Key Sizes

Interestingly, it looks like various pieces of software are starting to enforce minimum sizes on keys even if it breaks the specification.

There was a story in Wired on 24th October [1] about a researcher realising that the keys being used to perform DKIM signing of email were in some cases laughably small. Google, for example, were using 512 bits, which makes forging mail from them trivial. I've just upgraded my DKIM installation to the latest version of OpenDKIM, and I see that it's now logging the error "verification error: signing key too small" against some mail. A glance at the source code and the ChangeLog reveals that the feature ("Add library option DKIM_OPTS_MINKEYBITS...default is 1024.") was added on the 24th of October.

Similarly, the openssh suite is now enforcing minimum sizes on host keys. I have an old Cisco srw2008 managed switch, which modern version of ssh now refuse to talk to.

ians-macbook-air:Downloads igb$ ssh srw2008.home.batten.eu.org
ssh_rsa_verify: RSA modulus too small: 512 key_verify failed for server_host_key

RFC 4253 doesn't mandate key sizes, but the ssh client has been modified (some years ago, it would appear --- the oldest version I have is on Solaris 10 circa 2005, and that shows the same behaviour) to enforce minimum key sizes on servers. As I can't fix the firmware on an old switch, I've had to compile up my own version of ssh which bypasses this check!

[1] http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/

Government Unemployment Statistics, #universalcredit

http://www.publications.parliament.uk/pa/cm201213/cmselect/cmworpen/writev/576/m32.htm  (DWP evidence to Work and Pensions select committee on Universal Credit, 17 August 2012)

38. Universal Credit makes more claimants employable and better able to get jobs. Over eight million people in the UK don’t use a computer, and 38 per cent of these are unemployed.

Even if we take "over eight million" to mean "eight million ", that's just over three million people who the DWP think are unemployed and don't use a computer.   

The unemployment rate was 8.1 per cent of the economically active population, down 0.1 on the quarter. There were 2.59 million unemployed people, down 7,000 on the quarter.

So, how does this all work?  The DWP are claiming that of 2.59 million unemployed, at least 3.04 million of them don't use a computer.  That can't be right, so the numbers must have got mangled in transmission.  Either than, or the DWP know the unemployment figures are wrong, and have accidentally let the cat out of the bag.

ian

#nginx: it's really good

Over the years, I've wrestled with Apache more often than I care to recall, and been astounded about how complex some simple tasks ("set up a virtual server to serve up this directory hierarchy over https with password authentication", for example) are.

A couple of days ago I needed to set up just that on an embedded device (http://en.wikipedia.org/wiki/NSLU2) to serve up logfiles.  I was steered towards a thing I'd heard of mostly as a reverse proxy, rather than a backend server, Nginx (http://nginx.org/).  Straightforward configuration, even first time, so I was able to write a config pretty much from scratch where I understand what each line does (be honest: how much of the last Apache configuration you did do you understand?) and where the config, even including a virtual server, ssl configuration, Basic Authentication and merging two hierarchies on the machine to form one hierarchy over http only totals to (forty!) lines.

ian

Gove Levels #gcse #omnishambles

Consultation document here: http://goo.gl/UHAES

I'm going to read the consultation document and produce a response, I think. My younger daughter will just miss the coming shambles, so I'm a disinterested observer whose children are deep in the current process. And Gove will be leaving a nasty mess on the doorstep for an incoming Labour (please, God, make it true) administration in May 2015, as the idea is first teaching September 2015.

