Everything, Everything

Seriously, was I unlucky or are the bags completely oversized for the contents? I open up the bag and it's not even half full! I count 14 and a half mini cheddars. That's 3p per cheddar!

Bits or no bits? I definitely prefer smooth/no bits. Are there any weirdos out there that prefer their orange juice with bits in?

I don't know if it's me or them, but I find The Register to be quite boring. I used to love the site, but now I don't like half of the articles, and some of the other content can be found on BBC News/Sky News. If it weren't for BOFH, which appears roughly every Friday afternoon, I'd probably abandon it altogether.

A recent article that showed up over the weekend and annoyed me was this one. Entitled "Vista - End of the Dream?", it starts off complaining about an open source program that is bloated and buggy - which isn't surprising given that it's only on version 0.7. Yes, it's fair to criticise the developers for taking so long to develop the application, and it's arguably fair to criticise the choice of language, but considering the title mentions Vista, I wasn't quite sure where the article was going. Then I reached Vista, or more specifically that XP was going to be supplied again by Dell, as many customers wanted XP over Vista.

Then, just as we reach the word Vista, we "backtrack a little" to the old days of MSDOS and its clean code. Not too surprising, considering it didn't really do much. Then we jump to 2004, when XP was around, and part of the source code for Windows 2000 was leaked onto the internet. The sources contained many now-famous comments including "We are morons", and Dave Jewell (the author of this article) describes it as "a vast sprawl of spaghetti in assembler, C, C++, all held together with blu-tack". It was still 4 years old code. And nearly another 3 years have passed since then.

Jewell states that "Just a few months after the leak, it was announced that WinFS, the flagship relational file system, wouldn't ship with Vista after all. And I knew why: unmaintainable". But I don't think that's the problem. If you followed one of the links he gives in his article, you come across this more balanced review of the source code:

In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility.

So, based on code written back in 2000, before Microsoft started breaking compatability in order to improve security (Windows XP SP2), and before the Secure Design Lifecycle (SDL) kicked in, their modern code was already "excellent". This pretty much contradicts what Jewell has said, which he claims is a problem for XP and Vista - despite no actual knowledge of the source code for these versions (admittedly, XP was 5.1 with few changes to the 5.0 code, but Vista is a major 6.0 release). And the dodgy code in 2000 is generally only there to provide backwards compatability, which probably isn't too much of a problem for newly developed things like WinFS, especially if they don't plan on backporting it (like DirectX 10 wasn't backported although I suspect that's partly for business reasons to encourage adoption of Vista). The modern code doesn't sound unmaintainable, if anything you'd expect them to revisit the older code and remove/replace/update it. Give that it's been 7 years, they probably already have.

And yet Jewell likes to repeat the word throughout the rest of his article. He doesn't even attempt to explain the reasons why he thinks the "unmaintainable" code has led to "people scratching their heads wondering what other advantages there are in upgrading your graphics card and adding another GByte of RAM" - even though, for example, the graphics drivers are now in user mode instead of kernel, which improves stability, and the entirely new display model has presumably meant virtually a complete rewrite of the old (arguably "unmaintainable") code.

He also says "since XP was launched, Apple have come out with five major upgrades to OS X, upgrades which (dare I say it?) install with about as much effort as it takes to brush your teeth in the morning" - which is no surprise given the tiny market share and the virtual monopoly Apple has over the hardware they have to support. And as Yamahito pointed out to me, 10.4.9 has a fair number of problems (and I gather 10.4.6 had loads of trouble too). You can see the problems with a quick search on Google.

The comments left on the article sum up most of my concerns. Jewell has even left a comment that says:

One thing's for sure: "generally excellent" code can't be immediately equated with good design. An individual brick might be a great brick, but that doesn't mean you'll get a great house when you put a few million of em together...

Well I think he's right, just because you can spell, string a few sentences together, split them into paragraphs and put them in the right order on a page, it doesn't mean you can write a good article.

After watching the last couple of episodes of 3lbs that I'd recorded using Vista's Media Center (Sundays on BBC1? I told it to record the series so I'm not too sure when it's actually on), I couldn't help wonder how MRI machines would cope with my fillings, now that I'm well into double digits (11 of them, although two - or is it three? - of them are white). It turns out - according to many web pages found using Google - that it's generally fine, so I should be safe to get my head scanned when they discover I have a tumour in my head (okay, so it's quite unlikely, but I am a hypochondriac).

This is an edited post. After staying up all night, I've nearly finished watching all of the first season of How I Met Your Mother. One of the things I had to look up was the intro music. It's called Hey Beautiful, by The Solids. I found out about it here. I still think Robin is hot, I want a girlfriend like her. Holy crap, she's younger than me! She's also 5'9" (possibly the perfect height for me), has long brown hair, is pretty, has a nice figure (former model too), and Canadian people rock! While announcing his departure from the long-awaited Wonder Woman feature, Joss Whedon (such an amazing guy) joked that she was his choice to play Princess Diana of Themiscyra (WW herself). Her biography at IMDb says she participated in various sports as a teenager including tennis, swimming and soccer - I normally list swimming, football and tennis as my favourite sports.

I was going through my blog earlier today and I noticed that very few of my posts are what I'd call "journal entries" or "diary entries". I should perhaps rename this section of my site as a "blog" rather than a "diary", but it's too much of a pain to redo the site to use blog.php instead of diary.php, and I do occasionally leave somewhat private "diary" entries on here too. But the important thing is I think of this as a blog. I post rants about things, I post useful information (sometimes only I find it useful, but it has to go somewhere), I post funny things that I come across, and occasionally I write funny things myself (often they're random musings). On the whole, I think my blog is interesting to other random people, as well as most of my friends.

Other friends, however, have less interesting blogs. There are various reasons why. For example, I think Tom's blog is great and I look forward to his posts; but sometimes I'll have to wait weeks to read something new (in fairness, he's getting a lot better). I often read Emily's blog (although I'm not sure she knows this) as I find most of her posts entertaining and witty, but sometimes I struggle to understand why someone that appears to be quite intelligent and lovely can write some of the things that she posts. I also read my "friends page" on LiveJournal, but most of the friends that post on there treat LJ as a "journal" rather than a "blog". Which is fine, as that's what LJ stands for. But it's also a bit dull, which is why I don't usually leave comments, as I often lose the will to read the entire entry. Another friend's journal entries typically talk about a) how busy she is b) how hard she studies c) her weight/diet d) her kickboxing/running e) when she plans on going out in an evening (and usually who with) f) recipes g) financial worries over her house. Virtually every entry is one (or more) of those things, and it's rare that she writes about much else. The way she writes, and her comments, are usually entertaining, but the topics over the last 6 months are really starting to feel repetitive. But as I said, it's a journal, and she doesn't call it a blog. If she did, I'd have to give her a smack. Or perhaps just teach her the error of her ways.

Some of the blogs I enjoy reading are by more famous people, such as The Dilbert Blog by Scott Adams. Despite the name, he rarely writes much about his cartoon, and his daily articles are usually topical and/or controversial. I might not like all his entries about free will or terrorism, but I have subscribed to the RSS feed. I also like the geeky ones by McAfee, Sophos and Symantec. I also like the Errata Security blog, and Stephen Toulouse' personal blog. But part of the reason why I like them is because they talk about things, rather than themselves, and when they talk about themselves they do it in an interesting way. I don't think you'll ever see them make a detailed post about what they plan on doing next weekend.

So I guess what I'm saying is I don't like to read journals, but I do like blogs. So please don't be offended if I call your blog boring (if you call it a journal and write journal entries, then it's less of an annoyance, as at least I know what to expect). But if I want to know what you're doing next weekend, I'll probably ask you. And if I want to find out what you've been up to, I'll ask you over a coffee. And if you expect me to read your blog, don't forget to post fairly regularly - I can get bored quite easily. But don't post for the sake of it. Sometimes it's better to go quiet for a day or two than write crap. Which is partly why I've been quiet for a day or two. Crap, I just told you something about what I've been up to. Hehe.

