dbbo's posterous

Dominos Pizza and Your Privacy

There is a Dominos Pizza restaurant just a few blocks from my house. I decided to place an order through their website, dominos.com. The following items were in a plain text URL that was emailed to me as a link to the “order tracker”:

  1. Entire phone number
  2. House number and street
  3. City
  4. Two-letter state abbreviation
  5. Zip code

What’s really disturbing is that this data is transferred over regular HTTP— no encryption whatsoever— even though their privacy policy states otherwise. Do they really need all that info to track my order? They can’t issue some kind of unique order number for use in the tracker URL? (Attached is a screenshot, with my info partially obscured.) And by the way, their privacy policy pretty much says that any info you give them is fair game. I really should start reading these things beforehand.

Something else I’ve found really irritating is that when you get to the order confirmation page, you have to uncheck the “Please send me spam” checkbox every time you place an order.

In light of these facts, I no longer order from Dominos, period. I encourage you to do the same.
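The alternative the post asks for (an opaque order token in the tracker link instead of the customer's own data), as an added example that is not Dominos' code or the original post's; the order fields, the tracker.example host and the in-memory token table are all constructed for illustration:

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample order: the same personal fields the post found in the
# emailed tracker link (values invented for this example).
ORDER = {"phone": "5555550123", "street": "12 Example St", "city": "Springfield",
         "state": "XX", "zip": "00000"}
TRACKER_BASE = "https://tracker.example/order"   # placeholder host, not dominos.com
PII_FIELDS = ("phone", "street", "city", "state", "zip")

# Stand-in for the server-side table that maps tokens to orders.
_TOKENS = {}


def tracker_url_with_pii(order):
    """The pattern the post describes: customer data carried in the query string."""
    return TRACKER_BASE + "?" + urlencode(order)


def issue_tracker_token(order):
    """File the order under an unguessable random token and return the token."""
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _TOKENS[token] = dict(order)
    return token


def tracker_url_with_token(token):
    """Tracker link that reveals nothing about the customer if it leaks."""
    return TRACKER_BASE + "?" + urlencode({"t": token})


def lookup_order(token):
    """Resolve a token server-side; unknown tokens give None, not an error page."""
    return _TOKENS.get(token)


def url_leaks_pii(url, order):
    """True if any personal value from the order appears in the URL's query."""
    params = parse_qs(urlparse(url).query)
    values = {v for vals in params.values() for v in vals}
    return any(order[field] in values for field in PII_FIELDS)
```

The token is the only thing the mail carries, and it is worthless without the server's table; the link should of course be served over https as in TRACKER_BASE, which is the other half of the post's complaint.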

[Screenshot: Dominos_pinfo]

Filed under  //   dominos   internet   online   pizza   privacy   security  

Dennis Ritchie *was* that great

In case you don’t know anything about modern technology, Dennis Ritchie created the C programming language, and along with Ken Thompson, the UNIX operating system. He has passed away.

Although I am not personally affected by Ritchie’s death, I am somewhat saddened to see how little attention it’s got in the news today. If Steve Jobs was a genius, then Ritchie was a supergenius, and his work has gone more or less unappreciated by the general public. I hate to beat a dead horse, but there wouldn’t even be an Apple Computer without C and UNIX (at least not the Apple we know).

I think every serious OS X, *BSD, and GNU user ought to read Ritchie’s paper The UNIX Time-Sharing System in order to get a deeper understanding of how their operating systems work.

Filed under  //   apple   bsd   c   c programming language   dennis ritchie   dmr   gnu   linux   osx   programming   unix  

Why Steve Jobs wasn't so great

Note: since Steve Jobs seems to get credit for everything Apple has done, the terms “Steve Jobs” and “Apple” will be used interchangeably in this article.

In the wake of Steve Jobs' death, I have heard nearly deifying laudation to a degree I never could have anticipated for an entrepreneur. The word “innovative” seems to crop up more than anything else. An innovative person is someone who comes up with new ideas or ideas ahead of their time — not necessarily good ideas.

At the risk of drawing emotionally-charged criticism, I’ll say that most of Steve Jobs' innovations were bad. I’ll even go a step further and, much to my own dismay, admit that I agree with Richard Stallman. Reasons why follow:

1. Closed Hardware

I think that when you buy something, you should be able to do whatever you want with it (anything short of using it as an instrument of suffering). You should not have to “jailbreak” a phone in order to choose a different carrier, for example. That privilege ought to come with the purchase. Apple does not think you are entitled to such privileges.

Apple does not want you to be able to take apart your Apple products. That’s why you need special tools to work on most of them.

Most users neither know how to repair their hardware nor care how it is assembled. They want something that “just works” and looks good doing it. Screws are ugly, so they ought to be hidden. It doesn’t matter that this is inconvenient during disassembly, because the user has no need to disassemble the product. In the event that it doesn’t just work, they’ll pay to have someone else fix it. Apple knows this, and profits from it, both through the ridiculously overpriced “Apple Care” plans and the ridiculously overpriced flat-rate repair fee for customers without Apple Care. For the DIYer or open hardware advocate, this is a pain in the ass.

2. Closed Software

Apple has made modest efforts to contribute free and open source software to the world, but these are dwarfed by their use of proprietary software throughout their products.

The admittedly militant Free Software Foundation has criticized the Apple Public Source License because it allows the linking of completely proprietary software, and thus is GPL-incompatible. Keep in mind that this “open” license only applied to certain parts of OS X (namely XNU and Darwin, which includes proprietary drivers), which the typical end user probably doesn’t know or care about.

A lot of the “open source” code released by Apple was not created by Apple, like curl, X11, zsh, and the list goes on. Apple isn’t sharing this code out of kindness or consideration but out of legal requirement. The only reason Apple used so much pre-existing open-source code in building OS X, in my best guess, was because it was free and cut down on production costs.

On the other hand, a lot of code that Apple did create is proprietary, like iTunes, iChat, Final Cut Pro, Photo Booth, iWork, and even Xcode. Pretty much any graphical program that comes with OS X is proprietary.

Apple also doesn’t want you to be able to “take apart” your desktop. Options like moving panel components around, changing the interface font, or modifying the window manager are taken for granted by open desktop users, but OS X does not provide that capability. I don’t think you should have to rely on a third-party application to modify the look and feel of your desktop’s user interface.

3. Closed Media

Apple has probably done more damage to freedom in multimedia than in any other area. Although songs on iTunes no longer carry the weight of DRM, other media formats like eBooks, TV shows, and movies do. Until the iTunes store is completely DRM free, and embraces open media formats like those sponsored by the Xiph.Org Foundation, I don’t see any reason to waste my money there.

Exceptions

The one exception to this list that I can think of is Jobs' criticism of Flash, on which I commend him.

4. Marketing is not Design

According to at least one author, Steve Jobs “never had any designs. He has not designed a single project.” I believe that, because he was neither a programmer nor an engineer. He was at best an idea man, and Jobs' ideas often weren’t even that new; they were just better— or at least sold better. If he was any kind of genius, he was a marketing genius, not a technological genius. That means he was good at figuring out how to get you to buy something, not at designing anything.

Conclusion

All in all, I would say that Jobs was and Apple is an enemy of computer users' freedom, or at the very least, he personally did little to help the free software/hardware movements. The praise he’s getting is misguided if not entirely unwarranted. He was first and foremost a businessman: his number one goal was to turn a profit. If it wasn’t, then he was a terrible executive and just happened to be extremely lucky. He did not come up with cool gadgets to make you happy but to get your money. He was not a genius or a hero, and technology will be just fine without him.

Filed under  //   apple   computers   freedom   jobs   software  

What to do about Facebook's "Frictionless Sharing"

In response to Dave Winer’s post about Facebook’s new “frictionless sharing” and Nik Cubrilovic’s response, I have decided to propose some alternative solutions aimed at Firefox users.

1. Use Cookie Monster

This addon makes it very quick and painless to delete all cookies from a specific domain, e.g. “facebook.com”. However, since it requires a toolbar button, it may not play nice with your Pentadactyl/Vimperator setup. Link: https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/

2. Use Cookies Manager+

This is basically an improvement over Firefox’s default cookie manager. Instead of opening Edit –> Preferences –> Privacy –> View Cookies, searching “facebook”, then manually selecting and deleting all of them, you open Tools –> Cookies Manager+, then search “facebook”, check the “select all” box, then click “Delete”. Done. Link: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/

3. Do it yourself

If you are some kind of purist or your machine only has 128MiB of memory or something and you don’t want to install an addon, you can do it yourself as outlined in no. 2.

Of course, you could ask yourself whether you really need to be using Facebook in the first place, and whether your life would really be that much worse if you stopped using it.

If you know of similarly helpful addons for other browsers, please tell me and I’ll add them here.

Filed under  //   facebook   firefox   privacy   www  

I've decided to declutter my zsh prompt. Now it only includes:

  • a symbol for current host
  • the current directory, with ~ replacing $HOME
  • a guillemet to indicate the command-typing area
  • the git branch if .git exists in $PWD

My laptop is named "ganymed" (German spelling from a poem by Goethe), so I use Jupiter's symbol to represent it. My desktop, nicknamed the "reddevil", gets a trident, and miscellaneous machines get an asterisk. The code can go pretty much anywhere before $PROMPT is set:

# pick a symbol for the current host (the original had a missing space before
# the closing bracket in the reddevil test, which zsh reports as a parse error)
if [[ $HOST == 'ganymed' ]]; then
    HOST_SYM='♃'
elif [[ $HOST == 'reddevil' ]]; then
    HOST_SYM='♆'
else
    HOST_SYM='*'
fi

The git-business goes in precmd():

precmd() {
    if [[ -d .git ]]; then
        # `git branch` lists every branch; keep only the one marked with '*'
        GIT_BRANCH=$(git branch | sed -n 's/^\* //p')
    else
        GIT_BRANCH=''
    fi
}

Finally, here's a screenshot:

[Screenshot: Zsh_prompt]

Filed under  //   prompt   shell   term   zsh  

Passwords

A recent XKCD comic conjectured that a password consisting of four “random” words is harder to guess than a pseudo-random string of characters.

Let’s ignore entropic bits for a moment and consider combinatorics— something I can wrap my head around.

It’s hard to say how many “common” words there are, but I’ll ballpark it. There are 98_569 lines in /usr/share/dict/american-english, and 24_673 of those lines contain non-word characters (i.e. /[CARET\w]/ matches), like “Ångström” or “zero’s”. If we take out capital letters to eliminate proper nouns, there are 64_024 left. Still, we have some pretty long words such as “unscrupulousness”, and short ones like “a”. I think setting a 3-character minimum and 10-character maximum is pretty reasonable for “common” words. My final pattern /\CARET[a-z]{3,10}$/ gives 52_434 matches. A cursory glance shows that many of the remaining terms aren’t really vernacular, e.g. “neodymium” or “zygote”, so I’ll round down to 50_000 for my ballpark answer.

There are about 50_000 ** 4 ≈ 6.3e18 permutations of these words. Since all the words are stored in an easily accessible file, it’s certainly possible, albeit time-consuming, to generate a list of all these possible four-word passwords. Keep in mind that the length of the password, /CARET\w{12,40}$/, is irrelevant.

There’s a problem here. When I say there are 6.3e18 possible passwords, I already know that each element of that set is a combination of elements from a subset of all combinations of letters, which in turn is a subset of all combinations of printable characters (our universe). In other words, I have some special knowledge (a posteriori) about the password that helps me narrow down the possibilities. If I didn’t have that special knowledge, I would have to assume that any printable character could be in the password (a priori). In that case, string length is the only determining factor in cracking time.

Now let’s think about permutations of the 94 printable characters on a typical US keyboard. There are 94 ** 10 ≈ 5.4e19 possible permutations for a 10-character string, which is on par with the magnitude of our four-word-password set.

Common words are still strings of characters, but they are built from a smaller set— only the 26 lower-case letters. A string of 14 letters gives us 26 ** 14 ≈ 6.5e19 permutations. We need an extra 4 letters to make up for the fact that we’re using a smaller set. Since our original target was a string of 4 common words, our average word length has to be about 4 letters, which fits right into my {3,10} range.

Earlier I said I’d have to assume any printable character could be used in a password. However, let’s say I decide to use some heuristics and assume that letters are more common in passwords than numbers, and numbers are more common than non-alphanumeric characters, and I start off trying all combinations of letters alone. In this case, the passwords “oneapetwoegg” and “OneApeTwoEgg” are actually less secure than “o2!-702o,br3” or even “llrxyoxzcvu3”.

Conclusions:

  • If a password is known to be a combination of N “common” words, its a posteriori security (regardless of its length) is equal to the a priori security of any password of length 2.38 * N (since log(50000)/log(94) ≈ 2.38).
  • The a priori security of any N-word password is heuristically less than that of any password of equal length that contains one or more non-alphabetical characters.

Note: the caret character cannot be escaped and was producing unwanted superscript text.
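The word filter, the search-space sizes and the 2.38 ratio above, worked in Python as an added example (not code from the original post); SAMPLE_DICT is a constructed stand-in for /usr/share/dict/american-english, and the pattern uses a literal ^ where the post had to write CARET:

```python
import math
import re

# The post's filter for "common" words: all lower case, 3 to 10 letters.
COMMON_WORD = re.compile(r"^[a-z]{3,10}$")

# Constructed stand-in for the dictionary file: proper nouns, non-word
# characters, a one-letter word and a 16-letter word should all be dropped.
SAMPLE_DICT = ["a", "ape", "egg", "one", "two", "Ångström", "zero's",
               "Boston", "unscrupulousness", "neodymium", "zygote"]


def common_words(lines):
    """Return the entries that survive the ^[a-z]{3,10}$ filter."""
    return [w for w in lines if COMMON_WORD.match(w)]


def passphrase_space(vocab, n_words):
    """Number of N-word passphrases drawn (with repetition) from a vocabulary."""
    return vocab ** n_words


def char_space(alphabet, length):
    """Number of strings of a given length over an alphabet of that size."""
    return alphabet ** length


def equivalent_length(vocab, n_words, alphabet=94):
    """Length of an a priori random string over `alphabet` with the same
    search space as an N-word passphrase: N * log(vocab) / log(alphabet)."""
    return n_words * math.log(vocab) / math.log(alphabet)


def alphabet_size(password):
    """Smallest character class a guesser who tries letters first, then
    digits, then everything else would have to cover for this password."""
    if password.isalpha():
        return 26 if password.islower() else 52
    if password.isalnum():
        return 62
    return 94


def heuristic_space(password):
    """Search space under the letters-before-digits-before-symbols heuristic."""
    return alphabet_size(password) ** len(password)
```

With the post's numbers, equivalent_length(50000, 4) comes out at about 9.5 characters, and heuristic_space ranks “oneapetwoegg” below “llrxyoxzcvu3” and both below “o2!-702o,br3”, which is the second conclusion.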

Filed under  //   computers   security  

/sbin/init

Initial post.


Filed under  //   init   ryu