But at first glance, you have to say that all the expensive education the minister and his civil servants have had at our top institutions does seem to have been rather wasted. "1.1 This consultation sets out the Government’s plans to restore rigour...to our examination system at age 16". "3.4 ... The public recognise [the claim that there has been a lessening over time in how demanding GCSE qualifications are] to be true. 60% of those surveyed in a recent YouGov poll believe that GCSEs have got easier, while only 6% think that they have got harder." Oh yes, a _really_ rigorous way to establish facts about complex educational issues is to use a poll amongst people who have no direct knowledge of the topic, and therefore can only rely on anecdote and media coverage. "3.3 ... Employers, universities and colleges are dissatisfied with school leavers’ literacy and numeracy, with 42% of employers needing to organise additional training for at least some young people joining them from school or college". That's an AS Level "Critical Thinking" fail, because it doesn't tell us how many of those young people actually had a C in GCSE Language (to cite the current hotspot), and therefore tells us nothing about the qualifications. And conflating universities with undifferentiated employers is hardly helpful, either.

"4.1. The first of our aims is to reverse the long term decline in standards". It's lovely to be able to use the phrase "begging the question" correctly for a change. Where's the evidence there is a long term decline in standards? And then on page six, after unevidenced hand-waving, we get to the first important consultation questions: what should be the name of the new qualifications? Not "do you agree standards have fallen?" --- that's a given. Objection your honour! Leading the witness! Asking someone what colour they would like their new car in, or when would be convenient to fit the new carpet, is a classic salesman's close: they're assuming you're buying. Similar, "what name should our new qualification have?"

It's shockingly badly written, too. There is a rich irony in "grammar" and "punctuation" appearing in a sentence as rambling as "Ofqual has acted to tighten controls over GCSEs, tackling resits, modularisation and spelling, punctuation and grammar, and demanding evidence that improvements in grades are matched by real improvements in performance." Isn't this what primary teachers call "comma-splicing"? They try to get their KS2 pupils to avoid it for fear of being marked down in SATs. There are stray sub-headings in the consultation response template which entirely alter the meaning of questions from the consultation document (for example, "6 Are there particular approaches to examinations which might be needed to make this possible for some subjects?" is headed "Teaching to the Test", which I suspect isn't the intent).

Ah well. Our new masters.

ian

Bring out your elderly iPod Nanos

Apple announced late last year [1] that they had seen some battery problems with the original 2005 iPod Nano, and that if you sent it in you'd get a replacement.   There was some speculation as to whether you'd get back a refurb or "new old stock", but it was widely reported that what you didn't get was a new iPod.   But replacing batteries in those models is a pain (you have to de-solder and re-solder the connector), so it made sense on the face of it for anyone with one that still worked to get it replaced.  

Ours had gone missing, but turned up last week while looking for something else.  I applied to Apple for a return authorisation, received in the post a couple of days later a pre-paid envelope and packaging, sent the iPod off (having wiped it), and waited for the replacement.  Which turned up this morning: a brand new 8GB iPod Nano.

As it happens, I'm not entirely overjoyed: I like click-wheels, and 2005-vintage iPods are the best things to connect to the 2005-vintage interface in the car (firewire charging).  But if you happen to have an elderly, but still working, iPod Nano, it might be worth getting it replaced to see what toy you get in exchange.

[[ Update: in fact, with the very mysterious Griffin adaptor which allows Firewire accessories to charge USB iPods, my ancient ICElink in fact does drive the Nano.  It doesn't drive Touches and iPhones properly because it doesn't know how to get them into iPod mode, and if you put it into iPod mode by hand it tends to come out when you plug in the accessory. ]]

ian

Dropbox Security

Those that use Dropbox and worry about its security depending solely on a password and don't mind living on the Beta-release bleeding edge may be interested in the latest build of the Dropbox client (1.5.12). This includes 2-factor authentication. The passcode, either generated by Google Authenticator or sent to you by SMS, has to be supplied whenever you supply your password, which means whenever you link a new machine to Dropbox.

https://forums.dropbox.com/topic.php?id=66910

It seems to work at least as far as generating a code and letting you log in.

