Older blog entries for garym (starting at number 85)

13 Mar 2005 (updated 13 Mar 2005 at 16:02 UTC) »

So like, there's this message on my machine, mild panic, can you call me back, s'real serious; it's early, it's sunday, but hey, what are friends for? I call him up.

"What do you know about spyware and viruses?" begins a long story of a desktop machine, Windows of course, left in a utility room, used by nearly everybody in the department but officially the property of maintenance, the co-op kid hits an alarm, You've got SPYWARE! -- the machine is dispatched at once to IT-Central

long pause

Central comes back, none-too-happy, having found oodles of questionable material in various folders, the sort they'd rather not find on machines with such visibility, and the axe gets poised over the official registrants of the network node.

"So, like, how could that stuff have got in there? When the co-op kid found it, we saw the download thing just whirring along, pause, whirring again over and over -- is this what that stuff does? Download porn over and over?"

Yes, it seems they have a website-filtre, how quaint, and then they also quite freely allow Hotmail accounts to click on any arbitrary attachments, so 2 and 2 together it's pretty easy to plot a dozen courses for how this machine arrived in the present state but ...

if you ask me, and you did, I don't know much about what's what and who does which in the virus spystuffs or what's possible or practical in the post-mortem sleuthing of the Compromised DOS Machine, but if you ask me, there is no excuse for avoidable situations: the real idiot they should fry is the dunce who chose to loose an insecure O/S into an accessible unsupervised location with open full-priviledge access to 'untrusted' websites ...

but I don't suppose that's the 'expert advice' they want to hear.

13 Mar 2005 (updated 13 Mar 2005 at 15:59 UTC) »

Going back a few years, I remember the review in either Byte or more probably Dr. Dobbs talking about the new Intel 486 as providing developers with blazing speed that would result in "a killer re-inforcement schedule" -- following on my last post, while waiting for the 14MB of the db4 rpm to trickle out of python.org (I eventually had to use Prozilla to get a robust connection) I had bandwidth to spare to explore this whole Apt/Yum thing

Another anecdote, I was at one of the very early meetings of the Toronto Linux User's Group, back when Yaggi hosted them upstairs in the North York Library, and the conversation rolled around to ponding topics for future meetings. "What bugs you most about Linux?" was thrown into the ring, and I said, "I hate how, when configuring your kernel, you realize by the current question that you'd answered some previous question wrong and the only way out is to Ctrl-C and start all over again!" -- and I looked around at a room full of oddly confused faces.

Why don't you just use make menuconfig?

Dammit Janet, who has time to re-read the READMEs on every single release?

Anyway, for those snoozers like me who got stoned and missed it, the magic answer to the RedHat semi-automagic update without having to subscribe to anything is not up2date (which needs new certs if you want to use it on RH9 now) but all fully described by DAG with intallable RPM packages going back to RedHat 6.2.

Aye and it's one of those days ... started last night, late, I was washing up the dishes when I realized that a pretty expensive and elaborate system at work could be replaced, in a few hours, with a simple and elegant chain of free software. I ripped through the last of the pots so I could get back to my desk; this was just too good to be true.

Along the way I refined the idea, worked through how it could scale way beyond the existing system, ran through the sequence of installations in my head, and yes, still, only maybe a morning's work, something I could slip in and deliver to the boss by total surprise, which I would have to do because it's not likely anyone would authorize this little diversion or really understand the advance it makes until they had it in their hands ...

Back at my desk, past midnight by now. The idea had been triggered by a new Sourceforge project release that came across the Freshmeat RSS, so that was my first stop. And then reality steps in:

  1. Minimum requirements: Python 2.3 -- all our machines are RedHat 9.0 and right there I knew I was in for a long haul because Python is pretty deeply embedded in the RH utilities, and there's no way anyone will sign for a fleet upgrade, but I figure, just one machine to illustrate the point and think to myself, how hard can it be to just trash the RH-config utils and upgrade only Python? Next stop, Python.org
  2. Python 2.4 just released -- like, literally hours ago, but unfortunately there are no packages for RH9 yet, so I'm stuck with the 2.3 release and that means there'll be another upgrade in my near future but at least they have them, 30 rpms for download, so I set lftp on the list and go to bed.
  3. server timeout! -- python.org it seems, has pretty bare hardware support; several attempts to pull the rpms over FTP all fail due to timeouts, so I shift to doing it one RPM at a time over HTTP. It's now nearly noon and I still don't know what I'm up against trying to wrest RedHat of it's ancient Python

