enjoying salad since 1978.

Thursday, October 31, 2002


Since googlism finds assertions, I thought I'd ask it what RDF is.

googlism loves me

Sunday, October 27, 2002

How could the Giants lose to Team Mickey Mouse? ugh.

Saturday, October 26, 2002

Blogger Hacked Redux

Yes, Blogger was cracked. It's true. It's been Slashdotted, LawMeme'd, Daypop'd, and News.com'd. Most of the commentary is completely rehashed crap on the danger of storing passwords on remote servers and people are, as usual, missing the big picture: operating system security is in a miserable state. The Blogger software didn't get hacked; we had an unpatched service running on a unix machine we barely look at and some little shit noticed it before we did. People are making it out to be the end of the world, they're ready to crawl into their bunkers with their old Playboys and bottles of Wild Turkey. Should we have found it earlier? Of course. Did we own up to it instead of brushing it under the rug like so many other companies who have been compromised? Absolutely.

I wrote a letter to Anil Dash about his remarks claiming that the weblog developer community is nothing but a bunch of amateurs who have no knowledge of computer security:
From: steve jenson
To: Anil Dash

Quoting from your site:
"""But, with the exception of Mena and Ben Trott's work on Movable Type, which has been informed by Ben's background in cryptography and other security practices, there hasn't been a seriousness about the responsibility of developing these applications as weblogs move to being a critical communication tool for people. """
While I appreciate the mostly positive outlook you've taken in your coverage of the Blogger crack fiasco, I'm rather offended by the above paragraph. My own background in computer security is quite strong. I don't particularly feel the need to qualify that but I will if you want. Also, I take Blogger development very seriously. Ev's worked with me for over a year now, I think he could vouch.

I know you don't claim to be an expert in this area but a knowledge of cryptography is not a panacea when it comes to system software security. As often as not, misimplemented crypto is the catalyst of vulnerabilities. This is exactly how DeCSS came to exist; a set top box manufacturer didn't fully appreciate the nuances of key management and the rest of us are pretty darn glad for it.

There's a bigger fish to fry here, I think. System software is still written in C, a 30-year old language with 30-year old security flaws. "Modern" operating systems still lack decent confinement mechanisms, stuff which has been understood for at least the past two decades (look at the KeyKOS operating system and its modern ancestor EROS (eros-os.org)). PKI is a house of cards; your SSL'd credit card transactions only _seem_ secure through a faulty (and faulted) third party. Toolkits for creating trusted channels between parties are still not widely deployed; your IMs are unprotected and there's no way of even verifying that this email actually came from me.

Instead of the punditocracy rehashing the same "beware the ides of march and don't store your passwords on a remote server" line, maybe they could learn and talk about these issues instead? Perhaps you could start this trend.

best regards,
steve jenson

BTW, your site is running with a remotely exploitable version of PHP. You should talk to your hosting provider about it.

Thursday, October 24, 2002

two hundred can play at that game.

I'm now also mirroring the Transcript of ERIC ELDRED, ET AL., Petitioners v. JOHN D. ASHCROFT, ATTORNEY GENERAL, No. 01-618, SUPREME COURT OF THE UNITED STATES. [thanks Coderman!]

Tuesday, October 22, 2002

An introduction to elliptic curve cryptography

An introduction to elliptic curve cryptography [via IV]

BTW, check out fyuze. Nice implementation. [via a referer to fyuze]

Monday, October 21, 2002

(How to write a 163-line program to compute 1+1)

Fun reading for last night: (How to write a 163-line program to compute 1+1). I disagree with some of his premises, as Perl has so many more side-effects than a clean LC should allow (I mean, just calling a function shifts internal state around much more than is obvious), but whatever, it was enjoyable. (I'm working hard to not end up like Wally in Dilbert: "Of all life's pleasures, I like nitpicking the best")

Saturday, October 19, 2002

"heh heh. You don't like it when Ray talks about the bonin'." "You ain't got no class." "6 times?"