I don't think it provides much additional security against Dropbox's server-side security being compromised. If Dropbox were to allow the bad guys to access their authentication database then the bad guys would have the plaintext of the shared secret for the one-time password generator. The bad guys would then trivially be able to generate passcodes. Your security would then rely on the strength of the hash function used to store passwords and the strength of your password in the face of a brute-force offline attack on that hash function, as before. I also don't think it protects you against an active attacker who can access your security credentials. If the attacker has the ability to steal your credentials, by reading the local security state or in some way attacking the protocol between you and Dropbox, then they can masquerade as the machine whose credentials they have access to and bypass the two-factor stage. Dropbox doesn't seem to have any way to stop the client from storing security tokens: you cannot get it to ask for fresh authentication each time it starts up, and it doesn't appear to have any TPM support.

It does protect you against an attacker able to run a keylogger and able to coerce you into reauthenticating, but not able to otherwise read your security state.

A risk it also mitigates is an attacker who obtains your username/password pair from another insecure site, possibly one that you care about less than Dropbox, and then finds that you've used the same username/password on Dropbox. For large-scale deployments of Dropbox to less security-aware staff this might be very useful.

ian

The Assange Tar Baby

Julian Assange is now acting as a tar-baby of the left: people who previously, whatever their credentials on other topics, were not likely to be found splitting hairs about acceptable and unacceptable forms of rape are now doing just that. Their love for Assange, or at least for his anti-imperialist credentials, means that they have to defend not just the movement, but also the man.

The problem is, they can't quite figure out what it is they feel that they have to defend. They can't make their mind up whether he's been fitted up on trumped up charges, or whether the charges are real but aren't really serious, or why they're being pursued.

The first problem they don't seem able to explain is why Sweden, previously famed for its transparent, liberal and generally right-on nature (Volvos, Ikea, Wallander) is suddenly a crooked patsy of the US. Not only the Swedish government, but the entire Swedish justice system from their supreme court all the way down to a local prosecutor, is in thrall to the Great Satan. Why? Why would Swedish jurists do bad things solely for the benefit of the repressive end of the US government? Why would the US, even accepting arguendo that they want to get their hands on Assange, do so via a route which requires the sign-off of the UK and the Swedish governments, when they can just do it via the UK? And what do the US (represented by Barack Obama who, until recently, was like Sweden a darling of the progressives) want with him any way? At worst he's guilty of the same acts as Daniel Elsberg wasn't prosecuted for, and a prosecution based on publishing leaked documents would fail on straightforward constitutional grounds. Even if the entire US legal system from the supreme court down was in on the same conspiracy that encompasses the entire Swedish legal system and, for all I know, the entire UK legal system, why wouldn't they also prosecute the New York Times --- which has a US mailing address and is staffed by US citizens, publishing in the US --- as well? Then we come to the contentious matter of rape. There are two coherent positions, neither of which Tony Benn or George Galloway have managed to reach:

1. Assange is being fitted up, so whether the crime is parking offences or being the unindicted third Moors Murderer, it's irrelevant, as he didn't do it. The alleged victims are stooges of the US. As to why Swedish women would shred their reputations in order to fit up an Australian who's wanted by the US, who knows? But in any event, it renders discussion of the nature of the crime irrelevant: whether he's being charged with , he didn't do it anyway.

2. Assange is a hero of our times, and even if he is the unindicted third Moors Murderer, it doesn't matter, as he's a hero. We might call this the "Roman Polanski" defence. Again, this renders the nature of the exact crime he's charged with moot: whatever it is, no matter how serious, his status as a hero of our times means that the crime doesn't justify arrest or punishment.

The remaining positions are completely incoherent, as they revolve around the precise crime being alleged. He's being accused of a serious crime in the eyes of the UK supreme court (yeah, I know, they're in on the conspiracy too). If you think it's a stitch up, then it doesn't matter what the crime is. If you think he's a hero, it doesn't matter what the crime is. The only reason you would be worried about the precise nature of the crime is if you accept that he might have done it, or something similar, and that for some of those possible crimes, his hero status isn't enough. In which case, isn't a court the place to decide that? Is the contention, seriously, that the Swedish legal system, for some long a byword for decency and transparency, can't be trusted to do that?

