sampablokuper_com

A question for Homakov

sampablokuper — Sat, 09 Jun 2012 18:41:16 +0000

Here's a comment I just posted on Egor Homakov's blog post about his famous GitHub hack. The comment hasn't shown up yet, but I'm curious about his reply, and in any hope it's a question that others may find interesting. The basic point is that I think the fuss about mass assignment in Ruby on Rails is a red herring.

I'm very grateful to you for having brought this issue to the Rails team's attention, but I find myself puzzled by the following.

Lots of commentators (e.g. ZDNet ) have suggested that the weakness in GitHub's case was that the model you discovered was vulnerable had mass assignment enabled for its attributes. However, I think the problem was not this, but was rather a failure to use a before_filter (or suchlike) in the controller to ensure that any given row in the table you updated could only be updated by an admin or by the user with the ID listed in that row. If such a filter had been in place in the controller, then it wouldn't have mattered if the model's attributes were mass assignable.

Do you agree?

Apple, I know it’s over

sampablokuper — Fri, 23 Mar 2012 06:23:55 +0000

I've never liked Apple's App Store. Its terms and conditions are draconian and - at least from a British perspective - legally ridiculous. However, today I bought a software package from it, grudgingly, because I needed to test whether that package would work for a particular task, and the App Store was - literally - the only place to obtain it. It was a software package from Apple, by the way, not from a third-party provider. Having fallen short from a consumer rights perspective even before I made a purchase, the App Store experience has now let me down on several other fronts, too.

The download speed was very slow. ~600MB took ~50mins. Every open source software repository I can recall downloading large files from over the last few years has given better download performance than that. (Plus, 600MB is insanely bloated for an application. C'mon Apple, it's not like you can't afford to pay for a code review!)
It gave me no say in how, or where, to install the downloaded software, and actually overwrote a piece of software that was already installed.
The software package, having installed itself, launched OK, but turned out to be faulty in at least a couple of show-stopping respects.
The interface for reporting problems had problems of its own.

This post isn't really about the App Store: it's just to note that the experience of using it to buy another piece of Apple software has confirmed for me that I want to migrate to using FOSS only. It'll take a while, sure - maybe a few years - to assemble a FOSS system that provides functionality that matches what I get from the proprietary software I'm still using. I might even need to learn C/C++ (no garbage collection? Yuck!), if I'm going to be able to get it all working. But I'm increasingly convinced it will be worthwhile. Apple: you and me, it's not gonna last - unless you become a lot more open and begin increasing, not reducing, the amount of control your customers can exercise over their own computers.

The “bundle” command’s default behaviour

sampablokuper — Mon, 26 Sep 2011 13:47:50 +0000

Bundler appears to be an increasingly popular gem. It's a good complement to rvm. However, one aspect of it that I find mildly irksome is its default behaviour when called from the command line without any arguments. I prefer command line programs to execute, when called without arguments, only if they are nullipotent. For instance, the command ls executes when called without arguments, and this is both useful and also, because ls is nullipotent, safe. If a command line program is not nullipotent, then its default behaviour when called without arguments should, in my view, be to behave as though it has been called together with its help option. For instance, rm, when called without arguments, instead of deleting anything (which is what rm is normally used for) lists the arguments it takes, much as if rm -h or rm --help had been called instead. The bundle command, by contrast, when called without any arguments, behaves as though bundle install has been been called. That is, Bundler treats the bundle and bundle install commands as synonymous equivalents. I'm considering filing a bug report about this, because if it's intended behaviour, then the intention is questionable insofar as it breaks the command line conventions I've outlined above, to little advantage (a terser way of calling bundle install) and an obvious disadvantage (the possibility for a user to invoke bundler install unexpectedly and thereby install or reinstall a bundle of gems on his/her machine without having wished to do so).

