sungate.co.uk

And so the annual pilgrimage to Wolverhampton for Lugradio Live happened. Excellent, as expected. The above photo shows me in the background, sat between Dave ‘Schwuk’ Murphy (yellow T-shirt) and Steve Lamb Of (Erm…) Microsoft. Some good talks, lots of interesting people to talk to: the Usual Crew, MrBen, Bruno, Neuro, Bryn, Oojah, plus the Lugradio presenters of course. Chatted with a few new people too.

During the Saturday evening party, I’m proud to say that karaoke was perpetrated. Until I can find an actual photo of me with the microphone, we’ll have to make do with this:

That’s right, I sang ‘Ghostbusters’. It went down quite well and had plenty of audience participation. Thanks for all your kind words, people If anyone has an actual photo of this, please let me know!

On Thursday evening last week just as I was about to leave work, I had a phone call from Jono Bacon to tell me that the Lugradio team had decided to call it a day. This is a great shame, but ultimately the guys believe that it’s the right choice. They’re probably right. The shows are still good and they won’t be able to go on for ever. As I said to Jono on the phone: “Remember Series VI, VII and VIII of ‘Red Dwarf’? They should have quit while they were ahead.” No-one wants to see it drag on and stagnate.

The official announcement was made today in this week’s episode and took many people by surprise: the crew had decided to give a “heads up” to long-time Lugradio ‘people’ in advance.

This means that Lugradio Live 2008 in Wolverhampton on 19-20 July will be the last recording and the last event (probably): we can go out with a shout. I will be there

Bruno describes this sad day very nicely.

Many thanks to all the presenters over the years: Jono, Aq, Sparkes, Matt, Ade, Adam and Chris. So long and thanks for all the fish. I mean, all the chin.

I can’t believe that no-one has told me about Hut 33, a radio comedy about codebreakers’ life at Bletchley Park. And I’ve missed more than a whole series.

I don’t suppose anyone reading this has a recording of the programme, or knows where one might buy such a thing? e.g an audio book?

Update: thank you for the pointers. Especially you, you know who you are.

When I was about 12 or 13, like all the other children with glasses I learned how to solve the Rubik’s Cube. I’d long since forgotten how to do so. However, I was given a new Rubik’s Cube for my birthday recently.

I decided that, if I was going to learn once again to solve the thing, I would need exactly the same book that I had originally. So I tracked it down:

Published in 1981, the then 12-year-old Patrick Bossert wrote one of the first books on how to solve the cube. Over the course of a few weeks or months, I learned his procedure.

Over the course of 20 years, I forgot it again.

However, upon reacquiring a copy of the book at the weekend, I reminded myself of most of the main moves in just a few hours. The algorithms were obviously just locked away in my memory, because I found myself “chanting” to myself the moves as I carried them out: “Up, round-at-the-back, Down, Along-right” etc.

I used to be able to finish the cube in around 2 minutes to 2 minutes 30 seconds, I think; yesterday I managed 3 minutes 40 seconds, which is not bad. And I’m sure I can do better…

Update 12.06.2008: Managed 2 minutes 24 yesterday

Today is my birthday. I am now N years old. You can work out N from the following:

• N is a prime number;
• The last time my age was a prime was six years ago (i.e N-6 is prime and no other numbers between N-6 and N are prime);
• N is not a member of any twin-prime pairing: see the definition of a twin prime if needed;
• You can assume that N is less than 50

There is only one unique solution to the above.

And Happy 40th Birthday to Kylie, too.

I bought an Eee.

(For those of you who have been living on a different planet for the last six months, or are technologically-challenged, the EeePCs are Really Small Laptops That Are Really Cheap. And for those of you who know about the full range, I got the 701 4GB Black version)

Good points:

• Cost just over 200 quid;
• Very small, very light (less than 1kg);
• Very clear screen;
• Wireless;
• Very cute for showing off with;
• Runs Linux, although in its default incarnation that might not be obvious.

