Dropbox and the NSA

I’ve written many, many, many, many times that if you are using Dropbox for private information that you don’t want others to have access to you better be encrypting it. And if you’re not, you have only yourself to blame when (not if) if it gets published on the Internet.

Now we learn that the US government is planning to add Dropbox to its Prism providers. As I write this there is some question as to what this means: are the providers willingly giving the NSA access to their users data or is the NSA intercepting the data outside of the providers’ servers. In the end, it doesn’t matter. You should assume that the US government has access to any data you store on Dropbox. If that data is securely encrypted, you are probably secure—at least if your encryption key isn’t passowrd—but if you’re depending on Dropbox to keep your secrets, you’re screwed. DON’T DO THAT!

If there’s anything we can learn from the Prism scandal it’s that you absolutely can’t store sensitive data in the cloud without encrypting it with STRONG crypto. I’m using Dropbox as an exemplar here but the same principals apply to any other cloud storage. Dropbox is probably one of the most reliable providers but even it is not immune to deep packet inspection of its traffic within the Internet nor warrants, no matter how specious.

Posted in General | Tagged | 1 Comment

Where Are My Torrents?

Matt Might wonders why he can’t find a torrent for a BBC show.

Posted in General | Tagged , | Leave a comment

Magit Tutorial

John Stevenson over at jr0cket has a nice Magit tutorial up. If you’re using Emacs and Git then you definitely need to check out Magit. I get mine from Melpa but the link above leads to the Git repository if you prefer.

Stevenson’s tutorial takes us through setting up an new project. After the initial files are created, Johnson starts things rolling with 【Meta+xmagit-init and then walks us through staging and committing files and, finally, creating an external repository. All this can be done from within Magit so there is little reason to fallback to the command line for most operations.

Happily, Johnson promises to write about some of more advanced features of Magit in later posts. I hope he follows through; based on the first in the series, it promises to be a useful introduction to Magit. There’s always the video and the manual, of course, but Johnson’s tutorial is a useful way to get up to speed easily.

Posted in General | Tagged , | 1 Comment

SBCL 1.1.8 Is Out

I just updated my Common Lisp system, SBCL, to the latest version, 1.1.8. Between now and the last update, I had upgraded OS X to Mountain Lion. That, of course, meant that I had to reload GCC and the other command line utilities. I wrote about that the last time I had this problem. That’s fortunate because I didn’t remember how to do it.

After that, everything worked well. The compilation and tests ran without mishap. This is a big release. There’s a ton of bug fixes and enhancements that are all cataloged on the NEWS page. Paul Khuong has a nice post of one of those enhancements, SSE Intrinsics.

I say this every time I update but it bears repeating. If you’re looking for an excellent Common Lisp system, I can recommend SBCL without hesitation.

Posted in Programming | Tagged , | Leave a comment

VimGolf in Emacs

It’s been a while since we Emacs enthusiasts have locked horns with the users of that other editor. Here’s a simple VimGolf challenge to warm us up. Starting with the buffer

one two
three

end up with

(one) (two)
(three)

The best Vim score was 12 keystrokes. I did it in 7 without trying very hard; I just did the first thing that came into my head. So the challenge for Irreal readers is to do better than 7. I have no doubt that one of you will do significantly better.

Posted in General | Tagged | 22 Comments

Tail Call Optimization in Elisp

If you’ve got a Lisp background—especially a Scheme background—you may have internalized recursion as a looping mechanism and general programming strategy. That doesn’t work with Elisp, of course, because each recursive invocation allocates a stack frame. Not to worry, though, Wilfred Hughes has got you covered.

His tco.el provides a macro and some trampoline code that allow you to define a function that can be called tail recursively without worrying about exhausting memory with stack frame allocations. This isn’t something you’ll want to do that often in Elisp but there’s been a couple times when the natural solution to an Emacs project I was working on called for tail recursion and I missed having it. Even if you don’t worship at the church of recursion, you’ll have to admit that it’s a nice hack.

Posted in Programming | Tagged , | 2 Comments

Elisp for Common Lisp Programmers

Jean-Philippe Paradis Tweets a thought about Common Lisp programmers learning Elisp that seems to me to be exactly right. I’ve expressed the same idea myself but not nearly as succinctly or neatly.

