Phone Security == Computer Security

The explosion of smartphone ownership over the last decade has put powerful multi-function computers into the pockets of almost half of us. But despite the fact that the average smartphone contains at least as much personally-identifiable information as its owner keeps on their home computer (or in dead-tree form) at their house – and is significantly more-prone to opportunistic theft – many users put significantly less effort into protecting their mobile’s data than they do the data they keep at home.

Nokia E7, showing lock screen.
Too late, little Nokia E7: I’ve got physical access to you now.

I have friends who religiously protect their laptops and pendrives with TrueCrypt, axCrypt, or similar, but still carry around an unencrypted mobile phone. What we’re talking about here is a device that contains all of the contact details for you and everybody you know, as well as potentially copies of all of your emails and text messages, call histories, magic cookies for social networks and other services, saved passwords, your browsing history (some people would say that’s the most-incriminating thing on their phone!), authentication apps, photos, videos… more than enough information for an attacker to pursue a highly-targeted identity theft or phishing attack.

Pattern lock configuration on an Android mobile phone.
Android pattern lock: no encryption, significantly less-random than an equivalent-length PIN, and easily broken by a determined attacker.

“Pattern lock” is popular because it’s fast and convenient. It might be good enough to stop your kids from using your phone without your permission (unless they’re smart enough to do some reverse smudge engineering: looking for the smear-marks made by your fingers as you unlock the device; and let’s face it, they probably are), but it doesn’t stand up to much more than that. Furthermore, gesture unlock solutions dramatically reduce the number of permutations, because you can’t repeat a digit: so much so, that you can easily perform a rainbow table attack on the SHA1 hash to reverse-engineer somebody’s gesture. Even if Android applied a per-device pseudorandom salt to the gesture pattern (they don’t, so you can download a prefab table), it doesn’t take long to generate an SHA1 lookup of just 895,824 codes (maybe Android should have listened to Coda Hale’s advice and used BCrypt, or else something better still).
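To put numbers on how small the gesture keyspace is, here is an added example (not part of the original post) that counts the patterns a 3×3 grid allows and compares them with a PIN. It assumes dots numbered 0 to 8 row by row, a 4-dot minimum, and the lock screen's rule that a stroke cannot jump over an unvisited dot; the guess rates in `summary()` are illustrative assumptions, not measurements.

```python
from math import log2, perm

MIN_DOTS, MAX_DOTS = 4, 9  # a pattern uses between 4 and all 9 dots


def midpoint(a, b):
    """Return the dot lying exactly between dots a and b, or None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(min_dots=MIN_DOTS, max_dots=MAX_DOTS):
    """Count drawable patterns per length, honouring the no-jump rule."""
    counts = {n: 0 for n in range(min_dots, max_dots + 1)}

    def walk(last, visited, length):
        if length >= min_dots:
            counts[length] += 1
        if length == max_dots:
            return
        for nxt in range(9):
            if (visited >> nxt) & 1:
                continue  # each dot can be used only once
            mid = midpoint(last, nxt)
            # A stroke may pass over a dot only if that dot is already used.
            if mid is not None and not (visited >> mid) & 1:
                continue
            walk(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        walk(start, 1 << start, 1)
    return counts


def unrestricted_sequences(min_dots=MIN_DOTS, max_dots=MAX_DOTS):
    """Upper bound: ordered picks of distinct dots, ignoring the no-jump rule."""
    return sum(perm(9, n) for n in range(min_dots, max_dots + 1))


def exhaust_seconds(keyspace, guesses_per_second):
    """Time to hash every candidate once at a given guess rate."""
    return keyspace / guesses_per_second


def summary():
    per_length = count_patterns()
    total = sum(per_length.values())
    return {
        "per_length": per_length,
        "drawable_patterns": total,
        "unrestricted_sequences": unrestricted_sequences(),
        "entropy_bits": round(log2(total), 2),
        "pin6_bits": round(log2(10 ** 6), 2),
        # Assumed rates. A per-device salt only forces this work to be redone
        # per device; with a fast hash that is still well under a second.
        "fast_hash_seconds": exhaust_seconds(total, 1_000_000),
        # A deliberately slow KDF (assumed 10 guesses/s) raises the cost,
        # but a keyspace this small is still exhausted in hours.
        "slow_kdf_hours": exhaust_seconds(total, 10) / 3600,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The whole pattern space carries less entropy than a six-digit PIN, so neither a salt nor a slow hash rescues it; only a longer secret does.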

iPhone showing the PIN lock screen.
An encrypted iPhone can be configured to resist brute-force attacks by wiping the phone after repeated failures, which replaces one security fault (brute-force weakness) with another (a denial of service attack that’s so easy that your friends can do it by accident).

These attacks, though (and the iPhone isn’t bulletproof, either), are all rather academic, because they are trumped by the universal rule that once an attacker has physical access to your device, it is compromised. This is fundamentally the way in which mobile security should be considered to be equivalent to computer security. All of the characteristics distinct to mobile devices (portability, ubiquity, processing power, etc.) are weaknesses, and that’s why smartphones deserve at least as much protection as desktop computers protecting the same data. Mobile-specific features like “remote wipe” are worth having, but can’t be relied upon alone – a wily attacker could easily keep your phone in a lead box or otherwise disable its connectivity features until it’s cracked.

A finger swipes-to-unlock a Samsung mobile phone.
The bottom line: if the attacker gets hold of your phone, you’re only as safe as your encryption.

The only answer is to encrypt your device (with a good password). Having to tap in a PIN or password may be less-convenient than just “swipe to unlock”, but it gives you a system that will resist even the most-thorough efforts to break it, given physical access (last year’s iPhone 4 vulnerability notwithstanding).

It’s still not perfect – especially here in the UK, where the RIPA can be used (and has been used) to force key surrender. What we really need is meaningful, usable “whole system” mobile encryption with plausible deniability. But so long as you’re only afraid of identity thieves and phishing scammers, and not being forced to give up your password by law or under duress, then it’s “good enough”.

Of course, it’s only any use if it’s enabled before your phone gets stolen! Like backups, security is one of those things that everybody should make a habit of thinking about. Go encrypt your smartphone; it’s remarkably easy –

The Snip, Part 2

This is the second part of a three-part blog post about my vasectomy. Did you read the first part, yet?

My vasectomy was scheduled for Tuesday afternoon, so I left work early in order to cycle up to the hospital: my plan was to cycle up there, and then have Ruth ride my bike back while JTA drove me home. For a moment, though, I panicked the clinic receptionist when she saw me arrive carrying a cycle helmet and pannier bag: she assumed that I must be intending to cycle home after the operation!

The Elliot-Smith Clinic. Picture copyright Google Street View.
The Elliot-Smith Clinic lives in an old prefab building buried at the back end of the hospital campus. If you think it looks scary in this picture, imagine what it’s like when it’s dark and you’re going there to be stabbed in the genitals.

It took me long enough to find the building, cycling around the hospital in the dark, and a little longer still to reassure myself that this underlit old building could actually be a place where surgery took place.

My tweet: "Arrived at vasectomy clinic. It's the most well-hidden, badly-lit, shady-looking building I've ever seen on a hospital campus."
My tweet upon arriving at the clinic.

Despite my GP’s suggestion to the contrary, the staff didn’t feel the need to take me through their counselling process, despite me ticking some (how many depends primarily upon how you perceive our unusual relationship structure) of the “we would prefer to counsel additionally” boxes on their list of criteria. I’d requested that Ruth arrive at about the beginning of the process specifically so that she could “back me up” if needed (apparently, surgeons will sometimes like to speak to the partner of a man requesting a vasectomy), but nobody even asked. I just had to sign another couple of consent forms to confirm that I really did understand what I was doing, and then I was ready to go!

I’d shaved my balls a few days earlier, at the request of the clinic (and also at Matt’s suggestion, who pointed out that “if I don’t, they’ll do it for me, and I doubt they’ll be as gentle!” – although it must be pointed out that as they were already planning to take a blade to my junk, I might not have so much to worry about), which had turned out to be a challenge in itself. I’ve since looked online and found lots of great diagrams showing you which parts you need to shave, but the picture I’d been given might as well have been a road map of Florence, because no matter which way up I turned it, it didn’t look anything like my genitals. In the end, I just shaved all over the damn place, just to be sure. Still not an easy feat, though, because the wrinkled skin makes for challenging shaving: the best technique I found was to “stretch” my scrotum out with one hand while I shaved it with the other – a tricky (and scary) maneuver.

Where to shave before your vasectomy: front and side of the scrotum.
If I’d had a diagram like this, rather than an Italian street map, I might have stood a better chance of just shaving what I needed to shave.

After sitting in the waiting room for a while, I was ushered through some forms and a couple more questions of “are you sure?”, and then herded into a curtained cubicle to change into a surgical gown (over the top of which I wore my usual dressing gown). The floor was cold, and I’d forgotten to bring my slippers, so I kept my socks on throughout. I sat in a separate waiting area from the first, and attempted to make small talk with the other gents waiting there. Some had just come out of surgery, and some were still waiting to go in, and the former would gently tease the latter with jokes about the operation. It’s a man thing, I guess: I can’t imagine that women would be so likely to engage in such behaviour (ignoring, for a moment, the nature of the operation).

There are several different approaches to vasectomy, and my surgeon was kind enough to tolerate my persistent questions as I asked about the specifics of each part of the operation. He’d said – after I asked – that one of the things he liked about doing vasectomies was that (unlike most of the other surgeries he performs) his patients are awake and he can have a conversation while he worked, although I guess he hadn’t anticipated that there’d ever be anybody quite so interested as I was.

Warning: The remainder of this blog post describes a surgical procedure, which some people might find squicky. For the protection of those who are of a weak stomach, some photos have been hidden behind hyperlinks: click at your own risk. (though honestly, I don’t think they’re that bad)

With my scrotum pulled up through a hole in a paper sheet, the surgeon began by checking that “everything was where it was supposed to be”: he checked that he could find each vas (if you’ve not done this: borrow the genitals of the nearest man or use your own, squeeze moderately tightly between two fingers the skin above a testicle, and move around a bit until you find a hard tube: that’s almost certainly a vas). Apparently surgeons are supposed to take care to ensure that they’ve found two distinct tubes, so they don’t for example sever the same one twice.

Next, he gave the whole thing a generous soaking in iodine. This turned out to be fucking freezing. The room was cold enough already, so I asked him to close the window while my genitals quietly shivered above the sheet.

Next up came the injection. The local anesthetic used for this kind of operation is pretty much identical to the kind you get at the dentist: the only difference is that if your dentist injected you here, that’d be considered a miss. While pinching the left vas between his fingertips, the surgeon squirted a stack of lidocaine into the cavity around it. And fuck me, that hurt like being kicked in the balls. Seriously: that stung quite a bit for a few minutes, until the anesthesia kicked in and instead the whole area felt “tingly”, in that way that your lips do after dental surgery.

Pinching the vas (still beneath the skin at this point) in a specially-shaped clamp, the surgeon made a puncture wound “around” it with a sharp-nosed pair of forceps, and pulled the vas clean through the hole. This was a strange sensation – I couldn’t feel any pain, but I was aware of the movement – a “tugging” against my insides.

A quick snip removed a couple of centimetres from the middle of it (I gather that removing a section, rather than just cutting, helps to reduce the – already slim – risk that the two loose ends will grow back together again) and cauterised the ends. The cauterisation was a curious experience, because while I wasn’t aware of any sensation of heat, I could hear a sizzling sound and smell my own flesh burning. It turns out that my flaming testicles smell a little like bacon. Or, if you’d like to look at it another way (and I can almost guarantee that you don’t): bacon smells a little bit like my testicles, being singed.

Next up came Righty’s turn, but he wasn’t playing ball (pun intended). The same steps got as far as clamping and puncturing before I suddenly felt a sharp pain, getting rapidly worse. “Ow… ow… owowowowowow!” I said, possibly with a little more swearing, as the surgeon blasted another few mils of anesthetic into my bollocks. And then a little more. And damnit: it turns out that no matter how much you’ve had injected into you already, injecting anesthetics into your tackle always feels like a kick in the nuts for a few minutes. Grr.

  • The removed sections of my vas, on a tray (actually mine)
    You can see the “kink” in each, where it was pulled out by the clamp. Also visible is the clamp itself – a cruel-looking piece of equipment, I’m sure you’ll agree! – and the discarded caps from some of the syringes that were used.

The benefit of this approach, the “no-scalpel vasectomy”, is that the puncture wounds are sufficiently small as to not need stitches. At the end of the surgery, the surgeon just stuck a plaster onto the hole and called it done. I felt a bit light-headed and wobbly-legged, so I sat on the operating table for a few minutes to compose myself before returning to the nurses’ desk for my debrief. I only spent about 20 minutes, in total, with the surgeon: I’ve spent longer (and suffered more!) at the dentist.

"Happy Vasectomy" card from Liz and Simon.
Later, I would receive this “Happy Vasectomy” card from Liz and Simon. Thanks, guys!

By the evening, the anesthetic had worn off and I was in quite a bit of pain, again: perhaps worse than that “kick in the balls” moment when the anesthetic was first injected, but without the relief that the anesthetic brought! I took some paracetamol and – later – some codeine, and slept with a folded-over pillow wedged between my knees, after I discovered how easy it was to accidentally squish my sore sack whenever I shifted my position.

The day after was somewhat better. I was walking like John Wayne, but this didn’t matter because – as the nurse had suggested – I spent most of the day lying down “with my feet as high as my bottom”. She’d taken the time to explain that she can’t put a bandage nor a sling on my genitals (and that I probably wouldn’t want her to, if she could), so the correct alternative is to wear tight-fitting underwear (in place of a bandage) and keep my legs elevated (as a sling). Having seen pictures of people with painful-looking bruises and swelling as a result of not following this advice, I did so as best as I could.

Today’s the day after that: I’m still in a little pain – mostly in Righty, again, which shall henceforth be called “the troublesome testicle” – but it’s not so bad except when I forget and do something like bend over or squat or, I discovered, let my balls “hang” under their own weight, at all. But altogether, it’s been not-too-bad at all.

Or, as I put on my feedback form at the clinic: “A+++. Recommended. Would vasectomy again.”

(thanks due to Ruth, JTA, Matt, Liz, Simon, Michelle, and my mum for support, suggestions, and/or fetching things to my bed for me while I’ve been waddling around looking like John Wayne, these past two days)

Oxford Under Water

Parts of Oxford have been flooded for the last few days, and apparently the worst is yet to come. I worked from home yesterday, intimidated by the available choices of traversing flooded roads or else taking the hilly 3+ mile diversion around the problem areas, but today: I decided that it was time to man up and cycle in to the office.

Kennington Road underwater.
Here’s where I forded Kennington Road. Yes, I just used the word “forded” to describe crossing the road.

Conveniently, we’ve somewhere along the way acquired a large pair of Wellington boots (we think they might have been Paul’s, but as he’s now left Oxford without them, they’ve been sitting in our charity-shop-box). So I booted up and set out. I was yawning all the way:

Police direct traffic away from a waterlogged Abingdon Road.

I had to weave my way back and forth around the cyclepaths nearest my house, and – on a couple of occasions – get off the bike and wade it through: I’d considered riding through some of the larger puddles – my mean pedal-ground clearance is about as high as the top of my boots, anyway – until I met a soaked cyclist coming the other way: he’d become disbalanced going over a submarine kerbstone and fallen into the freezing water. Seeing that quickly made me choose the safer strategy!

Flood defences erected near Hinksey Lake.
Near Hinksey Lake, serious flood defences have been hastily erected and pumping operations are underway to clear gardens and footpaths.

Alongside the lake was one of the most flood-damaged areas, but heavy barriers had been erected and pumping engines were working at returning the water to the “right” side of them. The lake bridge was completely closed off: it looked like it might be traversable, but if the water gets any higher, it won’t be.

In Hinksey Park, the playing fields and cycle path are completely underwater.

I took the cycle route through Hinksey Park in order to avoid the flooded parts of Abingdon Road, which runs parallel, but I’m not sure that it was much better. In the photo above, you’d be forgiven for thinking that you’re looking at the lake… but in actual fact, the lake is behind me: that’s the playing fields. You can just about make out the line down the middle of the cycle path, through the murky water.

Flooded garden and driveway.
Between Hinksey Lake and the Thames there are flooded driveways and gardens. The sign on the gate reads “No parking. Keep entrance clear at all times.”, in case anybody was thinking of parking in this waist-deep water.

Pressing on, I came to the Thames Path, which my route typically follows for a short distance to the footbridge into the city centre. And that’s when I realised quite how high the river really is.

To the right of the bush – the river. To the left – the footpath. You’d be forgiven if you can’t tell the difference.

By the time I found myself on a footpath with a current, I realised that my route might need a little bit of a rethink. With the bridge I was aiming for just ahead, though, I was able to double-back and cut through an alleyway (between some seriously at-risk houses), duck under a couple of “footpath closed” barriers, and splash out to the bridgehead.

From the bridge, it’s clear how much the waters have risen. The path on the left continues to get deeper and deeper underwater: when I’m working in a different office or running training, that’s the route I take to work!

By the time I was on the higher, better-reinforced East bank for the river, things began to improve, and within a few minutes I was right in the city centre. There, you wouldn’t know that, only a short distance away, a significant number of streets were underwater. To sit in the dry, on Broad Street, in the middle of Oxford, it seems strange to think that on the edge of town, people are being evacuated from their homes.

Further reading:

  • Flood warning for Kennington, from the Environment Agency (looks like we’re just on the right side of the road not to be included in the “flood warning area”).
  • “Live” upstream and downstream water level measurements at nearby Iffley Lock (there’s a beautiful moment in the graphs for yesterday morning when they clearly started using the lock itself to “dump” water downstream, occasionally bringing the level to within the typical range).
  • Video of evacuations from Botley
  • Jack FM’s Traffic Reports have an up-to-date list of roads closed as a result of flooding

11 years, 11 days.

The escape is imminent. I am leaving Aberystwyth (with Jim soon to join me) for Gloucestershire. I am greatly looking forward to several things:

  • Access to proper shopping
  • More live music
  • More comedy
  • Multiscreen cinemas!
  • Having disposable income
  • Being nearer to some of my closest friends

There are, of course, things that I’ll miss: The…

Claire and I broke up in 2009, and I left Aberystwyth shortly afterwards. It took her a little while to complete her PhD and be ready to leave, herself, when she made this blog post.

The Snip, Part 1

I’d like to start with a joke:

Is there a difference between men and women?

Yes! There’s a vas deferens.

What’s no joke, though, is the human population explosion. There’re just too damn many of us, as I explained last year. That’s the primary reason behind my decision, held for pretty-much the entirety of my adult life, to choose not to breed.

World population for the last 12,000 years.

I’m fully aware that the conscious decision to not-breed by a single individual – especially in the developed world – makes virtually no difference to the global fate of humanity. I’m under no illusion that my efforts as a vegetarian are saving the world either. But just like the voter who casts a ballot for their party – even though they know it won’t make a difference to the outcome of the election – I understand that doing the right thing doesn’t necessarily have to have a directly quantifiable benefit.

Somehow, this delicious-looking BLT makes an appearance almost any time I talk about overpopulation or vegetarianism. This is the fifth time.

That’s why I’m finally taking the next obvious step. Next month, after literally years of talking about it, I’m finally going to put my genitals where my mouth is (hmm… maybe that wasn’t the best choice of words)! Next week, I’m getting a vasectomy.

The “F” is for “Fuck me you’re going to put a scalpel WHERE?”

I first asked a doctor about the possibility of vasectomy about a decade ago. He remarked upon my age, and said – almost jokingly – “Come back in ten years if you still feel the same way!” I almost wish that I still had the same GP now, so that I could do exactly that. Instead, I spoke about a year ago to my (old) GP here in Oxford, who misled me into thinking that I would not be able to get the surgery on the NHS, and would have to have it done privately. Finally, a second doctor agreed to sign off their part of the consent form, and I was good to go. The secret, it seems, is persistence.

I suppose I’ll be eligible for a Golden Snip Award. Click through for more information.

I’m sure that this is a decision that won’t be without its controversies. And believe me: over the course of the most-of-my-life-so-far that I’ve hinted at or talked about doing this, I’m pretty sure I’ve heard all of the arguments. Still: I feel like I ought to pick up on some of the things I’ve heard most-often –

“Breeder Bingo” card. Complete a line, get a free case of contraceptives!

What if you change your mind?

Even despite medical advances in recent decades in vasectomy reversal, vasectomy should still be considered a “one way trip”. Especially when I was younger, people seemed concerned that I would someday change my mind, and then regret my decision not to spawn children.

I suppose that it’s conceivable – unlike my otherwise potential offspring – but it’s quite a stretch, to believe that I might someday regret not having children (at least not biologically: I have no problem with adopting, co-parenting, fostering, or any number of other options for being involved in the upbringing of kids). I honestly can’t see how that’d come about. But even if we do take that far-fetched idea: isn’t it equally possible that somebody might ultimately regret having children? We take risks in our lives with any choice that we make – maybe I’ll someday regret not having taken my degree in Law or Chemistry or Rural Studies. Well then: c’est la vie.

Do you just not like children?

Children are great, and I’d love to get the chance to be involved in raising some. However, I don’t define myself by that wish: if I never have the opportunity to look after any kids, ever, then that wouldn’t be the worst thing in the world: I’d just spend my years writing code in a house full of cats. I have no doubt that raising children is great (for many people), but just like there are plenty of people for whom it’s not great, there are also plenty of people – like me – who could be happy either way. No biggie!

There are those who have said that this laid-back “take it or leave it” approach, especially when coupled with the more-recent act of rendering myself infertile, will make me less attractive to women. Leaving aside the implicit sexism in that claim, wouldn’t a fair retort be to point out that a woman who is looking for monogamous breeding probably isn’t my “type” to begin with!

But if only we could make sure only the RIGHT people breed…

But you should be breeding?

This argument’s usually based on the idea that I’m somehow genetically superior and that my children wouldn’t be such a strain on the world as somebody else’s, or that mine would have a significantly better-than-average chance of curing cancer, solving world hunger, or something.

The explosion of planet Earth.
Only sterilisation can prevent the detonation of the planet. Maybe.

And let’s face it, any child of mine would be just as likely to be the one to build a really big bomb. Or create a super-virus. Or just engineer the collapse of the world’s economies into a prehistoric barter economy in a technophobic future anarchy. Attaboy.

In any case, I’m pretty sure that my personal contribution to the betterment of the world ought not to be a genetic one. I’d like to make a difference for the people who are around right now, rather than hypothetical people of the future, and I’d far rather leave ideas in my wake than a handful of genes. I’m sure that’s not the case for everybody, but then – it doesn’t have to be.

How about a vasectomy? (comic)
It takes balls to have a vasectomy. Literally.

Or are there some arguments that I’ve missed? If you’re among the folks who feel really strongly about this, then you’ve got about seven days to make them, and then it’s off to the clinic for me! Just remember: what’s right for me isn’t necessarily what’s right for you, and vice-versa. Just because I use Emacs doesn’t mean that some other, inferior text editor might not be the right choice for you.

I wonder what my surgeon might say to the possibility of me live-tweeting the process? Would anybody be interested? (I promise not to include any photos.)

(with thanks to Nina Paley for permission to use the comics)

Days Like Weeks

You know how when your life is busy time seems to creep by so slowly… you look back and say “do you remember the time… oh, that was just last week!” Well that’s what my life’s been like, of late.

Enjoying a beer at the launch of Milestone: Jethrik, the latest release of Three Rings.

There was Milestone: Jethrik and the Three Rings Conference, of course, which ate up a lot of my time but then paid off wonderfully – the conference was a wonderful success, and our announcements about formalising our non-profit nature and our plans for the future were well-received by the delegates. A slightly lower-than-anticipated turnout (not least because of this winter ‘flu that’s going around) didn’t prevent the delegates (who’d come from far and wide: Samaritans branches, Nightlines, and even a representative from a Community Library that uses the software) from saying wonderful things about the event. We’re hoping for some great feedback to the satisfaction surveys we’ve just sent out, too.

The Three Rings Birthday Cake. It boggles my mind how they’ve managed to make the icing look so much like plastic, on the phone part.

Hot on the heels of those volunteering activities came my latest taped assessment for my counselling course at Aylesbury College. Given the brief that I was “a volunteer counsellor at a school, when the parent of a bullied child comes in, in tears”, I took part in an observed, recorded role-play scenario, which now I’m tasked with dissecting and writing an essay about. Which isn’t so bad, except that the whole thing went really well, so I can’t take my usual approach of picking holes in it and saying what I learned from it. Instead I’ll have to have a go at talking about what I did right and trying to apply elements of counselling theory to justify the way I worked. That’ll be fun, too, but it does of course mean that the busy lifestyle isn’t quite over yet.

My sister Sarah, with TAS managing director Adrian Grant, at the UK Bus Awards.
My sister Sarah, with TAS managing director Adrian Grant, prepare to announce the winner of the Peter Huntley Memorial Award for Making Buses A Better Choice.

And then on Tuesday I was a guest at the UK Bus Awards, an annual event which my dad co-pioneered back in the mid-1990s. I’d been invited along by Transaid, the charity that my dad was supporting with his planned expedition to the North Pole before he was killed during an accident while training. I was there first and foremost to receive (posthumously, on his behalf) the first Peter Huntley Fundraising Award, which will be given each year to the person who – through a physical activity – raises the most money for Transaid. The award was first announced at my father’s funeral, by Gary Forster, the charity’s chief executive. Before he worked for the charity he volunteered with them for some time, including a significant amount of work in sub-Saharan Africa, so he and I spent a little while at the event discussing the quirks of the local cuisine, which I’d experienced some years earlier during my sponsored cycle around the country (with my dad).

So it’s all been “go, go, go,” again, and I apologise to those whose emails and texts I’ve neglected. Or maybe I haven’t neglected them so much as I think: after all – if you emailed me last week, right now that feels like months ago.

Conference Preparations

Right now, Three Rings seems to be eating up virtually all of my time. It’s hardly the first time – I complained about being incredibly busy with Three Rings stuff just a couple of years ago, but somehow right now it’s busier than ever. There’s been the Milestone: Jethrik release, some complications with our uptime when our DNS servers were hit by a DDoS attack, and – the big one – planning for this weekend’s conference.

Checking the timetable while I wait for inspiration to strike me about what to say about the “engagement” responsibilities of a Three Rings Administrator.

The Three Rings 10th Birthday Conference is this weekend, and I’ve somehow volunteered myself to not only run the opening plenary but to run two presentations (one on the history of Three Rings, which I suppose I’m the best person to talk about, and one on being an awesome Three Rings Administrator) and a problem-solving workshop. My mind’s been on overdrive for weeks, and I’m pretty sure I’m not even the one working the hardest (that honour would have to go to poor JTA).

Still: all this work will pay off, I’m sure, and Saturday will be an event to remember. I’m looking forward to it… although right now I’d equally happily spend a week or two curled up in bed under a blanket with a nice book and a mug of herbal tea, thanks.

In other news: Matt P’s hanging out on Earth at the moment, (on his best behaviour I think) while Ruth, JTA and I decide if we’d like to live with him for a while. So far, I think he’s making a convincing argument. He’s proven himself to be house trained (he hasn’t pooped on the carpet even once) and everything.

Craziest Internet Explorer Bug Ever?

As web developers, we’re used to working around the bugs in Microsoft Internet Explorer. The older versions are worst, and I’m certainly glad to not have to write code that works in Internet Explorer 6 (or, increasingly, Internet Explorer 7) any more: even Microsoft are glad to see Internet Explorer 6 dying out, but even IE8 is pretty ropey too. And despite what Microsoft claim, I’m afraid IE9 isn’t really a “modern” browser either (although it is a huge step forwards over its predecessors).

But imagine my surprise when this week I found what I suspect might be a previously undiscovered bug in Internet Explorer 8 and below. Surely they’ve all been found (and some of them even fixed) by now? But no. It takes a very specific set of circumstances for the bug to manifest itself, but it’s not completely unbelievable – I ran into it by accident while refactoring parts of Three Rings.

A completely useless Internet Explorer error message. Thanks, IE.

Here’s the crux of it: if you’re –

  • Using Internet Explorer 8 or lower, and
  • You’re on a HTTPS (secure) website, and
  • You’re downloading one of a specific set of file types: Bitmap files (Content-Type: image/bmp), for example, are a problem, but JPEG files aren’t, and
  • The web server indicates that the file you’re downloading should be treated as something to be “saved”, rather than something to be viewed in your browser (Content-Disposition: attachment), and
  • The web server passes a particular header to ask that Internet Explorer does not cache a copy of the file (Cache-Control: no-cache),

Then you’ll see a dialog box like the one shown above. Switching any of the prerequisites in that list out makes the problem go away: even switching the header from a strict “no-cache” to a more-permissive “private” makes all the difference.
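The five conditions above can be checked on the server before a download is sent. The following is an added example, not the PHP experiment linked from this post: the function names and the sample User-Agent strings are constructed for illustration, and the set of affected types contains only the one type named here.

```python
import re

# Only image/bmp is named as affected in this post; the full set of affected
# types is not given, so extend this from your own testing (assumption).
AFFECTED_TYPES = {"image/bmp"}

# Constructed sample User-Agent strings in the format IE8 and IE9 send.
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"


def ie_major_version(user_agent):
    """Return the MSIE major version from a User-Agent string, or None."""
    match = re.search(r"\bMSIE (\d+)\.", user_agent or "")
    return int(match.group(1)) if match else None


def cache_directives(value):
    """Split a Cache-Control value into a set of lower-cased directive names."""
    return {part.split("=", 1)[0].strip().lower()
            for part in (value or "").split(",") if part.strip()}


def triggers_ie8_download_bug(scheme, user_agent, headers):
    """True only when every condition in the list holds at the same time."""
    h = {k.lower(): v for k, v in headers.items()}
    version = ie_major_version(user_agent)
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";", 1)[0].strip().lower()
    return (version is not None and version <= 8
            and scheme.lower() == "https"
            and media_type in AFFECTED_TYPES
            and disposition == "attachment"
            and "no-cache" in cache_directives(h.get("cache-control")))


def headers_for_client(scheme, user_agent, headers):
    """Relax no-cache to private, but only for requests that would hit the bug.

    "private" lets the user's own browser keep a copy of the file, so every
    other client keeps the stricter header it was originally given.
    """
    if not triggers_ie8_download_bug(scheme, user_agent, headers):
        return dict(headers)
    fixed = {k: v for k, v in headers.items() if k.lower() != "cache-control"}
    fixed["Cache-Control"] = "private"
    return fixed


# Constructed response headers matching the failing case described above.
SAMPLE_HEADERS = {
    "Content-Type": "image/bmp",
    "Content-Disposition": 'attachment; filename="test.bmp"',
    "Cache-Control": "no-cache",
}
```

Scoping the relaxed header to the affected clients keeps the cached-copy exposure limited to the browsers that cannot download the file otherwise.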

I’ve set up a test environment where you can see this for yourself: HTTP version; HTTPS version. The source code of my experiment (PHP) is also available. Of course, if you try it in a functional, normal web browser, it’ll all work fine. But if you’ve got access to a copy of Internet Explorer 8 on some old Windows XP box somewhere (IE8 is the last version of the browser made available for XP), then try it in that and see for yourself what a strange error you get.

On This Day In 1999

Looking Back

On this day in 1999 I sent out the twenty-eighth of my Cool Thing Of The Day To Do In Aberystwyth emails. I wasn’t blogging at the time (although I did have a blog previously), but these messages-back-home served a similar purpose, if only for a select audience. You can read more about them in my last On This Day to discuss them or the one before.

For technical reasons, this particular Cool Things Of The Day appears to have been sent on 27th October, but in actual fact I know that the events it describes took place on 5th November 1999. The obvious clue? The fireworks! I knew that Cool Thing Of The Day as shown here on my blog was out-of-sync with reality, but this particular entry gives a great indication of exactly how much it’s out by. And no, I can’t be bothered to correct it.

Back in 1999 I started as a student at the University of Wales, Aberystwyth (now Aberystwyth University), moved away from home, and had a fantastic time. One bonfire night, I called up two new friends of mine – Rory and Sandra – and persuaded them that we should wander over to nearby Trefechan and climb the hill (Pen Dinas) there to watch the fireworks. It was a wild and windy night, and certainly not the conditions to climb an unknown and occasionally-treacherous hill, but we weren’t dissuaded: we set out!

You know those films or sitcoms where the protagonist (usually through their own stupidity) ends up on a date with two people at the same time, trying to keep each unaware of the other? That’s what I felt like at the time: because (though neither of them knew this at the time) I had an incredible crush on both of them. Of course: back then I was far shyer and far less-good at expressing myself, so this remained the case for a little while longer. Still: my inexperienced younger self still managed to make it feel to me like a precarious situation that I could easily balls-up. Perhaps I should have better thought-out the folks I invited out that night…

A storm blew in furiously, and the fireworks launched from the town scattered around, buffeted and shaken and only occasionally still flying upwards when they exploded. The rain lashed down and soaked us through our coats. We later found ourselves huddled around a radiator in The Fountain (under its old, old ownership), where the barman and the regulars couldn’t believe that we’d been up Pen Dinas in the

Looking Forward

A little later, I got to have a ludicrously brief fling with one of the pair, but I was fickle and confused and ballsed it up pretty quickly. Instead, I fell into a relationship with my old friend-with-benefits Reb, which in the long run turned out to be a very bad chapter of my life.

Trefechan – exotically across the river from the rest of Aberystwyth – didn’t seem so far away after a few more years in Aberystwyth… only a stone’s throw from Rummers! But for three new students, just a couple of months into their new home, lost and drunk and fumbling their way using an outdated map and seeing by firework-light, it was an exciting adventure. In 2004, SmartData (my employer at that time) moved into their new premises, right over the road from The Fountain and in the shadow of Pen Dinas. The Technium turned out to be a pretty good place for SmartData, and it suited me, too. Some days in the summer, when it was warm and sunny, I’d leave work and take a walk up Pen Dinas. It wasn’t the same without the fireworks, the company, or the mystery of being somewhere for the very first time, but it’s still a great walk.

Sometimes I’d go up there in the rain, too.

This blog post is part of the On This Day series, in which Dan periodically looks back on years gone by.

A Broken Oath

As part of the ongoing challenges that came about as part of the problems with my dad’s Will, I was required the other week to find myself a local solicitor so that they could witness me affirm a statement (or swear an oath, for those of you who are that-way inclined). Sounds easy, right?

A close-up of my dad's Will, showing where it was clearly re-stapled.
One of the more-significant issues with my dad’s Will was that it was re-stapled sometime after it was signed. This was probably legitimate, but it quickly makes it look like it’s a forgery.

Well: it turns out that the solicitor I chose did it wrong. How is it even possible to incorrectly witness an affirmation? I wouldn’t have thought it so. But apparently they did. So now I have to hunt down the same solicitor and try again. It has to be the same one “because they did it partially right”, or else I have to start the current part of the process all over again. But moreover, I’ll be visiting the same solicitor because I want my damn money back!

I’ll spare you the nitty-gritty. Suffice to say that this is a surprising annoyance in an already all-too-drawn-out process. It’s enough to make you swear. Curse words, I mean: not an oath.

Rave Reviews for Your Password Sucks

Last month, I volunteered myself to run a breakout session at the 2012 UAS Conference, an annual gathering of up to a thousand Oxford University staff. I’d run a 2-minute micropresentation at the July 2011 OxLibTeachMeet called “Your Password Sucks!”, and I thought I’d probably be able to expand that into a larger 25-minute breakout session.

Your password: How bad guys will steal your identity
My expanded presentation was called “Your password: How bad guys will steal your identity”, because I wasn’t sure that I’d get away with the title “Your Password Sucks” at a larger, more-formal event.

The essence of my presentation boiled down to demonstrating four points. The first was you are a target – dispelling the myth that the everyday person can consider themselves safe from the actions of malicious hackers. I described the growth of targeted phishing attacks, and relayed the sad story of Mat Honan’s victimisation by hackers.

The second point was that your password is weak: I described the characteristics of good passwords (e.g. sufficiently long, complex, random, and unique) and pointed out that even among folks who’d gotten a handle on most of these factors, uniqueness was still the one that tripped people over. A quarter of people use only a single password for most or all of their accounts, and over 50% use 5 or fewer passwords across dozens of accounts.

You are a target. Your password is weak. Attacks are on the rise. You can protect yourself.
The four points I wanted to make through my presentation. Starting by scaring everybody ensured that I had their attention right through ’til I told them what they could do about it, at the end.

Next up: attacks are on the rise. By a combination of statistics, anecdotes, audience participation and a theoretical demonstration of how a hacker might exploit shared-password vulnerabilities to gradually take over somebody’s identity (and then use it as a platform to attack others), I aimed to show that this is not just a hypothetical scenario. These attacks really happen, and people lose their money, reputation, or job over them.

Finally, the happy ending to the story: you can protect yourself. Having focussed on just one aspect of password security (uniqueness), and filling a 25-minute slot with it, I wanted to give people some real practical suggestions for the issue of password uniqueness. These came in the form of free suggestions that they could implement today. I suggested “cloud” options (like LastPass or 1Password), hashing options (like SuperGenPass), and “offline” technical options (like KeePass or a spreadsheet bundled into a TrueCrypt volume).

I even suggested a non-technical option involving a “master” password that is accompanied by one of several unique prefixes. The prefixes live on a Post-It Note in your wallet. Want a backup? Take a picture of them with your mobile: they’re worthless without the master password, which lives in your head. It’s not as good as a hash-based solution, because a crafty hacker who breaks into several systems might be able to determine your master password, but it’s “good enough” for most people and a huge improvement on using just 5 passwords everywhere! Another great “offline” mechanism is Steve Gibson’s Off The Grid system.
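The difference between the prefix scheme and a hash-based one shows up when two sites' passwords are compared side by side. This is an added example, not taken from the presentation: the derivation uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in and is not SuperGenPass's own algorithm, and the master password, prefixes and site names are constructed sample values.

```python
import base64
import hashlib
import os.path

# Constructed sample values, for illustration only.
MASTER = "correct-horse-battery"
PREFIXES = {"shop.example": "Qx7!", "forum.example": "mB2#"}


def prefix_password(site, master=MASTER):
    """The Post-It scheme: written-down per-site prefix + memorised master."""
    return PREFIXES[site] + master


def derived_password(site, master=MASTER, length=16, iterations=200_000):
    """Hash-based scheme: stretch the master with the site name as the salt.

    The site only ever sees the output, never the master itself.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), site.lower().encode(), iterations
    )
    return base64.urlsafe_b64encode(raw).decode()[:length]


def shared_suffix(a, b):
    """Longest common ending of two passwords, i.e. what they visibly share."""
    return os.path.commonprefix([a[::-1], b[::-1]])[::-1]


def compare_schemes(site_a="shop.example", site_b="forum.example"):
    """What two passwords have in common under each scheme."""
    return {
        "prefix": shared_suffix(prefix_password(site_a), prefix_password(site_b)),
        "derived": shared_suffix(derived_password(site_a), derived_password(site_b)),
    }


if __name__ == "__main__":
    for scheme, overlap in compare_schemes().items():
        print(f"{scheme:8} shared ending: {overlap!r}")
```

Under the prefix scheme the shared ending is the whole master password; under the derived scheme the two outputs have nothing meaningful in common, though both schemes still depend on the master being strong.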

"Delivery" ratings for the UAS Conference "breakout" sessions
My presentation – marked on the above chart – left people “Very Satisfied” significantly more than any other of the 50 breakout sessions.

And it got fantastic reviews! That pleased me a lot. The room was packed, and eventually more chairs had to be brought in for the 70+ folks who decided that my session was “the place to be”. The resulting feedback forms made me happy, too: on both Delivery and Content, I got more “Very Satisfied” responses than any other of the 50 breakout sessions, as well as specific comments. My favourite was:

Best session I have attended in all UAS conferences. Dan Q gave a 5 star performance.

So yeah; hopefully they’ll have me back next year.

A Three-Sentence Review Of Looper

Looper is a time travel movie of the “self-healing timeline” mechanic (a-la Back To The Future, although Looper “fixes” itself faster and changes to the time stream can be observed and remembered by everybody affected by them). As a result of this, and a few other issues, it suffers from a handful of plotholes and internal inconsistencies: however, it’s still an enormously fun film that I’d recommend that you see.

Looper. The second-best film of its category. For a given definition of “category”.

Looper is the second-best of all three movies that feature Bruce Willis travelling back in time and encountering a younger version of himself – and now it’s going to bug you until you work out what the other two are.

Lucy’s Birthday

The other Three Ringers and I are working hard to wrap up Milestone: Jethrik, the latest version of the software. I was optimising some of the older volunteer availability-management code when, by coincidence, I noticed this new bug:

Lucy 173's birthday is in 13/1 days.
Well, at least she’s being rational about it.

I suppose it’s true: Lucy (who’s an imaginary piece of test data) will celebrate her birthday in 13/1 days. Or 13.0 days, if you prefer. But most humans seem to be happier with their periods of time not expressed as top-heavy fractions, for some reason, so I suppose we’d better fix that one.

They’re busy days for Three Rings, right now, as we’re also making arrangements for our 10th Birthday Conference, next month. Between my Three Rings work, a busy stretch at my day job, voluntary work at Oxford Friend, yet-more-executor-stuff, and three different courses, I don’t have much time for anything else!

But I’m still alive, and I’m sure I’ll have more to say about all of the things I’ve been getting up to sometime. Maybe at half term. Or Christmas!

Update: Squee! We’ve got folders!

Three Films I’d Watch (if anybody made them)

Here are three ideas I’ve had for movies recently. If only the movie studios would stop making pap like Dredd 3D (or as I call it, Judge Dreddful) and take on some of my ideas, perhaps I’d find myself at the cinema more often.

So here are my three pitches:

Knights of the Living Dead

A twist on the Arthurian legends. With zombies.

King Arthur’s trusted White Knight (Lancelot) is on a “routine” quest to oust Brandin, a corrupt ruler of a nearby township, who is accused of evil sorcery. Lancelot rallies the townspeople but Brandin escapes to his lair in a cursed cemetery. Lancelot slays Brandin, but – in an effort to decode a riddle Brandin made about the source of his power – lifts an enormous metal plate over a mysterious tomb, exposing the world to a dangerous plague that turns those affected into monstrous zombies.

Knights of the Living Dead

Under instruction from the Church, Arthur and his knights set out to find the Holy Grail, which has the power to defeat the curse, questing through zombie-infected lands. There’s lots of hacking and slashing and eating of brains, Lancelot shags Guinevere, Arthur dies a heroic death to let the others escape (hinting at the time that he knows about the affair and wants them to be happy together), and ultimately the knights use the Grail to save the world from the zombie plague.

My Daughter’s Hand

A tale of love, homophobia, and the meaning of family, inspired by a true story.

In the news this week, a Hong Kong businessman has offered the equivalent of £40M to the man who can woo and marry his daughter. The problem? She’s a lesbian, and is already married (although same-sex unions are not recognised in Hong Kong) to her girlfriend of many years.

My first thought when I heard this news story was that she should find a man who’s willing to “marry” her, and split the money between the two of them. Hell: for £20M, I’d fly to Hong Kong and marry her for a fortnight. Where’s my plane ticket?

Hong Kong corporation heiress Gigi Chao (right) with her wife Sean Eav.

But then I thought of an even better variant on the story. In my version, a (disowned, unless she recants and marries a man) lesbian daughter has her partner dress as a man and pretend to be a suitor. There are slight overtones of the story of Hua Mulan, a legendary Chinese heroine who pretended to be a man in order to take her aged father’s place in the army, during a conscription drive.

In any case, the partner, disguised as a man, succeeds in impressing the father, and the father eventually comes to admire this young “man” and gives his blessing to marry his daughter. But as the wedding approaches, their secret is exposed when they’re caught having sex. However: after much soul-searching the father sees that he liked his daughter’s partner as a person when he believed that she was a man, and so he agrees to accept her into his family as a woman, too.

It’s a story about combating homophobia with deception, I guess.

The Bone Wars

Back when Richard Owen and Gideon Mantell were rocking up the early British palæontology scene, in the late 19th Century, their USA contemporaries Edward Cope and Othniel Marsh were embroiled in a bitter rivalry of dinosaur proportions.

Marsh and Cope.

These gentlemen were in such a rush to get the fame of collecting the most dinosaur bones, that they resorted to ludicrous (and somewhat shocking) measures: using dynamite to blow away hillsides (probably destroying many fossils as they went), spying on one another (to such an extent that they would sometimes operate through fake companies to try to evade each other’s spies), and bribing people to keep quiet about the locations of big finds.

Their rushed efforts led to some ludicrous mistakes. Cope – a neo-Lamarckist – famously assembled his Elasmosaurus skeleton backwards, with the head on the “tail” end, among other mistakes (Wikipedia even has a tag to label naive Victorian-era drawings of dinosaurs, I recently discovered).

I have a vision for a film in the style of A Dangerous Method, which I enjoyed earlier this year, telling the dramatised story of these men and their rivalry. There’s already been a comic book and even a board game about them: isn’t it time for a movie, too?

What do you think? Would you watch these movies?

The Leap Machine (Puzzle)

Here’s a puzzle for you –

Like the TARDIS, your time machine has a fault. The fault isn’t a failure of its chameleon circuit, but a quirk in its ability to jump to particular dates. Picture courtesy aussiegall (Flickr), licensed Creative Commons.

You own a time machine with an unusual property: it can only travel to 29th February. It can jump to any 29th February, anywhere at all, in any year (even back before we invented the Gregorian Calendar, and far into the future after we’ve stopped using it), but it can only finish its journey on a 29th of February, in a Gregorian leap year (for this reason, it can only jump to years which are leap years).

One day, you decide to take it for a spin. So you get into your time machine and press the “random” button. Moments later, you have arrived: it is now 29th February in a random year!

Without knowing what year it is: what is the probability that it is a Monday? (hint: the answer is not 1/7 – half of your challenge is to work out why!).