Two Hundred Ten Down

I finished the second half of the bar exam Thursday evening. I was actually going to write a blog entry during the lunch break, perhaps to enter the book of world records as the only person ever to blog in the middle of a bar exam, but I decided it would be better to review Secured Transactions. As it turns out, there were no Secured Transactions questions on the essay portion, nor were there any Commercial Paper questions or several other areas of law I had studied intensely. It was a bit of a let-down, although I’m sure many people were happy not to see these questions.

I am firmly convinced that the material tested on the bar exam—particularly the multiple choice section—has almost no bearing on one’s ability to practice law. In fact, it might even prepare you to be a worse lawyer than you otherwise would be. Most legal questions are arguable, and if you’re in litigation it’s probably because the outcome isn’t clear. The most important skills you need to be a competent attorney involve dealing with clients, researching, writing, negotiating, developing creative arguments, etc. Answering 200 multiple choice questions on doctrines that aren’t even the law any more in any jurisdiction (the Doctrine of Worthier Title, Shelley’s Rule, … even the Rule Against Perpetuities hardly exists anywhere unmodified) is pretty far off base.

Someday, when I have some stature in the legal community, I want to lead a charge to change this ridiculous examination once and for all. I admit that some sort of threshold exam is probably a good thing; and there might be some value to learning certain basic legal doctrine that you would not otherwise cover in law school (I certainly never learned anything about negotiable instruments).

A better exam, I think, would present you with a fact pattern that you couldn’t possibly have seen before that doesn’t fit neatly into any legal box, and ask you to analyze the situation and present possible theories for resolving the problem. Ideally, you wouldn’t even be able to classify the question as fitting into a particular doctrinal area, e.g., corporations vs. evidence. You would have to discuss how these all fit together: for example, there might be an issue of breach of fiduciary duty in a partnership but it might be difficult to ever prevail in court because of the hearsay rule and the statute of limitations.

Instead, we get questions like this:

Two Hundred Down, Ten To Go…

I finished the multiple choice part of the Massachusetts Bar Exam today. Now just ten essays, and by 6pm tomorrow I’ll be a free man, although not yet a lawyer.

One of the basic canons of the multiple choice portion of the bar exam is “if the answer is a doctrine you’ve never heard of, it’s the wrong choice.” Unfortunately, a countervailing canon is “the bar examiners often like to use less-known synonyms for well known concepts to trick you.” (I made this canon up myself, but it’s true.)

I got one of these today, went with my intuition and the countervailing canon, and now that I’m checking it, it turns out I was right. The “doctrine of after-acquired title” is equivalent to “estoppel by deed.” Well, not quite equivalent: estoppel by deed only prevents the grantor from denying the validity of a deed that was invalid at the time of the conveyance (because the grantor didn’t have good title then) where the grantor acquired title later, while the doctrine of after-acquired title is also good against other claimants. But it’s basically the same idea.

So, at least one right out of 200!

(How many hits will I get in the future on a google search for “doctrine of after-acquired title”? We shall see…)

Update: Ari points out that a google search for doctrine of after-acquired title with no quotation marks gives this blog entry as the number one result.

PHP Perils

Alas, the meanies have finally started to invade bostoncoop.net, my own little web/mail/email list server. I knew it would happen sooner or later, but I just wish attackers would focus on the bad guys.

First, I’m starting to see more and more spam in the various wikis hosted at bostoncoop.net. Apparently, the spammers have developed bots that insert commercial links into common wikis that don’t restrict access. I’ve gone through and manually removed the commercial links (although of course they persist in the wiki history).

I feel like I deeded my back yard as an open nature conservancy in public trust, and people are leaving cigarette butts all over the place.

I’m also experiencing fairly regular attempts to crack into the system by people who scour the web for PHP vulnerabilities. None of them have been successful, and I’ve been learning more and more about what I need to do to better lock down the system, but it’s still sad to have more and more volunteer sysadmin time going to these sorts of “nonproductive” uses.

A word of advice to any server admin newbies out there: if you have any place where people are allowed to upload files on your site, don’t call it “upload.php,” “upload.html,” or anything similar. I expect I could have avoided 99% of the PHP-based cracking attempts just by renaming the upload URL to something nonobvious. This isn’t “real” security: renaming only hides the script from search-engine queries, and anyone who reads the upload form’s HTML or crawls the site will still find it. But just about every attack I’ve seen starts with a google search for upload.php or something similar, so it cuts out most of the noise.
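To see what that “google search for upload.php, then try it” pattern looks like in your own logs, here is a small report script. It is an added example and not something from the original post or from bostoncoop.net: the log lines are constructed for the example (client addresses are RFC 5737 documentation addresses), and the pattern list PROBE_RE and the function names are my own choices. It reads an Apache combined-format access log, looks only at the request part of each line (so a referer mentioning upload.php does not count), and lists the clients that asked for the upload script, for PHP files inside the uploads directory, or for a PHP URL with a command smuggled in the query string.

```shell
#!/bin/sh
# Added example (not from the original post): find clients probing for
# upload.php and similar PHP entry points in an Apache combined access log.

# Constructed sample log; 192.0.2.x, 198.51.100.x, 203.0.113.x are RFC 5737
# documentation addresses, not real hosts.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Jul/2004:03:12:01 -0400] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2004:03:12:05 -0400] "GET /upload.php HTTP/1.0" 404 312 "http://www.google.com/search?q=inurl:upload.php" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2004:03:12:06 -0400] "GET /files/upload.php HTTP/1.0" 404 312 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jul/2004:03:12:07 -0400] "POST /uploads/upload.php HTTP/1.0" 403 289 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jul/2004:04:01:44 -0400] "GET /uploads/shell.php?cmd=id HTTP/1.1" 403 289 "-" "-"
192.0.2.10 - - [10/Jul/2004:04:02:10 -0400] "GET /wiki/index.php?title=Recent_changes HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
EOF

# Starting patterns (extend as your own logs teach you):
#   - the upload script itself, wherever it is requested
#   - any .php inside the directory that should only hold uploaded data
#   - a .php URL whose query string carries cmd=/exec=/system=
# Written without backslashes so it survives awk -v escape processing.
PROBE_RE='upload[.]php|/uploads/[^ ]*[.]php|[.]php[?][^ ]*(cmd|exec|system)='

# Print "count ip" for every client with at least one probe request,
# busiest first. $1 is a combined-format access log.
php_probe_report() {
    awk -v re="$PROBE_RE" '
        # Only the request line ("METHOD /path HTTP...") is matched,
        # so a referer that mentions upload.php does not count.
        match($0, /"[A-Z]+ [^ ]+ HTTP/) {
            req = substr($0, RSTART, RLENGTH)
            if (req ~ re) hits[$1]++
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Number of distinct probing clients, handy for a one-line daily summary.
php_probe_client_count() {
    php_probe_report "$1" | wc -l | tr -d ' '
}

php_probe_report "$SAMPLE_LOG"
```

On the sample above the report lists 198.51.100.7 with three probes and 203.0.113.5 with one; the wiki reader at 192.0.2.10 does not appear. Feeding the first column of that output into a firewall block list is the obvious next step, but check it against your own legitimate upload users first.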

Another tip: most Apache/PHP installations run PHP as an Apache module (mod_php) rather than as a CGI script. This means the standard means for controlling CGI (Options ExecCGI in httpd.conf and .htaccess) have no effect on PHP. If you allow anything with a .php extension to run by default, you are inviting trouble (trust me). You would think it would be well documented and easy to find how to turn off PHP execution except where enabled, but in fact it wasn’t. The best solution I found was to put the following in httpd.conf, inside the <Directory> block for your site’s directories:

php_flag engine off

Then any user who needs PHP enabled can turn it on directory by directory by putting the following in .htaccess (this needs AllowOverride Options, or All, for that directory; php_flag is a mod_php directive and does not exist when PHP runs as CGI or FastCGI). For directories that untrusted people can write to, such as an upload directory, use php_admin_flag engine off in httpd.conf instead: php_admin_flag cannot be undone from .htaccess, so an uploaded .htaccess can’t switch PHP back on.

php_flag engine on

I tried disabling PHP per directory with RemoveType .php and RemoveHandler .php in the .htaccess file, but this apparently had no effect. (Those directives only undo an AddType/AddHandler mapping, and only if AllowOverride FileInfo is permitted for the directory; if the distribution wires up PHP with SetHandler inside a <FilesMatch> block, they don’t touch it.) One thing to be aware of either way: with the engine off, mod_php hands a .php file to the default handler and its source is sent to the client, so “engine off” is for directories that hold no code you care about, not a way to pause an application.
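Here is the whole arrangement written out as a virtual host fragment, with the weak starting point alongside the hardened version. This is an added example, not the configuration from bostoncoop.net; the paths /var/www/site (DocumentRoot), /var/www/site/wiki (trusted PHP) and /var/www/site/uploads (user-supplied files) are assumptions, and it assumes mod_php. The Require line is Apache 2.4 syntax; on 2.2 and earlier the equivalent is “Order deny,allow” followed by “Deny from all”.

```apache
# Added example, not the original post's configuration. Assumed layout:
#   /var/www/site          DocumentRoot
#   /var/www/site/wiki     directory that legitimately runs PHP
#   /var/www/site/uploads  directory untrusted users can write to
# Requires mod_php; php_flag/php_admin_flag do not exist under CGI/FastCGI.

# --- Weak starting point: PHP is parsed wherever a .php file lands ---
#
# <Directory /var/www/site>
#     AllowOverride All
# </Directory>
# AddHandler application/x-httpd-php .php
#
# Anyone who can drop a .php file into /uploads gets code execution as
# the web server user.

# --- Hardened ---

<Directory /var/www/site>
    Options FollowSymLinks
    # Site-wide default: mod_php parses nothing.
    php_flag engine off
    # php_flag in a .htaccess needs AllowOverride Options (or All).
    # Without it, a .htaccess containing php_flag makes Apache return
    # 500 for that directory instead of honouring the directive.
    AllowOverride Options
</Directory>

# Opt-in only where code is supposed to run. The same single line in
# /var/www/site/wiki/.htaccess has the same effect as this block.
<Directory /var/www/site/wiki>
    php_flag engine on
</Directory>

# Never trust a directory users can write to: php_admin_flag cannot be
# overridden from .htaccess, and AllowOverride None makes an uploaded
# .htaccess inert. The FilesMatch block refuses to serve script files at
# all, which also avoids disclosing the source of anything that lands here.
<Directory /var/www/site/uploads>
    AllowOverride None
    php_admin_flag engine off
    <FilesMatch "\.(php|phtml|phps|php[0-9])$">
        # Apache 2.4 form; on 2.2: "Order deny,allow" and "Deny from all"
        Require all denied
    </FilesMatch>
</Directory>
```

After changing this, test it from the outside: place a harmless file named test.php containing <?php echo "executed"; ?> in the uploads directory and request it. The right answer is a 403, not the string “executed” and not the raw source.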

As GNU/Linux and other free software enters the mainstream, it’s important for all of us to do what we can to maintain proper hygiene. There are plenty of people interested in exposing security failures in the free software world, and we should give them as little fodder as possible. The recent Mozilla shell glitch (affecting only Mozilla on Windows systems) may be only the tip of the iceberg.

One Time Use!

Mailinator (no relation to the Terminator)

Need a one-time-only email address to get a password for a website or register a product? Don’t want to be entered into even more spam databases? Try Mailinator. Just make up any email address @mailinator.com and go and check your mail at that address with no password. Mail gets deleted in a few hours. The flip side of “no password” is that anyone who guesses or sees the address can read that mail too, so it is fine for a product registration but not for anything you would mind a stranger reading, and not for an account whose password could later be reset through it.

This is even better than creating a one-time only email address at your own domain (if you control your own domain): less work (you don’t need to create the address first), and no accumulating load on your server.

It’s simple but clever concepts like this that continue to give me faith in the web.

Update: two readers suggest dodgeit.com and sneakemail.com as two similar “throwaway” email services. dodgeit.com is even more barebones than Mailinator, and sneakemail is more full-featured (it includes greylisting).

Update 2: another comment-er suggests spamgourmet.com. When it rains, it pours.

Update 3: Hailstorms. See http://spamlinks.openrbl.org/filter-client-account.htm for a list of disposable email providers.

Fahrenheit 9/11 Attacks

I recently saw Michael Moore’s new film Fahrenheit 9/11 but have been reluctant to write about it since every blogger and her brother has already weighed in on the topic. I do feel like I need to respond to this critique, however, from blogcritics.org’s David Flanagan. In addition to making several incorrect assertions about the scope of copyright law that I won’t address here, Flanagan writes:

Really, though, what can you expect from Michael Moore? Michael is not interested in an issue or a cause, he is interested in the bottom line question, what will this film produce for him in the way of fame and fortune? In this sense, then, Moore is no different from any of the so-called “greedy” corporations so reviled by liberals (including Moore).

This sort of attack on progressive writers and filmmakers always strikes me as totally hollow. It can be generalized as: if someone writes a book or creates a film I disagree with, I can attack them as “just trying to sell more books and movies,” and thus impugn their motive in creating the work.

Of course Michael Moore wants people to see his movie, and Noam Chomsky wants people to read his books. I’m sure Van Gogh wanted a lot of people to see his paintings, and Beethoven for many people to hear his sonatas. Publius wrote the Federalist Papers with the hope that a lot of people would read them. Why else do people create?

If the best attack someone has on some political message is that the speaker is just trying to spread their political message, I suggest we just stop listening to that person.

Even weaker critiques, I suppose, are found in virulently ad hominem attack books like Michael Moore Is A Big Fat Stupid White Man (I shudder to even create the link). This book includes gems like “Moore shows the greatest disdain for that which he actually is… a very rich, pasty white American male.” I wonder if these people realize that they strengthen their enemy with such ridiculous attacks. If I’m white and antiracist, or Jewish and pro-Palestinian, does that make me a hypocrite?

Relatedly, here is a video clip of Michael Moore explaining his views on file sharing. He basically says he wants more people to see his movies, so if people share them online in a noncommercial fashion, that’s fine with him.

They Might Be Giants Is (Are?) Doing The Right Thing

They Might Be Giants, perhaps my favorite band when I was a teenager, is doing the right thing and selling unencumbered high-quality MP3s online at a reasonable price. Directly from the artists. Please support Them—They really seem to “get it.”

Recent Discoveries

To be added to my ongoing useful linux omnibus page:

  • Firefox 0.9 remote newtab syntax
    When I open a link from another application (gnome-terminal or evolution, for example), I would like it to open in a new tab in Firefox, so I had a script which I called newmoz:

    firefox -remote "openURL($1,new-tab)"

    This script is what I have set as my default web browser. With Firefox 0.9, the syntax has changed. You now need:

    firefox -a firefox -remote "openurl($1,new-tab)"

    I believe the -a (application name) flag is needed because several related Mozilla applications could be running at once and -remote has to know which one to talk to, although I’m not entirely convinced. To make it really snazzy, try:

    firefox -a firefox -remote "openurl($1,new-tab)" || firefox "$1"

    This way, if firefox isn’t already running, it will still work.

  • Email yourself after a long task
    This is a really obvious one, but I only recently thought of it. Due to several recent failed hard drives, I’ve been moving a lot of data around from one drive to another, some through NFS, and some over my cable modem. Moving 200 gigabytes, even within a LAN, takes a long time—even longer if you throttle it so as not to congest the network too much. I would find myself checking back on the process every few hours, even though I knew it probably wasn’t done. So why not append a mail command after a long process? E.g.:

    rsync -Pa / storage.system.somewhere:backup ; echo "rsync exited with status $?" | mail -s "backup done" adam

    Since I’m always checking email, I’ll find out as soon as it’s done, and waste less time continually checking back on the process, especially when the transfer might take three or four days.

  • ssh timeout error/connection reset by peer with rdiff-backup and D-Link DI-604 router
    Backing up bostoncoop.net over a cable modem takes a long time. If something goes wrong, rdiff-backup has to roll back the previous backup and start over. As best I can tell, rdiff-backup first makes the connection, then starts the roll back, but doesn’t send or receive any data during the roll back. On my system, the roll back can take longer than the timeout period for my DI-604 router—the consequence being that the connection is reset before the backup can start and rdiff-backup fails out.

    There’s an easy fix, which should come in useful to anyone with a router that is too vigilant about timing out ssh connections (for example, if you ssh to get your email and often leave the window alone for an hour at a time). Add the following to your .ssh/config:

    ServerAliveInterval 300
    ServerAliveCountMax 10

    This makes ssh send a keepalive request through the encrypted channel every 300 seconds and expect a reply; after ServerAliveCountMax (here 10) unanswered requests, i.e. 50 minutes of silence from the server, it gives up and drops the connection. Because these requests are ordinary encrypted traffic, the router sees the connection as active. This is not the same as the TCPKeepAlive option: the kernel normally only starts sending TCP keepalives after two hours of idle, long after a router like this has given up. Put the two lines under a Host stanza if you only want them for one server.

  • Fixed font in gnome-terminal
    I’ve wanted to use gnome-terminal for a long time, primarily because of the tabbed terminal feature (many terminals in one window) and because of the URL recognition (open a URL by right clicking on it). I also like being able to paste into the window with the keyboard.

    There was always one problem, though. The font. I know some people like the new fixed-width GNOME fonts, but I don’t. I just wanted plain old fixed, which I use with xterm (10×20). But that font never showed up in the list of available fonts.

    I finally found the solution in /etc/fonts/local.conf—namely, the following lines:

       

    Just uncomment the path, run fc-cache as root, and you should see fixed in the output of fc-list.
    I’m not sure how a naive user would ever figure this out, but then again, maybe a naive user wouldn’t care that much about having fixed font in gnome-terminal. I also don’t understand why we wouldn’t want users to have access to bitmapped fonts by default—why not just set the default font to something the GNOME people like, but have the other choice in there to start?

Okay, now I’ve really got to study for the bar exam.

IE Homeland Insecurity

From the “for those of you who don’t regularly read slashdot department”: I’m usually pretty skeptical of the Department of Homeland Security; I think it’s a pretty bad solution to the threat presented (see, e.g., Bruce Schneier’s comments on the subject), but I have to agree with them this time. The agency has issued a recommendation that users stop using Microsoft’s Internet Explorer and pick an alternative web browser. Wired Magazine reports that upgrades of the free software browser Mozilla have spiked sharply following the announcement.

The only reference I could find to the issue on the DHS website (which is not, incidentally, served by Microsoft software) was the following bit from this report:

Handling Dependencies

A coordinator may be required to conduct significant research into software, hardware, and firmware dependencies in order to provide complete and correct advice.

Rationale: Vulnerabilities are often discovered in software components on which other software relies. For example, a shared library may be used by dozens or hundreds of products. For instance, vulnerabilities in Microsoft’s Internet Explorer often affect other products (including products by third-party vendors) in ways that aren’t obvious to end users. Examples of products that are sometimes affected by Internet Explorer vulnerabilities include Lotus Notes, Eudora, and Microsoft Outlook. Furthermore, these dependencies are not typically recorded.

Presumably something more on-topic will be posted soon. There is also this warning from CERT (the United States Computer Emergency Readiness Team).