Plagiarism in comedy

sampablokuper — Fri, 23 Sep 2011 01:24:22 +0000

Unusually for a comedian, Stewart Lee has, for some years, devoted a corner of his website to reporting apparent acts of plagiarism among comedians. After I first encountered it, I became irked by the lack of attribution in comedy generally. Leafing through a book about Tommy Cooper some time ago, I learned that many of his jokes were based upon ones he'd bought from a joke service, and that Cooper had compiled detailed collections of others' jokes, from which he distilled much of the banter in his act. Importantly, if he was paying for the right to use these jokes, then he wasn't plagiarising them; but it was still disappointing to learn that many of the jokes I'd known him for might not, in fact, have been his. My understanding is that one of Lee's aims, in creating his Plagiarist's Corner, was to bring to public attention the derivative nature of comedy: to make people ask themselves how important originality is in a comedian. It prompted me to ask myself: would it ruin comedy if performances had to come with lists of references, like academic papers? Or would it benefit comedy, by affording the original writers a fairer share of the limelight? I was reminded of these considerations on Monday, when my friend Andrew O'Neill spotted a YouTube video of someone called Tom Hosker appearing to perform parts of his (Andrew's) act essentially verbatim, and again this evening when I watched The Letter, a 1982 sketch from the Cambridge Footlights starring Stephen Fry, which contains a very similar conceit to the Woody Allen short story Count Dracula from 1971. Perhaps Fry's sketch was written in innocence; perhaps Tom Hosker thought he could, like other stand-ups, get away with using someone else's material without giving them credit; perhaps Hosker did give credit, but I either missed that segment or he gave it off-camera. Perhaps, like folk songs termed standards or traditionals, the attribution should be considered less important than the piece, and the latter should become common property. There's a wide range of moral positions available, and to make sense of them, comedy must be seen as just one form (or perhaps a subset of forms) of the creative endeavours to which the wider intellectual property debate pertains. I'm still in the process of drawing my conclusions, but in the meantime, I'm glad of Stewart Lee's thought-provoking little corner, for improving the likelihood of those conclusions emerging well-informed.

The illusion of meaningfulness

sampablokuper — Sat, 27 Aug 2011 06:38:34 +0000

A friend of mine recently remarked that Paul Daniels, during a recent performance and interview in Edinburgh, was "Completely brilliant. Proper master of his art." I don't know very much about Paul Daniels. When my friend made this remark, I could recall only four occasions during which I encountered information about him:

I vaguely remember, at a very young age, seeing him perform an illusion on TV in which he pretended to pass a camel through the eye of a needle or some such, with, I think, the assistance of his wife.
I recall that a childhood friend of mine had a magic kit with Daniels's name on it, containing cups and balls, a plastic wand, and one or two other little inexpensive props.
I also vaguely remember having seen newspaper headlines mentioning his appearance on The Farm, an agriculturally-themed celebsploitation TV show in which David Beckham's alleged mistress demonstrated upon a live boar approximately how she might (if the allegations were true) have treated Beckham's penis, by bringing the boar to climax with her hand.
Much more recently, I saw him mentioned in the news during the UK riots a few weeks ago, as having called for rioters to be treated violently.