After Doctor Who finished, my attention was caught by the camera work in the introduction (plus they had pyrotechnics). I noticed this last week, but he looks juast as bad this week too: is it just me or does Chris Barton (that ALW appears to be a fan of) look like a crash test dummy (with a wig on)?

What the hell is up with his hair? He's on The National Lottery People's Quiz.

Sheryl Crow is trying to persuade people to use just one square of loo paper - to save the world's rainforests. Whenever I've shared a flat with a woman, the toilet roll has disappeared within a matter of minutes (okay, slight exaggeration). I don't think it's the men that are to blame for the vast quantities of toilet paper that gets used in the US and UK.

And as someone on The Register has pointed out: perhaps she should try campaigning against the massively useless amounts of junk mail that get sent or the equally useless advertising junk that finds its way into newspapers and magazines. That would make a far bigger difference.

I heard about this on BBC Radio 1 this morning, and couldn't help laugh out loud. More than one in 10 university students cannot put a condom on properly and 16% believe two condoms are safer than one. More than a third of students believe condoms have holes in them big enough for HIV to get through. The survey of more than 2,200 university students, carried out for the charity Terrence Higgins Trust and the National Union of Students, involved 20 questions about condoms. Other findings were that one in 10 students think condoms should be stored in a warm place (which can actually cause them to perish), while seven students believed they could be washed and re-used!

I do enjoy this song for some reason, but every time I hear it I can't help but think of Lenny Kravitz's original song ("It Ain't Over 'Til It's Over"). His older albums were great. Talking of Sugababes members, Siobhan's new album is out soon, I'm pretty sure I hear a single of hers the other week ("Don't Give It Up"?) and quite liked it. The album is meant to have had a full release on April 16th, with the single out on from April 9th (charting at number 72).

Sorry for going on about my UK Radio Player gadget yet again, but I threw 1.2.9 with improved volume control (using the scrollwheel on the mouse) onto Microsoft's website on Saturday, and I've nearly finished version 1.3.0 with the new station code. I haven't done what I'd originally planned on doing for 1.3.0, but someone made a suggestion of preset buttons, like on a real radio, which I thought would be really useful and quite easy to implement. I still need to fix a couple of bugs and add some additional code, but the basic functionality works and I might be able to submit it to Microsoft's site on Saturday. I suspect 1.3.0 will sit there for quite a while, as I carefully decide what to do for 1.3.1 onwards (to be honest, 1.3.1 will probably be a few new stations and bug fixes, major changes will come later). Plus I think I'm going to be quite busy with work, and the next few weekends will probably be quite busy too.

The more I look into it the more frustrating it gets. My first complaint is how slow it is (you can do a few tricks to potentially help speed things up very slightly, but nothing major). My second complaint is the poor alpha-transparency support* (see #6) (Microsoft introduced the graphics API so you can add text to an image without it going all weird/purple, but it looks like it might cause memory leaks and makes it very difficult/occasionally impossible to use stylesheet settings). My third complaint is the seemingly slow writing to the registry.

The code I've written isn't particularly inefficient, but I'm struggling to find ways to make it leaner/make the gadget more responsive. My first thought was to stop writing the volume to the registry every time it's changed, but there doesn't appear to be an event to detect when the gadget is closed, or at least nothing like the one that exists for settings. That means if someone shuts down the sidebar and starts it up again, it'll load the gadget and read the settings in the registry. Which is fine, unless that person had the volume set at 100%, lowered it to 0%, and then restarted Windows - once Windows starts it'll start the sidebar.exe process, and the gadget will be using 100% again instead of 0% like it was previously using. I'd like to save the old setting as the gadget closes, and there appears to be a way of capturing an event when the gadget is closed, but I think that's when the gadget is effectively removed from the sidebar. The documentation isn't very clear, so I'm going to have to write something to catch the event, save the value into the registry, and hope that it works.

Next on the list is to teach myself the best way of storing station data - in a separate file (requires VBScript and permissions) or the registry (allegedly has a maximum length)? I've noticed that as of RC1, you can share information between the gadget and the settings, so I might look into using that to access the hidden drop down list in the gadget to populate the settings drop down list, and then do the reverse once they click OK. I'm also wondering what the best way is to edit/reset the contents of the drop down list. I think I'll end up having to create a separate list for each version of the gadget, and hosting it on my server, as the station data also holds the filename for the station graphic, which are files that are stored locally. I could solve the problem by rewriting the gadget to load the graphics from my server, but that'd really increase the bandwidth, and would take longer to appear/probably slow down the gadget.

I have quite a few good ideas rattling around my head, but not enough time to implement them. Sadly, the storing and editing of the stations probably needs to be done together, so I think the 1.2.9 release will have more stations, perhaps the ability to add custom stations, and definitely an improved volume control that brings in mousewheel support. And then, probably a long time after that, 1.3.0 will introduce the improved handling of stations. With that release, I hope the gadget will be nearly complete. The only things that might be added are additional popular stations, updated code that offers performance improvements, bug fixes, and perhaps some updated/new themes. And I'll eventually sort out the flyout information for the top 5 stations. Perhaps I'll sort out 1.2.9 over the weekend as I create my new RAID arrays.

* Microsoft specifically say: The gadget platform allows for transparency around the edges of a gadget. Any PNG file with a transparent region set to 100% can be used if it is specified as the background on the BODY tag. It is not possible to have a transparent region in the middle of your gadget. It is also not possible to have partially transparent regions, such as a shadow, on the edge or in the middle of a gadget. Attempting this will lead to a poor appearance in many cases.

They say that imitation is the sincerest form of flattery. I was looking at the various new radio gadgets at gallery.live.com to see if there were any cool features that I should consider for my gadget. I came across one simple looking gadget that apparently lets you control the volume using the scrollwheel. Excellent, as that way you can control the volume on the themes that don't have volume control graphics! So I looked at the code and what did I see?

I saw some stylesheet information for an "#onNowImage". It could have been a coincidence, as although I had used that on my gadget, with the same case, it's not exactly proof. But then I looked further down and came across my div with an id of "gadgetFooter". I then looked at the JavaScript code to see how the volume control works and came across:

function SettingsClosed()
{

var currentSetting = new String(System.Gadget.Settings.read("stationPicker"));
var wasPlaying = 0;

if(controlImage.src == "images/btnStop.gif"){
wasPlaying = 1;
}

if (mediaPlayer.url != (currentSetting.split("|")[0]))
{

// station has changed, so change the URL

if (currentSetting != "")
{

onNowImage.src = "http://radio.akado.ru/ai/radio." + currentSetting.split("|")[1] + "/logo.gif";


mediaPlayer.url = currentSetting.split("|")[0];
if(wasPlaying)
{
mediaPlayer.controls.play();
}
}

}

}

The wasPlaying variable is definitely my creation. I'm pretty sure the "// station has changed, so change the URL" comment is one of mine too, but from an older version (I now keep track of the stations against the stationTracker). Still, I don't particularly mind (everyone else seems to copy off each other), and hopefully it'll stop the author from complaining if I decide to use his wheelmouse volume control code (EDIT: although I've seen it elsewhere, so perhaps it was written by another person). I'll probably have to rewrite it to fit in with the rest of my code. Most of the other gadgets don't permanently store anything other than the current radio station or background image, mine stores the volume too, which is why it can be a bit sluggish at changing volume (no one else appears to save the volume setting after any adjustments). Microsoft's Sidebar gets a bit sluggish when you make it write to the registry.

I'm in the process of adding a "geek" tag to my blog entries, so that people can filter out the boring technical crap and just read the vaguely interesting parts. Hopefully I won't break anything along the way. It's a good job I know what I'm doing.

Cheeky researchers can still wangle IT passwords with free chocolate and flirting. A train station survey of 300 office workers carried out by Infosecurity Europe researchers in London revealed the disturbing statistic that 64 per cent would hand over their office computer passwords for a bar of chocolate "and a smile". I must admit, both are appealing, but hopefully I wouldn't tell them my password(s). Good-looking, chocolate-bearing researchers apparently had to probe a bit harder with the IT professionals than random train platform suits in order to get passwords, but the questions were simple.