Posted in General | Tagged , | Leave a comment

Responsible Disclosure

Most Irreal readers are familiar with the concept of responsible disclosure: the idea that if you discover an exploitable flaw in a site or piece of software, you should contact and inform the folks responsible for the site or software before publishing your findings. That gives the developer or admin a chance to fix the problem before tipping off the bad guys. This week, there were two interesting articles posted about responsible disclosure.

The first was by Troy Hunt. Hunt is a security expert whose work we’ve discussed many times on Irreal. He illustrates the challenges of responsible disclosure with two stories. In the first, he publishes a story about a fairly innocuous vulnerability concerning a mall’s car location service. The story was picked up by the local press and the mall management immediately suspended the service and contacted Hunt asking for advice on how to resolve the problem. Result: a potential problem is resolved quickly and efficiently even though Hunt didn’t give official notification.

Hunt’s second story involves a serious problem (user names and passwords publicly exposed) with a Black & Decker web site. Hunt does everything according to protocol. He attempts to notify B&D but is unable to get any response. He tries contacting B&D in the U.S. (Hunt is an Australian) and still can’t find anyone to talk to him. Finally, a Microsoft contact, who has a relationship with B&D, gives him a contact. The story just goes on and on. Four and a half days later the problem is finally fixed. The story illustrates how resistant some corporations can be to acknowledging and fixing vulnerabilities.

The second post is from the Google Blog. In it Google announces its new policy concerning responsible disclosure. The salient feature is that they will support researchers disclosing critical vulnerabilities seven days after notifying those responsible if no patch or advisory is issued. They hold themselves to the same standard so we know they’re serious.

Google’s policy may seem harsh but all they ask is that vendors acknowledge problems and issue an advisory expeditiously. In an age where many vendors prefer to ignore problems, this seems reasonable to me. What do you think?

Posted in General | Tagged | Leave a comment

A Year of Posts

A year ago today I gave myself a challenge: make at least one post to Irreal every day for a year. Yesterday’s post successfully completed that challenge. It was harder than I thought.

The experience has given me a new respect for those bloggers who post every day or even several times a day. It’s easy to be blasé about it until you try it yourself. It’s not the writing that’s hard; that’s the easy part. Rather, finding something semi-interesting to say every day can be intimidatingly hard. I don’t, in fact, find something worth writing about every day—I have no idea how people like Sacha Chua and John Gruber do it—but I try to keep a queue of about 5 posts available for those inevitable days when inspiration doesn’t strike. Some days inspiration is banging on the door and screaming at me to let it in. On those days I can write two or more posts, thereby keeping a comfortable safety margin in the queue.

Will I keep it up? Probably. It’s become pretty much a routine by now. I won’t stress about filling every single day but my intention is that Irreal will seem pretty much the way it has for the last year.

Posted in Blogging | 3 Comments

Sacha Chua Chats With Bastien Guerry

For those of you who aren’t familiar with Org Mode, here’s a bit of the back story. Carsten Dominik, an astronomer, originally wrote Org Mode as a small extension to outline-mode to help with his note taking and list management but along the way it grew into a Swiss Army Knife. Eventually, Dominik wanted to spend more time on his research so the maintenance fell to Bastien Guerry who managed development until recently when he turned it back over to Dominik.

As part of her series of chats with Emacs luminaries, Sacha Chua had an interesting discussion with Guerry. I had always assumed that Guerry was also a scientist and an experienced hacker but it turns out that he’s actually a philosopher who is very modest about his programming skills and claims that Emacs Lisp is the only language he really knows. As with all of Chua’s chats, this one is interesting and engaging.

One of the things I really like is how “an ordinary guy1” was able to learn Elisp and take over development of a very complex Emacs package. It shows, again, that Emacs isn’t just for programmers; everyone can participate and benefit.

The talk is a little over 50 minutes so plan accordingly. But do plan to take a look. It’s an interesting chat and you’ll probably learn a bit about the history of Org Mode.

Footnotes:

1 By which I mean not a programmer or someone trained in what we now call the STEM fields. Guerry is hardly ordinary in his accomplishments or contributions to Emacs and Org Mode.

Posted in General | Tagged , | 2 Comments