So far, so shallow. Entrepreneurial, sure, and in that sense successful - but moreover sensationalist and somewhat cynical. So, to better understand why my friend might have thought the man was "completely brilliant", I looked him up. I began by searching for the performance I vaguely remembered: the one in which he pretended to pass a camel through the eye of a needle. I couldn't find it online, but I did find a video of a 1981 broadcast in which he pretends to pass a lady through a hole in a giant coin. He was slick then, certainly: constant patter and activity to hold the attention; good diction; measured, purposeful movement; consummate showmanship. He's much the same now, as you can see in this interview and performance from earlier this month in Edinburgh. (The latter isn't, as far as I know, the same interview or performance my friend saw.) Next, I looked up The Farm. It turns out he didn't spend very long on the show, but before he left, he did entertainingly silence Vanilla Ice, who had been gibbering hawkishly about the behaviour of the US military. He did so with a quick, capable and surprising performance structured much like a magic trick: a deft feint - misdirection, in other words - and then a sudden counterintuitive outcome. But was it a masterful performance? In a narrow sense, yes: it challenged Ice's behaviour and made him pause, and it drew the audience's attention. But it didn't challenge Ice's dubious argument, and in that sense it was not masterful at all. This is precisely analogous with illusionism in general: it uses performances to challenge expectations and draw attention, but the only true assertions it makes are that many people can be manipulated with trickery, and that, regardless, many people crave distractions that pique their curiosity. These are important assertions: they hold powerful ramifications for human economic and social structures. But to spend an entire career making them over and over again is essentially masterful only of repetition. So much for the chimeras he creates onstage or onscreen; what of the man himself - or at least, what of him as an interviewee and as an individual responding to events in his own time, rather than as a paid performer? In this interview with Penny Broadhurst, I was forcibly struck by Daniels's emphatic expression, in essence at least, of two assertions that are obviously inconsistent with each other: at one point, he suggests that success results from the choice to apply oneself; but at another point, he claims it depends, instead, upon innate, hereditary abilities - which one obviously can't choose for oneself. Evidently, then, he can't be trusted to have thoroughly thought through what are apparently his earnest opinions; and this, I would say, falls short of completely brilliant. Perhaps he was more circumspect during the interview my friend witnessed. In his own time, like so many people, Daniels blogs on Blogspot and micro-blogs on Twitter. On Tuesday 9 August 2011, in response to the widely-reported UK riots, he used both mediums to expostulate on the topic. On Twitter, he suggested people who took part in illegal rioting, looting and violence against the police should be sent to Afghanistan or similar war zone where you will remain in that war zone [sic] for a period of 3 years without any reduction of sentence. He declined, though, to state why he thought this would be constructive. He also proposed the reintroduction of National Service as a sort of universal panacea for society's ills, presumably in ignorance of the fact that National Service was cancelled because it was found to cause more problems than it ameliorated. He tweeted two more unsupportable pronouncements that day. One was, Human rights? They haven't earned them. This suggests that either Daniels does not understand what is meant by the concept of a human right (i.e. a right which is earned by being a human), or he believes the rioters were not humans. Maybe he thought they were mutant poppy seeds, and that sending them to Afghanistan for three years would let them be nurtured into cash crops. The other was, I hate Communism and what it does to people. I watched their soldiers shooting women and children. I told [my wife] that [the Tiananmen Square massacre] would happen! This is a strange trio of sentences. Perhaps they were intended to be unrelated to each other, but their being bundled together suggests otherwise. Is Daniels asserting that when troops shoot women and children, it is necessarily the Communism of those troops' leaders that is to blame? If so, then a massacre like Tiananmen would indeed have been somewhat predictable, but so, too, would several quite different things have to be true that are not true: America under George W. Bush would have to have been Communist, because its troops shot women and children; the Mormons of the Utah Territorial Militia in the 1850s would have to have been Communist; General Custer would have to have been a Communist, as would the leaders of the Nazi party; etc. Clearly, this is nonsense. The shooting of women and children may be reprehensible, but it is not a behaviour that can be rationally attributed to Communism. Bizarrely enough, on Blogspot, Daniels said, I thought 'outlaws' were OUTSIDE the law and therefore not party to it, and expressed frustration that people had not been allowed to shoot the rioters with rubber bullets, despite the facts that the rioters had been widely reported to include women and children, and that Daniels, as mentioned above, seems to hate the prospect of shooting women and children. Rubber bullets may have a lower risk of lethality than conventional bullets, but can injure and kill nonetheless. From the information I've presented above, it seems fairly clear that Daniels is intolerant of law-breaking. It's also clear, though, that he's inconsistent. As such, it shouldn't come as a surprise to learn that despite the harsh treatment he wants to see meted out to strangers who he believes have broken a social contract, he's applied what seem to be rather different standards to the criminal activities of two of his sons. After Daniels's son Gary Daniels instigated a fraud that cost the NHS £20,000 to investigate and a further £12,500 in wrongful charges, instead of letting him go to prison, Daniels intervened, persuading the court to give Gary a softer sentence, and letting Gary move into his mansion. For perspective, let us note that many of the people who have been prosecuted for looting or rioting - some of whom received substantial prison sentences - were found to have caused comparably tiny values of damage, and in some cases no damage at all. Yet I don't see Daniels offering to write to courts to try to reduce their sentences, nor accommodating them in his home. Daniels also previously defended Gary after police found that Gary had wasted police time by faking a burglary. This is a rather remarkable case, in that because Gary admitted to the police that he'd wasted their time, they decided not to prosecute him. Perhaps if a rioter in their district simply admitted to that police force that he or she had run riot, they would be similarly lenient? Another of Daniels's sons, Paul Jr, was not quite so fortunate: Daniels either chose not to or was unable to prevent him being sentenced to twelve months' imprisonment after he was found guilty of insurance fraud and securities fraud. This isn't Paul Jr's only conviction, either; he's also been convicted of dealing illegal drugs, drink-driving and selling illegal pornography, although Daniels did at one point forgive him his crimes and help him to set up a business; which, again, seems at odds with Daniels's attitude to criminality in the wake of the riots, especially his remark about outlaws. Reading about these two sons of his, I began to wonder if Daniels's desire for the reinstatement of National Service mightn't stem from a subconscious theory that had those sons been engaged on National Service, it could have compensated for his fathering and kept them out of trouble. Over the course of writing this blog post, I've come to the tentative conclusion that my friend's comment, if taken out of context and applied to Daniels in general rather than Daniels in the specific performance and interview my friend saw, was half right. Daniels is a master of his art, and that art consists of misleading at least some people into believing that he has, with ease, achieved something difficult or impossible. He can make audience members believe - at least on some level - that he has slipped a lady through a coin, or that he has falsified another person's argument about military ethics; and he can convince himself, and perhaps one or two others (to judge from the replies he received to the blog post and tweets I mentioned above), that there are simple solutions to complex problems like criminal disorder. His mastery of this art, or rather, his exploitation of it, has brought him fame and fortune. But his hypocrisy and his unfounded proclamations show him to be not merely short of completely brilliant, but far from it. Too bad.

