appropriate well known authorities (Thawte and Verisign are the primary providers), proves that the server in question is really the server that is supposed to live at that hostname. In addition to that, all data passing back and forth over an SSL connection is encrypted, so nobody in between can read it.

The analogy is that "IP" traffic is like postcards - they're being passed around readable by anyone. "SSL" traffic is instead like sending a sealed and signed and stamped envelope - tampering is obvious to the other end, and you in fact can't even tamper with the envelope without destroying the contents.

HTTPS is defined as being exactly the same protocol as HTTP, except that instead of making a connection using "IP", it runs over SSL. This is the protocol used by all of your Internet banking services, and indeed by many webservers that require login of some kind, because they don't want your password and details flying around the Internet for anyone to inspect.

If your ISP wants to "filter" HTTPS traffic, it essentially can't do that effectively. It can block access to specific hostnames (e.g.,, but it can't block say, without blocking all traffic to everything at

So, anyone wanting to host RC content under the proposed filtering system simply has to provide it over HTTPS, and that will defeat any filtering attempt.
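To make the distinction concrete, here is an added illustration of what an inline ISP filter can decide from a plaintext HTTP connection versus an HTTPS one. This is my own constructed code, not anything from the original post or from any filtering trial; the blocklist, hostnames, sample flows and the assumption that the ISP knows the destination hostname (it carried the DNS lookup) are all made up for the example.

```python
# Added illustration (constructed, not from the original post): what an inline
# ISP filter can decide from plaintext HTTP versus HTTPS connections.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Flow:
    """One client connection as a middlebox in the ISP's path sees it."""
    dst_host: str   # assumption: the ISP knows the hostname (it carried the DNS lookup)
    dst_port: int
    payload: bytes  # first bytes the client sent after the connection opened


# Hypothetical rules, made up for the example: one page on one host, and one whole host.
BLOCKED_URLS = {("example.org", "/banned/page")}
BLOCKED_HOSTS = {"blocked.example"}


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Optional[str]]]:
    """Parse a plaintext HTTP/1.x request head into (method, target, host)."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None  # not readable text, so not a plaintext HTTP request
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    return parts[0], parts[1], host


def filter_decision(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for one flow, mimicking a URL-level filter."""
    if flow.dst_host in BLOCKED_HOSTS:
        # Host-level blocking works regardless of encryption: the filter only
        # needs the destination, never the content.
        return "block", f"destination host {flow.dst_host} is blocklisted"
    if flow.dst_port == 80:
        req = parse_http_request(flow.payload)
        if req is None:
            return "allow", "port 80 but the payload is not a readable HTTP request"
        _, target, host = req
        host = host or flow.dst_host
        path = target.split("?", 1)[0]
        if (host, path) in BLOCKED_URLS:
            return "block", f"plaintext request for blocklisted http://{host}{path}"
        return "allow", f"plaintext request for http://{host}{path} is not blocklisted"
    if flow.dst_port == 443:
        # After the handshake everything is ciphertext, so the path is invisible.
        # A URL rule for this host cannot be enforced without blocking the host.
        pending = [u for u in BLOCKED_URLS if u[0] == flow.dst_host]
        if pending:
            return "allow", (f"encrypted flow to {flow.dst_host}: path not visible, so "
                             f"{len(pending)} URL rule(s) for this host cannot be applied "
                             "without blocking the whole host")
        return "allow", f"encrypted flow to {flow.dst_host}: nothing inspectable beyond the host"
    return "allow", f"port {flow.dst_port}: no rule applies"


# Constructed sample flows. The HTTPS payload stands in for handshake bytes;
# only its opacity matters here, not its exact contents.
SAMPLE_FLOWS = {
    "http_blocked_page": Flow("example.org", 80,
                              b"GET /banned/page?x=1 HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "http_other_page": Flow("example.org", 80,
                            b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    "https_same_host": Flow("example.org", 443, bytes(range(22, 60))),
    "https_blocked_host": Flow("blocked.example", 443, bytes(range(22, 60))),
}


def run_demo() -> dict:
    """Run every sample flow through the filter; returns {name: (action, reason)}."""
    return {name: filter_decision(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_demo().items():
        print(f"{name:20s} {action:5s} {reason}")
```

Only the two host-level cases produce a block; the encrypted flow to the host carrying a per-page rule is let through because the filter never sees the path.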

There is another protocol called IPSec (Internet Protocol Security), which is IP tunnelled over IP. Sounds weird, I know. What use is it? It's the same deal as SSL - it's an encryption/authentication protocol. This is what your corporate road warriors use to connect to their corporate network via a VPN (Virtual Private Network). All the traffic leaving your computer is essentially encrypted and sent down the "VPN tunnel", to your VPN server, which then decrypts it and sends the "real" traffic out to the Internet at large. All the ISP sees is a bunch of encrypted IPSec traffic, which it cannot decipher.

Now, there are quite a large number of providers in the US and elsewhere, who are happy to sell you a VPN service. What does that do? It makes your computer appear to, as far as the Internet is concerned, be coming from the US. This is commonly available technology, costs you about USD5 a month at the low end, more than that for better services. Anyone using one of these VPN services is, essentially, totally immune to the filter, because their Internet connection effectively originates in the US (or elsewhere), instead of in Australia.

These are just the two most commonly used encryption and authentication protocols out there, that are in common use by a lot of people. They are both designed to be entirely secure and not breakable in a real-time manner, not even by governments.

No filtering technology can possibly block these protocols, because to do so would cripple Australia as far as the ecommerce world is concerned. Imagine not being able to use or or to do anything. Imagine the CEO of IBM visiting Australia and not being able to access corporate email. We're already considered an Internet backwater due to our slow bandwidth and terrible usage caps. Inability to use basic encryption would just be madness.

Aside from that, if people access illegal content using non-encrypted communications, that is a good thing. Why? Because that means your ISP can actually detect them and send the information to law enforcement agencies. That sort of thing is common practice within the ISP industry already.

All that implementing a net filter would do is force people actually doing illegal things to get clever and use encryption technologies like the above, rather than leaving at least some of them out in the open as they are now.

Relevant links

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Microsoft .NET Remote Code Execution exploit

Similar class of problem as last time with the TCP/IP thing:


             AUSCERT External Security Bulletin Redistribution

           Vulnerabilities in the Microsoft .NET Common Language
                 Runtime Could Allow Remote Code Execution
                              15 October 2009


        AusCERT Security Bulletin Summary

Product:           Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin:

That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.

Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.

Unless, of course, you don't value your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.

Microsoft Danger Sidekick: All your data are belong to bitbucket

For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed up on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).

T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup. There's a rumour today that Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.

Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.

That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.

ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

Some people are a little confused about why the Hey Hey "blackface" skit is being viewed as quite offensive, and why the controversy hasn't just blown over.

If you're a White Australian, and especially male, you probably don't understand the context. Women maybe understand it more - they have more direct experience of similar things.

So let's have a little story to illustrate the context.

Think of half a dozen or more direct insults that might be used if someone was seriously trying to pick a fight with you. As in, really really pick a fight, not the joking friendly kind of insult that Australians are famous for. I'm not going to list any here - but if you can't think of any, then you're not trying hard enough. And if you really can't think of any, I'll supply you with some, in person, if you like. I guarantee you I can find something that will offend you.

Now, imagine that every single day, you get at least one, if not several, random idiots come up to you, and yell one of those insults at you, actually trying to pick a fight with you.

Not people you know, of course. Random strangers, different ones every time, come up to you whilst you're walking along the street and yell something horribly insulting, and probably not even relevant to you at all, and try to pick a fight.

That's life every single day as a non-white person in Australia. Really.

That experience is what I grew up with, every single day of my school life in the 1980s in Sydney Australia, and most every day at University through the early 1990s. It happened a little less often once I got into the workforce in Sydney, and doesn't happen much now I live in inner city Melbourne, where people are sufficiently alright with Asians that we had John So as Mayor for years, and he barely speaks English. That said, even today, when I visit Geelong, the second largest Victorian city, I still get looked at as if I'm a freak show when walking down the street holding my wife's hand.

And as an Asian, I got it easy. Mostly people yelled from across the street, because the same kind of idiot has watched Kung Fu movies, so they didn't usually yell in actual kicking range.

For Indigenous Australians, Africans and other black skinned folks in Australia? That kind of thing happens up close and personal, and happens every day, even to adults. And often that includes physical assault, not merely verbal assault. Today. Not "in the past". Today.

So don't be surprised when people are just a touch angry at a "joke", when the "joke" in question reinforces the idea of an entire group of actual people as being non-human idiots, and therefore reinforces the idea that you are allowed to yell at them and beat them up.

A couple of links to other relevant places:

Before you respond, read:

Karnythia: The Do's and Don'ts of Being a Good Ally

1. Don't derail a discussion. Even if it makes you personally uncomfortable to discuss X, it's really not about you or your comfort. It's about X issue, and you are absolutely free to not engage rather than try to keep other people from continuing their conversation.

2. Do read links/books referenced in discussions. Again, even if the things being said make you uncomfortable, part of being a good ally is not looking for someone to provide a 101 class midstream. Do your own heavy lifting.

3. Don't expect your feelings to be a priority in a discussion about X issue. Oftentimes people get off onto the tone argument because their feelings are hurt by the way a message was delivered. If you stand on someone's foot and they tell you to get off? The correct response is not "Ask nicely" when you were in the wrong in the first place.

4. Do shut up and listen. I cannot emphasize enough the importance of listening to the people actually living X experience. There is nothing more obnoxious than someone (however well intentioned) coming into the spaces of a marginalized group and insisting that they absolutely have the solution even though they've never had X experience. You can certainly make suggestions, but don't be surprised if those ideas aren't well received because you've got the wrong end of the stick somewhere.

5. Don't play Oppression Olympics. Really, if you're in the middle of a conversation about racism? Now is not the time to talk about how hard it is to be a white woman and deal with sexism. Being oppressed in one area does not mean you have no privilege in another area. Terms like intersectionality and kyriarchy exist for a reason. Also...that's derailing. Stop it.

6. Do check your privilege. It's hard and often unpleasant, but it's really necessary. And you're going to get things wrong. Because no one is perfect. But part of being an ally is being willing to hear that you're doing it wrong.

7. Don't expect a pass into safe spaces because you call yourself an ally. You're not entitled to access as a result of not being an asshole. Sometimes it just isn't going to be about you or what you think should happen. Your privilege didn't fall away when you became an ally, and there are intra-community conversations that need to take place away from the gaze of the privileged.

8. Do be willing to stand up to bigots. Even if all you do is tell a friend that the thing they just said about X marginalized group is unacceptable, you're doing some of the actual work of being an ally.

9. Don't treat people like accessories or game tokens. Really, you get no cool points for having a diverse group of friends. Especially when you try to use that as license to act like an asshole.

10. Do keep trying. Fighting bigotry is a war, not a battle and it's generational. So, keep your goals realistic, your spirits up (taking a break to recoup emotional, financial, physical reserves is a-okay), and your heart in the right place. Eventually we'll get it right.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
I dumped LJ a little while ago. I got a bunch more invite codes for Dreamwidth; drop me a line if you want one.

ETA: If you're coming from LJ, log in using OpenID (see DW OpenID Help), and then you can comment.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)

I bought a Drobo, and configured and formatted it last night. Copied the data from my previous external storage disk (which was failing with block errors). Plugged it into the back of the Airport Extreme, and voila, it's just working. Time Machine is happily grinding away doing its thing, and it's very nice knowing that we have 3TB of RAID storage that is protected against single disk failure. I didn't have to install any drivers, work out any RAID configuration details, or fiddle any settings - there essentially aren't any to fiddle.

This is essentially representative of what I'm enjoying about the current state of play in computer technology - quite a lot of things are falling out of the Corporate Price Point down into the Small Business / High End Consumer Price Point.

A few examples:

  • Mobile Broadband (Satellite, early GPRS/3G vs ubiquitous 3G/EDGE and wifi)
  • Compute Cluster (SUN, IBM, HPUX, etc vs Google Apps, Dreamhost, etc)
  • RAID/NAS (NetApp, iSilon, etc vs Drobo, lots of other manufacturers too)
  • Portable Computing (Blackberry vs iPhone, Android, Pre, Netbooks)

What's nice and interesting to note is that the Usability Fu really really matters in this zone. Corporates can afford to just suck it up and pay an expert to integrate a solution (and are almost invariably doing something weird and custom enough that they would have to even with "off the shelf" solutions). Small Business and High End Consumers don't have the time or the money to spend on Integration Experts and Solution Architects. It just has to Plug In And Work. If it doesn't work just like that, you can't sell it effectively in this price point.

Ordinary people are starting to expect computing technology to Just Work and be Easy To Use. And so they should. So, if you're in the industry at all, "It's a tricky computer thing" is not an excuse any more. It should never have been an excuse in the first place. If it's hard to use, find another supplier with a more usable product. They're starting to exist.

thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
LJ-news: Media embedding change - important notice
DW-maintenance: LJ web security exploit

In short, LJ had a "cross site scripting hack" which infected a bunch of people's accounts. Check the LJ news post and verify you're okay if you're on LJ.

However, Dreamwidth wasn't vulnerable.

Yet another reason to Dump LJ in favour of Dreamwidth.

ETA: If you're not running some kind of flash blocker, you probably want to be.

Safari - - (Was:

Firefox - - or

Opera - -

Chrome - - (run a local proxy) or switch to one of the above.

Internet Explorer - - (run a local proxy) or switch to one of the above.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
So, that TCP/IP issue I mentioned last time in " Computer Security - Anything But Windows. Seriously."?

Microsoft: No TCP/IP patches for you, XP

"We're talking about code that is 12 to 15 years old in its origin, so backporting that level of code is essentially not feasible," said security program manager Adrian Stone during Microsoft's monthly post-patch Webcast, referring to Windows 2000 and XP.

So, in other words, Microsoft has forgotten how to maintain the code for Win XP. Either they've dumped too much critical build infrastructure, or it's just "too difficult" to build a patch that goes that deep into the XP kernel.

Either way, it really doesn't speak well for toolchain maintenance, development process and their software architecture (or lack thereof).

Bear in mind, this is for a version of the OS that is not supposed to be end-of-life yet. I have no issue with inability to patch end-of-lifed OS versions - I wouldn't expect to see patches for Win98, for example.

Although the two bugs can be exploited on Windows 2000 and XP, Microsoft downplayed their impact. "A system would become unresponsive due to memory consumption ... [but] a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases."

In short, Microsoft's other excuse for why they aren't bothering to patch XP is that your Windows XP machine will theoretically hang if it's being attacked, so you're obviously perfectly safe from being hacked. Ahahah. Very funny. At least to me, anyway.

So: Computer Security - Anything But Windows. Seriously. Really, Seriously. Run, don't walk. Try something else.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:

AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities

Product: Windows TCP/IP
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin:

Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.

This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.

Unix is designed from the ground up with a highly layered security approach. In the layers where security is critical (i.e., the "kernel" - the part of the OS that deals with the computer hardware, and therefore can do things like snoop passwords, steal data from anyone on the machine, etc.), the programmers tend to be very, very careful. Most of that code is not actually new: it has been inspected heavily by many, many people over the decades the technology has existed, and tested by lots and lots of people who are pretty crazy about security and think about it a lot.

Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best: Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.

Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.

But on Windows - none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote hacker, the remote hack will disable your anti-virus software, and install a bunch of stuff that will keep your computer broken and hacked, permanently.

If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.

So, if you care about having a secure computer, don't use Windows. Ever. Really.

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Okay. I'm officially dumping LiveJournal - my paid account there will not be renewed, and my Dreamwidth account is now a paid account.

Crossposting to LJ will still occur, and you can comment from your LJ account in my DW account using OpenID.

The prompt for this is that LJ has quietly broken the comment exporter, which I was using to back up comments. If I can't retain an offsite backup of my journal, I'm not interested in paying for the service.

There are a number of indicators that have demonstrated to me that the quality of the software engineering around the LJ codebase has been quietly deteriorating for some time; this is simply the last straw on the camel's back.

Dreamwidth, on the other hand, has a great set of principles and a functioning, diverse, high quality, developer community.

If you're over on LJ, here's: A Guide To Dreamwidth for LiveJournal users.

Also, here's a list of Dreamwidth compatible clients.

I have a few invite codes for free accounts, so if you want one, drop me a comment over there. (ETA: All gone for the moment.)

(ETA2: You can just pay for one month if you can't find yourself an invite code and want to start cheaply - see the Dreamwidth FAQ: What are paid accounts?)
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
This is one of the best programming talks I have seen, ever.

If you do any software development, programming, or even scriptwriting, you need to watch the whole hour of this.


ACM citation, including the great abstract:

Google Video:

Slides Scribd:

Slides PDF:

Alternate video, maybe:
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
There seems to be quite a lot of confusion around the place about the Apple vs Google vs Microsoft ding dong three ring circus "battle" that's developing.

Here's why I don't think it's a real battle, even though they all appear to be playing in the same spaces (Mobile/Search/OS/Apps). They don't have the same customers.

Apple's customers are people.

Google's customers are advertisers.

Microsoft's customers are corporations.

Bear this in mind at all times when you are analysing their products and activities. It explains a lot.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Australian Parliament House - Senate - Inquiry into the Marriage Equality Amendment Bill 2009

Australian Marriage Equality - how to make a senate submission

Equal Love Campaign - Australia

Equal Love Campaign - Online Submission Form

Equal Love Campaign - details for who in the Senate to send stuff to

I write to express my support for the Marriage Equality Amendment Bill 2009.

Although I myself am in a heterosexual marriage, my partner and I chose to do a registry ceremony in the morning with just ourselves and required witnesses, and then held what we consider our Real Wedding in the afternoon, in front of our relatives and friends.

A major factor in that decision to keep the "legal ceremony" out of sight is the required wording reminding people that marriage is an exclusive union of a man and a woman.

We both have a large number of non-heterosexual friends, and we felt that that required wording would be offensive to them, and offensive to us.

I wish that our friends who wish to be joined in marriage in Australia be allowed to do so, regardless of their sexual orientation.

Anything else is a blatant inequality - their relationships are not any less powerful or worthy than my own, so why are they not allowed to choose the union of marriage?

Thank you,

David Goh

iPhone Fu

2009-Jun-30, Tuesday 13:34
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
There's a small spate of people around me obtaining the iPhone. A few pointers for those people:

Cloud Services

Google is an excellent cloud replacement for MobileMe. Google Sync Help has calendar sync tips. GMail Mobile Help has how to access GMail in a variety of ways (I recommend IMAP in the iPhone Mail client). Set yourself up a gmail account and google calendar, and that will work fine and dandy. Don't sync with Google Contacts, it does suck. Keep syncing to Address Book on your mac (not sure what the Windows equivalent is), or use MobileMe.

I do actually like MobileMe - in particular the Find My iPhone feature is excellent, and the Push email for my address I do find useful on occasion. (Push notifies you that you have mail immediately, whereas normal email relies on your device to contact the server every so often.)

Physical Accessories

  • Contour Hardskin - you need this, or some equivalent. This is nice and grippy, and the raised edge on the screen front is well worth it. I literally dropkicked my iPhone under a car on the street, sliding it face down, and there is zero damage.

Free Apps

These are not linked to - just search for them in the app store.
  • Pkt Weather (Australian Bureau of Meteorology backed, includes radar views)
  • AroundMe (many categories of stuff)
  • Urbanspoon (specifically restaurants)
  • Take Me To My Car (parking location rememberer)
  • tramTracker (dingding!)
  • Metlink (a bit of a monolithic application, but comprehensive Melbourne Public Transport timetables)
  • Here I Am (quickly send a pre-configured email with google map link)
  • Google (everything google here)
  • Free Wi-Fi Finder (list of free wi-fi spots)
  • Wi-Fi Finder (list of non-free wi-fi spots)
  • Layar (3GS only - "augmented reality" nearby stuff overlay)
  • Twitterrific
  • Facebook
  • Fring (variety of chat clients, including Skype and VoIP)
  • AIM Lite
  • Skype
  • Livejournal
  • Whole Foods (recipe database - US based)
  • (Australian recipe database)
  • ShopShop (very simple and easy to use shopping list utility)
  • NetNewsWire (backed onto Google Reader)
  • Chronolite (configurable multiple timer utility)
  • Wikiamo (Wikipedia browser with cache)
  • AusPostcode
  • Stanza (ebook reader)
  • Shakespeare (the complete works)
  • Dropbox (if you are not already using then you should be)
  • Darkroom (take the shot once your hands are steady, there is a Premium version with more features)
  • Zen Piano (1 octave piano with loudness controlled by tap strength)
  • Tuner440 (instrument tuner, including "free mode" with different notes)
  • inTune A440 (strobe tuner for A440 specifically - only)
  • A Free Level (a bubble level)
  • Metronome (tick tock)
  • Units (conversion calculator, includes currency fu)
  • Convertbot (conversion calculator, includes currency fu)
  • Blizzard Mobile Authenticator (for World of Warcraft nerds)
  • Scan (in case you're curious what's running under the hood, or want to check your phone's RAM usage)

Silly Things
  • iStethoscope (badoump)
  • Banner Free (big scrolly banner)
  • Labyrinth Lite (rolling ball maze puzzle)
  • Lightsaber (vrwoomp)
  • Zippo Lighter (fsshwwomp)
  • iNeko (meow, purr, zzzZZZ)
  • PwGen (Password Generator, useful for normal users, not just techies)
  • TouchTerm (SSH client)
  • Net Utility (bunch of net utilities rolled into one)
  • Ping Lite (includes a handy ping-whole-subnet display)
  • RDP Lite (Windows Remote Desktop)
  • VNC Lite (VNC client - mac, linux, etc)
  • Speed Test (bandwidth speed tester)

Computer/Math Nerd Utilities
  • UNIX Epoch (you too can know the number of seconds since 1970-01-01T00:00Z)
  • cmpxRPN (complex number and reverse polish notation calculator)
  • GraphCalc (Polynomial Graphs Curve OK)
  • PCalc Lite (alternative calculator)

Non Free Apps (unsorted)

  • Darkroom Premium (take the shot once your hands are steady, guide lines, etc, good camera app replacement)
  • OzWeather (Another Australian weather app)
  • BOMRadar (Just the BoM Radar)
  • WiFiFoFum (awesome WiFi scanner app - includes 2D radar view)
  • Fantastic Contraption (the game of website fame)
  • Flight Control (finger trace land the planes - quick and fun)
  • Cluck It! (chicken crossing road - very hilarious and fun, Frogger style but much better)
  • Sally's Spa (surprisingly fun "time management" genre game - there is a Lite)
  • Underworlds (basic Diablo type game - melee only)
  • Paper Toss (surprisingly fun game)
  • Strategery (hex based conquest game - there is a Strategery Lite)
  • Ocarina (an ocarina!)
  • Koi Pond (splash!)
  • Civilisation Revolutions (basic, but recognisable and still fun)
  • Catan (The basic Settlers of Catan game, no expansions)
  • Midomi (what's that song that's playing?)