Researchers asked IT conference delegates if they knew what the most common password is (my guess is "password", although if it's a Windows machine with password complexity, I'd probably try "Password1") and then asked them what their password was. Only 22 per cent of IT professionals revealed their "Open Sesame" at this point (the fools!), compared to 40 per cent of non-techie commuters (bigger fools!). If at first they refused to give their password, researchers would then ask if it was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of their child or team (this wouldn't work on me, my passwords are generally far too cryptic). By using this social engineering technique, a further 42 per cent of IT professionals and 22 per cent of commuters inadvertently revealed their password. Of course, I'd have lied once they started asking more questions, in the hope of getting rid of them so I could dive into my free chocolate. Mmmm, chocolate. Mmmm, attractive women.

I don't know if you've all seen the open letters between the Bank of England and HM Treasury, but you'd think with so many people reading them, Gordon Brown could find himself a proper pen, instead of using some sort of thick marker that he must have stolen off one of his kids.

My 90 day trial of Trend's anti virus software ran out a little while ago and although I thought it performed pretty well (it caught the EICAR test string, although it did it silently, which is great if you're a dumb user that might otherwise click the wrong option, but annoying if you wanted to check the software works works; the service didn't crash or cause anything else to crash), I decided to try McAfee's anti virus software, as I have a copy from McAfee from when I was at their office in Slough the other week.

Because I'm using Vista, I had to download the new setup file from the website, which was relatively painless, but made me wonder what would happen if I'd typed in the wrong URL or the McAfee site was infected with something. The installation was painless, I went for the custom option and only installed the SecurityCenter and VirusScan, as I figure I'd rely on Windows Defender and IE7 to save me from my own stupidity (Site Advisor hasn't typically fared well in independent tests compared to the IE7 Phishing Filter). So I was amazed when Vista told me that Windows Defender had been disabled! I restarted the service, it doesn't appear to have caused any problems, and I have anti spyware software again. I then went into the SecurityCenter console and noticed that despite only installing VirusScan, I apparently have the following services protecting my computer and files:

• Virus Protection
• Spyware Protection
• SystemGuards
• Windows Protection
• PC Health

Considering I specifically asked it to install just the VirusScan software, I'm amazed that I have things like Spyware Protection. Isn't that what their anti spyware application - that I chose not to install - is for?

Anyway, despite the initial confusion as to what I have running, the software appears to catch the EICAR test string without any trouble, and it seems to update itself without the problems I had with Trend when I was using a wireless connection (it would often try and check for updates after I resumed the PC from hibernate, when the wireless connection sometimes looked valid, but the router wanted to establish a new connection). A small part of me is tempted to pay money for a full subscription and go back to Trend, but I'll give McAfee a chance, and I think they might be slightly better in terms of definitions for new exploits. Not that I plan on getting infected, but I did stumble across the Asus website looking for drivers (thankfully on another machine with AV software, rather than the one I was about to start patching) the other day when it was serving a file that exploited the ANI vulnerability.

I just came across the breaking news on BBC News and Sky News about the shootings that occured in Virgina Tech university. It sounds like a lone gunman may have killed 32 people before shooting himself, along with over a dozen injured people. You have to wonder why someone would do something like that, and wonder why the situation apparently escalated from the initial two deaths to the final toll after the second incident a quarter of a mile away. It sounds like the gunman had plenty of time to get across campus, reload his weapon(s) and wander around several areas, killing so many innocent people, despite law enforcement supposedly being on the scene.

I did discover that I can stream Sky News over the web, which is quite cool, although it's a bit jerky.

Edward Norton is to play the lead role in the forthcoming Incredible Hulk film, according to industry reports. My first thoughts are they must have offered him a lot of money. Norton will take over the role from Munich star Eric Bana, claims Hollywood trade publication Variety. Marvel Studios have confirmed a release date for the next film for 13 June 2008, to be directed by Louis Leterrier whose credits include The Transporter (at least that was a fun movie to watch, unlike Hulk... I wonder if Jennifer Connelly will be back?).

Hulk 2 will be less serious (*ROFL*) than the last and more in tune with the comic book series, according to Marvel. The scriptwriter is Zak Penn, who penned the X-Men sequels (which I quite liked, although I hated X-Men 3 right up until the end, and now I can't wait for a fourth).

The Gloucestershire Echo recently published an article about the Government's scheme for free countywide bus travel for pensioners. It has proven to be hugely popular and not enough money was set aside for it. Stagecoach lost so much money providing the free travel that it appealed for compensation. Now the local councils are stuck with paying the shortfall. Cheltenham and Tewkesbury borough councils have had to find an extra £131,000 for the scheme. That's a lot of money. The next line is taken directly from their article, and made me smile:

There is no doubt it is a brilliant scheme. It gets pensioners out of their cars and on to public transport.

I must admit, this scheme is excellent for getting pensioners out of their cars and away from the steering wheel where they're a fairly constant menace. I know what they meant to say, that it reduces congestion, and that it even gets those that'd stay at home all day to go out and meet people. But I wonder how many accidents have been avoided thanks to OAPs no longer being behind the wheel (are there any statistics for accidents caused by OAPs?). Perhaps we should get the insurance companies to contribute a little bit towards the huge bill?

My boss was complaining about Windows (he has a Mac at home). I can understand his frustration at the software he wanted to use not being able to find the dongle that came with it, but I must admit I'm not a fan of dongles and other types of copy protection. He also complained at how long it took Windows to boot up, for him to check his calendar, and how long and unreliable it is at shutting down. XP isn't perfect, but using Hibernate (with the hotfix, as I have 2GB of RAM), it can be pretty quick. I'm very impressed with Vista, the mixed mode standby thing is great, and I can get my laptop go from a completely powered down state to staring at the webpage I had previously been viewing in IE7 in slightly under 30 seconds. I imagine the reason it even takes that long is because it's reading 2GB worth of data from the laptop hard disk (I can't wait to see what it's like when using the hybrid drives with Vista's ReadyDrive technology - Samsung and Seagate are meant to have 4GB prototypes, which I'd be quite interested in). As for Standby, that's impressive. Lift up the lid, the screen powers up and a split second later you're staring at the login screen (and presumably if you don't require a password when resuming from standby, you're at your desktop). Standby takes a while to power down, due to the "mixed" support that also saves the data to disk (like Hibernate) in case there's a power cut, but you can disable that if you're worried (or using a laptop with a decent battery?). I thnk the problem is too many people shut down their PCs, because that's what kept Windows 9x running pretty smoothly. But you don't have to shut down. In fact, I only seem to reboot when I install updates for Windows, and occasionally for new software. The rest of the time I use Hibernate, even on XP, as it's quicker to get back into Windows and even uses less power (as there is less CPU usage involved in getting it back up and running). So make better use of your time and energy bill, and start using Hibernate, and if you're using Vista you should use the default power management options instead of shutting it down every time.

I finally got around to adding a way to sort the search results by date, as sometimes I'd be looking for something from a specific month or year. I initially used style settings to set the text field and the drop down list to both have a width of 120 pixels, yet the drop down list appeared to be slimmer in IE7. The submit button might appear to be the same width as the text field, but it's set to 126 pixels. I've now set the drop down list to be 126 pixels too. The inconsistent width thing seems to occur on both IE7 and Firefox 2, so at least the inconsistency is fairly consistent (even if they're about a pixel different). So why does it happen? I haven't got a clue, I could use my stylesheets to make them all look "right" in IE7 and Firefox, but for now I don't think I'll worry about it. I did fix the strange linespacing problem in the bar, although it'll probably look too spaced out in IE6 and older (upgrade to IE7 folks!), by using a stylesheet to control whether a br tag is displayed or not. IE7 is making things easier, but there are still too many quirks and bugs with CSS and I'm fed up of writing hacks and fudges.

