There may be a few problems with my weblog for the next few hours, because I’m upgrading to a newer release of MovableType (for one thing because I’m thoroughly fed-up with comment spam…).

…is that email (even in plaintext) is in any way less secure than a telephone, a letter or a fax.

People who take this viewpoint usually haven’t actually considered the security of the other media in any way. First, let us consider telephone calls and faxes; in the U.K., there are still an awful lot of exposed telephone cables… and even if they are only exposed at the edge of your property, it only takes a few minutes to splice some wires onto your cable, at which point all of your supposedly more secure telephone calls and faxes are easily intercepted. Unless you routinely encrypt them, that is. Mobile phones are a bit safer, because they encrypt your call over the air interface. Unfortunately, the encryption isn’t really strong enough, and in any event, chances are that you’re calling a vulnerable landline—and remember, you only need to tap one end of the call to hear the entire thing.

And as for letters… well, I recently had a debit card go missing in the post, so don’t talk to me about letters! Plus there was a very good television programme recently demonstrating just how easy it currently is to get a job in the Royal Mail sorting departments and how easily that position can be abused.

The difference is that in order to intercept an e-mail, you have to be clever (or you have to have clever people helping you). At the very least, you have to persuade the Internet e-mail system to route it to you rather than to its intended recipient; now, there are a number of techniques you could use to do this (which I’m not going to go into here), but none of them are especially easy for a layman (unless you can find a program written by some irresponsible but clever individual that already does what you need). Unlike tapping a telephone line, which can be done by anybody with an easily purchased engineer’s telephone, a sharp knife and some wire and croc-clips.

On top of that, with S/MIME support in several major e-mail packages—including the very nice implementation in Mac OS X’s Mail.app—it is almost trivially easy to encrypt an e-mail message. Contrast that with telephony, where you need special equipment at both ends, or letters, which would have to be tediously encrypted and decrypted at either end.

Of course, you could point-out that e-mail could be intercepted by tapping the telephone line as well, and you’d be right. It can. But it isn’t really any less secure than a telephone conversation over the same piece of wire, and it’s often more difficult to find the bit of wire associated with an Internet link than it is to locate the cable associated with a given phone number; in the latter case, .

Wired News have posted an article about the closed vs. open source debate, in which they say that James Gosling, widely acknowledged as the creator of Java, slammed Apple at Sun’s JavaOne Conference this Thursday.

As an example of problems he said he believes are caused by closed-source development, Gosling slammed Apple, saying that the company doesn’t provide enough information about its programming bugs and security flaws.

“You don’t know what’s going on in that code,” said Gosling about Apple.

Now this is pretty cheeky. Apple have actually released most of the components of their operating system under some type of open source license, omitting mainly the GUI parts—which are less likely to contain security flaws. When you consider this, it becomes clear that James Gosling was actually engaging in a point-scoring exercise with his audience, by capitalising on recent criticisms of Apple in some sections of the computer press. Generally speaking, I have to say that I think that criticism has been unfair and is really a result of the existence of a large body of vociferous Windows devotees who for some reason feel the need to devote a large amount of time to finding ways to claim that Windows is in some way better than a Mac (thereby missing completely the point that Windows is a piece of software, whereas the Mac is a computer, and a very nicely designed one at that).

Some of the points that have been made are clearly valid, but I don’t agree that immediately informing the world of every security hole is always the best way to approach a problem. In the PC world, every time a new hole is reported by CERT or BugTraq, a spate of new viruses are created that exploit the flaw. Even if you wait until a patch is available before detailing the vulnerability, the chances are that many users won’t have applied it.

I don’t agree with total secrecy either, of course. But I bet that Apple keeping things close to their chest is one of the factors behind the current lack of Mac malware.

My company’s website is now active and (I hope) ready to accept payments. I can also reveal what I was working on (and being so secretive about); the company’s first product is a piece of software called iPartition, which is an advanced partition management tool for Mac OS X. Not only is iPartition capable of resizing HFS+ (Mac OS Extended) partitions without reformatting them, but it also takes care of any rearrangement of other partitions on the disk that may be necessary as a result. It also lets you queue-up several operations so that you can go away and let iPartition get on with it while you have a cup of tea (or coffee). It’s a fully native Cocoa application, enhanced for Panther (it looks prettier), and very easy to use.

