June 2004 Archives

Andy Oram

Related link: http://www.cacert.org/

Getting a digital certificate signed by a recognized Certificate
Authority–and here I mean a well-known entity embedded in web
browsers and other critical places, not a Web of Trust kind of thing
or a hub on your LAN–used to be a major expense.

It was natural to think of Certificate Authorities as heavy-weight,
bureaucratic, and expensive, like getting a domain name (a field
dominated by the same firm that dominates Certificate
Authorities–hmmm) or wireless Internet services.

Well, what’s natural turns out to shift like the sand on a Cape Cod
bayside beach when the tide goes out. You can get wireless Internet
free, if you happen to live near one of the many municipal hotspots
being installed around the world. Competition in domain names is
growing, and costs are correspondingly coming just a bit closer to the
costs of maintaining the DNS infrastructure (which is quite
small). Now, thanks to
CAcert,
everyone can get a free digital certificate signed by a global player.

CAcert is a non-profit volunteer organization. Some of the volunteers
turned up this week at
Usenix
in Boston, where I talked to them for some time. CAcert’s marketing/PR
director Adam Butler also put a long article in the June 2004 issue of
Usenix’s magazine ;login: to explain their approach to
security and their progress toward acceptance.

There are discussions going on at the
Mozilla
and
Konqueror
about including CAcert in their list of Certificate Authorities so
that no extra steps are required to validate web sites that use CAcert
certificates. Several valid concerns have been raised about the
standards for determining whether CAcert itself is trustworthy, which
I’ll touch on later.

How CAcert works

CAcert’s resourceful Australian originators took a hard look at the
infrastructure that’s really necessary to operate a Certificate
Authority, and found that it was fairly small. Free software
implementations of SSL, X.509, and similar secure technologies reduce
technological costs to the price of the hardware. Organizationally,
the service is driven by volunteers and donors who find a mission in
providing authentication to the world.

Registering for a CAcert certification requires no money; the cost
comes in time and trouble. You are asked to register online, perform
some tasks by email, and then bring two forms of picture
identification to a site where CAcert staff can determine whether
you’re legit. (At Usenix, I was not able to complete the sequence.)
This provides enough friction to make cheating non-trivial.

As one volunteer explained, “You could forge or steal a passport, but
then you’re in much bigger trouble than you could ever be with us and
our little certificate.” He also pointed out that Verisign offers
certificates on the basis of documents faxed to them. In short, like
all CAs, CAcert leverages off the existing infrastructure for
verifying identities. The processes for getting passports and drivers
licenses have known vulnerabilities, but getting a digital certificate
from CAcert isn’t significantly more vulnerable.

Certificate Authorities recognize different levels of assurance, based
on how hard it is to get a certificate. CAcert’s process for average
users is not very demanding, but it’s probably adequate for exchanging
email and other everyday online activities. I probably wouldn’t use
one to sign a million-dollar contract.

CAcert has also adopted a Web of Trust system to allow multiple sites
to grant certificates. The criteria for reaching this higher level and
becoming an Assurer are more
rigorous.

The meaning of CAcert in context

Goods and services obey a kind of financial Parkinson’s Law, expanding
to fill the available space. Thus, when commercial Certificate
Authorities defined a digital certificate as a rare item deserved only
by large institutions, they could charge accordingly and the
institutions felt privileged to have one. Meanwhile, the small group
of computer hackers who recognized the value of digital certificates
resorted to the Web of Trust or simple measures such as signing
software with MD5 hashes that they posted in well-known places.

But in an era where we are drowning in malicious code, spam, and an
increasing reliance on the Internet for critical activities, people
are rising up to expose the Parkinson’s Law. A comment on the
Mozilla
site from Glen Morris says, “Security should be a right not dependent
on your ability to pay.”

Critics of CAcert say it fails to follow industry standards.
Defenders point out that these standards impose costs that can’t fit
in CAcert’s service model, that many browsers fail to enforce
standards, and that major Certificate Authorities fail even when
they’ve been attested to by standards committees. (The famous incident
where Verisign gave a Microsoft certificate to an unknown masquerader
comes up a lot.) Furthermore, some experts such as Bruce Schneier are
skeptical of the security claims Certificate Authorities make, on the
basis that real life just isn’t air-tight.

And here’s where CAcert may actually represent that overused phrase, a
paradigm shift. To judge CAcert fairly requires us to go beyond the
accepted industry standards, to decide what we really want in a
Certificate Authority, and to carry out the traditional analysis of
risk, threat, and response that Schneier and others tell us to do
whenever we deal with security issues. I bet that open-minded people
can find a low-cost solution to everyday communications needs
involving a free CA such as CAcert.

How would free, widely used digital certificates change Internet use?

Jono Bacon

In the early days of Linux, life was simple. Hackers hacked their code, interested parties tried to run it, and the vast majority of people had never even heard of this Linux Operating System. To the world, Linux was merely a hobbyist’s fascination that few understood and even fewer cared about. Time did not stand still, and the hackers continued to hack and the interested parties continued to understand, and before we knew it we had a system that had a real and viable commercial potential. This potential was subsequently realised with companies such as Red Hat, SuSE and others creating businesses around the software, and these organisations have gone on to make real and measurable wins.

There is little doubt in my mind that the biggest challenge that faces Linux and potential migration is attitude. Prejudice, assumption and inertia are the main brethren that we need to combat, but in many ways the challenge is applicable to those inside the community as well as outside it. If the Linux community want the outside world to change their attitudes to our software and the potential for an alternative, the community itself needs to also sit back and re-evaluate common attitudes and views on the industry and competition.

Of all the potential attitude issues, there are certain primary problems that need to be identified and considered. The first is our attitude to Microsoft. It really pains me to see people referring to Microsoft as Micro$oft and citing them as this big and evil organisation that is out to claim our children and take over the world in a boiling pit of fury. Microsoft are a company out there to make money, and they pursue their business as a commercial software company. In this regard they are no different to Red Hat, IBM, Sun, SuSE, Mandrake and others in their focus to bring in profit. Microsoft obviously have their differences in how they actually do their business, and some of these practices do leave a lot to be desired. The key point here however is that there are a great many organisations out there that could be considered less than stellar citizens in the IT community; we just need to identify the problems with these companies and deal with them in a professional, sane way. I see no need to resort to schoolyard jibes behind the bikeshed about our competitors.

Another point to make about Microsoft is what we can learn from them. Although they are without a doubt a dominant company, and some degree of their dominant position will be from their dominant practices, Microsoft got to the position they are in now because of one simple reason - people like their products. Yes, people may have liked their products many moons ago but were locked in to their upgrade cycle, but Microsoft do have an impressive pulling power to bring new people over to their stable of offerings. What is interesting to note is how they manage to bring over these customers with products that are in many cases inferior, or where an alternative product is available for a fraction of the cost. How do Microsoft bring over these customers to their camp?

The answer can be found within their own attitude to their customers. Microsoft are very much an outcome focussed company; they create products and solutions that are based on practical, real world problems that need to be solved by their customers. At the recent Get The Facts roadshow, I went along to the Manchester leg of the tour to interview a couple of guys from Microsoft for one of the publications I write for (Linux User & Developer magazine). Before the interview took place I sat in a number of presentations from chirpy pro-Microsoft customers who are pleased with their Microsoft solutions. I am confident that these customers were not puppeteered by Microsoft, and the overriding message was that Microsoft helped them solve their problem practically. The focus was certainly more on the problem domain as opposed to the software domain; Microsoft simply directed their software to the customer in a way that could solve the problem in hand.

This primary focus on the problem is something that we need to really shape and refine in the Linux community, and it is the responsibility of the commercial sector to really push solutions as a business model. This kind of use case based methodology has even applied to different free software projects, and this is the right way forward. We need to identify what the user/customer needs to achieve, and how to achieve this goal with the easiest and most elegant solution.

With any product, service or organisation that is hot on the heels of the traditionally dominant entity, we need to learn from the leader as well as challenging the leader. A bright, young athlete will learn from an Olympic athlete, but will also want to challenge the views and propose a better application of their craft. The core benefit of being in the mentored position as opposed to being the mentor is that we can identify the benefits and trash the disadvantages. We are all well aware of the bad choices Microsoft and others have made in the industry, and we have the opportunity to prevent these bad choices being made again.

FUD

Fear, Uncertainty and Doubt (FUD) is a major problem in IT. We are all familiar with the kind of tactics used by large corporations to scare customers about the competition, but FUD is fundamentally a two way process. Companies such as SCO and Microsoft do spread FUD about Linux, but certain portions of the Linux community also spread FUD about other solutions, and this negative rambling is a bad thing, no matter who it comes from. In many cases, resorting to FUD tactics is simply because the vendor has a lack of faith that their solution is the best solution.

I am confident in Linux and Open Source, and I am confident with the different ways that our technology is being used. One of the great joys of my job is in seeing how different people approach problems in different ways, and the technology is ultimately flexible. With this confidence in the technology breeds a sense that FUD tactics are ultimately pointless if the FUD works but the software does not. If after the lights, camera, action and premier the show is held together with chewing gum, no one is going to go for the viewing. The challenge is to change this Fear, Uncertainty and Doubt into Fact, Understanding and Definition.

One of the many challenges that face the community is with regards to a single unified voice. For all we have some incredibly talented and forward thinking members of our community, we also have a raft of trolls; ignorant to any view but their own unbalanced mis-representation of an un-truth. Some may see this as a fault, but this is a factor of life in any community. In our global village we have some fantastic contributors that keep our community ticking over and getting better, but there are a number of other villages out there that are missing their idiots. This is the core difference between a singular vendor and ourselves. Microsoft can send out a memo with the company view, and irrespective of whether some people in the company agree or disagree, the company must have a singular vision if it wants to be seen as credible.

Honesty

One of the biggest challenges that I face as a writer is getting honesty out of people. Sometimes I need to weed it out via probing questions, sometimes I need to research it on the net, and sometimes I need to compare contrasting content to identify the truth. Despite this challenge, I will never ever stoop to the tabloid methods of playing one person against another in an underhand way, and my idealistic side often hopes that the interviewee will provide an honest and frank response with little intervention from myself; rarely does this honesty and frankness shine through.

This is an area where the leaders of the community and the leaders of the commercial sector of the community need to really take note. The traditional method of wrapping up statements to the press and your customers with legalese and a restrictive official tongue has problems within the Linux sector. Businesses that are involved with free software simply cannot cover over the cracks in the same way that closed source companies can hide internal gaffes from prying eyes outside of the walls of their PR department. Many business representatives seem to be unable to accept liability or the fact that they don’t know how to answer a question. As we head further into a business sector that is driven by openness and clarity, the organisations that service the sector could really capitalise on trust by being frank and honest in any correspondence with the press and their customers. This kind of trust is often found in small local companies who provide a great, personal and honest service; why should it not apply to large organisations?

As we head forward into a new breed of IT choice, our attitudes can determine how we shape our future. I have ultimate confidence that our technology can take us there, but the true challenge is determining if our will can take us there.

What do you think? Any more suggestions to make? Any comments to give? Share your thoughts below…

Matthew Langham

Last week, I spoke about the way we “do” Open Source at the Open Source workshop of a large German consulting company. After my talk, another - more product oriented - company spoke and constantly referred to us (somewhat jokingly) as the “white knights” of Open Source - and was sceptical as to how we are actually able to make a business model from the way we do things.

So, let me explain our philosophy. When we (a mid-sized German software company) started thinking about Open Source back in 1999, we thought long and hard about how we could use Open Source in our day-to-day projects and yet at the same time retain a good relationship with the community. For a company that was - to that point - 100% a build-custom-solutions-for-customers-and-get-paid firm, this was quite a revolutionary idea.

And yet I was able to convince my boss that “cherry-picking” Open Source solutions would only help us in the short-term and not in the long-term. So from the beginning we got involved with the community. This wasn’t easy in the beginning - because the community itself was sceptical about our interests and the company was sceptical as to whether this would really work. It took a couple of years for us to actually find the correct balance between what we had to do (i.e. earn money) and what we wanted to do (i.e. support the communities). We had to learn how the communities function, what was expected of us, how we could help and we had to understand that - as a company - you need to give up (to some extent) your initial business interests to become commercially successful with Open Source.

Now, this probably sounds stupid, so let me elaborate. As a company we are prepared to invest a portion of time so that members of my team can work on the Open Source project - without there being a specific customer project in the background. They basically help other people (perhaps even competitors) fix bugs or get going with the Open Source solution. Doing so actually helps us to find new customers and extend our business reach using Open Source.

Giving up our own interests has actually proved to be more commercially rewarding than we expected. “Getting” Open Source is not easy - especially for a commercially oriented software company - and it doesn’t happen overnight. To be called the “white knights” of Open Source is actually very flattering. Because it shows that many other companies don’t yet understand the revolution that is happening around them.

Nitesh Dhanjani

Related link: http://konfabulator.com/

Tiger’s Dashboard widgets seem quite similar to what Konfabulator is all about. Konfabulator’s website now displays “Cupertino, start your photocopiers!”, a response to Apple’s recent “Redmond, start your photocopiers!” posters to promote Tiger.

I use Konfabulator, and it’s great. I can understand why they must be upset about this. I’m not sure if Konfabulator derives ideas from any other product before it, or if it was an original idea. Does anyone know?

David Sklar

Related link: http://www.publicintegrity.org/report.aspx?aid=332&sid=100

The Center for Public Integrity filed a Freedom of Information request to get a copy of the Foreign Agent Registration database, which includes information on activities by registered lobbyists on behalf of foreign governments.



The Justice Department said that it couldn’t provide a copy of the entire database because doing so could destroy the database.



Meanwhile, you can go to the appropriate office in Washington DC and pay fifty cents a page to make copies of documents. The information is available in (expensive) page-by-page drips, but not as a whole.



I am curious to learn about the quantum database software in use that could subject the data to changes by reading it. Or perhaps the 8 inch floppies that the data is stored on would get too hot and melt if they had to spin so fast to copy entire files?

How far short does a government information system have to fall beneath its legally mandated requirements in order for there to be severe consequences for those who are supposed to be managing the information system?

Nitesh Dhanjani

Related link: http://securityfocus.com/archive/1/367116/2004-06-24/2004-06-30/0

Came across this posting on BugTraq. Apparently, swap files in Mac OS X (as of 10.3.4) contain user passwords in clear text.

Run the following on your Mac OS X box to see if you can find your passwords stored in clear text:

    sudo strings -8 /var/vm/swapfile0 | grep -A 4 -i longname

At first, this ‘vulnerability’ may not seem like such a big deal. After all, the swap files are only readable by root. However, a system administrator should not have it so easy if he or she would want to obtain user passwords. Passwords should never be stored in clear text _anywhere_. A malicious trojan with root privileges can now steal user passwords in clear text, and many users use the same passwords for other accounts, so this is a big deal. In addition, Keychain passwords are also apparently stored in clear text within the swap files (I haven’t tested this). I hope Apple fixes this soon!

Derek Sivers

Related link: http://www.meyerweb.com/eric/thoughts/2004/06/26/structural-naming/

Starting with an earlier post called I don’t want templates, I want HTML-making shortcuts, I’m slowly exploring the idea of the final HTML in web programming coming not from an HTML template, but from programming shortcuts. It seems ridiculous, I’ll bet. But Eric Meyer’s new post on Structural Naming reminded me why this makes sense.

I do believe, VERY much, in the idea of separating business-logic from presentation-logic. (Some call it model-view-controller. Whatever.)

But when HTML moves towards structural naming, it really is more like creating XML, where it’s the programmer’s job to output solid, valid, structurally-marked-up data. NO layout, NO colors, NO fonts, just data….

…and it’s not the designer’s job to get that data into structural and valid HTML. Therefore it’s not a good time to be using separate template systems meant just for designers.

Once the HTML is created, then it’s the designer’s job to use a CSS stylesheet to make that structural data look how they want.

I may be totally wrong with this, but in a few weeks I’m going to try to put this vague idea into practice, and letcha know how it goes.

Related link: http://httpd.apache.org/docs/mod/mod_log_forensic.html

Apache version 1.3.31*) now comes with a special module for forensic logging of requests made to the server.

The module is called mod_log_forensic and is able to log client requests before and after processing the request, so you get two log lines for each request. Each log entry gets a unique ID (or “token”) which can be associated with the request using the normal CustomLog directive.

 * Relate the forensic log to the transfer log by including
 * %{forensic-id}n in the custom log format, for example:
 * CustomLog logs/custom "%h %l %u %t \"%r\" %>s %b %{forensic-id}n"

If data cannot be written to the forensics logfile, the child process exits immediately and may dump core.

For analyzing the forensic logs created by this module, a special check_forensic script is included in the Apache source distribution (see: src/support/check_forensic). This script takes as its argument the name of the logfile and complains if a request was not completed.

The idea for this module came from Tina Bird; the code was written by Ben Laurie.

*) Apache 1.3.30 was not released.
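
An added example (not part of the original post or of the Apache distribution): a Python sketch of the kind of check check_forensic performs, extended to look up unfinished requests in the transfer log by forensic-id. The sample log lines are constructed, the function names are hypothetical, and the `+id|request|Header:value` / `-id` line layout is assumed from the mod_log_forensic documentation rather than from this page.

```python
"""Pair mod_log_forensic entries and join them to a CustomLog transfer log."""
from urllib.parse import unquote

# Constructed sample data, not real traffic. Assumed layout: the module writes
# "+<id>|<request line>|<Header>:<value>|..." before processing a request and
# "-<id>" once processing has finished.
FORENSIC_LOG = """\
+AAAA0001|GET /index.html HTTP/1.1|Host:www.example.test|User-Agent:probe/1.0
-AAAA0001
+AAAA0002|POST /cgi-bin/form HTTP/1.1|Host:www.example.test%3a8080|Content-Length:4096
+AAAA0003|GET /favicon.ico HTTP/1.1|Host:www.example.test
-AAAA0003
-AAAA0009
"""

# Constructed transfer log using the CustomLog format quoted above; the last
# field on each line is %{forensic-id}n.
CUSTOM_LOG = """\
192.0.2.10 - - [24/Jun/2004:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 AAAA0001
192.0.2.11 - - [24/Jun/2004:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 AAAA0003
"""


def parse_forensic(text):
    """Return (started, finished, malformed) for a forensic log.

    started   maps forensic-id -> {"request": str, "headers": dict}
    finished  is the set of ids that have a matching "-" line
    malformed lists (line number, line) for lines that fit neither form,
              including a "-" line whose "+" line was never seen
    """
    started, finished, malformed = {}, set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("+"):
            fid, _, rest = line[1:].partition("|")
            fields = rest.split("|")
            headers = {}
            for field in fields[1:]:
                # ':' and '|' inside values are written as %xx, so the first
                # literal ':' always separates header name from value.
                name, _, value = field.partition(":")
                headers[unquote(name)] = unquote(value)
            started[fid] = {"request": unquote(fields[0]), "headers": headers}
        elif line.startswith("-"):
            fid = line[1:]
            if fid in started:
                finished.add(fid)
            else:
                malformed.append((lineno, line))
        elif line.strip():
            malformed.append((lineno, line))
    return started, finished, malformed


def incomplete_requests(started, finished):
    """Ids that were logged before processing but never after it."""
    return [fid for fid in started if fid not in finished]


def index_transfer_log(text):
    """Map forensic-id (last field of each transfer log line) to that line."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[-1] != "-":  # "-" means no forensic-id was set
            index[parts[-1]] = line
    return index


def report(forensic_text, custom_text):
    """One row per request that started but never completed."""
    started, finished, _ = parse_forensic(forensic_text)
    transfer = index_transfer_log(custom_text)
    rows = []
    for fid in incomplete_requests(started, finished):
        entry = started[fid]
        rows.append({
            "id": fid,
            "request": entry["request"],
            "host": entry["headers"].get("Host", ""),
            "in_transfer_log": fid in transfer,
        })
    return rows


if __name__ == "__main__":
    for row in report(FORENSIC_LOG, CUSTOM_LOG):
        print("incomplete:", row)
```

A request that shows up here with no transfer log entry is one the child process began handling and never finished, which is the case the forensic log exists to capture.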

brian d foy

Related link: http://interglacial.com/~sburke/stuff/pretty_rss.html

Sean Burke explains how to use comments, CSS, or XSL to make RSS files display nicely in web browsers.

Chris Shiflett

Day 3: The last day of the conference came too quickly. I slept in a little (missed Geoff’s Apache-Test talk), then walked over to campus. I overloaded on those tasty banana muffins before checking in on Jeff after his 85 minute talk on extproc_perl.

We went to Fuddruckers yet again for lunch with a large group and got back in time to catch a large part of Damian’s talk, which was pretty entertaining. Town Hall seemed pretty useless, but I guess it’s a tradition. There seemed to be too many people complaining about dumb stuff, like the guy who was upset that he didn’t know about the trip to Niagara Falls on Saturday morning. Of course, it’s been on the wiki for a long time. There were some funny comments on the #yapc IRC channel about that particular guy.

After Town Hall, we (Geoff, Jeff, Mike, and I) went to the speaker’s dinner, which was nice. I met Jon Orwant and got to hang out a bit more with Nat. Jim Brandt was there with his whole family. He seems like a really nice guy, and he did a super job with the conference. Other people I recall seeing include Damian Conway, Andy Lester, and James Duncan.

After failing to talk Nat into joining us for a movie, we went to see Dodgeball, which was hysterical. Geoff and I got the souvenir barrels of Coke on purpose, so I now have three of those (Geoff didn’t want his).

Back at the hotel, Geoff and Jeff went to bed, and Mike and I hung out at the bar until 5:00 or so. There, we chatted with James and Katrien before they went to bed, and I met Gavin Estey.

Day 4: I woke up feeling extremely tired (and thirsty, thanks to the half dozen pints of Guinness), but managed to get packed up and out by 10:30 or so. We went to Niagara Falls, which I had never seen, and that was really cool. We ate at the Hard Rock Cafe for lunch, and Mike came up with a true gem of an idea (I’ll keep the idea a secret for now). He jokingly mentioned the idea as a Lightning Talk, and we all decided it would work best as a 5 minute movie that we plan to have ready by OSCON in Portland. Now I need to learn how to use iMovie.

I thought the conference was great, and as always, it was good to get to hang out with friends. It’s too bad I only see them a few times a year at conferences. Being mostly a PHP guy, YAPC was particularly fun, because my primary goal was to hang out, so there wasn’t even any underlying pressure to have a more legitimate reason to be there. It was a nice way to enjoy a conference.

Pictures:

Chris Shiflett

Related link: http://yapc.org/

Day 0: I took a train from Penn Station to Philadelphia to stay at Geoff’s house Monday night (Day -1). We then drove to Buffalo on Tuesday (Day 0) with Jeff and Mike (a former co-worker of Geoff and Jeff). Everyone is staying at the University Inn, but since I had just decided to tag along at the last minute, I didn’t have a reservation. I arrive to learn that they’re booked, so I end up rooming with Geoff.

The four of us had dinner at the hotel restaurant, then sought out Main Street (at the waitress’s recommendation) to have some fun. We quickly learn that Main Street is dead, so we drive to Sean Patrick’s to see if anyone is left from the arrival dinner. There were a few people there, including Nat, so we chatted over a few beers, then headed back to the hotel to sleep.

Day 1: We made our way to campus, got registered, and listened in on the last of Allison’s keynote. Geoff then spent quite a while trying to get his laptop to play nice with the facility’s AV equipment, which was finally successful. Lunch was at Fuddruckers, courtesy of Scott Meyers (of Sams Publishing). Perrin and a few other people joined us.

I listened to Damian Conway speak (my first time hearing him) at his Perl 6 talk. He is a very good speaker, even with his quirky pronunciations of words like data and cache. What surprised me the most about the upcoming Perl 6 features are the non-ASCII characters in the language syntax. The Yen symbol is a zip operator (“it looks sort of like a zipper”), while “naughty French brackets” and “naughty German brackets” are two others. These each have ASCII equivalents, but this decision seems really odd to me. Apparently Perl people aren’t very happy either. On the other hand, the coolest syntactical sugar I learned about was the semi-infinite yada (…), which has all sorts of handy uses, all of which are mostly intuitive (which is not how I would describe many of Perl’s operators). All in all, I was impressed with Damian’s speaking talent as well as what I can best describe as a solid theoretical foundation upon which language design decisions seem to be made in the Perl world.

After going back to the hotel for a bit (I went for a short run), we (Geoff, Jeff, Mike, Perrin, and I) joined other YAPC people at the Anchor Bar, which is where Buffalo wings were invented. Geoff has a picture somewhere of two college girls who apparently didn’t notice that the whole room was reserved for the large crowd of computer geeks. Nat’s choice for a caption: “One of these things is not like the other.”

We finished the night with a trip to the IMAX cinema to watch the new Harry Potter movie (sponsored by O’Reilly). When Mike, Perrin, and I went to get some concessions, Geoff gave me $5 and asked for a large Coke. Well, it turns out that $5 gets you a lot of Coke, so we brought back this enormous souvenir barrel of Coke that required its own special straw. It made for a pretty funny scene when we returned. The movie itself was pretty good, although the YAPC crowd is very unforgiving of all the lame parts and would laugh mercilessly at them. I think the highlight was the IMAX introduction that described how the speakers were laser-pointed at us.

Day 2: Geoff gave his Why mod_perl 2.0 Sucks, Why mod_perl 2.0 Rocks talk at 9, which marked its final showing. The idea will live on at OSCON this summer with Adam’s similarly-titled talk, Why PHP 5 Sucks! Why PHP 5 Rocks!.

I watched Andy Lester speak about Perl testing before heading to the Lightning Talks. For some of those speakers, I’m glad they only spoke for 5 minutes. Nat, on the other hand, was excellent (and hysterical).

There was a nice dinner held at the hotel prior to the Perl Foundation auction (I found a picture with Perrin, Mike, Jeff, Scott, and me). The most memorable moment was hearing Uri say something like “who’s ever heard of the Developer’s Library?” (in a rhetorical manner, suggesting that no one has) while sitting near Scott Meyers, the creator of the series. I think Geoff has a picture of Scott’s expression.

Tomorrow is the last day of the conference. I’ll give another update once I get back to New York over the weekend.

brian d foy

Since I got back to the real world I have been reading a lot more news sources than I used to. This RSS stuff is great!

With that, I am reminded that 90% of the stuff out there is crap. Today, an IDG News Service article I read on MacCentral annoys me, but is really just another instance of poor reporting.

I’m not bemoaning inaccuracies or errors, but omissions of information, intended or not. The article, “U.S. House subcommittee approves spyware bill” by Grant Gross, talks about the “Securely Protect Yourself Against Cyber Trespass Act (SPY ACT)” before the US House of Representatives. I am interested in this bill because it may make things like the present form of DidTheyReadIt, which I ranted about earlier this week, illegal (and rightfully so, in my opinion). The article neglects to identify the bill by its actual title or number, and it refers to another bill it does not identify at all.

I had to search THOMAS to find this bill because the article does not say which one it is. I did not find it under the reported name, but I did find H.R. 2929, the “Safeguard Against Privacy Invasions Act” which fits all the particulars. I had to search for about five minutes to find it though, without using the words in the title the article uses.

So what is going on here? Although the web can have hyperlinks directly to the bill text, even a dumb, print version could benefit from specifically identifying the bill. Is this simply inept journalism? Don’t necessarily blame the reporter because other people get to stir the pot too. Or do they not know how to use the web to link to source documents, original sources, and related information?

However, IDG is a news service, which is another big problem with the news on the web (and in print too, actually). Unless you are looking at a newspaper’s website, you are probably reading news from only a handful of sources, such as Reuters, Associated Press, and so on. Although I read the story on MacCentral, the same story shows up on ComputerWorld. The news world only looks big because news became a money maker and companies want to wrap their ads around it.

What is the purpose of news? If the service does not intend the news to be as informative as possible, then they do not have much to improve. Nor do they have much to do if they merely want to be titillating. They can give the broad strokes of the story without including the specifics so we get the entertainment without the expectation of action.

It is all useless to think about this, I expect. News services are only good as far as their headlines, in my opinion. They only let me know that there is a story, while the rest is left to the research I usually do not have time for and which I thought was the raison d’etre of reporters anyway.

Useful tip: If you know a bill number before US Congress, it is usually easy to find just by typing it into Google. “H.R. 2929” finds the bill and gives a link, whereas THOMAS sometimes hides the direct link behind a CGI script.

brian d foy

Related link: http://www.waxy.org/archive/2004/03/21/infocomb.shtml

A friend of mine told me to chat with InfoComBot on AOL Instant Messenger. After saying “hello”, I get:

Welcome to Waxy.org’s InfocomBot… If you get delays, try InfocomBot2 or Infocombot3 instead! For help and more info, go to http://waxy.org/projects/ifbot Type a game to play: adventure, deadline, enchanter, hitchhikers_guide, leather_goddesses, lurking_horror, planetfall, quake, shade, wishbringer, zork1, zork2, zork3

Cool! Although it is a lot slower than a locally running game, I like it.

Andy Oram

Related link: http://openreader.org/

Anyone who does serious publishing or design, or just wants to get
information online in a well-structured and attractive way, knows how
limited online formats are. Finally we have a framework for doing
things right, and for adding new features in a standard and open
manner as they come along.

OpenReader™ is an initiative led by digital publication expert
Jon Noring, who challenged publishers and manufacturers to adopt open
standards last year in a well-circulated
article,
which I commented on in a
blog.

OpenReader is just starting out, but Noring and his partners have a
solid foundation (thanks to sticking closely to XML and related
technologies) and have piqued the interest of some hardware vendors
and potential users. Potentially, with OpenReader, a publisher could:

  • Put out a book, magazine or newspaper in electronic format that is
    rendered exactly like the printed page, preserving all the expensive
    and attractive design elements.

  • Let the user switch to some other layout more appropriate to the
    device or user’s needs, through the press of a button that adjusts the
    CSS.

  • Put up a document that is formatted in some existing style, such as
    PDF, the DocBOOK XML used in many computer publications, the DITA
    format proposed by IBM for online help, TEI, and plain old XHTML.

Users, in turn, could have a field day. Features currently considered
for OpenReader include:

  • Simple one-click changes to trivial layout matters such as font and
    margin size, along with an advanced settings window for customizing
    the CSS.

  • Bookmarks implemented as XPath/XPointer links from parts of one
    document to parts of another, and the potential to create pathways
    through multiple documents.

  • Sharing bookmarks and pathways over instant messaging, RSS, or other
    low-barrier communications.

  • Plug in converters such as text-to-speech.

Noring has authored all three versions of OEBPS, the ebook industry
specification, and is presently the acting vice chair in the OeBF
PubStruct Working Group. He writes, “I view OpenReader as the
next-generation digital publishing system, addressing the need for a
universal open distribution standard and the needs of a wider range of
types of digital publications. It embraces what’s been learned, and
new standards developed, since OEBPS was first authored in 1999.”

I think Noring and co. pretty much have their hands on the magic formula that will
equally please readers, publishers, and hardware manufacturers.

  • Readers should be pleased because they can tug and refashion the
    material to fit their needs with links, can share links with friends,
    and–above all–can feel assured that they will continue to have
    access to content whatever happens to their current hardware
    manufacturer.

  • Publishers should be pleased because they can offer the carefully
    branded look they’ve worked so hard to achieve, are not locked in to
    proprietary formats that come laden with expensive costs and
    ultimately, disappear, and can develop formats and format converters
    at relatively low costs because of standards.

  • Hardware manufacturers should be pleased because they no longer have
    to develop their own rendering software, and because they can expect a
    huge amount of content to become available for their devices.

That’s a tough proposition, and it’s no wonder that it’s taken so
long. The ebooks movement is almost universally regarded as a failure,
because of the myriad of incompatible, low-quality, proprietary
formats in existence. It’s time for a whole different approach such as
this one, based on a careful technical foundation and a welcoming
approach to stakeholders.

Do we need an open standard for electronic books?

Jono Bacon

We are facing an interesting future. Not only is the world changing in new and different ways, but the free/open software community is changing. With our array of fresh achievements and capabilities, we are offset by the challenges and threats that face our community. Through all this turmoil, challenge and elation we still have one thing intact though - our community.

As a system, Linux is beginning to enter what I would consider the innovation honeymoon. In the beginning, when Stallman crusaded for free software, Torvalds wrote his ‘little’ kernel and free software was seen by many as a cheap offshoot of shareware, the biggest challenge was creating an infrastructure. In the same way you cannot build a home without a house, you could not create a great Operating System without a sufficient Operating System. The challenge was set. Create and replace the key chunks of UNIX that made UNIX work well. The hackers set forth and most of the system was created in entirely free software.

Up until about a year ago, I think that imitation was one of the key targets for many Linux contributors. Developers around the world were creating alternatives to the common software on Windows and Macs, and we now have powerful alternatives such as Mozilla, OpenOffice.org, GIMP, KDE, GNOME and many others. Although some innovation was occurring at each step of this process, imitation appeared to be the subconscious target. If we cannot at least match the competitors on the level playing field, how can we even begin to overtake them?

Although useful, imitation has one key weakness - you are only as good as the product you are imitating. Despite that Linux is not directly copying Windows or Mac OS X (I certainly don’t refer to ‘imitation’ in this way), the Linux community has sought to provide a compelling alternative for many of the same tasks - this is functional imitation as opposed to implementation imitation; imitate tasks as opposed to specific products. Until around a year ago, we had pretty much developed an alternative to Windows that was quite compelling. The regular Joe or Josephine could install Linux easily, access the web, send email, use productivity applications, run a server and more. There were certain key benefits with Linux such as network transparency in X, stability, performance etc., but Linux did not seem to offer a truly innovative solution to push people forward in really wanting it because of unique innovative features as opposed to simply assessing if it could replace their existing solution.

Recently it seems that some visionary hackers are pushing forward in making Linux step up to the next level of the game and truly innovate in how the OS progresses. Examples of such hackers include the Project Utopia brethren of Robert Love, David Zeuthen, Joe Shaw, Kay Sievers and others in making hardware just work. Freedesktop.org is another area making great strides. People such as Keith Packard, Jim Gettys, Havoc Pennington and others are pushing to create desktop technologies that are really opening up Linux and free software to a more flexible and powerful future. I am also encouraged by innovative projects such as Dashboard for finding information on related activities on your system. This is a new and untested ground, and it is great to see that hackers are brave enough to step forward and push their technology in new and different directions.

As the innovation continues and Linux is furthered and developed, it is inspiring to see that the important issues are gaining more and more importance. Usability is a subject that I have faith in to varying levels, and it is great to see that usability is a core concern with many software projects. As we continue to get easier and more accessible, the usability angle will not only rise in importance to imitate the ease of use of other systems, but we must ensure that we explore new and different areas to make our systems even easier to use. Yes, this is going to involve certain controversial features such as the GNOME Spatial Nautilus, but credit where credit is due - the GNOME folks stepped forward and had the balls to give it a shot. In my view it was a wise decision and has made the desktop easier to use.

Linux is a variant of UNIX. To some this will be reminiscent of an elegant, well designed Operating System. For many this will be reminiscent of a clunky, aging, complex, elitist system that only hardened system administrators could use. Part of the reason for the negative views of UNIX from a more modern desktop orientated generation is the fact that UNIX was never really designed for the desktop. Linux has been afflicted by a double edged sword; on one hand, UNIX is a dependable and tried and tested target platform to create a variant of, but on the other hand, basing Linux on UNIX fundamentally limits the direction of the system to a UNIX style system. When free software and Linux all kicked off, we could have quite easily ended up with just another UNIX clone, but we didn’t.

Linux is exciting because it is bringing a powerful Operating System framework into a modern desktop orientated industry. Not only does this system retain the power of UNIX for hardened power users who crave for more power than a registry and control center, but it is ensuring that computers can be accessible to those who don’t know their cronjob from their kernel. We could theoretically have the best of both worlds, and if Mac OS X is anything to go by, this is certainly possible. The really exciting thing though, is that Mac OS X shows what is possible from a mainly commercial standpoint - just imagine what the already well established open collaborative development model can do for us. We have only just scratched the surface.

For Linux to win we need to innovate. Innovation is not imitation but new thinking backed up by developers who actually care about their software. We have the enthusiasm, talent and potential, we just need to ensure that we all head forward instead of backwards.

What do you think? Accurate considerations or rambling rubbish? Chalk your views down below…

brian d foy

Related link: http://www.mozilla.org/products/firefox/

I upgraded to Firefox 0.9 yesterday. I followed the instructions to install it (drag it into the applications folder), but it did not copy my preferences and bookmarks like it should have (and said it would). The “File> Import…” menu option seemed to do something although I am not sure what.

No matter: the Firefox team explains the change in the release notes. In previous versions, the profile folder is in ~/Library/Pheonix/Profiles, and in 0.9 it shows up in ~/Library/Application Support/Firefox/Profiles.

I copied my old profile folder (all of which have hard to guess names like “wf4na7m9.0ls”) to the new location, then edited the ~/Library/Application Support/Firefox/profile.ini file to change the name of the default profile to the one I just copied.

Everything seems to be working fine. My bookmarks and cookies show up like I expect them. Once the initial flood of downloads ends, I will reinstall the plug-ins too.

brian d foy

Dave Winer recently shut down portions of Weblogs.com, stranding a lot of users. People have been arguing for one side or the other, but I think both sides were wrong, and that both sides should have thought about this much earlier. This situation is not new, and has bitten many people who tried to offer free things to the world only to be overwhelmed by the community they created.

Before I start talking about this, I need to define some operational terms. Although I trust most readers know these terms, I often run into people who get them mixed up, or have slightly different definitions.

For the purposes of this post, I say that Duty is the obligation to do something, and Responsibility belongs to the person who is held accountable for the result. They usually go together, but they are slightly different. I might have a duty to do something, but I can also be responsible for something outside of my duty.

Now, as far as I define those terms, as an open source developer, I have often argued that open source folks have a duty to their users. I believe, and this is just my opinion, that we have the duty to make our software as useable and bug-free as possible, or the data we host for others as open as possible. We have this duty because we recognize that other people are going to use it, even if we don’t intend it for their particular use. We know that we may create an environment of dependency in other people simply by posting code. It is just reality, even if we think it should be different.

This is where most people cry caveat emptor. We may have a duty to the communities we create, but that does not mean we are necessarily beholden to them, have to constantly nurse them, or respond to every demand, expectation, or feature request. People are responsible for their decisions. If they use some of my open source software, even if I just released it, nobody else is using it, or I tag it as a development release, the consequences belong to them. If my software is missing a feature that users want, it is not my duty to add it, although I believe it is my duty to make the software work as advertised (or advertise it correctly).
I did not force them to use the software, and aside from specious claims on my part, they made the decision themselves. I am not going to be the one to get fired for their decision.

Sometimes Duty and Responsibility collide, and that is what I think has happened in the case of Weblogs.com. A lot of people used the free service. They made the decision on their own and a lot of other people say they got what they deserved: nothing. On the other hand, people argue that Dave Winer had the duty to give people advance notice of the disruption, even if he could not help people recover or backup their weblogs. Both sides end up losers, and everyone makes a lot of noise about it.

Duty and Responsibility do not have to crash into each other leaving a big mess because people are ready to help if we give them the chance. In the community of open source, blogs, and the other great things on the net, interesting things can happen in the middle of Duty and Responsibility. Given the chance, someone can step in to help where other people cannot, but to do that, we (as developers or service providers) need to accept the help of others.

I think that if Dave Winer had given some warning about what he needed to do, plenty of people would have come forward to help. Even if he did not want to provide access to the database, other people could have easily written screen-scrapers or simply downloaded the entire web log HTML and all. That is the crux of community: people helping other people. On the other side, people should have stored their own copies of their weblogs. It is easier to do that when there are tools or an interface for that, but people should have realized that something disastrous could have happened, whether it could have been helped or not.

The way that it played out turned out to be bad for both sides. If developers and service providers take care of the people by giving them the means to take care of themselves, and the people take care of themselves by using the tools, this sort of thing should not happen. Developers and service providers should think about this as early as possible.

brian d foy

Earlier today I got three more invitations to hand out to Gmail (after three last week too), and tonight I got another five.

I have read some speculation that Gmail would slowly fill up their user base instead of opening the flood gates. They did just add Safari support, so maybe they are ready.

Mark Finnern

Related link: http://seminars.longnow.org/

When I walked into the Fort Mason center where Bruce Sterling was about to
present his view on the Singularity, I almost took a step back, because out
there on the screen was the banner from my LA friend John Smart’s Singularity
Watch web page. Just hanging there in the middle of the big screen. Wow.

Some short notes to Bruce’s talk. The Long Now Foundation taped it and you
will be able to see it in a couple of weeks on their web page.

He refers to the Long Now Folks as his 10,000 year old friends.

Introduces Singularity referring to Vernor Vinge 1993 paper: in short "Within
thirty years, we will have the technological means to create superhuman
intelligence. Shortly after, the human era will be ended."
Back then Vinge wrote, that he would be surprised
if it happens before 2005 or after 2035. [My comment: We are getting close.]

He raised some doubts, because not all networks are on an accelerating trajectory.
The electric power networks are not accelerating, for our water networks the
opposite is true, we have a water shortage all over the world and it is getting
worse by the minute. [For Singularity to happen, not all networks
have to be on an exponential curve. Computer-, Bio-, Nano-technology accelerating
and combining is enough.]

A Singularity would have the biggest impact on our culture, but it is tough
to write about it. First casualties of that event are the Science Fiction writers,
they are having writers block. On the other hand it is also used as an easy
way out for them. A scenario is hard to believe/make coherent: Oh well, a Singularity
went through here, this is why it is how it is.

He showed a graphic that beautifully maps the development of computer processor power over time and compares it to the capacities of different life forms. The acceleration of the machine power is rapidly approaching human level intelligence. [I really would like to see an update to Moravec’s 1997 graphic: where do we stand 7 years later?]

Bruce pointed out, that in comparison to life forms, where there are still bacteria around as well as amoebas, all of the older computer generations are extinct. [That isn’t totally correct. There may be no IBM PC with 5 1/4 inch floppy drives around anymore, but the 8086/8088 microprocessors are still used in all kinds of devices. It is an interesting aspect of this chart, but it doesn’t change that the complexity and capabilities of chips are approaching and will soon surpass our brain capabilities.]

We don’t know what cognition or even for that matter what computation is. We
don’t know how ants think. Therefore, our analogy is incorrect. We assume,
that the machines will wake up somehow. Lots of hand waving going on there.

He has big reservations against hard AI. Used MS Clippy’s demise as an example
on how far away we are. [Kurzweil’s Ramona is another example.]

Then he looked at Singularities in history and he found three.

  • 1945 after the first atomic bomb dropped. For 6 years humanity was
    struggling to come to terms with this event.

  • LSD in the 60s presents you with the perception of a Singularity.

  • Computer viruses singularitarian event.

All of these have no staying power, all got swamped. LSD has even fallen off the planet.

He projected some examples of Singularity organizations, where John Smart’s
Singularity Watch was the first one.

All of them he claims are loosely connected, small fringe groups.
I was sitting on the edge of my chair every minute expecting the Future Salon
would be in the line up :-)

He was wondering, why these groups so far haven’t done any major interruptions, no killings,
no nerve gas in underground stations …

The reason he claims is, that they think, they don’t have to work very hard: "Why bother, we are
the early adopters, the Singularity is inevitable, time is on our side."
[The ones I know of these groups, work extremely hard, but that is another story]

As Vinge writes in his essay, take away the hard AI and instead of
a Singularity, we are having a glut of technological riches, that we are less
and less able to absorb: Technobesity. [Love that word, although it is
a frightening perspective]

He showed Gartner’s Technology Usage and the Hype Cycle graphic. Of course he
said Gartner left out, what is coming on the right, obsolescence, uselessness
and death. You just can’t sell this to your customers, but would you pick up
Windows 2.0, if you found one on the sidewalk?

[Then he went here and there, or I did doze off a bit :-) ]

Everyone claims, that we are on the edge of something big, but what if we are
on the edge of nothing critically important?

Political change:
Everyone balks at the idea of one world government. How about a two world government?
They would be in constant fruitful competition. [Marc Goodner afterwards at
the pizza place was speculating, that Brazil is at the moment working towards
that, with strengthening the home grown software industry through majorly adopting
Open Source software, … Therefore it may be South America together with Africa as
one block]

Most societies are against science. Case in point is what’s happening in
Washington right now.

Nice closing lines: Post human is a sound bite. The Future is a process,
not a destination.

Crossposted on the Future Salon. Sorry if you are subscribed to both feeds.
Check out the Hard Science and Smart Art Salon this Friday in Palo Alto.

brian d foy

Related link: http://www.technewsworld.com/story/34289.html

In an article posted today, Alastair Rampell tells Tech News World:

If you’re upset that your friend sent you an e-mail using DidTheyReadIt, then that’s a problem between you and your friend.

If he really thought that, why does DidTheyReadIt have to use a web bug? In most cases, I do not think people are even going to know that someone has used the service.

I know that someone loaded the web bug in the message I sent to his email address (alex@rampellsoft.com), and apparently had it open for over four minutes from something in California. I have not received a reply yet, but I know the message got there.

And, not only that, I posted one of their web bug URLs (http://didtheyreadit.com/index.php/worker?code=844eea38c4f0ab9bd2220f65f4107dbe) in my use.perl journal and it has been picked up by a couple of spiders. I am not sure why spiders are loading images, but I guess some do.

brian d foy

Preston Gralla recently mused about a new web service, DidTheyReadIt, that claims to notify you when and for how long someone read your email.

I was playing around with Rampell Software’s DidTheyReadIt service which claims to be able to tell you for how long the recipient of a message had your message open. Their other products are various forms of spy ware, too.

I thought that DidTheyReadIt was probably a refresh trick: just keep reloading the image. However, the actual HTML is very simple (and not even valid):

test.<br />
<br />
this page has a little "web bug" in it.  that's an image that loads. <br />
supposedly from that the DidTheyReadIt folks can tell me when, where,<br />
and for how long you read this email (although you have to click on<br />
"display external images" in Gmail.<br />
<br />
<br><img src="http://didtheyreadit.com/index.php/worker?code=844eea38c4f0ab9bd2220f65f4107dbe"
width="1" height="1" />

I tried accessing the URL in Firefox and in lynx. Data kept coming down the pipe as long as I let it. Other people tried the same thing with the same result. DidTheyReadIt just keeps pushing data at you.

I was amazed at how stupidly they did this. On a slow link, this just about killed my bandwidth (although I was loading it in three different user-agents). Imagine if your business got a lot of mail from another business using this. That’s a lot of open connections and a lot of data clogging your pipe.

Not only that, though, imagine the poor system engineers at Rampell who will have to deal with the amount of data and the number of processes they will have to run to service every open email if they get as successful as any business hopes to be! They have really set themselves up for failure, or at least lots of bandwidth charges.
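A defender-side check for the kind of web bug quoted in this post, as an added example that is not part of the original post or of DidTheyReadIt's code: it scans an HTML mail body for remote images that are invisible or carry an opaque per-message token, and removes them before the body is rendered, so the client never opens the connection the service measures. The two extra images in the sample, the `example.invalid` names, the 16-character token threshold and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: a query value of 16+ URL-safe characters is treated as a
# per-message identifier (the post's URL carries a 32-character hex code).
TOKEN_RE = re.compile(r"^[0-9A-Za-z_-]{16,}$")

# Constructed sample: the message body quoted in the post, followed by two
# constructed images (one embedded via cid:, one ordinary remote banner).
SAMPLE_BODY = '''test.<br />
<br />
this page has a little "web bug" in it.  that's an image that loads. <br />
<br><img src="http://didtheyreadit.com/index.php/worker?code=844eea38c4f0ab9bd2220f65f4107dbe"
width="1" height="1" />
<img src="cid:logo@example.invalid" width="1" height="1">
<img src="https://images.example.invalid/banner.png" width="600" height="80">
'''


def _as_int(value):
    """Parse an HTML dimension such as '1' or '1px'; None if not numeric."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


class WebBugScanner(HTMLParser):
    """Collects <img> tags that would make the mail client call home."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "").strip()
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, no network fetch
        reasons = []
        width, height = _as_int(attr.get("width")), _as_int(attr.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("invisible-size")
        tokens = [key for key, val in parse_qsl(url.query) if TOKEN_RE.match(val)]
        if tokens:
            reasons.append("opaque-token:" + ",".join(tokens))
        if reasons:
            self.findings.append({
                "host": url.hostname,
                "url": src,
                "reasons": reasons,
                "raw": self.get_starttag_text(),  # exact tag text, for removal
            })


def strip_web_bugs(html_body):
    """Return (cleaned_html, findings) with flagged remote images removed."""
    scanner = WebBugScanner()
    scanner.feed(html_body)
    scanner.close()
    cleaned = html_body
    for finding in scanner.findings:
        cleaned = cleaned.replace(finding["raw"], "<!-- remote image removed -->")
    return cleaned, scanner.findings


if __name__ == "__main__":
    cleaned_body, found = strip_web_bugs(SAMPLE_BODY)
    for item in found:
        print(item["host"], item["reasons"])
    print(cleaned_body)
```

The ordinary remote banner is left in place by this check, but loading it still tells its host when and from where the message was opened; blocking all remote images by default, as the Gmail behaviour mentioned in the sample body does, covers that case.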

brian d foy

Related link: http://www.deadendsw.com/Products/webRemote.html

A long time ago I wrote Apache::iTunes so I could control my iTunes through a web browser. Today I found webRemote, a mini-webserver with a Mac configuration interface which does the same thing.

webRemote is speedy, although I have not dusted off Apache::iTunes to see if it is any faster on my new hardware. webRemote comes with several skins and looks like better designed versions of the ugly template I used in my module.

Both things have the same problem: I can only run one iTunes instance on a particular machine, and iTunes has to run under a real login account, not something like nobody, root, or some other bogus user I make up. This makes some sense, but it is still annoying to this unix guy.

webRemote is certainly easier than apache to set up:

brian d foy

Related link: http://www.wired.com/news/technology/0,1282,63782,00.html

Yesterday, Wired News reported on NASA’s Personal Satellite Assistant which NASA intends

to move and operate independently in the microgravity environment of space-based vehicles. The PSA will assist astronauts who are living and working aboard the Space Shuttle, Space Station, and during future space exploration missions to the Moon and Mars.

And, later that day as I was standing in line at Panda Express in the H concourse of O’Hare, I saw one of the prototypes in the glass case next to me.

brian d foy

Related link: http://www.wired.com/news/infostructure/0,1377,63786,00.html

Wired News reports that the bottom has fallen out of Gmail account selling, and indeed it has. A couple of days ago I checked eBay to see how the accounts were trading and the high price was around $50 for auctions with less than 10 minutes to go. Today (right now), there are auctions that will end before I finish this post and their highest bids are under $5. The highest bid for auctions finishing in the next ten minutes is under $15.

Unfortunately, it looks like some poor slobs bid high prices on the longer term auctions, so they are going to end up on the line for several times the going rate.

eBay also lists 56 pages of results for my simple search of “gmail”. Now current account holders should create artificial scarcity if they want to drive the price back up.

How much is a gmail account worth to you?

chromatic