We're in the territory of the 9/11 troofers who, after an evening of laser holograms and pre-rigged explosives and invisible cruise missiles and secret airfields, leave you thinking "wouldn't it be easier just to hi-jack a couple of planes and crash them into a tall building?" Sweden's a liberal democracy which is bound by the ECHR so can't extradite without due process and assurances that neither the death penalty nor torture will be used. So's the UK. If the CIA under Obama is going to breach all known legal standards, they would just have executed Assange in the street, or fitted him up for a violent child rape/murder which would render this whole debate moot. The whole reason it's cluttering up the courts is because Assange is being given due process. In the meantime, rather than accept that Sweden is a decent country, Tariq Ali is bigging up the human rights records of Venezuela, Galloway and Benn are making schoolboy jokes about women who want it really (Galloway's formulation would mean that no marital rape case could ever be brought again; Benn wants to bring back the "she was just a slut who probably wanted it anyway" school of rape cases) and in the centre of it, Craig Murray is slut-shaming alleged rape-victims as though he were working for the Sun in 1973. Why is Assange such a tar baby that he makes people forget their decency?

BBC News - University applications from the UK fall 8.9%

http://www.bbc.co.uk/news/education-18768857

Aargh. Why can't people read data and think about the implications.

> The biggest fall for the 2012 intake is among the over-18 age group - for example, applications from 19 year olds and those aged between 25 and 29 are down by 12%.

Yes, because everything who thought "I might apply for 2012 admission" applied for 2011 admission to save money, and therefore the volume was pulled forward. People who might have taken a year out to retake for a "better" university went now rather than later. Etc. You need to subtract out of the figures for this year the unexpected rise in last year's figures. In other news, fewer people buy things in the week following the Christmas sales than during the sales, and people sometimes buy whatever they can get in the sales rather than waiting for new stock later.

> Among the 18 year old school leavers, the fall has been less marked, approaching 3%.

Look at the population figures. The TFR is downhill all the way from until current six year olds. The TFR is falling most dramatically amongst affluent, indigenous women (ie, the parents of the "wealthiest 20% of students") and not amongst poorer, immigrant and less advantaged groups where if anything it's rising. So if the wealthiest group were applying at exactly the same rate, there would be fewer of them.

> The biggest reduction in England was among the wealthiest 20% of students - although whether this means they are not going to university, or studying outside the UK, is not certain.

If you study abroad, you need to get funding up-front. Even if you go abroad to somewhere which doesn't charge fees or charges much lower fees, you need to fund the accommodation and travel. By definition, you can't live at home, which is more prevalent (for financial and other reasons) amongst less advantages applicants. Rates of applying overseas are increasing. It's fairly obvious what the outcome will be. If you were going to fund your kids to the tune to fifty grand (fees plus accommodation) and you have the fifty grand available (or you have 17 grand per year available, at least) then you may as well shop around for value. So although only small numbers apply abroad, there'll be more of them than amongst working class applicants. And therefore a drop in the number of affluent applicants anyway (vide supra).

ian

Why TV Shakespeare is crap

I didn't manage more than a couple of scenes of last night's Richard II on BBC2, and it left me thinking why I don't enjoy Shakespeare on the TV. A day of reflection, and I think I know. I was looking forward to the production. I've seen a couple of fine Richard IIs lately which had given me a taste for the play (Jon Slinger at Stratford, Eddie Redmayne at the Donmar) and Rupert Goold is never less than interesting. The warning sign was that I've recently watched TV adaptations of productions I saw and loved (the Doran/Tennant Hamlet, the Goold/Stewart Macbeth) and been unmoved; perhaps I was unrealistically hoping to recapture the experience of being in a theatre. But at least I watched those through to the end; on Saturday I was bored stiff after a couple of scenes and gave up.

It's perhaps significant that although I watch films in cinemas, I rarely watch films on TV. So it may be that my problem is with small screens in my front room, irrespective of content. I've watched a few series to completion (West Wing, The Wire, Spirals) but I've given up on several widely praised efforts (The Killing, The Bridge) or not even got past the trailers (Mad Men --- does anyone watch this other than Guardian columnists?) But what was it that I objected to about Shakespeare on screen in general, and this Richard II in specific?

