Me in five years

slaniel | Uncategorized | Monday, February 28th, 2005

Adam Kessel asked me the other day, in response to some idea or other that I had for an open-source package, whether I really want to be fixing Microsoft Outlook problems and expunging spyware in five years — point being, “If you have an open-source package to develop, develop it. Get a better gig than Windows stuff as quickly as you can.”

That’s been rattling around my head for days now. Here I am at a Windows-using client’s office  . . .  expunging spyware and configuring Microsoft Outlook. And indeed, this seems like possibly the world’s worst use of my talents. Windows in general has passed in my mind through the “dangerous monopolist” stage, past the “buggy software” stage, and well beyond the “insecure computing hurts us all” stage into the “I’m just really bored” stage. It pays the bills, but Windows is bad for me and bad for my clients. They all ought to be using Linux, or at least OS X. That would make my life more fun, and would save my clients a ton of headaches.

Until they do, I’ll just work on my corner of the computing world and try to make my own career more fun.

“Make It Skinny!”

slaniel | Uncategorized | Monday, February 28th, 2005

This may be the dumbest idea I’ve heard all month: Make it skinny

(Posted from the Finagle A Bagel on Winter Street in Boston. Thank you to whoever runs the access point whose ESSID is “0pal”.)

Car & Driver on the Escalade

slaniel | Uncategorized | Monday, February 28th, 2005

Someone on my friend’s message board posted a hysterical Car & Driver review of the Cadillac Escalade in 2002, and I had lost the link — until now. I happened to be looking through old email, and I found that link; I apparently sent it to someone else and happened upon it randomly. The above link is, unfortunately, dead, but the severely awesome Internet Archive has a copy. Read it and laugh; it’s a hilarious review.

Gilmore, UNIX, “free software,” etc.

slaniel | Uncategorized | Monday, February 28th, 2005

Copyfight links to an article about civil-liberties activist John Gilmore that’s worth reading, but this sentence is just  . . .  um  . . .  wrong: “He was employee No. 5 at Sun Microsystems, which made Unix, the free software of the Web, the world standard.”

  1. UNIX was free for a while, but my understanding is that it was only really free — in the sense of “freedom” — when it was within the Bell Labs community whence it sprung. Hence item 2.
  2. Sun manufactured a version of UNIX, but didn’t invent it. People could be forgiven for misreading the sentence to infer that Sun did invent it.
  3. The version of UNIX that Sun puts out is decidedly not free-as-in-freedom. Though they’re moving in that direction, I gather.
  4. Sun’s UNIX is very much not free-as-in-beer.
  5. What does “the free software of the Web” mean? Is it the software that runs servers? That’s largely Apache, which is unrelated to Sun. Are they talking about Solaris, the OS that Sun makes? I don’t think it runs many web servers, but I could be wrong. Do they take the Internet in general as synonymous with “the Web”? So do they mean routers? Most big routers are from Cisco.
  6. UNIX is the world standard for what? For server software? Maybe. But it’s not even really clear what standard they’re talking about.

Sorry to focus on one tiny detail, but reading that sentence nearly made my anti-obscurantist mind explode.

WEP, WPA, etc.

slaniel | Uncategorized | Friday, February 25th, 2005

For those not in the know, the “secure” way of getting on the web wirelessly is to use “WEP” or “WPA.” The former stands for Wireless Equivalent Privacy or any number of other acronyms, and the latter stands for WiFi Protected Access; WPA is a fix to WEP, serving as a stopgap until the full 802.11i standard (also known as WPA2) rolls out. As far as I can tell, both are based on a password: you either specify a password and generate a WEP key from it, or (in shared-key WPA) specify a password and use it directly. It makes using laptops a little bit more of a hassle: it’s un-neighborly, and every time you come into a “protected” hotspot you have to bother with authenticating yourself. If you’re anything like me, you’d much rather just come to a random spot, open your laptop, and be on the Net.

More to the point, WEP and WPA seem like very prettily dressed security mannequins. Unless I misunderstand, they’re both based off passwords — the great bane of Internet security. More specifically, WEP is based on passwords and so is the WPA Pre-Shared Key system. I’m not sure how the other WPAs, including those based on RADIUS servers, work. I gather they’re much more secure. But as long as WiFi is largely deployed by naïve users who overwhelmingly leave the ESSID set to “linksys” or “belkin54g” and leave the password set to “admin” (Linksys) or blank (Belkin), Pre-Shared-Key WPA is what we’re stuck with. And it’s based on passwords. Passwords don’t work, and people use bad ones. If that’s all that your security’s based on, then the protocols are worthless.

And they’re superfluous to begin with. If you’re doing anything that really needs security on the Net, you ought to be — and probably are — using encryption at a different layer. E.g., your bank and every reputable online commerce site use the Secure Sockets Layer to encrypt your traffic. When I download my email, I use fetchmail to connect over the Secure Shell (an encrypted protocol) to my mail provider; fetchmail then downloads the mail to my disk securely. When I send mail, it’s sometimes encrypted with GNU Privacy Guard (and would be encrypted more often if more people used GPG). Which is a long way of saying that anything important is probably encrypted anyway.

So WPA and WEP seem to me to be deadweight losses of convenience with no compensating gain in actual security. The only speedbump that hackers will hit is that they’ll need to use a password cracker or something more sophisticated on the wireless traffic coming their way. I’m looking into how to do this now, and I’m having some troubles because my Centrino drivers apparently don’t support “monitor mode” as well as they should. But once I’ve figured that out, my naïve understanding of the problem suggests that my computer will just need to grab some wireless traffic out of the air and start trying passwords against it. Airsnort is supposed to be the tool of choice here.

Proper toilet paper hanging

slaniel | Uncategorized | Thursday, February 24th, 2005

Floaty eyeball My friend Chris is some sort of sublime genius. Gaze upon that post lovingly.

Hot hot sexy sex at BU

slaniel | Uncategorized | Saturday, February 19th, 2005

The Bookslut’s Michael Schaub predicts that “high school seniors will be applying to Boston University in record numbers this year,” on the basis of a news story about Boink Magazine at B.U. A little googling yields the Fleshbot story about Boink, in particular the cover of the first issue, which I’ve  . . .  um  . . .  cached. (For science, people.) It’s decidedly not safe for work.

Forget about high-school seniors; I’m going to be applying to B.U. I always wanted a second bachelor’s degree.

Fafblog! helps you understand treason

slaniel | Uncategorized | Friday, February 18th, 2005

So much love. (Via Crooked Timber.)

I don’t read Fafblog! regularly anymore; I wait for people to point me to the best ones, because a lot of the time it feels like a one-trick pony. That one trick is quite good, but it does tire me out.

Really there ought to be a humor best-of on the Net. This would help make The Onion that much more enjoyable; I feel like it loses a lot by working on a once-per-week publication schedule — quite often it doesn’t have any material, but it feels like it must publish or perish. Saturday Night Live has suffered acutely from this problem for 30 years. If SNL only went on the air when it had something interesting to say, it would be worth a lot more.

Off-season controversies

slaniel | Uncategorized | Thursday, February 17th, 2005

It must be because the Boston Globe baseball section had nothing to write about. Somehow they still managed to post a few stories every day to their RSS feed during the offseason. Apart from news about trades and bargaining, a large portion of the stories were about 1) a war of words between the Red Sox and Alex Rodriguez and 2) who would get the ball that led to the final out between the Cards and the Sox. Today’s story about Randy Johnson’s wisecracking at spring training is a good crystallization of this scandal-mongering.

All the tough talk between the Sox and A-Rod seems to have been manufactured by the press itself. (“So A-Rod: how do you feel about the Sox saying some bad stuff about you?”) As for who got the ball, that got blown way out of proportion — eclipsing even Doug Mientkiewicz’s very real and very valuable contributions at first base. All the Globe could talk about was Mientkiewicz’s hoarding the ball; in one article, the Globe claimed that The Ball might be the only thing that anyone remembers about Mientkiewicz now that he’s gone. That seems ridiculous to me; as someone who watched basically every game Mientkiewicz played, what I’ll remember most is his insanely good sense of timing and high-jumping abilities, which at one point allowed him to get an out off a batter which would have been a double or a triple had any other first baseman been playing. Mientkiewicz leapt into the air, caught the ball, fell onto his keister in the dirt, held up the ball to prove that he’d caught it, and sat there with a faintly confused look on his face — like he himself didn’t understand his own gymnastics. I’m sad that he’s gone; I wish we could have kept both him and Millar at first.

I can’t wait for the 2005 season to begin. Looks like the first game is April 3rd at Yankee Stadium.

The right to not be tracked with GPS

slaniel | Uncategorized | Thursday, February 17th, 2005

Do y’all know about the “reasonable expectation of privacy” standard? It tells you that you are safe from warrantless searches wherever you have a “reasonable expectation of privacy.” (Lawyers, please correct me if this is a misstatement.) The idea, I gather, is that you have a reasonable expectation of privacy in your house with the blinds drawn, but as soon as you have sex in front of the window, all bets are off. So then it becomes a game of defining the precise areas in which you have a reasonable expectation of privacy. The problem is that the standard (dating to the Katz decision) is inherently circular: the places where you have a reasonable expectation of privacy are defined by what the law tells you.

Enter a lovely decision in upstate New York decreeing that the police can put a GPS tracking device on your car without a warrant, because you don’t have a reasonable expectation of privacy on the road. It’s one thing to claim that if you pick your nose in plain view of your neighbor, the cops don’t need a warrant to use that as evidence; it’s quite another to claim that the position of the car is itself a public datum.

It seems to me that the police should be denied a warrantless search except in extreme cases — such as those times when going after a warrant would obviously destroy a case. (E.g., the suspect is flushing cocaine down a toilet in the cop’s sight.) If the cops have time to plant a GPS on a car, it seems that they probably have time to get a warrant. Not in all cases, of course, but the burden should fall on the cops to prove that they don’t have the time to do so. And if my understanding is correct, there’s already a well-established set of procedures for obtaining warrants quickly when necessary; why can’t these procedures be extended to GPSes?

ChoicePoint

slaniel | Uncategorized | Thursday, February 17th, 2005

Kevin Drum makes a good point:

THE NANNY STATE CHRONICLES . . . . ChoicePoint, a credit reporting company, said yesterday that hackers had infiltrated its database and stolen personal information about thousands of consumers. California customers were urged to check their credit reports for suspicious activity.

Why only California customers? Because no one else is being told:

A ChoicePoint spokesman said the number of victims nationwide could total 100,000, but the company could not be sure of the extent of the fraud and had no plans to contact people outside California.

There are about 65,000 of you elsewhere in the country who are at high risk of identity theft but don’t have a clue. Your state laws don’t require ChoicePoint to notify you, so they’re not going to.

Remember this the next time some corporate lobbying group whines about excessive regulation. If you don’t regulate them, they won’t act like nice guys all on their own.

This is a good synopsis of where my libertarian instincts — which are fairly strong — stop, and why they stop there.

The relevance of copyright law

slaniel | Uncategorized | Wednesday, February 16th, 2005

I’ve meant to sit down and write a long article about how the Internet has made the law relevant to a lot of people in a way that it wasn’t before Napster, Clipper, and a host of other Internet-era issues came along. Someday I may write that. For now, I think this sentence is nicely pithy and provocative (if you’re the sort to be provoked by it):

[A]s I write this review, I’m listening to John Coltrane’s “My Favorite Things” — a melody that would be outlawed had it been recorded today.

That’s from EFF’s Deep Links, which you ought to be reading. (I think its name, by the way, might come from the deep-linking controversy mentioned recently.)

Best. Firefox extension. Ever.

slaniel | Uncategorized | Tuesday, February 15th, 2005

The Abe Vigoda Extension.

Encrypted filesystem atop a regular file

slaniel | Uncategorized | Monday, February 14th, 2005

I spent a bit of time yesterday getting an encrypted filesystem to work overtop of a regular file, so I thought I’d explain how to do it here. Once again, it’s basically a process of stringing together a few atoms, rather than learning one large piece. So here goes:

  • If you want to create a filesystem, there’s an easy way and a slightly harder way. The easy way is to create a separate disk partition. That’s really not so easy if you already have your disk partitioned the way you want it; you’d have to repartition. So maybe they should be called “the actually easy way” and “the pretend easy way.”

    If you don’t want to repartition, you can create a filesystem inside of a regular file that sits inside of your ordinary filesystem. To start this method, create a file that will simulate a physical disk. To do so, use the infinitely useful dd command to write raw bits to a file — which we’ll call cryptdev:

    dd if=/dev/urandom of=cryptdev bs=4096 count=1048576

    This creates a file called cryptdev featuring 2^20 blocks of 4K each, for a total of 4 gigabytes. Choose your size as you see fit, though I’m pretty sure the block size needs to be 4K to mimic an ext3 hard disk. (Though I’m unsure.)

    Now you have a file that you can pretend is a hard disk. Note that it’s created with the pseudo-random number generator /dev/urandom in order to prevent chosen-plaintext attacks against the encrypted filesystem. I read this somewhere on the Net, and it makes sense to me, but it may also be nonsense. It takes quite a bit longer to create the filesystem using random data than it would if you used a string of zeroes (/dev/zero), but it’s a one-time charge and doesn’t seem like that big a deal.

  • Now you need to lie to Linux, pretending that a regular file (namely the one you just created) is a block device (i.e., something like a hard disk or a CD-ROM drive). To do this, you create a loopback device. The loop device is still a bit like magic to me; all I know is that it makes a fake block device for you, and that it works. To create such a device, first make sure that the loop driver is loaded into memory via

    modprobe loop

    then create the loop device you’re interested in:

    losetup /dev/loop0 cryptdev

    Now /dev/loop0 is a pretend block device, and you can use it like a hard drive.

    (The observant reader might be asking, “What if loop0 is already in use — by another encrypted filesystem, say?” The only way I’ve seen to get around this is to use a hack: write a little command-line script to check the loop devices sequentially and use the first available one. Something like this will do:

    for loopdev in /dev/loop*; do losetup "$loopdev" cryptdev 2>/dev/null && break; done

    There should be a way around this, and I’m looking around for one.)

  • Now you want to create an encrypted block device that sits on top of the loop device. You use cryptsetup for this. First make sure cryptsetup is installed. Then make sure that you have the appropriate encryption module loaded into memory; I use the Advanced Encryption Standard, because it’s been thoroughly tested; you get the AES module by doing modprobe aes. If that returns an error, you probably haven’t compiled the aes module. Compiling modules is beyond the scope of this little tutorial, but it’s not hard. You’ll also need the dm-crypt module (an updated version of cryptoloop) and the device-mapper. I’m pretty sure that the device-mapper is built into any 2.6-series kernel; to make sure, just look to see whether you have a /dev/mapper directory. If you don’t, there’s another module for you to compile.

    The device-mapper is pretty cool. It allows you to construct virtual devices on top of physical devices. You could, for instance, concatenate physical volumes together into one virtual device using the device-mapper; as soon as the first device filled up, the second device would start filling up. In this way, I’m pretty sure you could also do software RAID — which is like concatenation, but with more intelligence about where the bits are written. Then, of course, you could stack layers of intelligence atop one another: you could stack an encrypted device on top of the software-RAIDed device, all using the device-mapper. It’s a very clever way of constructing arbitrarily sophisticated devices that have only a distant connection to physical devices.

    Once you have the appropriate modules and programs running, do

    cryptsetup create cryptvol /dev/loop0

    You’ll now have an encrypted device sitting in /dev/mapper/cryptvol.

  • Now you need to create an ext3 filesystem on that encrypted loop device:

    mkfs.ext3 /dev/mapper/cryptvol

  • Finally, you can mount cryptvol like you would mount any other device — say, put an item in /etc/fstab that looks like so:

    /dev/mapper/cryptvol /mnt/cryptvol ext3 noauto

    Now you can cd into directories on /mnt/cryptvol, create and delete files there, etc. — anything that you’d be able to do with any regular filesystem.

When your machine reboots, all of this work will disappear — the loop devices will reset, cryptsetup will forget that it ever heard about /dev/loop0, and so on. You’ll be able to skip some of this work — for instance, you won’t need to recreate a filesystem atop /dev/mapper/cryptvol, because that translated into a filesystem on cryptdev, so your work is done. But you will need to do the losetup and cryptsetup steps again, and you’ll have to remount the encrypted filesystem. It’s best to put this all in a script. This will hopefully get easier in the near future, when cryptsetup gets some built-in options to handle the loop-device creation on its own. And hopefully we won’t have to write stupid logic to find an available loop device.
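The post’s steps assembled into the script it recommends, as an added example that is not part of the original post. It assumes the container file lives at /root/cryptdev (a placeholder) and keeps the mapper name and mount point used above; instead of trying every /dev/loop* in turn, it asks the kernel for the first free loop device with losetup -f.

```shell
#!/bin/sh
# Added example, not from the original post: redo the losetup / cryptsetup /
# mount steps after a reboot ("up") and undo them cleanly ("down").
# Assumptions (all placeholders): the container file is /root/cryptdev, the
# mapper name is cryptvol and the mount point is /mnt/cryptvol, as in the post.
# Needs root, cryptsetup, and the loop, aes and dm-crypt modules.
set -eu

CRYPTDEV=${CRYPTDEV:-/root/cryptdev}     # file created with dd
MAPNAME=${MAPNAME:-cryptvol}             # becomes /dev/mapper/$MAPNAME
MOUNTPOINT=${MOUNTPOINT:-/mnt/cryptvol}

# dd "count" for a container of N gigabytes at the 4K block size used in the
# post: 2^30 / 4096 = 262144 blocks per gigabyte, so 4 GB is 1048576 blocks.
blocks_for_gib() {
    echo $(( $1 * 262144 ))
}

# The kernel can hand out the first unused loop device itself (losetup -f),
# which replaces the "try every /dev/loop*" hack.
free_loop() {
    losetup -f
}

# Loop device currently backed by a file, if any (losetup -j prints
# "/dev/loopN: ... (file)"; empty output when nothing is attached).
loop_for_file() {
    losetup -j "$1" | head -n 1 | cut -d: -f1
}

up() {
    if [ -n "$(loop_for_file "$CRYPTDEV")" ]; then
        echo "$CRYPTDEV is already attached" >&2
        return 1
    fi
    loopdev=$(free_loop)
    losetup "$loopdev" "$CRYPTDEV"
    # Plain dm-crypt keeps no header, so a mistyped passphrase is not detected
    # here: it just yields a different key, and the mount below fails with a
    # bad-superblock error. Never run mkfs at this point on an existing container.
    cryptsetup create "$MAPNAME" "$loopdev"
    if ! mount -t ext3 "/dev/mapper/$MAPNAME" "$MOUNTPOINT"; then
        echo "mount failed (wrong passphrase?); undoing" >&2
        cryptsetup remove "$MAPNAME"
        losetup -d "$loopdev"
        return 1
    fi
}

down() {
    umount "$MOUNTPOINT"
    cryptsetup remove "$MAPNAME"
    loopdev=$(loop_for_file "$CRYPTDEV")
    if [ -n "$loopdev" ]; then
        losetup -d "$loopdev"
    fi
}

case "${1:-}" in
    up)   up ;;
    down) down ;;
    *)    : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as sh cryptvol.sh up after a reboot and sh cryptvol.sh down before you are done; it refuses to attach the same container twice and backs out the loop and mapper devices if the mount fails.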

Still, look at what we’ve got: a file that looks to all intents and purposes like a hard drive, and is encrypted with a rock-solid algorithm. My understanding is that it’s actually easier to encrypt your entire hard drive, because you can skip the losetup step. Though offhand, I think you’d have problems encrypting your entire hard disk — the startup sequence is going to need to load some things before it loads the device-mapper, hence before cryptsetup can work. Probably encrypting all of /home would cause no problems, though.

Prohibitions on deep linking

slaniel | Uncategorized | Monday, February 14th, 2005

When a company bans deep linking, that should be illegal, right? Please?

Album art &c.

slaniel | Uncategorized | Sunday, February 13th, 2005

As far as I can tell from a WaPo article, the only reason people would stick with physical media is  . . .  album art. (Via Slashdot.) This suggests a lack of imagination on the author’s part: why not use iTunes itself or Optical Alchemy to get the album art you need? Given a sufficiently high-resolution image file, and a sufficiently wide monitor, you could have cover art that’s larger than what you’d get with the CD.

There seems very little reason to worry about the lost album art or any of the other adjuncts. People still haven’t really internalized the main message of the computer: it’s just bits. You can do whatever you want with those bits, and attach other bits if you so desire.

Windows fatigue

slaniel | Uncategorized | Sunday, February 13th, 2005

I’ve been doing occasional work for a local IT consultant for about a year, and there’s a good chance that he’ll take me on as his first full-time employee starting this summer. It’s very exciting, and will mean — among other tasty treats — health insurance for the first time in two years. I’m very happy about this, though I’ve learned not to count my chickens until the checks clear.

The one part that’s a little bit of a bummer for me is that I’ll have to do a lot more Windows consulting. It’s not just ideological for me anymore; it’s that I find Windows really boring and irritating to use. Windows doesn’t really make any sense. The other day we ran into a problem accessing some files on a Windows user’s machine, and after exhausting the usual suspects (permissions, etc.), my part-time employer (see above) said, “Try copying the files and then opening the copy.” I asked, “Why do you expect that to work?” He replied, “It’s Windows. It doesn’t make sense.” I did the copy, and it worked as he expected.

Or the day before that, I was copying the shared folder on one Windows machine to a new Windows machine. Two files within there stubbornly refused to be copied. I went to the command line (an action that, incidentally, got me fired from one brazenly stupid employer) and got rid of the hidden, read-only, and system attributes (attrib -h -r -s if you’re following along at home), then tried to see if the copy would work. No dice. Apparently the files were showing up in a file listing, but didn’t actually exist on disk. This suggested that the file index had somehow gotten corrupted, so I restarted the machine and performed a thorough disk check. That didn’t do anything; the files still refused to be opened. So I had to copy everything over, minus those few files.

The problem is that there’s a ton of needless complexity in Windows, and people build up a set of habits to respond to that complexity. No one should have to learn the trick of copying a file and then opening the copy; the OS shouldn’t force you to learn behaviors just to deal with its quirks. The OS should be stupid as much as possible. I wonder whether Windows’s problem is that it tries to be clever where it needn’t be.

Anyway, I’m hoping to drum up Linux and OS X business for my (hopefully) full-time employer. That way I can have the best of both worlds: working on systems that I enjoy, and getting paid consistently for it.

No Shockwave for Linux

slaniel | Uncategorized | Sunday, February 13th, 2005

The fact that there is no Shockwave Player for Linux sucks. If there’s any irritant about Linux, it’s that fewer places support it than support Macs or Windows. This isn’t Linux’s fault, but it’s still annoying.

A new host

slaniel | Uncategorized | Saturday, February 12th, 2005

stevereads.com is now hosted on bostoncoop.net, which will guarantee higher stability and better bandwidth. There may be some problems until the DNS changes propagate, and probably some minor problems even after that. But I expect that this is a strongly positive change overall.

Consulting frustrations

slaniel | Uncategorized | Saturday, February 12th, 2005

Two irritants this week:

  1. First-line tech support is almost never valuable. I say “almost” because I had good luck years ago with the NT Workstation support line at Gateway; NT was an obscure-enough technology, used mostly by server admins, that anyone who supported it had to be fairly knowledgeable. But NT tech support was it; nowhere else have I ever run into valuable frontline techs.

    This week I ran into the single most incompetent tech-support person that I’ve ever spoken with. I called Verizon yesterday to get a client’s SMTP password — a question that should take no more than 10 seconds to answer. So I said to the tech, “I’d like this client’s SMTP password, please.” She replied, “SMTP password?” My heart sank; I said, “Yes, SMTP password.” She asked, “Is that an Outlook thing?” My heart sank further. I asked her whether she knew what an SMTP server was; she replied that she did not, then went off to talk to her supervisor. When she came back, she told me that she had gotten word from her supervisor, and that she had done all she could for me; for any more information, I would need to call Microsoft. I replied, “No. That’s false. This is a very simple question, and I’m just looking for an answer from you. Could you get me your supervisor, please?” I was on hold for a minute or two before I decided to figure it out on my own. Turns out that I couldn’t — the SMTP password had been lost to the mists of time — so I had to call back (this time speaking to a different tech who knew what she was talking about) and get the password reset. Problem solved.

    I don’t understand why Verizon hires these people. They’re an embarrassment to the company, and they lack the bare minimum amount of knowledge to get their jobs done competently: anyone hired as a Verizon tech should be able to parse the phrase “SMTP” so that he or she could then reset the SMTP password. There are lots of other places where “SMTP” would show up; to not know what it means is inexcusable.

  2. I run into people fairly regularly who know only the tiniest bit about computers, but start lecturing me on how I ought to do my job. These people remind me of the Red Sweatpants Guy that a bunch of us ran into at Carnegie Mellon. My friends Brian Cooke and Jon Sung and I were sitting in one of the computer labs at CMU, doing some kind of editing on the song that we had just recorded, and the RSPG kept chiming in with helpful hints such as (most famously) “use some reverb!” He was scanning double-A batteries into Photoshop while two talented musicians (who were quite familiar with reverb, thanks) and I did editing. You’d think he’d know his place.

    It’s this same type of person who hears me say that the network is having connectivity troubles, and immediately asks whether I’ve checked it with Internet Explorer. Or who lectures me on the finer points of UI design after learning to use FrontPage. I run into these people all the time. The better ones realize their own inadequacy and say things like, “I know how to do what I need to get done,” but others don’t understand the kind of abstraction necessary to really get done what they need to get done — e.g., if Microsoft Word stops working, do they really know how to make it work again? Actual problem diagnosis takes a fairly abstract understanding of how the computer is working, and most people don’t have it.

    I’m not trying to fluff my own feathers. It’s just that there are certain things I know how to do well, and I like to think that I’m aware of the things that I don’t know how to do well. I at least hope that I’m not routinely lecturing my betters on how to do their jobs.

    A graphic-designer friend of mine notes that as soon as a lot of people learn the phrases “sans serif” and “serif,” they think they’ve been taught a shibboleth that buys them access to the Kingdom of Typography, and that they’re now allowed to speak in knowing tones about the beauty of Times New Roman (it’s serifed, you know). Anyone who’s ever used a PowerPoint template fancies himself a designer.

    I was surrounded by talented folks at CMU, and I learned there how to apply a few honorifics. An “engineer,” for instance, isn’t just someone whose job entitles him or her to use the word; I was officially a “performance engineer” at one of my previous employers, but I assure you that I didn’t call myself that. “Engineering” in my book requires deep understanding of an entire system, and how all of its pieces fit together. Likewise, the world contains “hackers,” “programmers,” and “software developers,” and rarely shall the three meet: a hacker is someone like me who can bang out code, and who likes to play with the innards of a system. A programmer takes a design spec that someone else has given him and writes code to implement that design. A software developer thinks very hard about how people will use his program, designs its various parts, specifies how they’ll interact, and writes very careful code that he’s not embarrassed to submit to others for review. The first two may be talented, but they’re not software developers. (A lawyer once introduced me to another lawyer as a “computer scientist.” That is yet another mislabeling of skill. People have to earn the label “computer scientist”; knowing Perl and a few other languages doesn’t cut it.)

Sorry for excessive laboring over labels. It’s just that a) I think what I do is fairly complicated, and dumb people piss me off; b) labels do mean something when people work for them, and I’d like to preserve the integrity of those labels; and c) one of these days I hope to be an engineer, and I don’t want anyone calling me that until I deserve it.
