Monthly Archives: September 2014

Sexist flagbearers hypocrisy revealed

This evening, the BBC broadcast the results of a short story prize.  I heard some of the stories as they broadcast them last week, and they were indeed good.  I missed the broadcast of the winning story, but I daresay it was well-deserving of its award.

Being the BBC, they didn’t just broadcast the stories and the award ceremony.  They also broadcast a lot of discussion: of the award, the shortlisted candidates, the stories, of the short story form, of what works well with the form, authors and critics anecdotes, etc.

Never once in all that discussion did anyone remark on the fact that it was an all-female shortlist.  Why should they?  There’s nothing remarkable about it: it’s entirely reasonable (and in the long term statistically inevitable) that a fair and impartial shortlist should, from time to time, be all female.

— However —

This is the same BBC who, a couple of years ago, found itself with an all-male shortlist for another award.  I don’t recollect the award itself, just the huge fuss they made of the absence of women on the shortlist.  This is a huge misogynistic scandal, unacceptable sexism.  How was this allowed to happen?  Do heads need to roll?  This must never be allowed to happen again!

Googling suggests the award in question was probably their “sports personality of the year” (for 2011), which would explain why I had no interest in the award itself and heard only the fuss.  The mindless, blatantly sexist fuss, that is now revealed in the full glory of its hypocrisy by the contrast with today’s very civilised short story award.

Forever war

Once again, we’re going to war against an ill-defined enemy.  But this time it’s clear: this is the enemy’s own agenda, and our Headless Chickens are merrily dancing to “Jihadi John”‘s tune.  As ever, we’ll take a bad situation and make it vastly worse.

When it’s demagogues like Galloway and Farage consistently talking the most sense on the subject of policy towards the world’s trouble spots, one can but shake the head and redouble one’s efforts to reduce complicity.

Oh, erm, and am I the only one to see the irony in all the Islamic State horror coming in this centenary year of 1914, as we look back at “Germans eat your babies”?

Defending against shell shock

I started writing a longer post about the so-called shell shock, with analysis of what makes a web server vulnerable or secure.  Or, strictly speaking, not a webserver, but a platform an attacker might access through a web server.  But I’m not sure when I’ll find time to do justice to that, so here’s the short announcement:

I’ve updated mod_taint to offer an ultra-simple defence against the risk of shell shock attacks coming through Apache HTTPD, versions 2.2 or later.  A new simplified configuration option is provided specifically for this problem:

    LoadModule taint_module modules/
    Untaint shellshock

mod_taint source and documentation are at and respectively.

Here’s some detail from what I posted earlier to the Apache mailinglists:

Untaint works in a directory context, so can be selectively enabled for potentially-vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.

This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for “()” at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.

Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I’m open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports!


Wee, sleekit, cow’rin, tim’rous beastie,
O, what a panic’s in thy breastie!

What a letdown, Jock.  Your poet must be spinning in his grave.

Carry On up the Union

Today the Scottish referendum debate has turned to pure comedy, as the preserve-the-status-quo political and media Establishment turn to blind panic and run about like headless chickens. All the Westminster leaders are belatedly running off to campaign, and stressing that You can vote No, because No will mean Yes in all but name. Though each party still seems to have its own flavour of NoMeansYes, so that’ll be another confused and horrible compromise agreement to thrash out, or alternatively no agreement and kick the issue into the long grass (and try to blame the Scots Nats).  They’ve even dragged the Royal Family in, with a well-crafted Denial that the Queen might plead for the Union, and a big Feelgood announcement from her grandson and his missus.

As I’ve said before, our constitution since Blair is hopelessly broken.  Disappointingly, none of his successors at Westminster show any inclination to fix it, so the only proposal on the table is Scottish independence.  That will leave both parties with some interesting problems, but I think much more political will to deal with them than has hitherto been in evidence.

There are of course some glaring problems in the Scots Nats programme.  I don’t think that’s actually a problem: a Yes vote is just the start of a process of negotiation in which everyone can drop their sillier and more outlandish ideas in pursuit of a mutually-acceptable agreement.  Unlike a No vote, which just gives the headless chickens a mandate to sink straight back into complacency.

Now it’s Jocks’ Choice.  Say Yes to independence, force the issue, end the bad marriage, and let’s be good friends, just as we are with other neighbours such as the Dutch or the Irish.  Endure short-term pain – for there will surely be quite a hiatus and disruption on both sides – for long-term gain.  Or say No, succumb to the bullying of the political class, and condemn us all to another generation of brokenness.