Older blog entries for Killerbees (starting at number 232)

Privacy In Public

I'm becoming increasingly disturbed by the possibility of what I call "MAC address stalking", where people could be located if their WiFi is on and if you can associate their phone number with the phone's MAC address. So imagine my horror this week when I saw these instructions for accessing free WiFi in ASDA stores..

Registering for Asda Wi-Fi couldn’t be easier with just a few simple steps:
1. Select Asda Free Wi-Fi from your network list on your phone
2. Enter your mobile number
3. Receive a text message with your access code
...
and from their Terms and Conditions this:
"By signing up to the WiFi service, you agree for us to share your information with ASDA and ASDA group companies for them to use this information for marketing and analytics purposes" 
Note that "ASDA group companies" probably means the whole of WalMart.
Doing this would mean that ASDA now have a link between MAC address and phone number.

At its most benign this means that whenever the same MAC address is seen nearby (you wouldn't even need to "connect" to their WiFi again) they could "use this information" to send a text or a call "for marketing" or just log you for "analytics purposes".

You wouldn't need to interact in any way for them to know that you walked past their store at 2am.

If this data got into the wrong hands (and ASDA isn't necessarily the right ones) it could be a stalker's charter.

Imagine if you could look up someone's phone number and get their phone's MAC address, then you could use the network to find out where they are connected, and use Google's location service to find their physical location.

OK, it's not as simple as it sounds, but if I can imagine it, someone somewhere can make it happen. Interested?

Read more here:

android map - by samy kamkar
Stalker App Strikes Back at iPhones & Starbucks 
Hacker pilfers browser GPS location via router attack
Hack uses Google Street View data to stalk its victims 

Syndicated 2013-04-05 15:31:00 from Danny Angus

The Road Not Taken

I've been taking some photos.
Two roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;
Then took the other, as just as fair,
And having perhaps the better claim
Because it was grassy and wanted wear,
Though as for that the passing there
Had worn them really about the same,
And both that morning equally lay
In leaves no step had trodden black.
Oh, I marked the first for another day!
Yet knowing how way leads on to way
I doubted if I should ever come back.
I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I,
I took the one less traveled by,
And that has made all the difference.

Robert Frost

Syndicated 2013-01-14 17:28:00 (Updated 2013-01-14 17:36:54) from Danny Angus

2 Jan 2013 (updated 2 Jan 2013 at 18:06 UTC) »

Battersea Power Station



I took this photo yesterday, because soon they're going to start redeveloping it, and this view will disappear, probably forever.
They're going to do this to it..

The Power Station has been one of my favourite London landmarks ever since I went to the funfair as a young kid, and was scared out of my wits by the roller coaster in the early seventies. In fact I didn't go on a roller coaster again for about ten years.
Worryingly Wikipedia says this about it
It was permanently closed down after five children were killed and thirteen others injured in an accident on 30 May 1972 when one of the trains became detached from the haulage rope, before rolling back to the station (the anti-rollback mechanism having also failed) and colliding with the other train. This is the worst accident in history of themeparks.

Syndicated 2013-01-02 12:57:00 (Updated 2013-01-02 17:43:00) from Danny Angus

25 May 2012 (updated 25 May 2012 at 14:04 UTC) »

If Google and Oracle made aeroplanes where would your sympathy lie then?

There's been a lot of talk about the Oracle vs Google court case, and I was reading this when it occurred to me that I have a few reservations about the strength of Google's argument, and perhaps you'd like to hear them.

If you know about the technology you might want to skip ahead a bit, but I have to cover off some background, so we all know what we're talking about.

My thinking first took shape when the Apache Software Foundation (ASF), of which I am a member, was making its initial steps towards developing a Java Virtual Machine (JVM). At its most simple abstraction the JVM is the thing that runs on your computer, and in its turn it executes the Java programs that are loaded into it. The JVM "hides" the differences between operating systems from the Java programs. For example, Macs and Windows might have different ways for a program to interact with memory; the JVM provides memory management which is the same for all Java programs. To make this happen a Windows JVM will be different "inside" than a Mac one.

So Apache were attempting to create an Open Source JVM called Harmony, and it was during early discussions about the "Java Mail API", which I was involved in, that I first ran into the issue which is being tested in court right now. (We will ignore the definition of an API at the moment, because we come to that a bit later; it stands for "Application Program Interface" but you don't need to know what that means.)

I was PMC Chair of Apache James, a 100% Java email application server, and I had got chatting to the Harmony folks about one thing and another when the subject came up about whether an ASF licenced version of the JavaMail API would have a more natural home amongst the java email fanbois of the James project because it is a framework that allows people to write java programs that handle email more easily.

So I started to think about what this would mean from a code perspective, and began to untangle things in my head, here's where I get to the point, stop skipping!

The thing that we call "JavaMail" is composed of three parts, and this is true for many other Java APIs including the ones in the court case, and in fact much of the JVM itself. Those parts are:

i) A specification or definition, this part is the API specification.

b) An internal component which makes one half of the software. This part is the API interface.

2a) An example of the other half that you are free to use, or to replace with an implementation of your own. This part is an implementation of the API, whoever wrote it.
 
If we use an analogy here, to avoid getting bogged down in abstract descriptions of computer science ideas, we can imagine that an airliner manufacturer would manufacture the floor in such a way as a seat manufacturer could manufacture seats which could be installed after the plane is built, without the plane having to be adapted.

In order for this to happen the specification for the floor connections would be published and made available to seat manufacturers, who would then compete their little hearts out to make the best/cheapest/lightest seats on the market compatible with the floor specification, and sell them directly to the owners of the planes to be installed after the plane is delivered.

The airliner manufacturer will make floors and install them in customers planes.

The specification is a piece of intellectual property, it has taken time to produce and does have some intrinsic value.

The situation in the Oracle v Google case would be analogous to the situation in which a rival airline manufacturer has published an identical copy of the specification of the floor, manufactured compatible floors and is wooing customers and seat manufacturers from the originator of the specification with the promise of compatibility for all the seats and tooling and expertise that they have invested in.

What Oracle are contending, or trying to, or failing to, or *ought to be* saying, is that the specification is not in the public domain, it is their intellectual property and they are within their rights to restrict its use to allow people to implement the replaceable parts (the implementations, the seats), and not the internal part (the interfaces, the floor). In other words, not only is it breach of copyright (as the court has recently determined) but it is also probably not "Fair Use" (which they are still to decide upon) for Google to produce an API of their own to Oracle's specification. If it is, then people are going to very quickly stop publishing APIs that allow competitors to benefit from years of research and development.

Of course this is then masked by a big shit-storm of FUD and misdirection by both sides, trying to veer off the subject onto other more easily determined areas of IP law where they believe they have an edge, such as:

The "field of use" restrictions, which are important but not directly relevant to the API arguments.

Patent infringement, of course, which is the modern lawyer's soup-of-the-day for the whole decade and IMHO totally irrelevant here.

And the distracting but easy to comprehend copy'n'paste IP crime where code appears to have been copied from somewhere that it couldn't have been legally.

The last one is the worst FUD of the lot because that is copyright infringement, as is the case where the specification is used in contradiction to the terms of its licence, but it's a different crime, a separate incident, qualitatively something else altogether.

From this point of view I don't think Google's position is as solid as they might want it to be, or as solid as the judgements may suggest, but the truth of the matter is that Sun caused this whole debacle by vacillating over the legal status of Java, the APIs, the JVM, the TCK and a raft of other things that they thought morally *ought* to be open source and free for people to use for any purpose but weren't in law, because they never made it clear enough what was being explicitly permitted and what was being benignly tolerated.

And that is why I have mixed feelings about the merit of Google's case, and some grudging understanding of Oracle's position, and a bad taste in the mouth about Sun's failed attempts to be Machiavellian with the IP laws.

And if you're wondering what happened to James and the JavaMail API, we never did take it on, it's a very poorly designed API and would have brought us a lot of work with precious little benefit.

Syndicated 2012-05-25 10:05:00 (Updated 2012-05-25 14:01:47) from Danny Angus

This Site May Harm Your Computer


Oh Lordy.
New Colleague X (did I mention I have a new job?) decided to google the new boss, and discovered that this blog had been blacklisted for being "harmful".
Instead of seeing this stuff it came up with this message in Firefox..

Reported Attack Page!
This web page at killerbees.co.uk has been reported as an attack page and has been blocked based on your security preferences.

"Oh my", I thought, "'Reported Attack Page!' that sounds serious, and it has an exclamat!on mark and three capital letters."

D'y'know what it was? A little investigation revealed that it was a link to the bileblog (not linked here for the obvious reason!) which had some kind of malware on it, apparently.

What's worse is that in Google's search results it says "This Site May Harm Your Computer", more capitals, it must be Bad.
Let me put the record straight, this site won't "Harm Your Computer", or anyone else's, but if you follow the links eventually you may get to a site which might, in fact Google's own diagnostic page says:
Of the 50 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-05-05, and suspicious content was never found on this site within the past 90 days.
That's right, "Zero pages", and "suspicious content was never found on this site"

I have to say that I was surprised at the draconian and alarmist reaction, surely when someone clicks the link that should be the point at which the browser screams "Reported Attack Page!".


In honour of this hyperbole and lack of perspective I have replaced the sub title of my blog.

Syndicated 2012-05-14 16:55:00 (Updated 2012-05-14 17:01:28) from Danny Angus

Eek! a Patent Troll

So, yesterday a patent troll in the form of a company called Kelora Systems, LLC came to my attention, for reasons which need not concern us at the moment. And having followed up on it a bit I can now understand why so many companies are involved in the apparently insane pastime of suing and counter suing each other through nearly every court in the world. I'll tell you why in a minute, but first to Kelora.

What staggered me is that they claim that they hold a patent, 6,275,821, known rather familiarly as '821, which covers "a method and system for executing a guided parametric search"

What is that? I'll tell you in a few short lines what the patent takes pages to painfully struggle to express:

In order to help people select a product from a catalogue the system displays a list of products and product attributes.
Then, on the user selecting values the list of products is filtered to show only matching products, and the available attribute values are filtered to only show ones which still apply to the subset of products.

Or more simply still, if your system shows a list of products and gives the user the ability to filter this list by price, or size, or colour, you are potentially infringing the patent. My favourite example can be seen in the left hand column of this page (on a website which isn't within the jurisdiction of the US courts).

I hear you, you just said OMGWTF, didn't you? Yeah, so did I.

So I dug into it a bit and uncovered some interesting bits and pieces, first of all these trolls are gunning for just about everyone you could imagine, and a whole lot of other folks too. And it seems like there are legal challenges afoot by a number of big hitters to get the patent overturned, this from last year which was only partially successful and another move in the federal courts to be heard in November (2011).

I know there's a lot of talk about software patents, but for someone to be allowed to use a patent for something as self evident as the "method" and as dated and stuck in the 90's as the "system" is a total indictment of the whole notion. I could understand the intention (but not necessarily agree with it!) if the company had invented a useful product which was differentiated on the basis of the method, and sought to protect their investment, and if it was limited to the field of use originally intended, but this is little more than a patent on the application of common sense to a well recognised pattern of problem (how do you let people browse an online catalogue).

If the US patent office allows people to patent things as non specific as this it's little wonder the courts are filled with patent cases, this isn't protecting your R&D, this is a land grab for the common sense of the future. And if the courts continue to uphold patents like this, and the patent offices of the world carry on granting them we may find ourselves in a situation where innovation is held to ransom by lawyers and patent trolls.

Syndicated 2011-10-19 13:09:00 (Updated 2011-10-19 13:10:34) from Danny Angus

Note to self, how to get a list of recipients from the maillog

I spent a while figuring out how to get a list of email recipient addresses from the maillog, without duplicates, for a specific day on RHEL. In the end I distilled it into one line.

I'm sure I will have to do it again, so I'm making a note of it here, meantime if you need to extract recipient addresses from maillog you're welcome to try it. Just paste it onto the command line and hit the go button, it's surprisingly quick.

cat /var/log/maillog | grep "Oct 19" | \
grep to= | cut -f5 -d":" | cut -f2 -d"=" | cut -f1 -d"," | \
sed 's/<//' | sed 's/>//' | \
sort | uniq > addresses.txt
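
A more tolerant variant of the one-liner above, as an added example that is not part of the original post: it anchors the date at the start of the line and reads the to= field directly instead of counting colon-separated fields, so it also copes with several recipients on one line, recipients without angle brackets, and postfix's orig_to= field. The function names, the sample log lines and the addresses in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: unique recipient addresses logged on one day.
# Assumes sendmail/postfix-style delivery lines containing "to=<addr>, ...".

# recipients_for_day DAY [LOGFILE]
#   DAY is the syslog date prefix, e.g. "Oct 19" (syslog pads single-digit
#   days with a space, so the 9th is "Oct  9").
#   LOGFILE defaults to /var/log/maillog.
recipients_for_day() {
    day=$1
    log=${2:-/var/log/maillog}
    awk -v day="$day" '
        # Only lines whose timestamp starts with DAY; a date that merely
        # appears later in the line does not count.
        index($0, day " ") == 1 {
            for (i = 1; i <= NF; i++) {
                # A field that starts with to= (not orig_to= or ctladdr=).
                if ($i ~ /^to=/) {
                    n = split(substr($i, 4), addrs, ",")
                    for (j = 1; j <= n; j++) {
                        a = addrs[j]
                        gsub(/[<>]/, "", a)      # strip the angle brackets
                        if (a != "") print a
                    }
                }
            }
        }' "$log" | sort -u
}

# Constructed sample log lines, so the example runs without a real maillog.
sample_maillog() {
    cat <<'EOF'
Oct 18 23:59:58 mx1 sendmail[2101]: p9IMxw01002101: to=<early@example.org>, delay=00:00:01, stat=Sent
Oct 19 08:15:02 mx1 sendmail[2210]: p9J7F0aa002210: from=<news@example.com>, size=1204, nrcpts=2
Oct 19 08:15:03 mx1 sendmail[2212]: p9J7F0aa002210: to=<alice@example.org>,<bob@example.org>, delay=00:00:01, stat=Sent
Oct 19 09:40:11 mx1 postfix/smtp[2300]: 4F2A1C0: to=<alice@example.org>, orig_to=<sales@example.org>, relay=mail.example.org[192.0.2.10]:25, status=sent
Oct 19 10:02:45 mx1 sendmail[2400]: p9J92jaa002400: to=carol, ctladdr=<root@mx1.example.org> (0/0), stat=Sent
Oct 20 00:00:04 mx1 sendmail[2500]: p9JN00aa002500: to=<dave@example.org>, delay=00:00:02, stat=Sent
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_maillog > "$tmp"
recipients_for_day "Oct 19" "$tmp"
rm -f "$tmp"
```

Recipient addresses in a mail log are text supplied by remote senders, so treat the resulting list as untrusted input if it is fed to another script.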

Syndicated 2011-10-19 11:39:00 (Updated 2011-10-19 11:39:08) from Danny Angus

Penis seen from space IV

In my ongoing quest to keep you up to date with these important developments here's another one..
Penis Seen From Space. For the other stories check out seen-from-space




Syndicated 2011-09-22 12:58:00 (Updated 2011-09-22 12:58:30) from Danny Angus

19 Aug 2011 (updated 20 Aug 2011 at 13:03 UTC) »

Dipping a toe in FCommerce

FStore Homepage
Today AllSaints launch our Facebook store (US store follows next week), click the link to browse, view products and buy them directly from within Facebook.

We spent a lot of time looking at other people's facebook stores, and rather than try to cram everything in we decided that ours should not be only a replacement for our web store; instead we thought that, as we have too much in our catalogue, browsing it in facebook would be too cramped an experience. Rather it is intended to promote our web store to our facebook fans, and allow us to do more to monetize our investment in facebook.

FStore category view
We wanted it to blend in well with facebook, and to be a familiar environment for facebook users, not look just like our web store in an iframe, as we see with ASOS and JC Penney. I'm sure that works for those guys, but we wanted to take a more joined up approach to "fcommerce" and to augment and enhance our customers' choices and their experience of our brand.

So we have created a place where we can showcase a selection of products, in a specially selected range of categories. Our visual merchandisers have full control of the catalogue, using the same systems that they use to merchandise our other online channels, and I hope that in the coming weeks we will see the facebook store take on a character of its own, separate from, but complementary to, our main web site.
FStore product detail

FStore embedded "cart"
And now our fans can buy things that we promote on facebook without having to find them again on our website.

Good Job Team!

Syndicated 2011-08-19 10:55:00 (Updated 2011-08-20 12:05:35) from Danny Angus

7 Jun 2011 (updated 7 Jun 2011 at 13:03 UTC) »

+1 button

As an experiment (and before I let anyone go anywhere near my employer's precious website with it) I added the google +1 button to this blog today.
Unfortunately while I understand the idea of giving a bit of content a Big +1 I can't see where anyone would know that I've +1'ed anything.
If you have more of a grip of reality than I do, do let me know!

UPDATE! I found out, you need to use google.com not google.co.uk[1].. hardly had I done this and +1'ed things than +1's started showing up in my search results..

[1] I had to go to my google profile, enter a search term in the search box, then click "reset search tools" and I was on google.com instead of .co.uk

Syndicated 2011-06-07 11:54:00 (Updated 2011-06-07 12:40:52) from Danny Angus