I hope this is all worth the both because the preparation to development has already taken longer than my worst-case estimate of the time to deliver the application, and I haven't even really started the real muck and mire of actually upgrading these third-party Python RPMS. There's been some side-roads too since I spent some time trying to find out if RedHat had any equivalent to urpmi, of which Apt and Yum were mentioned at the DAG site, but with no further easy pathways to discover more about them and this was already taking way too long (leave that for another day -- anyone care to recommend one over the other?).

So that's the day so far, killer-app idea on a back burner while I haul the hardware out of it's Rip Van Winkle lapse in upgradings, and people wonder just why it is that software developers almost never meet their initial timeline estimates.

Why Events Are A Bad Idea

This is interesting, via Graham Burnett, Why Events Are A Bad Idea (for high concurrency servers):

Event-based programming has been highly touted in recent years as the best way to write highly concurrent applications.
Having worked on several of these systems, we now believe this approach to be a mistake. Specifically, we believe that threads can achieve all of the strengths of events, including support for high concurrency, low overhead, and a simple concurrency model. Moreover, we argue that threads allow a simpler and more natural programming style.
SCO Scuttle and other SPECTREs

Of course it's bogus, and about as likely to score a land-claim as the bid to have most of North America returned to the First Nations peoples (even where such claims have legal basis) there's just too much water under the bridge now to do much other than shrug, but as we all know, lawyers don't get paid to shrug.

So it's a countdown to yet another non-event for January 27th when SCO will (this time for sure) finally disclose what has their ire in such a knot, and then the long and painful march to the court date of April 2005, during which period we'll all get deluged by terrabits of pundit profferings --- yeah, I remember the Microsoft Anti-Trust case, and yes, I confess, I even played a part of that media frenzy, chatting with Bob Young while he caught a ferry just to ask his 'reaction' to the finding ... as if it really mattered.

But it doesn't matter, does it. It's bogus, playing into the media hype specifically designed not to inform us, but to feed us more ZDNet advertisements, lined up to dutifully hand our eyeballs over to the flash animation sidebars, and who cares what the content is. It's a shame it can't be wholesome content like Conrad's, but alas, no, it's our own media circus, our own OJ Simpson nee Jacko nee Jackie O (for those old enough, or Maggie T for us Canucks) and it's oh so predictable, like the so-called war correspondents who sit in hotels, barred from direct observation, speculating over rumours and gossip presented nightly via satellite as 'news' ... and now, seeded by the lunacy of SCO, we're about to do it too, again, still.

Of course the solution to the whole IP Patent Opensource Infringment Thing is really quite simple: Release all code anonymously via identity-protecting file-trading networks ... but, like, not many geek egos are going to let that happen --- anonymous code was, once upon a time, quite prevalent, perhaps even dominant, but that was a long time ago, back when we cared more about what computers actually did rather than who it was that made them do it.

In the mean time, come Jan 27 and in that long march to 2005, do yourself a favour: Grab all your headlines via RSS, and at the least hint of anything even remotely related to the SCO caper, just look away and seek instead real news, like Batboy or the latest Jacko story ...

Macromedia for Linux?

Found this job posting on Mojolin: Macromedia is willing to spend upwards of $100k/year for someone to take possession of the Linux Flash porting project.

"This is a highly visible position for a software engineer who has the ambition and commitment to help us deliver the next-generation technology to a global user community that currently includes over four hundred million people."

Declarative Bliss: Prolog Resources

I loved Prolog; it was the language of choice for most of my small "get this going quickly" contracts in the middle 80's while everyone around me was wrestling with IBM Pascal and TurboC. Prolog was more like the way I thought about programming, starting from the premise of "how do you know you have the answer" and working backwards to the base principles.

The Toronto Star StarBall Fantasy League software was Prolog (linking C for the buffer crunching) both for the parsing of the human-generated (read "colourful") news wire and also to manage the work-flow of the UI for the data entry operators who had to type in some 60,000 hand-written player-selection forms clipped from the paper.