Re: inluminent: Dan Moniz says that he just reads it for the articles.

Also, we saw Red Dragon tonight. A Daamn Decent Film. I recommend it.

I ran into the old LOD/H tech journals today and enjoyed the following excerpt from the textfiles.com page: The last issue of the LOD/H Journal (#5) is suspiciously Canadian.

Hey, I'm running a Renegade BBS right now on an old thinkpad (thanks tom!). It has no modem attached. guaranteed first post? ~~~~NO CARRIER

Tuesday, October 15, 2002

Re: Overuse of the word Elegant.

Re: Overuse of the word Elegant.
"You use that word a lot. I do not think it means what you think it means." -Montoya

I had a vt320 terminal in my bathroom once but this takes the cake

Monday, October 14, 2002

IP stack in lisp. Why not? People have been doing it for 25 years.

source code reading for tonight: Luke Gorrie's IP stack in Common Lisp: Slitch. So far, he seems to be handling ARP pretty well. My common lispery is weak enough that I still have trouble following everything. No better way to brush up, I suppose.

This weekend I spent some quality time with my new Blogger client. Things are really coming together. I took care of lots of little things and also ripped out the old XMLRPC code and replaced it all with calls to the new Jaguar CoreServices.h stuff. I still have a few things to take care of before I'll feel like releasing it: Preferences and Services.

Bill Bumgarner was nice enough to send me the source to his RadioService code about 6 months ago so that's been useful, and Preferences really isn't difficult, I just need to get a non-horrible looking UI for storing Prefs.

In non-geek news, I had dim sum (plus American food) at Stacy's brother's house in Hayward this weekend. I had a pork bun and Stacy's niece licked the fridge. A ridiculously cute child. Then we all ate cake and watched The Wiggles. Australian children's television at its most... australian?

Lawmeme is running a short story on Blender, the formerly commercial 3d application that was recently purchased by the new Blender Foundation for EUR$100,000. From the blender homepage: "welcome to the .org era".

I wonder where the board of directors came up with the 100k price tag? Overall, I think this is at least a marginally favorable outcome. It's certainly a lot better than the half-dozen or so products I've seen get permanently buried during my career. I'd like to see a breakdown somewhere of where the money goes after a sale like this.

Update: Dan notes that they paid 100k EUR, not 100k USD. He also gave me the exact USD price 100k EUR would be in USD: $98,748.00. I hear Dan plays a mean game of Trivial Pursuit.

Saturday, October 12, 2002

time to ditch the gui?

Time to ditch the GUI?:
However, traditionally user interfaces have always been thought of in spatial terms with the computer monitor used to represent information. In other words, they're virtual representations of a physical desktop. Gelernter feels this was a good way to get started in information management, but now it's time to evolve beyond it.
Ditch it already? I've only been using it a couple of years and I'm just starting to like it. (I was a console nerd and a vt320 terminal user before I had a video card worth a damn)

Thursday, October 10, 2002

I guess that means it worked. cool!

testing the webservices framework procedures builtin to Jaguar.

I have a massive backlog of email. :-( This is unusual for me and was exacerbated by both attending the OS X conference last week and being head-first into heavy development (both at work and at home) this week. I promise I'll get back to people very soon.

MCL 4.3.5 is now Carbonized and they will soon be sending me an email with information on how to download it. Hot Damn! Expect a version of Blogger in Common Lisp any day now.

man, all geek weblogs should be this way.

My favorite referer. Thanks Organica!

The Shellen fixed my goofy CSS layout.

The Shellen fixed my goofy CSS layout. I definitely think it's time for a rework of some kind.

Monday, October 07, 2002

I've moved servers so if you notice anything funny, like a missing graphic et al, please feel free to drop me a line.

Saturday, October 05, 2002

What? Movie studios play dirty? No way!

