Posts by Philip Hands

when Sunsite DoS-ed JANET

I was the person that created the Debian ISO images for a while, which was done at the time on a machine that was in an ISP near Bracknell, and which had a 10Mbit network interface.

Previous releases had demonstrated that that _really_ wasn't enough, so I asked the people I knew at Imperial's DoC (doc.ic.ac.uk) if they could mirror the image on Sunsite for me.

Just after the Debian release, the folks at JANET in London noticed that their backbone was completely flooded, and the cause was coming from the I.C link, so they pulled the plug, and I.C. was off the air for (IIRC a couple of days) while they worked out how to limit the link, which was something like twice the bandwidth of the 100Mbit backbone.

Oops!

Creative Outsourcing?

Imagine the scene:

Wide-eyed intern gets assigned their first task at Paragon: "Just get that lot to compile with the latest kernel will you?"

... some time later, a rather dejected intern reports that they cannot understand what's wrong, and having asked around it seems everyone that knew anything about the code left some time ago, so asks if it would be OK to bundle up all the GPLed bits and lob them over the fence at the kernel devs in the hope they might have some ideas how to fix it.

That way Paragon gets to carry on charging people for the proprietary bits without having to spend money maintaining obsolecent code.

I guess we'll see if that's got any truth to it by how closely they manage to track the versions of kernels they support as new versions come out. (the FAQ currently mensions "up to 5.6.x" ... was there anything in 5.7+ that breaks their code, I wonder)

Sombody in there understands something about Free Software...

given that the API is under the Apache license:

https://github.com/hmrc/vat-api

so there are clearly some people with some sort of clue involved, but apparently the higher-ups don't understand that requiring a secret developer key is a show-stopper when it comes to a Free Software client implementation.

I also find it pretty odd that they appear to have written an API without a reference client to go with it -- how are they testing this stuff? (or is there a secret in-house client for testing? If so, shouldn't taxpayers get access to that too, having paid for it?)

This seems to amount to something akin to illegal state aide of the proprietary vendors to me. The cheapest that one seems to be able to get bridge software for is about 75 quid, and the cloudy offerings are charging a tenner a month or more. If one multiplies that by the number of VAT registered folk that need to comply one is talking about a vast cash injection for the accountancy industry for what amounts to almost no gain and often quite a lot of pain for the people that are actually doing something productive.

Couldn't conceivably have anything to do with MS moving their HQ, of course

MS moves HQ ... to Munich (Sep 2016)

I'm sure the local government wouldn't have indulged in some sort of tit for tat arrangement to make sure that's where they ended up, would they?

And the honorable politicians would never do something like ask a Microsoft partner to assess the wisdom of switching back to Windows now, would they? No, no, of course they wouldn't do something so transparently corrupt.

GPG? on Debian say?

If one were paying attention at all to these matters (and I think they do so in parts of GCHQ), you'd know that things like Debian come with full source, and that includes GPG which can deal with OpenPGP messages just as well as PGP.

I guess that sort of special knowledge is only shared on a need to know basis (or perhaps it took whoever it was who failed to get the licenses paid for four months to pluck up the courage to ask anyone what they could do about it).

Re: Cat among the pigions but...

I'm puzzled by people that raise the bogey man of "binary logging"

It's really not _that_ hard to discover that the command 'journalctl' will spew out the contents of those log files, as text, with the added bonus of having the opportunity to add options that give you the logs from this boot, or any previous boot, or only logs associated with particular binaries or services (if you can work out the not very memorable options required).

You can pipe that into the grep command that you were going to point at your logs, and get the same result, with the added bonus that you don't have to guess the right log file, or wonder if some of the messages you were looking for went elsewhere, or decompress the older compressed (and hence binary) logs, and then sod about stitching them back together with cat if you want to grep back across several of those log files.

Not that any of that's particularly relevant to Debian, which still defaults to running rsyslogd, with its normal text files, and will only do binary logging if you choose to create the /var/log/journal/ directory.

Ick

I didn't think much to the old thing with the changing content at the top of the screen that's just a repeat of the stories listed in a sane order below, but at least it was easy to ignore.

This is much less easy to ignore -- although I guess I'll manage it by not bothering to look at the site.

I'll check back in the new year to see if you've regained your sanity.

GPS training seems like a great idea

As long as the GPS used for the test is programmed to suggest a route that will make them fail the test if they trust it blindly (e.g. entering a busses-only road, or against the flow on a one-way street).

RSA==tossers ... How is that news?

I used to maintain ssh for Debian back in the day when one was supposed to use librsa (from RSA) in order to comply with their patent, so we had the real version of ssh in non-us, and the librsa-linked one for US based users that felt the need to comply with the patent.

librsa was a piss poor implementation of "their" algorithm, so when it also caused some build failures I just forgot to produce the US patent friendly version.

Nobody complained, because anyone with any sense had already decided to ignore the patent.

I've had no respect for RSA ever since -- they failed to fix reported bugs for ages too IIRC -- I had chalked that down to lazy incompetence founded on having the patent to protect them from proper competition, but it seems that there might have been a spot of corruption in the mix too.

On the other hand, having a product that appeals to the clueless is a great way to get rich, so I don't suppose most of their customers will take the slightest notice, or even realise the implications of this.

Would that 15% be the salaries of the staff that they can now fire?

Extrapolating from what I've seen a few times in the comms side of things, I'm guessing that the story so far is:

A manager wanting to furthjer inflate his reputation, worked out that techies are expensive, and only ever came to him with problems, so why not kill two birds with one stone, push the things they look after into "the cloud", then fire all the people that can diagnose who's to blame in case of failure, thus making sure that it takes as long as possible for the sevice providers faults to come to light.

