[ Page 30 of 76 ]
From: Peter Pentchev Date: 21:20 on 19 Aug 2006 Subject: Encryption done the Perfectly Wrong Way(tm)

[okay, apologies in advance - or, come to think of it, I'm here, so no apologies are needed; anyway, this will not be a real software hate, more like a software design hate; still, I think it counts as mind-software hate, so there]

Dear Wossname[0],

For about four months now, you've been subjecting me and the company I work for to a kind of Chinese water torture - first, telling us that the next version of your system[1] will require some sort of user authentication[2], and then dropping tiny pieces of information, all different, all ever so slightly incompatible with each other, at the maddening rate of about once every lunar month. So we will need to supply a plain-text username and an encrypted password for each query to your product[2].

Now. Let me tell you some things about the way I understand cryptography[3].

1. Picking an encryption algorithm should not take three weeks.

2. When an algorithm is finally chosen, telling us "use 3DES" would suffice; sending us a three-page listing of Visual Basic code *without* actually mentioning the algorithm's name - except in two lines of code instantiating a CryptoAPI object - is... a bit verbose.

3. Picking an encryption key and an IV should be left to the customers who will actually use the product, *not* referred back to the software vendor.

4. Picking an encryption key and an IV should not take three weeks.

5. Telling us that the encryption key and the IV will not be needed, since you're changing the algorithm, two weeks before our deadline, is a bit... unexpected[4].

6. Sending us a two-page document (the first page describing the full data path and exchange procedures, the second page describing the actual encryption algorithm) might have been a Good Thing(tm), were it not for the minor mishap of misspelling "algorithm" as "logarithm" in all three places it's mentioned.

7.... Okay. I am at a bit of a loss here. A loss for words. Although a full day - and a half - has passed since we received said two-page document, I still have not completely come to terms with my inner self as to how I *ought* to feel about it, and how I *do* feel about it. Suffice it to say that, after working on this project for a year and a half now, I honestly, sincerely thought that no communication from The Other Side could actually surprise me any more. This document managed to surprise, nay, confuzzle, nay, completely befuddle me for all of two minutes; then I started laughing hysterically, and sometimes I still do.

So... let's try this again.

7.... Nope. More hysterical laughter. Just one last time...

7. All the communication with your software so far has involved specifying a character set. Thus, you understand character sets - or, well, or at least you are barely aware of their existence. Also, you understand character set conversion - or, well, or at least you are barely aware of its existence, too. So... if you want the password - only the password, not the username - to be represented in EBCDIC[5], you might have put more than one single passing mention in said document.

But hold on, that's not really the hysterical laughter-inducing part.

8. A Caesar substitution does not count as industrial-strength encryption in my book.

Yes. Ohhhhhh yes. Ahem. Yep. I know it's hard for you to believe what I just said, but... Taking the numeric code (in EBCDIC, as previously mentioned) of a letter, subtracting it from a constant number, then subtracting the result from *another* constant number, is indeed equivalent to adding a third constant number to the original numeric code of the letter. So when you say we have to do this for each particular letter of the password, you are effectively describing a Caesar substitution. Okay, so it's in EBCDIC; okay, so the offset puts the result well outside of the normal alphanumeric range in EBCDIC; okay, so the result will not look like letters or numbers at all. WHAT THE HELL DOES IT MATTER?! It's still a Caesar substitution. It's still security through obscurity. It's still not suited AT ALL for this particular software system!

And... yes. I'll still do it. I'll write the code, I'll integrate it into our part of the system, and I'll deliver it on time. I'll do this with one, and only one, purpose in mind. To get our part of the system deployed at our customer's site on time, so then you can first wallow, then drown in the slew of bug reports that will first come to us, then be analyzed, and finally duly reflected to land on your desk.

I think I need a drink now.

Over and out[6],
Peter[7]

[0] I'm not actually sure I even *want* to know your name. Bearing in mind the existence of certain books and rituals, the world might even be a much safer place for you if I were to never, ever, ever learn it. For the present, it is enough for me that you think you write software and that you have managed to drag enough people down into this delusion.

[1] A big, steamin' piece of s... s... software, that a client of ours has at the core of their services, and that I and a couple of cow-orkers have to write an interface module for. Come to think of it, I may have mentioned it before in this place - and when I may have mentioned it, I may have concluded my mentioning with a hope never to hear about it again. Unfortunately, things didn't quite turn out that way.

[2] "Each message will contain a plain-text username and an encrypted password. Well, okay, not at once - there will be a transition period when some messages will work the old way, without the username and password. Yep, only some messages - there are some important ones that will require authentication at once. Yes, this is one of them. No, not this one. No, not this one either. No, we cannot give you the full list yet. Oh, well, some messages will not require authentication even after the full deployment. No, not this one. No, not this one either. Yes, of *course* that one will work without authentication. No, we cannot give you *that* full list either. What? Of *course* we know which messages will require authentication and which ones won't - we just can't tell you yet. Yep, that's our version and we're stickin' to it."

[3] Not all that well, of course. I think most people here will wholeheartedly agree that teaching does not necessarily imply understanding, especially so in Academentia, so my being on a team teaching a university-level network and software security course would be completely irrelevant.

[4] Well, okay, it *should have been* unexpected. In this case... to be honest, I wasn't a bit surprised. The surprise came later - read on.

[5] Aye, mates, you heard that right! Yep. I've been aware of EBCDIC for the past fifteen to seventeen years. I've been aware of it pretty much in the same way I've been aware of the Enigma and Bombe encryption gadgets - in a fun piece of trivia sort of way - I've known what it was, I've known where and when it was used first, I've known where and when it was widespread, I've had at my disposal conversion tools that I could use any time I had a couple of minutes with nothing to do and, just for the fun of it, I could convert a piece of text from ASCII to EBCDIC and back, just to see what comes out... But I've never - never - NEVER even imagined that I could ever actually *come across* it in any kind of Real Life(tm) and Real Job(tm). Oh, the sweet delusions of youth.

[6] Normally I conclude my e-mail communication with a "G'luck", but in this particular case...

[7] The careful reader might note that I've taken the time to edit my work e-mail address out of this e-mail's signature, just to state even more clearly that this is a purely personal opinion and in no way affiliated with any legal or physical entity except for the dozen or so selves dancing around inside my mind.

-- 
Peter Pentchev roam@xxxxxxx.xxx roam@xxxxxxx.xxx
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
When you are not looking at it, this sentence is in Spanish.
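The equivalence argued in point 8 of the message above, worked through as an added example (not part of the original post and not the vendor's code). The constants K1 and K2, the cp037 EBCDIC code page, and keeping each result in one byte are assumptions, since the message gives none of these values.

```python
# Added illustration; K1 and K2 are made-up stand-ins for the vendor's
# two constants, which the message does not disclose.
K1 = 300  # hypothetical "first constant"
K2 = 250  # hypothetical "second constant"
EBCDIC = "cp037"  # assumption: one common EBCDIC code page


def vendor_scheme(password: str) -> bytes:
    """Follow the described steps literally, one password byte at a time."""
    out = bytearray()
    for code in password.encode(EBCDIC):
        first = K1 - code         # "subtracting it from a constant number"
        second = K2 - first       # "subtracting the result from another"
        out.append(second % 256)  # assumption: result kept in one byte
    return bytes(out)


def caesar(password: str, shift: int) -> bytes:
    """Plain additive shift of each EBCDIC code."""
    return bytes((code + shift) % 256 for code in password.encode(EBCDIC))


def implied_shift(plain: str, obfuscated: bytes) -> int:
    """Return the single offset relating input to output.

    Raises ValueError if the bytes are not related by one fixed offset.
    """
    offsets = {(o - p) % 256 for p, o in zip(plain.encode(EBCDIC), obfuscated)}
    if len(offsets) != 1:
        raise ValueError("not a fixed-offset substitution")
    return offsets.pop()


def undo(obfuscated: bytes, shift: int) -> str:
    """Reverse the shift; no key material beyond the offset is needed."""
    return bytes((b - shift) % 256 for b in obfuscated).decode(EBCDIC)


if __name__ == "__main__":
    sample = "Secret42"  # constructed sample password
    blob = vendor_scheme(sample)
    shift = implied_shift(sample, blob)
    print("offset:", shift, "== (K2 - K1) % 256:", (K2 - K1) % 256)
    print("same as Caesar:", blob == caesar(sample, shift))
    print("round trip:", undo(blob, shift))
```

The two constants collapse into the single offset (K2 - K1) mod 256, so the scheme has one fixed byte of secret and maps equal characters to equal bytes on every message.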
From: Phil Pennock Date: 18:02 on 19 Aug 2006 Subject: [OT] Mac recommendations for minimising hate Wotcher, Sorry for the lack of hate here, but having read various rants about Macs, I'm hoping for some advice on how to minimise future hate. After losing last weekend to reinstalling, twice, Windows on my wife's machine, today she agreed to go into the local Apple center and try out MacOS on a Mac mini. Very friendly chap helped us and we succeeded! I have a forthcoming move, but after that we will be buying a Mac. Can anyone make recommendations on software for me, probably off-list, or pointers to useful sites? And perhaps a book recommendation or two? I'll want stuff for the *nix sysadmin wanting to get some use out of the machine and even stand a chance of fixing some problems and Kathy will want things like a MUD client (or plain telnet, anything better than Windows telnet; it's for a talker, and she can use tinyfugue if it builds and works (has done in the past)), IM client that can handle MSN, simple image manipulation for family pics and basic word processing. Pointers appreciated. Heck, even heavy sarcasm appreciated, I'm that happy that I'm not likely to need to reinstall Windows ever again. Please, @DEITY, make it so!
From: Nicholas Clark Date: 10:46 on 14 Aug 2006 Subject: finder making aliases So, I have a folder on a shared drive that I wish to have aliased on my desktop. How do I do this? Well, Finder offers me "make alias". But that wants to make the alias into the same directory as the directory. Where I don't have sufficient privileges. And if I try to drag the folder, Finder attempts to copy it. (with any modifier key, except "command" which initiates a move). So, hateful software, w.t.f. isn't there an option to do what I need? Drag me a nice alias to somewhere else. With the same name even. (other hate about the usual 3 step process - make alias, move, rename) I thought that this operating system was supposed to have an easy to use user interface. Hatefully it seems not. Either that or they're all a bunch of trusting hippies over in Cupertino who have no need for security on their own server systems, so don't see the reason for anyone else to need it. Nicholas Clark
From: jrodman Date: 02:07 on 13 Aug 2006 Subject: A simple hate for livejournal Nothing impressive here, but, all the same: I was writing my grand opus explaining to an interested non-unix user all the hateful things about GNU Texinfo, the lack of manpages, botched Debian manpages, incorrectly installed Debian Texinfo pages, idiocies of the info tool, and so on, in response to a question he asked about my post to this list. It was pretty good. (Okay, I didn't say _all_ hateful things about those topics, but I covered about 12 different awful things in there.) While working on the text, adding subheadings, providing links and references, and so forth, I would repeatedly use the provided [Preview this post] button, and livejournal would dutifully render the post according to its html limitations, and so forth, allowing me to determine that the html I was hand-entering was at least close to correct. Only after previewing the post a good fourteen or so times, cleaning it up iteratively, and after I went to post it, did it let me know, helpfully. "Sorry, LiveJournal comments have a limit of 4300 characters, your 8934 character post that we've been previewing for you without complaint for the last 15 minutes will have to now be manually chopped into pieces by you and a text editor and copy and paste." Thanks. -josh (Oh, and before you point it out, yes, I know I'm asking for it by using LiveJournal, but I'm also asking for it by using the web, and by using a computer at all. Ever.)
From: Nicholas Clark Date: 13:28 on 12 Aug 2006 Subject: Challenge response systems Challenge response systems. Particularly those hooked up to mailing lists. I'm not sure whether I want to kill the authors first, or the users. Nicholas Clark ----- Forwarded message from kickidle@xxxxxxxxx.xxxxxxxxxxxxx.xxx ----- Received: from server344.server-center.net ([65.98.58.178]) by plum.flirble.org with esmtp (Exim 4.43) id 1GBsUe-000BeY-S8 for nick@xxxx.xxx; Sat, 12 Aug 2006 13:21:34 +0100 Received: from kickidle by server344.server-center.net with local (Exim 4.52) id 1GBsUb-0005T0-Qq for nick@xxxx.xxx; Sat, 12 Aug 2006 08:21:29 -0400 X-Boxtrapper: iuBOI2FRD4BOm9uMkmFuxPXa_w4RRQO0 To: nick@xxxx.xxx Subject: Your email requires verification verify#vBKibBm4rGqMiod20gc4QyIi2ywp0ZQ7 From: <kickidle@xxxxxxxxx.xxxxxxxxxxxxx.xxx> Message-Id: <E1GBsUb-0005T0-Qq@xxxxxxxxx.xxxxxxxxxxxxx.xxx> Date: Sat, 12 Aug 2006 08:21:29 -0400 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server344.server-center.net X-AntiAbuse: Original Domain - ccl4.org X-AntiAbuse: Originator/Caller UID/GID - [32135 12] / [47 12] X-AntiAbuse: Sender Address Domain - server344.server-center.net X-Source: X-Source-Args: X-Source-Dir: ALL YOU NEED TO DO IS REPLY TO THIS MESSAGE AND HIT SEND. Thanks for your email! However, I now get over 150 spam emails a day. That's just too many to handle. And unfortunately, my automatic filters like to claim that mail from my family and friends is spam. So I have to double check all those messages to make sure I'm not actually ignoring my mom instead of the spam. Since I haven't setup your email address on my approved list yet (sorry!), you need to let me know you're not an evil spammer. Please don't change the subject line when you reply. The text in the subject tells my email server how to locate your message and forward it on to me. 
I know this is inconvenient, but your address will automatically be remembered after your first email. From then on you're emails will go straight to me, and you won't have to deal with this hassle again. If you don't reply within a few days, my email server will delete your message. I'll never get to read it. So please reply. Thanks! The headers of the message sent from your address are show below: ----- End forwarded message -----
From: Phil Pennock Date: 16:33 on 11 Aug 2006 Subject: Siesta, or a user Could whoever subscribed PayPal's customer service to hates-software please reconsider their actions? (Assuming that, since there's insufficient trace information to actually see why I have an auto-ack blurb response to my reply about automounts).
From: Jeremy Stephens Date: 18:56 on 10 Aug 2006 Subject: GTK file selection dialog Fellow haters, Since it's been a week or so without any hate, I thought I'd express my hatred of the GTK+ file selection dialog. Not only does it lock up Firefox for 2 minutes when I try to choose a program to open a file with from /usr/bin, but its filename completion is sketchy at best. Say I want to upload a file to some site from /usr/share/cool-stuff, and I start typing the directory I want in the dialog. Sometimes (this happens randomly as far as I can tell) the dialog will perform auto-expansion, so if I'm not paying attention and typing quickly the directory box will contain '/usr/share/are/co/cool-stuff'. If I did happen to notice the expansion, and only typed '/ushco', the dialog would expand it correctly, but when I hit enter, I get an error that says something like, "'/usr/share/co' does not exist". Apparently the newest version of GTK+ (2.10) addresses some of these issues, but it's not available in Debian yet. Jeremy
From: Nicholas Clark Date: 15:01 on 01 Aug 2006 Subject: Spreadsheet::ParseExcel return pack('C*', unpack('n*', $sTxt)); No. That's not a valid way to convert ucs2 text to anything, let alone ISO-8859-1 Urge To Kill Rising [It's converting network order 16 bit values into a list of numbers, then converting that list to 8 bit characters, with an implicit truncation] Nicholas Clark
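The truncation described in the message above, re-created in Python as an added example (not part of the original post and not code from Spreadsheet::ParseExcel). The sample string is constructed, the input is assumed to be well-formed big-endian UCS-2, and the Perl `C*` step is modelled as keeping the low 8 bits of each value.

```python
import struct

# Constructed sample: "Łódź €5" as big-endian UCS-2.
SAMPLE = "\u0141\u00f3d\u017a \u20ac5".encode("utf-16-be")


def truncating_convert(ucs2_be: bytes) -> bytes:
    """Python rendering of pack('C*', unpack('n*', $sTxt))."""
    count = len(ucs2_be) // 2
    values = struct.unpack(">%dH" % count, ucs2_be[: count * 2])  # 'n*'
    return bytes(v & 0xFF for v in values)  # 'C*' keeps only the low byte


def strict_convert(ucs2_be: bytes) -> bytes:
    """Decode, then encode; fails loudly on text ISO-8859-1 cannot hold."""
    return ucs2_be.decode("utf-16-be").encode("iso-8859-1")


def damaged_chars(ucs2_be: bytes) -> list:
    """(original, what truncation produced) for each character it altered."""
    text = ucs2_be.decode("utf-16-be")
    low = truncating_convert(ucs2_be).decode("iso-8859-1")
    return [(a, b) for a, b in zip(text, low) if a != b]


if __name__ == "__main__":
    print(truncating_convert(SAMPLE))  # silently altered bytes
    print(damaged_chars(SAMPLE))       # which characters changed identity
    try:
        strict_convert(SAMPLE)
    except UnicodeEncodeError as exc:
        print("strict conversion refuses:", exc.reason)
```

Any code point above U+00FF is silently turned into an unrelated Latin-1 character, while the decode-then-encode path raises instead of corrupting the text.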
From: Geoff Richards Date: 18:32 on 28 Jul 2006 Subject: Firefox and/or Flash "blah blah unresponsive... Do you want to abort this script? [OK]" It doesn't seem willing to accept that it might not be OK with me to refuse to run the bloody thing.
From: Smylers Date: 14:34 on 26 Jul 2006 Subject: Firefox Page Setup I've just printed a bunch of pages in Firefox, then collected them from the printer and found them all to be landscape when I expected portrait. I printed something landscape last week and forgot to change the setting back. That's because Firefox (on Linux at least) doesn't include the portrait/landscape option in the Print dialogue box which pops up every time I'm printing, but in a separate Page Setup dialogue box which persists its state. Portrait/landscape is not a property of my printer or corporate policy or whatever; it isn't something I wish to customize to my preferences then use for evermore; it depends on the particular shape of the thing I'm printing. Hate. And I can't imagine ever wanting to set this except just before printing, but there isn't an easy way of getting from Page Setup to Print (or even the other way round). Hate. While looking at my wrong-way-round print-outs I spotted that some of the footer text is off the edge of the page. I see that for juggling this there is a Margins option in page Setup (I think the footer appears in the bottom margin). Separately, from the Print dialogue box there's a button for opening the Printer Properties dialogue box which has settings for 'Gap from edge of paper to Margin'. The margins setting is in millimetres; the 'gap from edge' one in inches. Hate. Smylers
Generated at 10:28 on 16 Apr 2008 by mariachi