And she's back in Berkshire. Miss Middleton left her family home in Berkshire on Saturday morning without speaking to the assembled press pack. She's actually slightly younger than me, but only by a month. But if she went for William, 24, then it's obvious she's not after a much older guy (although she might be after a guy with power). She's very pretty.

Assuming the order goes okay, I'm hoping to have 8 new SATA hard disks and a couple of PCI-X SATA controller cards arrive on Thursday. I'm not entirely sure when I'll start the upgrade, it'll possibly happen over the weekend. The plan is to move the content of two hardware RAID 5 arrays that are on separate Highpoint controllers onto a brand new software RAID 5 array that should have roughly the same capacity. That'll let me ditch one of the existing arrays and turn the original hardware RAID 5 array into another software RAID 5 array to store new content. Why am I doing this? Although the performance of the RR1820A is pretty good,. it has a nasty habit of dropping or failing to detect disks. Setting the priority of Windows to services, instead of programs, has pretty much stopped it from randomly dropping disks, but reboots usually cause a disk to drop off the face of the planet. Also, the card likes to beep when an array breaks, and will only Wstop beeping once you shut down the PC, and I don't particularly want to have a go at the speaker with a soldering iron. What might speed the whole upgrade up is the fact I finally rebooted yesterday and the server never came back up, because it had dropped a few disks. I let it try rebuilding at that point, knowing it'd take forever compared to doing it under Windows, but after 1% it complained about an error of some kind. I played for a bit, and it looks like one of the channels doesn't want to pick anything up, whether it's the cable or the card, I'm not quite sure yet. I eventually gave up and pulled the power from all the drives, and booted into Windows so I could at least get to half my content straight away. I think I should be able to rebuild the array, as I only need 6 disks and I seem to be able to get 5/6 disks up (if I plug 2's cable into 3 and vice versa, I can see 3 but I then lose 2), and there's the usual Highpoint randomness where it seems to think there's a second array of the same name but with only one disk, so I'm guessing I might have lost 5 from the array, and I can't seem to get 1 to show at all, but I haven't tried another cable yet either. I'm fairly sure I can find some combination of 6 drives that'll let me rebuild, and hopefully after the first part of the upgrade (copying the first array on the new software array), I can plug the cables into the second array's disks and rebuild and then copy the content onto the software array (and eventually replace the Highpoint card with the second cheap controller card). If it fails*, then I'll have a half full software array, loads of disk space, and it'll probably only take a few hours to complete. I really hope it takes me a few days to complete this upgrade. I think I'm going to stick well clear of hardware RAID in future.

* All the really important stuff on that second array is backed up on a spare hard disk that is currently on the floor next to my main machine, just in case I need it, and half of that is backed up on another disk at my parents' house, as I'm not completely stupid

So addictive. I'll complete it sometime.

I want one. I don't need that much power, but I'd like it anyway. Perhaps it's something to put on my Christmas list.

Movies and music could be shared faster over the net thanks to a system pioneered by researchers in the US. The findings are outlined in a paper, Exploiting Similarity for Multi-Source Downloads Using File Handprints, written by David Andersen of Carnegie Mellon University, Himabindu Pucha, of Purdue University, and Michael Kaminsky of Intel Research.

Current file-sharing systems, like BitTorrent work best when there are multiple sources of a specific shared file. When a file is shared it is divided into chunks and distributed to groups of people who are searching for that file. The more sources of those chunks there are, the more information there is that can be sent to a user, resulting in faster download speeds. But these services often fail to deliver fast speeds because there are not enough users sharing the chunks of a specific file.

"A big limitation of BitTorrent is that it only lets clients share data if they're downloading the exact same file," said Professor Andersen. "This means that the available client pool for any particular file is smaller than it needs to be."

Similarity-Enhanced Transfer (SET) works by spotting chunks of identical data in files that are an exact or near match to the one needed. The trio realised that many files being shared on the net contain identical pieces of data even though they appear to be different, resulting in faster speeds when SET is used. Professor Andersen said he was "shocked" by this discovery. I'm very surprised he was shocked, it seems quite sensible and logical to me, but I can also see why it's not worth implementing.

A lot of torrents contain the same files, e.g.

linux-distro.iso

linux-distro.iso
linux-distro.md5
linux-distro-readme.txt

Both contain the main "linux-distro.iso" file, but because of the additional files in the second torrent, the resulting infohash is different, so they aren't a match.

naughty-file.avi
naughty-group-file.nfo
naughty-tracker-file.txt

naughty-file.avi
naughty-group2-file.nfo

In this second scenario, both contain the same naughty file, which takes up most of the torrent, but (for the reason stated above) there is currently no way they can work together, even using DHT, as they have a completely different infohash. Even having a different filename (I think, as I believe it's a hash based on the info value from the metainfo) or ID3 tag information will make a difference to the overall infohash.

But, if they use the same size pieces and it starts with the largest file first, there's a good chance that the majority of the torrent will be identical (ID3v2 information is stored at the start of the MP3, so a different ID3v2 tag would cause problems, but if it just had an ID3v1 tag at the end of the MP3 then you'd probably be able to grab most of the first file okay). Although you can't tell that based on the (overall SHA1) infohash of the file that's sent to the tracker, each piece is also hashed and compared against a SHA1 hash associated with it to ensure that the downloaded data is identical. So you could run another DHT-type tracker that will perform the same task based on the pieces, rather than the overall infohash. As long as the overhead of DHT data for pieces doesn't use significantly more bandwidth, it could be very useful for poorly seeded material. But most legal content is, or should be, well seeded. And ideally you'd want to download your linux distro from the official website, as it's less likely to have been altered (in a very bad way, e.g. including a backdoor in a service) than the similarly named download at some random website.

Once you start looking at illegal side of things, if an anti-piracy group obtain one of those naughty files, there's a good chance that asking the DHT-type tracker for the IP address of everyone else that has one piece that's the same would result in it quickly giving up every single illegal filesharer, no matter where they grabbed their torrent from. The only thing I can think of to counteract that service would be a private tracker, as that shouldn't return the information, so you would probably see an increase in the number of private trackers, forcing piracy further underground (which might be what the MPAA/RIAA want), and making illegal content poorly seeded (or even more poorly seeded?). Or you see more odd sized rar files being seeded to make SET utterly pointless (and malicious people might seed fake content within password protected rar files etc. to annoy people that illegally download content). Or the piece size goes crazily small, so it's harder for the anti-piracy companies to say you've got the illegal file because of just one piece, although if you have 99% number of all the pieces they check for, it might be a safe bet that you've got the same file, but it might also be difficult to prove in court as they can't prove you're sharing the complete file as long as one piece at the end doesn't match up.

In my opinion, SET is a good idea for poorly seeded legal content, but there shouldn't be that much around. It's an interesting idea, but there might be privacy problems, and for well seeded content there would be very little gain. Probably not enough to warrant the extra overhead. Perhaps it'd be possible to allow it as an option that can be enabled in the client and only kicks in when you're very low on seeds. But I'd rather not see it implemented.

I just had our HR woman* stand by the doorway to the office, begging me to come next door to save her from a spider that was on the wall. I'm not a huge fan of spiders, but I was brave and managed to capture the little creature without showing any fear (you never know, maybe they can smell it?). It would have been too difficult to get out of the building with my hands full, and the windows only open an inch or so, so I decided to kill it.

* Obviously, as a man would never admit being scared of a spider

I was reading Scott Adams' blog again and came across this "moral dilemma":

Let's say you're the butler to a billionaire who lives alone. The billionaire dies in his sleep. You know he owns a large piece of jewelry that no one else has seen, and you have access to it.

If you steal the piece of jewelry, sell it, and give the money to an African charity, you can feed an entire village for a year. The village would otherwise starve. If you don't steal the jewelry, it will go to his surviving family who has so much money they won't care about it.

Obviously it is illegal to steal the jewelry and feed the starving village in Africa. But do you have a moral obligation to commit the crime for the greater good?

And if so, do you likewise have a moral obligation to steal anything else you can get your hands, from dead billionaires or living neighbors, if you can use the stolen property for the greater good?

