I've remarked in various places that the Labour Party is currently in such disarray that if Theresa May kicked off a general election campaign with an hour of drowning kittens on live television she'd still win by 100 seats, or words to that effect. It's basically Leo in The West Wing:
"To sweep all fifty states, the President would only need to do two things-- blow the Sultan's brains out in Times Square, then walk across the street to Nathan's and buy a hot dog."
Which is all good knockabout politics, although I don't hear anyone, _anyone_, whether in the pub or in a CLP meeting, who thinks Labour winning in 2020 would require anything less than a multi-dimensional miracle.
Unfortunately it does bring up one grim thought to depress me (and I've stopped listening to Today, that's how bad it is). At the moment, there is little the Tories need fear with regard to losing an election; on the current trajectory they win with an increased majority, too. Abolish all free education past the age of 11? Fifty quid to see a GP? Declare war on Switzerland and make the eating of Toblerone an act of treason? Whatever: they still win in 2020. There is almost no policy, no matter how toxic, that the Tories could enact which gets the current Labour front bench into office. All the Tories have to do is kick back, chill their beans, and weigh the ballot papers. Labour need a manifesto which challenges UKIP to the right in the north and the SNP to the left in Scotland without alienating London, and even were the party functional and led by a proven election winner that is almost impossible. The more likely dogs' breakfast in the manner of 1983 just means a massive defeat followed by a generation of in-fighting while the Tories celebrate by roasting poor people over an open fire.
Suppose, just suppose, that instead of seeking the glory of a 150 seat landslide, May decided to double down and run on a manifesto which wins by 50 seats but makes her the Thatcherites' eternal heroine by giving party faithful as much as they can possibly have, consistent with winning an election. Not just the Human Rights Act, but tear up PACE, Freedom of Information and the Data Protection Act ("red tape", "stopping the police doing their job"). Not just index linking of university fees, but uncapped, and while we're at it not only grammar schools in every city but post-16 education chargeable via loans. And just for shits and giggles criminalise abortion, bring back workhouses and repeal the Discrimination Act. Whatever: a scorched earth, salted fields, roll the country back to before the Great Reform Act extinction burst of atavism.
With a manifesto like that coming from the Tories, what would Labour do? Lose by fifty seats, that's what. Grim, isn't it?
http://www.aboutmyvote.co.uk
If you are a UK Citizen or otherwise entitled to vote in this month’s referendum, please do so.
http://www.aboutmyvote.co.uk
My generation (born in the mid 1960s) are the single largest cohort in our society, and we vote at high rates. We’re the peak of the post-war boom, and we still go to polling stations.
We’re why you can’t buy houses; my wife and I bought a house, with a 100% mortgage, 11 months after we graduated, and we were hardly unusual: how many of you will be doing that?
http://www.aboutmyvote.co.uk
We’re why your pensions are likely to be grim: we paid a few quid into schemes that were clearly insolvent the moment our parents stopped smoking, but many of us can retire on secure incomes in our early to mid sixties.
And for the university educated amongst us, we got it free, too.
http://www.aboutmyvote.co.uk
Governments pander to us, because we win and lose elections; unlike the cohort older than us, we switch our votes from election to election and are susceptible to retail politics (“what’s in it for me?”). We are why inheritance tax is a major political issue: IHT isn’t about old people, it’s about their avaricious middle-aged children, like me. And we are why crazy rising house prices are a popular thing; the houses we don’t own, our parents own.
We are why education policy is a minor footnote, because most of our children are coming towards the end of, if they haven’t already finished, their educations.
http://www.aboutmyvote.co.uk
The referendum’s outcome could change your lives. Mine, not so much. But my generation will be flocking to polling stations to vote, and our issues are radically different to yours. You don’t trust your parents' opinion on Kanye West (808s and Heartbreak is my favourite, my children disagree) so why would you trust their views on anything else?
http://www.aboutmyvote.co.uk
We’ve now seen two general elections which have been decided by an if not grey at least greying vote, while policies that affect you have been put through without any attention to what you think. Sadly you (or at least people your age) just don’t vote in sufficient quantities to be interesting to politicians. Change that. Please.
http://www.aboutmyvote.co.uk
I don’t think anyone over 45 should be allowed to vote in the referendum, and I shall be voting strictly on the advice of my children. But people like me, and indeed my parents (ie, your grandparents) could decide the outcome of this referendum. Please don’t let us be the only voices that are heard.
http://www.aboutmyvote.co.uk
ian
On 15 Apr 2016, at 01:00, Ian Batten <xxx> wrote:
If anyone is keen enough to be running their own VPN server for Apple clients
More detailed examination with coffee in my hand (hey, I teach two lectures on IPSec and IKE, so this is _real_ _work_) reveals that on the down-low, Apple have re-written the entire opening phase of their VPN software and released it on two platforms over the past couple of weeks.
Historically, the Apple L2TP-over-IPSec implementation was as brittle as thin glass. The recommended deployment was talking to an Apple “Server” on OSX, but if you wanted to roll your own, it was very difficult to end up with an IKE configuration which would work with the Apple clients and also work with anything else. In essence, you had to configure the server with exactly the algorithms used at each phase by Apple, and none others: if you so much as mentioned an algorithm the clients didn’t support, the whole thing collapsed. I don’t have anything other than Apple kit in my mobile VPN estate so this didn’t matter to me, but I gather from former colleagues that using the Apple VPN client and the Microsoft VPN client into the same server is the best tool in your Cisco salesman’s box to convince you to just buy the end-to-end Cisco solution. Which Apple kind-of admitted by shipping the Cisco VPN client, branded, as a standard part of iOS (I think I’m right in saying that it’s the only piece of iOS as installed on a new device which has anyone else’s branding on).
The new stuff is completely different. You can turn on all the algorithms you like, and the Apple clients (a) in main mode, negotiate a sensible mutual combination of algorithms and use those for the rest of the exchange and (b) more impressively, in aggressive mode (where the two ends need to know in advance what algorithms are in use, as there’s no “what hash and encryption do you fancy?” phase) it steps through a sequence of proposals to try to find one that works: that’s not fast, but at least it works. So you can turn on the offer of algorithms that Apple don’t support yet (large DH groups, EC crypto, SHA512, that sort of thing) and leave them there waiting for the clients to catch up, and for use by more capable clients.
There are some other changes which aren’t as easy to analyse. The negotiation of PFS has definitely changed: it used to be that if you asked for it on the server, the client dropped the connection; now you can have it enabled with a group selected. But it’s not obvious whether it’s actually respected: since you can ask for crazy groups (6144 bits) or for things that don’t appear to be supported anywhere else in the Apple client (EC) and it still “works”, the implication is that the client is just doing a better (or worse, depending on your view) job of negotiation and is not using PFS even though it’s offered. I’m not sure how to check this. The packet sequence is the same, and although the contents are different they are encrypted: I’d need to find a way to get hold of the Phase 1 keys and use them to decrypt the Phase 2 packets in order to check. My gut feel is that Apple haven’t added PFS, they’ve just fixed the negotiation so it’s rejected cleanly.
It’s interesting that there’s a paper which raises concerns about widely deployed IPSec configurations, and within six months Apple are fielding a complete suite (they’ve made the same changes to the server, but I’m not using that code) of changes to close the whole issue down. They are playing hardball with the US government.
ian
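The two negotiation behaviours the mail describes, plus one way to approach the PFS question it leaves open, as an added Python model. This is not Apple's code and not from the original mail: the client preference list, the two server policies and the message lengths are all constructed. The only facts it leans on are IKEv1 wire formats: the 28-byte ISAKMP header, the 4-byte generic payload header, the per-group Diffie-Hellman public value sizes (RFC 3526 for MODP groups, RFC 5903 for ECP groups), and the fact that Quick Mode carries a KE payload only when PFS was negotiated (RFC 2409 section 5.5). Phase 2 payloads are encrypted with a CBC cipher, so their content is hidden but their padded length is not, and a KE payload of a few hundred bytes is hard to miss:

```python
"""Toy model of IKEv1 phase 1 proposal selection (main vs aggressive mode) and a
length-based check for a KE payload in Quick Mode, i.e. whether PFS is really in use.
Added example: the transforms, policies and lengths below are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    enc: str        # e.g. "aes256", "3des"
    hash_alg: str   # e.g. "sha1", "sha256", "sha512"
    dh: int         # IKE Diffie-Hellman group number


# Constructed preference list for a client of the kind the mail describes:
# no EC groups, no SHA-512, nothing above group 14.
CLIENT_PREFERENCES = [
    Transform("aes256", "sha256", 14),
    Transform("aes256", "sha1", 2),
    Transform("3des", "sha1", 2),
]

# Constructed server policies: one that also offers algorithms the client does
# not support yet, and a legacy one that only does 3DES/SHA-1/group 2.
PERMISSIVE_SERVER = {
    Transform("aes256", "sha512", 18),
    Transform("aes256", "sha256", 19),   # EC group, unsupported by the client
    Transform("aes256", "sha256", 14),
    Transform("3des", "sha1", 2),
}
LEGACY_SERVER = {Transform("3des", "sha1", 2)}


def main_mode_select(initiator_proposals, responder_policy):
    """Main mode: the initiator's SA payload lists every transform it accepts and the
    responder answers with the first one it also accepts. Extra server-side algorithms
    cost nothing, because the responder is never forced to pick them."""
    for t in initiator_proposals:
        if t in responder_policy:
            return t
    return None


def aggressive_mode_negotiate(initiator_preferences, responder_policy):
    """Aggressive mode: the KE payload travels in message 1, so the initiator must commit
    to one DH group (in practice one transform) before hearing from the responder. A
    client that copes with unknown servers therefore retries one transform per exchange.
    Returns (selected transform or None, number of exchanges used)."""
    attempts = 0
    for t in initiator_preferences:
        attempts += 1
        if t in responder_policy:
            return t, attempts
    return None, attempts


# IKEv1 wire facts used by the PFS check (RFC 2408/2409, RFC 3526, RFC 5903).
ISAKMP_HEADER = 28            # cookies, next payload, version, exchange, flags, msg id, length
GENERIC_PAYLOAD_HEADER = 4    # next payload, reserved, payload length
DH_PUBLIC_VALUE_BYTES = {     # size of the KE payload body for each group
    1: 96, 2: 128, 5: 192, 14: 256, 15: 384, 16: 512, 17: 768, 18: 1024,
    19: 64, 20: 96, 21: 132,  # ECP groups: x || y of the public point
}


def quick_mode_wire_len(plain_body_len, group=None, block=16):
    """Constructed model of an encrypted Quick Mode message: the ISAKMP header is in
    clear, the payloads are CBC-encrypted and padded to the cipher block size, and a
    KE payload is present only when PFS was negotiated (RFC 2409 section 5.5)."""
    body = plain_body_len
    if group is not None:
        body += GENERIC_PAYLOAD_HEADER + DH_PUBLIC_VALUE_BYTES[group]
    return ISAKMP_HEADER + -(-body // block) * block


def pfs_groups_consistent_with(observed_len, baseline_len, block=16):
    """Compare Quick Mode message 1 from a PFS-enabled run with the same message from a
    baseline run where PFS is off on the server. Padding hides at most one block, so
    growth within a block of (header + public value) for some group means a KE payload
    is present. Returns the groups that fit; [] means no KE payload, i.e. the client
    agreed to PFS on paper but never did the extra Diffie-Hellman exchange."""
    growth = observed_len - baseline_len
    fits = []
    for group, size in sorted(DH_PUBLIC_VALUE_BYTES.items()):
        if abs(growth - (GENERIC_PAYLOAD_HEADER + size)) <= block:
            fits.append(group)
    return fits


if __name__ == "__main__":
    print(main_mode_select(CLIENT_PREFERENCES, PERMISSIVE_SERVER))
    print(aggressive_mode_negotiate(CLIENT_PREFERENCES, LEGACY_SERVER))
    base = quick_mode_wire_len(150)
    print(pfs_groups_consistent_with(quick_mode_wire_len(150, group=14), base))
```

The length check needs a baseline capture of the same client against the same server with PFS disabled; compare the first Quick Mode message of each run (the responder's reply grows by the same amount). Over UDP 4500 both captures carry the same 4-byte non-ESP marker, so it cancels out. Where two groups share a public value size (group 1 and group 20 are both 96 bytes) the check reports both rather than guessing, and it says nothing about whether the peer actually used the exponent correctly; that still needs the phase 1 keys and a decrypt.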
One day, I am going to get around to writing my magnum opus on the mistaken beliefs that some security people have about threat actors. But today, I’m going to consider one of them: the terrorist with perfect operational security.
There are a whole range of arguments which assume that there is no point in society adopting mechanisms to attempt to defend itself, because our enemies have perfect operational security. There is no point in intercepting communications because they all use encryption, both effective algorithms and with flawless security around key management (a feat few national agencies have managed). There is no point trying even traffic analysis because they all use Tor with flawless, error-free precision (even though there is ample reason to believe this is very difficult). There is no point using ANPR because all criminals drive stolen cars with false plates (although this weekend’s Paris attacks used hire cars). And so on.
There are good reasons to be wary of security service claims as to the efficacy of their boxes of tricks, and certainly we need to balance civil liberties and security agendas. We need to do this all the more in the aftermath of appalling events as happened in Paris this weekend. But we need good arguments. Arguments which presume that terrorists are criminal masterminds with not only access to, but the skills and discipline to use effectively, top-quality crypto and therefore interception is pointless are just wrong. Terrorists have many things to be doing while planning an outrage, and they clearly are not communicating using perfectly-used one time pads.
There's a fairly well documented, and rather annoying, bug in Emacs 24.3 on OSX 10.9. Under some circumstances it either consumes a lot of memory and CPU and starts to run very slowly, or it causes distnoted to do likewise. It happens particularly after sleep and wake-up, and if distnoted is the victim it's usually enough to get the fans to come on and stay on. It happens to me roughly once a week. The bug is present in the binaries available from http://emacsformacosx.com.
There is a patch:
It's apparently incorporated in the 24.4 pre-tests and nightlies, if you like to live dangerously.
I've applied the patch to a set of clean 24.3 sources and compiled it on 10.9.4 with the latest version of XCode, to get the fix without any other changes.
If anyone needs the binaries:
http://www.batten.eu.org/~igb/emacs-24.3-leakpatch-mavericks.tar.xz
SHA256 hash [1] is f94c2f9dbf40ff42dd8ee41ce7fab4e1f5208c2178aa99ab8a8344560e49d41c
Just untar it and move the resulting Emacs.app directory to /Applications or wherever you keep such things. The OSX tar command now automagically handles .xz.
Aficionados of the ludicrous bloat of modern software will have their prejudices confirmed upon learning that using a good compression algorithm, the installation kit (ie a tar of /Applications/Emacs.app) is 100MB.
ian
[1] openssl dgst -sha256 -hex < emacs-24.3-leakpatch-mavericks.tar.xz