Category: Internet matters

Posts about the internet

A small request for those commenting

I would be much obliged if, when commenting, you would call yourself something other than ‘Anonymous.’ Anything at all that distinguishes you from other commenter who don’t want to leave names, aliases, or initials would be wonderful. At present, threads with multiple commenters, all called ‘Anonymous’, are likely to become rather difficult to understand.

With regards to the need to provide an email address, this is to help prevent spam comments. Using your real email address, will over, time reduce the probability of your comment getting eaten as spam. That said, I do have the ability to see which email addresses people have listed. If you really don’t want me to know who you are, you can always use something like “nottelling@history.ox.ac.uk” or whatever strikes your fancy. Doing so will somewhat increase the probability of your comment being marked as spam, but if you aren’t doing anything else dodgy – like linking to virus laden websites – you should be fine regardless. The system is also clever enough to learn, over time, that comments from a particular computer are safe.

I very much enjoy getting comments and engaging in discussion here. Along with other roles, the blog is a device through which I hope to refine ideas and positions, on the basis of intelligent criticism. As such, all substantive contributions are appreciated.

As always, any technical problems with the blog should be reported on the bug thread.

The awesome power of exponential growth

This blog now has 1/5000th as many registered users as Wikipedia. That may sound trivial, but it should be noted that at the present rate of growth (12.5% per day – welcome Mark), we should have one million in just 99.5 days (by November 13th).

In just 174 days or so, all 6.5 billion human inhabitants of the Earth should have signed up. Don’t be the last!

Apology for cursory treatment

Coming home to 900 blog posts, all laid out in BlogLines, is impossible. My apologies to you all, but your hard-earned thought committed to webservers have mostly been dismissed at a glance. It is a very concrete demonstration of the limitations of all human beings, and the hopelessness of capturing any significant share of human knowledge over the course of our lives.

Something to try over the weekend: cryptography by hand

For about three and a half hours tonight, I awaited essays from next month’s tutorial students in the MCR. Having exhausted what scaps of newspaper were available, I fell back to reading a copy of Dan Brown’s Da Vinci Code, abandoned by some departed grad student.

Two hundred and sixty pages in, and unlikely to proceed enormously further, I note somewhat pedantically that there have been no codes presented. At best, there have been a series of riddles. The book would be interesting for its historical asides, if I could consider them credible.

Rather than go on about that, I thought I would write an incredibly brief primer on how to actually encrypt a message:

Crypto by hand

In the next few paragraphs, I will show you how to use a simple cryptographic device called a transposition cipher. If you really want to learn it, follow along with a pen and paper. As ciphers go, it is very weak – but it is easy to understand and learn. For starters, we need a secret message. The following is hardly secret, but it will do for a demonstration:

“DAN BROWN IS A DUBIOUS HISTORIAN”

Next, we need an encryption key. For this type of cipher, we need two or more English words that do not use any letter more than once. It is quicker if they have the same number of letters, but I will use two with different numbers of letters to demonstrate the process:

“DUBLIN PINT”

Write the first word of the key onto a piece of paper, with a bit of space between each letter and plenty of space below:

“D U B L I N”

Now, add numbers above the letters, corresponding to their order in the alphabet:

“2 6 1 4 3 5
D U B L I N”

Now, add your message (hereafter called the plaintext) in a block under. If necessary, fill out the box with garble or the alphabet in order:

“2 6 1 4 3 5
D U B L I N
D A N B R O
W N I S A D
U B I O U S
H I S T O R
I A N A B C”

Note how each word of the first keyword now has a column of text underneath it. Starting with the first column in the alphabetical ordering (B, in this case) copy out the column, starting at the top, as a string of text. Make sure you understand what is happening here before you go on. The first column, read downwards is:

NIISN

Now, add to that string the other columns, read from top to bottom, in alphabetical order. You can leave spaces to make it easier to check:

NIISN DWUHI RAUOB BSOTA ODSRC ANBIA

Clearly, each column section should have the same number of letters in it. Make sure you’ve got the transcription right before going on. Note that the string above is the same letters as are in the original message, just jumbled. As such, this system isn’t smart to use for very short messages. People will realize fairly quickly that “MKLLINAIL” could mean “KILL MILAN.”

Moving right along…

Take the strong you generated a moment ago, and put it into a block just like the one you made with the first keyword, except with the second keyword. This time, if you need letters to fill out the rectangle, make sure to use the alphabet in order. You will need to remove the excess letters when working backwards to decrypt, so you may as well make it easier.

“3 1 2 4
P I N T
N I I S
N D W U
H I R A
U O B B
S O T A
O D S R
C A N B
I A A B”

Now we have the message even more jumbled. The final encryption step is simply to copy each column in that grid out, from top to bottom, in alphabetical order according to the second keyword:

IDIOODAA IWRBTSNA NNHUSOCI SUABARBB

Note: the shorter the key, the longer each column will be. The above string is your encrypted text (called cyphertext). This final version is a jumble of the letters in the original message. Remove the spaces to make it harder to work out how long the last keyword is. If you like, you can use that put that string through a grid with another word. Each time you do that, you make the message somewhat harder to crack, though it obviously takes longer to either encode or decode.