One of the comments caught my attention, here's a snippet from it:

Your "dilemma" is a simplistic attempt to set up an either/or situation, a forced-choice decision. This is rarely the case. You yourself delight in telling how you never have enough information to decide who is a better candidate for president (or whatever elected position). Your attempt to set up a situation where people assume they do have all the necessary data is artificial and irrelevant. So to answer your question, no, there is no moral obligation to steal to do good since there is no way that you can know with certainty that YOUR "greater good" is the "greatest good", or even actually greater.

My answer would be something similar, except my first thought was to question whether anyone else had seen it. I know it says no one else has, but it must have been acquired from somewhere, you'd think someone would know about it (or am I just being paranoid?). My second thought was "why risk going for the expensive item that people might not have seen but are more likely to notice is missing if they are aware of its existence?" - which led me to the thought that you'd be far better off stealing several small and expensive items that no one would notice were missing or were easily traceable to you/the dead guy.

Without knowing how the inheritance would be spent/invested in years to come, it's hard to know for sure what the most responsible action would be (for example, the person named in the will might decided to do the same thing, but be might be able to legally sell the item for more money). Stealing off living neighbours might sound worse, but it's the same evil deed, the fact they're alive doesn't change anything (except you're perhaps more likely to be caught when they miss it). The obvious answer is that you shouldn't break the law. You also can't predict what will happen based on your action (i.e. the butterfly effect, your small action might have huge ramnifications over time), so there's no point in trying to justify whatever you decide is the greater good. So the real question is are you a selfish person that's willing to break the law? We're all human, we can't be perfect all the time. But unless we want to revert to animalistic behaviour, it's probably best to put yourself in their shoes and see how we'd feel in their position. If I was the neighbour, I'd be pretty annoyed if someone was stealing off me. But if I was dead, I wouldn't be around to care. My family might care though. Unless they were dead too.

You're an A grade student, a prefect, you spend your free time representing the school in sporting events. And because of a stupid policy decision, this unfortunate girl is being banned from the netball team and her own prom. A school governor has quit in protest but the school insists the tough line on extra study benefits pupils.

The row started last June when the school asked all year 11 parents to sign a form allowing their children to attend the sessions. Kayleigh Baker, 16, is a prefect at Hurworth School and already has two A grade GCSEs. Her parents did not sign, saying their daughter was already a high achiever who did not need the burden of extra classes, which sounds like a pretty good reason to me. Headteacher Dean Judson then wrote to them saying their daughter would be excluded from any "other voluntary activities" at the school. This includes the end-of-school dance at Hardwick Hall.

School chief executive Eamonn Farrar said the extra study sessions were made compulsory five years ago. He said: "If we were to give the children the choice of attending the extra study sessions, what do you think the response would be? They wouldn't attend".

I can see why the school would want to force children to attend the extra lessons, as it'd probably help them achieve better grades and make the school look better in the league tables and probably gain additional funding/avoid closure. But if they're not careful, all schools will start to force extra classes on the students and we'll end up with stressed out kids and no change in the league tables.

Are the extra lessons required because of a general lack of quality in teaching? I'm not criticising the teachers, although I suspect some of them are sub-standard, but class sizes have increased over the years, so I presume teachers are finding it harder to properly connect with their students. This might make it harder to spot that kid in the corner with the glossed eyes, as well as being harder to demand the attention and gain the respect of an unruly class (the more people in a room the more likely it is that someone will disrupt the lesson?).

Perhaps the "large sizes for longer" approach is a cost effective method of teaching, but sometimes you have to stop and evaluate the impact this will have on the wellbeing of the children. Education is important, but don't drive people out of it too soon by forcing them into a generic style of teaching that doesn't work for them, and don't force the intelligent ones to sit through unnecessary lessons when they could, and perhaps should, have a better work-life balance - they probably already study in their own time in the comfort of their own home, around their other responsibilities and activities.

This girl shouldn't be excluded from "voluntary activities" because she already has a good track record. It should be possible to make an exception to the "mandatory" lessons for children that display an outstanding academic ability and have little, or nothing, to gain from the additional lessons, as long as they continue to display that ability during the regular lessons.

I wonder if the school could reach a compromise, where she sits "additional lessons" with a private tutor at home. All she'd need then is someone that's willing to lie for her. I can imagine a few sympathetic people would be willing to do that. She shall go to the ball! Or at least I hope she does.

Professor Jim Horne, director of Loughborough University's Sleep Research Centre, claims that we don't necessarily need eight hours of sleep: "There is a normal distribution - the average sleep length is seven, seven and a quarter hours". Women may need more sleep than men, due to the structure of their brains. And there is evidence that young children are getting too little sleep, with a detrimental effect on their behaviour.

I haven't seen it yet. If anyone tells me what happens, I will shoot them. Okay, not really, but I certainly won't be very happy with them.

I wrote a nice long post, I submitted it, and it appears it never made it onto here. So here's a quick and dirty recap. Phishing sites often rely upon users typing in wwwmicrosoft.com instead of www.microsoft.com (incidentally, Microsoft owns both domains), and similar typos, because individuals are generally free to register any domain name within the .com, co.uk and several other popular domains. Other Top Level Domains (TLDs) such as .gov, .mil, as well as .ac.uk and .nhs.uk are tightly controlled by organisations that are responsible for the "vertical" (e.g. JANET controls .ac.uk and specifically forbids individuals, and has a strict requirement on eligibility). So my suggestion is we introduce more "verticals". The current TLDs are generally countries across the world. Great if I want to find local content by going to www.vodafone.co.uk instead of www.vodafone.com (incidentally, again, both are owned by Vodafone). But this also makes it easy for someone naughty to register www.vodfone.co.uk in case my A key is a little sticky or something and setup a fake login site for "My Vodafone". So instead of splitting by country, split the TLDs into groups of similar industries/organisations.

You can already see it happening with the .museum domain (the.british.museum and smithsonian.museum, for example), so why not introduce it to banks? Only allow banks to have a .bank domain, and you end up with barclays.bank and natwest.bank. You might be thinking "but bank is very English, what if I'm French?" - well the French banks could have their own .banque domain. This also means you keep the idea of localisation, so global companies would offer local content based on the language of the TLD domain (rather than trying to guess based on IP or making users click a language page). For example, www.barclays.fr could use barclays.banque instead. In short, everything would move away from the .com domain, and similar "risky" TLDs. It doesn't work perfectly, some groups might not know what to use (would computer related companies use .computer - and who would regulate such a broad TLD?), and you'll still get problems with things like Apple (Apple Inc might want apple.music but so might Apple Records), but it's no worse than the current system. Perhaps it's something that's only created for certain "verticals" such as banks and porn (e.g. the controversial .xxx domain).

Of course, none of this helps if the user clicks the www.microsoft.com link without noticing the underlying link goes somewhere else. Showing the address bar and the use of EV certificates (the address bar goes green) isn't going to be of much use to naive/ignorant users that miss all the warning signs, and the more we throw at them the more annoying it gets for other users. User education only works up to a point. After that we should ban them from using a PC, and ban them from having children. Or something like that.

No, not from doing too much of that; over the long weekend I played a load of computer games against some old friends from uni. It was the second proper LAN party I've attended, and the first one where we've played a racing game (those sort of games aren't played too often at LAN parties, it's mostly FPS games like Counter-Strike: Source). It was great fun, and feel free to download TrackMania Nations from their website, but with all that constant acceleration using the up arrow, my hand still hurts even now. Between tracks we were all desperately trying to get the cramp out of our hands, and at one point I thought about getting a good time and then stopping for 5 minutes and hoping no one would beat it, but Chris and Fab put up a pretty good fight. Occasionally I managed to get some amazing times that no one else could touch, I even got a compliment from Chris, but near the end most of us were enjoying it without caring too much about who had the best time.

