On Passwords and SolarWinds

By now everyone knows about the major breach of the U.S. Government (and probably others) that had its genesis in an exploit that gave attackers access to the SolarWinds build chain. Some are reporting that the problem was a leaked and very weak password. Others say that the password doesn’t really matter and that the nation state responsible would have gained access one way or the other.

Whatever the truth of the matter, the password itself deserves comment. The password was the comically inept solarwinds123. The only thing you can say about it is that it’s not 123456 or password. It’s so bad that the SolarWinds CEO felt that blaming it on the standard, all-purpose rogue engineer was not enough so he blamed an intern. I’m sure he would have blamed the janitor if he could have come up with a plausible story to go with the accusation.

The CEO can say what he wants but how is it not a massive management failure for this to happen? Not only was an intern allowed to set a password that gave access to the company’s network, but that password was exposed on the Internet for two years before a security researcher found it and reported the exposure to SolarWinds. Why weren’t the intern’s actions monitored by IT? Why wasn’t he provided with a token generator for two-factor authentication or at least told to use an SSH key?

It’s almost a cliché to say that passwords are dangerous and need to be replaced. I don’t think that’s necessarily right and it’s certainly not going to happen but we can surely do better than solarwinds123. And no one should think that blaming an intern in any way relieves management of the responsibility to see that we do do better.

Posted in General | Tagged | Leave a comment

How to Implement a Zettelkasten Link Type in Org

Christian Tietze is an author at the zettelkasten.de site and, of course, keeps his notes in a Zettelkasten. He has his own app, The Archive, for that but he’s also an Emacs user. He uses a timestamp as a key to his Zettelkasten notes and can access them from his browser with a URL of the form:

thearchive://match/TIMESTAMP

Being an Emacs user, Tietze wanted to be able to link to his notes through Org mode. To do that, he implemented a special Org-mode link type: zettel. Thus he can use links like

[[zettel:TIMESTAMP]]

or

[[zettel:TIMESTAMP][Descriptive text]]

and clicking on one of them opens the relevant note in his browser.

It turns out to be pretty easy to set this up. Take a look at Tietze’s post for the details. Of course, his is a pretty specialized use case but the same simple procedure can be used to set up your own special links. The post is short and informative so it’s worth taking a look at it even if you don’t need a special link type right now.


An Interview with SciHub’s Alexandra Elbakyan

I’ve written several times about Sci-Hub and the moral quandary it presents for some of us. On the one hand it’s easy to say that what they’re doing is stealing and that it should be stopped. On the other hand, the scientific publishers are rapacious rent seekers who exploit the researchers, the reviewers, their journal editors, and in most cases the taxpayers who paid for the research in the first place. It’s hard not to cheer anything that disrupts their scam.

The Wire has an interesting interview with Alexandra Elbakyan, who founded Sci-Hub. Her impetus for starting it and for continuing to run it is that a large part of the scientific community lives in poorer regions or is not associated with a university and simply can’t afford access to the articles they need for their research.

Elbakyan talks about how she came to found Sci-Hub and her take on the piracy issue. The TL;DR is that Sci-Hub is not diverting funds from the creators who deserve it but from outside organizations that don’t. The publishers, of course, beg to differ and she and Sci-Hub have been sued many times—currently India is being asked by the publishers to block Sci-Hub. A U.S. court has ordered her to pay Elsevier 15 million dollars, a ruling that she blithely ignores.

It’s an interesting interview and relatively short so it’s well worth taking 5 minutes to read it.


Emacs Writer

As most of you know, I’m very interested in the ways that non-technical people use Emacs and ways of making Emacs more accessible to such people. Ashton Wiersdorf is a technical user married to a non-technical writer looking for a better way to wrangle text. Being an Emacs user, Wiersdorf naturally thought of Emacs but worried that it was too intimidating for non-technical users so he built emacs-writer, a simple configuration purpose-built for writers.

Wiersdorf makes a point of saying that this is still a work in progress and that you shouldn’t inflict it on a loved one unless you’re willing to provide technical support. Still, it seems like a nice project that can be easily adapted for individual needs.

I think this is a great project as long as its intended users understand that it’s a “starter kit.” I use Emacs for writing all the time and a lot of the features I use every day are add-ons that users add as they become more experienced. If you plan on using emacs-writer forever, you’re missing the real power that Emacs has to offer. On the other hand, it makes a great configuration to start with and there’s no reason you can’t add to it as you become more experienced with Emacs.

In any event, it’s worth following this project if you have someone who could benefit from a real text editor. As Wiersdorf says at the top of the README,

“Writing should be all about the words. But word processors like Microsoft Word, Google Docs, or Apple’s Pages force you to think about formatting as you compose.”


Facebook and Apple

It’s unlikely that any sentient being in the known universe, let alone any Irreal reader, is unaware of the squabble raging between Apple and Facebook over Apple’s forthcoming iOS change that will require apps to ask a user’s permission before collecting tracking data. “Collecting tracking data” is adtech weasel wording for “stalking and spying on their users.”

NPR has an article on the dispute that is more sympathetic to Facebook’s position than any other I’ve seen but even with their generous reading of the situation, Facebook’s arguments don’t hold up. Facebook can’t attack the notion that users should have control over their own data, of course, so they fall back on two arguments.

The first is that Apple’s action will hurt small businesses and that Facebook is simply acting as their champion. That doesn’t pass the laugh test, of course, and most organizations other than Facebook think that the change will have little effect on small business. Facebook, on the other hand, could take a 7% hit to their revenue.

The second argument is basically an ad hominem. Facebook says that the real reason Apple is making the change is to do away with free apps in favor of subscription-based apps because then Apple gets 30% of the take. Even if we assume, arguendo, that that’s true, so what? That doesn’t change the fact that Facebook wants to spy on us and Apple is saying, “Fine but you have to ask first.”

That last part is significant. Apple isn’t saying you can’t track, merely that you have to ask the user’s permission first. Facebook hates that because, of course, most people aren’t going to give that permission. So who, really, is standing up for the little guy?


Red Meat Friday: Programmers—Then & Now

Here’s a little red meat for all the graybeards out there waving their canes and yelling at the kids to get off their lawn.


Tracking Pixels

Daring Fireball’s John Gruber, taking a break from criticizing the president who is not the president (it’s a Zen thing), has an excellent rant on the abomination that is email tracking pixels. As most Irreal readers surely know, a tracking pixel is a one-pixel, essentially invisible, image included for the purpose of tracking. When the image is downloaded the requesting IP address (at least) is captured and used to record that the recipient has read the email and, of course, how many times it was opened.

It’s another outrageous practice that the adtech industry tells itself is okay because “everybody does it.” Gruber takes a blowtorch to that and the other excuses that the industry offers. This disgraceful behavior has been going on for a long time. Gruber wrote about it a couple of years ago but its use predates that post by many years. According to the BBC, 2/3 of emails sent to personal accounts contain a tracking pixel.

What to do? Gruber mentions that the Hey email client detects and eliminates essentially all the tracking pixels and laments that Apple, the company known for privacy, does nothing to prevent them. As regular readers know, we here at Irreal are not fans of calling in the government to fix every perceived problem but it’s hard to see how the industry’s behavior is any different from stalking, which we already have laws against. The use of tracking pixels is explicitly illegal in the EU but that law appears to be honored more often in its breach than in its observance. I like Hey’s strategy of displaying a “shaming banner” with any email that contains a tracking pixel. Perhaps if people saw how often it was happening they’d complain to the perpetrators.


Customizing the Agenda

If you’re an Org-mode user you’ve probably seen some of the custom Agenda displays that enterprising users have created. They can be useful for those who like to organize their activities and use the Agenda as a portal into that organization. Daniel Gopar gives us a pointer to how it’s done:

The link in the tweet takes you to the section of the Emacs manual that describes the default sorting of Agenda items. If you want to build a richer, customized display, you should check the section of the Org manual on Custom Agenda Views or you could take a look at Alphapapa’s org-super-agenda package.


Maintainers and Expectations

I’ve written things like this before but apparently the right people weren’t paying attention. The free/open software movement depends substantially on volunteers. Yes, some companies contribute by paying their employees to work on projects they’re interested in and, of course, there are companies like Red Hat that make significant contributions. But without those volunteers, open source would die and we’d all be suffering under Windows and complaining about how much we hate Word.

That’s especially true of the maintainers who not only contribute code but take on a significant managerial role as well. As any manager will tell you, any decision they make will annoy someone. Sometimes the annoyed will complain vigorously. That’s not necessarily bad. You see it a lot on the Emacs devel list but by and large the discussions are polite and largely restricted to the matter at hand.

But not always. Sometimes a certain type of person can come to feel entitled and complain that the maintainers are not doing what they want. Often, as in the discussion I linked, the complainant doesn’t really understand the situation or know what’s going on. I pay only casual attention to the Emacs devel list but even I know that Eli, far from “not feeling like it,” was actually working behind the scenes to resolve some real problems with merging gccemacs to the main branch and that the process of merging is ongoing.

Eli and the others ARE VOLUNTEERS. They contribute their efforts and even though most of us know them only as maintainers, they have lives, families, and real jobs to attend to. They deserve our gratitude, not our abuse. Note that I’m explicitly not talking about people like Andrea and Yuuki. They’re making their own contributions and are entitled to query the maintainers on why those contributions aren’t being merged as fast as they like. Also note that their posts were polite and constructive.

I get that not having things move as fast as you’d like can be frustrating but all of us need to remember that guys like Eli are doing a great job for free and they deserve our gratitude. If we’re not going to pay them, at least we can throw an attaboy or two their way.


Designing with Finite State Machines

I’ve written before (see here and here for example) of my enthusiasm for using finite state machines (FSMs) in my design and coding. I had a C-based template that I used over and over. To implement a new state machine I just filled in a table that mapped the current state and input to a transition routine and, of course, wrote the transition routines. It was fast and easy. More importantly, I found that the software was always more reliable than if I used some other method. That’s because once you write your state transition diagram, almost everything else is mechanical.
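The table-driven template described above, as an added example (my own code, not the post’s template or anything from de la Rocha’s post): the current state and the class of the input byte index a table of (action, next state) entries, and the parser walks a constructed key=value record. The one point worth seeing in code is that every pair the table does not list falls into an absorbing error state, so malformed or over-long input can never wander into an unintended path.

```c
/* Added example of the table-driven FSM pattern: state x input class
 * selects an (action, next state) entry. Parses one "key=value\n" record. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
enum state { S_ERROR, S_KEY, S_VALUE, S_DONE, N_STATES }; /* S_ERROR == 0: unset entries land there */
enum input { I_ALNUM, I_EQUALS, I_NEWLINE, I_OTHER, N_INPUTS };
struct parser { enum state st; size_t klen, vlen; char key[16]; char val[32]; };
typedef int (*action_fn)(struct parser *p, char c);   /* 0 = accept, -1 = reject */
static int act_none(struct parser *p, char c) { (void)p; (void)c; return 0; }
static int act_key(struct parser *p, char c) {        /* bounded append, keeps NUL room */
    if (p->klen + 1 >= sizeof p->key) return -1;
    p->key[p->klen++] = c; return 0;
}
static int act_val(struct parser *p, char c) {
    if (p->vlen + 1 >= sizeof p->val) return -1;
    p->val[p->vlen++] = c; return 0;
}
static int act_finish(struct parser *p, char c) { (void)c; return p->klen ? 0 : -1; }
struct transition { action_fn act; enum state next; };
/* The whole design lives in this table. Rows for S_DONE and S_ERROR are empty,
 * so bytes after a complete record, or after any error, are rejected. */
static const struct transition table[N_STATES][N_INPUTS] = {
    [S_KEY]   = { [I_ALNUM] = {act_key, S_KEY},   [I_EQUALS]  = {act_none,   S_VALUE} },
    [S_VALUE] = { [I_ALNUM] = {act_val, S_VALUE}, [I_NEWLINE] = {act_finish, S_DONE}  },
};
static enum input classify(unsigned char c) {
    if (isalnum(c) || c == '_') return I_ALNUM;
    if (c == '=') return I_EQUALS;
    if (c == '\n') return I_NEWLINE;
    return I_OTHER;                 /* control bytes, spaces, high bytes, ... */
}
static void step(struct parser *p, char c) {
    const struct transition *t = &table[p->st][classify((unsigned char)c)];
    p->st = (t->act && t->act(p, c) == 0) ? t->next : S_ERROR;
}
/* Returns 1 when buf is exactly one well-formed record, else 0. */
int parse_record(struct parser *p, const char *buf, size_t len) {
    memset(p, 0, sizeof *p);
    p->st = S_KEY;
    for (size_t i = 0; i < len; i++) step(p, buf[i]);
    return p->st == S_DONE;
}
int main(void) {
    struct parser p;
    const char *ok = "user=alice\n", *bad = "user=al\x01ice\n"; /* constructed inputs */
    printf("%d %d\n", parse_record(&p, ok, strlen(ok)), parse_record(&p, bad, strlen(bad)));
    return 0;
}
```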

Alfonso de la Rocha has an excellent post on designing and coding with FSMs. He echoes my opinion that developing with FSMs results in simpler, more reliable programs. He also shows how drawing the state diagram helps to understand the problem better, which also improves the implementation.

In his discussion de la Rocha mentions some advanced tools that can help with the design of FSMs. First is mermaid, a tool that lets you specify your state diagram in a markup language and produces a nice state diagram from it. Often, it’s possible to take that idea a bit further and produce both the diagram and the code from the same specification. I wrote about an example of this in Eric Raymond’s UPSide project.

Next he gives some examples of frameworks (in Go) to help produce an FSM implementation. They’re similar to my template that I discussed above. Finally, he mentions TLA+, a system to formally verify that your FSM is correct.

It’s a good post with lots of useful information. It’s definitely worth your time to give it a read.
