11 Aug 2006

news flash! keylogging hackers may steal your password

i have no idea what this story is about regarding researchers saying that "a machine compromised with a key-logger would quickly reveal all the information a criminal would need to gain fraudulent access to an account."

hang on a second, if a keylogger was on my system, that wouldn't be the only thing it could compromise. and why are they singling out HSBC? aren't any online banking websites that use passwords vulnerable? then there is no way in the world that you will be able to keep your password away from a keylogger unless you use one time pads/passwords.

i am an HSBC customer, and their login system isn't the best in the world, but it is better than a simple username password system. the system relies on you remembering a 6 to 10 digit number, and then you have to type in a permutation of those numbers. for example, you are requested to type the second, third and sixth number. now it isn't rocket science to know that if there was a keylogger, then you only have to monitor a couple of password entries and the challenge it gives you to figure out the whole pin number.

so either bbc and the guardian are jumping the gun here and sensationalising some non-event or that the researchers have found a systematic flaw that is specific to HSBC's implementation. i don't know, but i believe researchers aren't that stupid, especially ones that are called professors.

[UPDATE: so it looks like there's a good explanation of the statistical flaw here. the flaw boils down to the fact that HSBC requests the numbers in order rather than in random order, (eg. FIRST THIRD SIXTH instead of SIXTH FIRST THIRD.) i suppose they are going after HSBC because they should know to fix it. then again, maybe that is not the whole story?]
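
An added example, not part of the original post: it quantifies the "couple of password entries" estimate above by computing how quickly a partial-number login exposes the whole number once sessions are being observed. It assumes each login asks for 3 distinct positions chosen uniformly at random and that the observer sees both the challenge and the typed digits; the function names are hypothetical.

```python
from fractions import Fraction
from math import comb


def p_unseen(n, k, j):
    """Chance that one challenge (k distinct positions out of n, uniform)
    avoids a fixed set of j positions entirely."""
    return Fraction(comb(n - j, k), comb(n, k))


def prob_fully_exposed(n, k, t):
    """Probability that every one of the n positions has been asked for
    at least once within t observed logins (inclusion-exclusion)."""
    some_position_never_asked = sum(
        (-1) ** (j + 1) * comb(n, j) * p_unseen(n, k, j) ** t
        for j in range(1, n + 1)
    )
    return 1 - some_position_never_asked


def expected_logins(n, k):
    """Expected number of observed logins until all n positions have been
    revealed. Sums P(not yet exposed after t) over t = 0, 1, 2, ... in
    closed form, one geometric series per inclusion-exclusion term."""
    return sum(
        Fraction((-1) ** (j + 1) * comb(n, j)) / (1 - p_unseen(n, k, j))
        for j in range(1, n + 1)
    )


def exposure_table(k=3, lengths=range(6, 11), horizon=(2, 5, 10, 20)):
    """Rows of (length, expected logins, P(exposed) at each horizon)
    for the 6 to 10 digit numbers the post describes."""
    rows = []
    for n in lengths:
        rows.append(
            (
                n,
                float(expected_logins(n, k)),
                [float(prob_fully_exposed(n, k, t)) for t in horizon],
            )
        )
    return rows


if __name__ == "__main__":
    print("digits  E[logins]  P(exposed) after 2 / 5 / 10 / 20 logins")
    for n, exp, probs in exposure_table():
        cells = "  ".join(f"{p:6.3f}" for p in probs)
        print(f"{n:6d}  {exp:9.2f}  {cells}")
```

For a 6 digit number the expectation is 327/76, a little over four observed logins, so the scheme only slows an observer down relative to a plain password, which is exposed after one; a one time password stays unaffected by the same observation.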



09 Aug 2006

pybugz: command line interface to bugzilla

Finally, after about 3 weeks of testing, I think pybugz has reached a point where it is usable every day. It is now in portage under www-client/pybugz and the command-line executable name is 'bugz'.

Just to recap, pybugz is a command line interface to bugzilla, geared specifically for Gentoo, but works on other bugzillas like XenSource bugzilla and GNOME bugzilla (use --base to set your bugzilla base url.)

For some examples on how to use it, check out the pybugz page.



07 Aug 2006

wwdc candy

(note: wwdc = apple's worldwide developer conference) there's going to be enough snarkiness about what apple didn't release, and how bluetooth and airport aren't standard on a mac pro. but there are some really cool things that were announced:

first off, why aren't the rumour sites scouring webkit changelogs

there are at least three things in the keynote that were actually hinted at in the webkit changelogs, dashcode, web clips and mail todo. not that those two things are huge, and not that i follow webkit's development closely, except once in a while i like to see the code. slightly on a tangent, there's a branch or fork of code that has been ported to S60 (nokia phones) and also apparently a win32 and linux port of the code. so that is interesting enough for me to follow.

virtual desktops (spaces)

spaces? anyway, since desktopmanager and virtue, it was pretty obvious that apple had hooks to implement virtual desktops. i mean these open source projects were practically just giving a UI to hooks and implementation already in dock.app's code. the presence of the code there means they were always thinking of putting in an interface to it, but never got around to doing it until now. i won't be able to see this in action until i hop on to a mac, but i'm predicting it will exceed virtue and desktop manager in ease of use.

btw, this is one thing where apple has had to play catch up to the linux/unix x11 world!

screen sharing with ichat

this is pretty exciting. imagine helping your family on the other side of the world configure their mac or set up their printer on their home network. if they're behind a NAT, then apple remote desktop ain't gonna do you any good. what better than screen sharing plus ichat to be able to fix your parents' computer problems plus show them how to do it themselves next time. i'm looking forward to this one.

oh and the fact that ichat now has tabbed windows like adium? that's the end of chax then.

making backups look sexy

for 30 years, ever since computing, administrators have been looking at backups. just like these plusnet guys learnt a 700GB lesson about it. but backups are not sexy, and no one really understands them. but all it takes is some fancy animation from apple and now it looks like they invented version control. slap on a funny name like "time machine" and you've just taught mum and dad how to view backups. compare the way apple presents backups:



and the way windows vista presents backups:



and then the linux way of presenting backups:

rsync -avr

xserves

this was not really talked about in the keynote, but look at the awesome stuff the intel xserves are going to bring in. my favourite is the remote administration via ethernet, meaning you can monitor the hardware, network and reboot the machine all through the ethernet cable, without the OS running and supposedly, anywhere in the world.

if i had a business and needed to run some servers, i would be very inclined to choose an xserve over a cheap dell 1U rack just purely on the management stuff alone.

spotlight over the network

for the home user, this probably means nothing. but for businesses, this might be the equivalent to google's search appliance. although i doubt it has enough smarts and indexing capability, i think the spotlight server will be a pretty neat middle-class-man's small office search.

of course, there are some "what the..?" moments

out of all the features, if i had to choose one to rain down upon, it would be mail stationery. but i can understand that. mail todo and notes ain't much of a hooha, unless they actually sped up mail, then i might be tempted to go back to IMAP rather than gmail for high volume mail accounts. of course, the other thing that was not announced, but featuring heavily in the screenshots is the fact that mail is now a pseudo RSS reader, just like safari. so maybe it will just become one of those things that they do that is good enough for the average consumer (maybe for photocasts), but nothing really for real consumers of RSS feeds.

one more thing.. (updated)

no there wasn't a one more thing in the keynote, but subtly, people noticed that in the screenshot, iChat had lost its brushed metal. so we're probably going to see brushed metal banished from osx leopard. also, the finder was not changed at all, not even a tiny bit, which may hint that the top secret thing that steve jobs was saying is the finder. then again, we can speculate on all sorts of other different things, but i believe the spring 2007 release will mean it will come AFTER windows vista launches -- so maybe something cool revealed at Macworld 2007. (which according to the rumours will be a touch-screen phone with bittorrent running mac os x embedded.)



07 Aug 2006

WWDC 2006 and Applecare Support Saga

WWDC 2006 Keynote is today! I'm very excited about what new stuff Apple is going to bring to the table. Last year, Steve Jobs announced the shocking revelation that Apple was moving from PPC to Intel chips. For those who don't know what that means, it just means Apple had moved all their computers to run on the same chips that run your Windows PC, and in doing so, means that all the software that was written for Mac had to be made to work with the new Intel chips.

This year, there are nearly no good rumours. Mac Pro is almost a certainty given that Apple outlined their product line for the whole year. So no surprises there. I hope there will be a speed bump or even Core Duo 2 (does that make it Core Quad?) for the Macbook Pros.

Anyway, this is nearly the fifth week that I have been sharing my Mac with PP, which means I've been on my Gentoo Linux laptop for over a month now. I occasionally go back to the Mac to test certain things and update my iPod. Since we came back from Germany, PP has been without her Macbook since 29th June 2006. So it has been over a month and still we do not have a Macbook in our hands. It is bordering on ridiculous at the moment, got the Macbook for 2 months and it's been out of our hands for over a month.



02 Aug 2006

ebuild quality

Another week, another two flamewars on gentoo-dev.

This week, it is about gentoo-sunrise and a dev quitting because he disagrees with gentoo-sunrise being an officially recognised project.

You could say that I'm in the camp that thinks this is a good step in the right direction for Gentoo, since I support overlays. However, I have not read enough of the gentoo-sunrise manifesto (if they have one) or project aims and implementation to comment on whether I support it fully. What I will do is present some of the technical points between the two camps:

Those in favor of the gentoo-sunrise project:

1. Gets users involved with development
2. Allows users to get feedback on ebuilds outside of bugzilla.
3. Spotting of potential devs.
4. Allowing users to proxy maintain ebuilds which might be hardware specific that a dev does not have.

Those not in favour of gentoo-sunrise project:

1. Users' ebuilds are generally of lower quality than is accepted into Gentoo.
2. Creates confusion in bugzilla when experimental ebuilds are used and not reported (eg. GNOME vs BMG in the days when I still was involved with Gentoo GNOME).
3. Questions about the standard of review that goes into ebuilds that are marked "reviewed" in gentoo-sunrise.

What I see as the benefit of something like this is giving an accessible home to ebuilds where no developer has the time or desire to fix/test/integrate an ebuild into mainline portage. The problem is that, most of the time, ebuilds in bugzilla aren't just a matter of cvs add, repoman commit; a lot of testing and assurances need to be met.

1. 50% of the submitted ebuilds I see have incorrect or insufficient DEPENDs that need to be fixed before going into portage.
2. Stylistic checks, such as spacing, patching things in src_unpack, making sure FEATURES="test" works, etc. All of this takes a non-trivial amount of time.
3. I always ask, will I use this? If out of a scale of 5, I give anything less than a 4, then I do not touch it. If I will not use it, then I am doing a disservice to the potential users for committing this.

Even though I say a certain percentage of ebuilds are not of the standard that should be in portage (and believe me, there is no shortage of bad ebuilds in portage already), I believe it is wrong to just brush all user submitted ebuilds with the same brush and just say that they all suck.

All devs remember the time when they screwed up a dependency, forgot to attach a patch, keyworded something directly to stable. Don't lie to me, we've all done something that broke an ebuild and then get a bug report saying, "hey, did you just misspell src_compile?"

If we do not give users (and potential devs) feedback, how will they ever learn? Just like how we get feedback from dedicated users who give their time up to report bugs to us, why should we be so opposed to supporting a mechanism whereby they can themselves put their work up for review?

How many steps does it take for an enthusiastic user right now to grab an ebuild off bugzilla for a package that they want to install that is not in portage, and then put it in their overlay, and then emerge it? Too many to count.

How many steps will it take for an enthusiastic user using gentoo-sunrise to grab an ebuild of a package that they want to install and emerge it? Probably two steps ('layman -a sunrise', 'emerge package name'). And if they find a bug, well, ok, gentoo-sunrise needs to get that sorted out (if they haven't already).

Anyway, my point really is that, we shouldn't discount user submitted ebuilds offhand, people who contribute are not dumb. All the devs right now started off from that point. I think either overlays, or the subset, gentoo-sunrise, is a step towards a better community distribution.



27 Jul 2006

gentoo's public relations, community and innovation

Stuart's post about Gentoo's lack of organisation and ambition reads pretty much like the summary of the last 6 months of flamewars on gentoo-dev and gentoo-core mailing lists. I've read very little of any of the flamewars because I really just couldn't be bothered.

Stuart's observations are pretty much in line with what I see as well. There's been little innovation in Gentoo for the last two years, and it hasn't been able to pitch itself as a popular alternative Linux distribution that can compete with the binary ones around.

The PR Problem

Up until this month, for the last 12 months I've barely contributed anything to Gentoo. The main reason was the constant bickering (which has since subsided greatly) on the mailing lists. But apart from the flamewars on gentoo-dev, there was something else that was missing. I think Stuart is pretty close to the mark when he describes it as a PR problem, both internally and externally for the project.

The PR problem means innovative stuff in Gentoo does not get publicised internally, either because it gets bogged down by flamewars or people just don't know where to look. Developers do not know what is going on with other parts of the distribution. The solution here is not forcing each herd or team to write reports, but maybe a more encouraging attitude to blogging about new releases and cool stuff that you might be working on will be good. Things don't happen overnight, and I think initiatives like planet.gentoo.org are really helping communication both within Gentoo and outside of Gentoo. I personally learn more about the distribution from planet.gentoo.org than any other means.

One other thing that has annoyed me is the devmanual.gentoo.org (which I've only recently learned about), but really it needs a concerted push to get things up to date. I'm sure there are good graphic designers, web site designers in the community who wish to help, but don't know where to start.

Lack of innovation

Gentoo needs something more innovative, and something that engages people who want to contribute more. Instead of making the walls high to climb for people who want to make contributions, they should be lower and the development distributed.

That is why I reckon that the gradual acceptance of developer-orientated and user-contributed overlays will be the next "innovative" thing that Gentoo will see. I know, I know, all this overlay talk is just the same as apt repositories in Debian, but I think the official support for this model of development by Gentoo developers is a step in the right direction, bridging the gap between user submissions and hopefully be able to encourage people to share their contributions with other users more easily. Bugzilla really sucks for that.

Backing up a bit, I mentioned that this month I've started to contribute to Gentoo a bit more, purely because I've been excited by a blog post (note, not the GWN) about overlays.gentoo.org. The basic idea is that developers and certain users can maintain an overlay which augments Gentoo's official portage tree. All this is managed by the nifty tool called app-portage/layman where you can select from a large number of overlays, for instance, gnome-cvs ebuilds, chinese support, etc.

For instance, my overlay right now consists of experimental ebuilds for potentially portage breaking packages that need to be tested amongst developers, new software written by me in which I provide an overlay for interested people to subscribe to, and also user contributed ebuilds that I have poached from bugzilla so that I can test them and show the submitters that I am looking at their work and hopefully encouraging more interaction with them. Too long have good ebuilds languished in the Gentoo Bugzilla purely because no one has had the time/tools to test it.

PyBugz

The second thing that I have done is to start working on a set of tools to improve the development workflow for developers, and also users. I've written pybugz which is a Python command line interface to Gentoo Bugzilla (although I've also started using it on other bugzillas as well) to provide easy access for searching, downloading and closing bugs. This means a normal developer's job can now all be conducted from the command line. Using pybugz, I've probably increased my bug closing rate three-fold by not having to deal with Bugzilla's horrible web interface. This is available from my overlay, and will end up in portage as soon as I've deemed it stable.

Users can also benefit from this, if they are keen on reporting bugs, maybe they hit an emerge problem with a particular package, and instead of having to go to bugs.gentoo.org, they can quickly search with a single command "bugz search bluetooth" and find out all the bugs that may have been reported about bluetooth. And if they do not find such a bug, then "bugz post" will allow them to submit a bug report from the command line without opening their browser, even submitting their "emerge --info" to appease certain devs!

"Turning the corner"

I ranted a couple of times privately to friends about wanting to quit Gentoo development, but I haven't because I still want to influence the distribution that I use on nearly any Linux box I touch. But in G. W. Bush's words, we might be "turning the corner."

Hopefully, we're at a start of a new phase in Gentoo development, and reconnect with the community. As to catching up to Debian, Fedora and Ubuntu, well, if we take care of the community and suck in more great people to contribute, then it will only be a matter of time.



24 Jul 2006

camping at the beach in southwold

last year, i went to southwold for andy's birthday with the main event being swimming in the north sea. this year, it was the same, but different.

last year, the ambient temperature was around 10C in the middle of july and was gusting chilled wind blowing across the beach. this year, it was a brilliant 30C day (well, at least the hour of it while we were in the water) and a pretty calm and enjoyable day, and very suitable for a swim in the sea.

we made our way up to southwold from cambridge which is basically 2 hours driving east towards the english channel. our journey took a little over 3 hours due to an unfortunate female driver navigation problem which meant we had to regroup at a pub for a half hour in a town called yoxford. no, i'm not joking, there is a town called, why-oxford?.

by the time we arrived into southwold, there was no food serving place open (not even a kebab shop), so we had to settle our stomachs with a three course quavers (a kind of crisp) meal plus a couple pints of adnams in a takeaway jug.

the next morning, initially turned out to be a foggy and cloudy day with little chance of sunshine. we had planned a barbeque and hoping it wouldn't rain. we even snuck in a round of putting golf that resulted in ali b winning by 4-5 strokes and three of us tying for second place. fortunately, the skies parted and we had sunshine for a couple of hours, enough to fulfil our mission to swim in the sea and also have a barbeque on the beach using a swiss army spork from muji and a disposable instant barbeque. the day ended with much more drinking.

the final day involved us flying a powerkite that andy got for his birthday, which i really sucked at playing. i think even a girl flew it better than me! also wandered into town to see what is called the adnams flying egg competition in which a lot of interesting clocks were displayed and competed for a prize of 5000 pounds. the one that won, actually didn't even make sense, it was a plastic bag containing two paper mache angels and was called "before time" or something along those lines.

anyway, it was a great time, and i've got a nice tan, which i never thought was possible in england. i'll upload some pics later.



19 Jul 2006

fighting piracy with children in hong kong

according to new york times (via slashdot), hong kong government is enlisting 200,000 youths to scour the internet for piracy and reporting them to the customs office.

Local news reports are unfair in suggesting that the government is recruiting young people to spy on others, Mr. Tam added. “We are not trying to manipulate youths and get them into the spy profession. What we are just trying to do is arouse a civic conscience to report crimes to the authorities.”


i can't think of a worse idea than that. there are so many things that can go wrong, the slashdot comments already hint at a few:

"it. I would be pretty concerned if the government asked my son to explore dark alleys at 3am, just to figure out if drug deals are going on in that part of town."


"Sending oodles of kids out looking for music-sharing sites is kind of like sending angry, unattractive, middle-aged cops to "stop" prostitution"


"So now we are turning out 200k kids into an environment ripe for molestation. And porn, lest we forget."


and of course an obligatory peter pan humour:

"So, basically, what we have here is children fighting pirates on an island? Where have I heard that before?"


the thing is, instead of educating them that stealing is bad, you're telling them to actively go look for people doing bad stuff. how many kids will you actually teach and say, hey, i didn't know it was THIS EASY to find all these pirated songs, movies and software. i'm going to quit the boy scouts and do this all day.

secondly, so what if the kids report every single reference to pirated software or media? are the customs people going to act on this or are they just gonna sit back and get DoS'ed by these kids. they're just going to report every search term under the sun which you can use on the baidu chinese search engine.



16 Jul 2006

finishing super mario bros 3

oh yeah, another thing i did while i didn't have access to my powerbook was to play patricia's gameboy advance. when i was a kid i owned a super famicom (or SNES for you western people), and i had super mario bros 3, but i never finished it because i had to go to australia to study and left my console behind.

and i discovered that she had super mario bros 3 for GBA, so i played that non-stop for 3 days in place of when i would sit in front of the computer coding or browsing the web. i finally finished it! and that is another one off my things to do before i die list!

now i don't think buying a nintendo ds lite is such a good idea because i'll just get hooked on playing it. but i really want to try out the new super mario bros for ds! i've been twice close to buying it while walking around shops, the killer is that there is still no bundle with super mario bros + the console. i want to get mario kart, smb and brainage. and maybe zelda ... (stop ali .. stop thinking about it ..)



16 Jul 2006

away from my powerbook

well, about 2 weeks ago, we sent off patricia's macbook because she had the discolouration problem that a lot of other people were having with their macbooks. since then, i've given her my powerbook to use while i've been using her pc laptop that has gentoo linux installed on it.

it's interesting using linux full time again, reminds me how fun making software work properly is. even though you can write correct code, making everything fit together in practice is as much of an art as writing good code. however, there are some real differences:

things i really miss on my powerbook are:

1. ecto - i have to blog via the django admin interface rather than a separate app, which means there's been much more barrier to blog than just firing up an app, writing a crazy rant, adding a picture or two and sending it off all in 5 minutes.

2. adium - gaim is ugly as hell so i refuse to turn it on, that's why no one has seen me online on IM for the last week or so.

3. itunes - i get my ipod synced up once in a while on my powerbook, but i can't get banshee working as great as itunes does. i just want to play songs off my ipod and i have to jump through all sorts of hoops with mounting my ipod, and then use gtkpod to decode the songs and enqueue them on bmpx. very convoluted way of doing things.

4. textmate - i finally learnt a bit of lisp after years of using emacs just so that i could make some changes to debug some file-mode so files get highlighted properly.

5. volume control hotkeys - i still haven't figured out how to bind these on linux yet, every time i need to adjust the volume, i need to move my mouse to the top of the screen and click on that tiny volume control.

6. dashboard - i never even knew i would say this, but it turns out i look at my dashboard more times than i actually remember. i have to replace my F12 with asking patricia what the temperature is.

things that i don't miss on the powerbook:

1. mail - evolution does a pretty good job at handling my email and is heaps faster. only niggle is when you try to delete a whole thread, you can't just hit backspace but have to select all the messages in the thread, which is annoying.

2. netnewswire - thanks to newsgator online, i don't miss netnewswire that much. sure it is a little slower, but it is good enough for me.

3. safari - firefox on linux is a much better experience than firefox on the mac. given that all my bookmarks are online, there isn't really much i can't do on firefox except watch theshow with ze frank (which is in apple quicktime)!

4. vlc/quicktime - again, apart from not being able to play mov/wmv, playing divx and downloads from the net is extremely easy, just double click on the file from the gnome file selector. they even have neat picture thumbnails.

anyway, her macbook still isn't back yet, so i guess i might have another week of full time linux usage up my sleeve. in the meantime, i got back into some small time gentoo development by making myself close no more than 5 bugs a day. so instead, i've written a python bugzilla command line interface called pybugz to help me.
