Data Central
Diana Clarion, UNIX Goddess

When I started in this business, I sat in front of an ASR-33 that sounded like a jackhammer. 38 years later, I sit in front of a 1440x900, 32k-color monitor which spends most of its time in 80x25, white-on-black text mode. It's quieter, at least...

Here is where I play the computer geekette, and more than occasionally, the pompous assette. Just note, when you type a URL into your browser's address bar, which way the slashes point...

Table of Proselytizing
My Root Windows A Case for Open Source
The Fizzbuzz Effect The Latest From LiveJournal

A Case for Open Source

There was once a time when the notion that malicious third parties would hijack the technology upon which people have come to rely was seriously entertained by only a few Orwellian conspiracy theorists.

Unfortunately, recent actions perpetrated by Sony Music have demonstrated that that time has passed.

Sony calls it "Digital Rights Management". It is, in fact, a Trojan Horse (for those unfamiliar with the definition of the term, a Trojan Horse is something dangerous hidden within something desirable). In the name of copy-protection, Sony sold audio CDs that harbored software that modified system-level components of Microsoft Windows. Moreover, it was suggested that the Trojan contacts Sony and transmits an ID of the CD:

The EULA also makes no reference to any "phone home" behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony's site and sends the site an ID associated with the CD.

This was later confirmed by the person who originally brought the existence of the Trojan Horse to light.

This "phoning home" behavior is actually nothing new. Creative Labs' Poser 4 was said to have employed it to determine whether multiple copies were running with the same registration code; and Microsoft Windows XP uses it for the same stated reason, as well as using it to send back the device list on an XP system (supposedly, if the installed devices have changed, the system is a "pirated" copy running on another machine). This, alone, should have sounded the alarm bells. Surely, it did. It's just that nobody was listening.

I'm quite sure that few are listening, now. After all, you just turn off "autorun", the Trojan CDs don't install their malicious payload, and everything is fine, right?

Ah, such shallow thinking. That might work for audio CDs, because CDs manufactured to the Red Book standard don't need special software for playback. But what about that brand-spanking-new image editor, or that digital camera software? That runs because you install it to your system, and the installer can drop anything it wants onto your hard drive while it's installing what you thought you were installing.

Well, that's not such a bad thing, is it? After all, the company selling the software has to protect it from its customers pirates, and the reporting might be useful for other things, too. Right?

Let's imagine the following scenario, shall we?

We all know that child pornographers are evil and dangerous people who should be buried in holes in the ground, never to see the light of day. So, to "protect our children", let's do the following:

  1. Scan thousands of images of nude or mostly nude people, and convert these scans to bitmaps, such as might be used by image viewers.
  2. Run a statistical analysis of the values on the bitmaps' pixels, to determine the range of values most frequently seen.
  3. Assuming that the most frequently seen color values in pornographic photos are fleshtones, draw the conclusion that an image bitmap that is high in these values is pornographic.
  4. Hide an analysis routine in programs shipped with digital cameras, conveniently "forgetting" to tell users of these cameras and their software that you are doing this.
  5. When the camera software spots an image high in the color values of interest, it phones the local authorities, who come and haul the evil purveyor of child porn away.

Hurray, hurray, right?

Guess again. This hypothetical person was photographing desert scenes.

[Two images, captioned "Desert" and "Skin"]
Note how the colors are nothing at all similar.
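
The scenario above, carried through on a handful of pixels, as an added example that is not part of the original essay. It swaps in the fixed RGB skin-color thresholds of Kovac, Peer and Solina for the statistical analysis of steps 2 and 3; the pixel values, the 50% cutoff and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned char r, g, b; } Pixel;
#define N 8            /* pixels per constructed sample */
#define REPORT_AT 50   /* assumed cutoff: percent of "fleshtone" pixels */

/* Step 3 stand-in: fixed RGB thresholds instead of a learned histogram. */
static int is_fleshtone(Pixel p)
{
    int max = p.r > p.g ? p.r : p.g, min = p.r < p.g ? p.r : p.g;
    if (p.b > max) max = p.b;
    if (p.b < min) min = p.b;
    return p.r > 95 && p.g > 40 && p.b > 20 && max - min > 15 &&
           abs(p.r - p.g) > 15 && p.r > p.g && p.r > p.b;
}

/* Share of pixels the rule calls fleshtone, as a whole percentage. */
static int flesh_pct(const Pixel *img, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)is_fleshtone(img[i]);
    return n ? (int)(hits * 100 / n) : 0;
}

/* Step 5: the hidden routine "phones" once the share crosses the cutoff. */
static int reported(const Pixel *img, size_t n)
{
    return flesh_pct(img, n) >= REPORT_AT;
}

/* Constructed samples: eight representative pixels per photograph. */
static const Pixel desert[N] = {    /* six sand tones, two sky */
    {237,201,175}, {225,169,95}, {210,180,140}, {194,178,128},
    {204,153,102}, {193,154,107}, {135,206,235}, {100,149,237} };
static const Pixel portrait[N] = {  /* five skin tones, hair, wall, shirt */
    {255,219,172}, {241,194,125}, {224,172,105}, {198,134,66},
    {141,85,36}, {30,20,15}, {250,250,250}, {40,60,150} };
static const Pixel forest[N] = {    /* foliage, bark, sky */
    {34,139,34}, {0,100,0}, {85,107,47}, {139,69,19},
    {135,206,235}, {107,142,35}, {60,80,40}, {20,40,20} };

int main(void)
{
    printf("desert   %d%% report=%d\n", flesh_pct(desert, N), reported(desert, N));
    printf("portrait %d%% report=%d\n", flesh_pct(portrait, N), reported(portrait, N));
    printf("forest   %d%% report=%d\n", flesh_pct(forest, N), reported(forest, N));
    return 0;
}
```

The desert sample scores 75% against 62% for the portrait, so any cutoff low enough to catch the portrait also reports the desert.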

*-o-O--O-o-*

"All right, then," you say. "You've gone on about the evils of copy protection, but your article is titled A Case for Open Source. What's the connection?"

You miss the point entirely, Gentle Reader, but the connection is this: In order to be secure in our computer systems, we need to know what is on those systems, and proprietary software does not afford us that "luxury". There may once have been a time when we could trust software authors to deliver what they advertised, and no more, but that time is gone. Open source software is the best protection we have against malicious software.

How does this work? Because the source code of a program must be freely available if that program is to be distributed as "open source", that program is always subject to review. You may not have the time to review it yourself, you may not have the skill to review it yourself, but someone does. As long as the reviewer is trustworthy, his report that the software in question is safe is a mark of security, and his report that the software contains harmful elements is cause for alarm. Moreover, you can build the binary yourself, and thus rest assured that it is clean, because it came from clean source code.

"But," you say, "I don't want to learn Linux."

Who said anything about Linux? Some choices of open source operating systems are:

  • FreeBSD
  • OpenBSD
  • NetBSD
  • OpenSolaris
  • and, of course, our friend, Linux

"But," you say, "Microsoft Windows does what I want."

Yes, it does. That, and how much more?

"But," you say, "you're just a conspiracy theorist."

Send me a postcard from whatever large, rectangular state you end up in, would you?

DAC - 15 November 2005



The Fizzbuzz Effect

A friend of mine recently cited an article in Coding Horror, to wit: Why Can't Programmers... Program?. The article opens with the quotation

...the author is having trouble with the fact that 199 out of 200 applicants for every programming job can't write code at all. I repeat: they can't write any code whatsoever.

That, by itself, is an amazing statement.

The article goes on to describe a "FizzBuzz" test: Basically, you give an applicant for a programming position a simple problem, and see if he/she/it can code a solution in a rational period. For example:

Write a program that prints the numbers from 1 to 100. But for multiples of three print "Fizz" instead of the number and for the multiples of five print "Buzz". For numbers which are multiples of both three and five print "FizzBuzz".

Continuing with an observation:

Most good programmers should be able to write out on paper a program which does this in under a couple of minutes. Want to know something scary? The majority of comp sci graduates can't. I've also seen self-proclaimed senior programmers take more than 10-15 minutes to write a solution.

Astounding.

For the heck of it, let's write a C program to solve the above problem. Take thirty seconds to think. All right, now I know what I want to do:

We're dealing with the numbers from 1 to 100, so we want a loop.


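int main(void)
{
    int index = 0;    /* local, so it cannot clash with the C library's index() */

    do
    {
        index++;
    } while (index < 100);    /* the body runs for 1 through 100 */

    return 0;
}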

Now, we have four possibilities for output: print the number, print "Fizz", print "Buzz", or print "FizzBuzz".

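#include <stdio.h>

int main(void)
{
    int index = 0;

    do
    {
        index++;

        /* multiple of both three and five (test still to be added) */
        printf("FizzBuzz\n");
        continue;

        /* multiple of three only (test still to be added) */
        printf("Fizz\n");
        continue;

        /* multiple of five only (test still to be added) */
        printf("Buzz\n");
        continue;

        /* multiple of neither */
        printf("%i\n", index);
    } while (index < 100);

    return 0;
}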

Yes, there's a reason I ordered the formatted print statements the way I did. There are two conditions to be tested; there's something to do if both are met, there's something to do if one is met, there's something to do if the other is met, and there's something to do if neither is met. Let's start with both:

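#include <stdio.h>

int main(void)
{
    int index = 0, test1, test2;

    do
    {
        index++;

        /* integer division truncates, so the product equals index
           only when index is an exact multiple of 15 */
        test1 = index / 15;
        test2 = test1 * 15;
        if (test2 == index)
        {
            printf("FizzBuzz\n");
            continue;
        }

        /* multiple of three only (test still to be added) */
        printf("Fizz\n");
        continue;

        /* multiple of five only (test still to be added) */
        printf("Buzz\n");
        continue;

        /* multiple of neither */
        printf("%i\n", index);
    } while (index < 100);

    return 0;
}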

Sneaky, huh? If a number is divisible by both three and five, it is divisible by fifteen. I used two variables for testing to eliminate any ambiguity in casting. Now, tests for divisibility by either three or five can be handled in the same way:

#include <stdio.h>

int main(void)
{
    int index = 0, test1, test2;

    do
    {
        index++;

        /* multiple of both three and five */
        test1 = index / 15;
        test2 = test1 * 15;
        if (test2 == index)
        {
            printf("FizzBuzz\n");
            continue;
        }

        /* multiple of three */
        test1 = index / 3;
        test2 = test1 * 3;
        if (test2 == index)
        {
            printf("Fizz\n");
            continue;
        }

        /* multiple of five */
        test1 = index / 5;
        test2 = test1 * 5;
        if (test2 == index)
        {
            printf("Buzz\n");
            continue;
        }

        /* multiple of neither */
        printf("%i\n", index);
    } while (index < 100);

    return 0;
}

Note that I don't need to explicitly test for "divisible by neither five nor three". By arranging the tests the way I did, and continuing once a condition was met, if you get that far, the condition is met by elimination.

So, there it is. The completed program:

#include <stdio.h>

int main(void)
{
    int index = 0, test1, test2;

    do
    {
        index++;

        /* multiple of both three and five */
        test1 = index / 15;
        test2 = test1 * 15;
        if (test2 == index)
        {
            printf("FizzBuzz\n");
            continue;
        }

        /* multiple of three */
        test1 = index / 3;
        test2 = test1 * 3;
        if (test2 == index)
        {
            printf("Fizz\n");
            continue;
        }

        /* multiple of five */
        test1 = index / 5;
        test2 = test1 * 5;
        if (test2 == index)
        {
            printf("Buzz\n");
            continue;
        }

        /* multiple of neither */
        printf("%i\n", index);
    } while (index < 100);

    return 0;
}

I will never cease to be amazed that the high-enders have trouble with something like this; it sprang fully-formed, like Athena, from my head. Dan Kegel says

Speaking on behalf of software engineers who have to interview prospective new hires, I can safely say that we're tired of talking to candidates who can't program their way out of a paper bag. If you can successfully write a loop that goes from 1 to 10 in every language on your resume, can do simple arithmetic without a calculator, and can use recursion to solve a real problem, you're already ahead of the pack!

The trouble, Dan, is this: If those capable types exist at all (which I seriously doubt), you're not going to see them; the Human Resources morons who get first shot at those resumés have already weeded them out. At a time when I still clung to the hope that I could find a job "out there", I was shown an "ideal resumé" for a senior programmer. It emphasized facility with Photoshop® and Microsoft Word®! Needless to say, that was the day hope died.

Like everything else, programming is spinning on its way down the crapper. One need only look to Windows Vista® to see what I mean. If anyone knows of a Galt's Gulch, could you please get a message to me?

DAC - 31 May 2007



The Latest From LiveJournal

I take it that at least some of you will have seen the latest "features" implemented by LiveJournal: content filtering and user-based flagging for "objectionable content". Believe it or not, Miss Individual Rights over here doesn't have much of a problem with content filtering, as long as the user gets to define what is filtered and when it is filtered. LiveJournal may even be using such a provider-based model, in that the provider flags his own articles and/or journal for "adult concepts" and "explicit adult content". The problem I have is with user-based flagging for "objectionable content".

The way I understand it, some number of user flags will get you sent to LJ Abuse. The thing is that I'm having a really hard time finding out what happens once an account is sent up for review. Is this because nobody is talking about policy, or is this because there is no policy?

There just might be a way to find the answers to these questions, but in order to find out, I'm going to need a little help. Here's the deal:

  1. Get a library card, if you don't have one already.
  2. At your local library, set up a couple of LJ accounts.
  3. Wait a month. While you're waiting, you might want to make the occasional post to your new accounts, to help make them look like they're actual journal accounts.
  4. After the month is over, and your "offensive content" flags count for something, go to the library, and from your new accounts, go looking for content that is truly offensive. Examples might include (but are surely not limited to) "attachment parenting", "christian", "Democrat", "Republican", "intelligent design", and "breastfeeding".
  5. Flag the articles and journals as "offensive", remembering that you get only five flags per day.
  6. Repeat (4) and (5) for some suitable period.

It's unlikely that Six Apart/LiveJournal will suspend any of the accounts you flag, but that's not the point. The point is in showing 6A/LJ what they've let themselves in for. There surely are people with more time than sense who will actually try something like this in an attempt to silence people who publish such "offensive content" as life, liberty, and responsibility. (So how did I think of this, you ask? Shut the hell up and remember that I subscribe to the philosophy of "Know your enemy".) The little trick I propose may possibly make 6A/LJ think twice about their policy when they get inundated with all manner of "objectionable content" flags.

How strange it may seem that the ability to flag content as "offensive" is, itself, offensive. The point, though, is that it enables (and perhaps promotes) morons to eschew responsibility, taking the few rational people there are down the tubes with them. Perhaps it is now time (or long past time) for a "Campaign For Reason" to give some time to the alternative view.

DAC - 1 December 2007