If, by chance, you need a disk partitioning tool (for example, you’re dying to have a go with your new Tiger Developer Preview), you might want to consider it.

Here’s a screenshot:

BTW, it’s only available for electronic download at the moment; hopefully at some point we’ll be able to ship CDs as well, but for now, if you want to use it to repartition your boot disk, you’ll need another Mac (so you can use yours in FireWire target mode), or another disk you can boot off. An easy way to make a bootable Mac OS X CD, if you don’t already have something suitable, is Charles Srstka’s excellent BootCD.

(Oh, by the way, I know that IE on Windows doesn’t render the company’s site properly; it’s IE’s box model bug and its lack of support for transparent PNGs that are the problem, well, that and some slightly incompatible Javascript. I’ll get round to fixing it soon, although the site is still usable.)

Well now I feel violated. For various reasons, I had an old Lloyds TSB bank account that I hadn’t closed; well, mostly because I was told that I had to go to my branch to do it (and the branch in question is a long way out of my way) and because it still had a couple of direct debits associated with it, one of which was directed to a recipient who refused to acknowledge the validity of the sort code for my new bank account. Anyway, it’s been floating around for four years now, and because it only held £50, I decided that I couldn’t really be bothered to close it.

Now, I wish I had. Apparently, in May, Lloyds TSB sent me a new debit card/cashpoint card. Only it didn’t actually get to me. No, some light-fingered #!*$ in the Post Office must have pinched it, because today I got a letter from Lloyds TSB asking me to confirm a load of transactions, made with a card I don’t even have. Why did I get a letter, you ask, rather than a telephone call? Well, I moved house recently, and guess who I forgot to tell? That’s right, Lloyds TSB, who hold a bank account that I don’t really care about. Fortunately, my mail is redirected, so I get letters from them.

What really irritates me about this is that card issuers have known for ages that cards go missing in the postal system, and some of them—American Express for example—have solved the problem by sending the cards inactive and requiring their customers to phone up and activate them. Not so, Lloyds TSB. No, they send active cards through the post. Last time I received one from them, I don’t even think they used recorded or special delivery, although that, of course, was a couple of years ago now.

The banks, of course, will probably tell you that “Chip & PIN” will stamp this problem out once and for all, but, looking at the short list of transactions that Lloyds sent me, I would guess that they were made by criminals overseas, because of the bizarre retailer names. And I doubt very much that every country on the planet is going to simultaneously transition to “Chip & PIN” overnight.

Lloyds TSB, for their part, have said that they will refund the money. Well, once I’ve signed a declaration to say that it wasn’t me that spent it, anyway.

Lawrence Lessig, Professor of Law at Stanford Law School and writer for Wired Magazine wrote yesterday about the potential impact of the EU ruling against Microsoft, saying that Microsoft needed to “solve its antitrust problems” and implying that the EU’s action had in some way hampered competition.

Even more surprisingly, Prof. Lessig seems to be under the impression that there is a reason for the popularity of Windows Media other than Microsoft’s dominance of the operating system market, citing the availability of Media Player on other platforms including Mac OS X and Solaris. This, it seems to me, is a rather naïve perspective on the situation; as far as I can see, Windows Media is a popular format for content producers because 90% of content consumers already have Media Player installed on their systems—and why is that the case? Well, because they’re running Windows. Yes, Media Player may be available on Mac OS X, Solaris and other platforms, but, oddly enough, sites targetting primarily Mac users tend to pick QuickTime rather than Media Player, and sites targetting UNIX users generally plump for MPEG or Real Media.

The EU ruling is, of course, far too late, and the fine is far too small. In any event, Microsoft will appeal it and attempt to defer paying any fine until the last possible moment—it doesn’t matter to them that this is a dishonorable course of action, because Microsoft, like many large corporations, are more interested in the bottom line than in doing the right thing. They know that they are guilty, that they are attempting to dominate a variety of markets by integrating the required software into Windows or by bundling it with Windows, leveraging the popularity of Windows and the naïvité of their users to ensure that competing products’ markets are destroyed. But they don’t care.

