Archive for the ‘Debian’ category

Daniel Silverstone: Simtec Entropy Key to solve cloud computing issue?

August 10th, 2009

<gushing advert>

Over the past week or so, several articles have turned up in such esteemed publications as Slashdot linking to Forbes.com and Information Week regarding the fact that cloud computers have issues getting at those precious bits of entropy required to secure SSL transactions and the like.

Indeed, modern GNU/Linux distributions, and various other operating systems, rapidly consume the available entropy during normal operation. Ubuntu 9.04, at least, uses ASLR to reduce the effectiveness of attacks, since no two shells will have the same address-space layout. You can read more about ASLR on Wikipedia if you want to. Essentially, ASLR is done by reading 64 bits of data from /dev/urandom during process startup and using that to seed a PRNG, which is then used to perturb the layout of the dynamically loaded objects in the process. If the process itself is compiled appropriately, the main executable can also be moved about from one process start to the next.

All this, unfortunately, depletes the pool of entropy available to the system. Fortunately, /dev/urandom continues to work when the pool is depleted, and indeed will not reduce the pool below a threshold value regardless of how much it is used. However, this does open the door to the question of whether there might be an attack that causes a server to spawn enough processes that it has insufficient entropy to subsequently establish a good SSL session or similar.

Normally a Linux system will gather entropy from such things as the minuscule differences in HDD response times, interrupts from keyboards and mice, etc. However, a virtual computer (KVM, VMware, a cloud system, etc.) doesn't tend to have a real HDD or, in many cases, any useful amount of interactivity to produce entropic events to be measured. This results in cloud computers often having little to no entropy and no real way of gathering more. Some people believe this makes it possible to predict the random pool of one virtual machine using the pool of a clone of it.

When Simtec first started talking about the Entropy Key we were inundated with people interested in whether or not it'd help for virtual machines. Initially we assumed it would, but after spending a long time poking at the Linux kernel, at KVM etc, we determined that unfortunately it wouldn't usefully help in the state it was in. So, I spent some time and updated the Entropy Key's host software to support the EGD's protocol, over both Unix domain sockets and TCP. This, along with another simple tool which can connect to an EGD socket and push entropy into the Linux random pool, means that we have an, admittedly network-reliant, excellent way to push entropy from one host with a physical Entropy Key, to one or more systems for use in their random pools.
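As an added example (it is not the Entropy Key host software or its tools), the following Python shows the two halves described above: an EGD-protocol client that asks a server for its entropy count and reads bytes with the blocking command, and the RNDADDENTROPY ioctl that credits those bytes to the Linux kernel pool. The in-process EGD server and its entropy bytes are constructed for offline use; the ioctl number assumes Linux and the credit step needs root.

```python
import fcntl, socket, struct, threading

EGD_GET_COUNT = 0x00   # reply: 4-byte big-endian count of available entropy bits
EGD_READ_BLOCK = 0x02  # followed by a length byte n; reply: exactly n bytes, waiting if needed
RNDADDENTROPY = 0x40085203  # Linux ioctl _IOW('R', 0x03, int[2]) on /dev/random

def _recv_exact(sock, n):
    # Read exactly n bytes, raising if the EGD peer disappears mid-reply.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD peer closed the socket")
        buf += chunk
    return buf

def egd_entropy_bits(sock):
    # Ask the EGD server how many bits of entropy it currently holds.
    sock.sendall(bytes([EGD_GET_COUNT]))
    return struct.unpack(">I", _recv_exact(sock, 4))[0]

def egd_read_blocking(sock, n):
    # Fetch exactly n bytes (n is 1..255: EGD carries the length in one byte).
    sock.sendall(bytes([EGD_READ_BLOCK, n]))
    return _recv_exact(sock, n)

def rand_pool_info(data, bits):
    # struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[];}, buf padded to 32-bit words.
    padded = data + b"\0" * (-len(data) % 4)
    return struct.pack("ii", bits, len(padded)) + padded

def kernel_add_entropy(data, bits=None):
    # Mix data into the kernel pool and credit `bits` of entropy to it (Linux, root only).
    bits = len(data) * 8 if bits is None else bits
    with open("/dev/random", "wb") as dev:
        fcntl.ioctl(dev, RNDADDENTROPY, rand_pool_info(data, bits))

def _fake_egd_server(conn, pool):
    # Constructed in-process stand-in for an EGD server, answering from `pool`.
    while cmd := conn.recv(1):
        if cmd[0] == EGD_GET_COUNT:
            conn.sendall(struct.pack(">I", len(pool) * 8))
        elif cmd[0] == EGD_READ_BLOCK:
            n = conn.recv(1)[0]
            conn.sendall(pool[:n])
            pool = pool[n:]

def demo_exchange(pool, n):
    # One client/server exchange over a socketpair: (bits advertised, bytes read).
    client, server = socket.socketpair()
    worker = threading.Thread(target=_fake_egd_server, args=(server, pool))
    worker.start()
    result = egd_entropy_bits(client), egd_read_blocking(client, n)
    client.close(); worker.join(); server.close()
    return result
```

A real deployment would replace the socketpair with a connection to the EGD socket and pass the bytes from egd_read_blocking to kernel_add_entropy, crediting only as many bits as the source actually guarantees.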

When the Entropy Key is released, the host software will be released as free software (under the MIT licence) and as such we hope that if anyone else has any cool ideas for helping with getting entropy to cloud computers, they will send patches. I'm exceedingly proud that we're releasing the host software under an F/LOSS licence and I hope that anyone who runs lots of VMs will be interested in this latest development in the host software too. If you are interested, be sure to check out the Entropy Key Website and send us a mail if you want to be told when retail units become available.

</gushing advert>


Marc ‘Zugschlus’ Haber: Samba Help Needed

August 10th, 2009

Dear Lazyweb, sorry to bother you again, but I have tried to get this question answered on IRC, on Usenet and on the Samba Mailing List, and was not able to get an answer (not even a remotely clueless one) there. Can you help?

I currently have an "interesting" task to accomplish: An IT environment with about 90 % Windows and 10 % Linux machines would like to unify backup. Currently, the Windows world backs itself up to tape using Backup Exec; the Linux world has Amanda backing up to a big disk RAID.

This RAID is acting up and is scheduled to disappear. The current plan is to back up the Linux world with Amanda to a Samba share which is then backed up to tape by the Backup Exec installation running in the Windows world.

The Linux systems are in a different network, and the firewall people would like to keep the ports being open between the two networks to the bare minimum. I don't want to see NETBIOS Broadcasts inside the Linux world, I don't want to see this server in any network neighborhood, and the system acting as the Samba server for the backup should have as few open ports as possible. Of course, the share should be read only and be as secure as possible.

The following configuration for Samba 3.4.0 from Debian unstable seems to do what is intended (and only needs port tcp/445):

[global]
   workgroup = linuxworld
   server string = %h server
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   interfaces = 192.168.8.26
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam

   obey pam restrictions = yes
   unix password sync = no
   pam password change = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   access based share enum = yes
   allow trusted domains = no
   disable netbios = yes
   load printers = no
   local master = no
   lock directory = /var/run/samba/locks
   pid directory = /var/run/samba
   max smbd processes = 10
   min protocol = NT1
   name resolve order = host
   preferred master = no
   server schannel = yes
   smb ports = 445

#======================= Share Definitions =======================

[amanda]
  comment = amanda backup
  writeable = no
  read only = yes
  locking = no
  path = /mnt/backup/srv/amanda
  public = no
  guest ok = no
  browseable = no
  hosts allow = 192.168.8.23
  max connections = 5
  valid users = amanda

Is this "secure enough" or is there potential for improvement? Which files do I need to copy to /mnt/backup/srv/amanda to run the smbd chrooted? Does it make sense to chroot the smbd in this environment?

Is this configuration going to work with Samba 3.0 (Debian etch) and/or Samba 3.2 (Debian lenny) as well?

Any hints will be appreciated.
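As an added check (not from the post and not a Samba tool), the following Python parses an smb.conf excerpt and flags keys set more than once, such as the post's two "name resolve order" lines, of which smbd honours the last, plus any exposure-relevant setting that is not at its intended value. The excerpt and the expected values are constructed from the configuration above.

```python
# Constructed excerpt of the post's smb.conf, keeping only the exposure-relevant keys
# (and the 'name resolve order' key, which the post sets twice).
SMB_CONF = """
[global]
   interfaces = 192.168.8.26
   bind interfaces only = yes
   name resolve order = lmhosts host wins bcast
   disable netbios = yes
   name resolve order = host
   smb ports = 445

[amanda]
   read only = yes
   guest ok = no
   browseable = no
   hosts allow = 192.168.8.23
   valid users = amanda
"""

# Settings that keep the share read-only and the server out of the network neighbourhood.
EXPECTED = {
    "global": {"disable netbios": "yes", "smb ports": "445", "bind interfaces only": "yes"},
    "amanda": {"read only": "yes", "guest ok": "no", "browseable": "no"},
}

def parse_smb_conf(text):
    # Map section -> key -> [values]; keeping every value exposes keys set twice (smbd uses the last).
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def audit(text):
    # Return findings: duplicated keys first, then expected values that are missing or differ.
    conf, findings = parse_smb_conf(text), []
    for section, keys in conf.items():
        for key, values in keys.items():
            if len(values) > 1:
                findings.append(f"[{section}] '{key}' set {len(values)} times; smbd uses '{values[-1]}'")
    for section, want in EXPECTED.items():
        for key, value in want.items():
            got = conf.get(section, {}).get(key, [None])[-1]
            if got is None or got.lower() != value:
                findings.append(f"[{section}] '{key}' is {got!r}, expected '{value}'")
    return findings
```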


Matthew Palmer: Oh Firefox…

August 10th, 2009

What are you doing with that 1.1GB of resident memory (1357m of virtual memory) you have decided to consume in order to display three web pages? All fairly basic pages — no flash, no excessive Javascript, and I haven't even done anything particularly exciting in the browser — just loaded the pages up and let them sit for a few days.

Time to look at Conkeror on the Netbook, I suppose. I'm unlikely to be needing Firebug on there any time soon.


Clint Adams: Hours for Lolgernon

August 9th, 2009

  1. Need Business Plan
    • Battle-tech Pod area (Partnership with Virtual World Pods will be cheaper)
    • Kids Party Area* (this is where the money will be.)
    • Tabletop game Area
    • Internet Gaming Area (Counter Strike, Unreal Tournament, Star Craft…)
    • Xbox Live Area
    • Free Wireless Internet
    • Food & Shop Area
    • larger Arcade area, need more space for bigger cabinets or more Arcade Games
  2. Financial data on the current active business.
  3. Security
  4. Market data on the College Campus (Queens College and other nearby schools)*
  5. Kids Parties (I in a residential area), need someone experienced planner for kids games) *
  6. Need a deal with Whitestone Bakery near my house for birthday and party cakes.

John Goerzen: The Thrilling Conclusion of Goerzen vs. Dell: Sweet, Sweet Victory

August 9th, 2009

When United Airlines recently broke some expensive guitars but refused to pay for their negligence, the owner of the guitars made a Youtube video. United corporate HQ noticed, and were so embarrassed that they fixed things.

I’ve had some trouble with Dell breaking the law, and their corporate HQ noticed, were embarrassed, but didn’t bother fixing things.

However, I have discovered something that Dell does care about: FEDERAL PROSECUTORS.

I Hate Junk Mail

Before continuing, I need to answer a FAQ: why I hate junk mail. It’s bad for the environment, takes time to process, and fills up my recycling bins. We only get our recycling picked up once a month (we’re lucky to get that where we live), and I hate filling them up with catalogs for things I’ll never use. Also junk mail has a way of multiplying like rabbits. Get on one list, and pretty soon you’re on dozens.

Normally when I get junk mail, I’ll find the website or call the company that sent it to me and ask to be removed. And then they will stop sending me junk mail.

That approach has worked with every single company that I’ve tried it on. With one exception: Dell. Even though ignoring my requests puts them in violation of their own privacy policy.

The Story So Far

It’s been a little while since I’ve written about this, so here’s the condensed version. Click the links for more details.

Back in early 2007 — yes, more than 2 years ago — I had a lapse of judgement and tried to get a Dell monitor serviced under warranty. After a frustrating evening of trying to explain to them that I have a Dell monitor but not a Dell PC, they finally agreed to fix it. And put me on their “flamingo pink Inspiron catalog” mailing list.

I went to their website trying to get off the list. They have many different list removal forms, and I tried them all. I called them. I even got a comment from Debbie at Dell HQ in Texas, offering to try to help. Despite repeated attempts, she didn’t (or couldn’t).

So, in December of 2007, I decided to let Jacob rip apart my junk mail (with associated cute photos).

By August 2008, I still wasn’t off their list. I tried everything, and Dell customer service replied to my request to be REMOVED from their snail mail list by saying they would ADD me to their email list. Lovely.

So I finally obtained a prohibitory order (see scanned copy on that link) in July 2008, which enforces federal law (39 USC 3008) prohibiting Dell from mailing me any more of those catalogs. From August 25, 2008 on, it was a federal offense for Dell to send me any more catalogs.

Guess how successful that was. By September 2008, they were back at their old tricks, sending me catalogs.

The New Bits

So — I sent in a couple of these catalogs to the USPS as evidence of violation. By February, I received this letter, which made me Very Happy:

[Image: dell-court-order (scan of the letter); see also larger version]

Yes, that’s right. The United States Postal Service went to court to obtain a court order against Dell, prohibiting them from sending me more catalogs.

And — it was successful! It’s been several months since I’ve received any more catalogs from Dell.

It took two years (it wouldn’t have had to, but I didn’t push things along very fast from my end, giving them lots of time to comply each step of the way), but I am finally free of Dell mailings.

I suspect some federal attorneys in some remote office somewhere owe their jobs to Dell's noncompliance with postal and privacy regulations.

Now if only I can get Rep. Tiahrt to stop sending me junk mail… He keeps sending me literature, and I don’t even live in his district.


Russell Coker: Water Dogs – Good for Uplift?

August 9th, 2009

Elaine Morgan gave an interesting TED talk about human evolution and the theory that our ancestors lived in the water [1]. The aquatic ape theory explains why humans are the only primates that have almost no body hair and why we can consciously control our breathing (which is essential for speech and which is apparently rare among land mammals).

So it seems that when (not if) we start a program of uplifting animals to the same status as humans a good starting point would be animals with an aquatic history. So we want animals that are friendly towards humans, reasonably intelligent, and which can be trained. Animals that can work well on dry land would be most convenient as are animals that can be owned domestically, so dolphins are not good candidates.

There are a number of dog breeds that have been specifically bred for operation in water [2]. This includes dogs bred for assisting fishermen (such as the Spanish Water Dog) [3] and for hunting in marshes (the majority of Water Dogs [2]). Even dogs that have not been bred for aquatic work can be very expressive in their barks (as I’m sure every dog owner has observed), so an aquatic dog should have the potential for greater speech.

So it seems to me that the Norwegian Puffin Dog offers great benefits for dexterity [4] which combined with slightly more speech potential from some water dogs should give a good start to the breeding program.

CNN has an interesting article on the intelligence of dog breeds [5]. It seems that the top 5 are:

  1. Border collies
  2. Poodles
  3. German shepherds
  4. Golden retrievers
  5. Doberman pinschers

The Poodle being a water dog and the second most intelligent breed of dog seems to have some good characteristics for uplift, so a Poodle/Puffin-dog cross should do well.

Recently I have been reading Michael Anissimov's blog at AcceleratingFuture.com, which concerns Transhumanism, AI, nanotechnology, and extinction risk [6]. A large part of Michael's blogging concerns the development of Friendly Artificial Intelligence (FAI) [7]; this is a type of AI that would not destroy us by accident or malice if it gained the ability to self-improve at a rapid rate (and therefore vastly exceed human capabilities in a small amount of time). It seems to me that if we can uplift dogs to a level equivalent to humans and have them still like us, then we will have achieved a significant step towards developing general non-human intelligences that are sympathetic to us.


Biella Coleman: Free Software in the CS Academy

August 9th, 2009

The world of Free Software is riddled with ironies, or so I like to tell myself, as I am devoting a history chapter that uses the frame of irony to trace the historical rise of this technological domain. One irony (though not entertained in the chapter) has to do with the status of Free Software in the academy: it is pretty weak among CS-ey types, and yet Free Software is often identified as a paragon example of the openness and communitarian elements of how academic science is supposed to work. So, what exactly is going on?

Recently I had the pleasure of discussing this issue a bit with Colin Turner, a professor of Mathematics at University of Ulster who has given this issue a lot of careful thought and is trying to make some changes on the academic side of things. You can read and learn a little more about them in this thoughtful interview and on his blog.

Do you know of any academic programs where FS was nowhere to be found but with some clever or bold initiative it flourished? Thoughts on what can be done to make FS a realistic presence in academic departments? Is this perhaps where the future of Free Software advocacy should be headed?


Frank S. Thomas: Vim syntax highlighting for SUSY Les Houches Accord (SLHA)

August 9th, 2009

In my diploma thesis I’m working with supersymmetry spectrum calculation programs (primarily SPheno) which use the SUSY Les Houches Accord (SLHA), defined in arXiv:hep-ph/0311123 and arXiv:0801.0045 [hep-ph], for data input and output. To ease editing input files and reading output files with my favourite text editor Vim I wrote a corresponding syntax file for the Accord. It is really helpful for preventing spelling errors of block names (which are partially cryptic) and for navigating and extracting numerical data.

To enable syntax highlighting in Vim for SLHA, download the two files slha.vim and scripts.vim. Copy slha.vim into ~/.vim/syntax/ and copy scripts.vim into ~/.vim/, or, if you already have a scripts.vim file, append the content of my file to it. Without further ado Vim should now highlight SLHA files. Here is the compulsory screenshot:

[Screenshot: vim_slha]

If you have further suggestions or found an error in the scripts, please don’t hesitate to contact me. I’ll try to keep the scripts up to date here.
