Archive for December, 2006

Why you should not be excited about Vista

Sunday, December 24th, 2006

The news about the Vista release is seeping through to the collective consciousness of the unenlightened masses. Usually when common folk hear about some new technology, they seek out their local techno-magi to ask them questions about it. So lately I have been getting a lot of questions about Vista. This is usually what I tell people when they ask:

Vista will be shiny… It will look like a million bucks. Other than that it’s less stable, less secure, and less usable than WinXP. It is an operating system designed to let the user do less with multimedia. In Vista, content protection takes priority over stability, security, and robustness concerns.

If you have a computer running WinXP you should be fine for the next 3-4 years. Do not upgrade - it’s a waste of money.

Now I can just point people to Peter Gutmann’s Cost Analysis of Windows Vista Content Protection document to illustrate to them how bad this OS really is. This is a slightly long read, but if you are wondering why your IT department absolutely refuses to deploy Vista on critical workstations, this is why. Consider this advice your Christmas present.

Idiot Judge Rules Against Direct Linking

Saturday, December 23rd, 2006

The Robert Davis vs SFX case might just be the dumbest court case of the year.

Here is the skinny on the case. Apparently SFX has an inept, incompetent, and most likely retarded webmaster who can’t figure out how to add one line to the .htaccess file. Since their webmaster is a worthless sack of rotting lard, the mentally challenged management monkeys decided to sue Davis, who was providing direct links to their webcasts.

Davis knew that the case was a joke, so he didn’t even hire a lawyer. He then proceeded to totally clown himself in the courtroom, and thus the idiot judge who clearly must suffer from some sort of extremely disabling mental retardation ruled against him.

This is like a trifecta of dumb!

SFX is dumb because they couldn’t figure out how to do a simple redirect, and instead opted to go the legal route. What could have been a 5 minute job for a competent webmaster turned into a drawn out court case and big lawyer bills.

Davis is dumb, because he lost a case that was almost impossible to lose - especially since the very similar Ticketmaster vs. Tickets.com case had exactly the expected result - the judge ruled that linking is not infringement. This case was a no brainer. So just think - how bad was his defense to make the judge rule against him?

And of course, the judge is inexplicably dumb, because he should have known that the SFX case was absolutely baseless. But then again, if all 3 parties taking part in a lawsuit are just plain stupid, then the resulting ruling can’t be anything but.

Where do you draw the line here? Is Davis still allowed to post URLs to the media files? How about partial URLs (like go to example.com and then /whatever/media/webcast.mpg)? How about partial URLs shifted with rot13?

Sigh… I wonder what this ruling means for the internet as a whole…

Teaching GPG to the Masses

Friday, December 22nd, 2006

Public key encryption is awesome - it’s a fact. The only problem with it is that no one except a few security geeks ever wants to use it. Most people’s adventures with email encryption start when they download and install gpg and generate themselves a key pair. It’s fun and exciting until you realize that you don’t know a single person that you could exchange your keys with.

So what do you do? You generate another key pair for your other email, and then send yourself a few encrypted messages back and forth. Then you go and nag your friends to install it. Usually no one ever does - and if they do, they manage to lose their passphrase within a week. Then you forget your own passphrase because you never use it, making this whole exercise a waste of time.

The other day my brother discovered obfuscation. He found one of these “convert text to binary” web apps and realized he can use it to post cryptic messages on people’s myspace that only a few people would be able to decrypt. This led him to simple caesar ciphers and the infamous rot13.

So he asked me if I could write him a program which would do some kind of “for your eyes only” encryption. I briefly explained GPG to him and he thought it was relatively cool. I’m planning to show him how to use the gpg4win suite, which is probably the most intuitive Windows-based GPG frontend that I have tried.

I wonder if this is going to be too much of a PITA for him, or whether he will actually be able to convince his friends to use it. I’m secretly hoping that maybe it catches on and starts snowballing, infecting the MySpace generation with a fascination for public key encryption. It’s not gonna happen of course. But if I can teach a few kids to use GPG for encrypting personal communications then it is a success in and of itself.

Dentists is teh Suck

Wednesday, December 20th, 2006

Here is a tip kids. Go to the dentist before your teeth start hurting. Don’t do what I did, and wait till the last minute. Otherwise you are in for a fun ride.

I think the hole in my tooth somehow developed some extra mutated nerve endings. My tongue was essentially all numb, and the whole side of my face had no feeling but I could feel every freakin thing that the dentist was doing to my tooth. My whole jaw still hurts - I don’t know if it’s from the shots, or from the muscle tension or both. I may or may not have to have a root canal. It depends if it continues to bother me or not…

This whole thing got me thinking… Dental care is kinda like software engineering. Going to the dentist is in some ways like refactoring. No, I’m serious. Badly designed code is essentially akin to tooth decay. You can ignore it for a while, because fixing it might be scary and it can potentially mess things up. But at some point it becomes such a pain that you will be forced to do something about it. And the longer you wait, the worse it gets.

If you resolve it early in the development process - say the instant you realize that your design is flawed - the whole procedure might be relatively painless. You can use the built-in tools in your IDE, rebuild and be done with it. You may need to spend some extra time testing it, or making sure that everything works properly.

If you wait till the last minute though, you might be in for a real pain. Bad design will often force you to make more bad design choices to overcome the inherent shortcomings and quirks of your code. A wrapper class here, some glue code there, a few ugly hacks to patch things together - these things accumulate and create layers of kludgy code which is neither easy to debug nor easy to refactor. No IDE can automatically clean up your code if what you wrote is a tangled web of workarounds and dirty hacks built around a broken model.

Two Factor Security

Tuesday, December 19th, 2006

Two factor security is great on paper, but often it turns out to be a major pain in the ass for the users. You wouldn’t think that carrying a small RSA token would be much of a problem. But for some people it is. It’s funny how they always find ways to somehow cheat the system, for example by using a webcam like this dude:

[Screenshot: RSA Two Factor Security vs Webcam]

I found this on some tech blog, and my jaw just dropped. I immediately took a screenshot for posterity. This is how you take a robust two factor security solution and turn it back into a one factor scheme. Now the attacker simply needs to know your password and the URL of your webcam (and potentially the password to access the feed). This setup is completely vulnerable to a keylogger or various man-in-the-middle attacks, whereas two factor RSA, if used properly, would not be.

It’s unfortunate, but security is really 1 part technology and 4 parts user education. Two factor can be a nuisance, and users will likely hate it. But it is important that they understand what it is used for and how it works. If they do not understand it, or if IT is anal about replacing lost or broken dongles, people will just start leaving them at home and pointing live webcams at them.