If there were one question that I could ask Bill Gates, it would be “How much money is enough?” I wonder whether Bill and his company have ever stopped to consider the answer to that one.

Like all citizens of the United States and United Kingdom, I have been appalled by the tales of our troops abusing Iraqi prisoners, and I trust that our leaders, both political and military, will take any necessary action to prevent recurrence of these problems.

However, what makes me even more angry is the fact that the media seem intent on publishing photographs of this abuse, regardless of the cost that doing so may have in the lives of British and American troops, not to mention the lives of innocent Iraqi civilians that are likely to get caught-up in the middle of any unrest that this causes. Publishing such photographs is unnecessary, grotesque, and sometimes verging on indecent, as well as being unhelpful to the fight for a free and democratic Iraq. It is also, I imagine, doubly humiliating for those Iraqis depicted, which makes it hard for anyone involved in such publication to legitimately claim the moral high ground.

Media companies that do find such material in their hands should hand it over to the appropriate authorities, rather than engaging in what could easily be described as profiteering from the abuse of Iraqi prisoners. I have no problem with the press reporting the issue—as long as such reporting isn’t intentionally inflamatory—but to my mind the publication of photographs is a step too far.

Update

The photographs apparently showing British soldiers abusing Iraqi prisoners were faked. This doesn’t come as a great surprise to me, as they arrived shortly after the revelations about U.S. forces in Iraq, and frankly if I wanted to disrupt relations with British troops in Iraq, publishing faked photos of them abusing Iraqis would seem a very good way to go about it.

Also, Piers Morgan, the tabloid editor responsible for the photographs supposedly showing British soldiers abusing Iraqi prisoners, has been sacked. Sadly, he was sacked because the photos were a hoax, whereas I think he should have been sacked merely for publishing them… still, we can’t complain too much.

It astonishes me that in all the coverage of the Sasser worm, nobody has pointed-out that corporate and government installations simply shouldn’t be suffering from Sasser, because they should be properly firewalled. Sasser spreads via three port numbers, the usual Netbios port (139) and two other ports (9996 and 445). It should, therefore, have been stopped by corporate or governmental firewalls, as there is no good reason to allow connections from the Internet to those port numbers.

What I would really like to know is why the people responsible for this fiasco still have jobs? Goldman Sachs, the European Commission and the UK Maritime and Coastguard Agency should have called for the immediate resignation of IT staff for gross incompetence of this nature. I’m certain that they’d ask security staff to resign if they were robbed because the building was unlocked and unprotected, so why should IT staff be able to get away with the IT equivalent?

Someone called Brian just posted a very interesting comment on my blog; specifically, he asked

I would never create a software and then give it away for free. What is the point? How am I going to get a reward for the work? If a dentist filled teeth for free he would die of starvation, wouldn’t he?

The reason that I say this is interesting is that people have very different views on the subject. I’m currently working on some commercial software of my own (well, actually, I’m in the run-up to selling it… it’ll be on the market this month), but in the past I’ve worked on both freeware and Free/Open Source Software, so I thought I’d explain my motivations for doing so.

Freeware that I’ve released in the past includes:

• A Yahtzee-like game for the Atari ST, implemented as a desk accessory.

• WinPager, which was a desktop switcher for Microsoft Windows.

• qccdasm, which disassembles compiled Quake C code so you can see how it works.

Interestingly, I managed to lose all the sources for the above. Still, I don’t use those platforms at the moment so it doesn’t bother me too much.

So why did I write those programs? Well, mostly because I wanted them. I know, it’s hard to imagine someone needing a Yahtzee game, but at the time I thought it’d be nice. And why didn’t I sell them? Three reasons, really:

1. I didn’t think they were worth anything. Or rather, I didn’t feel that the amount that they were worth justified the hassle of selling them.

2. I didn’t want to have to provide the level of support that people are reasonably entitled expect from commercial software (even shareware).

3. I didn’t feel that I was likely to continue developing them in the long term. This is related to the support issue, in many ways.

So, that’s freeware.

