In mid-August SFWA’s (the Science Fiction and Fantasy Writers of America) epiracy committee chair, Andrew Burt, sent a notice to Scribd listing documents that SFWA alleged were being hosted in violation of copyright terms. Unfortunately the list of was poorly researched and little more than a list of documents that contained the words “Asimov” or “Silverberg”. After a couple of email exchanges, Scribd removed the documents.

The result was a number of legally published works were replaced with a page displaying “The document … has been removed from Scribd. This content has been removed at the request of copyright agent Science Fiction and Fantasy Writers of America.” One of the authors affected was Cory Doctorow, who wrote an article on Boing Boing denouncing SFWA’s abuse of the DMCA. SFWA has acknowledged for the error, and contacted the affected authors to apologize. As others weighed in, the issue seemed to spiral into a freedom vs. author’s rights battle, with neither Scribd or SFWA looking good.

While reading about this, I was reminded of the issues some publishers and authors had with Google’s plans to build a full-text index of books, their main concern being that it was not a fair use of copyrighted material.

Put these two stories together, and I think there is an opportunity for Google to provide a valuable service that authors would support. By adding copyright information in a standard format to the book index, anyone would be able to check the copyright status of text indexed by Google. Add an API that returned results in a machine readable format, and sites such as Scribd could easily verify if text is copyrighted and under what terms before publishing it.

Google and the authors would each benefit from a copyright search. Google gets support from authors, and could potentially avoid scanning and verify books by having authors or publishers submit the text for indexing. Their search results would likely also contain advertising for places to purchase copyrighted works. The authors get a single point for maintaining copyright information that is easily referenced by others.

This does little to combat the blatant piracy, but legitimate sites hosting content would have access to an easy way to verify copyright information.

A friend is in need of a notebook to use for a while so I’ve pulled an old 500MHz PIII from miscellaneous parts I had lying around. There’s no money to spend on software, and he’s not the type to spend money when free alternatives are available. The machine will be used for blogging, writing, playing some media files, and general surfing.
(more…)

I’ve just upgraded to Kubuntu 6.10 - actually I did a full reinstall since I hadn’t had much time to use the install I did at the beginning of the summer. This install went a lot smoother than 6.06 did in June. The graphical install worked, and the disk partition tool was able to change the partitions on my disk that already had an XP install on it without any problems.

After the base install was done, I had to spend a couple of hours sorting out a variety of small problems while trying to get to a usable system state. The time spent made me realize just how far Linux is from being accepted at the desktop by average users.

I am surprised to see that basic items like MP3 support still aren’t part of the default install. I understand the licensing concerns, but surely something can be done to solve them. Accessing media on network shares is still problematic, too. A share can be seen, but the media can’t play off it without editing /etc/fstab - try explaining that to a non-technical friend.

When I started configuring the wireless network I found three different tools installed, each of which had a different interface and only one of which could support WPA. In the end the wireless service didn’t get configured because my network card (Broadcom based) wasn’t supported. The system didn’t tell me that either - I remembered from earlier work that the Dell notebooks required extra monkeying around to get wireless working.

Software remains complicated to install, and standard ways of doing things aren’t in place yet. Getting packages I wanted to use required editing the apt configuration files by hand. Even after downloading some packages, the installs failed until I updated the /bin/sh link to point to bash instead of dash.

One area where Linux has simplified things better than Windows is updates. If you stick to using the default package manager for a given distribution, updates for the entire system are simple. There’s no need to connect back to the update service repeatedly (like one must in Windows), or to update individual software packages one by one.

It seems to me that there is too much focus on evangelism and ideals, and too little focus on the actual needs and wants of the average user. Decisions can’t be made simply based on performance, or licenses, or idealistic views of what an OS should be. Usability and consistency are vitally important.

I installed the SARE rule updates channel into a nightly sa-update routine yesterday, and noticed today that the rules didn’t appear to be getting used. I had misread the docs initially it turns out - you must use the updates.spamassassin.org channel if you plan to use any other channels since SA expects to find all rules in one location.

When I tried adding the default channel tonight I was getting the following error tonight while setting up sa-update:

error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key. Instead, it was signed with the following keys:

24F434CE

Perhaps you need to import the channel's GPG key? For example:

wget http://spamassassin.apache.org/updates/GPG.KEY
gpg --import GPG.KEY

After poking around for a bit I found the last line of the message is misleading - you actually want to run sa-update --import GPG.KEY after downloading it.

