The fallout from heartbleed seems to be manifesting itself in a range of ways. I’ve been required to set new passwords for a small number of online services, and expect I may encounter others as and when I next access them.
The main contrast seems to be between admins who tell you what’s happening, vs services that just stop working. Contrast Apache and Google:
Apache: email arrives from the infrastructure folks: all system passwords will have to be reset. Then a second email: if you haven’t already, you’ll have to set a new password via the “forgot my password” mechanism (which sends you PGP-encrypted email instructions). All very smooth and maximally secure – unless some glitch has yet to manifest itself.
Google: @employer email address, which is hosted on gmail, just stopped working without explanation. But this is the weekend, and similar things have happened before at weekends, so I ignore it. But when it’s still not back on Monday, I try logging in with my web browser. It allows me that, and insists I set a new password, whereupon normal imap access is also restored. Hmmm … In the first place, no explanation or warning. In the second place, if the password had been compromised then anyone who had it could trivially have reset it. Bottom of the class both for insecurity and for the user experience.
There is also secondary fallout: worried users of products that link OpenSSL asking or wondering what they have to upgrade: for example, here. For most, the answer is that you just upgrade your OpenSSL installation and then restart any services that link it (or reboot the whole system if you favour the sledgehammer approach). Exceptions to that will be cases where you have custom builds with statically linked OpenSSL, or multiple OpenSSL installations (as might reasonably be the case on a developer’s machine). If in doubt, restart your services and check the OpenSSL version each one reports in its startup messages: for example, with Apache HTTPD you’ll see it in the error log at startup.
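One way to find the services that still need that restart after the upgrade, as an added example that is not part of the original post: on Linux, a process that loaded the old library keeps mapping a file the kernel marks "(deleted)" in /proc/<pid>/maps. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find running processes that
# still map a libssl/libcrypto file that has since been replaced on disk.

# Read /proc/<pid>/maps-format text on stdin; print each distinct libssl or
# libcrypto path that the kernel marks "(deleted)", i.e. the old library is
# still loaded although the file on disk was upgraded.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)\\.so[^/]*$" {
             print $(NF-1)
         }' | sort -u
}

# Constructed sample input in /proc/<pid>/maps format (not real output).
# The libssl3.so (NSS) and SYSV lines must NOT be reported.
sample_maps() {
    cat <<'EOF'
7f3a10000000-7f3a10060000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a10260000-7f3a10264000 rw-p 00060000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a0fc00000-7f3a0fdd0000 r-xp 00000000 08:01 393299 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a0f800000-7f3a0f9a0000 r-xp 00000000 08:01 393200 /lib/x86_64-linux-gnu/libc-2.13.so
7f3a0f600000-7f3a0f610000 r-xp 00000000 08:01 393400 /usr/lib/libssl3.so (deleted)
7f3a0f400000-7f3a0f410000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)
7f3a0f200000-7f3a0f221000 rw-p 00000000 00:00 0
EOF
}

# Walk every process we are allowed to inspect (run as root to see them all)
# and print "pid<TAB>command<TAB>stale libraries" for those needing a restart.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_openssl_maps)
        [ -n "$stale" ] || continue
        name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$name" "$(echo "$stale" | tr '\n' ' ')"
    done
}

# "--scan" inspects the live system; with no argument, run on the sample.
case "${1:-}" in
    --scan) scan_processes ;;
    *)      sample_maps | stale_openssl_maps ;;
esac
```

Statically linked builds never show up here because they map no libssl file at all, so they still have to be rebuilt and checked by hand. A second OpenSSL installation is reported only if its own files were replaced.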
My mother died on Sunday. She lost her battle with cancer, and with the treatment that was at times worse than the disease. She leaves behind many friends and relatives, amongst whom special mention must go to my father, whose recent life has been totally dominated by caring for her. In the past several months as she got worse, that extended to my brother and myself taking turns in supporting him. And an array of friends and neighbours who rallied around, as indeed she had done for others in her life.
I had returned home last week for the two concerts that were a major highlight of my calendar, and so it was that at the moment of her death, I was in the final rehearsal for the Stabat Mater:
Stabat mater dolorosa / juxta crucem lacrimosa / dum pendebat filius.
The story of the mother witnessing the cruel death of her son is not a perfect fit, but nevertheless seemed strangely appropriate. Indeed, crucifixion would (by virtue of its relative brevity) have been an altogether less gruesome fate than the horrendous treatment she was on for the last few months. Who would treat a domestic pet so cruelly as we do a dying person?
Requiescat in Pace.
Next weekend is a real highlight of the musical calendar. I’m due to sing in not one but two concerts, and can thoroughly recommend both of them to anyone in the area.
The first is on Saturday April 5th, where Vaughan Williams’s Sea Symphony is the major work in a concert by the EMG Symphony Orchestra at Exeter Cathedral. This is the same group and same inspirational director with whom I sang in Mahler’s 8th symphony a year and a half ago, now returning to another only slightly less huge but perhaps even more glorious choral symphony from the same era. Don’t miss it!
The second is on Sunday April 6th with my regular choir the Plymouth Philharmonic, who are performing Dvořák’s Stabat Mater at the Guildhall, Plymouth. This is my first time in this unjustly-neglected work. In complete contrast to the glorious exuberance of the sea symphony, this is a contemplative poem on the most tragic story in the Christian corpus, set by the 19th-century master best known for his gorgeous symphonies. Another one not to miss, especially if, like me, you don’t already know this work!
Looking forward to an exhausting but intensely rewarding weekend!
Yesterday’s budget sounded a note of optimism. The economy is growing, the deficit is shrinking, and …
… hang on …
… the deficit? We’re running a still-huge deficit when we’re in the cyclical boom? Right, straight back to the bubble-economics that got us into trouble in the first place!
2005 was kind-of the opposite. The economy was slowing, the credit bubble had grown beyond sustainable, house prices were stumbling, and we were staring at recession. The government of the day spent its way out with a huge dose of Ballsian stimulus: add fuel to the fire, buy a couple more years feelgood at the price of turning that recession into the biggest slump for 30 years.
The chancellor of the day rationalised breaking his own rules by explaining that when he had talked of a balanced budget, he meant over the economic cycle. So at the bottom of the cycle in 2005 he would spend more, and make it up when the economy recovered. Ed Balls said much the same even as his idea collapsed in flames. And now … today’s chancellor has made clear his own commitment to Osbrownomics: run a huge structural deficit and – currently – claim the credit when a cyclical boom takes a few quid off the headline figure.
Hmmm … not really so different to 2005 after all …
On the plus side, the mood music about savings is a real change, and a welcome one. It will probably work for some time, propped up by “safe haven” status for the global super-rich. But that of course is another bubble involving prostituting our economy most wantonly! One day sentiment towards Sterling will change, and then what can survive a round of Weimar inflation in commodities including food and energy?
Q: When does a stable system start to go bad?
A: When you install a non-open package with privileges.
This morning my laptop with Debian Wheezy has shown its first signs of software trouble outside of my control. The Cisco AnyConnect VPN client, which I installed to be able to access $employer-intranet from it, refused to start up. No error messages, just that I double-click the launch icon and nothing happens.
I have some relevant information in syslog:
Mar 14 08:43:57 mimir vpnui: Function: ClientIfcBase File: ClientIfcBase.cpp Line: 162 Initializing vpnapi version 2.5.3051 ().
Mar 14 08:43:57 mimir vpnui: Function: loadProfiles File: ProfileMgr.cpp Line: 112 No profile is available.
Mar 14 08:43:57 mimir vpnui: Function: fileExists File: Utility/sysutils.cpp Line: 500 Invoked Function: _tstat Return Code: 2 (0x00000002) Description: unknown File: /opt/cisco/vpn/AnyConnectLocalPolicy.xml Error: No such file or directory
Mar 14 08:43:57 mimir vpnui: Current Preference Settings: CertificateStoreOverride: false CertificateStore: All ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: false AutoReconnect: true AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP: EnableScripting: false TerminateScriptOnNextEvent: false AuthenticationTimeout: 12
Mar 14 08:43:57 mimir vpnui: Function: CvcGtkNotifyBalloon File: CvcGtkNotifyBalloon.cpp Line: 87 Invoked Function: dlopen Return Code: -33554427 (0xFE000005) Description: libnotify.so.1: cannot open shared object file: No such file or directory
Mar 14 08:43:57 mimir vpnui: Function: connectTransport File: IPC/SocketTransport_unix.cpp Line: 711 Invoked Function: ::connect Return Code: 111 (0x0000006F) Description: unknown
Mar 14 08:43:57 mimir vpnui: Function: connectIpc File: IPC/IPCTransport.cpp Line: 246 Invoked Function: CSocketTransport::connectTransport Return Code: -31522804 (0xFE1F000C) Description: SOCKETTRANSPORT_ERROR_CONNECT
Mar 14 08:43:57 mimir vpnui: Function: terminateIpcConnection File: IPC/IPCTransport.cpp Line: 385 Invoked Function: CSocketTransport::writeSocketBlocking Return Code: -31522783 (0xFE1F0021) Description: SOCKETTRANSPORT_ERROR_NOT_CONNECTED
Mar 14 08:43:57 mimir vpnui: Function: initIpc File: ApiIpc.cpp Line: 299 Invoked Function: CIpcTransport::connectIpc Return Code: -31522804 (0xFE1F000C) Description: SOCKETTRANSPORT_ERROR_CONNECT
Mar 14 08:43:57 mimir vpnui: Function: initiateAgentConnection File: ApiIpc.cpp Line: 214 Invoked Function: ApiIpc::initIpc Return Code: -31522804 (0xFE1F000C) Description: SOCKETTRANSPORT_ERROR_CONNECT
Mar 14 08:43:57 mimir vpnui: Function: attach File: ClientIfcBase.cpp Line: 405 Client failed to attach.
Mar 14 08:43:57 mimir vpnui: Function: run File: ApiIpc.cpp Line: 387 Invoked Function: ApiIpc::initiateAgentConnection Return Code: -31522804 (0xFE1F000C) Description: SOCKETTRANSPORT_ERROR_CONNECT
Mar 14 08:43:58 mimir vpnui: Function: detach File: ClientIfcBase.cpp Line: 288 Shutting down vpnapi
OK, that gives me some things to check and messages to google. Lots of results, people experiencing similar though not identical grief. Seems often to happen when something gets upgraded. OK, let’s see if reinstalling the VPN client fixes anything.
But first, ensure the system is fully up-to-date. Now apt gives me another, rather more worrisome message, repeated many times:
insserv: Starting vpnagentd_init depends on minissdpd and therefore on system facility `$all' which can not be true!
Dammit, it’s running an agent behind my back. Grrr …
After that, re-installing the VPN client fixed it, and I may have to repeat that when I reboot in future (which I rarely do – suspend is more convenient). But now I have a system error. Is this the start of a slippery slope to an unstable system?
A promising solution is here. Let’s hope!
It’s reported (e.g. here) that the Queen’s grandson wants all the royal family’s ivory destroyed.
I am reminded of the Taliban destroying the Bamiyan Buddhas. The act looks much the same: destroying priceless works of art. The motivation looks much the same too: the works are founded on something seen as absolutely unacceptable. Is there a difference?
I heard someone debating this on the radio today. A lady supporting the Prince’s line put the Endarkenment argument: by owning the ivory, the royal family is complicit in the slaughter of elephants to collect it. Just as consumers of sex and violence are complicit, and we must be protected from such depravity as Shakespeare …
Hmmm. Yes, it’s a good link. A close analogy between policing the ‘net, destroying the ivory, and destroying the Buddhas.
It seems the southwest is very largely cut off from the rest of England. And now it’s indefinite!
The main railway line across Somerset has been closed for some time, along with many roads. An inconvenience, but at least an alternative (much slower, single-track) line to London remains open. But now the serious problem has happened: the Dawlish/Teignmouth coastal stretch has dramatically collapsed. The BBC has some footage of it here, showing the waves crashing over what remains of the line. Right now they’re apparently not even running replacement buses: conditions on the roads are challenging too.
This has long been a disaster waiting to happen: that stretch is surely not maintainable (as many of us, including Yours Truly, have long been saying). Time to get that alternative Exeter-Plymouth line North and West of Dartmoor reinstated, not in many years but as a matter of urgency!
mod_form is one of my old Apache modules. It serves to parse a standard form, and make its contents available to application modules in Apache. One fewer wheel for application modules to reinvent.
Like many of my older Apache modules, I wrote it for my own applications, but released it as open source in case it might be of use to anyone. I hadn’t heard of anyone using it, but then I wouldn’t necessarily: I’ve seen my forgotten works pop up in a few different contexts, sometimes as-is, sometimes developed a lot further than I ever took them.
A day or two ago I got email from Peter Pöml, telling me that it is used by MirrorBrain to parse arguments. But this usage requires a patch: mod_form as-was consumes the data so they no longer exist for anything else that needs the unparsed data. A very simple patch: just copy the data before parsing and leave the original untouched.
The patched version has been in use since 2007. But now it seems Fedora packaged it un-patched for MirrorBrain, leaving potential breakage in unexpected places. Whoops!
Peter’s patch is simple and beneficial, and carries no risk of breaking anything. So I’ve just applied it: download it now and you’ll get Peter’s improvement. mod_form is not versioned (I never considered it important enough – maybe I’ll rethink if it’s being packaged in the mainstream) so it won’t be immediately obvious. Blogging here for the benefit of anyone googling the story.
POSTSCRIPT (Jan 10): Peter mailed me again. It seems my information was incomplete, and the Fedora package was patched after all. There’s also another patch (from SUSE) for Apache 2.4 per-module logging, which I’ll look at when I have time.
Our rail companies regularly do line maintenance and engineering work at weekends and holiday periods, when much of their market – above all commuters – is quiet. Works often mean diversion and delays, so for some years I’ve (wherever possible) avoided weekend rail travel.
This christmas/new year period is no exception: they’ve taken advantage of it to conduct some major works. But what has changed in the last couple of years is that the online timetables now take account of all planned disruption. So we can now plan a journey with reasonable confidence. If your journey is shown as running normally, it’s because you’re unaffected by works, not (as before) because the timetable is a work of hopeful fiction. My main reason to avoid weekend/holiday travel is nullified.
Other disruption is alas less predictable, and our recent weather has provided it. It’s been warm, wet and windy, and storm damage has led to disruption that the timetables cannot generally deal with. To their credit, national rail now make very creditable efforts to provide up-to-date information about unscheduled disruption such as weather, too. Today’s weather forecast was – correctly – for more heavy rain and strong but not extreme wind.
So I embarked on the long journey home hoping for the best but prepared for the worst. Taking the first train of the morning at 7 a.m. at least leaves plenty of time. While not at risk of overcrowding, the early train was much busier than I had expected at that hour on New Year’s Day, and happily it was perfectly on time. The second train was less busy, and also perfectly on time. Disruption? What disruption?
The third and longest leg is the intercity route from London to Southwest England, which I joined at Westbury. Westbury is always a miserable station to wait at, and today’s weather certainly didn’t help when the train arrived something over ten minutes late, on top of the twenty minutes scheduled change. But once on the train I was compensated by the luxury of a nearly-empty carriage, and I accepted the explanation that it had been slowed for safety reasons. If there’s a landslip or a tree down on the line, you don’t want to hit it at 200 km/h! Later there was another stretch where we again slowed to a crawl. 15 minutes or so late in Plymouth, but one can’t blame them in the circumstances. My sister-in-law took nearly as long to travel one third of the distance by road!
What really impressed me was how the train passed through flooded areas. Extensive surface flooding on the Somerset Levels approaching Taunton was deep enough for the wind to whip up crested waves, and at a higher level than the tracks. Yet (presumably) by some miracle of engineering, the tracks themselves were clear of floodwater and the train was able to pass the stretch at speed.
Fortunately (and because I’d checked the tide tables) we passed the coastal stretch around Dawlish/Teignmouth at low tide. A few hours later those stormy-weather waves would’ve been breaking over both the track and the train.
 [I fell asleep writing this. Just returned to it Jan. 3rd, but read Jan.1st for "today".]
Who can I rape today, to make the angels rejoice?
This month I have, as one does, found myself singing a few carols. Love ‘em or hate ‘em, they’re a seasonal fixture for any singer. On the whole it’s not a bad thing: some pretty tunes, a lot of nostalgia, and occasionally something with musical interest. Though of course it becomes really nasty when muzaked through a sound system into a public place.
One of these was a new setting of the words of “the angel gabriel”. Unfortunately the setting is about as dreary as they come, and being slower than the well-known tune, I couldn’t help noticing those words. Glad tidings of …. well, of the Droit du Seigneur. The right of the feudal lord to first claim on a new bride’s virginity. I can’t claim to know the history of such rights, beyond the fact that Enlightenment artists like Mozart and da Ponte took the p*** out of it wickedly, and their 18th century audiences would presumably have known what they were talking about – just as a modern audience understands about slavery or Harper Lee’s Mockingbird.
Is the Droit du Seigneur in fact a form of rape? By modern standards, there can be little doubt. Rape no longer implies violence or even coercion: rather the definition centres on a notion of consent. A notion fraught with such difficulties as to raise questions over whether consent can exist if a woman is too drunk to know what she’s doing, or is mentally disturbed. But I think the Droit du Seigneur looks much more clear-cut: where there is compulsion, there cannot be valid consent. So when the carol says:
Then gentle Mary meekly bowed her head
To Him be as it pleaseth God she said
she is – in modern terms – merely paying her taxes with good grace. The alternative of struggling vainly against the inevitable would be akin to mounting a legal challenge to your tax bill: futile and self-destructive.
OK, the Christmas story is a Droit du Seigneur, which is in turn a pretty clear case of rape in today’s terms. And we celebrate it unthinkingly. One silly carol may be negligible, but the whole culture surrounding it is not. We all know this story. We teach it to our children from infancy, so by the time they grow old enough to understand or question it, it’s become second nature to them: so deeply rooted that they wouldn’t think to examine it, regardless of whether they believe in christianity, or in any part of the christmas story as historical.
Much of the world is celebrating rape today, and the angels are rejoicing.
 Bear in mind that Virgin Birth was perfectly common in biblical times. It was only much later that the word Virgin took on its modern meaning precluding the sexual act.
 Could a man being similarly drunk or disturbed work as a defence?