Dave I/O

Geekery, caffeine, politics and assorted crap.

Archive for the ‘Geek’ Category

Steve Jobs and Dennis Ritchie: A Remembrance Showdown

one comment

Dennis Ritchie

Dennis Ritchie, creator of C and father of UNIX

As you may have heard, Steve Jobs – CEO of Apple and wearer of one of the most iconic polo-necks of the Information Age – died recently after a long battle with cancer. I firmly believe that any death is sad, no matter who it is – a mass murderer or a saint – and Jobs’ death is no exception.

Because of his iconic stature, the entire Internet exploded with messages of remembrance for Jobs. Seeing that was wonderful, for the most part. Richard Stallman, or ‘rms’ as he prefers to be known, a very loud proponent of the open source movement, let rip with a mindblowing dick move as he publicly stated that “Steve Jobs, the pioneer of the computer as a jail made cool, designed to sever fools from their freedom, has died” and that “I’m not glad he’s dead, but I’m glad he’s gone.”

I don’t want to do that here. Steve Jobs should be posthumously lauded as a business genius and a visionary. He brought excellent technology to consumers and created a market where people would pay premium prices for premium hardware. He made tablets and mobile devices take off in a way that had never happened before.

The thing that irks me is that in the shadow of Jobs’ death, another extremely important man – in fact, a giant that Jobs stood on the shoulders of – has been largely allowed to pass away unnoticed.

Written by dave

October 29th, 2011 at 2:15 pm

Posted in Geek

0x5f3759df – a true ‘magic number’

leave a comment

Rendered by magic.

The use of ‘magic numbers’ in code is a well-known antipattern, meaning a common but bad practice. It refers to the inclusion of set values without documentation of their purpose, making it a thorough pain in the arse for anyone other than the original author to maintain and fix code that relies on them.

0x5f3759df, or 1,597,463,007 in decimal notation, is one such magic number that appears in the Quake 3: Arena source code, in a genuinely beautiful hack committed by John Carmack.

Here comes the maths bit, concentrate

When you’re doing 3D rendering, you have to find the square root of x (where x is a variable input) rather a lot.

Carmack’s code contains a fast way of working out the inverse square root of x, which can be written as 1/sqrt(x). With that information, we can work out sqrt(x) easily -

x * (1/sqrt(x)) = sqrt(x)

The beauty here is that we don’t have to be exactly correct. 3D modelling can operate in tolerances. If our result for sqrt(x) is out a little bit, that’s okay – nobody will notice that the reflected light levels are off by a tiny amount. Carmack’s code accepts this and embraces it. Here it is, trimmed a bit for clarity but with original comments -

#include <stdint.h>

/* Returns an approximation of 1/sqrt(number). */
float Q_rsqrt(float number) {
	int32_t i;  /* must be 32 bits; the original's 'long' is 64 bits on most modern platforms, which breaks the trick */
	float x2, y;
	const float threehalfs = 1.5F;
	x2 = number * 0.5F;
	y  = number;
	i  = *(int32_t*) &y;  // evil floating point bit level hacking (a memcpy is the portable way to do this today)
	i  = 0x5f3759df - (i >> 1); // what the fuck?
	y  = *(float*) &i;
	y  = y * (threehalfs - (x2 * y * y)); // 1st iteration
	return y;
}

What it does is generate a guess for 1/sqrt(x) very, very quickly. With that guess as a starting point, Newton’s method (an iterative technique for refining an approximate solution to an equation) only needs one iteration to get to a tolerable margin of error.

Turns out that, on the processors of the time, this is four times faster than asking the CPU to find the square root by itself.
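To see the two stages separately – the bit-trick guess, then the single Newton step – here is an added Python rendering of the same routine. It is not code from the Quake source or from this post; it uses struct to do the float/int reinterpretation that the C does with a pointer cast, and the helper names, the error-measuring functions and the sample inputs are my own.

```python
import math
import struct

# The constant from the Quake 3 source.
MAGIC = 0x5F3759DF


def float_to_bits(x: float) -> int:
    """Return the 32-bit IEEE-754 single-precision pattern of x (the 'evil bit hack', done safely)."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_to_float(i: int) -> float:
    """Inverse of float_to_bits; the mask makes the result wrap like a C int32 would."""
    return struct.unpack("<f", struct.pack("<I", i & 0xFFFFFFFF))[0]


def fast_inv_sqrt(x: float, iterations: int = 1) -> float:
    """Approximate 1/sqrt(x): magic-number guess, then `iterations` Newton steps (Carmack used one)."""
    if x <= 0.0:
        raise ValueError("x must be positive")
    x2 = x * 0.5
    i = float_to_bits(x)
    i = MAGIC - (i >> 1)            # shifting the bits roughly halves log2(x); MAGIC fixes up the exponent bias
    y = bits_to_float(i)            # a crude guess at 1/sqrt(x), already within a few percent
    for _ in range(iterations):
        y = y * (1.5 - x2 * y * y)  # one Newton step on f(y) = 1/y^2 - x
    return y


def sqrt_via_rsqrt(x: float) -> float:
    """The identity from the post: x * (1/sqrt(x)) = sqrt(x)."""
    return x * fast_inv_sqrt(x)


def relative_error(x: float, iterations: int = 1) -> float:
    exact = 1.0 / math.sqrt(x)
    return abs(fast_inv_sqrt(x, iterations) - exact) / exact


def worst_relative_error(iterations: int, samples=None) -> float:
    """Largest relative error over a spread of inputs (constructed: 0.001 up to about 1e6)."""
    if samples is None:
        samples = [0.001 * 1.7 ** k for k in range(40)]
    return max(relative_error(x, iterations) for x in samples)


if __name__ == "__main__":
    for x in (0.25, 2.0, 100.0):
        print(f"x={x}: fast={fast_inv_sqrt(x):.6f} exact={1 / math.sqrt(x):.6f}")
    print("worst error, raw guess only:   ", worst_relative_error(0))
    print("worst error, one Newton step:  ", worst_relative_error(1))
    print("worst error, two Newton steps: ", worst_relative_error(2))
```

Running it shows the raw guess is within a few percent and a single Newton step brings that down to a fraction of a percent, which is the tolerance the post is talking about; a second step would already be overkill for lighting calculations.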

So where’s the magic?

Written by dave

October 5th, 2011 at 1:41 pm

Posted in Geek

FOR SCIENCE! Cross-generational user interface study – can you help?

one comment

This happens.

Like many geeks, I’m tech support for my parents and occasionally their friends. As I’m sure you’ll also feel, it’s extremely frustrating at times. I was having a chat with our resident Uberherrin of Colouring-In, @Alilouisa, who was going through the same drama and hitting the exact same stumbling-blocks with her parents. Common themes seem to be -

  • Confusion of where one UI element ends and another begins (for example, a window in OS X and the menu bar at the top)
  • Seeing common widgets (for example, a file browser) as unique and unexpected each time they appear
  • Inability to apply conceptual knowledge of one UI widget to a similar widget (for example, the native file browser and a Java clone)
  • Inability to segment and mentally track layered windows (thinking of a 2D pane rather than a 3D space)
  • Equating visibility with presence (“I can’t see it, so it’s not open”)
  • Inability to track what should be single-clicked and what should be double-clicked (menu items vs. icons)
  • Inability to apply common sub-concepts from one application (for example, open, save, close, undo) to another application

All of this smells to me like a completely different conceptual model of a modern windowing user interface to mine. The mental picture that the majority of the younger generation have seems to be completely different to that of the majority of the older generation.

I’d quite like to find out exactly what different types of people see. I’m looking for the following four types of people to look into this -

  • Under 35, considers self technically apt
  • Under 35, considers self technically challenged
  • Over 50, considers self technically apt
  • Over 50, considers self technically challenged

For the last three, I doubt they’re particularly high in my readership numbers – so if you know someone who might be willing to help, please pass on the details at the bottom of the post!

Participants are welcome to participate anonymously if desired.

I’ll take care of setting up the environment, but what I’m aiming to do is get as many people in each category to perform a few tasks in a fairly simple application, while talking me through their experience. I’ll record the session and the audio, and then afterward I’d appreciate a few paragraphs about the experience – what was confusing, what was obvious and any other thoughts.

Volunteers greatly appreciated – this isn’t something I’m doing to make money, but more something that I think might be useful to the community at large to make both web applications and native applications more accessible to everyone. I’ll post the results in full on Geekosaur.

If you’re interested, give me a shout on Twitter to @syn or by email to uistudy at dave dot io – thanks!

Written by dave

September 27th, 2011 at 9:11 pm

Posted in Geek

Facebook’s Frictionless Sharing wants to broadcast your Web browsing

leave a comment

Okay, that headline is probably a bit sensationalist – but it’s a worst-case scenario in a situation where the worst-case scenario is just about feasible.

You’ve seen Facebook’s Like buttons all over the Web. I don’t use them on Geekosaur, but a blog is a perfect example of a site that would get value from them. If you read a post that you enjoy, and you want to share it with your friends, you hit Like. Your browsing isn’t interrupted, and it’s shared on your Facebook Wall for your friends to read. Simple enough.

Opt-in sharing: the way we all like it.

Facebook have decided that the opt-in sharing model isn’t ‘share-y’ enough, and introduced something that they call Frictionless Sharing. With Frictionless Sharing, you authorise Facebook once – this can be through something as benign-sounding as logging in with Facebook or linking your Facebook account – and then everything you do can be shared on your wall without any further action on your part. The granularity of what gets shared is up to the site.

Frictionless Sharing, otherwise known as "a bit creepy".

You read an article, up it pops on your real-time ticker and potentially your Wall too.

Spotify is using Frictionless right now. Whenever you listen to something, your friends get to hear about it -

Like last.fm, but sneakier.

For Facebook, this makes perfect sense. You’re not paying for Facebook, and that means you’re the product, not the customer. The more data Facebook gets about what you do online, the more effectively it can target advertising at you – and that means more clicks and more money for them. It’s not necessarily evil, it’s just a business model.

It’s just a business model that’s worth becoming aware of, before something ugly happens – for example, a job listings site letting everyone you work with know that you’re looking for a new position.

Written by dave

September 27th, 2011 at 3:10 pm

Posted in Geek

PROTIP: Don’t piss off your ghostwriters.

leave a comment

Twitter is a personal medium. When I see tweets from Stephen Fry, or Lady Gaga, or Charlie Brooker – I expect that person to have written that tweet. That’s not always possible, and my personal opinion is that that person should just tweet less frequently.

That doesn’t always happen. One person who, it’s now clear, uses a team of ghostwriters to produce their tweets is an “Internet sales and marketing professional” called Mark Davidson (@markdavidson).

He recently sacked one of his ghostwriters, and that ghostwriter was not best pleased.

Well, that could have gone better.

If you’re going to use a ghostwriter, make sure you trust them implicitly, because you’re putting your entire online reputation in their hands. And as for any employee – if you’re going to lay them off, you need to make sure their privileges are revoked shortly ahead of time.

Here’s his full feed so far – click the image to enlarge.

Full feed - click to see large.

While the ghostwriter’s behaviour is unprofessional and unacceptable, I don’t feel too sorry for Mr. Davidson. If you’re going to dupe your followers into thinking that they’re engaging with you when they’re not, don’t expect sympathy when your duplicity bites you in the arse.

Written by dave

September 22nd, 2011 at 12:15 pm

Posted in Geek

Broken by design and openly sexist – two big reasons to avoid GoDaddy

leave a comment

GoDaddy is huge. It’s the biggest ICANN-accredited registrar in the world, and not by a short margin. The registrar for over 45 million domain names in 2010, it’s four times bigger than its closest competitor. GoDaddy is cheap and easily accessible, and it’s the first name that many people think of due to their extensive advertising in mainstream media, including the Super Bowl.

Its policies are also written by people who are either ignorant, amoral or both.

Written by dave

September 6th, 2011 at 1:44 pm

Posted in Equality,Geek

Fraudulent Google SSL certificate in the wild for the last five weeks

leave a comment

A fraudulent SSL certificate, issued for *.google.com, has been in the wild for the past five weeks. This means that if you’ve been using HTTPS or other SSL-secured communication to talk to Google, then someone with the private key for this certificate could impersonate Google and you would never know the difference (unless you explicitly checked the certificate fingerprint and had a known-good certificate to compare it to, of course).

Sophos’ excellent security blog, Naked Security, reports that a CA from the Netherlands, DigiNotar, issued the certificate on the 10th of July. It has since published a record in its revocation list, but most browsers don’t check these revocation lists – your average browser trusts over 600 such CAs implicitly. It’s not yet clear if DigiNotar were compromised or defrauded by someone posing as a Google representative.

This highlights a serious flaw of scale in the way the current system of SSL certification handles trust. When there were enough CAs to count on one hand, the system was acceptable, but now with so many it’s just infeasible to guarantee that all of them are trustworthy and secure at all times. Do you know 600 people that you’d trust to be able to snoop all of your communications, but to behave properly and not do so? Thought not.

An outfit calling themselves Thoughtcrime Labs have come up with their own implementation of a distributed trust model, known as Convergence. It’s a good idea and scales far more effectively than the system we currently have – but it’s still very proof-of-concept. The only available implementation is Firefox-specific, and doesn’t even install on Firefox 6. There’s also a vested interest in CAs remaining a trusted third-party, as a distributed trust model would hit them directly in the wallet as anyone would be able to generate their own keys.

The Firefox team is rolling out an update with the certificate explicitly rescinded – other browsers are likely to follow suit. Keep checking for updates, this is a big deal.
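The parenthetical in the first paragraph describes the one check that works regardless of which of the 600 CAs signed what: comparing the certificate you are actually shown against a known-good fingerprint. Here is an added Python example of that comparison; it is not from the post or from any browser. The PEM it uses is a constructed placeholder (arbitrary bytes wrapped in PEM armour, not a real certificate), and `pem_to_der`, `fingerprint_sha256`, `verify_pinned` and the pin set are my own names.

```python
import base64
import hashlib
import hmac


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END lines and base64-decode the body; DER is what fingerprints are computed over."""
    lines = pem.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN CERTIFICATE") and lines[-1].startswith("-----END CERTIFICATE")):
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))


def pem_from_der(der: bytes) -> str:
    """Wrap bytes in PEM armour (used here only to build the constructed placeholder)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode("ascii") + "-----END CERTIFICATE-----\n"


def fingerprint_sha256(pem: str) -> str:
    """The SHA-256 fingerprint a browser's certificate viewer would display, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def verify_pinned(pem: str, pinned: set) -> str:
    """'match' if the presented certificate is one we recorded earlier, otherwise 'MISMATCH'.

    A mismatch on a pinned host is exactly the situation in the post: a certificate for the
    right name that is not the one the site normally presents, whichever CA happened to sign it.
    Pins may be given with or without the colon separators browsers print.
    """
    fp = fingerprint_sha256(pem)
    for pin in pinned:
        if hmac.compare_digest(fp, pin.lower().replace(":", "")):
            return "match"
    return "MISMATCH"


# Constructed placeholder, NOT a real certificate; in practice the PEM is the one the server presented.
PLACEHOLDER_DER = b"constructed-placeholder-not-a-real-certificate-" * 3
SAMPLE_PEM = pem_from_der(PLACEHOLDER_DER)

if __name__ == "__main__":
    known_good = {fingerprint_sha256(SAMPLE_PEM)}          # recorded on a day you trusted the connection
    print("same certificate again:", verify_pinned(SAMPLE_PEM, known_good))
    substituted = pem_from_der(PLACEHOLDER_DER + b"x")       # constructed: a different certificate for the same name
    print("substituted certificate:", verify_pinned(substituted, known_good))
```

Note what this does and does not give you: it detects a substituted certificate without trusting any CA, but it says nothing about expiry or revocation, and the first recorded fingerprint has to come from a connection you had some other reason to trust.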

Written by dave

August 30th, 2011 at 12:32 am

Posted in Geek

Tim Thumb Zero-Day Vulnerability: don’t let your WordPress theme ruin your day

leave a comment

A thumb. So now you know.

Tim Thumb is a lovely bit of code designed to make PHP developers’ lives a bit easier. It’s a multipurpose image mangler, capable of resizing, cropping and filtering images from external sources to make your WordPress posts look pretty.

It’s also dangerously broken right now.

There are a lot of WordPress themes out there that use Tim Thumb – it’s free, open-source software, and it’s very lightweight. There’s a chance that your theme is using it – and if it is, the flaw means that an attacker can upload a script to do anything they want on your system as the user that PHP runs as. Which is rather undesirable.

Here’s how to check for and fix any intrusions.

Step one: see if your theme is using Tim Thumb.

Before you check for and fix any intrusion, you should get rid of the way that attackers can find their way in.

For this example, we’ll assume that all your WordPress sites are stored in

/sites/wordpress/SITE_NAME

SSH your way into your Web server, and execute the following -

grep -r '$allowedSites = array' /sites/wordpress

You may need to use sudo if you have different file ownerships for each WordPress site – in that case, execute this instead -

sudo grep -r '$allowedSites = array' /sites/wordpress

If there are any results, you’ll see output similar to this -

/sites/wordpress/testsite/tom.php: * TimThumb script

In this case, the file that contains Tim Thumb is the path before the colon, in this case

/sites/wordpress/testsite/tom.php

You’ll need to then take action. You can delete the script – this is the most secure option but might break your WordPress theme. You can also edit the script to deny all includes, which might still break things but it’ll do it more gracefully. Change

$allowedSites = array (
        'flickr.com',
        'picasa.com',
        'img.youtube.com',
        'upload.wikimedia.org',
);

into

$allowedSites = array ();

Or, of course, you can just switch themes and delete the theme that uses Tim Thumb from your server (just switching themes is not enough).

Once you’ve locked Tim Thumb down, it’s time to check whether anyone’s hit you.

Step two: check to see if you’ve been compromised.

The best way to do this is to restore from a known-good backup, but that’s usually impractical. The next best way is to dig through all your code manually, but that’s usually impractical too. If you don’t have the time to pore through things and don’t have a clean backup to blow back on, you can check for most compromises automatically.

This is by no means foolproof, but nearly every malicious script uses base64_decode() to hide itself. That gives us an easy way to check for the vast majority of attackers’ scripts.

Execute

grep -r base64_decode /sites/wordpress

Again, if you have permissions issues, use sudo -

sudo grep -r base64_decode /sites/wordpress

If your results include any huge base64 encoded strings (massive swathes of what looks like random alphanumeric characters) as arguments to base64_decode, you’ve probably been hit. Don’t worry about smaller strings, they’re usually legitimate.

If you have been hit, I’d recommend backing up your uploaded files and reinstalling WordPress and your themes from scratch. Your database contains your settings and content other than your uploaded files. Going into how to do this without losing data isn’t within the scope of this article, but if you Google you should be able to find a few decent guides.
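The greps in steps one and two can be rolled into one read-only scan that reports both things at once. Here is an added Python example, not from the post or from Tim Thumb itself, that walks a tree, reports whether each `$allowedSites` array is still open or has been emptied as step one describes, and flags `base64_decode()` calls whose literal argument is longer than a threshold. The 200-character cut-off, the sample files, the function names and the temporary directory standing in for /sites/wordpress are all my assumptions; the ‘dropped’ sample holds inert repeated text, not anything that does something.

```python
import os
import re
import tempfile

# Assumption (not from the post): a base64 literal at least this long counts as "huge".
HUGE_B64_CHARS = 200

ALLOWED_SITES_RE = re.compile(r"\$allowedSites\s*=\s*array\s*\((.*?)\)", re.DOTALL)
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")


def scan_file(path: str) -> list:
    """Return (finding, detail) tuples for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = []
    for m in ALLOWED_SITES_RE.finditer(text):
        locked = m.group(1).strip() == ""          # 'array ()' with nothing inside: step one applied
        findings.append(("timthumb-locked" if locked else "timthumb-open", m.group(0).splitlines()[0]))
    for m in B64_LITERAL_RE.finditer(text):
        if len(m.group(1)) >= HUGE_B64_CHARS:       # short literals (icons, tokens) are left alone, as the post says
            findings.append(("suspicious-base64", f"{len(m.group(1))}-char literal"))
    return findings


def scan_tree(root: str) -> dict:
    """Map each PHP file with findings (relative path, '/'-separated) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            found = scan_file(full)
            if found:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report


# Constructed sample tree standing in for /sites/wordpress from the post.
SAMPLE_FILES = {
    "theme-a/timthumb.php": "<?php\n$allowedSites = array (\n\t'flickr.com',\n\t'img.youtube.com',\n);\n",
    "theme-b/timthumb.php": "<?php\n$allowedSites = array ();\n",
    "wp-content/plugins/icons.php": "<?php\n$png = base64_decode('iVBORw0KGgo=');\n",            # short: normal
    "wp-content/uploads/dropped.php": "<?php\n$blob = base64_decode('" + "QUJDRA" * 60 + "');\n",  # inert 360-char literal
}


def build_sample_site() -> str:
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> dict:
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for kind, detail in findings:
            print(f"{path}: {kind} ({detail})")
```

Point `scan_tree` at your real sites root instead of the sample. Like the grep, this only catches one-piece string literals; a script that assembles its payload from concatenated fragments or reads it from another file will not trip the base64 check, which is why the post calls the method far from foolproof.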

Step three: Keep safe

Standard best practices here. Keep everything up to date in your WordPress installation – themes, plugins and WordPress itself – and follow a few security people on Twitter to keep an ear to the ground as far as critical vulnerabilities like this go.

Written by dave

August 2nd, 2011 at 12:18 pm

Posted in Geek

Fix file-finding frustration on your Mac with Blast

leave a comment

You know how it goes. You’re working on a file, then you close the Finder window and have no idea where you put it (and even if you do remember where it is, you have to click and click and click your way through your hard disk’s folders). You’re researching something and you accidentally close the Finder window. You want to quickly re-open that app that you just closed.

Blast is a Mac-only utility that sits in your Mac’s menu bar, where it watches and waits. Like a helpful yet nerdy ninja, it silently hooks into the OS X filesystem events daemon and keeps an eye on files being opened, closed and modified. You decide how many files at a time you want Blast to keep track of. When you open a file, Blast adds it to its list of up to 500 recently accessed files. If you want it again, all you have to do is click Blast on the menu bar and find it.

Blast in action

Sure, the use-cases are fairly trivial. Finding a quicker way to do the things that Blast can help you with is going to save you twenty seconds a pop – maximum. Ask yourself, though, how often you get annoyed because you need to re-open a file you just closed. Ten, twenty times a day?

Blast’s selling point, then, isn’t that it’ll give you more hours in the day. It won’t. It’s designed to fix a small but irritating problem. And there’s the benefit – it doesn’t save time, it saves stress. Using it will make you that little bit less frustrated, and to me that’s worth $10.

Blast is available on the Mac App Store, or can be trialled and purchased directly from Apparent Software.

Disclosure: Apparent Software offer free licenses to reviewers. I don’t feel comfortable with that sort of arrangement (though I don’t mean to suggest any foul play whatsoever on Apparent Software’s part). I purchased Blast as a consumer and will not be requesting a free license.

Written by dave

July 28th, 2011 at 10:40 pm

Posted in Geek

Alphas: Clichés And Glue Doth Not Groundbreaking Sci-Fi Make

one comment

I’m a shameless sci-fi addict. I love sci-fi old and new, original and respun, metaphorical and just plain silly. I’ll happily enjoy myself in front of anything from A Clockwork Orange to Shark Attack 3: Megalodon. All I ask is that it’s inventive – that it brings something new to the table. For the 2003 version of Battlestar Galactica, one of my favourite pieces of science fiction ever, this was a political allegory for the Iraq war mixed in with some good old self-determination vs. predestination. For Dinocroc Vs. Supergator (no, really), this was the sheer joy (that came through in the film itself) from a bunch of people making a ridiculous movie about monsters having a barney.

There is no such joy, and certainly no such inventiveness, in Alphas. It is a collection of clichés and lazy, inaccurate writing, held together with celluloid sticky tape. Absolutely nobody appears to be enjoying themselves.

Alphas, as far as I can see, is an attempt to blend the ‘organised do-gooders’ vibe from X-Men with the ‘bunch of people thrown together by chance’ vibe from Heroes. What I can say to this is that Heroes and X-Men both had me wanting to watch the next episode. Hell, Heroes and X-Men were even different in that they had me wanting to finish the current one.

Here’s the tl;dr version of the premise. There are some people. They have powers for some reason. A doctor, who may or may not be related to the US Department of Defense, collects them – possibly every day or possibly not – and they go to a bowling alley with a meeting room, MRI scanner and medical area with green lights in it. They solve crimes, using their powers to overcome fairly conveniently placed obstacles. Freedom is saved.

In the first ten minutes of the first episode, I spotted no less than four things that I considered awful enough to whinge about on the Internet, and here they are. Remember, all of these appear in the first ten minutes of the pilot, the exact time that the writers are giving their all to convince new viewers to stick with it.

Written by dave

July 18th, 2011 at 2:54 pm

Posted in Geek