To pass on the message, you need to give someone both the cyphertext and the key. This should be done by separate means, because anyone who has both can work out what kind of cipher you used and break your code. The mechanisms of key exchange and key security are critical parts of designing cryptographic systems – the weakest components of which are rarely the algorithms used to encrypt and decrypt.

To decode it, just make grids based on your keywords and fill them in by reversing the transcription process described above. I am not going to go through it step by step, because it is exactly the same, only backwards.

If anyone finds out about the credibility of Mr. Brown’s historical credentials, it won’t be my fault.

One word of warning: this system will not keep your secrets secure from the CIA, Mossad, or even Audrey Tautou. This cipher is more about teaching the basics of cryptography. If you want something enormously more durable that can still be done by hand, have a look at the Vignere Cipher.

PS. It is rumored that this very blog may contain a tool that automates one form of Vignere encryption and decryption. Not that it is linked in the sidebar or anything…

[Update: 27 July] Those who think they have learned the above ciper can try decrypting the following message:

BNTAFREEHOOI-LTOSIRISOTWD-FTNWAOEYSOXT-ERASEAAAKGVE

The segment breaks should make it a bit easier. The key is:

SCOTLAND HIKE

Good luck, and please don’t post the plaintext as a comment. Let others who want to figure it out do so.

Strange and annoying WordPress bug

I am abandoning the What You See is What You Get (WYSIWYG) editor that is built into WordPress (they call it the ‘visual rich editor’). It has the extremely nasty habit of randomly inserting literally hundreds of [em] tags and [/em] tags into pages with complex formatting, such as my academic C.V. Usually, it closes every tag that it randomly opens, so the formatting isn’t visibly affected. As soon as you try to change some small thing, however, everything goes insane. Going back through and fixing all of these mangled pages is a big pain.

WordPress also has serious trouble dealing with [p] tags and line breaks.

I hope the cause behind this was identified in the recent bug hunt and will not trouble people after the next major release.

Essential free Mac software

After a year of using a Mac primarily, I have come to appreciate this excellent operating system. I have also come to understand some of the gaps in it, particularly insofar as the software and tools that it includes are concerned. The following, then, is my short list of essential (free) Mac programs. Naturally, they are geared towards the kinds of things I personally do all the time.

1) Adium – instant messaging program

The MSN Messenger client for Mac is quite terrible. It is unstable and badly out of date. The freeware program Adium talks not only to MSN, but to AIM, ICQ, Google Talk, and many other instant messenger services. You see one contact list for people on all the services you’ve listed and the software works well and in a stable fashion.

Make sure to get the Hobbes icons. The one of him dancing, to indicate the presence of a new message, is especially endearing.

One word of warning, all the different preferences can be a bit daunting when you start out. Leave them on the defaults and don’t worry about them.

2) Fetch – FTP client

An FTP program essential to anyone who runs websites. This one is much less temperamental than Cyberduck, which I used for many months before being introduced to this superior alternative. You can apply for a free educational license on the Fetch homepage.

3) Firefox – web browser

Hands down the best web browser for any platform, the Mac version of Firefox is an essential item. I hang on to Safari because it sometimes runs complex Java more reliably than Firefox does (I am thinking specifically of the photo upload script for Facebook). I hang onto Opera because the built in bittorrent support is very useful. With those caveats, Firefox is what I use 99% of the time. At a later point, I should write a list like this of the essential Firefox extensions (SessionSaver, AdBlock with Filerterset.G, and Flashblock come to mind instantly).

4) Google Earth – interactive atlas

Not essential, perhaps, but free and definitely great fun. The built in demonstration tour is worth a look. It shows off the terrain mapping nicely with Mount Saint Helens.

5) jEdit – text editor

Even with MS Office installed, there is no program in Mac OS that can cleanly edit files that must be text only, without formatting. I am talking about things like manually editing HTML files, PHP scripts, htaccess files, and the like.

6) KisMAC – wireless network detector

Particularly if you are running Tiger (OS 10.4), this free utility is helpful for dealing with wireless networks in more sophisticated ways than are possible using the WiFi implementation built into the OS.

7) MacJanitor – maintenance program

If you have a laptop that you leave closed or in sleep mode when you are not using it, chances are some of the timed maintenance scripts that are meant to run under Mac OS are never doing so. By default, they run in the early morning, but that will only happen if your computer is on. This program lets you run them manually, a good idea for maintaining system performance.

8) Password Safe – password utility

The Java version runs under Mac OS and is very helpful for keeping track of the passwords of things you use quite rarely. It is better than Keychain because you can install the Java version on a USB key and then use it on Macs, PCs, and Linux machines.