Coming soon in the next exciting episode:

Our manager hero gets an award from SocITM for his cloudy prowess, and makes a quick exit to the next oportunity for an even bigger SNAFU on a larger salary, sortly before it becomes apparent that his supposed stroke of genius has resulted in nobody being able to access their data on occasion, and a casualty or two.

http://www.ted.com/talks/drew_curtis_how_i_beat_a_patent_troll.html

... so, it seems that one needs to ask the troll to demonstrate the infringement in discovery

I wonder how MS would respond to that.

I want one, but I want to own it

I'll cheerfully pay 350 quid for a device I own (i.e. Free firmware that I can at least examine, and ensure does not include a remote kill switch or other features that are not in my interests, and preferably also includes features to protect my privacy from leaking data).

I'm not wanting to be able to significantly twiddle with the readings, obviously, so they need a tamper-proof module that generates readings, along with a cryptographic checksum that allows them to confirm that I'm not tampering with that when I send readings in.

Having seen Ross Anderson ( http://www.cl.cam.ac.uk/~rja14/ ) talk about this subject, it seems inevitable that the way these meters are being funded will lead to them being cheap and nasty little security nightmares that will inevitably be abused, which could involve anything from theives looking for power usage patterns showing empty properties, up to hostile nations breaking the national grid by flicking the power in a few million homes off and on simultaneously.

Just out of interest

How is one supposed to tell the difference between bogus justifications for nuclear power that were touted in the past when we were in the cold war, and it had been decided that we needed reactors to make weapons regardless of any down side, and real actual scientific justifications that we might see today, that sound eerily familiar?

Also, I note that we don't have much in the way of tidal generation, despite it being a power source that surrounds this country. I would assume that that is because it's too difficult to extract and not close enough to where it was needed if I didn't know that those lobbying for nuclear had been sabotaging funding for alternative energy sources for decades.

My suspicion is that nuclear is something we probably need more of, but it's really difficult to trust any of the evidence from those on either side of the argument given the history, and extreme articles of this sort only serve to polarise opinion.

All it takes to kill the private sector's enthusiasm for nuclear is to suggest that they pick up the clean-up costs -- interesting that, eh?

It _could_ work ...

if it were done such that one could buy a key fob or similar token from one of a dozen manufacturers, depending on your needs, which device would generate a new key whenever one fancied, and would allow you to chose between one of several such identities.

Then you take your widget to the post office, or some such, along with your passport, a gas bill and your swimming proficiency certificate, and they sign your ID using public key crypto.

I believe that one of the ex-USSR countries has something pretty close to that in their ID cards.

If you think that one of your keys is compromised, you revoke the key, create a new one and go back to the post office for it to be authenticated. No enormous central database required.

of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities.

One could imagine having a tamper-proof module built into phones for holding these keys.

at which point this becomes something like Dave Birch's psychic paper idea:

http://digitaldebateblogs.typepad.com/digital_identity/2008/06/its-crazy-but-i.html

shame it'll never happen

Here's the thread at the OSI ...

http://www.crynwr.com/cgi-bin/ezmlm-cgi?17:mss:1249:ggejdpdgpafafejbmion

Simon and the others seem to have missed the fact that clause 4 is optional, as it only applies to people who want to avoid distributing source, so the fact that some of the non-free users get discriminated against seems like an irrelevance to me.

The thing that is problematic to me is that it makes the chicken clause dependent on distribution of source, but doesn't really define which source we're talking about -- whether that was the source one got before any modification, or after any changes that went to make the binary being distributed. Even that doesn't seem to make it non-free, since if one behaved as though the software were under the GPL (except for linking it against real GPL software), it's clear that one would not then be obliged to dance, so it cannot be less Open/Free than the GPL.

It's a shame it's GPL incompatible though -- I could imagine using it for a laugh if it were not for that. Let's hope that this becomes another instance where the OSI and the FSF differ on their decisions -- it would be nice to have this as one in the grey area as being free but not open ;-)

or about 2k per MP's office

Which doesn't sound too bad...

except for the fact that my MP tells me that he couldn't get the IT folks to do anything useful with his mail for several days when the account to which he was forwarding his mail became inaccessible in a fumbled ISP move.

I'd imagine that many MPs are the worst combination of arrogant and clueless, so I'd probably want more than 2k/p.a. to support one of those, but the fact that they were unable to sort out an MP's mail for about a week, and so wasted a load of his time would seem to indicate that they're not earning the money.

@AC

What else can you do?

How about something constructive?

What have I done in response to the Wikileaks debacle?

I set up a Tor exit node:

http://tor-exit-readme.hands.com/

I could be devoting the 50 Mbit/s that machine is now consuming to taking down Mugabe's web site, but I think it's probably more important to allow dissidents and the oppressed unfettered access to the Internet.

If it was a little more runnable under Debian, I'd also be running a Freenet node. When the software wrinkles get sorted out, I'll almost certainly do that too.

Things like Tor and Freenet make the net much more resistant to authoritarian control, and can be tuned to use only whatever resources you can afford to spare. So when you get bored with running LOIC, please consider devoting the same effort to Tor and/or Freenet instead, and leaving that running long term.

http://freenetproject.org/

https://torproject.org/

That's not to say that I think that people shouldn't entertain themselves by attacking Mugabe and his chums. Having been to Zimbabwe a few years ago I'm fully aware of what sort of bastard Mugabe is, but I seriously doubt that he'll even hear about his web site being inconvenienced (not if the sysadmins want to be alive next week, anyway).

funny how a quick search on the contributors turns up...

http://blogs.computerworlduk.com/open-enterprise/2008/12/microsofts-tired-tco-toffee/index.htm

and

http://techrights.org/2010/10/14/msft-scorpion-and-the-tortoise/