Bad points:

• Screen is quite small, but I didn’t buy this for the screen size;
• Keyboard is quite small: this would be a problem if I wanted to write a huge amount of text on it, but that’s not likely. It tends to be used for web browsing;
• Its Linux distro is Xandros, which is not ideal. However, other distros can be installed which I might investigate at some point;
• Its SSL installation is vulnerable to the previously mentioned SSL exploit and it hasn’t been properly patched yet. Changing distro would fix this, too;

When you consider that this is a almost-fits-in-your-pocket ‘proper’ laptop (unlike PDAs or mobile phones) that can do wireless, and cost a little as it did, this is rather nice. We were away last weekend and I connected it to the hotel’s wireless network, which was quite cool: didn’t do anything useful with it, of course, apart from updating my Facebook status with “Hey cool, getting free interwebs from the hotel!!”, but I believe that’s a traditional geek response.

Oops

It was revealed yesterday that there has been a great big security hole in the Debian-distributed SSL code, introduced in late 2006. This ill-advised Debian modification meant that all SSH and SSL keys were insufficiently random (the change removed part of the random seeding which normally takes place). This means that instead of there being a total of $BIG_NUM possible keys, there were only around 260,000 possible keys. This makes brute-forcing the key almost trivial.

Note that, unlike other security updates for your system, merely installing the updated packages is not enough. One must also remove and regenerate all affected SSH and SSL keys. Depending on your setup, this could be a massive task. It will also be very disruptive to end users if you’re changing host SSH keys for example.

What’s affected:

• Any SSH or SSL keys generated on Debian Etch or recent Testing/unstable;
• Any SSH or SSL keys generated on all Debian-derived systems corresponding to “Debian Etch and later”: for Ubuntu, this means Feisty 7.04, Gutsy 7.10 and Hardy 8.04
• Any DSA-style SSH keys used on a system with a vulnerable host key, even if the keys themselves are not vulnerable.

What you need to do:

• Get the updated openssl and openssh packages on to your system. Debian and Ubuntu’s openssh package includes a check on the SSH host key and also includes a tool to check user keys. Where possible, run ssh-vulnkey -a as root to check all users’ keys and authorized_keys for the vulnerable ones;
• If you generated any other SSL keys, such as for HTTP/SSL certificates, figure out when they were generated and whether the system was running Etch or later at the time. If so, these should be considered compromised and regenerated. As far as I can tell at the moment, there is no automated tool for checking SSL keys and ceritificates

The dust has finally settled on this one here, I hope, and this is what I found:

• At work, all our servers were originally installed as Debian Sarge and so none of the host SSH keys were vulnerable, even though the systems themselves are now running Etch;
• No vulnerable SSH user keys (apart from one that I created solely for the purpose of seeing whether it could be detected by the vulnerability scanner: it could), since hardly any of us use them and those of us that do had generated them during the Sarge era: being rather sluggish upgrading from Sarge to Etch actually helped here!
• No vulnerable SSL keys for our external sites: they were all made a while ago;
• About a dozen vulnerable SSL keys on internal servers: these will need to be replaced, but as exposure to these is limited, that’s less of a risk;
• At home: main PC has evolved from Ubuntu Dapper 6.06 and so has keys generated before this problem arose; my laptop was installed as a pre-release Ubuntu Hardy 8.04, but I never put openssh-server on it, so no vulnerability there. Also, the home partition was inherited from an earlier release and the user keys were not vulnerable either; the fileserver was installed as Etch and had a vulnerable host key, which has been regenerated. And my newly-acquired Asus Eee (more about that in a later post!), which is based on Xandros which is derived from Debian, appears to have a vulnerable version of the SSL code installed, because the key I generated on it was identified by the vulnerability scanner on another system.

