Gessel On…

Modern mice seem to think it essential to include a “bump this side of the mouse to delete your work” button, oddly configured as a “back” button in most browsers. Why? I have no idea. Personally I rarely actually need to navigate forward and backward while browsing. I suppose a lot of people have navigation remorse or something, but for me the button has only been a source of frustration.

There seemed to be only one option since the logitech mouse driver suite is inexplicably larger than most complete operating system installs and therefore unsuitable for any normal computer, taking apart the mouse and cutting the leads to the Stupid Switches.

Instead I found this little utility that lets you disable the buttons (you can also map them to something else you’d like to accidentally trigger if that amuses you). Now I won’t lose my work when creating a message in Gmail or working in redmine.

I used to love firefox, but then somebody decided that users were way too stupid to make it through web browsing without an endless parade of  warnings about SSL certs.  The premise seems to be that:

• Valid certs are meaningful.
• Self-Signed or expired certs are indicative of a problem.

Neither is true.

(To a statistical certainty.  Some user somewhere will be validly warned away from a phishing site someday.)

Valid certs mean next to nothing since the users that these warnings are targeted to (and me too) will never ever notice if they’re going to bankofamerica.com (or whatever BofA’s legitimate URL is) or bankomerica.com (assuming bankomerica isn’t a valid bank of america domain).  Thus bankomerica can dupe bankofamerica’s website and get a perfectly valid cert and if users were dumb enough to believe that a lack of warnings indicated validity as the huge scary warnings effectively convey, then they’d be easy prey.

The only valid purpose of SSL is to secure communication between a server and a client so you can check your web mail at a cafe without worrying about being snooped and a self-signed cert does that just as well as one issued by the cert mafia.  Sure, sure the giant cert authorities would love to take your $1,000 a year to give a your user’s some sort of guarantee that you’re really who you say you are, but that doesn’t make any difference at all in practice.

As for DNS hijacking so amazon.com goes to a spoof site where the transaction security is compromised (and in theory the self-signed cert would be a give-away) just mod-rewrite to http then redirect to amazoncheck0utservices.com and get a valid cert for it.

Besides, after users have been forced to dismiss a zillion intra-net “invalid” certs, they’ve learned to completely ignore the warnings and so automatically click through the scary and almost always pointless warnings FireFox generates. Or, like many people, users stop abandon the scary, irritating browser and go back to IE.  Win.  Oh wait… FAIL.

Secure DNSSEC is smart, but forget warning people into oblivion over self-signed certs, the net effect is to make the web less secure because site admins have to choose between absurd fees for certs or turning certs off.  Until FireFox fixes this counterproductive behavior, there are two things that help.  First, browse to about:config and set browser.ssl_override_behavior to “2″.

I’ve also found the Persepectives Plugin useful to reduce the number of pointless and irritating error warnings Firefox generates when it sees a cert that hasn’t fully paid up the protection racket extortion fees by using a polling mechanism, effectively saying (to a collection of referee sites) “ya’ll think this cert is ok?” and if they say “yeah…” then you get no error.

There fixes are helpful for those of us sufficiently skilled to use them, but unfortunately they won’t prevent users abandoning the endlessly “WOLF!” crying FireFox for IE.

Looks like the latest update of Motorola Phone Tools wasn’t quite ready to ship…

26c3 was a blast, as was Berlin. It’s a good conference in the olde school hacker style: mostly younger people, mostly wearing black. There weren’t a lot of women, but Carolyn, Isabella, and Meredith tried to even out the ratio a bit.

Some of the best lectures included one by some German engineers working on the lunar x-prize. They had their prototype rover with them and gave a great talk about the various challenges.

Another great one was Dan Kaminski’s talk on PKI. I don’t agree with the premise that SSL should be a reliable method for identifying the owners of websites as people just can’t tell the difference between bankofamerica.com and bancomerica.com and so it doesn’t make anyone safer if the bankofamerica site is super green if bancomerica.com is also super green, and so the complexities of getting an accepted certificate simply reduce the use of secure connections and the overall security of the internet. But he had some pretty great attacks on the security of SSL that causes problems no matter what.

We enjoyed fuzzing the phone as well. It was a very entertaining talk on attacking phones with crafted SMSes. The method of creating the attacks was very clever – rooting the phone, redirecting the radio to a wifi link to a CPU so they could try zillions of SMS and see what would happen. In the process they discovered they could remotely root the communications manager (which runs as root). And %n to specific windows phones and they’ll crash and fail to reboot until the SMS is cleared out of the inbox.

Berlin is a great city and it was fun working in the shadow of the TV tower.

We made reservations for lunch but we could tell it wasn’t going to be a great day. In the end it was a very intimate lunch with pretty clouds pressing against the glass.

The fog lifted but was replaced by snow, which is a lot of fun in a city when you don’t have to drive.

Hey, wow… sure, techdirt isn’t the WSJ, but for a blog it is somewhat authoritative and they’re actually noting that fact that we grant temporary monopolies to creators not as property (or to preserve jobs or to fund private jets for industry execs) but solely to promote the progress of science and the useful arts. Any IP law that retards the progress of science and the useful arts, no matter how many jobs or corporate jets it saves, is unconstitutional. Tell Victoria Espinel that she should be sworn to upholding the constitution, not the corporate profits.

