Wednesday, June 27, 2012

Sarah Donner

An e-mail from EFF led me to The Oatmeal (http://theoatmeal.com) which offers much thoughtful humor and content from Sarah Donner, a video and free song download called "The *otherf*ing Pterodactyl." Anyhow, Sarah Donner has music, including several other free downloads, at her web page. It's good stuff, and mostly not just 128 kb/s sample rate.

As an example of the humor (please note the word 'extremist') I'll present this:



Okay, I Might Turn the AC On

Tuesday, June 26, 2012

Orbitz Treating Mac and Windows Users Differently

An interesting piece on All Things Considered today, explaining that Orbitz pitches higher-priced options to Mac users than to Windows users. Apparently Orbitz has data showing that Mac users are willing to spend more on their trips. Interesting. Another interesting thing was that the NPR reporter, Laura Sydell, was surprised that Orbitz knows what kind of PC a visitor is using; nice to get occasional reminders of how naive many users are. The NPR piece is here.

There was a shorter piece tonight on Marketplace as well.

[ Note added 21:00: BTW, no knock on Laura Sydell--I'm glad she reported the piece and she did a fine job. It's more that developers and privacy advocates need reminders like this that most people have no idea how much data their browsers are sending to corporate servers. ]

Still Happy to Not Have a Facebook Account

This morning Facebook changed their users' contact information to Facebook addresses. Lovely. So now non-Facebook-users will have their e-mail addresses captured by Facebook if we respond to mails from those addresses. Probably in itself not a big deal. But it's just another example of Facebook knowing they can treat their users with no respect and few of the users will leave.

Another issue is that as people start responding from their Facebook addresses, will others trust that the sender really is who it seems to be? Will people open bogus Facebook accounts to spoof other people? Clearly yes, but that happens with most providers. Again, probably not really a big deal.

Of course, current Facebook users are annoyed because they have to either change the contact info in their profiles back to their preferred e-mail addresses or start checking e-mail in multiple places. Do you really want e-mail between your financial institutions and yourself going through Facebook? I don't think so. Do you really want work-related e-mail going through Facebook? I don't think so.

It'll be a little while before I respond to e-mail from Facebook accounts. Hopefully others will resist this power grab.

Saturday, June 23, 2012

Skype Insanity: No Longer Worth It

Tonight I noticed that I didn't have Google Voice or Skype installed on my primary desktop, which I recently upgraded to Linux Mint 13, so I decided to remedy the situation. Installing Google Voice was painless, easy, and quick. Installing Skype appears insane; I don't remember it being so bad in the past. Anyhow, to install Skype, I need to install 240-some additional packages. No frigging way:

The following NEW packages will be installed:
  bluez bluez-alsa:i386 gcc-4.6-base:i386 glib-networking:i386
  gstreamer0.10-plugins-base:i386 gstreamer0.10-plugins-good:i386
  gstreamer0.10-x:i386 gtk2-engines:i386 gtk2-engines-murrine:i386
  gtk2-engines-oxygen:i386 gtk2-engines-pixbuf:i386 gvfs:i386 gvfs-libs:i386
  ia32-libs ia32-libs-multiarch:i386 ibus-gtk:i386 lib32asound2 lib32gcc1
  lib32stdc++6 libaa1:i386 libacl1:i386 libaio1:i386 libao-common libao4:i386
  libasn1-8-heimdal:i386 libasound2:i386 libasound2-plugins:i386
  libasyncns0:i386 libatk1.0-0:i386 libattr1:i386 libaudio2:i386
  libaudiofile1:i386 libavahi-client3:i386 libavahi-common-data:i386
  libavahi-common3:i386 libavc1394-0:i386 libbz2-1.0:i386 libc6:i386
  libc6-i386 libcaca0:i386 libcairo-gobject2:i386 libcairo2:i386
  libcanberra-gtk-module:i386 libcanberra-gtk0:i386 libcanberra0:i386
  libcap2:i386 libcapi20-3:i386 libcdparanoia0:i386 libcomerr2:i386
  libcroco3:i386 libcups2:i386 libcupsimage2:i386 libcurl3:i386
  libdatrie1:i386 libdb5.1:i386 libdbus-1-3:i386 libdbus-glib-1-2:i386
  libdrm-intel1:i386 libdrm-nouveau1a:i386 libdrm-radeon1:i386 libdrm2:i386
  libdv4:i386 libesd0:i386 libexif12:i386 libexpat1:i386 libffi6:i386
  libflac8:i386 libfontconfig1:i386 libfreetype6:i386 libgail-common:i386
  libgail18:i386 libgcc1:i386 libgconf-2-4:i386 libgcrypt11:i386
  libgd2-xpm:i386 libgdbm3:i386 libgdk-pixbuf2.0-0:i386 libgettextpo0:i386
  libgl1-mesa-dri:i386 libgl1-mesa-glx:i386 libglapi-mesa:i386
  libglib2.0-0:i386 libglu1-mesa:i386 libgnome-keyring0:i386 libgnutls26:i386
  libgomp1:i386 libgpg-error0:i386 libgphoto2-2:i386 libgphoto2-port0:i386
  libgpm2:i386 libgssapi-krb5-2:i386 libgssapi3-heimdal:i386
  libgstreamer-plugins-base0.10-0:i386 libgstreamer0.10-0:i386
  libgtk2.0-0:i386 libgudev-1.0-0:i386 libhcrypto4-heimdal:i386
  libheimbase1-heimdal:i386 libheimntlm0-heimdal:i386 libhx509-5-heimdal:i386
  libibus-1.0-0:i386 libice6:i386 libidn11:i386 libiec61883-0:i386
  libieee1284-3:i386 libjack-jackd2-0:i386 libjasper1:i386 libjpeg-turbo8:i386
  libjpeg8:i386 libjson0:i386 libk5crypto3:i386 libkeyutils1:i386
  libkrb5-26-heimdal:i386 libkrb5-3:i386 libkrb5support0:i386 liblcms1:i386
  libldap-2.4-2:i386 libllvm3.0:i386 libltdl7:i386 libmad0:i386
  libmikmod2:i386 libmng1:i386 libmpg123-0:i386 libmysqlclient18:i386
  libncurses5:i386 libncursesw5:i386 libnspr4:i386 libnss3:i386 libodbc1:i386
  libogg0:i386 libopenal1:i386 liborc-0.4-0:i386 libp11-kit0:i386
  libpango1.0-0:i386 libpciaccess0:i386 libpcre3:i386 libpixman-1-0:i386
  libpng12-0:i386 libproxy1:i386 libpulse-mainloop-glib0:i386 libpulse0:i386
  libpulsedsp:i386 libqt4-dbus:i386 libqt4-declarative:i386
  libqt4-designer:i386 libqt4-network:i386 libqt4-opengl:i386
  libqt4-qt3support:i386 libqt4-script:i386 libqt4-scripttools:i386
  libqt4-sql:i386 libqt4-sql-mysql:i386 libqt4-svg:i386 libqt4-test:i386
  libqt4-xml:i386 libqt4-xmlpatterns:i386 libqtcore4:i386 libqtgui4:i386
  libqtwebkit4:i386 libraw1394-11:i386 libroken18-heimdal:i386 librsvg2-2:i386
  librsvg2-common:i386 librtmp0:i386 libsamplerate0:i386 libsane:i386
  libsasl2-2:i386 libsasl2-modules:i386 libsdl-image1.2:i386
  libsdl-mixer1.2:i386 libsdl-net1.2:i386 libsdl-ttf2.0-0:i386
  libsdl1.2debian:i386 libselinux1:i386 libshout3:i386 libslang2:i386
  libsm6:i386 libsndfile1:i386 libsoup-gnome2.4-1:i386 libsoup2.4-1:i386
  libspeex1:i386 libspeexdsp1:i386 libsqlite3-0:i386 libssl0.9.8:i386
  libssl1.0.0:i386 libstdc++5:i386 libstdc++6:i386 libtag1-vanilla:i386
  libtag1c2a:i386 libtasn1-3:i386 libtdb1:i386 libthai0:i386 libtheora0:i386
  libtiff4:i386 libtinfo5:i386 libudev0:i386 libunistring0:i386
  libusb-0.1-4:i386 libuuid1:i386 libv4l-0:i386 libv4lconvert0:i386
  libvisual-0.4-0:i386 libvisual-0.4-plugins:i386 libvorbis0a:i386
  libvorbisenc2:i386 libvorbisfile3:i386 libwavpack1:i386
  libwind0-heimdal:i386 libwrap0:i386 libx11-6:i386 libx11-xcb1:i386
  libxau6:i386 libxaw7:i386 libxcb-glx0:i386 libxcb-render0:i386
  libxcb-shm0:i386 libxcb1:i386 libxcomposite1:i386 libxcursor1:i386
  libxdamage1:i386 libxdmcp6:i386 libxext6:i386 libxfixes3:i386 libxft2:i386
  libxi6:i386 libxinerama1:i386 libxml2:i386 libxmu6:i386 libxp6:i386
  libxpm4:i386 libxrandr2:i386 libxrender1:i386 libxslt1.1:i386 libxss1:i386
  libxt6:i386 libxtst6:i386 libxv1:i386 libxxf86vm1:i386 mysql-common odbcinst
  odbcinst1debian2 odbcinst1debian2:i386 oss-compat skype xaw3dg:i386
  zlib1g:i386
0 upgraded, 246 newly installed, 0 to remove and 14 not upgraded.
Need to get 105 MB of archives.
After this operation, 288 MB of additional disk space will be used.
Do you want to continue [Y/n]? n
Abort.

It appears that many packages listed are specifically 32b--this on a 64b version of Linux Mint. I went back and checked, and I did click the 64b Ubuntu link and the .deb downloaded has a 64 in its name. So, WTF, Microsoft?

Monday, June 11, 2012

Illiteracy at Zoho

Okay, 'illiteracy' is a bit too strong for what I just noticed, but the file upload dialog at Zoho contains a comma splice:


Is it that hard to find employees who have passed high school English?

Saturday, June 9, 2012

Manually Configure Your DNS Settings in Linux

Using your ISP's or employer's DNS servers may or may not be a good idea. Are they configured properly? Are they monitoring your lookups? Note that some employers may have policies regarding what DNS servers clients use, so you may want to look into those policies.

When visiting a Wi-Fi hotspot, do you really trust their DNS settings? By default client machines using DHCP will get their DNS settings as well as other addressing information from the DHCP server, which would be the router at a wireless hotspot. Trustworthy? Why would anyone think so?

First, don't bother with the Gnome/Mate/Cinnamon networking applet. It will let you make the change, but doesn't successfully change the system configuration. Instead, find the Network Settings. In the Mate menu it's at System|Administration|Network. It should look something like this:


Click on the padlock where it says "Click to make changes" and enter your root password. Click on the connection you want to configure. For this example I'm using a desktop on a home network using Verizon FiOS. Feeling neither trust nor love for Verizon, I'd rather not trust their DNS servers. Instead, I'll use OpenDNS. Here's a little piece at the bottom of their home page:

Note the two IPv4 addresses, 208.67.222.222 and 208.67.220.220. Enter these addresses in the DNS Servers box under the DNS tab. There are other choices for a public DNS, e.g., Google.










One unfortunate aspect of the GUI management of DNS settings is that with wireless connections, the settings must be made for each access point, which means that the first time you connect to a new access point, the DNS server address will default to the access point or its DNS server. Fix it as above and then restart networking.
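
Since the resolver silently reverts on every new access point, it helps to check what the system is actually using. The following is an added example, not part of the original post: it parses resolv.conf-style text and sorts each nameserver into trusted, loopback, or untrusted. The names TRUSTED, SAMPLE, nameservers and classify are made up for this sketch, and the sample file contents are constructed.

```python
import ipaddress

# Resolvers named in the post (OpenDNS); change to whatever you trust.
TRUSTED = ("208.67.222.222", "208.67.220.220")

# Constructed sample: resolv.conf as it might look after joining a hotspot.
SAMPLE = """\
# Generated by the network manager
nameserver 192.168.1.1
nameserver 208.67.222.222
search example.lan
"""


def nameservers(resolv_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    out = []
    for raw in resolv_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            out.append(fields[1])
    return out


def classify(resolv_text, trusted=TRUSTED):
    """Sort each configured resolver into trusted / loopback / untrusted."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    report = {"trusted": [], "loopback": [], "untrusted": []}
    for ns in nameservers(resolv_text):
        try:
            ip = ipaddress.ip_address(ns.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            report["untrusted"].append(ns)   # unparsable entry: treat as suspect
            continue
        if ip in trusted_ips:
            report["trusted"].append(ns)
        elif ip.is_loopback:
            # A local forwarder; its upstream servers live in its own config.
            report["loopback"].append(ns)
        else:
            report["untrusted"].append(ns)
    return report


if __name__ == "__main__":
    for kind, servers in classify(SAMPLE).items():
        print(kind, servers)
```

To check a live machine, pass the contents of /etc/resolv.conf to classify(). A loopback entry means a local forwarder is answering, so the upstream addresses have to be checked in that forwarder's settings instead.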

At the Google page there is a link to a nice little introduction to DNS security.

Wednesday, June 6, 2012

Geez, Guys, Salt Your Hashes

LinkedIn confirms that they have had a breach, and PC World has a good discussion. LinkedIn has certainly not been following best practices, though we've all seen stupider.
  • Stupider: storing the user passwords. Any site that can come up with your current password is run by bozos.
According to the PC World article, LinkedIn lost a file containing 6.5M hashed passwords. They used SHA-1 to hash the passwords. SHA-1 is not a great hash algorithm, with NIST recommending it be phased out, but that is not the problem here. The problem is that the hashes were unsalted. This means that a brute force password guessing program can guess a password, hash it, and see how many hashed passwords it matches. People are bad at choosing passwords, so many passwords are used by multiple people.

Salting involves generating a random number for each password. Then the random number and password are concatenated, and then hashed. This means that 
  1. most likely hashes will be unique, and
  2. even if two hashes are the same, they almost certainly do not correspond to the same password.
For this to work, the random value (the salt) for each password must be stored with the hash, and then when a user logs in the hash and the salt are retrieved, the salt is added to the password the user types, and then the result is hashed. If it matches, the login attempt succeeds.
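
The store-and-verify procedure above, as an added example that is not part of the original post: it builds an unsalted SHA-1 table and a salted table for the same constructed accounts and shows how many entries a single hashed guess matches in each. The account names, passwords and function names are made up, and SHA-256 is an assumption for the salted hash; a deployed system would replace the single hash with a deliberately slow password-hashing function such as PBKDF2, bcrypt or scrypt.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts; alice and bob chose the same password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "tr0ub4dor&3"}


def unsalted_sha1(password):
    """The scheme from the breach report: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Return (salt, digest). The salt is random per password and is stored
    next to the digest; digest = H(salt || password)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify(password, salt, stored_digest):
    """Login check: re-hash the typed password with the stored salt."""
    _, candidate = make_record(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def accounts_exposed_by_one_hash(guess, users=USERS):
    """Hash one guess once and list which stored entries it matches."""
    unsalted_table = {u: unsalted_sha1(p) for u, p in users.items()}
    salted_table = {u: make_record(p) for u, p in users.items()}

    guess_hash = unsalted_sha1(guess)
    unsalted_hits = sorted(u for u, h in unsalted_table.items() if h == guess_hash)

    # With salts, a hash computed for alice's salt is useless against bob's entry.
    first_user = sorted(users)[0]
    salt, _ = salted_table[first_user]
    _, guess_digest = make_record(guess, salt)
    salted_hits = sorted(u for u, (_, d) in salted_table.items() if d == guess_digest)
    return unsalted_hits, salted_hits


if __name__ == "__main__":
    unsalted_hits, salted_hits = accounts_exposed_by_one_hash("linkedin123")
    print("unsalted table, one hash matches:", unsalted_hits)
    print("salted table, one hash matches:  ", salted_hits)
    salt, digest = make_record("linkedin123")
    print("correct login:", verify("linkedin123", salt, digest))
    print("wrong login:  ", verify("linkedin124", salt, digest))
```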

Thanks to NPR for reporting this and to PC World for explaining what happened.

Google's New Bugger, err, Blogger, No, Bugger Interface Logo









With thanks to Dynamoo.

Tuesday, June 5, 2012

My Least Favorite Spammer: the US Postal Service

The USPS is expanding their Every Door Direct Mail "service." This is the hopefully-recyclable trash that shows up regularly in our mailboxes. In essence, it is spam arriving in my snail-mail box.

The USPS will not stop junk delivery since that is their new profit model. We are no longer the postal customers--businesses of low ethical standards are the customers. I can't help but wonder whether this plan to stem USPS losses short-term will generate long-term ill will. Other than just having to go directly from the mail box to the recycling bin every day, I have to look through the incoming trash carefully, as I believe that one time I discarded the water bill with the junk.

I'm old enough to remember looking forward to the mail coming each day. I like our postal deliverer, and like the fact that she comes through the neighborhood regularly. In addition to being friendly faces who often learn the names of locals, postal deliverers spot things wrong in neighborhoods and occasionally call emergency services. Maybe we could shut the postal service down and the federal government could take some of the savings and send communities grants to be spent on police officers actually walking through neighborhoods, as opposed to speeding through neighborhoods driving while interacting with radios, laptops, donuts, etc.

Around the same time the USPS announced their intent to further promote junk mail, our local mail drop box disappeared, making it harder to bounce spam back to the USPS.
  • First class letters can be refused and returned to the sender.
  • Letters addressed to valued customer can be sent back addressee unknown. If I'm a customer, and they value me, I wouldn't be receiving such tripe. It's clearly not addressed to me.
  • Letters addressed to postal patron can be returned, because unless you are generating bulk mail, you're likely not really much of a postal patron.
  • Unaddressed mail might as well be dropped in a mail box in the hopes that it gets to someone who wants it. Okay, just recycling it is probably better.
Related Politico article: USPS: We can't fail with junk mail.

Making OpenJDK 7 on Linux Mint 13 actually Work

I had a rude surprise last night after revising and recompiling some Java code: the compiler was, as intended, OpenJDK 7, but the interpreter was OpenJDK 6. So the program barfed.

OpenJDK 7 had previously been installed in the normal way (sudo apt-get install openjdk-7-jdk openjdk-7-source openjdk-7-doc), so that wasn't the problem. The problem was that in /etc/alternatives, some of the tools linked to JDK 6, and some to JDK 7. Blech. An obvious quick fix was to write a script to update all the soft links, pointing all to OpenJDK 7. This seemed like a hack (in the original CS sense, where a hacker is a careless or unskilled programmer), so I decided to "do it right."

Uninstalling OpenJDK 7, uninstalling OpenJDK 6, and then re-installing OpenJDK 7 seems to have fixed things.

Monday, June 4, 2012

Libre Office Writer & Calc: Disabling Autoinput and Autocomplete

Some time back I wrote a quick how-to on disabling autoinput and autocomplete in Open Office. Libre Office 3 has the same problem: defaults that make the tools harder to use. The instructions there are still essentially correct but the wording on the menus has changed slightly, and I'm working with a fresh install, so I decided this is a good time for an update.

In Libre Office Writer click Tools|Autocorrect Options. Then select the Word Completion tab and uncheck Enable Word Completion. Also uncheck Collect Words, because there is no need to collect words for a feature that will never be used.

In Calc, click Tools and then Cell Contents, and uncheck AutoInput.

[ Note added 10 September 2012: above I should have written OpenOffice and LibreOffice as one word each, not two. Oh well. ]

Sunday, June 3, 2012

Zeitgeist Spyware Framework Installed by Default in Linux Mint 13

I thought I would take a moment to pull together information on the Zeitgeist monitoring system which has become a part of Gnome and is inexplicably included within Linux Mint. First, Zeitgeist is not itself spyware, but it collects much information about a user that would be one-stop shopping for any spyware that finds its way onto a system. It provides no discernible benefit, and is dangerous to keep around, so get rid of it. More information:
  1. My take on what Zeitgeist is.
  2. Zeitgeist was dropped as a component for Gnome 2.32 but the Ubuntu folks decided life wouldn't be complete without a spyware framework.
  3. Removing Zeitgeist.

An Even Nicer Little Improvement in Linux Mint 13

Mint 13, as is common in the Ubuntu world, includes a framework for spyware called zeitgeist. In the past it was challenging to remove since apt would then try to remove the entire gnome environment. So my reaction was to disable it to the extent possible, but it's still dangerous to have this stuff on the system. However, on a Mint 13/Mate system dumping zeitgeist is easy:

  sudo apt-get remove zeitgeist zeitgeist-core zeitgeist-datahub

Yippee!

This is a followup to Nice Little Improvement in Linux Mint 13.

Cloud Storage, Finding an Alternative to Google Drive

Last week I had issues with uploads to Google Drive failing. These uploads are encrypted tarballs (.tgz.cpt) of my incremental backups that I transfer among my home desktop, work desktop, and laptop. I tried out Zoho Docs rather than Dropbox just because Zoho offers a lot of extra stuff that looks to be worth exploring, and so an account there could end up being useful. Anyhow, for the last week I've been shuttling these files to and from Zoho (as well as carrying physical copies on a thumb drive) and am mostly happy with Zoho.

Zoho provides 1GB free, but limits upload sizes to 50MB, which was an issue once. This also means I'm unlikely to archive recently-purchased or ripped music there, since those tarballs typically exceed Zoho's limit. So I expect to lean toward Zoho for most of my incremental backup needs, trimming them when they exceed 50MB. If nothing else, Zoho will provide an impetus to limit the size of each.

Question: why a 50MB limit on files when the overall space limit is 20 times that? I guess I can use split.

Saturday, June 2, 2012

Another Drawback to Cinnamon

When using Cinnamon, and downloading from a web page, the download window was immobile. If it was covering up a piece of information I wanted, perhaps to use for a directory or file name, unlike every other environment, I couldn't just move the download window over.

Nice Little Improvement in Linux Mint 13

In the past with Ubuntu and Linux Mint it's been difficult to remove some relatively useless packages, since removing any of these would result in gnome or the like being removed. Not useful, and not logical. Why do I need thunderbird to use my desktop? But now with Mint 13 a simple sudo apt-get remove successfully removes all of the following without making apt think I want to throw away my desktop environment:
  • xchat
  • xchat-common
  • pidgin
  • thunderbird
  • bluez
  • bluez-alsa
  • bluez-cups
  • bluez-gstreamer
  • libbluetooth3 
Trying to remove libgnome-bluetooth8 still results in apt wanting to get rid of the desktop, but being able to easily delete all the above detritus is a big improvement, so I am not complaining.

So I just installed Linux Mint 13 last night on my primary desktop. This is the Mate 64b version. Last week I installed the 32b Cinnamon version on my laptop, and after a couple days, installed Mate and started using that instead. Cinnamon's a valiant effort and to be applauded, but has some significant usability problems.

As long as I'm detailing what I got rid of in Linux Mint 13, here are the initial additions I make and a complete list of what I remove. Additions first:
  • ccrypt emacs tcsh
  • ispell rhythmbox mirage
  • openjdk-7-jdk openjdk-7-source openjdk-7-doc
  • jflex
  • haskell-platform ghc-mod
  • texlive-latex-base texlive-latex-base-doc texlive-latex-extra
  • gftp
  • dia
  • opera
  • gparted
  • easytag
  • openssh-server
  • sound-juicer
  • xsane
  • alacarte
  • gtk-recordmydesktop
Now the removals:
  • banshee
  • tomboy
  • gthumb
  • avahi-daemon avahi-autoipd
  • vino
  • xchat xchat-common
  • pidgin
  • thunderbird
  • bluez bluez-alsa bluez-cups bluez-gstreamer
  • libbluetooth3
BTW, above I used thunderbird as an example of something to be removed. I like thunderbird--it's a good tool. But now I do all my e-mail through web-based interfaces, which is concerning in some respects, but until I decide to break this bad habit, I do not need a mail client.