A supoena sent to Google asks for the entire contents of a gmail account used by the founder of AmeriDebt. The subpoena asks for not only current e-mail but also deleted e-mail:

“All documents concerning all Gmail accounts of Baker…for the period from Jan. 1, 2003, to present, including but not limited to all e-mails and messages stored in all mailboxes, folders, in-boxes, sent items and deleted items, and all links to related Web pages contained in such e-mail messages.”

I usually recommend gmail as the mail service of choice for non-technical friends. This is a prime example of why I also suggest people run their own server if they can.

I spent the weekend re-configuring the machines in my home office. My primary workstation now runs Linux (Fedora). The XP station is still running, but it is stripped down to a basic machine. I can access it easily enough through rdesktop when I need to use a Windows app, although that’s only been for Nero so far. All data, our twiki site, and this blog has been moved to a new server.

I’ve been aiming to cut over to Linux as my primary work platform for some time. Almost everything I do now is on open source software, so there was little reason to work within Windows. I rarely have need for the standard office type applications anymore, since most business data is now stored within a wiki. My primary use of a wordprocessor is for writing assignment submissions for CGA courses. Spreadsheets still have their use, but OpenOffice.org Calc should do fine. Should I really need to use MS Office, the corporate notebook still has it.

There are some limitations to Linux though. It’s not quite as polished as Windows is, for example, when network browsing and connecting shares, but most of the issues are small. On the other hand I was impressed to see that the printing worked as soon as I plugged in the Brother MFC-8600 to the USB port. All it required me to do was approve the driver the system had selected as being appropriate. Printing was an area I had expected to have to do some manual configuration.

Microsoft makes some great products. Their operating systems are too popular with the virus and worm authors for my liking right now, but they have come a long way in the last few years. Gone are the days of the daily (or more) reboots to keep a workstation stable. MS Office applications, and particularly Excel, are very powerful - too powerful for the average user. Using a $500 suite of software to type letters and create tables is too expensive, especially when equally useful tools are available in the OSS world.

Yesterday, I posted more info on the Firefox IDN issue along with a couple of additional work arounds to address the issue of the state of the enableIDN flag not being properly changed, even though it shows as being false. I had originally included a link to an extension that has been written to disable IDN permanently, but on the two machines I tested it on, Firefox wouldn’t load properly once the machine was rebooted. For those who just want things to work, I’d recommend against using the extension.

Editing the compreg.dat file manually works, as does installing the nightly build of Firefox, which is the option I chose since I already had to re-install the app to fix the load problem.

For those wanting to experiment, the extenstion is available here: http://friedfish.homeip.net/extensions/no-idn.xpi.

A security risk in International Domain Name [IDN] support was announced at Shmoocon this past weekend. The attack works on most browsers other than Microsoft IE (which doesn’t support IDN unless a plugin has been installed).

The Shmoo Group has a proof of concept page up demonstrating how a browser can appear to load paypal.com. The exploit works for both normal and SSL enabled sites.

The fix for Firefox is straight forward:

1. Navigate to about:config in Firefox (enter it in the address bar).
2. Enter network.enableIDN in the filter bar.
3. Double click the entry for network.enableIDN if it’s value is currently true. It should be bold when false/disabled.

Once IDN is disabled, the proof of concept will fail with an error that the site can’t be loaded.

[update 2005-02-15 - This fix is not 100% reliable, see my later post.]

It seems I underestimated the spammers. I also misunderstood the comment posting system in Wordpress: I thought that updating the comment_status field to ‘registered_only’ meant that only registered users could leave comments. That’s not what happens. Values of ‘closed’ and ‘open’ appear to work as I understood, so I’m not sure what the other value was meant to do. The result was spammers could directly access wp-comments-posts.php and freely post their advertisements for online poker sites and viagra.

This evening a modified the Wordpress code to enable the ‘registered_only’ setting in the comment_status field to work as I thought it should. It doesn’t appear to break anything, but I haven’t extensively tested yet. The patches to wp-comments.php and wp-comments-posts.php are on the Pleiades patch pages.

It seems the spam wasn’t a single pass, so I’ve had to turn on comments for registered users only. I’m sure there’s spam bot that will register itself out there too, but I don’t want to block comments yet - although why not, I don’t know, given that no one but spammers has commented yet.