This is relevant now because the press was just kicked out of the anti-”piracy” summit at the white house (by “piracy,” they of course mean vigilante trust busting, not the corporate pirates of the public domain).

I just installed AWstats on a freebsd system from ports, version 6.95 and ran into some issues with the installer.

First, awstats_configure.pl has a mistake that leads to:

Error: Failed to open ‘(your awstats.model.conf’) for read.

This is because $AWSTATS_PATH is prepended to “/wwwroot/” instead of “/” throughout the script.  Search and replace config.pl to fix or try this one awstats_configure.pl (no warranties).

Second, there’s an error in the httpd.conf configuration that fails to provide sufficient permissions.  Add

Options FollowSymLinks

inside the <directory> directive to get the pages to load right.

Third, the icons dont display (or display as broken images) due to a small typo in the icons directory specification.  At line 222 in the yoursite.conf file that awstats_configure.pl generates, use

DirIcons=”/awstatsicons”

and make sure the httpd.conf directive reads

Alias /awstatsicons “/usr/local/www/awstats/icons/”

(not …/icon/”) .  I use setup an awstats.conf file in /apache22/Includes (see below) and take the directives out of httpd.conf myself.

Reminiscent of the apocryphal first “bug” I opened up my old laptop and saw some ants crawling out of it.

and then more.

and more.

So I got the vacuum and started sucking them up.

And more.

and more.

So I took out the battery and found something that actually startled me. Kind of like the Alien’s den in miniature.

Amazingly the computer booted fine.

For the first time in my computer history I used Raid ON my computer rather than configuring RAID in my computer.

I just installed Ecoli Hub’s TableEdit into MediaWiki.

It went moderately smoothly, except the update_schema.php script failed to prefix the tables, which meant that MediaWiki couldn’t find them.  It took me a little poking around to figure out what was happening, but I got an error that brtext_TableEdit_box couldn’t be found.  Now an unfortunate prefix choice in that it looked to me a bit like br text…  as opposed to brtExt, but once I figured that out I was on the way to a little editing with phpMyAdmin and everything worked.

TableEdit is a step in the right direction for interactive table editing, what I’d consider the biggest weakness of wiki’s at this point.  It seems most of the information I’d put in a wiki would be more efficiently formatted as tables, and as a result I have lots of non-interactive spreadsheets; something that gets confusing on frequently updated, collaboratively edited text.    WebDAV might be a solution for that, and maybe OpenOffice will get “open via sFTP” as an option soon, but until then EcoliHub’s solution is a step forward, though what I still really want is a viably speedy version of Dan Bricklin’s  wikicalc.

There are a number of ways to end up with a lot of duplicate messages in an IMAP folder, and while IMAP tends to handle very large stores gracefully, it is possible to hose things.  On my 32 bit server and with Mulberry as a client things get weird after about 15,000 messages in a single folder.

Google does some odd things and at one point a periodic check of my gMail account resulted in about 70,000 messages in a single folder, which definitely caused some chaos.

I thought that was pretty impressive, but my girlfriend just managed to get 144,000 messages in a single folder.  Woo Hoo!!!  High Score.

Anyway, things like the dedup plugins for Thunderbird can just make things worse at that point as they seem to fail gracelessly on very large message counts.

I found that Rick Sander’s perl scripts are the best way out of this difficult situation.  delIMAPdups.pl solves the problem without running out of memory or munging files.  I haven’t had any lost data and just tested by clearing about 1400 dups out of a directory of 15,000 messages (my 2009 store to date).
/.delIMAPdups.pl -S example.com:993/user/pass -m INBOX.2009 -p
-m is the mailbox to expunge
-p is purge
-S means use SSL

Tonight probably wasn’t the best night to try to configure logicmail to send via gmail.  I went through every permutation then found out that gmail is flaking out tonight.  Go Cloud Computing.  Brilliant idea to trust your business to the cloud. Anyway, I did get LogicMail to work.  It isn’t the fastest way to get your mail, but it connects via IMAP to my home server to read (never a problem) which means the client is synchronized with Mulberry (running on 3 computers) and Roundcube webmail and whatever else.

I also sync to gmail using procmail on my server to forward selected messages to my gmail account.  Google’s mobile mail clients are great, by gmail does not work as an imap client and so reply/read status doesn’t get updated on my server, which is the canonical reference.  I can remember for a quick reply, but I forget when I’m using my blackberry in some extended way and then when I get to a real client I sometimes double answer, which can be embarrassing…

LogicMail still has problems with certain TLS authentication schemes, which I use on my server, and so I can’t seem to send through my own SMTP, but thankfully gmail lets me send through theirs with the only penalty being the Return-Path: <youraccount@gmail.com> header.

I used:
Server: smtp.gmail.com
Use Secure Connection: SSL
Port: 465
Authentication: LOGIN
Username: youraccount@gmail.com
Password: *********
(don't use MDS proxy)