Food for aught in Cambridge, UK

sampablokuper — Mon, 14 Feb 2011 18:38:25 +0000

A friend of mine in Cambridge recently told me she routinely buys more food than she needs for herself. She enjoys entertaining, so she's usually able to use up most of the excess in this fashion, but on weeks when her friends are all busy, that excess food goes to waste. I doubt she's alone in doing this. Now, wasting food is always a travesty, but in a city where 15,000 people are estimated to be living on the edge of poverty, it seems especially inexcusable, so I had a think about how to solve this. The obvious solution would be to give the food to people who need it. But who, and how? It's important that donating excess food should be convenient and flexible: it shouldn't require the logistics of making prior arrangements or of journeys of more than a few minutes, and it should be able to accommodate a wide range of different foodstuffs. That rules out the Cambridge City Foodbank, because they will accept only a limited range of foodstuffs. What about soup kitchens, or homeless shelters? A quick Web search revealed two homeless shelters in Cambridge. One of them, Jimmy's Night Shelter, is close to the centre of town, has staff available most hours of the day, and explicitly mentions on its website that it accepts food donations. The other, WinterComfort, is a little further from the city centre, is staffed shorter hours, and does not mention on its website whether it accepts food donations. I've left them a voicemail about the latter point, and if they reply, I'll post an update accordingly.