I think the main problem is the focus on faces, rather than the text. Richard II is entirely in verse, often rhyming couplets. Each speech comes as a coherent whole, often with the last four or six lines as couplets to provide a structure and show that the end is approaching. On Saturday, the director didn't trust the text, so cut to reaction shots of other people, or close-ups of the speaker, or crowd shots: anything to avoid the viewer having to listen and engage. With incidental music dubbed over as well, it was as though the text was incidental to a Masterpiece theatre piece with ActOrs declaiming in large English Heritage properties, with the audience expected just to admire the vowels.

In a theatre, you are not forced to look in any particular direction, but in general you will be looking at the person who is speaking. The director will block the play so that if you are expected to see the reaction of another person on stage, they will be within your field of vision while looking at the speaker (those with a distaste for thrust stages might disagree). Each speech starts, proceeds and finishes, driven by the line of the text. A television production controls your gaze: you cannot look anywhere other than where the director thinks you should, and therefore your pattern of attention is constructed. The individual shots and edits form punctuation, overlaying the text and providing a different rhythm, fighting with the speech. No matter how good the speaking is, each time the shot changes it will introduce an additional, unintended emphasis.

Some productions avoid this. The BBC series of the late 1970s and early 1980s was shot in studios with multiple cameras, rather than on location with a single camera. Complete scenes were shot in their entirety, with such camera moves as were required being done on-line, rather than in post-production, a limitation which means that most speeches fit into a single shot. The same goes, largely, for the excellent documents that the RSC shot of their most successful productions in the 70s and 80s (the Nunn/McKellen/Dench Macbeth, for example) --- they aren't quite a camera set up in the stalls and locked off for two hours, but they are not far from it. But it seems that as soon as a production is shot in a film style with a single camera, the director has coverage of each scene from several angles, and finds it hard to avoid cutting between shots (and, of course, takes).

This problem doesn't arise with films that aren't line-by-line adaptations of plays, because the shooting script evolves organically: the dialogue won't be as dense as it is in a play, and the natural grammar of film is the shot in any event. Of course the progress of a film is punctuated with edits, and when they aren't present for a while (Touch of Evil, The Player) or for the whole film (Russian Ark, Timecode) their absence is deliberate and intended to be noticed, just as startling linguistic and typographic effects are in modern novels. The problem for filming a play is that the text isn't intended to have extra punctuation added.

ian

Country Matters

"But seriously I do understand the issue with the Times. Let's discuss over country supper soon. On the party it was because I had asked a number of NI [News International] people to Manchester post endorsement and they were disappointed not to see you. But as always Sam was wonderful (and I thought it was OE's [Old Etonians] were charm personfied!) I am so rooting for you tomorrow not just as a proud friend but because professionally we're definitely in this together! Speech of your life? Yes he Cam"

No-one's going to suggest that Cameron and Brooks were having an affair, mostly because there's not the slightest evidence or suggestion of any impropriety on anyone's part.  But you can't help thinking La Brooks had the idea in mind.  Her text message is excruciating, and conjures up coquettish hair twirling, high colour in her cheeks and a special bottle of perfume for the occasion.

But for all Jonathan Freedland's excellent exegesis [1], he appears to miss the obvious reference.  I'm not sure Brooks is widely enough read to have done it deliberately, but it's hard to imagine Cameron not thinking of:

HAMLET: Lady, shall I lie in your lap?
OPHELIA: No, my lord.
H: I mean, my head upon your lap?
O: Ay, my lord.
H: Do you think I meant country matters?

(III.2, ll 112--116).

Rebecca Wade as a pre-Raphaelite Ophelia, her innocent heart broken by the man she loves, which leads her to self-destruction?  Well, she looks like the Millais painting, doesn't she?  I just can't quite see David Cameron handling Act V terribly well...

ian