Nor does the fact that these cracked versions could do serious damage dissuade people from downloading them, apparently. We can see from our daily sales figures a drop of nearly 30% since the illegal copies first appeared. Yes, that’s right, 30%.

The worst thing though, worse even than losing 30% of our business to these jerkoffs, is that because the crack was done by an incompetent, the programs could terminate at any time while they’re working on the users’ disks, leaving them with potentially serious filesystem damage. Filesystem damage for which we will be blamed, though it’s not our fault in the slightest.

Sure, iPhone developers have to pay a one-off fee to Apple, and Apple does reserve the right to reject applications if they don’t meet the requirements stipulated in the SDK license agreement. And sure, iPhone does support DRM, something the FSF has been campaigning against for some time, but something the FSF is ill qualified to talk about as it does not, in fact, have any problems of its own with software, music or movie piracy.

I think the most objectionable parts are where the article says things like

iPhone exposes your whereabouts and provides ways for others to track you without your knowledge.

which is nothing less than blatant and unjustifiable scaremongering. Yes, the iPhone 3G has GPS. But in order for an application to use it, the user must agree to a message displayed by the phone. That is, the user is explicitly asked whether to allow an application access to their location.

There is also a claim that

[Fairplay] prevents you from installing free software -- software whose authors want you to freely share, copy and modify their work.

which is total bunk. If authors of Free Software choose to provide a build for the iPhone (and to do that, only a single developer need pay the license fee), they can submit their application to the App Store and Apple will distribute it for free and allow users to install it.

And sure, anyone who wants to modify the application will need a developer license, which they have to pay for. Why is this suddenly a bad thing? Wasn’t it FSF that made the point that Free Software was free as in speech and not necessarily as in beer? And isn’t it also the case that for many platforms those people who build their own versions of Free Software products require the use of commercial tools of some sort?

The go on to say that

Jobs would have us believe that all of these restrictions are necessary.

and he’s right. They are. Why? Because otherwise the iPhone would be full of viruses and other malware within a few months. The way Apple has chosen to do things does have some disadvantages, but it has the major advantage that it’s significantly harder to publish iPhone malware without getting caught than it is to publish malware for other mobile devices.

And as for the theory that Apple is

a single greedy, dishonest and secretive entity

well I think “johns”, whoever he is, needs to grow up. Apple is, of course, a business and is out to make money. That’s what businesses do. But they don’t do it solely for their own benefit; you and I hold shares in businesses, both directly and indirectly (through our bank accounts, our pensions, and a wide range of other investments). If they make a profit, we benefit. Likewise, if we don’t like how they behave, we can turn up at their AGM, or demand that those who represent our interests do so, and demand that they change their behaviour. This modern notion that big business is the Big Bad Wolf is borne out of ignorance, and it’s a great shame that the FSF seems intent on promoting this jaded and inaccurate view of the world.

It’s also a bit rich FUDding someone else and then accusing that other entity of being dishonest.

When I was a student, I used to think I agreed with some of the goals of the FSF. Maybe even most of them. In recent years though, they seem to have become more and more extreme and I now find myself wishing that they would either go back to their roots and forget about all these new things they’re complaining about, many of which have little or nothing to do with the original Free Software idea, or just pack it in and leave the rest of us the hell alone.

I certainly won’t be supporting them in future, and I have no intention of contributing to any of their projects (as I have occasionally in the past).

FSF, you’ve lost my support.

I don’t understand why anyone would be stupid enough to attempt this, actually. I mean, tampering with the code of a copy protected disk utility is a bit like tampering with a nuclear weapon. The person most likely to get hurt is you.

But hey, dumb-ass cheapskate software pirates, by all means destroy your data with pirated copies. Just don’t come crying to us when it happens… we didn’t give them to you and we didn’t tamper with them.

Shocking as this may be, it really highlights a serious problem with current methods of identifying people, both off and on-line.

Marko is understandably unhappy about this, and suggests that Apple should have checked that it was him “by comparing the information in their personal profile”. Yet most information about most of us, particularly prominent developers like Marko, is publicly available (for instance via WHOIS or via a variety of other means). I’m quite sure that, even if Apple had done those kinds of checks, they could be readily defeated by someone with the gall to try this kind of thing in the first place.

The fact is that we need an identity system that is not based on people’s personal details, or this kind of thing is going to happen all the time.

Seems only yesterday I left primary school…

But many of them still hide behind DMCA even when told that they are hosting a folder full of infringing material. They won’t act on their own account and don’t actually care that their Acceptable Use Policies already prohibit such material and would enable them to remove the files themselves.