As Bruce Schneier once said (I think): “Bad crypto looks just like good crypto”

Updated 15 May 2008: It has occurred to me this morning that all systems which support SSH are potentially at risk here, not just Debian-based ones. For instance, any system which has an uploaded weak user key is vulnerable to that user account being easily cracked, regardless of the OS which that system runs. e.g. if I generate a (weak) key on a Debian system and then upload the public part of the key to an OpenBSD server, then that OpenBSD server is vulnerable. All systems running SSH should probably check for these vulnerable keys: Debian and Ubuntu have released patches to reject vulnerable keys: I trust we’ll see the same thing for other OSes too.

The article title refers to the third volume in Neal Stephenson’s trilogy “The Baroque Cycle”. As previously reported, I have been meaning to get around to buying and reading this for ages. It has taken me almost an entire year to get through the three books, each of which runs to around 900 pages. I’ve read other books in between volumes, but even so, it seems like a long time!

(There are some spoilers to the story and plot below: anything that can be read on the back cover of any of the books precedes the spoiler marker; plot that is only revealed as a result of reading the books is after that.)

The trilogy is comprised of three large volumes: “Quicksilver”, “Confusion” and “The System Of The World” (and in fact, each volume is itself broken into sub-books, but I bought the three main volumes). The story is set between the mid-1600s and early 1700s, and relates the tale of a small handful of fictitious characters set amongst the ‘real’ historical figures and events of the time. For example, the royal families of England, Scotland, France, Spain and the Netherlands, plus various German provinces all make an appearance. And so-called ‘Natural philosophers’ (what we’d now call scientists) play leading roles: particularly Newton and Leibniz.

As with Neal Stephenson’s “Cryptonomicon”, the historical backdrop to the story is - as far as I can tell - very accurately and carefully written. The events are real events and many of the characters are real people who, on the whole, take part in these events in the way that really happened: the fictitious characters play their parts alongside this, influencing what happens both overtly and covertly. The major events which take place during the period covered by the book include the Great Plague of 1665, the Great Fire of London in 1666 and all the various wars and royal successions of the time between England, France and the Netherlands.

Around the main storylines, there are a huge host of tangents and distractions, which is actually what Neil Stephenson’s writing is all about: this approach shows that the journey is at least as interesting as the destination. That’s what makes his books enjoyable.

(Here be spoilers: don’t read past here if you haven’t read the books, but intend to do so!)

The first thing you notice when starting the trilogy is that there are many links between characters which appear in “Crytononomicon” and those appearing here. For example, we meet ancestors of the Waterhouse family, the Shaftoes, Hackelbeckers and more. The family resemblences in behaviour between those of the 1600s and 1700s mimic very closely those of the 1940s and present day found in “Cryptonomicon”: the Shaftoes still behave as the “gung-ho” soldiers, the Waterhouses seem to be involved with every major event, whilst seemingly oblivious or bemused as a result.

The conflict between Newton and Leibniz (broadly-speaking over “who invented calculus first” and whose description of How The World Works is more correct) is interesting: in order to describe this fully, Neal Stephenson includes a large amount of detail of a very technical nature, which is nice to find in a novel. No Perl scripts, though, unlike in “Cryptonomicon”.

We also meet Enoch Root again. Here is my favourite character: very strange and mysterious. In “Cryptonomicon”, his nature was only hinted at very briefly and whilst Neil Stephenson’s books are often thought of as “science fiction”, Enoch Root is probably the only character in this story who behaves in a manner suggesting that something supernatural is going on. The fact that the same character “of undetermined age, but clearly of wide experience” appears in storylines ranging from 1650 to the present day is enough to raise an eyebrow or two. His nature is described in some detail but, infuriatingly, with a few missing details: references to him “dwelling with humankind” suggest he is of alien origin, for example. His ability to resurrect is evident in “Cryptonomicon”, although you have to read carefully to spot it: however, this is made rather more explicit as “The System Of The World” draws to a close, when it is revealed that Daniel Waterhouse was in fact resurrected during surgery that he thought he’d survived naturally.

