Saved from Visa

I’ve written before about the Fraudster’s Friend misleadingly named “Verified by Visa”.  Most directly in my post Phished by Visa, though Bullied by Visa perhaps also deserves a mention.

Today I went to place an order with Argos, who I’ve used several times before and who have always – in contrast to some of their competitors – delivered very efficiently.  This time alas the shopping process has become significantly more hassle, and they’ve introduced the VBV cuckoo into the process.  But I was pleased to note that, when I came to the VBV attack, Firefox flagged it up as precisely what it is: an XSS attack, and in the context of secure data (as in credit card numbers) a serious security issue.

I hope Firefox does that by default, rather than just with my settings.  Though it would be courageous, to take the blame from the unwashed masses who might think VBV serves their interests when it doesn’t work.  Doing the Right Thing against an enemy with ignorance on its side has a very bad history in web browsers, as Microsoft in the late 1990s killed off the opposition by exposing their users to a whole family of “viruses” in a move designed to make correct behaviour a loser in the market (specifically, violation of MIME standards documented since 1992 as security-critical).

Alas, while Firefox saved me from the evil phishing attack, the combination of that and other Argos website trouble pushed me to a thoroughly insecure and less than convenient medium: the telephone.  Bah, Humbug.

Mac vs Open Source

I develop software.

The kind of software I work on rarely concerns itself with details of the platforms it runs on, and is therefore inherently platform-neutral.  Of course complete cross-platform compatibility is elusive, but one does one’s best to adhere to widely-supported standards, libraries known to be cross-platform, etc.  And if something non-standard is unavoidable, try to package it so that switching it out will be clean and straightforward as and when someone has the need.

So it’s with some concern that I see the Mac platform apparently moving to distance itself from the open source world I inhabit.  I’ve got used to the idea that I sometimes have to use clang instead of gcc, and that that gives rise to annoying gotchas when autoconf stuff picks up gcc/g++ in spite of the standard names cc, c++ et al all being the clang versions!  Still, I guess it’s not the platform’s fault if
CC=cc CXX=c++ ./configure --options
behaves inconsistently.

Now it’s OpenSSL that’s been giving me grief.  Working with it on Mac for the first time, I see all the OpenSSL APIs I’m using appear to be deprecated.  Huh?  Googling finds that the whole of OpenSSL is deprecated on Mac.  Thou shalt use CC_crypto(3cc) instead!  Damn!!

OK, what’s CC_crypto?  Given that lots of software I work on uses OpenSSL, it’s only going to be of interest if it emulates OpenSSL (well, if for example it was an OpenSSL fork then that would be a reasonable expectation).  There’s a CC_crypto manpage, and google finds similar information at Apple’s developer site, but therein lies nothing more enlightening than cryptic hints:

To use the digest functions with existing code which uses the corresponding openssl functions, #define the symbol COMMON_DIGEST_FOR_OPENSSL in your client code (BEFORE including <CommonCrypto/CommonDigest.h>).

and

The interfaces to the encryption and HMAC algorithms have a calling interface that is different from that provided by OpenSSL.

Well, if that means it’s mostly OpenSSL-dropin-compatible, why not say so?  Even googling “CC_crypto openssl emulation” doesn’t turn up anything that looks promising, so I haven’t found any relevant documentation.  And since the header files are different, it will at the very least require some preprocessor crap.  OK, ignore it, stick to OpenSSL, kill off the -Werror compiler option, and maybe revisit the issue at some later date.

Not good enough.  The build bombs out when something (not my code, and I’d rather not have to hack it) uses HMAC functions, whose signature on Mac is different to other platforms.  So openssl on Mac – specifically /usr/include/openssl/hmac.h – is nonstandard!  Grrr …  In fact it appears to be some bastardised hybrid: OpenSSL function names with CCHmac-like declarations.  Is this OpenSSL in fact a wrapper for CC_crypto?  If so, why is it all deprecated?  Or if not, who has mutilated the API?

Well OK, that’ll be what Homebrew was talking about when it flashed up some message about installing OpenSSL only under Cellar, and not as a standard/system-wide lib.  So I have another OpenSSL.  Perhaps more?  locate hmac.h finds a whole bunch of versions (ignoring duplicates and glib’s ghmac.h):

/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.7.sdk/usr/include/openssl/hmac.h
/private/var/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.7.sdk/usr/include/openssl/hmac.h
/usr/include/openssl/hmac.h
/usr/local/Cellar/openssl/1.0.2/include/openssl/hmac.h

Of those, only the Cellar version is compatible with the canonical OpenSSL.  A --with-openssl configure option fixes my immediate problem, but throws up a bunch of questions:

  • Why have I had to jump through these hoops?
  • Where would I start if I want to use CC_crypto as advised in existing OpenSSL-using code?
  • What do I need to keep up-to-date on my system?  Presumably standard apps use the version in /usr , but is anything keeping that updated if homebrew isn’t touching it?

Dammit, looks like this Mac may be vulnerable!  Everything in /usr/include/openssl is dated 2011 (when the macbook was new).  The libssl in /usr/lib is dated September 2014 – which suggests it has been updated by some package manager.  But it identifies itself as libssl.0.9.8, which is not exactly current.  Maybe it’s a Good Thing the macbook’s wifi died, so it no longer travels with me outside the house.
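
An added example, not part of the original post: a shell check that reads the version string each OpenSSL include root declares and reports when the roots disagree, which is the situation the locate listing above shows.  The function names, the script name in the usage comment and the behaviour of treating a missing header as a disagreement are assumptions of this example; OPENSSL_VERSION_TEXT is the macro OpenSSL's own opensslv.h defines.

```shell
#!/bin/sh
# Added example (not the post author's code): compare the OpenSSL version
# declared by each include root, so a build cannot silently mix headers.
# Usage (script name is hypothetical; paths are the ones listed in the post):
#   sh audit-openssl.sh /usr/include /usr/local/Cellar/openssl/1.0.2/include

# Print OPENSSL_VERSION_TEXT from ROOT/openssl/opensslv.h; fail if unreadable.
openssl_header_version() {
    hdr="$1/openssl/opensslv.h"
    [ -r "$hdr" ] || return 1
    # Accept "# define" spacing, and skip the FIPS-only variant that some
    # headers define next to the normal string.
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$hdr" |
        grep -v -e '-fips' | head -n 1
}

# Print "root<TAB>version" for every include root given.  Return 1 when the
# roots do not all declare the same version, i.e. when the result of a build
# depends on which -I path the compiler happens to search first.
audit_openssl_roots() {
    seen=""
    status=0
    for root in "$@"; do
        ver=$(openssl_header_version "$root") || ver=""
        [ -n "$ver" ] || ver="(no opensslv.h)"
        printf '%s\t%s\n' "$root" "$ver"
        if [ -z "$seen" ]; then
            seen="$ver"
        elif [ "$seen" != "$ver" ]; then
            status=1
        fi
    done
    return "$status"
}

# Run the audit only when include roots are passed on the command line.
[ "$#" -eq 0 ] || audit_openssl_roots "$@"
```

A non-zero exit status means the listed roots declare different OpenSSL versions, so the build should pin one of them explicitly (as --with-openssl does above) rather than rely on search order.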

WTF is Apple doing to us?

Roots

I recently visited my father for a few days.

That doesn’t mean I revisited a childhood house, or even town: neither he nor I has done that for many years.  But one thing somehow took me back: hearing the cooing of pigeons outside.  That’s not even a very nice sound: it can be quite infuriating when it goes on incessantly, and I have some recollections of them being an annoying pest.  Yet that sound gave me a faintly Proustian nostalgia.  Followed of course by the realisation that there aren’t any around here, and faintly wondering why not: it can’t be just the neighbourhood cats!

During my visit I went to an event in London, and stayed on for a concert in the evening.  It was the RPO, at the Royal Festival Hall.  I got a great seat, and thoroughly enjoyed it.  But a little more than that: the orchestral sound was somehow ultimately “right”: the canonical orchestral sound.  What I was actually hearing (apart from a fine orchestra playing great music) was the Festival Hall’s acoustic, and I think that “rightness” must’ve been because that’s where I first ever heard an orchestra when my parents took me to see The Nutcracker there as a small child!

Hmmm ….

I, for one, welcome our new foreign masters

Today the Scottish Nationalists – who might possibly hold the balance of power after this year’s UK election – have explicitly announced what they’ve been strongly hinting since the referendum.  They will come down from the moral high ground they have hitherto occupied, and start to exercise their constitutional right to a share in the rule of England.  That is, in addition to their legitimate minority share in the rule of the UK (and indeed EU), of which England and Scotland are both parts.

Let’s be clear.  I don’t want to be ruled by the SNP.  I particularly don’t want to be ruled by their socialist economic policies (though the alternatives look pretty bleak, too).  But I have applauded the SNP for taking the moral high ground in the past, unlike the utterly corrupt Labour party who first created our constitutional brokenness and have always abused it.  I applauded the SNP for their heroic efforts to rid us of this brokenness (e.g. here and here).

Now I applaud them once again.  The moral high ground is in practice ambiguous and impractical: that is all part of Blair’s terrible legacy.  And it is far too broken to apply sticking plaster as the Tories now seem to want, or to kick back into the long grass as Labour are desperate to do.  How better to try and combat those things than by provoking the constitutional crisis that’s been inevitable since Blair?  How better to do that than for Scottish MPs to highlight unfairness to the English?

And their choice of issue looks like a stroke of genius, encompassing not just (inevitably) the West Lothian Question, but also the Barnett Formula.  The latter is of course one of the complexities that renders both their former moral high ground and the Tories’ sticking plaster hopelessly impractical.

Dodgy Data

Oxfam grabs a headline with a report telling us the richest 1% will own half the world’s wealth in 2016.

As with many reports coming from lobbying organisations, this one provokes scepticism.  Not outright dismissal, but a “really”, and a need to know what they’re actually measuring before I can treat it as meaningful.  It also provokes mild curiosity: how rich do you have to be to be in that 1% (not least because I have a sneaking suspicion it includes a great many people who our chattering classes don’t consider at all rich)?

The Oxfam report itself is a mere twelve pages and disappointingly light on data.  If there’s any attempt to substantiate the headline claim then I missed it.  But googling “World Wealth” finds this report, which tells me total world wealth is projected to be $64.3 trillion in 2016.  OK, that’ll do for a ballpark calculation.  $64.3 trillion between 7 billion people is an average of about $9k per head.  If the top 1% own half of it, that’s $32.15 trillion between 70 million people: an average of $459k per head within that top 1%.

That’s £300k.  There must be millions in Blighty with that much in housing wealth alone (and others correspondingly locked out).  Not to mention in other high-cost countries around Europe, America, Asia, and I expect even a few in the third world.  All above the average of that fabled top 1%.

But of course housing isn’t our only asset.  In Blighty and around the developed world, a big chunk of our wealth takes the form of Entitlements.  One such in the UK is the Basic State Pension, which is worth £200k, and even the poorest Brit is entitled to it.  It seems you can be in that top 1% without being rich enough to buy a house in Blighty!

Hmmm.  Oh dear.  Maybe Oxfam’s spin isn’t really very meaningful at all.  Except perhaps to highlight how incredibly egalitarian we are within Blighty – and probably all developed countries – once you include the effect of government actions.

I won’t be going to FOSDEM

Belgian cities full of trigger-happy armed troops, with orders to shoot to kill, and a recent track record of doing so.

In reality, probably a lower risk than regular vehicular traffic, even for those of us with an ample beard and a big backpack.  Though surely a far higher risk than the supposed terrorist threat.  But that level of security theatre is hardly welcoming to visitors.  Since I have the choice, I’m staying away, and withholding the support that might be inferred from my travelling to Brussels for a weekend in the near future.

It’s a bit of a shame: I missed last year’s FOSDEM too due to family commitments.  Maybe next year?

[edit] That last sentence is a bit disingenuous, insofar as it suggests this is a big change of plan.  In reality I hadn’t decided one way or the other.  I’ve been doing that of late: I only got around to signing up for ApacheCon in Budapest the day before it started!

Je suis Voltaire

David Cameron

You disgusting hypocrite

It should go without saying, but let’s say it anyway: I join the rest of the world in condemning the terrorist attack on the French magazine Charlie Hebdo.

I’m not familiar with the publication, and all I know is what’s been reported in the media coverage of the attack.  I’m sure they’ve published offensive things, no doubt often for very good reasons.  Maybe sometimes also gratuitously so, which would be indefensible unless with an apology for poor judgement.  But even if they were completely wrong, nothing justifies gunning them down!

Here in Blighty we were treated to a clip of our beloved Prime Minister expressing sentiments with which we can all agree.  Alas, some of his fine words sit uneasily with his government’s less-than-fine actions.  What I found utterly jarring and what prompts me to comment were his words: “… and we stand squarely for free speech …”.

Ahem …

No you don’t: you have demonstrated that you stand squarely against free speech.  On your government’s watch, people have been imprisoned for having the wrong book, or for being an arse on twitter (the latter looks like a close analogy to the very Free Speech you claim to defend).  Your government shows no signs of rolling back Blair’s police state, but rather looks to extend it, and our culture has moved so far into totalitarianism that a supposedly-serious documentary programme this week on the BBC can be outraged by free speech where it exists elsewhere in the world!

OK, dragging some poor sod through our courts isn’t the same as gunning them down.  That more genteel and sophisticated option isn’t available to private individuals, so while the difference is real, it isn’t a simple case of civilisation vs barbarity.

What a hypocrite!

p.s. There’s another case been in the news recently.  Some footballer who’s been to prison, and whose attempts to return to work have been thwarted by a successful campaign of terror.  That is, real terror: it seems prospective employers have been scared off by credible threats of extreme violence.  Now that situation (of credible threats) is precisely where the State should have a legitimate interest in taking action against the culprit(s).  Will they?

Where do I find lost files and mail settings on Mac?

OK, today the macbook lost my mail.

That is to say, instead of Mac’s mail client launching normally, showing me my folders and connecting to my servers, it gives me the setup wizard.  It won’t even let me bypass the wretched wizard and launch the mailer.

OK, I haven’t lost anything irretrievable (except perhaps some long-forgotten drafts), but I’d really rather not do battle with that wizard again: so much frustrating guesswork to find the settings that’ll talk to imap and imaps servers.  Are my settings somewhere I can retrieve them?

It’s at this point I realise how hopelessly irrelevant my Unix knowledge is when it comes to a Mac.  There’s no lost+found directory.  “ls -la ~ |grep -i mail” (and variants) turn up nothing.  Neither does a look in Mac’s /Applications/Mail.app turn up anything that looks remotely promising.

More frustratingly, neither does Google.  My attempts to google this question just turn up screenfuls of how to do things using the Mail GUI.  The same mail client that refuses to launch without the ritual incantation of the setup wizard.  Grrrr …

Dear lazyweb, Anyone know where in the mac filesystem I might look?  MacOS announces itself as 10.7.5.

The apple in winter

I know I’ve blogged before about the macbook’s dead wifi.  That’s now a worked-around problem: it generally serves as a desktop-substitute at the treadmill, where it can use wired networking.  And if I want to use it elsewhere, I can connect it with USB+4G.

I don’t think I’ve ever troubled the blogosphere with a lesser but nevertheless very annoying problem: the macbook’s inability to hibernate in winter.  I set it to sleep in the evening, then when I come back in the morning it’s unresponsive to anything on the keyboard, or any mouse click.  Sometimes the screen is screwed too; other times it’s a perfectly normal but just unresponsive password screen.  Nothing short of powering it down and hard reboot will revive it.  That’s both frustratingly slow, and sits very poorly with the number of applications – particularly browser tabs – I keep alive.  Past experience tells me this problem goes away with the warmer weather in spring, but not for quite a while.

Any tips for using a macbook in winter?  Keeping certain apps open will prevent it sleeping so it remains warm and active indefinitely, but that goes against my principle of not wasting more electricity than a standby-state for overnight or longer periods.

Your favourite paedophile

Santa Claus

A benign image, but a darker history.

The modern image is benign: a fat jolly supernatural fellow, and the implausible giver of gifts to children.  And his mortal doppelgangers in innumerable shops and seasonal events.

But is there a historical original?  And would he be welcomed in today’s society?

The answers are a qualified Yes, and a pretty unqualified No.  The Yes comes from tracing “Santa Claus” back to “St Nicholas”, the 4th century Bishop of Myra.  It’s a somewhat-tenuous derivation that works very differently in different modern languages, and is not the only origin story: hence only a qualified Yes to the man we call St Nicholas as the original Santa.

So who was this man?

Well, for one thing, he was quite the opposite of the modern image of jollity.  He appears to have been a killjoy who saw fun as a sin and prayed earnestly while others let their hair down.  There are possible hints that he might even have prayed for divine retribution on the sinners, though that remains speculation.  Not, in character, a role model for the modern Santa.

But in one thing – the story that lends credibility to his being the origin of Santa – he was very much the role model.  He gave gifts to children.  Gifts of gold, that might be thought to sit uneasily with Christian ideas of disdain for worldly wealth.

It’s in the recipients of his generosity that the true nature of the story becomes clear.  These are girls.  They’re at the age where they rebel a bit against parental discipline, but their father keeps them on a tight rein to protect them from the Big Bad World.  In other words, young teens.  Nicholas’s gift of gold helps liberate them to have some … erm … fun.  So not an early case of “bishop and choirboys”, but rather one like the girls in this more modern story (albeit without the racial element).

Was he in fact a pimp?  I know of no strong evidence, but circumstantially it seems entirely likely.  It would account for his repeating the gift for several girls, and might’ve helped with being able to afford them!  But at the very least, he was not a man modern parents would want near their children!
