Digital-Scurf Ramblings

mumble mumble

Mon, 31 Jan 2005

Baby go on and just cry me a river…

I am in Spain for a couple of days. Tonight our hosts took us out to dinner and we partook of the Spanish pastime of tapas. We went to a mere two places to have dinner and I have discovered something about octopus.

1. I like it
2. I’m allergic to it

Bah!

[21:32] | [life] | [semi-permalink]

Fri, 28 Jan 2005

You're showing me how to give into temptation…

…knowing full well the earth will rebel…

Today I bought an iFP-170T (EU) because I ended up deciding that as nice as an iHP-140 would be, the immediacy of the iFP-170 made it a better buy. Plus it’s smaller and supposedly will last longer without charging/replacing the battery.

It sounds pretty good and is very easy to use with the ifp-line package which I installed from hoary/universe. Apparently there is a filesystem driver but I’m happy with the commandline tools for now.

My sanity safely preserved I shall go back to investigating the international driver’s permit I need to go driving around South Africa.

[14:06] | [life/toys] | [semi-permalink]

Mon, 17 Jan 2005

So what's the use…

…of falling in love?

Just thought I should share with you all that I actually feel quite happy today. I feel valued where I work; I’m not too scared about life in general; I’m gearing up to do a real clean of the house (i.e. hire a miniskip and everything) and I generally actually feel good.

Dunno where that came from; but I felt you all should know :-)

[15:12] | [life] | [semi-permalink]

Tue, 11 Jan 2005

CACert considered harmful…

An organisation exists called CACert whose primary goals are: “Inclusion into mainstream browsers” and “To provide a trust mechanism to go with the security aspects of encryption.” — Kinda scary to think their stuff may be being added to trusted sets on your computer eh? If you’re not scared yet, read on…

Recently David Pashley had a play with CACert and discovered that it was possible to get one’s PGP/GPG key signed by them while providing them with no conclusive proof that you own the name you claim on the key and with only tenuous demonstrations of owning the email address also.

If I were a malicious third-party I could create keys with email addresses I don’t own (but could intercept), names that were not my own, get them signed by CACert and theoretically obtain some level of trust by doing this.

Fortunately those of us using GPG know better than this and this is why we’re all going to get the CACert Low Security Key and set its trust level to Do NOT trust. The keyid is 9E2BD1F2 and it is a 1024 bit DSA key with a 2048 bit subkey. The subkey is set to expire in 2033 on the 28th July. Kinda pointless eh?

The following is a copy of an IRC conversation between David (JD) and evilbuny (the alleged chief of CACert):

22:22:40 < evilbuny> JD a gpg key signing key was implemented a long time ago, but since very few (relative to the total user base) has assurance points we had to implement a low security (or minimum trust) version as well
22:24:32 < JD> evilbuny: but the low security key is worthless, if not less secure than not signing the key
22:29:24 < evilbuny> JD: it’s what people wanted, they all knew at the time that is the case…
22:30:06 < evilbuny> we are a request driven organisation, if enough people want something and it’s semi-sane suggestion we tend to implement it
22:30:33 < JD> evilbuny: but signing a key without seeing any ID is not even semi sane
22:31:21 < apropos> I have to disagree
22:31:54 < evilbuny> erm we called it a low trust key for a reason
22:32:01 < evilbuny> we issue smime certs without seeing ID as well
22:33:29 < evilbuny> but they’re marked accordingly as well

Unless someone can think of a very very good reason not to, I urge you all to make sure there’s nothing on your systems implicitly trusting CACert.org until they clarify their signing practices and demonstrate them to be sound.
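One way to act on that last paragraph is to check what owner trust, if any, your keyring currently assigns to the key mentioned above. The following is an added example, not code from this post: it parses the machine-readable output of `gpg --with-colons --list-keys` and reports whether the key with short ID 9E2BD1F2 is absent, already set to never-trust, or still carrying some other trust value. The sample listing is constructed (only the short key ID, key size and DSA algorithm come from the post; the leading eight hex digits of the long key ID are a placeholder), and the `live_listing` helper assumes `gpg` is on your PATH.

```python
"""Audit a GnuPG key listing for the CACert low-security key and report
how much owner trust it has been given.

Added example, not code from the post. It parses the machine-readable
output of `gpg --with-colons --list-keys` (field layout from GnuPG's
doc/DETAILS: field 1 record type, field 3 key length, field 4 algorithm,
17 = DSA, field 5 long key ID, field 9 owner trust: n = never,
m = marginal, f = full, u = ultimate, '-' = not assigned).
SAMPLE_LISTING is constructed; only the short key ID 9E2BD1F2, the key
size and the algorithm come from the post, and the leading eight hex
digits of the long key ID are a placeholder.
"""
import subprocess

CACERT_SHORT_ID = "9E2BD1F2"

# Constructed listing: the CACert key with owner trust still unassigned ('-'),
# followed by an unrelated, ultimately-trusted key of the keyring's owner.
SAMPLE_LISTING = """\
pub:-:1024:17:00000000{short}:2003-07-28:::-:::scESC:
uid:-::::2003-07-28::0000000000000000000000000000000000000000::CAcert Low Security Key (constructed uid) <placeholder@example.invalid>:
sub:-:2048:16:0000000000000000:2003-07-28:2033-07-28:::::e:
pub:u:4096:1:1111111111111111:2004-01-01:::u:::scESC:
uid:u::::2004-01-01::1111111111111111111111111111111111111111::Example Owner (constructed) <owner@example.invalid>:
""".format(short=CACERT_SHORT_ID)


def parse_listing(text):
    """Return one dict per 'pub' record with the fields the audit needs."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 10:
            continue
        keys.append({
            "short_id": fields[4][-8:].upper(),   # last 8 hex digits = short key ID
            "bits": int(fields[2]),
            "algo": fields[3],
            "ownertrust": fields[8],
        })
    return keys


def audit_cacert_trust(listing, short_id=CACERT_SHORT_ID):
    """'absent' if the key is not in the keyring, 'never' if owner trust is
    already set to never, otherwise 'needs-attention:<trust letter>'."""
    for key in parse_listing(listing):
        if key["short_id"] == short_id:
            if key["ownertrust"] == "n":
                return "never"
            return "needs-attention:" + key["ownertrust"]
    return "absent"


def live_listing():
    """Read the real keyring; assumes gpg is on PATH (not used by the sample)."""
    result = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(audit_cacert_trust(SAMPLE_LISTING))   # needs-attention:-
```

Run it against `live_listing()` instead of the sample to check your own keyring. If the verdict is anything but `absent` or `never`, set the trust interactively with `gpg --edit-key 9E2BD1F2`, type `trust`, choose option 2 (“I do NOT trust”) and `save`; a second run then reports `never`. Note that the check keys on the 8-digit short ID given in the post, which is not unique, so confirm the full fingerprint of whatever it matches before changing its trust.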

[23:08] | [tech] | [semi-permalink]

Mon, 10 Jan 2005

Beware the hidden charges…

While I was away in Spain, my partner Rob used the BT wake-me-up reminder call service a few times because he had found that his alarm clock wasn’t waking him in the mornings. However because he didn’t know you can do it on the phone keypad he rang the operator to ask them to arrange the call.

He was never informed of the charges despite making seven of these requests over a period of two weeks.

The result was… £28 of charges on my phone bill where had he known that you can type it in yourself, a mere £1.40 would be what I would be facing now.

BT really need to (1) put these prices on their damned website. (2) Inform people when they use the more expensive service that there is a cheaper alternative and (3) bloody well tell you the price of the service when you order something so hideously expensive as a £4 wakeup call.

I don’t blame Rob, I blame BT. Bastards!

[16:24] | [life] | [semi-permalink]

A strange feeling indeed…

For the first time in ages (five years, I guess) I’m in a position where I can’t go to France if I want to. I have sent my passport off for renewal since I have to take a trip in February. I know this is cutting it fine, but I’ve hardly been in a position to do it before now, what with being away from home for nearly all of December and the start of January.

[13:40] | [life] | [semi-permalink]

Sun, 09 Jan 2005

The light at the end of the tunnel…

…is an oncoming train.

Matt Brubeck very kindly emailed me last night to mention that a lot of cross-site-scripting vulnerabilities in various RSS aggregators and readers were fixed as a result of Mark Pilgrim’s “prank” where he inserted an obnoxious animation into his feeds. Mark subsequently created an article about how to consume RSS safely. I felt it would be worth letting people know about it in case, like me, they were not previously aware of it.

Be safe.

[12:26] | [tech] | [semi-permalink]

Sat, 08 Jan 2005

Superstition, fear and jealousy…

Recently, Rob, I and a friend of ours – Clive – were chatting about the possibilities of cross-site scripting vulnerabilities brought about by the vast number of RSS syndication systems floating around.

The following is an unguarded <script> directive. If you’re reading this on my blog then it will, naturally, display. However if you’re reading this entry via some syndication, then it may not.

If the above bullet point contains no text; you’re probably safe. If it contains a pile of escaped HTML indicating a javascript script; you’re probably safe. If it consists entirely of a strongly formatted message about unhidden script tags then your syndication system passes javascript through seemingly unmolested. In the last of those cases you should worry if your aggregator is private in any way because goodness knows what damage could be done by javascript running in the security context of your browser when viewing your rss aggregator (especially if this is livejournal and you’re logged in).

If we’re wrong then all our fears are unjustified and I’ll get a raft of people complaining about me scaremongering. If we’re right to be worried though then people will discover that their RSS aggregators have at best nothing to worry about and at worst a great big gaping scary security hole of doom. Let’s hope our fears are unjustified.
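The safe outcome described above (the script either escaped or stripped) is what an aggregator gets by treating feed HTML as untrusted and re-emitting only an allow-list of it. The following is an added example, not code from this post or from any aggregator: a small allow-list sanitiser built on Python’s standard-library `html.parser` that drops `<script>` elements wholesale, discards every attribute that is not on the allow-list (so `onclick=`, `onerror=` and friends vanish), removes `javascript:` links, and escapes everything else. The `FEED_ENTRY` input is constructed.

```python
"""Allow-list sanitiser for HTML carried inside feed entries.

Added example, not code from the original post or from any aggregator.
Script and style elements are dropped with their contents, only a small
set of tags and attributes survive, href values must use a safe scheme,
and all text is escaped on the way out. FEED_ENTRY is constructed input.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>: drop everything

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                     # unknown tag (img, iframe, ...) is dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue               # drops onclick=, onerror=, style=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue               # drops javascript:, data:, vbscript:, ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # e.g. <br/>
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(feed_html):
    """Return the allow-listed, re-escaped form of one feed entry's HTML."""
    parser = FeedSanitizer()
    parser.feed(feed_html)
    parser.close()
    return "".join(parser.out)


# Constructed feed entry mixing benign markup with the kind of content the
# post is worried about.
FEED_ENTRY = (
    '<p>Harmless <b>bold</b> text and a '
    '<a href="http://example.invalid/" onclick="alert(1)">link</a>.</p>'
    '<script>alert("unsanitised feed")</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    print(sanitize(FEED_ENTRY))
```

Output for the constructed entry is `<p>Harmless <b>bold</b> text and a <a href="http://example.invalid/">link</a>.</p><a>click</a>`. The allow-list is deliberately small; an aggregator that wants images or tables has to decide per tag which attributes are safe rather than adding tags wholesale, and it should still render the result in an origin separate from any logged-in session, since a sanitiser bug is a vulnerability in exactly the context the post describes.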

Update: We have checked and Livejournal seems to be nicely immune to this kind of attack, so kudos to those guys for being switched on.

[15:38] | [tech] | [semi-permalink]

Monkey, Monkey, Monkey…

…Don’t you know you’re gonna shock the monkey.

Steve Kemp was talking about hacking on the livejournal codebase in a recent blog posting of his. He mentioned that one of his goals was to:

Remove the emotional connotations of the word “friend”, by replacing it with “trusted readers”, and “interesting users”

One thing which I think his choice of words highlights is that livejournal as it stands seems to have no separation between “blogs I want to read” and “blogs of people I want to read my protected postings”. Now I switched to pyblosxom to stop myself needing to be angered by this separation. By only blogging things I’m happy for others to read I figure that there’s no need to worry about the conflation of those concepts.

One thing I do hope is that if Steve manages to separate the ‘friends’ concept into “trusted readers” and “interesting users” then I’ll be very interested in seeing that codebase feed back to Livejournal. Of course, now that Six Apart are acquiring (or have now completed acquiring) livejournal this may end up not happening.

Does anyone know of a good tool which runs on linux and which can extract an entire livejournal into some useful transition format such as XML? I’d love to back-propagate all my old postings into my pyblosxom so that in the future I could import them into whatever blog software I use going forward.

[15:34] | [tech] | [semi-permalink]

Tue, 04 Jan 2005

I'm singing the same lines all over again…

…no matter how much I pretend.

I’ve had to disable comments on my blog (hopefully temporarily) while I consider how to prevent spam comments. I’ve had two so far; although the second I imagine was a manual attempt because I had added a nonce to my form in an attempt to dissuade spammers from posting comments mechanically.

Any suggestions for ways to prevent blogspam on pyblosxom comments would be greatly appreciated.
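One way to make the form nonce mentioned above do more work, as an added example rather than pyblosxom’s own code: have the server issue a token that is bound to the post being commented on and to the time the form was rendered, sign it with a secret only the server holds, and on submission reject anything altered, issued for another post, older than a freshness window, or already used. `SECRET_KEY`, the post identifiers and the in-memory replay record are constructed placeholders.

```python
"""Signed, expiring, single-use token for a blog comment form.

Added example, not pyblosxom's own code. The server issues a token bound
to the post id and the issue time, signed with a key only the server
holds; verification rejects tokens that were altered, issued for a
different post, older than MAX_AGE seconds, or already spent.
SECRET_KEY and the post identifiers are constructed placeholders.
"""
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-placeholder-key-replace-with-random-bytes"
MAX_AGE = 3600          # seconds a freshly rendered form stays submittable
_used_tokens = set()    # in-memory replay record; a real deployment persists this


def _mac(post_id, ts):
    """HMAC-SHA256 over post id and timestamp, URL-safe base64 without padding."""
    msg = ("%s|%d" % (post_id, ts)).encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_token(post_id, now=None):
    """Token to embed as a hidden field when the comment form is rendered."""
    ts = int(time.time() if now is None else now)
    return "%d.%s" % (ts, _mac(post_id, ts))


def verify_token(token, post_id, now=None):
    """True only for an unaltered token for this post that is still fresh."""
    try:
        ts_str, mac_given = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if ts > now or now - ts > MAX_AGE:
        return False
    # compare_digest avoids leaking where the two MACs first differ
    return hmac.compare_digest(_mac(post_id, ts), mac_given)


def accept_comment(token, post_id, now=None):
    """Gate a submission: valid signature, fresh, and never seen before."""
    if not verify_token(token, post_id, now):
        return False
    if token in _used_tokens:
        return False
    _used_tokens.add(token)
    return True


if __name__ == "__main__":
    tok = issue_token("2005/01/04/same-lines")
    print(accept_comment(tok, "2005/01/04/same-lines"))   # True
    print(accept_comment(tok, "2005/01/04/same-lines"))   # False: replay
```

This stops the cheap cases (forms posted without ever fetching the page, tokens copied between posts, tokens kept for days) but not a sender that fetches a fresh form for each comment, so it belongs alongside rate limiting or a content filter rather than in place of them.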

[10:44] | [tech] | [semi-permalink]

Sat, 01 Jan 2005

And after the pretty fireworks…

…straight from Edinburgh Hogmanay…

Hippy New Beer Everybloggy!

[00:07] | [life] | [semi-permalink]