How do I know this? Well today’s little irritation involved sending a notice to MediaFire about a folder full of files over which we hold copyright. I also, in the same e-mail, complained about the containing folder, which contains a lot of other peoples’ copyrighted work (though I noted that I had no legal standing to do so). What did I get in reply? Yes, that’s right folks, a demand that I format my request exactly as required by DMCA and a notice that MediaFire would ignore any request that wasn’t formatted that way. Furthermore they tell me that they will ignore any request relating to a folder, since they can’t be bothered to check all the files in a folder (just the ones you list).

Ethical? Like hell.

Our political leadersmasters won’t let us have a vote on membership of the European Union here in the U.K., because they know we’d vote “No”. In fact, they won’t even let us vote on the Lisbon TreatyE.U. Constitution because they know we’d vote “No” and scupper that too—in spite of promising a referendum on that very subject.

Fortunately it sounds like the Irish have scuppered it for us, but it frankly stinks that our government lies to us, fails to represent our views and then won’t let us have our say even when it promised.

Good for him I say.

The only reason the public thinks (at least according to the polls it does) that these kinds of illiberal measures are acceptable is that the government of our country has been conning us. The theoretical threat from Islamist terrorism and in particular Al Qaeda—and it remains primarily a theoretical threat, unlike for instance the IRA during the late 70s and 80s—has been used to justify large numbers of illiberal and frankly unpleasant measures which we are promised are “to combat terrorism” and which are then promptly misused to keep pensioners out of the Labour Party conference, to spy on people sending their children to school, to prevent law abiding people from attending legitimate peaceful protests and all kinds of other similar things which have nothing whatsoever to do with terrorism.

The steady creep of authoritarianism into the British state has continued unabated under this Labour government and the problem is that because our civil liberties have been chipped away one piece at a time it has been difficult for the public to notice the impact it is having.

David Davis, it seems, intends to bring all of this to the fore in his constituency and it will hopefully make his constituents—not to mention the rest of the population—realise that something is seriously amiss.

Chaos.

Not only were there large numbers of vehicles trying to fill up (more than normal, I would say), but a Budgens delivery driver (the local petrol station has a Budgens supermarket attached) was reversing a huge articulated lorry into the station and across the forecourt. In order to do that, he had to spend a considerable amount of time completely blocking the road.

Whether the large queues were caused by the amount of time the road was blocked, or whether this heralds the beginning of yet another round of stupid panic buying, I don’t know, but I did notice that Newgate Lane (along which I have to drive every day) was also clogged up until I got past the ASDA roundabout. ASDA, of course, has a petrol station…

So, the first thing to do is to make sure that you have a working Kerberos set-up. To check this, you can try

$ kinit some-user
Please enter the password for some-user@EXAMPLE.COM:

If it successfully authenticates when given the name of a user in your Open Directory set-up, you’re all set. You can, if you like, look at the Kerberos ticket you just gained by using the klist command, but if kinit worked then there’s probably no need. If, on the other hand, that kinit didn’t work, you need to re-configure Kerberos from scratch. This seems to be very hit and miss and often it’s easier to reconfigure Open Directory from scratch instead, but that’s a bit drastic and is only really practical for smaller set-ups because it tends to result in all the passwords getting reset.

If your Kerberos isn’t working, please don’t bother asking me about it. I have yet to find a reliable sequence of commands to completely re-initialise it on OS X Server. You might find AFP548.com useful if you’re in this sort of mess.

Next, make sure that your client machines are configured to authenticate using Kerberos. On OS X 10.5, that means editing /etc/authorization to change

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

to

<key>system.login.console</key>
<dict>
  <key>class</key>
  <string>evaluate-mechanisms</string>
  <key>comment</key>
  <string>Login mechanism based rule.  Not for general use, yet.</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:smartcard-sniffer,privileged</string>
    <string>loginwindow:login</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:krb5authnoverify,privileged</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:success</string>
    <string>loginwindow:done</string>
  </array>
</dict>

That isn’t the only way to go about this part, but you need to make sure that your users get a Kerberos ticket automatically somehow. If they don’t, they won’t be able to mount the static automount because the server won’t recognise them. See Article 107154: Enabling Kerberos authentication for Login Window on Apple’s site, but note that the part where it says that the information is not required as of OS X Server 10.3 is not, in fact, entirely true. Various universities set things up using Kerberos and some of their pages may also be helpful; I quite like Iowa State’s page, personally.

