Two Hundred Down, Ten To Go…

I finished the multiple choice part of the Massachusetts Bar Exam today. Now just ten essays, and by 6pm tomorrow I’ll be a free man, although not yet a lawyer.

One of the basic canons of the multiple choice portion of the bar exam is “if the answer is a doctrine you’ve never heard of, it’s the wrong choice.” Unfortunately, a countervailing canon is “the bar examiners often like to use less-known synonyms for well known concepts to trick you.” (I made this canon up myself, but it’s true.)

I got one of these today, and went with my intuition/countervailing canon idea, and as I’m checking it out now, it turns out I was right. The “doctrine of after-acquired title” is equivalent to “estoppel by deed.” Well, it’s actually not quite equivalent, because estoppel by deed only applies to prevent the grantor from denying the validity of a deed, invalid at the time of the conveyance because the grantor didn’t have good title at the time but did at a later date after the conveyance, while the doctrine of after-acquired title is good against other claimants, but it’s basically the same idea.

So, at least one right out of 200!

(How many hits will I get in the future on a google search for “doctrine of after-acquired title”? We shall see…)

Update: Ari points out that a google search for doctrine of after-acquired title with no quotation marks gives this blog entry as the number one result.

PHP Perils

Alas, the meanies have finally started to invade bostoncoop.net, my own little web/mail/email list server. I knew it would happen sooner or later, but I just wish attackers would focus on the bad guys.

First, I’m starting to see more and more spam in the various wikis hosted at bostoncoop.net. Apparently, the spammers have developed bots that insert commercial links into common wikis that don’t restrict access. I’ve gone through and manually removed the commercial links (although of course they persist in the wiki history).

I feel like I deeded my back yard as an open nature conservancy in public trust, and people are leaving cigarette butts all over the place.

I’m also experiencing fairly regular attempts to crack into the system by people who scour the web for PHP vulnerabilities. None of them have been successful, and I’ve been learning more and more about what I need to do to better lock down the system, but it’s still sad to have more and more volunteer sysadmin time going to these sorts of “nonproductive” uses.

A word of advice to any server admin newbies out there: if you have any place where people are allowed to upload files on your site, don’t call it “upload.php,” “upload.html,” or anything similar. I expect I could have avoided 99% of the PHP-based cracking attempts just by renaming the upload URL to something nonobvious. (I know this isn’t “real” security, but just about every attack I’ve seen starts with a google search for upload.php or something similar. Renaming only cuts down the scanner noise; the upload handler itself still has to restrict what gets stored, and nothing in the upload directory should ever be executable as PHP, which is what the next tip is about.)

Another tip: most Apache/PHP installations run PHP as an Apache module (mod_php) rather than as a CGI script. This means that the standard means for controlling CGI, Options ExecCGI in httpd.conf and .htaccess, have no effect on it. If you allow anything with a .php extension to run by default, you are inviting trouble (trust me): anyone who can get a file whose name ends in .php into any directory under your document root can run it. You would think it would be well documented and easy to find how to turn off PHP execution except where enabled, but in fact it wasn’t. The best solution I found was to put the following in httpd.conf, inside the Directory blocks for your site’s directories:

php_flag engine off

Then any user who needs PHP enabled can enable it on a directory-by-directory basis by putting the following in .htaccess:

php_flag engine on

I tried disabling PHP per-directory with RemoveType .php and RemoveHandler .php in the .htaccess file, but this apparently had no effect. (Whether those directives undo anything depends on how PHP was mapped in the first place, by AddType, AddHandler or SetHandler, which is one more reason to prefer the engine flag.)
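Putting the two directives together, here is an added example, my own and not from the original post, of what the httpd.conf side can look like for a site laid out like bostoncoop.net; the paths, the uploads directory and the Apache version are assumptions. It also spells out two things the tip above leaves implicit: the .htaccess override only works if AllowOverride permits it, and for an upload tree you want a setting that cannot be overridden at all.

```apache
# httpd.conf (Apache 2.x with PHP as mod_php); the paths are assumptions.

# Default for the whole site: PHP off. php_flag (rather than php_admin_flag)
# leaves the door open for a per-directory .htaccess to turn it back on, and
# php_flag/php_value lines in .htaccess are only honoured when AllowOverride
# includes Options (or All).
<Directory "/var/www/bostoncoop.net">
    php_flag engine off
    AllowOverride Options
</Directory>

# A directory whose owner needs PHP then carries a one-line .htaccess,
#     php_flag engine on
# which is the same line the post shows; nothing else changes in httpd.conf.

# Trees that hold user uploads must never execute PHP, no matter what someone
# manages to upload. php_admin_flag cannot be overridden from .htaccess, and
# AllowOverride None stops an uploaded .htaccess from doing anything at all.
<Directory "/var/www/bostoncoop.net/uploads">
    php_admin_flag engine off
    AllowOverride None
    # With the engine off, Apache serves a .php file as a plain static file,
    # i.e. it discloses the source. That is harmless for untrusted uploads,
    # but do not use engine off to "protect" a directory of real PHP code.
    # Refuse to serve PHP-looking names from here altogether.
    # (Apache 2.4 syntax; on 2.2 use "Deny from all" instead.)
    <FilesMatch "\.(php|phtml|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
```

These directives exist only because PHP runs inside Apache as a module; if PHP is instead run as a CGI or FastCGI process, php_flag lines are silently ignored and the equivalent is to not map the PHP handler for that directory at all. After editing, check the result the way an attacker would: drop a harmless test.php into the uploads directory and confirm the server returns 403 rather than running it.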

As GNU/Linux and other free software enters the mainstream, it’s important for all of us to do what we can to maintain proper hygiene. There are plenty of people interested in exposing security failures in the free software world, and we should give them as little fodder as possible. The recent Mozilla shell glitch (affecting only Mozilla on Windows systems) may be only the tip of the iceberg.

One Time Use!

Mailinator (no relation to the Terminator)

Need a one-time only email address to get a password for a website or register a product? Don’t want to be entered into even more spam databases? Try Mailinator. Just make up any email address @mailinator.com and go and check your mail at that address with no password. Mail gets deleted in a few hours.

This is even better than creating a one-time only email address at your own domain (if you control your own domain): less work (you don’t need to create the address first), and no accumulating load on your server.

It’s simple but clever concepts like this that continue to give me faith in the web.

Update: two readers suggest dodgeit.com and sneakemail.com for two similar “throwaway” email services. dodgeit.com is even more barebones than mailinator, and sneakemail is a more full-featured (includes greylisting).

Update 2: another comment-er suggests spamgourmet.com. When it rains, it pours.

Update 3: Hailstorms. http://spamlinks.openrbl.org/filter-client-account.htm for a list of disposable email providers.

Fahrenheit 9/11 Attacks

I recently saw Michael Moore’s new film Fahrenheit 9/11 but have been reluctant to write about it since every blogger and her brother has already weighed in on the topic. I do feel like I need to respond to this critique, however, from blogcritics.org’s David Flanagan. In addition to making several incorrect assertions about the scope of copyright law that I won’t address here, Flanagan writes:

Really, though, what can you expect from Michael Moore? Michael is not interested in an issue or a cause, he is interested in the bottom line question, what will this film produce for him in the way of fame and fortune? In this sense, then, Moore is no different from any of the so-called “greedy” corporations so reviled by liberals (including Moore).

This sort of attack on progressive writers and filmmakers always strikes me as totally hollow. It can be generalized as: if someone writes a book or creates a film I disagree with, I can attack them as “just trying to sell more books and movies,” and thus impugn their motive in creating the work.

Of course Michael Moore wants people to see his movie, and Noam Chomsky wants people to read his books. I’m sure Van Gogh wanted a lot of people to see his paintings, and Beethoven for many people to hear his sonatas. Publius wrote the Federalist Papers with the hope that a lot of people would read them. Why else do people create?

If the best attack someone has on some political message is that the speaker is just trying to spread their political message, I suggest we just stop listening to that person.

Even weaker critiques, I suppose, are found in virulently ad hominem attack books like Michael Moore Is A Big Fat Stupid White Man (I shudder to even create the link). This book includes gems like “Moore shows the greatest disdain for that which he actually is… a very rich, pasty white American male.” I wonder if these people realize that they strengthen their enemy with such ridiculous attacks. If I’m white and antiracist, or Jewish and pro-Palestinian, does that make me a hypocrite?

Relatedly, here is a video clip of Michael Moore explaining his views on file sharing. He basically says he wants more people to see his movies, so if people share them online in a noncommercial fashion, that’s fine with him.

They Might Be Giants Is (Are?) Doing The Right Thing

They Might Be Giants, perhaps my favorite band when I was a teenager, is doing the right thing and selling unencumbered high-quality MP3s online at a reasonable price. Directly from the artists. Please support Them—They really seem to “get it.”

Recent Discoveries

To be added to my ongoing useful linux omnibus page:

  • Firefox 0.9 remote newtab syntax
    When I open a link from another application (gnome-terminal or evolution, for example), I would like it to open in a new tab in Firefox, so I had a script which I called newmoz:

    firefox -remote "openURL($1,new-tab)"

    This is my default web browser. With Firefox 0.9, the syntax has changed. You now need:

    firefox -a firefox -remote "openurl($1,new-tab)"

    I believe this has something to do with the confusion of the possibility of several related Mozilla applications running all at once, although I’m not entirely convinced. To make it really snazzy, try:

    firefox -a firefox -remote "openurl($1,new-tab)" || firefox "$1"

    This way, if firefox isn’t already running, it will still work.

  • Email yourself after a long task
    This is a really obvious one, but I only recently thought of it. Due to several recent failed hard drives, I’ve been moving a lot of data around from one drive to another, some through NFS, and some over my cable modem. Moving 200 gigabytes, even within a LAN, takes a long time—even longer if you throttle it so as not to congest the network too much. I would find myself checking back on the process every few hours, even though I knew it probably wasn’t done. So why not append a mail command after a long process? E.g.:

    rsync -Pa / storage.system.somewhere:backup ; echo done | mail adam

    Since I’m always checking email, I’ll find out as soon as it’s done, and waste less time continually checking back on the process, especially when the transfer might take three or four days.

  • ssh timeout error/connection reset by peer with rdiff-backup and D-Link DI-604 router
    Backing up bostoncoop.net over a cable modem takes a long time. If something goes wrong, rdiff-backup has to roll back the previous backup and start over. As best I can tell, rdiff-backup first makes the connection, then starts the roll back, but doesn’t send or receive any data during the roll back. On my system, the roll back can take longer than the timeout period for my DI-604 router—the consequence being that the connection is reset before the backup can start and rdiff-backup fails out.

    There’s an easy fix, which should come in useful to anyone with a router that is too vigilant about timing out idle connections (for example, if you ssh to get your email and often leave the window alone for an hour at a time). Add the following to your .ssh/config (directive names are case-insensitive, and outside any Host block they apply to every host you connect to):

    ServerAliveInterval 300
    ServerAliveCountMax 10

    This makes ssh send a keepalive request through the encrypted channel whenever 300 seconds pass without traffic, so the router’s NAT entry never sits idle long enough to be dropped (the interval has to be shorter than the router’s idle timeout). If ten requests in a row go unanswered (50 minutes with these values), ssh gives up and closes the connection. This is a different, and better, mechanism than TCPKeepAlive: the server-alive messages travel inside the encrypted channel and cannot be spoofed, while plain TCP keepalives can.

  • Fixed font in gnome-terminal
    I’ve wanted to use gnome-terminal for a long time, primarily because of the tabbed terminal feature (many terminals in one window) and because of the URL recognition (open a URL by right clicking on it). I also like being able to paste into the window with the keyboard.

    There was always one problem, though. The font. I know some people like the new fixed-width GNOME fonts, but I don’t. I just wanted plain old fixed, which I use with xterm (10×20). But that font never showed up in the list of available fonts.

    I finally found the solution in /etc/fonts/local.conf—namely, the following lines:

       

    Just uncomment the path, run fc-cache as root, and you should see fixed in the output of fc-list.
    I’m not sure how a naive user would ever figure this out, but then again, maybe a naive user wouldn’t care that much about having fixed font in gnome-terminal. I also don’t understand why we wouldn’t want users to have access to bitmapped fonts by default: why not just set the default font to something the GNOME people like, but have the other choice in there to start?
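Extending the “email yourself after a long task” tip above: the semicolon in that one-liner mails “done” whether or not the rsync actually succeeded, which matters when the job ran for three days. Here is an added example, my own and not from the post, that mails a one-line report carrying the command’s exit status. mail(1) is assumed as in the post; the function names, the NOTIFY_TO variable and the fallback to stderr when mail is absent are my inventions.

```sh
#!/bin/sh
# Added example: run a long job, then mail a one-line report carrying its
# exit status. Function and variable names are invented for this example;
# mail(1) is assumed, with a fallback to stderr when it is missing.

# Report line for a task description ($1) and an exit status ($2).
status_message() {
    if [ "$2" -eq 0 ]; then
        printf '%s finished OK on %s\n' "$1" "$(uname -n)"
    else
        printf '%s FAILED with status %s on %s\n' "$1" "$2" "$(uname -n)"
    fi
}

# Deliver a report ($1) to a recipient ($2). Kept separate so it can be
# swapped for another transport, or stubbed out when testing the wrapper.
deliver_report() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$1" | mail -s "$1" "$2"
    else
        printf 'mail(1) not found, report: %s\n' "$1" >&2
    fi
}

# notify_after DESCRIPTION COMMAND [ARGS...]
# Runs COMMAND, mails the report, and returns COMMAND's own exit status so
# the wrapper can still be chained with && or ||. The recipient is
# $NOTIFY_TO, defaulting to the invoking user. POSIX sh has no "local", so
# the helper variables are prefixed to avoid clobbering the caller's.
notify_after() {
    na_desc=$1
    shift
    "$@"
    na_rc=$?
    deliver_report "$(status_message "$na_desc" "$na_rc")" "${NOTIFY_TO:-$(id -un)}"
    return "$na_rc"
}

# Usage, with the rsync from the post (run it under nohup or screen if the
# terminal may go away before the transfer ends):
#   NOTIFY_TO=adam notify_after "backup rsync" \
#       rsync -Pa / storage.system.somewhere:backup
```

Because notify_after passes the job’s exit status through, it can still sit inside a larger pipeline (notify_after "backup" rsync … && rdiff-backup …) without hiding a failure, and the subject line tells you at a glance whether there is anything to go and look at.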

Okay, now I’ve really got to study for the bar exam.

IE Homeland Insecurity

From the “for those of you who don’t regularly read slashdot department”: I’m usually pretty skeptical of the Department of Homeland Security; I think it’s a pretty bad solution to the threat presented (see, e.g., Bruce Schneier’s comments on the subject), but I have to agree with them this time. The agency has issued a recommendation that users stop using Microsoft’s Internet Explorer and pick an alternative web browser. Wired Magazine reports that upgrades of the free software browser Mozilla have spiked sharply following the announcement.

The only reference I could find to the issue on the DHS website (which is not, incidentally, served by Microsoft software) was the following bit from this report:

Handling Dependencies

A coordinator may be required to conduct significant research into software, hardware, and firmware dependencies in order to provide complete and correct advice.

Rationale: Vulnerabilities are often discovered in software components on which other software relies. For example, a shared library may be used by dozens or hundreds of products. For instance, vulnerabilities in Microsoft’s Internet Explorer often affect other products (including products by third-party vendors) in ways that aren’t obvious to end users. Examples of products that are sometimes affected by Internet Explorer vulnerabilities include Lotus Notes, Eudora, and Microsoft Outlook. Furthermore, these dependencies are not typically recorded.

Presumably something more on-topic will be posted soon. There is also this warning from CERT (the United States Computer Emergency Readiness Team).

Bush V. Kerry Websites

Richard M. Smith performed security audits of the official George Bush and John Kerry websites; the results were posted on Declan McCullagh’s Politech list. Both sites come up short in many ways, but Kerry is the clear winner for choice of technology:

It appears that the open source vs. closed source debate has also entered the presidential campaign. The Kerry home page comes from an Apache Web server running on a Red Hat Linux box. The Bush Web site on the other hand is hosted on a more corporate Microsoft-powered IIS 5.0 server and uses ASP.NET. I did not check to see if this IIS server is up to date with Microsoft security patches.

(yet another entry that should really be filed under multiple categories; “politics->electoral” and “free software->politics.”)

Qemu

I just recently discovered qemu, and the result is that I’m a happy camper. I’m preparing for the Bar Exam using antiquated software from MicroMash, the “other” bar prep company (cf. Barbri, at about twice the cost). The program is basically a Visual Basic quiz application written originally for Windows 3.1 and updated slightly in the intervening time (the questions, of course, are entirely up to date to current law). It’s not a bad system—it tracks your progress as you go, and feeds you questions in the areas where you need to focus.

Obviously, there is no GNU/Linux version of the program. Less obviously, but perhaps predictably, the program doesn’t run under WINE either. I’ve found that new, highly complex software like Microsoft Office XP works much better under WINE than old, very simple programs like this quiz program. There was also no easy way to extract the questions so that they could be presented by some other Linux-native software.

Enter qemu, a virtual machine emulator included in Debian. With qemu, I can run a full-fledged Windows 98 box (or any other version of Windows that I might own) in a window on the Linux X desktop, and the bar prep program runs fine. Because my laptop is pretty fast, the resulting system is faster than any Windows 98 system I ever had in my Windows days, despite the emulation layer. Network and sound work as well. I had previously tried this on bochs, a similar emulator, but it was painfully slow (I think there are other advantages to bochs).

Plus, much less worry about viruses and other forms of Windows pestilence, since the whole system is contained within a single disk-image file: if the guest gets infected, throw the file away and restore a clean copy. (It does still have network access, so an infected guest can misbehave on the LAN until you notice; the isolation is from the host, not from the network.) Backup or “snapshot”? Just copy the file, pausing the machine first so the image is consistent. Want to take a break? Just pause the whole machine. It’s all quite clever.

qemu is also in various stages of emulating several other common processors, including the PowerPC, so someday you could run Mac OS X Panther (or Jaguar, or whatever they call it), on a GNU/Linux system on a commodity PC… Even, say, an XBox.

It strikes me that these sort of emulators are crucially important to the eventual world domination of linux. Just as today the only way I can run my old Commodore 64 software is with vice, someday the only way to run the thousands of obscure Windows programs now extant will be with WINE and virtual machines like qemu and bochs.