Thu, 27 Sep 2012
Censored on Facebook
For the first time in what feels like years, I wanted to share something with my friends on Facebook.
The background was that I read a note on Slashdot that Linus Torvalds thought a presidential candidate's remarks on a topic related to airline security were "moron"ic. So I did my own research, and I disagreed. I figured this was a topic of general enough interest that all my Facebook friends might be interested in knowing my position, so I wanted to share that.
Facebook didn't let me.
I tried first with a link to snopes.com, which Facebook blocked with the rationale that snopes.com/images/template/snopes.gif is "spammy or unsafe":
Then I thought I'd be clever, and I linked to the .nyud.net version of the snopes page on the topic. I earned the same message that my post included a blocked link.
So then I tried again, with a link to a video on YouTube of the same clip.
That's when I first got the extremely generic message that "The message could not be posted to this Wall."
Finally, I removed all the links, and kept the first bit of text. For this, I got the same generic error: "The message could not be posted to this Wall."
Update: Patrick points out I should link to the actual video. Here it is, embedded:
(BTW: The first thing I did was to click "let us know" to indicate that I think I'm seeing this by mistake. I filled out the form to indicate there was a problem in an honest, respectful way. I got back an email autoresponse that said, "Thanks for taking the time to submit this report. While we don't currently provide individual support for this issue, this information will help us identify bugs on our site.")
[software] permanent link and comments
Mon, 13 Aug 2012
Zooming in
A mis-quote of "Can Hospital Chains Improve the Medical Industry?".
[debian] permanent link and comments
Mon, 30 Jul 2012
RHEL 7 will (probably) have GNOME 3
While chatting with Greg Price earlier this evening about the coming Linpocalypse, I said something I wanted to research. Upon further review, it seems that Red Hat Enterprise Linux 7 will ship GNOME 3.
You can see a video of Jonathan Blandford talking about it, where he says:
"CubedRoot" on fedoraforum.org did take a look, and (s)he writes:
[software] permanent link and comments
Thu, 14 Jun 2012
Reactions to a public disaster
Quoth Laila Winter:
[me] permanent link and comments
Fri, 20 Apr 2012
Absurd Asheesh lunch: Friday April 20, MIT Media Lab, 1 PM
I'm visiting the Boston area for a few hours (like literally less than 24), and so I thought I'd stop by the MIT Media Lab's 5th floor lounge and have lunch there with Deb, and anyone else who wants to join.
Bring lunch from home, or buy food at the lovely MIT trucks, or just come for the company.
It's quite easy to get to; take the Red Line to Kendall, then walk to the end of the street with the food trucks. If you need help finding me/it, call my cell phone!
P.S. I'm in town just while in transit to Troy, NY, to run an open source teaching workshop there.
[event] permanent link and comments
Sat, 18 Feb 2012
Help a BSD developer bike across the US, and give hope to cancer communities
My friend Venkatesh, pictured above, is going to bike four thousand miles, all the way across the continental US, from Baltimore to Portland. He's doing it to raise money for the Ulman Cancer Fund for Young Adults. I'm writing this because I want you to donate money to his cause. He's a DragonFly BSD developer, loves bikes, and your donation could make a big difference.
I first met Venkatesh through the Johns Hopkins computer club, an ACM chapter. I was the head of the club, and he had just started his career at Hopkins. He was looking for advice on running Brickwiki, the LEGO encyclopedia. Quickly, I became his friend; in that time, I've learned the following things about him.
In the years since I graduated from Hopkins, I've been impressed by Venkatesh's ongoing curiosity and contributions to open source projects like DragonFly. I'm honored to have this chance to help him bike across the country for a good cause.
Here is a quick word about the 4K for cancer effort:
His fundraising goal is $5,000. Anything from $5 to $500 is a donation to an organization that helps young adult cancer survivors and their families get access to information and support resources. Can you help?
[debian] permanent link and comments
Mon, 26 Dec 2011
Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)
Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.
TL;DR: This now gives two results: gpg --recv-key 70096AD1
Some background, and my two keys
Years ago, I read dkg's instructions on migrating the Debian OpenPGP infrastructure. It told me that the time and effort I had spent getting my key into the strong set wasn't as useful as I thought it had been.
I felt deflated. I had put in quite a bit of effort over the years to strongly-connect my key to a variety of signatures, and I had helped people get their own keys into the strong set this way. If I migrated off my old key and revoked it, I'd be abandoning some people for whom I was their only link into the strong set. And what fun it was to first become part of the strong set! And all the eyebrows I raised when I told people I was going to meet up with people I met on a website called Biglumber... I even made it my Facebook.com user ID. So if I had to generate a new key, I decided I had better really love the short key ID.
But at that point, I already felt pretty attached to the number 0x70096AD1. And I couldn't come up with anything better. So that settled it: no key upgrade until I had a new key whose ID is the same as my old key.
That dream has become a reality. Search for my old key ID, and you get two keys!
I also saw it as an opportunity: I know that cryptography tools are tragically easy to mis-use. The use of 32-bit key IDs is fundamentally incorrect -- too little entropy. Maybe shocking people by creating two "identical" keys will help speed the transition away from this mis-use.
A neat stunt abusing --refresh-keys
Thanks to a GNU Privacy Guard bug, it is super easy to get my new key. Let's say that, like many people, you only have my old key on your workstation:
Just ask GPG to refresh:
You can see that it set out to refresh just 1 key. It did that by querying the keyserver for the short ID. The keyserver provided two hits for that query. In the end, GPG refreshes one key and actually imports a new key into the keyring!
Now you have two:
There is a bug filed in GNU Privacy Guard about this. It has a patch attached. There is, at the moment, no plan for a new release.
A faster attack, but nothing truly new
My friend Venkatesh tells me there is an apocryphal old Perl script that could be used to generate key ID collisions. Here in the twenty-first century, l33t h4x0rz like Georgi Guninski are trying to create collisions.
In May 2010, "halfdog" posted a note to the full-disclosure list that generates PGP keys with chosen short key IDs. I haven't benchmarked or tested that tool, but I have used a different tool (private for now) that can generate collisions in a similar fashion. It takes about 3 hours to loop through all key IDs on a dinky little netbook.
You don't have to use any of these tools. You can just rent time on an elastic computing service or a botnet, or your own personal computer, and generate keys until you have a match.
I think that it's easy to under-estimate the seriousness of this problem: tools like the PGP Key Pathfinder should be updated to only accept 64-bit (or longer) key IDs if we want to trust their output.
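One way a tool could enforce that rule and audit a keyring for the ambiguity shown above. This is an added example, not code from the original post or from GnuPG; the function names are hypothetical, the colon-separated listing is constructed (only the record type and key ID fields are filled in), and the third key ID is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed listing in the style of `gpg --with-colons`: field 5 of a pub
# record is the 64-bit key ID. The first two IDs are the ones quoted in this
# post; the third is a made-up value.
SAMPLE_LISTING = """\
pub::::37E1C17570096AD1:
pub::::EC4B033C70096AD1:
pub::::0123456789ABCDEF:
"""

def normalize(identifier):
    """Upper-case a key identifier and drop an optional 0x prefix."""
    ident = identifier.strip().upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    if not re.fullmatch(r"[0-9A-F]+", ident):
        raise ValueError(f"not a hex key identifier: {identifier!r}")
    return ident

def require_long_id(identifier):
    """Accept only a 64-bit key ID (16 hex digits) or a v4 fingerprint (40)."""
    ident = normalize(identifier)
    if len(ident) not in (16, 40):
        raise ValueError(f"refusing {identifier!r}: need 16 or 40 hex digits")
    return ident

def parse_long_ids(listing):
    """Return field 5 (the 64-bit key ID) of every pub record."""
    rows = [line.split(":") for line in listing.splitlines()]
    return [normalize(f[4]) for f in rows if f[0] == "pub" and len(f) > 4]

def ambiguous_short_ids(long_ids):
    """Map each 32-bit short ID shared by more than one key to those keys."""
    groups = defaultdict(list)
    for long_id in long_ids:
        groups[long_id[-8:]].append(long_id)
    return {short: ids for short, ids in groups.items() if len(ids) > 1}

def suffix_matches(identifier, long_ids):
    """Keys whose ID ends with the given digits (how a short ID resolves)."""
    ident = normalize(identifier)
    return [key for key in long_ids if key.endswith(ident)]

if __name__ == "__main__":
    keys = parse_long_ids(SAMPLE_LISTING)
    print("ambiguous:", ambiguous_short_ids(keys))
    print("short lookup:", suffix_matches("70096AD1", keys))
    print("long lookup:", suffix_matches(require_long_id("0x37E1C17570096AD1"), keys))
```
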
My offer: I will make you a key
I've been spending some time wondering: What sort of exciting demonstration can I create to highlight that this is a real problem? Some ideas I've had:
The last one would be extremely amusing, and would be a hat-tip to some work discussed in Raph Levien's Google Tech Talk about Advogato.
For now, here is my offer: If you send me a request signed with a key in the strong set, I will create a 4096-bit RSA public/private key pair whose 32-bit key ID is one greater than yours. So if you are 0x517DD4E4 I will generate 0x517DD4E5.
I will post the keys here, along with a note about who requested it, and instructions on how to import them into your keyring. (Note: I will politely decline to create a new key whose 32-bit key ID would create a collision; apologies if your key ID is just one away from someone else's.)
P.S. The prize for best sarcastic retort goes to Ian Jackson. He said, "I should go and create a lot of keys with your key ID. I'll set the real name to 'Not Asheesh Laroia' so everyone is totally clear about what is going on."
[debian] permanent link and comments
Learning baritone again (for the Russian Nonsemble)
In fifth and sixth grade, I used to play the baritone horn. A few weekends ago, I played a show with the Russian Nonsemble. Look for me in a blue shirt and tie:
When I joined the Brighton public school system in fifth grade, other students had been playing musical instruments for a year. I tried a few different options, and I settled on the baritone. Maybe I really liked the sound, or how buzzing works with a mouthpiece and combines with the entire horn. Maybe I was suggestible and accepted something that the band needed.
I learned the instrument on bass clef, which was its own oddity. It was a little confusing to use bass clef in band and treble clef in chorus, but I managed. (Maybe this exercise taught me something about the concept of equivalence.)
There is something relaxing about playing the baritone: I am not keeping the melody. The tone quality I send out does not, at least in a fifth grade band, make or break the performance. One downside is that, with the highly repetitious lines, it can be easy to get lost.
Early in the sixth grade, our band director asked for volunteers to learn the French horn. Steve Marler picked it up for the musical challenge. I picked it up because I was willing to fill an institutional need.
It was a lot of fun to play French horn. Well, it was a challenge, at least. Every single group performance setting I had for the French horn -- from sixth grade through high school, through the Johns Hopkins concert band -- there was someone sitting next to me who was a full notch better than me. It was disheartening, to be honest.
I stopped playing horn somewhere in college. For a while I played mellophone in the Johns Hopkins pep band, but that wound down eventually.
About a year ago, my friend Irina invited me to be part of a band, for which she lent me a baritone.
Halfway through the concert you see above, I began to do more than just read the music. I listened to the sound of the band and looked at my bandmates, making bom-pom sounds on the horn while bobbing up and down with the rhythm of the song we were playing.
Thanks to Jess Schumann for taking the picture!
[music] permanent link and comments
Sat, 17 Dec 2011
Computer fraud and abuse by Universal Music Group
It seems that Universal Music Group willfully misrepresented its copyright interest and probably violated its service contract with YouTube. By my understanding of the Computer Fraud and Abuse Act, UMG likely took actions that exceed authorized access, subjecting it to criminal prosecution. (I am just a computer enthusiast and not a lawyer, so I welcome corrections from others.)
The emerging details, reported by Wired.com's Threat Level blog, are as follows:
In particular, Google created a system for antipiracy that is being abused by UMG:
I look forward to a speedy criminal prosecution of the employees or board of Universal Music Group. If that is not feasible, perhaps the organization itself should be put behind bars.
Even if Megaupload.com fails in its own lawsuit against UMG, I eagerly await the criminal prosecution of UMG as in another case where Federal prosecutors had to get involved.
[corporations] permanent link and comments
Mon, 12 Dec 2011
Twisted high scores
Living in the Boston area, I've had the chance to spend time with the lovely maintainers of the Twisted project.
Twisted is an event-driven network programming framework in Python. It's also a community of people for whom software is never good enough -- and they're right.
I visited the Twisted November sprint at the Smarterer.com office a few weeks ago and reviewed a ticket. So now I am on the Twisted high scores list for November!
It was one of the most rewarding short periods of time I've ever spent contributing to an open source project. I took someone's contribution and turned it into a patch, and also gave some feedback. This counted as reviewing a ticket, for which I was immediately and strongly socially rewarded: J.P. (exarkun) turned to me and said, "Thanks for contributing to Twisted."
An IRC bot pinged me with a note saying my ticket review was complete. And now I appear in the high scores list for November!
[software] permanent link and comments