If the teachers are being bullied by kids and can't do anything about it, what hope do the other kids have? Teachers have been calling for tougher restrictions to be put in place to prevent them being targeted by online bullies. They claim offensive videos of them being abused, bullied and derided by pupils affect their ability to command respect in the classroom and causes them pain. Perhaps they should practice what they preach; or is this a frank admission that all the bullying advice that teachers give to pupils is just a load of crap and there's nothing that they can do?

The education secretary Mr Alan Johnson will tell delegates at the NASUWT conference in Belfast that web providers have a "moral obligation" to cut offensive videos of people being attacked, harassed or ridiculed. But if you ban videos of people being attacked, harassed or ridiculed, videos that violate copyright laws and all pornographic content, what exactly are you left with on YouTube et al? I can't help think that tackling the problem of bullying is what needs to be done, not attacking web providers for allowing such user content to be distributed. Johnson claims that by removing the platform, it'll blunt the appeal, but there's always going to be somewhere online where this sort of content will appear. All you'll do is drive it deeper underground, or onto servers in countries where they can't be touched.

Has anyone else heard her cover of the Kaiser Chiefs song Oh My God? It's off Mark Ronson's new album. I hate to admit it, but I quite like the Lily Allen singles I keep hearing on the radio. Not quite sure I want to buy her album though. She has a surprisingly nice voice though.

I miss my home comforts. I'm not uncomfortable upstairs, but I do miss a big comfy double bed to roll around in. The shower was warm and I could listen to music on my mobile, but it's not as nice as my power shower in the ensuite, or being able to stream music using my work laptop (and the wireless connection to everything on my fileserver). Or being able to watch old episodes of Frasier through the shower (an incentive to keep it nice and clean). I also wouldn't be hideously short of disk space right now (778MB free on C:). And my PC would be recording Doctor Who (thankfully, instead of recording static for an hour, it refused to record anything because it was low on disk space). On the plus side, I do have a BBQ waiting for me, and it's been fun to play games. I even won Command & Conquer last night - I had to win something while I'm here! Some of the CS:S mods have been fun too, like Zombie Mod and the Gun Game mod. There's a distinct lack of decent beer here, although (hopefully) some of the others did grab me some John Smiths when they made a run to the shops. I also randomly placed an order for a couple of audio CDs.

It's been ages since I've mentioned my gadget, so I thought I'd post a quick update. I've added and tweaked more things than I can remember, and I've put a lot of effort into things behind the scenes (working on the flyout data, updating the redirects, and a lot of tech support). Since my last post, the version number has gone up in minor revisions from 1.1.3 to 1.2.8 (yes, fifteen!), I've added a volume control and way to skip the stations, the number of streams has probably nearly doubled, and there's a variety of themes (the flyout matches the rest of the theme, and I'm offering a theme contributed by another user). I've also generated a portal site for people to visit if they're having trouble with the gadget, or if they want to get in touch.

I hate to say it, but I don't use the Default theme anymore. I should change the default sometime, but I'm really starting to like my "Common (Advanced)" theme, although I miss not knowing what the current status is. I'm still not entirely happy with the volume images, and I might replace the 4 images with 11, so that people can have the triangular looking volume graphic on other themes, similar to how it looked in version 1.2.7. There are still a number of things I want to change, but I think I need to make more of an effort behind the scenes, sorting out the flyout data for the top few stations, and I'm hoping to add another half dozen stations (maybe more, I stumbled across a few Welsh stations earlier and this is the UK Radio Player after all).

So if you're using Vista, please give my gadget a try.

An election pack issued by Bournemouth Borough Council stated that "lunatics and idiots" and "deaf and dumb persons" were disqualified from standing. Matt Pitcher, electoral services officer, said it was a mistake and that the terminology was allegedly taken directly from election law dating back to 1766 (although I can't seem to find anything using Google). The information pack has been amended and the council apologised for "any offence which may have been caused". Which is a shame otherwise it might have kept Fab out of office (have you seen his crazy driving?). ;)

It seems that Berkshire is one of the cheapest places for parking in this country. Of course, this isn't of much use to most people across the UK, especially those of you that park in central London. Both the cheapest and most expensive car parks are owned by a private company, National Car Parks (NCP), who declined to comment on the charges. Mind you, I don't think they should have to answer to anyone (except their shareholders). They're a company that owns land in some very convenient locations, and they can charge people whatever they like for the privilege of parking there. If the price is too high, people will vote with their feet. If competition is high, prices will have to be lower (short of any price fixing conspiracies). Where space is a premium, prices will be significantly higher (bear in mind that the land is typically very expensive). Is it fair? Not really, but that's life. If you want to pay the same price no matter where you park, you'll need to nationalise car parking. Or get McDonalds to run it, their prices and menu are fairly consistent across the UK. Of course, you might not be allowed to park in certain places before 10:30AM. Do you want fries with that parking space?

I saw a variation of this somewhere else, but this was nicely formatted so I thought I'd paste it from Tania's blog. You're supposed to answer each question using just one word:

1. Where is your mobile phone? Bedside
2. Describe your boyfriend/girlfriend? Absent
3. Your hair? Shortish
4. Your mother? Lovely
5. Your father? Great
6. Your favorite item? Kickers
7. Your dream last night? Vague
8. Your favorite drink? Coffee
9. Your dream car? Quick
10. The room you are in? Bedroom
11. Your ex? Okay
12. Your fear? Unwanted
13. What do you want to be in 10 years? Settled
14. Who did you hang out with last night? Alone
15. What you're not? Fat
19. The last thing you did? Read
20. What are you wearing? Black(ish)
22. Your favorite book? High Fidelity (how do you answer that question with just one word?)
23. The last thing you ate? Crisps
24. Your life? Bearable
25. Your mood? Lonely
26. Your friends? Online
27. What are you thinking about right now? Work
28. Your car? Mine (okay, it will be in about 24 hours time)
29. What are you doing at the moment? Relaxing
30. Your summer? Unplanned
31. Your relationship status? Single
32. What is on your TV? 3lbs
33. When is the last time you laughed? Monday
34. Last time you cried? Unsure
35. School? Okay

Thirty five questions seems like an odd number, I almost want to make up another 15 to turn it into a nice round 50 questions. Any suggestions? Or shall I make up my own?

EDIT: Here are my responses to the extra questions:

36. Boss/Teacher? Incommunicado
37. God? Humanism
38. First Job? PC World
39. Kids? Probably
40. Favourite Music/Album? Parklife (or OK Computer or In Utero or many other albums)

A little while ago I criticised the "Associate Editor (Dublin)" of The Register for a few of his recent articles, I even emailed Joe Fay (Editor) to complain about the poor quality journalism, and when a few people raised issues when it was also posted on SecurityFocus I even provided a few answers. I thought it was just me that thought his articles have become a joke and anti-Microsoft rant, but I stumbled across another article on The Register that made me cringe. Then I noticed it was Greene's latest article. And then I reached the comments. It seems I'm not the only one that thinks his articles are crap, and that he doesn't deserve to be published. Enjoy.

On March 30th, spammers began a campaign with a link to a Russian website with the promise of revealing pictures of Britney Spears (despite the fact that most people can find them using Google). The site contained a script that pointed at Microsoft Windows' animated cursor vulnerability that could officially be patched as of yesterday. At this stage the emails don't contain graphics (a typical tactics used by stock spam to evade anti-spam software), but cycled their subject lines in an attempt to avoid detection, as shown in a blog entry by Sophos:

2007/03/30 14:21:10 birtney psears nakde
2007/03/30 14:26:58 birtney speasr nkaed
2007/03/30 14:34:04 britnye speras anked
2007/03/30 14:39:20 briteny psears nkaed
2007/03/30 14:40:15 britnye speasr nkaed
2007/03/30 14:40:23 rbitney spaers nakde
2007/03/30 14:40:24 rbitney speras anked
2007/03/30 14:42:48 rbitney speasr nkaed
2007/03/30 14:42:58 britnye speras nkaed
2007/03/30 14:44:16 birtney speasr nkaed

Since the initial campaign, the attack has evolved, and now use subject lines such as "Hot pictures of Britiney Speers" as well as an embedded image of the scantily clad pop star (that links to a malicious website which attempts to use the animated cursor exploit). I must admit, the tactic sounds rather crude, and I can't see myself falling for it, but others might. Just in case, you can view the Sophos blog entry and see a screenshot of one of the spam emails, complete with the scantily clad embedded image. Enjoy!