9) Remote Desktop Connection – system tool

I have no idea why this is not included by default in the operating system. Either this or one of the open source equivalents is necessary to connect to Windows based terminal servers.

10) Skype – VOIP program

Particularly if you have a Mac laptop with a built-in mic, Skype is an exceptionally convenient way to keep in touch with people inexpensively. I really wish more of my friends used it.

11) VideoLAN – media player

This open source video player can deal with the widest range of file types of anything I have used on the Mac. DivX files that simply will not play in Quicktime or Windows Media Player open without trouble, and it has fullscreen mode – a feature that is bizarrely lacking in other Mac video software.

One item that I won’t put on the official list is a third party MD5 hash checker. Only people who need to check the integrity of downloaded files will need one and it doesn’t really matter which one you choose. Just don’t trust the one built into Disk Utility (at least not for .iso files).

PS. The essential non-free software is basically MS Office (OpenOffice does not cut it when you need to collaborate with people using Office) and Photoshop 7, CS, or CS2.

Summer thunderstorm and Ubuntu Linux

Today’s thunderstorm was good news for the parched lawns of Oxford: deprived in past weeks as the consequence of a watering ban. I’ve always been an appreciator of thunderstorms. I like the drama. I like the sense of immersion in nature. Naturally, it is most poignant when you are out on the middle of the lake with a canoe. Not the most pleasant or safe way to experience one, but something that everyone should try at least once.

Another aspect of thunderstorms that I appreciate is how they psychologically empower me to hunker down and feel absolutely no guilt about doing so. They are a kind of free pass from all but the most pressing of obligations. Naturally, there isn’t a lot of appeal to going outside under such conditions, so I spent the time cooking and fiddling with some computer stuff I had set aside earlier.

Warning: computer jargon ahead

Continue reading “Summer thunderstorm and Ubuntu Linux”

Spelling, grammar, and public writing

Flowers in Woodstock

Talking to people about some of the essay editing I have been doing, in various capacities, I find that there are two general positions when it comes to grammatical and typographical errors. Most people fit pretty squarely into one or the other group, and a fair amount of animosity seems to fly between the two. Normally, my impulse is to call for restraint in in the prosecution of such campaigns. In this case, however, I think the argument in favour of the second position is quite clear-cut.

The first group feels that the important thing is just making clear what you mean. Misspelling a proper name, using the wrong homonym (its v. it’s), and similar errors are not of great consequence, because anyone can tell what you meant. I have some sympathy for this view, particularly because it can lay some claim to being anti-exclusionary. English is a weird language and it is hard to learn. A lot can be said for tolerating those who are in the process of doing so. The internet and other venues are richer for their contributions, and it is unreasonable to expect perfect use of language from those who are still getting used to it. Indeed, I would be extremely hard pressed to write a perfect post or comment in French.

At the same time, those who are capable of writing proper English have little excuse not to do so, whether online or in a different context. The second group – to which I belong – sees writing properly as a duty the writer owes to their audience. To just throw unedited text at people is disrespectful, because it shows that you don’t care enough about them to present them with something polished. I am not talking here about Joyce or e.e. cummings bending the rules – that is the privilege of anyone who knows them well enough to toy with them. A style deliberately different from standard English is not comparable to carelessly written English. I am talking about those people who can’t be bothered to check their spelling and read over what they wrote to make sure it accords with the basic conventions of English grammar. With built-in spellchecking and nearly effortless editing fundamental to modern word processing, there is really no excuse.

A secondary benefit is that taking the time to re-read what you’ve composed lets you better make sure that you aren’t about to put something malformed or uninformed into a public place, where it may embarrass you to many people, and where it may be hard to remove.

Movie physics

Apparently, the physics in The Da Vinci Code are no better than the history or theology. (Though this review is more about general plausibility than physics, per se.) Let it be known that Insultingly Stupid Movie Physics is among the greatest of all websites.

The review of The Core is funny enough to be worth reading, even if you haven’t seen that awful, awful film. People making films should probably take a careful look through their generic list of bad physics. Of course, scientific accuracy may not be terribly likely to put people in cinema seats, or sell DVDs.

On password security

I was talking with Kelly today about passwords, and how they are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won’t lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think ‘e4!Xy59NoI2’) Together, these two requirements far exceed the capability of most human beings.

The real solution is to back up passwords with something else, so that they don’t need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key or newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn’t impossible to foil, but it is substantially more difficult in relation to the additional cost.

In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.

Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:

  1. Someone could guess it (either manually or with a brute force attack)
  2. Someone could watch you type it in
  3. Someone could install a hardware or software keystroke logger on a machine where you enter it
  4. Someone could break into a database that contains it, then try using it on other sites you use
  5. Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)

Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that’s a discussion for another day).

At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.

Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.