Misc

Multilingual

As you may have noticed, I started translating the site and some content into German. I wanted to do this for some time now but only recently installed the Drupal i18n module. I will try to offer all future content simultaneously in English and German, though English will remain the first language in which content is published. Meanwhile I will translate missing content as I see fit and find time.

Mail Tagging

For quite some time now I have wanted tagging of mails instead of hierarchical storage. Thunderbird 2 claims to support that, even with IMAP (which is rare, even more so than tagging mails itself). The feature used there is IMAP keywords, which still seems to be a draft, though. However, Thunderbird comes with five tags predefined: Important, Work, Personal, To Do and Later. I did not intend to use them. I'd rather categorize similarly to my folders, which means tags like Sent and Received in the first place, furthermore a tag for each person I wrote the mail to or received it from (conversations), as well as content tagging. That should allow me to easily categorize my mails like I did before but also allow for conversation reading and quickly finding a certain mail.

So far the theory. First of all, Thunderbird never gave me easy access to the tag management (buried somewhere in the options, but inaccessible from the context menu or Tags dropdown). Defining my own tags worked and they are basically stored on the server; however, I would have to set up the exact set of tags on the other machine I am using this account from as well. Definitely cumbersome, as I expected tags to be solely stored on the server (except for local caching) and not the client. Apparently I was wrong. The Remove all tags menu entry also only removed the tags the client was aware of, instead of all tags associated with the message.

Also I wasn't able to replace the folder view with a tag view. Tagging with keyboard is nice but I'd have to remember all tags and their associated numbers (which won't happen with the number of tags I had in mind). What I'd really like would be a view that organizes messages not by folders but by tags and threads. Thunderbird fails with the first view already.

I currently have some 12,000 mails archived and with some people I have exchanged more than 1,000 mails and finding a single one is pretty hard. I certainly hope for more support for tags in mail clients for the future. As of now, Thunderbird isn't adequate for people with more than one machine (and honestly, where'd be the advantage of IMAP when you read mail only on one computer?).

UPDATE (2008-01-02 05:43): Tried out Mulberry but it only supports up to eight tags (and it's downright ugly). So another client down. Claws mail stores tags only locally and only in the latest version (The gpg4win port is ancient and doesn't work on Vista, at least not here).

UPDATE (2008-01-02 08:35): Read up on RFC 3501. Tags can actually contain arbitrary bytes, except a few forbidden ones (which include things like parentheses, space and a few others). This means we could get one-word Unicode tags via Punycode, actually. Another thing to note: Thunderbird's behaviour on encountering unknown tags is probably intentional (though stupid in my eyes) and there should be no need for it, except for the fact that you will only get the tag name on the server instead of the one you defined in your client (they can and probably will differ, especially if you included forbidden characters or renamed the tag).
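
An added example (not part of the original post) of the keyword rule and the Punycode idea from the update above. RFC 3501 defines a keyword as an atom: 7-bit characters without controls, space and the atom-specials. The `xn--` marker borrowed from IDNA and the function names are assumptions of this example.

```python
# Added example, not from the original post. RFC 3501 defines a keyword as an
# "atom": one or more 7-bit characters excluding controls, space and the
# atom-specials ( ) { % * " \ ]
ATOM_SPECIALS = set('(){%*"\\]')
ACE_PREFIX = "xn--"  # assumption: reuse the IDNA marker for encoded keywords


def is_valid_keyword(keyword: str) -> bool:
    """True if the string may be sent to the server as an IMAP keyword."""
    return bool(keyword) and all(
        0x20 < ord(ch) < 0x7F and ch not in ATOM_SPECIALS for ch in keyword
    )


def label_to_keyword(label: str) -> str:
    """Map a client-side tag label to the keyword stored on the server."""
    if label.isascii():
        keyword = label
    else:
        # Punycode keeps the ASCII characters as they are and appends the
        # non-ASCII ones as letters and digits after a hyphen.
        keyword = ACE_PREFIX + label.encode("punycode").decode("ascii")
    if not is_valid_keyword(keyword):
        raise ValueError(f"{label!r} contains characters forbidden in a keyword")
    return keyword


def keyword_to_label(keyword: str) -> str:
    """Recover a display label from a keyword read back from the server."""
    if not is_valid_keyword(keyword):
        raise ValueError(f"{keyword!r} is not a valid IMAP keyword")
    if keyword.startswith(ACE_PREFIX):
        try:
            return keyword[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # set by another client: fall through and show the raw name
    return keyword


if __name__ == "__main__":
    # Constructed labels: plain ASCII, one-word Unicode, and two forbidden ones.
    for label in ["Received", "bücher", "To Do", "mail(work)"]:
        try:
            print(f"{label!r} -> {label_to_keyword(label)!r}")
        except ValueError as exc:
            print(f"rejected: {exc}")
```

Because the label can be recomputed from the keyword, a second client needs no local tag table to display a tag it has never seen.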

24C3

No, this is not one of the numerous Hacks performed during this year's Chaos Communication Congress but rather a collection of interesting talks.

I wasn't there in person (I plan to be there next year) but followed the streams and present here a selection of talks I really enjoyed.

Day 4 is currently missing, as well as a few links. This will change shortly.

Day 1

Der Bundestrojaner (de)

[description] [MKV] [MP4]

A quite funny talk about the 'Federal Trojan' as it is usually called around here. Mixed with interview answers of Dr. Schäuble himself which leave a quite uneasy feeling of him not quite understanding what he is really talking about.

What is terrorism? (en)

[description] [MKV] [MP4]

A deeply depressing view on how Germany's law enforcement deals with suspected terrorists. The partner of the presenter was arrested and she was put under surveillance. Reasons for suspecting her partner a terrorist were some writings, being a political activist and not always taking his mobile phone with him.

Design Noir (en)

[description] [MKV] [MP4]

A nice look at some unusual projects of electronic engineering, including an electrocuting jacket, the TV-B-Gone and a device that jams GSM, WiFi or Bluetooth signals. Projects like these reflect an interesting culture of electronic device design, called Design Noir, that is meant to fulfill the 'real human needs' as opposed to the industry's needs by "using misusing a simple electronic product that challenges the conformity of everyday life." And that Wave Bubble surely looks interesting enough that I want to build one (though I should inform myself beforehand on how legal that might be around here, considering that during C3 one person was charged for using a TV-B-Gone at Media Markt [although I don't think the charges will hold]).

Programming DNA (en)

[description]

DNA is, essentially, a programming language for biological beings. By changing or adding certain genes you can alter the behaviour of cells. Currently this is at least being done with viruses, which have a rather simple structure and can be modified in such a way that we understand what the genes do (reverse engineering DNA is pretty ugly so best try to avoid it). The presenter talked about a pretty elaborate component architecture with genes they devised in which you can simply plug together something you like and get the DNA printed (well, sort of). It's still a process of several months but it certainly sounded cool, especially the part with an open database of these building blocks and the ability to simply combine them. Although the thought of some day hacking humans is a bit scary.

DNS Rebinding And More Packet Tricks (en)

[description] [MKV] [MP4]

Dan Kaminsky has a track record of rather cool, but ugly hacks as well as a presentation style that is downright entertaining to watch. After last year's visual bindiff he now presents a reimplementation of TCP in JavaScript, Flash/Java and IFrames. And yes, it is as weird as it sounds. Maybe this is yet another reason to avoid having any browser plugins that display active content and if Silverlight provides sockets and is scriptable from the outside via JavaScript it has the same problems as well. He even performed a live demo of that stuff and it worked (with Firefox and Flash).

Day 2

Elektronische Dokumente und die Zukunft des Lesens (de)

[description] [MKV] [MP4]

An interesting tour through the history of devices for electronic reading and why they failed or are still unusable. It was the first talk of the second day and thus quite early (a.k.a. in the middle of the night or 11 am) but it was funny and interesting.

Absurde Mathematik (de)

[description] [MKV] [MP4]

A short talk about some mathematical paradoxes. Nothing too fancy but might be interesting to some. Main drawback was that it was too short (in my opinion). Another problem was that the presenter was not that firmly rooted in mathematics and didn't even know that much more besides what he presented (a person from the audience asked about the Banach-Tarski paradox and he didn't even grasp the problem).

Toying with barcodes (en)

[description] [MKV] [MP4]

A nice overview of barcodes, scanners and the inherent security risks. I certainly hadn't heard about barcode SQL Injection before. But scanners themselves are usually also vulnerable, regardless of the software behind them. Since barcode scanners can usually be reconfigured using barcodes this is also an easy attack vector, as those configuration barcodes can easily be obtained from the vendor. But for most scenarios this isn't necessary, as you can more often than not exploit vulnerabilities within the software, which most of the time doesn't check the data it gets.
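
An added example (not from the talk or the original post) of the check that the software behind the scanner usually omits: the scan is validated against the expected symbology and then bound as a query parameter instead of being pasted into the SQL text. The `products` table, the function names and the sample codes are constructed for this example.

```python
import re
import sqlite3

# ASCII digits only; \d would also accept digits from other scripts.
EAN13_RE = re.compile(r"[0-9]{13}")


def is_valid_ean13(scan: str) -> bool:
    """Accept exactly 13 ASCII digits whose last digit is the EAN-13 check digit."""
    if EAN13_RE.fullmatch(scan) is None:
        return False
    digits = [int(ch) for ch in scan]
    # Weights alternate 1, 3, 1, 3, ... over the first twelve digits.
    total = sum(d * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def lookup_price(db: sqlite3.Connection, scan: str):
    """Return the price in cents, or None for unknown or malformed scans."""
    if not is_valid_ean13(scan):
        return None  # layer 1: anything that is not a well-formed EAN-13 is dropped
    # Layer 2: the value is bound as a parameter, so it can never become SQL text.
    row = db.execute(
        "SELECT price_cents FROM products WHERE ean = ?", (scan,)
    ).fetchone()
    return row[0] if row else None


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory product table with a single sample article."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (ean TEXT PRIMARY KEY, price_cents INTEGER)")
    db.execute("INSERT INTO products VALUES ('1234567890128', 199)")
    return db


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed scans: a valid code, a wrong check digit, and text such as a
    # free-form symbology (e.g. Code 128) could carry.
    for scan in ["1234567890128", "1234567890123", "0' OR '1'='1"]:
        print(repr(scan), "->", lookup_price(db, scan))
```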

Spiel, Freude, Eierkuchen? (de)

[description] [MKV]

A quite interesting talk about the neverending debate about killer games (mostly first-person shooters) that came under attack after an incident at a school in Erfurt. Most media usually cited the killer playing games like Counterstrike as the reason for running amok. There were some TV segments about the subject, mostly riddled with incorrectness and inconsistencies and one of the speakers was actually the one who made a few of those segments and answered most of the questions of the audience.
One person from the audience was actually a representative of the German Bundestag and had a few interesting words to say about the whole issue. I laud that such people attend events like 24C3.

DIY Survival (en)

[description] [MKV]

A quite funny talk about ways of the world to end and what to do in such an event. But behind its tongue-in-cheek presentation were some nice things to build for oneself, maybe not only in the event of a robot uprising or nuclear attack, such as for example an EMP emitter.

Day 3

What can we do to counter the spies?

[description] [MKV]

The speaker has been with Britain's MI5 for several years and felt increasingly dissatisfied with their actions which sometimes even led to attacks being carried out instead of prevented. MI5 and MI6 seemed to operate outside the laws numerous times and this led to Annie's and her partner's departure from MI5. They went into hiding in France for two years and she wrote a book which the British intelligence didn't want to be published. Now she is a political activist. Her talk includes many interesting anecdotes on how the intelligence agencies worked in the 90s.

Wahlchaos (de)

[description] [MKV]

A short look at some not entirely clear paradoxes and weirdnesses of the German voting system. Also trying to discover what could have been changed by carefully manipulating votes in certain districts.

Die Wahrheit und was wirklich passierte (de)

[description] [MKV]

I didn't watch this talk to the end, but I will certainly do so. Basically each story has four versions: Your version, their version, the truth and what really happened. The talk mentioned a concept named major consensus narrative which is the version of an event that is remembered by people. This is most often taken for the truth, although it does not need to have anything in common with it. An interesting look into how we think and handle perception.

Meine Finger gehören mir (de)

[description] [MKV]

A talk about biometric security measures in the new electronic passport and their weaknesses. Most security gains (which aren't that great) are reduced to nothing because of obvious holes in the law texts. If you are fine with getting a new preliminary passport every year you can get away without ever having your fingerprints taken. And of course, terrorists can't do anything damaging within the timespan of a year ...
The whole protocol also leaves enough room for faking your fingerprints which is fairly easy with transparencies, a laser printer and glue.

Hacker Jeopardy (de)

[description] [MKV]

Well, not much to say about it, weird as ever and very entertaining. Although the questions, erm answers this year were pretty hard, at least for me.

Batch tricks: Breaking loops

When writing a loop sometimes it can become necessary to break out of the loop before it is finished. Batch files allow loops, but do they allow some kind of break statement?

Actually, yes:

@echo off
for /l %%i in (1, 1, 100) do if %%i GTR 10 (goto break) else (echo %%i)
goto :EOF
:break
echo successfully broken the loop

This is the whole file. When run it will print the numbers from 1 to 10 and then break out of the loop, displaying the appropriate message. The code itself should be pretty straightforward. The if statement checks for the loop variable being greater than 10 and based on that will either break or print the number. And as you can see, if we would let the loop finish we wouldn't see any message since we quit immediately after the loop.

Does this work with subroutines as well? Sure:

@echo off
for /l %%i in (1, 1, 100) do if %%i GTR 10 (goto break) else (call :loop %%i)
goto :EOF
:break
echo successfully broken the loop
goto :EOF
:loop
echo %1
goto :EOF

Not much harder, actually. Be careful, though, that the breaking happens in the loop itself and not in the subroutine. A subroutine ends when the end of file is encountered (either due to the end of file or a goto :EOF), so when branching out of the subroutine we would print "successfully broken the loop" but return to looping directly thereafter.

On or and its various incarnations

Well, starting from “Or” considered harmful, we noticed that the distinction of andor, xor and ewok is certainly a useful concept; however, the naming scheme leaves room for improvement. Andor is certainly too long for practical usage and ewok always raises associations to small furry creatures.

On the quest for appropriate names we thought that or certainly suffices for andor, just like (mathematical) logic tells us. Xor is short and pronounceable enough for everyday use and the meaning is clear with the usual knowledge of geeks. This leaves ewok. sh suggested eor, which may be interpreted as ewok-or. It does not sound too stupid, is short enough and thus quite usable.

The only challenge now is to switch my writing and talking habits over to those new words :-)

Solving the wrong problem

I faintly remember the times when games and other software came along with installation instructions (nowadays it seems most publishers assume that people can install software without instructing them). A common and recurring template was “Insert the CD into your CD ROM drive. The setup program should start automatically, if it doesn’t, follow these steps to turn on AutoPlay and try again: …”

This is, essentially, a non-solution. It solves a problem the customer doesn’t even have: Usually you don’t think ‘How could I turn on AutoPlay which I disabled a few weeks ago to save me from setups popping up?’ instead you want to run the setup that simply didn’t start automatically (which may be on purpose).

A similar situation occurred to me recently when I visited a web page that wanted to display an image in a popup. I have set my popup blocker to highly aggressive, so it blocks essentially everything that opens a new window. When I manually opened the link that caused the blocked popup in a new tab (a method that usually yields the content) I found myself on a page that explained in detail how I could either turn on Javascript or turn off my popup blocker.

Great. They are solving a problem I don’t even have. I just want to access the content.

Since the advent of popup blockers I doubt popups are a valid method of conveying information to the user anymore.

Trying out using Word 2007 for Submissions here

Microsoft Word 2007 has the ability to post blog entries to various sites. Since Drupal optionally supports some Blogging APIs I decided to give it a try.

This post was edited entirely in Word 2007 :-)

UPDATE: I think I will not use this way of submitting content because (a) it emits HTML, instead of nicely formatted plain text (Drupal converts line breaks automatically, so no need for <p>), (b) it does not give me the categories from the taxonomy module, so tagging has to be manually done afterwards and (c) it does not support the URL Aliases which I set up for each post to allow for a clean URL.

NSIS—the next scourge of installers on Windows?

After InstallShield and others moved on to simply generating Windows Installer scripts that were executed and wrapping their own GUI around it (though I still don't quite understand why this GUI has to be so ugly skinned in recent versions. Consistency across a platform is actually a nice thing to have and I don't like it when programs break that intentionally) now there is a new problem to overcome for installers: Signatures and requesting elevated privileges.

The first part might already have been important with Windows XP SP2, though I can't really tell since the time I've used that OS accounts for maybe a few hours total. However, more and more open source projects move to signing their installers, which I see as a good thing since it enables Windows to check the signature and detect changes (whether deliberate or just download errors) before executing the whole thing and it enables users to establish a base of trust (plus, it's traceable to the person or corporation that signed it). Also Windows will display a much more friendly confirmation dialog when the signature can be verified.

The other part is more icky on Windows Vista. Since Microsoft introduced UAC, programs can request elevated privileges through a manifest. If the administrator disabled automatic setup discovery heuristics (which are pretty accurate, however they cannot be bypassed which makes them not quite good if they give a false positive) through group policies, the only thing Windows will use for determining whether the program needs administrative access is the manifest.

Actually, there is another option: Requesting elevated privileges only when you need them. This is what the Windows Installer currently does and I found it to be a pretty nice idea. Why bother the user with requests that are unnecessary? However, most installers actually do need elevated privileges.

Many programs nowadays are packaged with the Nullsoft Scriptable Install System (NSIS) and since most of them are hobbyist or open source projects almost none are signed (a problem not specific to NSIS, but it has a broad userbase in the open source community due to the fact that it is itself open source). Furthermore, no NSIS installer I found included the manifest that told Windows to start it in elevated mode. And NSIS apparently does not support (or no one uses it) requesting privileges only when needed.

The funny thing about NSIS is that if you start it as a limited user it will try to run the installation (which may succeed to some degree thanks to Vista's virtualized files) and then fail miserably. The worse part here is that on failure NSIS won't even bother to do a rollback, which I find a little disturbing. An installer often meddles with the system at a quite low level and may produce inconsistencies if it won't run completely. An installer not being able to properly roll back changes already made on failure relies a little too heavily on the assumption that everything will work fine (I doubt they even try to use Transactional NTFS on Vista [although this may be true for all installers currently but would be a nice addition]).

So basically you have to clean up your system a bit after NSIS failed due to limited user rights. Thankfully the stuff for that is all in one place.

Windows already has a hard time dealing with the multitude of different installers while the only package management system which could be called by that name (Windows Installer) isn't used as widely as I'd hope. Come on, guys. There is already a decent installer framework. InstallShield, Wise, etc. made the move to compile their scripts to Windows Installer, should be possible to do that with NSIS as well.

Or use WiX.

Numbers

Playing around with Windows Vista

Introduction

Earlier this year I bought a ThinkPad R60. Upgraded to one and a half Gibibyte of RAM I was pretty sure it at least should be able to run Vista. The built-in Intel GMA 945 graphics chip isn't impressive but at least it's able to meet Vista's requirements for the Aero user interface.

So far my impressions are mixed and for people willing to upgrade it may be safer to wait for Service Pack 1 to be released (sometime in the first quarter of 2008).