It’s still not clear who Enoch Root actually is: is he an alien? Or has he just figured out how to make use of alchemical regeneration in some way? I really rather hope that Neal Stephenson writes a sequel to either “Cryptonomicon” or The Baroque Cycle so that we can find out!

It became widespread news yesterday, April 1st, although it was only formally published today: Microsoft’s “Office Open XML” (OOXML) document format has, unfortunately, been certified as an ISO standard. There are many reasons why this is a Bad Thing.

• There is already an existing ISO-approved standard, namely Open Document Format (ODF). But obviously Microsoft doesn’t like that because they don’t control it. Microsoft likes controlling things. Microsoft’s reasons for seeking ISO approval for OOXML are at least partly driven by a desire to undermine ODF.
• Microsoft’s “Office Open XML” is not truly open. As part of the document format definition, it contains many references to how previous versions of Microsoft’s own software behave. Although some of these references have been removed in updated drafts of the format, this shows that Microsoft believes that their format should be the formal standard, regardless of how broken, incomplete or patent-encumbered it may be.
• An ISO standard is supposed to describe something which can be implemented independently by many different organisations. As far as I am aware, not even MIcrosoft themselves have an implementation of OOXML as per the written format that was submitted for ISO approval. Microsoft’s own implementation in Office 2007 is different. As with other standards in the past, such as HTML, CSS and perhaps even Java, Microsoft will no doubt be planning to utilise its famous “embrace and extend” policy. This means breaking the standard, but making use of their monopoly position to foist this bastardised standard on those who are victims of their monopoly.
• ISO, the organisation, loses an awful lot of credibility as a result of this process. There have been a multitude of reports of irregularities with the voting process from the national standards bodies feeding into ISO. Many of the them suddenly gained a lot of new members in the weeks leading up to the OOXML, with strong circumstantial evidence that Microsoft funded their membership fees.
• In most of the national standards bodies, the technical representatives were hugely against OOXML being adopted as a standard. This speaks volumes.

It is disgraceful that Microsoft has been allowed to garner supposed legitimacy to their broken document format in this manner. The fact that they even tried shows a certain desperation.

Oh, and remember that when Microsoft says something will be “good for business”, they mean good for their business.

A reinstallation of my laptop at the weekend allowed me to test out an encrypted installation. The point of an encrypted installation is to require a passphrase to be entered at boot-up in order to transparently decrypt the rest of the system. This means that if the laptop is lost or stolen, none of my information or personal details will be at risk. Note that this is not the same as simply requiring a password to login: the whole filesystem (except for a small unencrypted boot partition) is actively encrypted.

Using the Alternate Install CD of a pre-release of Ubuntu 8.04 (”Hardy Heron”), an “encrypted LVM” configuration is available directly as part of the installation. This creates two partitions: a boot partition which will be unencrypted, allowing the system to actually start and prompt for a passphrase; the second partition is encrypted and contains the rest of the system. The passphrase that is prompted-for is used to decrypt the second partition. It seems to work cleanly enough. I’ve heard some express concern that an encrypted system would perform sluggishly because of the continual encryption and decryption: I’ve not seen that at all. In fact, I’ve found the opposite: performance seems somewhat better than before. This may simply be the Brand New Clean System Effect (i.e. it’s running smoothly because the system hasn’t had a chance to get cluttered yet) or perhaps there’s some cunning caching or compression in place. The laptop has a dual-core CPU, which may help, of course.

The only drawback with the Install Encrypted LVM From The Alternate Ubuntu Install CD approach is that it uses an encryption key based directly on the passphrase you provide. This means that you cannot change the passphrase without a complete reinstall. A different approach would encrypt the partition using a stored key, and that stored key is protected by a passphrase: this allows one to have more flexible passphrase management, such as changing it or adding additional passphrases without needing to reinstall. This second approach can be done using LUKS, but the Ubuntu Install doesn’t use that. I found a HOWTO guide explaining how to hack this together, but it didn’t seem to work, which is a shame.

All done, all sorted.