My little home Apache server is overwhelmed by log entries from various virus attacks - Nimda, CodeRed, etc. It's tiresome. If you edit Apache's httpd.conf and replace your old CustomLog entry with this stuff, the logs go somewhere else. It looks like the Debian Apache package will even rotate the new file for you; I'll see in a week.
SetEnvIf Request_URI (cmd\.exe|root\.exe|default\.ida) attack
CustomLog /var/log/apache/attack.log combined env=attack
CustomLog /var/log/apache/access.log combined env=!attack
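An added example, not part of the original post: a Python replay of the same split over combined-format log lines, for checking the pattern against existing logs before changing httpd.conf. It relies on Apache's documented behaviour that Request_URI excludes the query string, so a query that merely mentions cmd.exe is not flagged; the sample lines are constructed.

```python
import re

# Same pattern as the SetEnvIf line above: unanchored and case-sensitive.
ATTACK = re.compile(r"(cmd\.exe|root\.exe|default\.ida)")

# Request field of a combined-format line: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def is_attack(line):
    """True if the logged request path (query string removed) matches ATTACK."""
    m = REQUEST.search(line)
    if not m:
        return False  # unparseable request field: keep it in the normal log
    # Apache matches Request_URI without the query string; this script works
    # on the raw logged text, so percent-encoding is not decoded here.
    path = m.group("target").split("?", 1)[0]
    return ATTACK.search(path) is not None

def split_log(lines):
    """Return (attack_lines, normal_lines), mirroring env=attack / env=!attack."""
    attack, normal = [], []
    for line in lines:
        (attack if is_attack(line) else normal).append(line)
    return attack, normal

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [30/Oct/2001:10:00:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.11 - - [30/Oct/2001:10:00:02 -0800] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.12 - - [30/Oct/2001:10:00:03 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [30/Oct/2001:10:00:04 -0800] "GET /search?q=cmd.exe HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    attack, normal = split_log(SAMPLE)
    print(len(attack), "attack,", len(normal), "normal")
```

Because the pattern is case-sensitive, a request for CMD.EXE would land in the normal log; Apache's SetEnvIfNoCase directive is the case-insensitive variant.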
Discussion on Slashdot on VA Linux taking the "Linux" out of their name. Much pessimism, probably well placed. I can't help but feel that VA is an example of a VC-backed firm cynically going public before they had a stable business figured out. Now the company seems hinged on SourceForge, which is a great free service but as a product? Beats me, but I'd think Collab.net is in a better position in that market. They've been doing exactly this for a long time.
The Register reports that Kuro5hin is already being booted out of the VA/OSDN family. All those open source projects hosted at SourceForge better be sure to have copies of all their files, and a plan for moving if they need to. Are there any good alternatives?
Fun web site, the halfbakery. A place for people to post their wacky ideas, other people to comment on them. Fountains that flow up, flags to mark parking places, "uncooperative supercomputing" (steal those cycles!), and web based web browsers. The site is very slow, so patience is required. Ponder.
Shame on the New York Times for publishing Veiled Messages of Terrorists May Lurk in Cyberspace, an oversensationalized story trying to make the case that steganography is in use all the time on the Internet. Sources in the NYT story refuse to reveal anything about methods or results, and yet are cited as proof that 0.6% of images found contain hidden messages. The article does finally get around to Niels Provos' excellent work, the one bit of recent published research in steganography detection. He's analyzed over two million images on eBay and found not a single message.
Let's see, who are you going to believe; the CEO of a startup that needs military funding to survive and won't let you evaluate his work, or a grad student who publishes all his methods and results?
The NYT today covers the history of science in Islam. While Europe was deep in the dark ages, the Islamic world was busy translating the Greeks and creating the fields of astronomy, mathematics, and medicine, just to name a few. Nice to have a reminder every once in a while.
Brewster is a nifty Windows shareware screensaver that simulates the physics of a kaleidoscope. Nice anti-aliasing, too.
One of the things I've learned is that RPC by itself isn't enough to build reliable distributed systems, particularly on the Internet. SOAP + WSDL is interesting because it doesn't just mandate RPC, it can do other things, too. Most people are missing that. I wrote up some of my thoughts on this as an email to the simple web services API group.
Justin Chapweske steps up to bat with a draft idea he calls "the content addressable web". The core idea is to improve the experience of getting big things from the web by naming resources by pointers to the resource, not the resource itself. Then you can have a transparent way to mirror resources. For an added bonus, those pointers can include secure hashes of the contents, so you know you got the correct data. Using URIs this way isn't entirely a new idea, but Justin's version is good.
I'm concerned that we'll never get to a web using "better URIs" to identify resources. We've been running around this idea for eight years, and still nothing. Justin's approach has the virtue of being simple and incremental. For more, see the discussion on the decentralization list.
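An added example, not from the original post or from Justin's draft: how a pointer that carries a secure hash lets a client treat mirrors as untrusted. The `urn:sha256:<hex>` format, the mirror names and the payload are hypothetical, and each mirror is a callable standing in for a download.

```python
import hashlib
import hmac

def parse_content_uri(uri):
    """Split a 'urn:sha256:<hex>' pointer (hypothetical format) into (algo, digest)."""
    scheme, algo, digest = uri.split(":", 2)
    if scheme != "urn" or algo != "sha256" or len(digest) != 64:
        raise ValueError("unsupported content URI: " + uri)
    return algo, digest.lower()

def fetch_verified(uri, mirrors):
    """Try mirrors in order and accept the first whose bytes match the URI's hash.

    `mirrors` maps a mirror name to a zero-argument callable returning bytes.
    Returns (accepted_mirror, data, rejected_mirrors).
    """
    algo, expected = parse_content_uri(uri)
    rejected = []
    for name, fetch in mirrors.items():
        data = fetch()
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return name, data, rejected
        rejected.append(name)  # wrong or tampered content: try the next mirror
    raise ValueError("no mirror served matching content; rejected: %s" % rejected)

# Constructed sample: the pointer is derived from the genuine bytes.
ORIGINAL = b"big-download-v1 contents (constructed sample)"
URI = "urn:sha256:" + hashlib.sha256(ORIGINAL).hexdigest()
MIRRORS = {
    "mirror-a.example": lambda: ORIGINAL + b" tampered",
    "mirror-b.example": lambda: ORIGINAL,
}

if __name__ == "__main__":
    name, data, rejected = fetch_verified(URI, MIRRORS)
    print("accepted", name, "rejected", rejected)
```

The integrity guarantee holds only if the pointer itself arrives over a channel the client trusts; the mirrors need no trust at all.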
It struck me that there's one more big risk that MS is taking with .NET. Will consumers really pay $25-$50 a year? If it works, then someone will finally crack the nut of getting people to pay for things on the Internet. But Microsoft is taking a huge (and uncustomary) risk in trying to be the first to make it work. As a developer/user, I feel they're already making a mistake in charging developers for access to My Services. How will ordinary consumers feel?
Obvious counter-strategy: build a totally free alternative service. Plan to give it away the first few years, then either start charging (the Salon model) or monetize the service some other way (the MSIE model). This strategy is high risk, and currently unfashionable. But companies like IBM, Sun, and AOL could afford to do it.
The funny thing is I like the idea of MS charging for My Services. It puts the expectations in the right place; my service belongs to me, I pay for it. I hate the way most "free" services take their toll in turning my data into a marketing channel. MS has promised not to do this. If someone follows with a free version, they should give the same protection to consumers. Maybe this is a pipe dream.
Teach me to report speculation on a mailing list. The report that an HP printer was notifying the FBI of something has a simpler explanation; maybe someone's attacking the printer's web server with forged IP addresses, it's responding, and one of the forged addresses just happened to be an ifccfbi.gov address. More info on the cryptography list.
There's a disturbing report on the cryptography mailing list that someone's HP printer has been trying to send bits to a host named origin.ifccfbi.gov. Later posters suggest this may be some sort of fraud or counterfeit detection in the printer firmware itself. Do you know who all your printer talks to?
Great article by Andy Patrizio of Wired News (referenced on Slashdot) about fans remaking classic old games like Ultima and The Bard's Tale: Gamers Making Retro Remakes. Bunch of smart geeks get together, want to remix Ultima, even get Richard Garriott's permission. The article has a horrible comment from an Electronic Arts spokesman:
"EA owns the rights to Ultima and all of its characters, and in this case, no permission was requested or granted," said Jeff Brown, an Electronic Arts spokesman. "As for Richard Garriott's approval, that's like getting permission from Toto to remake The Wizard of Oz."
I played Ultima I when I was a wee mite, and it had a huge influence on me. A whole world, inside a machine! And created by Richard Garriott, a guy just a few years older than me, not 20 miles from where I lived. When I was 12 I reverse engineered parts of Ultima II, learned a lot. I remember being particularly weirded out because he was using BCD mode on the 6502. To refer to an artist like Garriott as a dog is so deeply offensive. Technically, he's right, EA owns the IP. But ugh!
Interesting analysis article in the NYT: Anthrax Offers Lessons in How to Handle Bad News. Talks about how best to convey uncertain and scary information. The thing I like best is this simple set of recommendations for how authorities should speak:
Read up on Jtrix, an open source (LGPL) distributed app framework that's just been announced. They say:
[Jtrix is] for developing applications which smoothly evolve and adapt. That means they are scalable, adaptive and cost effective to run.
It reminds me of my master's work on Hive, a Java framework that includes some sort of discovery mechanism, remote messaging, mobile code, all with an interesting bottom up design. The engineering work on Jtrix looks solid - lots of tests, good documentation. The introduction for everyone (PDF, 29 pages) is the first thing to read if you want depth.
The thing I'm curious about is how they make a business case for doing this kind of work - I'd love to have an answer for that for myself. There's a bit about this in the FAQ, but it's not very specific ("we wanted it"). Their parent company, Hyperlink, seems to be an incubator of sorts, but with not much info about their seven years of incubating. Regardless, Jtrix is out there, and it's free, and das ist gut so.
Now that I'm unemployed, it's harder for me to organize my time. So I've started using time tracking software, where I track every minute of my working day in one of several categories ("noodling around", "goofing off", "coding Funes", "job search", and two contracting assignments I'm on). There are a million time tracker programs out there, but I settled on the AllNetic Working Time Tracker. It's simple, free, and integrates nicely into Windows (tray icon, senses when I'm away). It's still a bit buggy, but overall it's good.
I'll report later what I've learned running this, and if it's not too embarrassing share some of the data (no goofing off in the past three days!).