My banker, who was concerned that microcomputers were not making any money for me, called me in to 'discuss' my account. I told him that I had a breakthrough, a way to code software blazingly fast, often in a quarter or even a tenth the time it would take in C or Pascal, and thus I could lower my net charges and open up new markets. He leaned forward and said, "You get paid by the hour don't you?" and I nodded.

"So this Prolog thing isn't going to be very profitable, is it."

Well, wrong he was, Prolog paid a good chunk of our bills over the 80's, was used for TorStar and several museum exhibits, and it was my love of Prolog that lead me to meet Robert Stanley, head of Research at Cognos, and that lead directly to my work on the infamous Zeus project (which was Eiffel, but that's another story)

Anyway, I loved Prolog, and you will too because now you can learn it and even practice online, and you can download the kick-ass GnuProlog compiler/interpreter to get you started.

Kudos to 0xDECAFBAD for reminding me of an old friend.

20 Aug 2003 (updated 20 Aug 2003 at 02:12 UTC) »

Attack of the Rubber Spam

I'm under attack, and this following yesterday when my webhost was under their worst ever attack which makes me wonder if the two might be related, but whatever, this is an attack for which I really don't see any solution: Someone sent out a large virus using all of my website email contact address as the Reply-To and now thousands of well-meaning webservers are 'returning' the email because of full mailboxes, because a virus was detected or just because it's spam.

And what can I do but receive them all? All are from legitimate domains, all of them are from hosts that resolve, all of them are simply replying to that reply header. There's no defense I can see and if someone has one, do let us know.

But what really amazes me is the dense stupidity of these mail servers doing the rubber spam bouncing: If the message contains a virus, why return the virus to the sender?? ... I mean, really, that's pretty smart on their part. For the others, the full mail boxes should probably return the whole message (those that don't still do annoy me because I most often forget to CC: myself) and the anti-spam bots, well there again, when we all know that spam almost never comes from who it says it comes from, why bounce it? ... bouncing spam is, like, so nineties.

Whatever, it seems I'm stuck with it, and since the trees have overgrown the wireless tower plunging me back to rural dialup rates, it means that ever time we go online, the pipe is jammed with the same virus over and over and over and

black arts of estimation

I hate estimating projects. Face it, unless you've done the same job a statistically significant number of times before, there isn't an estimate on the planet worth the bits in it.

They tell me there are two basic philosophies of estimation. There is the American way of over-estimating and then joyously coming in under budget. And then there's the way I'm told is currently in vogue among the off-shores where the initial estimate is absurdly low, and creeps up and up and up and up as the client is drawn more and more into their commitment to the investment.

I prefer the former :) The rule I like to use is almost universally both right on the mark and initially completely, categorically and flatly rejected, the Fahrenheit-to-Celsius rule:

Take my best estimate (say $24k, double it and add 10% ($52.8k) and take away 32 comparable-sized units, usually of the next lower order of magnitude ($52.8k - 3.2k = $49.6k).

That said, I wouldn't want to ask for $50k up front; I'd instead prefer maybe 20% up front to get us rolling, prime the dev environment and then involve them in all facets of the progress as soon as we have even a few pages to show, and keep the discussions in the open, making sure everyone knows where we are at all times so we can manage the burn rate to hopefully get to the destination state way under that price.

It's like the game we used to play with art installation funding with the Canada Council: They offered some cash sum for some certain kind of event, we'd target that sum in our proposal, then pay our musicians, technicians, suppliers and artists out of that account, and everything left over by the end was a bonus (usually paid for opening night pizza).

But, really, realistically -- asking us for our estimate is all backwards. A client should be preparing to wager some fraction of their ROI, some sum that says unspoken, "If it's headed higher than this, we need to bail." Their return on this wager/investment is the only true bottom line -- if the return is $1M/year, then it's worth half that to build a truly stunningly brilliant design; if the return is only $10k/year, then it makes more sense to cobble it on the dirt-cheap from spare parts and student volunteers.

'Course, you can I both know that no one wants to face this reality, and without that basic bit of realism, we're all still stuck with that old smoke and mirrors cat-and-mouse game of "how much does it cost?" vs "how much are you willing to pay?" :)

76 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!