Thursday, December 18, 2008

Long-, Short-, and Term-Term Memory

Much has been written about short and long term memory, but nothing I'm aware of about term-term memory, that phenomenon by which students, by the beginning of a semester, have forgotten everything learnt in the preceding semester. If anyone can point me to any references, I'd be obliged.

Sunday, November 16, 2008

Kudos to XOHM's Treatment of the DNS

I'm not sure how long this will last with every corporation throwing ethics to the wind in order to wring every penny out of every customer, but XOHM isn't messing with the DNS. I previously mentioned my displeasure with CavTel's redirecting DNS lookup failures from the web browser to itemnotfound.com. XOHM's allowing the DNS to work as designed.

My Last Mile

This fall I've made major changes to the wires running into my house and thought I'd take a minute to discuss Internet provider options in suburban Baltimore. Right now I'm using XOHM 802.16 (WiMAX) service at home. I get good performance--better than my prior DSL--and the price is good. In a money-saving move, I no longer have a land line, so I had to ask Credo to boost my anytime minutes (now 450/month) and shift the beginning of my off-peak minutes from 9pm weeknights to 7pm.

To quote David Byrne, "well, how did I get here?" I moved to Baltimore County in 2005. At the time, it seemed natural to go with Verizon for phone and DSL. I already had a Verizon cell phone. I chose Working Assets (now Credo) for long distance service. The Verizon DSL was poor from day one. I spent a lot of time on the phone with Verizon technical support that year, including much time on hold, with their IVR, and with actual support personnel. Their IVR said my line checked out fine, so it seemed the obvious thing to do would be to swap out my DSL modem or check theirs at the CO. I couldn't get them to take that simple step or to send a tech out to diagnose the problem. The DSL was so bad that I often dialed in to UMBC's 56kb/s modem bank (which I think is now gone). The land line service was exceptionally poor as well, very noisy.

In the meantime, Verizon was unable to combine my land line and cell bills. They kept touting "one bill," telling me that they'd take care of it, and then a few weeks later I'd get a letter explaining that the bills couldn't be combined, with no explanation. Then I'd talk to customer service, a friendly rep would assure me she'd take care of it, and a few weeks later I'd get the same letter once again. I went through three iterations of this. I suspect the problem was that the cell phone had a Frederick, MD number, and Frederick's a couple counties over.

When my year with Verizon was up, I switched to CavTel for land line and DSL and Credo for cellular. CavTel uses Verizon's network, but charges customers less and has much better customer service. Credo uses Sprint's network, as of 2005 charged customers less, and has very good customer service. The CavTel DSL did not work--they use Verizon's lines, after all. But, after a call to CavTel customer service, a Verizon truck showed up in the alley behind my place, the line was fixed, and DSL worked reliably the rest of the time I was a CavTel customer. When they fixed the DSL, the noise on the land line cleared up as well. I was a happy CavTel customer, but paying $80 monthly for Internet and phone.

Enter Comcast, claiming $62 monthly Internet and phone. I'd heard bad things about Comcast's customer service and network reliability, but I decided to give them a shot. Note: this was about when XOHM started offering service in the area, and I think Comcast's lower prices are the result of competition, something that Comcast and Verizon don't have much of a history of. The Comcast tech came, did the install, and I was happy. The service was fast.

I wasn't happy for long, though. The Comcast Internet service worked for about 4 hours. I talked to technical support and they said it was a database problem that would be fixed in 24-72 hours. 72 hours later, still no Internet service. In the meantime, I noticed that the Comcast phone was noisy (not as bad as Verizon had been) and every time I picked the handset up, I got the staccato dial tone, indicating voice mail present. But there usually wasn't voice mail. So if they don't know how to install service and they can't fix what they claimed was a simple database problem, I don't want anything to do with them.

So I decided to disconnect Comcast service. A funny thing about disconnecting: when I went through their IVR and selected reduce or disconnect service, it put me on hold. I had stuff to do, so I hung up and dialed back in, but this time I selected add features. They picked up right away, and the woman I got was able to schedule the disconnect. But she said it would take about a week and a half. The next day I called back for a clarification of where I had to drop off their cable modem, and was told the billing would stop as soon as I returned the modem. It didn't but their customer service says they've taken care of it. Hope so.

So everything about Comcast, and everything about Verizon in Baltimore County, was negative. I'd been okay with Verizon in the past, but hadn't really needed their technical support before, so maybe I'd just been lucky. So, no land line and no Internet service. What's a guy to do? The most economical approach appeared to be upgrading my cell plan with Credo and going with XOHM, $25/month now, going up to $35/month later. I decided to give this a try.

I'm happy with XOHM. I'm at the edge of their service area, which concerned me a bit, but I am getting around 2-4Mb/s consistently. My first XOHM modem/router stopped connecting to the network several days after starting the service, but the second tech support guy I talked to said "Your modem's acting weird. Take it back to where you got it and exchange it." This was NTI Wireless, a friendly little shop pretty close to my house. I exchanged the modem, and everything's been fine since. About XOHM customer service: this is Sprint, and one of the reasons I like Credo is that they isolate me from Sprint customer service. CavTel and Credo have the tremendous advantage of being larger customers than I am, and so have some voice with the actual network provider. So, XOHM is Sprint. Sprint has a very large investment in XOHM, and they're not making money off it yet. But they're rolling it out to other cities now, apparently DC and Annapolis recently. They need to make it work, and this isn't a great time to hunt down new customers. Anyhow, their tech support people seem inexperienced--XOHM is a new service, after all--but the wait times are short and they sound like they might really be in the Kansas City area as opposed to overseas.

As a loose end, part of why I was willing to go without a land line is that my current cell phone gets pretty good reception at my house. It's a Samsung m300, and really not a good phone (I've reviewed it at Amazon). But it's an upgrade over an Audiovox phone I had, much better than an LG piece-of-junk that I shipped back to Credo, and not really as good as the old Samsung phone I used with Verizon from '02-'06.

Wednesday, September 24, 2008

Mikulski on Paulson's Cash for Trash

Promising text from an e-mail I received from Sen. Mikulski's office this afternoon: "Congress must act promptly to restore confidence and stability in the economy. But I will not be stampeded into voting for the Bush Administration bill. During the last seven years, every time there's a crisis, they generate fear and they generate bad ideas. This three-page bill gives the Secretary of the Treasury unlimited power to intervene in our financial markets without any review by Congress, agencies, or courts. It cannot be rubber stamped by the Congress."

$700G Bailout

Secretary Hank Paulson's Cash for Trash Scheme.
  1. From Tom Schaller, political science professor at UMBC, a Baltimore Sun editorial on liberal vs. conservative takes on government assistance, socialism, etc.
  2. Lauren Weinstein's take on the mess.
  3. From the Daily Kos: The Biggest Heist in World History

Tuesday, September 2, 2008

GNU Emacs: making the obvious difficult

Off and on it's really irritated me that someone on the GNU team decided to change the default behavior of tab in fundamental mode from insert ^i to indent-relative. I hate indent-relative. It makes lining things up in columns in text files difficult. So every few months I do a Google search, find other people making the same complaint, and see less than helpful suggestions. Tonight I got more frustrated than usual, and so spent more time than usual. It appears that the following shuts off indent-relative for the most part without messing up filename completion or indentation in various modes, e.g., java or html.
(setq default-major-mode 'text-mode)
(define-key text-mode-map "\t" "\C-q\C-i")
The above is pretty much alpha code at the moment. There's detritus in my .emacs that suggests that years ago I didn't like text mode for pnews or mail modes, but those are no longer issues. indent-relative is, IMHO, evidence of word processor-oriented thought processes, not text editor-oriented processes. As Linux grows to be more Windows like (e.g., bloated and buggy), there seems to be an undercurrent of making basic tools, e.g., emacs and wc, less Unix-like.

Tuesday, August 26, 2008

Installing Apache on Ubuntu

Addison Berry provides a very nice video walking the viewer through the installation of Apache/PHP/MySQL on Ubuntu: http://www.lullabot.com/videocast/install-local-web-server-ubuntu

Wednesday, August 20, 2008

Security Profiteering

Reducing the chances that we'll ever get away from security screenings is the new view of the security checkpoint as a profit center. Airports, and now football stadiums, have security checkpoints, long lines, and now faster, low-security lines available to customers willing to pay. This may be less objectionable in a stadium than in an airport, since stadiums have more room for more checkpoints, but it still seems to be primarily a way to profit off security theater. First of all, what reason do we have to believe that the background checks of those willing to pay the fees are actually effective? Second, in an airport, there is limited space for security checkpoints, so adding express lanes reduces the space for other security lanes, so people willing to pay for the low security line slow the rest of us down. Finally, a new segment in the security theater industry creates a new group lobbying against change. Once these fees are in place, and being funneled to "entrepreneurs" profiting from them, there will be lobbyists fighting any attempt to do away with these trusted traveler/fan programs. And we'll have another example of congress following the money rather than listening to the citizenry--who, BTW, don't seem to care enough to stay informed or to vote. The odds of being killed by a terrorist are nearly zero, but the probability of being inconvenienced by, losing privacy and liberty to, and footing the bill for security theater is 1.

Thursday, August 14, 2008

If I Had a Hammer...

I have my new RFID passport. I considered whacking it with a hammer and hoping that would kill the RFID chip. A lot of people are doing this, or at least talking about it. Instead I've gotten a new passport holder that doubles as a credit card holder and a Faraday cage. Now I feel better with the not easily testable assertion that when the passport's closed, it can't be read. Apparently the chip's easily read if the passport is open just a bit, and not so easy if it's closed. The Faraday cage adds a layer of security. Using a Faraday cage rather than a hammer has the added benefit of not being illegal. The US government says it's illegal to try to maintain just a little privacy. Soon we'll have Real ID with RFID chips, and the game will be over, game set match to the shadowy overlords. I really should get and play around with an RFID reader.

Gnome Caps Lock, Insert Keys

Some time back I discussed disabling the caps lock and insert keys in gnome. In Hardy Heron (Ubuntu 8.04) the caps lock suggestion I made stopped functioning. Here's the new fix:
#! /bin/sh
# Kills the stoopid caps lock and insert keys.

file=/tmp/capsLockDisabled

if test ! -e $file ; then
        /usr/bin/xmodmap -e "keycode 66 = "
        /usr/bin/xmodmap -e "keycode 106 = "
        /bin/date >$file
fi
I'm still amazed every time a new release of Gnome comes out and they still don't give the user a way of getting rid of these. As a system staffer in the Ohio State CIS department (Frank Adelstein? Frodo?) once said: "The caps lock key shouldn't be right next to keys that are used all the time. It should be somewhere off in the next room." Ok, that was a paraphrase, not really a quote, and I don't remember who I'm paraphrasing. Anyhow, the above script does it. I call the script from my .cshrc. Those of you who use bash (yuck) would put it in your .profile.

Evince Bug Workaround

Evince has been a continuous battle for me ever since I switched from KDE to Gnome. Ok, more of an occasional annoyance than a continuous battle, and the various problems I've had with Evince convinced me to install and primarily use kpdf for awhile. Well, I've got a fresh Ubuntu install, and didn't want to litter it with all the junk that comes along with kpdf, so I've been using evince. However, evince wants to print everything in A4 format. Yes, my printer defaults are letter. Yes, the PDF documents are letter size. Yes, /etc/papersize contains one line, letter.

I remember wasting an afternoon on this sometime back, so the question became: tell evince to use letter every single time I print, go back to kpdf, or waste another afternoon with no guarantee of better results than last time.

First, I tried the obvious thing:
man evince

Totally useless. Instead of placing everything in one place, the evince folks have decided to scatter documentation all over the place at their web site. But, unlike last time, Google found me a solution, a recent blog entry by Dominique Cimafranca at UbuntuLiving. He apparently uses bash, and so suggests a change to the user's .profile. I use tcsh, and so added this line to my .cshrc:
setenv LC_PAPER en_US.UTF-8@letter

UbuntuLiving suggests that after making this change, one log out and then back in. Not necessary. Any new xterm opened from that point will have the correct setting, or one can just type
source ~/.cshrc

in an existing xterm (or gnome-terminal, or konsole, or whatever) and LC_PAPER is set. Then the next time you type the evince command, it'll actually print correctly with no gyrations by the user. Imagine that.

Is this a bug within evince? The evince folks may think not, but Google is unable to find any mention of LC_PAPER at site:www.gnome.org/projects/evince/ and the man page is useless, so the documentation is woefully lacking. Yeah, I'm using an undocumented feature. It'll probably break with the next release.

Saturday, July 26, 2008

Gnome's Messed-Up GLSlideshow

For some inexplicable reason, in Ubuntu 8.04, the screen saver GLSlideshow has no configuration options. There's a long discussion of this issue in the Ubuntu Forums, suggesting that a lot of people have found this perplexing. I think the best how-to on managing GLSlideshow is provided by Bits 'n Pieces.

Friday, July 18, 2008

Mark Berg Climbs Kilimanjaro

First, the Boston Herald article
The NHL has a day-by-day log of the trip:
[ Added 2011-12-30: the NHL seems to have deleted the day-by-day log, but they have a video, likely shot by Mark, at http://video.nhl.com/videocenter/console?id=22732 ]

Memorex: Explain This, Please...

I had need for CD-Rs and the only brand at the University bookstore was Memorex. I had very bad luck with their 5.25" floppies in the early or mid '80s, but that was a different item a long time ago. The cylinder's wrapping said "Cool Colors." Fine. Like I care. It turns out I do care. Several of the CDs are black. How exactly do I write on those? I don't think it matters what color Sharpie I use, it's not going to show up.

Monday, July 14, 2008

Considering Google AdWords?

A post at Securosis suggests that maybe it's really not worth it.

Sunday, July 13, 2008

Privacy Naiveté

The State Department has placed RFID chips in the identity card usable for surface travel between the US and Canada or Mexico. On the page where they describe this card, they have the following question and answer: "Won't this chip violate Americans' privacy?"

There will be no personal information written on the electronic chip itself. The chip will have only a unique number pointing to a stored record contained in secure government databases.

However, the card will have a unique identifier--the number State is using as a database key--and this number can be used to track specific individuals and to detect the proximity of a US citizen. Carrying one of these outside a Faraday cage will threaten the bearer's privacy.

Wednesday, July 9, 2008

OpenOffice Calc 2.4.1 Read Only Mode

As long as I'm on the topic, another aspect of OO 2.4.1 Calc that can only be considered a bug is that when one opens a spreadsheet in read-only mode, it's not possible to select and copy parts of a formula from the formula box. The closest one can come, so far as I can tell, is to copy the entire formula out of a cell. Why can't I copy read-only text? This is a copy I'm trying to do, not a cut, not a modification.

Disabling OpenOffice's Stupid Autocomplete

[ An updated version of this information appears here. ]

With autocomplete, OpenOffice has managed to make a completely useless, very annoying behavior default. They've also done a good job of hiding the menu options to disable the "feature," and have hidden it in different places in different tools. This is a case where consistency would reduce the impact of a stupid default. Anyhow, as others have mentioned, whenever I'm using a freshly-installed OpenOffice (e.g., after installing a hopefully less-buggy version of Ubuntu), OpenOffice reminds me how much I dislike this "feature." And I spend too much time hunting down how to kill it.

First, in OO Writer it's not really that well hidden. Copied from http://nowacki.org/blog/2004/05/disable_autocomplete_in_openoffice.html:
  • Tools -> AutoCorrect/AutoFormat…
  • Word Completion tab
  • Uncheck "Enable word completion"

Unfortunately, this doesn't disable the "feature" in OO Calc, and the OO Calc option is very well hidden. Today I really was having trouble figuring it out--it is, of course, not in what passes for help in OO--which led me to nowacki.org via Google. From their blog entry: Tools -> Cell Contents -> AutoInput

Of course, this is the root of the problem: we're supposed to magically know that in OO Calc they call it autoinput rather than autocomplete. What, if anything, are the OO folks thinking? This has been a usability problem and unnecessary time sink for a lot of people for a long time now. When will they disable it by default, or at least make it possible to find the option in OO Calc? Or maybe talk about disabling it in OO Help?

Charter Communications' Unethical Browser Hijacking

Tony Bradley at about.com has a very interesting article on how his ISP is hijacking Microsoft's Windows Live Search. This is a very good example of why we need strong net neutrality laws.

Friday, July 4, 2008

What's Wrong With This Sentence?

Sentence: "Sequoia blamed the discrepancy on pollworker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation." Context: A Computerworld article describing irregularities in the February NJ presidential primaries in which the electronic counts in Sequoia machines didn't match the paper log counts of votes.

According to Computerworld, the county clerks had asked Princeton's Ed Felten to look into the matter, but, hearing this, Sequoia threatened legal action saying that Felten's investigation would violate the terms of the licensing agreement. Upon asking the NJ AG for help in dealing with Sequoia, Sequoia chose an outside firm--one of their choice--to analyze the systems and deliver the result to Sequoia and the AG's office. The article closes:
Even if pollworker error was to blame for the voting discrepancy, the issue should still be addressed, Dressler said. "There should be a fail-safe measure so the election workers can't do that." "This is too important of an issue to be swept under the carpet," he added. "If there is any issue with the Sequoia machines, we should shed a light on it."

Oh, and what was wrong with the sentence? Fixing human error with a software update seems tenuous at best, and it totally ignores the issue of that particular election.

Saturday, June 7, 2008

Irony

Just visited the Fortify home page. NoScript, as is its wont, defaulted to no scripts (default deny). Fortify responded with Please upgrade your Flash Player. I thought Fortify was a security vendor. They're asking me to open myself up to the myriad of Flash vulnerabilities?

Friday, June 6, 2008

itemnotfound.com

One annoying thing that's become a common source of extra revenue for ISPs is to damage the DNS. If a web page isn't found, rather than reporting it, the browser is redirected to itemnotfound.com or some such. Why does this matter? (1) The mis-typed URL is gone, so the user can't immediately see what the typo was. (2) It's a page of ads. Aren't we subjected to enough ads on a day-to-day, or minute-to-minute basis? Anyhow, in an effort to assert ownership of my computer and browser, I've added these lines to /etc/hosts:
127.0.0.1 wwwv.itemnotfound.com
127.0.0.1 www.itemnotfound.com
127.0.0.1 itemnotfound.com
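A way to tell whether a resolver is doing this kind of redirection, added here as an example and not part of the original post: look up a random name that cannot exist and see whether anything answers. The resolver is passed in as a parameter (an assumption of this example, so it can be exercised offline with the constructed stand-ins below), and the hosts-file parser checks that the three entries above are actually pinned to loopback.

```python
"""Probe a resolver for NXDOMAIN redirection and check the /etc/hosts workaround."""
import secrets
import socket

# The hostnames the post pins to loopback in /etc/hosts.
REDIRECT_HOSTS = {"wwwv.itemnotfound.com", "www.itemnotfound.com", "itemnotfound.com"}


def probe_name():
    """A random 20-hex-character label under .com. A resolver that works as
    designed must answer NXDOMAIN for it, which gethostbyname surfaces as
    socket.gaierror; a redirecting resolver hands back an address instead."""
    return secrets.token_hex(10) + ".com"


def check_nxdomain_redirect(resolve=socket.gethostbyname, tries=3):
    """Return (probe, address) if a name that cannot exist still resolved,
    or None if the resolver reported failure for every probe."""
    for _ in range(tries):
        name = probe_name()
        try:
            addr = resolve(name)
        except socket.gaierror:
            continue  # lookup failure reported, which is the designed behaviour
        return name, addr  # something answered for a nonexistent name
    return None


def parse_hosts(text):
    """Map every hostname in hosts-file text to its address; comments and
    blank lines are skipped, and one line may carry several hostnames."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name] = addr
    return mapping


def unpinned_redirect_hosts(hosts_text):
    """Which of the redirect hosts are NOT pinned to 127.0.0.1 in hosts_text."""
    mapping = parse_hosts(hosts_text)
    return sorted(h for h in REDIRECT_HOSTS if mapping.get(h) != "127.0.0.1")


# Constructed stand-ins for the two resolver behaviours (offline demonstration).
def honest_resolver(name):
    raise socket.gaierror("constructed NXDOMAIN for " + name)


def redirecting_resolver(name):
    return "198.51.100.53"  # documentation-range address standing in for the ad server


if __name__ == "__main__":
    hit = check_nxdomain_redirect()  # uses the real system resolver
    if hit is None:
        print("resolver reports NXDOMAIN correctly")
    else:
        print(f"{hit[0]} resolved to {hit[1]}: likely NXDOMAIN redirection")
```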

Sunday, May 18, 2008

Security Issues Solved!

From the CircuitCity.com review of the Yoggie Gatekeeper SOHO Network Security Server:

Features
Complete protection: Yoggie Gatekeeper SOHO offers corporate-grade security for your small office or home network. Protect up to five computers with 13 built-in security packages packed inside a small, palm-size, Linux-based security server.
No additional software needed: No need to purchase or manage additional security software for your PC’s—just plug the Yoggie Gatekeeper SOHO into your Internet router and your computers are completely safe.
Parental controls: Yoggie Gatekeeper SOHO manages the security from outside the child’s computer. Through an intuitive remote management environment you can enforce web content filtering policies, and control on-line time, without actually accessing the child’s computer.
Easy to install and use: With Yoggie Gatekeeper SOHO you don’t have to be a security expert to enjoy corporate-level security. All you have to do is simply plug the Yoggie device into your network router and you are completely safe. It even features automatic security updates and upgrades, so you don’t have to worry about downloads.

Not once, but twice this review says that the user is "completely safe." Additionally, Circuit City begins the review with the phrase "complete protection." Finally a security device that offers complete protection! I can discard any other devices, software, or processes I have in place--Yoggie has it covered! To be fair, it appears that this is a stateful firewall and a proxy for a number of popular protocols. It probably does a fine job, but it certainly doesn't completely secure a network. Indeed, if a naive user believes reviews such as the one at CircuitCity.com, it's likely to make the network less secure. Unfortunately, the Yoggie site itself says "Connect your laptop to any hotspot without security-related concerns." So now I can send personal information over unencrypted wireless LANs with no security concerns?
Another troubling thing is that one of the review sites says that software updates are free for a year, and an eBay seller mentions a three-year subscription. That raises red flags, and I can't find any mention of subscription prices or durations on the Yoggie site. The Circuit City page gives essentially no information beyond the market-speak given above. Amazon's description is roughly the same as Circuit City's "review," lending credence to my impression that the "review" was written by a marketer. Yoggie also provides something called the layer 8 security engine [sic]...

Monday, May 12, 2008

OTA DTV in Catonsville

I've been transitioning to over-the air digital TV with my $12 converter box (the feds paid $40 of the cost). As of the weekend I had mixed feelings because stations were coming in well when the antenna was oriented correctly, but the antenna had to be reoriented for different stations, and sometimes it wasn't easy. I spent maybe 90 minutes online tonight reading about and shopping for antennas, and came close to buying a new one. A reviewer at Crutchfield said that he got much better reception when he moved his antenna away from the TV. My antenna--a several-year-old amplified Radio Shack model--was sitting on the TV. Made sense--this was higher than most anything else in the living room I could set it on, and my dad always put the rabbit ears on top of the set, at least up till when we got cable in the early '70s or so. So I looked at the setup, and moved the antenna into my bay window. I also visited antennaweb.com to get vectors to the various TV stations (most are at 56 degrees 5.2 or 5.3 miles, but a couple are at 291 degrees 2.1 miles, and MPT is at 174 degrees 19.7 miles). I can't say I used that info in a particularly deductive sense: my antenna's pointed vaguely NW and I'm getting good signal strength for every station I want. Stinking amazing. I'm getting the best picture I've ever gotten on that old RCA TV, and the lineup's pretty complete: ABC (2.1, 2.2, and 2.3), NBC (11.1 and .2), CBS (13.1), MPT (22.1, 22.2, and 22.3 in Spanish), Fox (45.1 and 45.2), CW (54.1). This is pretty good without cable, and with a clarity I'm not at all used to.

Monday, May 5, 2008

73% of All Statistics are Made Up

Gapminder (http://www.gapminder.org) is a wonderful little tool to allow one to plot a variety of different statistics for whatever set of countries one pleases. I don't know where they get their data, but it's interesting.

Google Web History

It turns out that Google saves all of one's search history at https://www.google.com/history/ . Google associates this with our GMail accounts, for those of us with GMail, so
  • The search history is explicitly tied to the person, and not anonymized.
  • We can delete it and "pause" it, which appears to be effectively an opt-out.
This is an opt-out service, not opt-in. How much of a violation of privacy is this "feature," collecting data unbeknownst to the user? That depends:
  • How does Google use it?
  • How good is Google's security?
  • How good is any given user's password security?

Sunday, April 13, 2008

Renaming a Pack-o-Files

A friend asked me a question that got me thinking that emacs must provide an easy way to rename a bunch of files in a directory from one thing to another. E.g., suppose I want to rename every file ending in .doc to a .tex extension. Point emacs at the directory, and type
%m
This fires off dired-mark-files-regexp, which selects files matching a regular expression. For the regular expression, try
.doc$
Hit enter after each command. The '$' indicates that the pattern must occur at the end of a line. Now you can rename the marked files:
%r
This invokes dired-do-rename-regexp, which, for every marked file, asks what pattern to replace:
doc$
It then asks what to change matching substrings to:
tex
¡Voila! Much of the above is condensed from http://xahlee.org/emacs/find_replace_inter.html

Monday, April 7, 2008

Linux, Unix, and all That

"Those who don't understand Unix are condemned to reinvent it, poorly" --Henry Spencer "It seems few Linux developers understand Unix" -- me.

MD Funds Move Away from DRE Voting Machines

In a move that will both save Maryland taxpayers a considerable chunk of money and make voting in Maryland more secure, the general assembly just funded the replacement of electronic voting machines by machines with optical scanners. The move is expected to save the state $6M annually. The switch has been promised for some time, but there's always been the chance that it wouldn't be funded. Wired recently reported on a study on the cost of e-voting which outlined how the cost of the Diebold machines, though higher than the cost of other voting technology, is only the start since Diebold also charges for training, maintenance, software upgrades, etc. Other recent stories have centered on Linda Lamone, the administrator of the state board of elections, appearing in a Diebold ad and the fact that the physical security of Maryland's machines lies in the hands of John Kane, former chairman of the MD Republican Party. Couple this with former Gov. Ehrlich's description of the SAIC study of the Diebold machines as a "positive report," though the report, commissioned by the state of Maryland, said that the Diebold machines "do not, in many cases meet the standard of best practice or the State of Maryland Security Policy." SAIC went on to say they found "several high-risk vulnerabilities in the implementation of the managerial, operational, and technical controls for AccuVote-TS voting system. If these vulnerabilities are exploited, significant impact could occur on the accuracy, integrity, and availability of election results." In sum, there were always a large number of questions about how Maryland came to get electronic voting machines and how they were managed.

Saturday, April 5, 2008

kcalc, gcalctool

A lot of people dislike kcalc, and a lot of people don't like the Gnome calculator. One feature I do like about the Gnome one is the insert ASCII value feature. I tend to use xcalc and am generally happy with it. IMHO it's more usable than either of the other two, especially since it has an RPN mode. OTOH, I tend to use spreadsheets for a lot of things that I used to use calculators for.

Is the iPod Shuffle Mode Really Random?

I don't have an iPod and have never used one, but the obvious answer is "No." I've recently heard this discussed on the Network Security Podcast and on NPR Weekend Edition. What's random on a digital device? A good example is Stephen Park and Keith Miller's minimal standard generator (see their 10/88 CACM article). This is (perhaps) the same generator, being based on a linear-congruential generator from Dr. Park's simulation course at William & Mary, spring 1986:
#include <assert.h>

/* Park & Miller minimal standard generator: seed <- a * seed mod m, computed
   with Schrage's decomposition (alpha, beta) so that no intermediate product
   overflows a 32-bit int. Returns a value in (0, 1); *seed must be in [1, m-1]. */
double Random(long *seed) {
  const int a     = 16807;       /* multiplier */
  const int m     = 2147483647;  /* modulus */
  const int alpha = 127773;      /* m div a */
  const int beta  = 2836;        /* m mod a */

  int    lo, hi, test;

  assert(*seed > 0);

  hi = *seed / alpha;
  lo = *seed - alpha * hi;
  test = a * lo - beta * hi;     /* congruent to a * seed mod m, within (-m, m) */
  if (test < 1)
      *seed = test + m;
  else
     *seed = test;
  return ((double) *seed / (double) m);
}
This produces a stream of pseudorandom numbers, with the stress on pseudo. Random number generation is hard, and there are many, many bad generators out there--see the Park & Miller article.
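An added example, not the page's code nor Park & Miller's own listing: the same generator in C99 with fixed-width types, checked against the reference value the 1988 paper gives (from seed 1, the 10,000th output is 1043618065), and then used to drive a Fisher-Yates shuffle of a playlist. That last part is what makes the iPod question answerable: a shuffle fed by a PRNG is fixed entirely by its seed, so two shuffles from the same seed give the same "random" order. The track list, seeds and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Park & Miller minimal standard: seed <- 16807 * seed mod (2^31 - 1),
   using Schrage's decomposition so no product overflows a 32-bit int.
   The seed must be in [1, M-1]. */
static const int32_t A = 16807;       /* multiplier */
static const int32_t M = 2147483647;  /* modulus 2^31 - 1, a prime */
static const int32_t Q = 127773;      /* M div A */
static const int32_t R = 2836;        /* M mod A */

int32_t minstd_next(int32_t *seed)
{
    int32_t hi = *seed / Q;
    int32_t lo = *seed % Q;
    int32_t test = A * lo - R * hi;   /* in (-M, M), never 0 for a valid seed */
    *seed = (test > 0) ? test : test + M;
    return *seed;
}

/* The n-th value produced from a starting seed. From seed 1 the first two
   outputs are 16807 and 282475249; the 10,000th is the paper's check value. */
int32_t minstd_nth(int32_t seed, int n)
{
    for (int i = 0; i < n; i++)
        minstd_next(&seed);
    return seed;
}

/* Fisher-Yates shuffle driven by the generator. Because the generator is
   deterministic, the resulting order depends only on the seed. */
void shuffle_tracks(int *tracks, int n, int32_t *seed)
{
    for (int i = n - 1; i > 0; i--) {
        /* M is far larger than n, so the modulo bias here is tiny; a
           production shuffle should still reject out-of-range draws. */
        int j = (int)(minstd_next(seed) % (int32_t)(i + 1));
        int tmp = tracks[i];
        tracks[i] = tracks[j];
        tracks[j] = tmp;
    }
}

/* Shuffle an 8-track playlist twice from the same seed and report whether the
   two orders are identical: 1 if so, 0 otherwise. */
int same_seed_same_order(int32_t seed0)
{
    int a[8], b[8];
    int32_t s1 = seed0, s2 = seed0;
    for (int i = 0; i < 8; i++)
        a[i] = b[i] = i + 1;
    shuffle_tracks(a, 8, &s1);
    shuffle_tracks(b, 8, &s2);
    for (int i = 0; i < 8; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

int main(void)
{
    int tracks[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int32_t seed = 2008;                    /* constructed seed */
    printf("check value from seed 1: %d\n", (int)minstd_nth(1, 10000));
    shuffle_tracks(tracks, 8, &seed);
    printf("shuffle from seed 2008:");
    for (int i = 0; i < 8; i++)
        printf(" %d", tracks[i]);
    printf("\nsame seed, same order: %d\n", same_seed_same_order(2008));
    return 0;
}
```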

The guys on the network security podcast discuss randomness in the context of human perception, which is also a big part of the NPR piece. One of the NSP guys (Rich) referred to people as pattern recognition machines since they will tend to see patterns in randomness. The guest on that episode, Mike Murray, instead refers to people as pattern creation machines: "People create patterns in their heads where randomness occurs."

This discussion is part of a larger one on the undersea cable breaks of early 2008 and, of course, the iPod. Bruce Schneier provides a good, non-technical, short description of pseudorandom number generation: "What's a PRNG? It's a mechanism for generating random numbers on a computer. They're called pseudorandom, because you can't get truly random numbers from a completely non-random thing like a computer. In theory, true random numbers only come from truly random sources: atmospheric noise, radioactive decay, political press announcements. If a computer generates the number, another computer can reproduce the process."

An amusing quote from a comment in Schneier's blog:

A (non-security/crypto) tale of PRNGs: When I was studying astronomy, a curious result was published: a very narrow (small area of sky), deep (includes very dim galaxies) survey of galaxy red-shifts had been done. (Red-shift corresponds to velocity, which due to expansion of the universe corresponds closely to distance.) The red shifts showed significant periodicity. (I.e. at regular intervals in red shift, there were more or fewer galaxies found.) One of my professors had been doing large computer simulations of large scale structure in the universe. He said "I know what causes this. I've seen it in my simulations. God used a bad random number generator."

Posted by: Filias Cupio at June 14, 2006 10:36 PM

Footnote: yesterday and today I had my first occasions in a while to look at C code. One should do this periodically as a reminder of how awful C is. The generator above was originally coded in Pascal, which hasn't been particularly useful for a long, long time.

Tuesday, April 1, 2008

Emacs Incremental Search Highlighting

Sometime in the fairly recent past, the default Emacs incremental search behavior was modified to underline every occurrence of the search string in the current view. This makes searching very difficult to use if one wants to just skip ahead, e.g., a few 'o' characters, because every 'o' is highlighted, with no way to know which one is at the cursor. To return to the original, more usable behavior, add this to your .emacs file:

(setq isearch-lazy-highlight nil)

⟨editorial⟩ Emacs more and more is acting less and less like a text editor, and trying to get cute about things. Default behavior keeps changing, and often for the worse. This incremental search highlighting is a good example. Another is that in text mode it's now hard to line things up consistently because tab is no longer tab. Instead tab inserts enough spaces or tabs to line the cursor up with the beginning of the previous line, or with the beginning of a word in the previous line. I'd rather tab be tab. ⟨lairotide⟩

Monday, March 24, 2008

Cold Boot Vulnerabilities

What, me worry? If encryption keys are vulnerable, then so is anything else in RAM. Various tools may keep user passwords in RAM for extended periods, e.g., kdesud and sudo. Any other sensitive data one can think of is in RAM at some time or another on some machine or another. Some have said the attack isn't practical. I think rather that it's not going to be all that common, but organized crime, law enforcement, and intelligence agencies will be the most likely to make use of it. Oh, and students. The only uncommon item needed for the exploit is Princeton's software to dump the RAM contents and find the keys, but this or similar software will be freely available, if it's not already. I don't think this reduces the value of encryption so much as it increases the motivation for good physical security.

Sunday, March 16, 2008

About About.com Part 2: "Introduction to Security Tools"

Well, I've finished About U's Introduction to Security Tools, and I can't say I'm the least bit impressed. There was no depth to any of the sections of the course, and the "final exam" was largely random, insignificant memorization in which many of the correct answers could be guessed since the other choices were so obviously wrong. Should we care? Maybe not, but I'm always concerned about people thinking they know something about an area when they don't. And this Introduction to Security Tools will generate a few of those people. OTOH, I'd like to mention their Spanish Word of the Day as a worthwhile use of time.

Saturday, March 15, 2008

Nice Firefox Extension

The Firefox RefControl add-on is a very nice little improvement to web browsing privacy. Why should a web server care what page I was last at? I think the reason is most often marketing, and thus the obvious preference is to not send referral information at all. RefControl allows one to do (or not do, that is) exactly that. It also provides some other options, but the most important thing IMHO is that one doesn't tell web sites exactly what Google search one came from, etc.

What web page are you coming from? This will tell you what one server thinks.

To install the add-on, click Tools, click Add-ons, and then click Get Extensions.

Tuesday, March 11, 2008

About About.Com

I've signed up for a few lists at About.com's "About U" partly out of need, and partly out of curiosity. The Spanish stuff is out of need (sorta) and the network, web, and security lists out of curiosity. First, how do they present the material? Second, how reliable is their information? Third, I might learn something even from introductory materials. I'll comment on these from time to time, but overall my early impression is that they do a pretty good job.

I just read the "Introduction to Security Tools" introduction to packet sniffing, and have a couple of specific comments. First, they give the impression that a sniffer can sniff an entire subnet. This is likely an intentional oversimplification. With a wired network, e.g., Ethernet, sniffing beyond a subnet requires planting a tool (malware) on a host on another subnet. However, on Ethernet, a sniffer mostly sees frames on a single LAN segment, which is more local than just the subnet. Most Ethernets are switched, and so the switches learn where various hosts are, and then filter out frames that individual hosts have no need to see. A sniffer will still see various multicasts and broadcasts on the Ethernet, but will miss most unicasts not directed to the host running the sniffer. On 802.11, the situation's not so straightforward. Any particular receiver may be within range of multiple subnets, and if the WLANs aren't encrypted, multiple subnets could be sniffed at one time. The other issue is that the receiver may be within range of some nodes on a subnet and not others.

This particular About U "course" includes quizzes at the end of each session. One of the questions is predicated upon the statement that "usernames and passwords are generally transmitted across the network in" cleartext. This may be true--it certainly was up to, say, the mid '90s--but I certainly hope it's not true today. Anyhow, I think About U is a valuable service for beginners.
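To make the switched-Ethernet point above concrete, here is a toy learning switch, added as an example (my code, not About U's or the post's). It models a switch's MAC table: frames to a destination the switch has already learned go out one port only, while broadcasts, multicasts, and frames to unknown destinations are flooded to every other port. A promiscuous host on a given port can capture only the frames delivered to that port, so the count per port is what a sniffer there would see. The scenario, MAC addresses and names (Switch, switch_forward, frames_seen_by) are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy learning switch: shows why a sniffer on one port of a switched Ethernet
 * sees broadcasts/multicasts but misses most unicasts addressed to other
 * hosts.  Added example with constructed frames; no real traffic involved. */
#define PORTS    4
#define MAX_MACS 16

typedef struct { uint8_t mac[6]; int port; } CamEntry;
typedef struct {
    CamEntry cam[MAX_MACS];   /* learned MAC -> port table */
    int n;                    /* entries in use */
    int seen[PORTS];          /* frames delivered to each port so far */
} Switch;

static int mac_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }

/* Group bit (I/G) of the first octet: set for multicast and broadcast. */
static int is_group(const uint8_t *mac) { return mac[0] & 0x01; }

static int cam_lookup(const Switch *sw, const uint8_t *mac) {
    for (int i = 0; i < sw->n; i++)
        if (mac_eq(sw->cam[i].mac, mac)) return sw->cam[i].port;
    return -1;                           /* unknown destination */
}

static void cam_learn(Switch *sw, const uint8_t *mac, int port) {
    for (int i = 0; i < sw->n; i++)
        if (mac_eq(sw->cam[i].mac, mac)) { sw->cam[i].port = port; return; }
    if (sw->n < MAX_MACS) {
        memcpy(sw->cam[sw->n].mac, mac, 6);
        sw->cam[sw->n].port = port;
        sw->n++;
    }
}

/* Deliver one frame that arrived on in_port.  Each port that receives a copy
 * has its seen[] counter bumped; a promiscuous host there would capture it. */
void switch_forward(Switch *sw, int in_port, const uint8_t *src, const uint8_t *dst) {
    cam_learn(sw, src, in_port);                       /* learn source on ingress */
    int out = is_group(dst) ? -1 : cam_lookup(sw, dst);
    if (out >= 0 && out != in_port) {                  /* known unicast: one port */
        sw->seen[out]++;
        return;
    }
    for (int p = 0; p < PORTS; p++)                    /* flood: group or unknown */
        if (p != in_port) sw->seen[p]++;
}

/* Constructed scenario: host A on port 0, B on port 1, C on port 2, and a
 * promiscuous sniffer on port 3.  A broadcasts once (think ARP request), B
 * answers A by unicast, then A sends n unicast frames to B.  Returns how many
 * frames a sniffer on watch_port would have captured. */
int frames_seen_by(int watch_port, int n) {
    Switch sw = {0};
    const uint8_t A[6]     = {0x02, 0, 0, 0, 0, 0x0a};   /* locally administered, constructed */
    const uint8_t B[6]     = {0x02, 0, 0, 0, 0, 0x0b};
    const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

    switch_forward(&sw, 0, A, BCAST);   /* flooded: ports 1, 2, 3 all see it */
    switch_forward(&sw, 1, B, A);       /* A already learned on port 0: only port 0 sees it */
    for (int i = 0; i < n; i++)
        switch_forward(&sw, 0, A, B);   /* B learned on port 1: only port 1 sees these */
    return sw.seen[watch_port];
}

int main(void) {
    int n = 10;
    printf("frames visible to a sniffer on port 3: %d\n", frames_seen_by(3, n));  /* the broadcast only */
    printf("frames visible to B on port 1:         %d\n", frames_seen_by(1, n));  /* broadcast + A's unicasts */
    return 0;
}
```

With ten A-to-B frames, the sniffer port sees exactly one frame, the broadcast, while B's port sees eleven. The moment a switch has learned both endpoints, the conversation is invisible on every other port, which is the filtering the post describes; the unencrypted 802.11 case has no such per-port delivery, so the same reasoning does not carry over.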

Monday, March 10, 2008

David Wagner on E-Voting

A very nice article on e-voting: http://innovations.coe.berkeley.edu/vol2-issue3-mar08/electioncodes

Chase Website: Secure? Encouraging Good User Behavior?

In the past I've visited the Chase web site occasionally to pay my Mastercard bill, and I've always been struck by how difficult it is to get a secure login at their site. Here's the page one receives upon entry:

Note the pictures of padlocks, but no padlock in the lower right-hand corner of the Firefox window. So, it would be naive to assume they really encrypt the password as it travels from my browser to Chase. Some time back Amazon defaulted to non-secure login, but one could simply click a login button w/o entering any text, and be redirected to a secure login, from which user ID and password could be typed. Does Chase behave like this?

Nope, they insist upon forcing the user to use the insecure login. Or do they? I thought I should verify that Firefox really thinks this is an insecure login:

I don't think I'd suggest this to non-computer professionals, but I visited Google and searched for a secure Chase login:

They suggested https://chaseonline.chase.com, so I visited that page:

This looks better, but notice the slash through the padlock in the lower right. So, some of the page is encrypted, and some isn't. Presumably it's the fluff they send that's not, and my user ID and password, or at least my password, that is. However, a typical user isn't going to have a clue how to verify this, and so just has to trust Chase. Security is hard, and so I have little faith in a company's communications security solution when they decide to go their own way rather than making full use of established standards, e.g., SSL/TLS.

This last login is probably fine, but it's encouraging users--training users--to ignore the security information provided by browsers and just trust the web developers. This means they're training users to be susceptible to phishing attacks and trust the least skilled software developers out there. Maybe not a good practice.

Friday, February 8, 2008

WYPR has Canceled the Mark Steiner Show

One of the best local (Baltimore-Washington-Frederick) shows on public radio is gone (the other that comes to mind is the Diane Rehm Show). The president of WYPR has posted a letter addressing the issue, but provides no reason. Apparently the issue was ratings. Unfortunately they've replaced the Steiner Show with national shows, and so now WYPR (Your Public Radio) has no high quality local programming. To top that off, WYPR's The Signal today featured pseudoscience, a "ghost historian" who started the show off with a gauss meter. Give me a break. One has to wonder about the station management, and whether quality information is a priority at WYPR. Certainly quality local programming is not.

Secure and Easy Internet Voting

Giampiero E. G. Beroggi, "Secure and Easy Internet Voting," IEEE Computer, Volume 41, Number 2, February 2008.

This is one of those articles that inadvertently provides examples of why computerized voting is a bad idea. Starting with the second paragraph, where Beroggi says "One reason for the delay in implementing more technologically sophisticated voting methods is the computer science community's almost unanimous wariness of Internet-based elections." Rather than addressing this, he goes on to list putative advantages of e-voting, and then starts the third paragraph "Fortunately, in light of these strong advantages, more countries are beginning to consider e-voting...." He has listed advantages, and just dismissed the computing community's reservations by simply not mentioning them. Is electronic voting really scarier than other methods? I think so. Any of a number of people can trot out problems with any voting technology, including paper. But I have yet to see an e-voting advocate address either of the following two problems except to say that computer security professionals are too obsessed with unlikely events. Of course, many popular, oft-successful attacks initially seemed unlikely, especially to non-security people. This is what scares me when I hear political scientists say it's safe, or usability experts say that if we address the usability issues, e-voting will be fine. If we address usability issues, the accuracy of unhacked machines is improved. Anyhow, the two issues:
  1. The class break. With e-voting, there's the possibility that a small group of people could modify a large number of geographically disparate machines.
  2. The technological sophistication needed to understand the hacks. Boards of Elections and state assemblies don't have the ability to intelligently discuss attacks against e-voting, let alone detect them.
The author of this article dismisses these problems by simply not mentioning them directly. His attitude appears to be that computer scientists have issues, but we can ignore them. There are at least two troubling aspects to the author's section entitled "Security." First is the repeated claim that the system uses SSL and 1024 bit encryption. If he's talking about RSA keys, this is a bit light. If he's talking about the symmetric algorithm, well, I doubt he is. So, for all we know they're just using DES or something like that.

Then there's the statement that "The literature on e-voting emphasizes the danger of making source code available as a way to build trust in the system, since attackers with such access could modify voting and auditing records." I'll have to read his reference, but I don't see how a single 3-page CACM article equates to "the literature." Keeping the source code secret does, as the author suggests, reduce trust. Shouldn't voting be an open process? Shouldn't citizens be able to judge the quality of the voting system? As it is now in the US, the answer is no: corporations' proprietary "rights" trump voter confidence. And should voting systems rely upon security by obscurity? If so, then the first disgruntled employee to leave the manufacturer or a certifying body or whatnot can spill the beans, and then we'll all wish it had been open and enough people had cared to find the bug that Beroggi advocates covering up.

Tuesday, February 5, 2008

Gnome Deficiencies

Two things that should be much more obvious in Gnome, if not actually defaults:

xmodmap -e "remove lock = Caps_Lock"
xmodmap -e "keycode 106 = "

In other words, disable caps lock, and disable the insert key. Why these aren't even offered as choices in the keyboard configuration menu is simply befuddling, not to mention the time wasted by many, many people if Google search results are any indication.

Monday, January 28, 2008

Ubuntu Missing Traceroute??

Oddly, traceroute isn't part of the Ubuntu Gutsy distribution. See the discussion at http://geek00l.blogspot.com/2006/08/ubuntu-where-is-my-traceroute.html. I've installed it, but it seems that standard command line tools should be installed by default.

Saturday, January 26, 2008

Data Recovery

I recently had to recover deleted photos from a digital camera's SD card. It turns out the MS-DOS undelete command is gone from XP, but I figured the card was most likely FAT32 format, and so asked Google to find me a FAT32 recovery program. I tried three: (1) PC Inspector File Recovery from pcInspector.de crashed repeatedly, each time encountering an illegal instruction. (2) Active Uneraser Demo was pretty, but pretty useless. It found the files, but couldn't restore anything bigger than 64KB. All the photos were bigger than that. (3) Fast File Undelete v2.1 from dtidata.com worked perfectly, and recovered the photos. Interestingly enough, I didn't see anything obviously useful among the Ubuntu packages, but was able to get it done in XP.

Tuesday, January 22, 2008

Good News on Electronic Voting

Recently Maryland announced plans to ditch the Diebold voting machines which, in the interests of open and trustworthy elections, is a tremendously good move. If the people cannot trust the election process--apart from whether elections really matter that much given all the money corrupting the system--how can the people have any confidence in government "by the people"? Now US Rep. Rush Holt has introduced the Emergency Assistance for Secure Elections Act of 2008, which would provide $500M to help states replace touch-screen voting machines. I think this helps get over a significant stumbling block for a number of states--it's hard to discard expensive stuff when that makes it necessary to buy more expensive stuff. Additionally, "Holt is also the author of the pending Voter Confidence and Increased Accessibility Act which would require a voter-verified paper ballot for every vote cast in the U.S. along with routine random audits. The bill was reported out of committee in May and awaits action on the House floor. It also requires the states to meet federal standards for ballot verification and auditing." ( see http://www.extremenano.com/article/Bill+Would+Help+States+Ditch+Electronic+Voting/223702_1.aspx ) This also would be a step towards increased confidence in the election process.

Wednesday, January 9, 2008

"Free" Online Security Check! Free!

One thing I don't get is companies that should know better, like F-Secure and Microsoft, encouraging users to follow poor security practices. Microsoft with its update pages, and F-Secure with its free online security check, are encouraging users to allow ActiveX and the like. Bad. Bad. Blackboard does the same thing by requiring faculty to trust signed applets in order to use certain fairly basic features, e.g., sending e-mail to the class. One thing that someone might point out is that they may be using signed applets or the scripts may be delivered over an SSL/TLS connection, so the user can be fairly confident of its source. I don't buy that. If one of these applets does bad things to my system or my data, I may not notice for weeks, if at all. When I do realize something happened, can I trace it back to a particular signed applet? At that point, would I care?

Saturday, January 5, 2008

Gnome and Caps Lock

Gnome still (as of Gutsy Gibbon) doesn't have an option under "Keyboard Preferences | Layout Options | CapsLock key behavior" to simply disable the caps lock altogether. This is a common enough need that a number of people have provided solutions for a variety of environments. Some are collected here. KDE provides this feature, as opposed to the esoteric options provided by Gnome.

A related issue is that of disabling the insert key in emacs. Emacs is sufficiently powerful that the insert key is unnecessary--this isn't Microsoft Word--and so there should be an easy way to disable that.

Friday, January 4, 2008

TSA Ineffectiveness and Security Theatre

HomelandStupidity.us has another good article about how unpopular the TSA's security theater has become, how ineffective they are, and how their antagonistic attitude towards the flying public hurts security. It's interesting that TSA screeners in DFW refused to allow a woman to watch her daughter while going through screening. Exactly whose security is the TSA protecting? One nice thing about the article is seeing that the phrase "security theater," as applied to the TSA and other DHS operations, is catching on. Schneier's done quite a bit to popularize it (for all I know he coined it). Another is the point that the TSA is doing little to protect us. What is protecting us is the fact that, for the most part, the terrorists aren't trying, and when they do they're often inept. I'm sure TSA has had its successes, but I'm even more sure people are able to smuggle whatever they want on board planes if they're willing to put forth a little effort and risk.

TSA among most unpopular federal agencies

Thursday, January 3, 2008

CustomizeGoogle Glitch

Some time back I mentioned the potentially useful CustomizeGoogle Firefox add-on. I like it, but today it's been causing me grief in trying to upload images to this blog. I've disabled it and gone back to Ask.com, and the AskEraser, as my primary search engine.

St. Mary's Co, MD, to Test Voting Machines

The Washington Post reports that the St. Mary's County Board of Elections will test their voting machines the morning of January 18th. If the goal is to demonstrate to the board that there are no glaring logic flaws, then the test has some value. If the test is intended to allay public concerns about the accuracy and security of voting machines, it's of no value--actually negative value since that would be a misuse. Observing the behavior of the machines now does little to ensure the behavior of the machines in November.
  • They could be compromised between now and then.
  • Some fraction of the machines could be compromised now by a root kit or some such.
  • There's still no way to do a recount in the presence of allegations of irregularities.
  • Allegations of irregularities, even if false, have face validity because the process is closed.