What Sony Cares About

28. April, 2011

So Sony’s PSN user database was hacked. It seems the credit card data was in a safe place elsewhere. Encrypted.

The user data wasn’t encrypted.

Which leads me to an interesting thought: Apparently, the money was more important to Sony than the gamers.

Or maybe the credit card companies told Sony in very clear terms how to handle the precious credit card numbers, so Sony complied with those rules, and when it came to passwords, age and the place where you live, they were economical. As with how they handled the situation. At least we didn’t have to tell them that they were hacked.

Unlike, say, Apple, they did tell us that something was wrong and they apologized for what happened. We’re just left with the task to clean up the digital mess they created.

How valuable is this data? Well, if you do something sensitive over the phone, say, calling your bank, and they want to make sure it’s you, what do they ask? The simple stuff: birth date, where you live.

With data like that, you can open an eBay account and do some online fraud. Good luck proving it wasn’t you. Sure, it won’t be a problem but it will be an ugly hassle.

Make sure you check your next credit card bill; just to make sure Sony didn’t mess that up without noticing.


Why Software Patents Are Illegal

28. April, 2011

Patents on machines are legal, patents on speech are not. You can’t patent Obama’s latest public appearance or a mathematical proof. Those things are covered by copyright laws (and followers of this blog know that those are flawed as well).

So why are software patents illegal? They are recipes which tell the computer what to do. You can’t patent recipes. Therefore, it should be impossible to file a patent on software.

The long version is here: 1 + 1 (pat. pending) — Mathematics, Software and Free Speech (Groklaw). The article explains why lawyers often get confused by computer terms, how this is bad and how to stop them.


Riding The Risk

25. April, 2011

It’s a general misconception that if a human can’t see something, computers can’t either. From my experience, it’s usually one or the other. Or both.

When the financial system crashed, humans knew in advance. Well in advance. Everyone involved knew. The question wasn’t “Will it crash” but “When”. Those behind the bubble made a fortune by riding it. And they still do.

The computers didn’t see it coming because they weren’t meant to. That doesn’t mean it’s not possible, it means that the people who make fortunes from these events don’t like the idea of a computer telling the authorities what will happen and when. Especially not when a) they can’t make their fortunes first and b) everyone else has to pay the bill. Bonuses are back at the pre-crisis level. I wonder how that could happen.

Prof. Didier Sornette, Professor on the Chair of Entrepreneurial Risks at ETH, works on statistical models which predict bubbles and crashes. One way is actually pretty simple: if the growth of a market is itself growing exponentially (i.e. when the exponent y in x^y starts to grow, so the curve is steeper than plain exponential growth), there is a bubble forming.

So the problem we’re facing isn’t “we don’t know” but “we want lots of money.” Lots of money always comes at a risk. If nothing happens, people start to forget that. Or ignore it. Even if they know better. So laws and regulations which “harm the free market” are abolished. Until the next bubble when we all have to learn again why those laws and regulations were in place.

Computers can see things that we’d like to ignore.

I’m not saying computers should make the decisions; what I’d ask is this: When the computers predict a crash, everyone involved should be asked to sign an innocent little extra agreement that reads

In the case of a crash, I’ll be held liable for any damages caused by the crash, personal and fully, with all my wealth.

I’m not saying people want the crash. All I’m saying is that they have little reason to avoid it. It’s their job to make money. To make a lot of money, you need to accept a lot of risk. That’s OK. The problem is that there is no reason not to take intolerable risks. “It’s not my money”, “everyone is doing it”, “everyone makes lots of money, why not me”, etc. That’s human nature. And it’s human nature to start to think as soon as you get hurt personally when it goes wrong.

So let’s add some hurt to the system.


Major Security Flaw in Dropbox on Windows

20. April, 2011

During the installation, Dropbox saves the login credentials in %APPDATA%\Dropbox\config.db

The problem: The file can be copied to another computer or account and this simple operation gives an attacker the same credentials as the victim.

Even worse: Changing the password doesn’t help since the credentials don’t depend on the password. So even after a password change, the attacker can still access the Dropbox account!

Kudos go to Derek Newton for finding this gaping hole.

Original article: Dropbox authentication: insecure by design
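The core of the problem above is that the stored credential stays valid no matter what the user does with their password. As an added example (not Dropbox’s code and not from Derek Newton’s article), here is a constructed server-side design in which every issued credential is signed over a per-user “password generation” counter, so a credential copied off a victim’s machine stops validating the moment the password is changed:

```python
import hashlib
import hmac
import secrets
# Constructed example, not Dropbox's code. The client still keeps a credential on disk,
# but the server signs each one over the user's "password generation" counter.
class AuthServer:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # signing key, never leaves the server
        self.users = {}  # user_id -> {"salt", "pw_hash", "generation"}

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _check_pw(self, user_id, password):
        u = self.users[user_id]
        return hmac.compare_digest(u["pw_hash"], self._hash_pw(password, u["salt"]))

    def _mac(self, user_id, generation, nonce):
        msg = f"{user_id}|{generation}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw_hash": self._hash_pw(password, salt), "generation": 0}

    def issue_credential(self, user_id, password):
        # One password login; the returned string is what the client would store in its config.
        if not self._check_pw(user_id, password):
            raise PermissionError("bad password")
        gen, nonce = self.users[user_id]["generation"], secrets.token_hex(16)
        return f"{user_id}|{gen}|{nonce}|{self._mac(user_id, gen, nonce)}"

    def validate(self, credential):
        # True only if the MAC verifies and the embedded generation is still the current one.
        parts = credential.split("|")
        if len(parts) != 4:
            return False
        user_id, gen, nonce, mac = parts
        u = self.users.get(user_id)
        if u is None or not hmac.compare_digest(mac, self._mac(user_id, gen, nonce)):
            return False
        return int(gen) == u["generation"]  # False for anything issued before a password change

    def change_password(self, user_id, old_password, new_password):
        if not self._check_pw(user_id, old_password):
            raise PermissionError("bad password")
        u = self.users[user_id]
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = self._hash_pw(new_password, u["salt"])
        u["generation"] += 1  # every credential copied off the victim's machine is now dead
```

Binding the credential to a machine identifier would be a further step; the point shown here is only that a password change must actually revoke what was issued before it.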


Design Patterns for JavaScript

18. April, 2011

Here is a good collection of design patterns for JavaScript: Essential JavaScript Design Patterns For Beginners


Mysterious Eclipse Hangs

15. April, 2011

If your Eclipse installation hangs, there can be several reasons. If it happens while your tests run, chances are that a test printed an exception to the console view. If the exception is very wide, this can cause Eclipse to hang for a few seconds: Bug 175888 – ConsolePatternMatcher causes large delays with some large input.

I’m working on a fix.


Windows 7 Libraries Trigger Eclipse Builds

15. April, 2011

If you’re on Windows 7, you may know this odd behavior: For some reason, Eclipse goes into a build frenzy. Every few seconds, it will rebuild the workspace.

The reason: You added your workspace to a Windows 7 Library and you have “Refresh Automatically” enabled.

My guess is that indexing of Windows 7 Libraries creates temporary files which make Eclipse believe something changed in the Workspace. Which causes a rebuild. Which makes Windows re-index the workspace.

Workaround: Remove your workspace from the library or disable “Refresh Automatically”.

See also: Bug 342931 – Windows 7 Libraries trigger rebuilds


Project Ceylon, Successor for Java?

14. April, 2011

A lot of languages compete for the king’s seat taken by Java. Most of them solve a lot of problems with Java but none of them really takes the win. As I say: “Why is there more than one database? Because they all suck.”

Now Ceylon enters the stage (slides from the presentation). The main goal is to clean up the SDK while keeping an eye on what was good and what was bad with Java.

I’ve had my share with programming languages. On a scale between 1 and 10 (best), Python gets 9 from me. Java gets 6. Scala gets 5.

So how does Ceylon fare? At first glance, I’d give it a 7.

Pros:

  • Compact syntax. No packages, no classes.
  • I like the idea of the recursive block scope which gets rid of the very limited public/private and the ill-fated package public. My only concern is how you can declare friends to something at a nested scope (for example for tests).
  • Short syntax to avoid NPEs. The approach allows catching null pointers when they are assigned instead of when they are used. This means: If you find a bug, you’ll actually know what to do about it.
  • No new keyword! I really never understood why they added that.
  • No checked exceptions. No one got them right, anyway.
  • Just one constructor per class. I never use them anyway, and the new named argument syntax solves many of the existing problems.
  • Method references

Cons:

  • = vs. :=. Come on. In 2011, I still need to tell the compiler something it already knows? Also, looking at my code, I’ll probably use := a lot. So that means extra effort for me. Bad. Not everyone’s brain is wired for immutables.
  • “if (exists foo)” to check for null values. If I already have to use a special syntax to mark something as “can be null”, why do I need to mention that again in a condition? What’s wrong with “if(name)”?

Things that leave me puzzled:

  • local vs shared. I understand that the compiler can’t infer types for shared references in a single pass but who cares? The compiler is a tool that has to make me more productive. If the compiler needs two or three passes to resolve dangling type references, so what?
  • How is the module system working? How do you bundle types in a container to keep the namespace clean?

Sony vs. The World 1:0 …?

13. April, 2011

So Georg Hotz “caved in” and accepted to sign a settlement agreement (good article). Those quotes aren’t accidental; being accused in a lawsuit does odd things to your life and most of them are unpleasant. Being famous isn’t as great as MTV wants you to believe. Ever wondered why all those famous persons are either weird, drug addicts or die early? There might be a connection.

As for Georg, one hell is over and now he gets raped by all his supporters. It’ll wash over, trust me.

So did Sony win? No. Winning would mean proving in court that it’s illegal to decrypt and modify the firmware of the PS3. Which they avoided. If you’re a multi-billion dollar company and someone/something is a threat to one of your most valuable products (my impression after reading what SCEA said during the lawsuit), wouldn’t you want to make sure this issue is fixed once and for all? For some reason, Sony didn’t.

It’s probably because they didn’t want to harm poor Georg.

*hilarious laughter*

Oh man, I’m killing myself. So. Sony caved, Georg won: He’s not going to jail, he isn’t fined, he isn’t prosecuted. He’s a free man. Well, mostly.

He isn’t allowed to do illegal things with “any SONY PRODUCT” (their yelling). Oookaaayy… what exactly is illegal? Wasn’t that one important point that the lawsuit should have settled?

I mean in Europe, it’s legal to reverse engineer any software if you need that knowledge to make it cooperate with some other software (“make it interoperable”) and if you can’t get that knowledge some other way (competitor wants to keep you out of the market, producer is no longer around, etc.). You must not spread the reverse engineered code but you could, for example, write a patch or an installer with it.

And Georg isn’t allowed to talk about the settlement which is confidential. I don’t need to understand this, I guess, but I’m sure he would rather forget this sad story and move on.

So. One guy fixed. I’m sure no other smart person on the planet is going to try this again. Ever.

And one prediction: It seems that Georg has some money left. Instead of wasting it on his own case (which Sony might have dragged out for a decade, for example) he might have invested it in the other lawsuit where chances to win might be much higher – especially with all the notes he got from his case.


Maven Tools for Eclipse: Patching POMs

11. April, 2011

I’ve added a new feature to my Maven tools for Eclipse: Applying patches to POMs.

This is a first step towards solving issues like this one: Bug 342046 – Invalid third party dependencies in Mavenized BIRT plugins

I’m not 100% happy with the result, though. Currently, the patch overwrites the original code. I think it would be much better if it created a profile instead. This way, you could see the original code and it would be simple to switch between different solutions for a problem in a POM.

The two standard problems are:

  • Bad version (no version, version range or wrong version)
  • Dependency name

The latter is introduced by the fact that Eclipse projects need to pull dependencies via Project Orbit. Orbit often renames dependencies so there is a naming conflict if you pull your dependencies from Maven Central. So we need a way to say “I’m using Orbit” and “I want Maven Central”.