I'm sorry for sounding like a Microsoft "fanboy" today, but I came across this link on Sandi Hardmeier's blog, a ZDNet blog entry about Firefox:

Determina is previewing a version of the ANI exploit that will hijack Mozilla Firefox 2 as well as Internet Explorer 7 running on Vista.
[snip]
What's interesting about this is the fact that Firefox doesn't have the benefit of Protected Mode under Vista, which can somewhat mitigate the damage that can be done if Internet Explorer 7 is exploited by this vulnerability. While UAC will prevent the exploit from infecting the system with a persistent backdoor or rootkit [NB: this isn't entirely true, according to details on the Metasploit blog, although it's currently only theoretical], nothing prevents damage to the user's data unless Protected Mode is implemented. If someone using Firefox gets exploited with this or any other vulnerability, that malicious code gets the same permissions as the user, which means it can read and write to all of that user's data. That means the exploit can steal personal data, delete personal data, or encrypt it for ransom. Internet Explorer, on the other hand, running in Protected Mode would "only" permit the malware to have read-only access to the user's files. While that's still very bad, it's not nearly as bad as full read and write permissions. With Protected Mode, the malware still gets to steal and copy all of your personal data, but it can't alter it, delete it, or encrypt it for ransom.
[snip]
Firefox alone in recent months has had more exploits than Windows XP and Vista combined and is in serious need of mitigation measures (not to mention better code auditing). For example, here's a batch of 11 critical vulnerabilities and here's a batch of nine critical vulnerabilities, and some of those exploits were zero-day with proof-of-concept code. If Mozilla ever wants Firefox to be taken seriously, it's going to need to do better auditing of its code and implement security measures that are available in the operating system. The Web browser is simply too large an exploit vector to ignore, and the sooner Mozilla implements Protected Mode the better.

In the past, Firefox has had a good reputation because it's not tied into the OS like Internet Explorer, but without adopting some form of "Protected Mode" to broker access to the OS, it's clear that IE7 is currently using a better model - although it may still be just as prone to vulnerabilities, and it still has a few things that probably shouldn't be there (it's nice to see MSXML4 support being ditched fairly shortly). I thought it was very interesting that Mozilla security chief Window Snyder recently said in a News.com article:

"The researcher has all the power. They control when they disclose it, and they control the idea whether or not the vendor responds in time... I would appreciate 30 days, but I will take what I can get."

I thought it was interesting that she believes that researchers have all the power. You'd think that the developers that write the code in the first place have all the power, and that if they did their jobs properly there wouldn't be any vulnerabilities for researchers to discover. And that's assuming that a malicious person hasn't already been abusing it first.

This caught my eye, although I was sad to discover that they were talking about a character called "Nickels" and not Nicholls. Also from acceptable.tv is Operation Kitten Calendar, which is a spoof of The Apprentice (with kittens!).

With all the fuss over a few Windows exploits using the ANI vulnerability, people may not have heard about another problem with telnetd. Sure, people shouldn't use telnetd, just like people shouldn't use ftp anymore, as it's all sent in clear text, but people still do. It seems that the MIT krb5 telnet daemon (telnetd) up to and including krb5-1.6 allows unauthorized login as an arbitrary user, when presented with a specially crafted username. Exploitation of this vulnerability is trivial. A user can gain unauthorized access to any account (apparently including root) on a host running telnetd. Whether the attacker needs to authenticate depends on the configuration of telnetd on that host. A malformed username beginning with "-e" can be interpreted as a command-line flag by the login.krb5 program, which is executed by telnetd. This causes login.krb5 to execute part of the BSD rlogin protocol, where an arbitrary username may be injected, allowing login as that user without a password or any further authentication. If the telnet daemon is configured to only permit authenticated login, then only authenticated users can exploit this vulnerability. This is a somewhat similar problem to the telnetd bug seen on Solaris 10 and 11, where the use of a flag results in telnetd passing information to the login process and ultimately allowing attackers to log on as arbitrary users. It's not just Microsoft that screw up. People may criticize Microsoft, but when was the last time you saw such a trivial way into a system*? Also, see this comment to see why it took Microsoft so long to patch the ANI vulnerability.

* from memory, it's probably MS06-009 for those of you running XP or 2003 with Korean language support and Remote Desktop enabled, but it did require a fair bit of clicking to get there

Long Live SilentBob. Or at least I hope that's the case tomorrow morning when I bring in a spare hard disk (IDE), graphics card (ripped from my P4 server that's currently idle) and RAM (also from the P4) and - importantly - an XP SP2 CD I can boot off. I'm not entirely sure what's at fault with my quiet little server in the office. I doubt it's the RAM as it's running at stock and has worked perfectly (and the BSOD on bootup occurs no matter which stick is installed), I doubt it's the graphics card as it appears to be working with the monitor right up until it briefly displays the Windows logo and then a flashing BSOD (Safe Mode gets as far as mup.sys and then it reboots, Google suggests it's a hardware fault too, or perhaps a corrupt registry), I've even ripped out the second network card I was using (as the onboard Gigabit LAN doesn't particularly like working with the 10MB hub), so my money is on the 200GB SATA hard disk, which has been used constantly for nearly 3 years. I think there's a couple months left of the warranty. It's still a pain. I suspect I can grab the data off the SATA disk. It might even be some random corruption that I can fix and then switch the disks back over. The server desn't do much, so it shouldn't take too long to install Windows, all the updates, and some applications (and hopefully copy some tools and scripts off the SATA drive). It also gives me a good excuse to permanently switch the graphics card and use the 7600GS in the P4 machine, leaving the 2MB ATI card, as I never have the server hooked up to a monitor (unless, like today, it doesn't come back up after a restart). That trusty 2MB card has been very useful over the years. I believe it's my first ever graphics card, taken from a Gateway 2000 P5-75.

I was having an interesting chat with Joe yesterday, and we stumbled upon the crazy idea of a nuclear powered car. It seems we weren't the first to consider it, Ford even created a prototype design called the Nucleon back in 1958, but never actually built it. Probably because scientists believe (or did a few years ago) that it'd be impossible to shield the radiation, so you'd end up killing "the driver, the passengers, and perhaps bystanders". You certainly wouldn't want to crash into anything. A nuclear powered lunar rover is a bit more practical, and something China hopes to achieve. Although the notion of strapping nuclear material to a rocket and hoping it doesn't explode on its way to space sounds a bit risky, it isn't a new idea. The first nuclear powered satellite, Transit 4A, was launched in 1961 and until the Columbia disaster in 2003, NASA had been pushing hard to expand the use of nuclear power in space.

Today I came across another interesting/crazy idea that was suggested back in 1981: a cross-channel bridge to France. A submission for a £3bn three-lane motorway link was made to transport officials in April 1981, files released by the National Archives show. Dismissing the option of tunnelling under the Channel as "impractical", the LinktoEurope proposal suggested a bridge spanning 21 miles from Dover or perhaps Folkestone. The bridge, 220ft above Channel waters, would bring in a revenue of up to £220m a year, the group estimated. Engineers conceded the huge pylons on which the bridge would rest could make navigation of the Channel difficult for ships. However, they said the structure would be sturdy enough so that traffic above would be unaffected if a vessel ploughed into the struts. Obviously the "impractical" tunnel became reality when the Channel Tunnel was opened in 1994 after eight years of development.

Does Windows Update tell you to install them? When you install them, do they fail? If so, you've encountered what I've seen with a copy of Winows XP running under VMWare (being a VM that I can revert to a snapshot, I wasn't too concerned about installing the update). It turns out, there's a fix. It's not that straightforward though, and involves a few reboots.