Next, set-up your shares using Server Admin, setting the Custom mount path setting as required. For instance, I set one up with the path /Network/Groups. On previous versions of Mac OS X, you could do this step from Workgroup Manager, which was useful because it meant you could manually edit the mount URL to remove the hard-coded “;AUTH=NO USER AUTHENT” setting. Unfortunately you can no longer do this as of 10.5, which means that you have to use dscl or the various LDAP utilities.

Even more unfortunate, when I tried to edit with dscl, I just got the error message

*** Uncaught Exception:  ([DSoDataNode initWithDir:value:] value is not a valid NSString nor NSData)

(and yes, I’m certain I used the right command). As a result, I ended up making myself a file like this (I called mine groups.ldif):

dn: cn=server.example.com:/Volumes/SomeVolume/Groups,cn=mounts,dc=server,dc=example,dc=com
replace: mountOption
mountOption: url==afp://server.example.com/Groups

and then I did

$ kinit diradmin
Please enter the password for diradmin@EXAMPLE.COM:
$ ldapmodify -f groups.ldif

The first line is just to authenticate as the directory administrator—you only need to do that once. If you need to examine your LDAP mount records first, you can do something like this:

$ ldapsearch -b "cn=mounts,dc=server,dc=example,dc=com"

which will list all of the mount records.

One other useful tidbit is that if you’re trying to test this from a client machine, you can do

$ sudo automount -v

from Terminal to refresh the automount set-up on the client.

It all sounds so simple written down, but this took me a good few hours and a lot of frustration. Hopefully I’ve saved someone else (or even just myself, in future) from repeating that experience.

I was trying (carefully, I might add… there was never any danger of a collision) to push into the lane he was in. I think when he noticed this happening at first, like a lot of people he decided to be bloody-minded and to not let me in. Which is both rude and awkward, but a lot of people do that kind of thing. Anyway, as a result, he ended up alongside me, with me slightly impinging on his lane and I think assumed then that I hadn’t seen him, which wasn’t true. All I wanted was either (a) for him to slow down and let me in (which, given that I was ahead of him at the time would have been sensible… when I started to move over, there was even a small gap), or (b) for him to speed up and go past. I got the result I wanted in the end, but not without him honking his horn at me and gesturing at his eyes.

I find these kinds of things, which happen to me rather rarely, somewhat upsetting. Not least because he will doubtless tell all his friends that some stupid car driver nearly knocked him off because he wasn’t looking, which is totally untrue—as I say, there was never any danger of that happening. It’s the kind of incident for which there isn’t really any blame to apportion, because nothing actually happened and nothing ever would have. It’s still frustrating though. Ah well…

I often disagree with Matt Asay’s views (which makes his blog fun to read, if only for the rush of righteous indignation I tend to feel after reading it). But to argue that Google Docs, Zoho et al. are going to replace desktop apps is just plain crazy.

Who wants all their documents stored on someone else’s server where they could be snooped on (or even sold) by wayward systems or database administrators and where Big Government is much more likely to come up with a justification as to why it should be allowed to poke its nose into them at will. No thanks, I think I’ll pass.

Even if a substantial proportion of the general public decided that hosted web apps were the way to go, I can’t see any sane CEO or MD agreeing to their company going down that route. And most of the money in the office suite market is in corporate sales, not least because of widespread piracy by home users.

The only way out of that problem is selling e.g. a Google Docs “appliance”. And once you start going down that route, I don’t really see many advantages over buying a conventional desktop office suite. Sure, with an appliance you get single-point upgrades (and single point of failure too, unlike a desktop suite). Except that (a) there are already tools to manage desktop applications across multiple machines, and (b) as your company grows, you start needing more and more of these appliances, which eventually need to be distributed between your offices so that users get an acceptable response time. Pretty soon you have all the same problems you had before, but now you have this special box that you can’t easily maintain yourself (even if it is commodity kit, fiddling with it is likely to void any warranty or maintenance contracts you may have).

No, sorry Matt, I just don’t buy it.

My two cents: desktop software is here to stay.

There are various reasons for this, but the most recent has been that I’ve been busy doing a re-design of the Coriolis Systems website. It’s still a way from where I’d like to be with it, but the new design is a lot better in many respects and what’s more it fixes a couple of long-standing bugs and problems with the old site, the most commonly complained about being that you can now specify your own password.

And, unlike so many websites out there, your password is stored safely on our server; even we can’t read it, and we won’t be told by our site about any incorrect passwords you may try (well, we’ll be told you’ve tried, but not what you tried). A lot of websites’ administrators have direct access to cleartext copies of your password (if you use the same password everywhere and this doesn’t scare you, it probably should).

It should be a lot easier for people to download our software now too… as long as you’re logged-in, all the download demo links change to download links for the full version.