How about F/OSS? I’ve worked on two F/OSS packages and submitted patches for a third, specifically:

• I did a lot of work on GCC to make it work as a native Win32 compiler, including better __attribute__ support in C++, anonymous structs (and anonymous unions in C), and MSVC-compatible #pragma pack() support. I even had some scripts at one point that could patch the Platform SDK so that it worked with GCC (well, to some extent, anyway). Of course, others have taken the work that I did and improved upon it, fixing mistakes that I’d made or modifying the code to be acceptable to the maintainers.

• I’ve also submitted patches for GCC for a few other features, like being able to specify the instruction sequence to use for a function call (this is useful on PalmOS and Atari platforms, where system calls use trap instructions rather than plain branches).

• I rewrote large chunks of the XEmacs clipboard code so that it could support multi-format clipboards (like on Windows and the Mac).

• I also wrote an RTF package for XEmacs, that allows you to export RTF from a formatted buffer, preserving all of the fonts, colours etcetera. This plugs-in to the enhanced clipboard support and means that, on Windows, you can copy syntax-highlit code to the clipboard… which is a boon for people who write design documents as it makes them a lot easier to read for very little extra effort.

• I wrote code to implement rlog and list commands for CVS (where rlog means remote log, rather than a synonym for log). I don’t think the code that implements the rlog command in newer versions of CVS is actually mine, although I don’t know.

Looking at the above, you’ll probably see that I tended to contribute to F/OSS whenever I needed it to do something that it didn’t already do. Perhaps that makes me mercenary? Or maybe just pragmatic?

I’ve worked on commercial software too, for my previous employer, Telsis Limited, who make telecoms switchgear, SMS handling kit and those kinds of things. And I’m currently working on my own commercial software. Actually I’ve pretty much finished working on it and I’m onto the more commercial side of things now.

Doubtless RMS and ERS would argue that there’s no future in commercial software; I don’t really agree. I, like many others, think that there’s probably no future in fully commercial operating systems, at least not unless Microsoft successfully manages to obtain legal protection for its monopoly, through whatever means (software patents appear to be the current favorite). I’m a little dubious that F/OSS will eventually subsume all other software development methods however. For one thing, people like me have to earn a living, which isn’t realistically going to happen if we can only sell support.

For another, there’s no clear motivation, particularly for those fortunate enough to possess some level of talent at graphic design or UI design as well as (or instead of) coding. Put another way, graphic designers and UI designers can’t sell support. There’s no incentive for them to work on F/OSS; UI design is hard, takes a lot longer than many people think (well, it does if you do it properly), and only takes a moment to destroy.

I actually think this is the key area were F/OSS falls down. It’s very good in areas that academics, computer scientists and programmers are interested in. Where it isn’t so great is on the desktop; most of the GUIs that I’ve seen from the Linux community in recent times have been poor copies of Microsoft’s user interfaces, partly, it seems, by design. Microsoft themselves were never tremendously good at UIs, although they are a damned sight better than a lot of the professional programmers working on their platform.

I’m actually intrigued as to the reason that the Linux community, which is usually very anti-Microsoft, has decided in both of the major desktop projects (Gnome and KDE) to produce what is essentially a clone of the Windows UI. I wonder whether it’s because the only UI experience that has been shared by many of the developers is that of Windows (or Motif/CDE, which, somewhat horrifically, was based on Windows 3.1). However it came about, I think it shows a lack of vision as regards UI design, and I don’t think it helps the chances of Linux as a desktop operating system.

Anyway, John Gruber’s excellent Daring Fireball articles say it all… take a look at Ronco Spray-on Usability and the corrections and clarifications.

Today we got a new water softener, which you would have thought would have been a fairly simple piece of plumbing, especially given that we already had a very similar water softener in place (albeit a broken one).

Predictably though, it became more complicated than it should have… the controller on the water softener doesn’t have have the thread for the appliance connectors—instead, you are supposed to screw-in a ¾” joiner, which is all well and good, apart from the fact that it seemed to be impossible to get it to seal properly, even with PTFE tape. Eventually, after several extremely frustrating hours of repeatedly attempting to get a decent seal with just PTFE tape, I got fed-up and added a couple of rubber O-rings, which have sealed the system nicely.

Anyway, all in all, a very frustrating day spent plumbing rather than doing what I wanted to be doing, and just to cap it all, the people who were going to buy our house have pulled-out at the last minute, leaving us £500 out of pocket because we’d just put a deposit down on a new house.