Studios Ask Court to Name EFF a ''Competitor'':
The COPs (Copyright Owner Plaintiffs) in the ReplayTV case have asked the judge to have the EFF's lawyers barred from seeing a stunning 78% of the documents in the case. The justification? That the EFF is a "competitor" of the studios and shouldn't be allowed to see their trade secrets. [via LawMeme]
Pretty dirty even by movie studio standards. Time to boycott the film industry. (as if it hasn't been time to boycott it for the last 20 years. jerks)

BTW, I'm an EFF member now. I'm ready to strike fear into the hearts of ne'er-do-wells!

Friday, October 04, 2002

Tonight I spent about 20 minutes and finished making my site xhtml 1.0 transitional and css compliant. It really wasn't that hard when I set my mind to it, and when I decided to break all permalinks.

Wednesday, October 02, 2002

rendezvous talk notes

Hey, I took notes for the Rendezvous talk and put them here

Tuesday, October 01, 2002

South Park, the Con-Pontif, and hers truly.

Stacy's definitely invited to Pontificon:
Stupid Mongolians... More morning commute thoughts: so, is it really beneficial to have Asians represented in mass media as having perfect diction and pronunciation? Isn't it more accurate to have articulate, intelligent characters that have an accent, as a good portion of the working middle class does? Is the City Wok guy on South Park the most forward Asian-American representation on TV today?!

I listened in on the Darwin Ports talk, which Jordan Hubbard is managing. I appreciate that he worked so hard against second-system syndrome.

I might have a spare x86 box here soon, so I'll try running Darwin/x86 on there for a while, to test KAME extensively under Darwin, to get a sense of kernel hacking on xnu, and check out darwin stability (which should closely correlate to OS X server stability)

Scott Anguish's talk on WebServices in Cocoa was fun. I have experience with the Mulle Kybernetik xml-rpc framework which is pretty solid and very mature compared to the all-C implementation Apple has put into the CoreServices Framework. The stub generator (which emits ObjC/C/C++) WSMakeStubs was pretty neat. An incredibly tiny nitpick: Scott talked about Blogging tools and mentioned Radio and Movable Type but didn't mention the Blogger API which they both implement. :-(

Speaking of Movable Type, a bunch of us OS X nerds crawled into a few cars and drove down to a local indian restaurant. I sat across from the Trott kids (so you know, they're older than I am by a year or two). I didn't know Ben was also a crypto nerd. Super nice couple. I had briefly met them before at Cory's book-reading a few months back at Cafe du Nord. I also received a good lecture on Frontier's shortcomings. Why is this product $899 if db paths overflow after 256 characters and have no concept of a namespace (importing into a scope, I mean). I don't know if that's an old version of Frontier but if not, geez, throw that shiznit away and code something in Zope.

Speaking of Dave, he's supposed to attend the RSS BoF tomorrow night. People seem worried that he's going to yell at people like he did to Kevin or be rude and interrupt people like he did at ETCon. I hold out a belief that Dave's above that.

I was chattering about PyGame the other day so I whipped up a simple side scroller in pygame the other night, just some rectangles and lines, no big deal, and realized something: PyGame really isn't meant for side-scrollers. Even with hardware acceleration (which, admittedly, my tiBook doesn't have much of) updating the entire screen with every frame is too slow if you have a bunch of Groups.

PyGame seems to really excel when you only have to redraw certain sections of the screen.

Tomorrow I'm on the alpha OS X desktop geek panel, that should be fun.
It's my second day here at OS X con and things are pretty damn interesting. I'm not getting nearly enough sleep and the food leaves some to be desired but the company is great and the discussions are solid.

I tried giving burton a hand with his talk earlier but we quickly learned some of the nastiness of Mozilla as a platform. Pathnames..

Paul Hoffman is about to give his talk on IPsec in Jaguar. should be good stuff.

Update: phoffman's talk was quite useful, reminding me of a lot I had forgotten about IPsec. Along with KAME, Racoon is on OS X. much nicer than isakmpd. I had forgotten how much IPsec stinks when you throw NAT into the equation. blah.