Uninstall KB927978 from Add/Remove Programs.
It will be listed as "MSXML 4.0 SP2 (KB927978)"
Reboot

Now uninstall KB925672 from Add/Remove Programs.
It will be listed under "Windows XP - Software Updates" at the bottom
(The "Show updates" box at the top next to "Currently installed programs and updates" must be checked to see the installed Windows Updates)
Reboot

After rebooting, download MSXML 4.0 SP2 KB927978
Save it, do NOT run it.
Close the browser and ANY other open window
If you've done any printing, suggest rebooting prior to installation.

Install msxml4-KB927978-enu.exe now
Reboot

If you're still having trouble, check out the original blog entry.

SFX released their Top 10 Sci-Fi movies the other day, but only two of them were standalone movies. You could argue that's because they're not good enough to spawn a sequel, but I'd like to think that the movies are self contained and therefore don't and can't spawn a successful sequel (or prequel). The Matrix is probably a fine example of a fantastic standalone movie that was stretched into a rather dissapointing trilogy.

I haven't put much thought into it yet, but I have several movies in mind. So, what's your Top 10 Standalone Sci-Fi Movies?

Some quick and dirty suggestions:

2001: A Space Odyssey
28 Days Later
Being John Malkovich
Blade Runner
Children of Men
Donnie Darko
E.T.
Eternal Sunshine Of The Spotless Mind
eXistenZ
Fight Club
Gattaca
Independence Day
Minority Report
Serenity
The Fifth Element
The Truman Show
The War of the Worlds
Tron
Twelve Monkeys

A friend raised an interesting point regarding Simple File Sharing on Windows. Personally, I keep my Guest account disabled and rely upon having the same local username and password (or mapping a different username and password) on two machines that are not part of a domain (things are obviously a lot simpler when both machines are on the same domain), as I don't like the idea of anyone connecting to my shares.

According to this article "By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2)" and this article also states that "When a Windows 2000 system is upgraded to Windows XP Professional, resources with permission entries for the Everyone group (and not explicitly to the Anonymous Logon group) will no longer be available to Anonymous users after the upgrade. In most cases, this is an appropriate restriction on anonymous access. you may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous logon group, you should explicitly add the Anonymous Logon security group and its permissions. However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows XP Professional computers, you can change the Network access: Let Everyone permissions apply to anonymous users security setting." (some of you may have already noticed that the first link specifically mentions the change in behaviour as of SP2, while the second link suggests it applies to all versions of XP).

And according to this MSDN article, Authenticated Users are "Any user recognized by the local machine or by a domain. Note that users logged in using the Builtin Guest account are not authenticated. However, members of the Guests group with individual accounts on the machine or the domain are authenticated." and an Anonymous Logged-on User is "Any user logged on without an identity, such as an anonymous network session. Note that users logging in using the Builtin Guest account are neither authenticated nor anonymous. This SID is only available on Windows XP and later."

So if the Guest account is "neither authenticated nor anonymous", why does enabling the group policy setting "Network access: Let Everyone permissions apply to anonymous users" apparently allow a Guest account to access a folder that is shared with default permissions of Everyone: Read only ?

To help confuse things, according to the XP Professional Product Documentation (that I also linked to above), "The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests." This implies that the Everyone group does not contain anonymous users or Guests, yet the MSDN article clearly says that "members of the Guests group with individual accounts on the machine or the domain are authenticated" (perhaps by "Guests" they meant "Guest"?).

My assumption is that enabling the group policy setting must also let Everyone permissions apply to the Guest account (as other members of Guests are apparently considered to be authenticated). I still think it's odd that the Guest account is not considered to be an Anonymous user (I shall have to see if adding Anonymous users will allow access with the Guest account), but at the same time apparently isn't included as Everyone. I wish Microsoft's documentation was clearer.

I'm surprised and very glad to discover that Serenity has beaten Star Wars to the title of best sci-fi movie in an SFX magazine poll of 3,000 fans. The futuristic release from 2005 was based on the short-lived TV series Firefly (yes, I have both the TV and movie on DVD). Both were the work of Buffy the Vampire Slayer creator (the amazing) Joss Whedon. SFX editor Dave Bradley said it was a "massive surprise" to see Serenity beating Star Wars.

1. Serenity
2. Star Wars
3. Blade Runner
4. Planet of the Apes
5. The Matrix
6. Alien
7. Forbidden Planet
8. 2001: A Space Odyssey
9. The Terminator
10. Back to the Future

Source: SFX magazine

According to BBC News, Apple's iTunes store will start selling the EMI tracks in the "premium" format in May. EMI said every song in its catalogue will be available in the "premium" format. It said the tracks without locks will cost more and be of higher quality than those it offers now. The higher price will apply only to single tracks that customers download. On iTunes EMI tracks free of digital rights management (DRM) software will cost $1.29 (99p).

I'm pretty sure the exchange rate hasn't changed suddenly in the last few days, so I presume the price in brackets is the price we'll pay in the UK. Nearly twice as much. I suppose the good news is that at 99p for a DRM free track it makes it cheaper than the 320kbps MP3s I've been purchasing from www.djdownloads.com (I've lost track of how much I've spent there this year, it must be over £50 by now). I'm not entirely sure what "higher quality" means, or what format the music will be in (presumably AAC, but will it still use the proprietary .m4p container file? The advantages of AAC are not entirely conclusive, and the MP3 specification, while outdated, has proven surprisingly robust. AAC and HE-AAC are better than MP3 at low bit-rates; but at medium to higher bit-rates, the two formats are more comparable in most fields, and MP3 obviously has better support. I wonder if the DRM free AAC files will play okay on Microsoft's Zune? Apparently the K800 will support AAC, which may be a good excuse to finally upgrade from my wonderful K750i. Or do I hold out for the new K810 that's recently been announced and looks quite nice? Or do I go for the W810, which has a much better colour scheme than the old W800, and can be used purely as a music player. It's a shame all the new phones use M2 external memory, as I won't be able to use my current 2GB memory stick with them.

Microsoft's ongoing monitoring of the situation has identified an increase in the number of attacks against this vulnerability, and because of public disclosure of proof-of-concept code, they have been working around the clock to test a security update that they are currently planning to release on Tuesday April 3 (a week before the usual monthly release).

The issue was first brought to Microsoft's attention in late December 2006, and was previously scheduled for release as part of April's monthly release on the 10th, but I'm a bit surprised that it's taken them this long to come up with the patch. The WMF vulnerability just over a year ago was identified over the New Year, yet they were able to come out with an "out of band" patch very quickly. This recent vulnerability is probably just as technically difficult to fix. I presume that, despite being a critical vulnerability, Microsoft handled it as a low priority problem because they hadn't seen any attacks. With their people now working around the clock, you have to wonder if they made the wrong business decision, especially when it's put so many users in jeopardy.

Except perhaps me, as I use Protected Mode on Vista, and enable DEP. I don't get why so many people find UAC annoying, or feel the need to disable it.

No, nor was I. Google pretended to offer broadband via the sewer system, which wasn't particularly funny, and IIRC one of the councils in the south of England have actually run cables through the sewers as a backup connection. I did come across a better one where Maria Sharapova's website had a Cross Site Scripting (XSS) error that allowed you to see that she was now Cisco Certified, and to make it more plausible there was a XSS attack on a Cisco search engine that allowed you to read a similar article on Cisco's site. Vaguely funny, but the problem with XSS attacks like that is that the URLs tend to be long and contain obvious signs of JavaScript. It's much better when they get to post content onto the site for all to see when accessing "normal" URLs. I did that last week during a training session, getting the instructor to see a "Hello World" JavaScript alert popup while he was trying - and ultimately failing, because the server was escaping the pipe symbol - to demonstrate another form of attack. The best idea for an April Fool's was one I read on Scott Adams' blog that was performed on him several years ago and apparently took him years to work out how they did it. They'd called one of his telephone numbers and also called another number of his, so that when he answered the phone all he heard was his own answering machine asking him to leave a message. It obviously works best if you withhold your number.