Using a USB CD/DVD drive to boot a Macbook Air with a faulty screen

sampablokuper — Tue, 18 Jan 2011 18:31:55 +0000

I've been meaning to write this up for some time. Given a Macbook Air with a faulty display, how does one boot it from, say, the Snow Leopard DVD-ROM, in order to access, for instance, Disk Utility to repair the system hard drive? The only way I've found to do this requires first getting Mac OS X running using an external monitor, mouse and keyboard. If you're not sure how to do this, here's how. You'll need a USB hub to connect the mouse, keyboard and USB CD/DVD drive to the Air, and you'll probably need a micro-DVI to VGA adapter or similar to connect your external monitor to the Air. Boot the Air by pressing the power button, then close the lid. Press the shift key periodically on the external keyboard to ensure that the Air discovers its existence. After a minute or two (really, this can take a while), the OS X login screen should show up on the external monitor. Now that you've got this out of the way, you're ready to boot from the DVD. Put the Mac OS X DVD into the CD/DVD drive, and then click the Restart icon on the login screen. When the external monitor goes blank, hold down the 'C' key on the external keyboard. Keep it held down until you see or hear the OS X DVD being read in its drive. At this point, your Macbook Air should boot up from the OS X DVD. Hurrah! NB. I haven't managed, yet, to get this to work by booting from the DVD directly, i.e. without first booting from the HDD and using Restart en route to booting from the DVD. When I tried booting from the DVD directly, the external monitor simply stayed blank.

Hacking the IronKey

sampablokuper — Fri, 14 Jan 2011 13:48:09 +0000

Especially since the Gawker debacle, I've been thinking about password management. Reasonably long, randomly-generated strings of alphanumeric characters (and punctuation marks too, if supported) tend to be the most secure passwords, but can be hard to remember. To solve this problem, password management applications will store username/password combinations for you, locking them with a master username and password. To allow access to the password vault when the user is away from her usual computer, many of these applications offer the facility to store a copy of the vault on a USB drive. That way, the theory goes, users can still reach their vaults when using computers in internet cafes or other public places. This is fair enough in principle, but in practice, mightn't there be some danger in leaving that vault on a USB drive, or opening it on an untrusted computer? This led me to find out a little more about secure USB keys, which offer features like write-protection, hardware-based encryption, and tamper-proofing. The only brand of USB key I could find that offers all these features is IronKey, which claims to make The World's Most Secure Flash Drive. It's designed to protect users against a range of vulnerabilities to which other USB flash drives are known to be susceptible. However, after reading the manual, I came up with an attack vector that IronKey's literature doesn't - as far as I can tell - address: a man-in-the-middle attack using malware on the host PC. Here's how such an attack might play out. An attacker (e.g. an identity thief running an internet cafe as a front business) installs a piece of malware onto a PC (e.g. one of the internet cafe's PCs). The malware waits for a user to insert an IronKey. When a user does so, the malware hides the IronKey's login screen and displays, instead, a visually identical interface. The user enters her credentials into this interface, having been deceived into thinking it is the genuine IronKey interface, and now the malware has them. The malware could then unlock her IronKey and would be free to copy or modify her data for as long as the IronKey remains connected to the PC. So, has anyone tried this?

Microtrams

sampablokuper — Thu, 30 Dec 2010 19:15:51 +0000

What is a microtram, you ask? A microtram is, currently, a fiction; an imagined form of transportation that I hope will one day be real. More specifically, a microtram would be a car- or van-sized vehicle, probably with rubber-tired steel wheels, capable of running on a network of tracks extending door-to-door or very nearly so. In other words, a fully-realised personal rapid transit vehicle. I started dreaming of microtrams in 2001-2. I didn't have time to publish anything about microtrams then, but I'm finally starting to get around to doing so! I've since come up with several forms of tram, but the two most plausible are a street-level tram that would replace buses, vans, lorries and cars, and an alternative overhead type that would run on tracks high enough to let road transport run underneath. About a year ago, NASA started publishing on a scheme that was (for me, at least!) reminiscent of the latter. I'll publish more of my ideas about microtrams when I've got time, but in the interim, here's a table sketching out some of the strengths I think microtrams would have over other forms of transport. I think a solution allowing people to easily walk or cycle short to moderate distances and take microtrams for longer - or more heavily-laden - overland journeys would be ideal.

A new year’s wish

sampablokuper — Thu, 30 Dec 2010 16:00:34 +0000

More jobs… (With thanks to Jerry Atkin.)