In Commentary on
5 March 2012 tagged human rights with 11 comments
Today Attorney General Eric Holder gave a speech in which he explained why the US government asserts that it has the right to assassinate suspected terrorists overseas, even if they are US citizens. I urge you to read the recap of the speech.
How does Holder justify the government’s logic? This way:
This is an indicator of our times, not a departure from our laws and our values.
My fundamental problem with the Bush administration was that it chose to put aside the rule of law in pursuing the so-called “war on terror.” My greatest disappointment in the Obama administration has been seeing it continue and even expand some of the worst practices of the Bush administration. As others have pointed out, the decision to do so has cemented these practices as national policy.
I commend the Attorney General for coming out and offering a justification for this decision, even if I disagree with it completely. I’ll be voting for Barack Obama this fall, and I imagine that a lot of readers of this blog will be as well, but it will be in spite of his policies in the war on terror, not because of them.
In Commentary on
4 March 2012 tagged film with 1 comment
This morning I read that Ralph McQuarrie has died. Oddly enough, I didn’t even know his name until today, but I certainly knew his work. He was the conceptual designer behind the original Star Wars trilogy, among many other works, and he created the visual world that completely enraptured my childhood mind. It’s strange to think that I didn’t know who deserved credit for that until his passing.
There’s a slide show of his concept art for Star Wars at the official site. It’s amazing how faithful the films are to his renderings.
There’s also an extensive gallery of his work at his official site.
In Commentary on
29 February 2012 tagged DNS, law enforcement with no comments
EasyDNS has a chilling post on VeriSign taking down a Canadian Web site in order to service a warrant from the state of Maryland:
We all know that with some US-based Registrars (cough Godaddy cough), all it takes is a badge out of a box of crackerjacks and you have the authority to fax in a takedown request which has a good shot at being honoured. We also know that some non-US registrars, it takes a lot more “due process-iness” to get a domain taken down.
But now, none of that matters, because in this case the State of Maryland simply issued a warrant to .com operator Verisign, (who is headquartered in California) who then duly updated the rootzone for .com with two new NS records for bodog.com which now redirect the domain to the takedown page.
The implications are chilling. So now if you use a TLD that is under the control of a US company, your Web site is in US jurisdiction.
In Commentary on
28 February 2012 tagged software development with no comments
In an email explaining how he optimized GNU Grep for speed, Mike Haertel discloses the secret of high performance software:
The key to making programs fast is to make them do practically nothing.
In Commentary on
24 February 2012 tagged PHP with 8 comments
I’m writing a very simple deployment script that logs into a remote server and uses Git to pull the latest code from the remote repository. The deployment application runs on Server A, and it will update code on Server B and Server C.
The deployment application is written in PHP, and it’s easy enough to call the ssh command using PHP’s shell_exec() function. Well, calling SSH is easy, but making it work is a bit more difficult.
SSH really wants to run as a user who has a .ssh directory in their home directory. First, it needs to find the private key in order to authenticate against the remote server. You can get around that using the -i flag and pointing at a specific key file. You also need to indicate to SSH that you don’t care about the host key (which prevents you from being victimized by man-in-the-middle attacks) or to point it to your known_hosts file. You can specify a custom location for that using the -o option, like this:
-o UserKnownHostsFile=keys/known_hosts
Even after that, though, SSH still insists on using a .ssh directory for the user running the command, in this case, the Apache user. Creating such a folder doesn’t seem like it should be necessary, but I haven’t been able to figure out how to avoid it.
If I can’t get this to work, I could try using the SSH2 library for PHP, but I’d prefer not to, since I don’t want to deal with the added dependency.
I’ve posted this question on Stack Overflow as well.
In Commentary on
21 February 2012 with 3 comments
Don’t miss Dylan Matthews’ piece on Modern Monetary Theory, which argues that deficit spending is essential to economic growth. Here’s the crux of the philosophy:
This claim, that money is a “creature of the state,” is central to the theory. In a “fiat money” system like the one in place in the United States, all money is ultimately created by the government, which prints it and puts it into circulation. Consequently, the thinking goes, the government can never run out of money. It can always make more.
This doesn’t mean that taxes are unnecessary. Taxes, in fact, are key to making the whole system work. The need to pay taxes compels people to use the currency printed by the government. Taxes are also sometimes necessary to prevent the economy from overheating. If consumer demand outpaces the supply of available goods, prices will jump, resulting in inflation (where prices rise even as buying power falls). In this case, taxes can tamp down spending and keep prices low.
But if the theory is correct, there is no reason the amount of money the government takes in needs to match up with the amount it spends. Indeed, its followers call for massive tax cuts and deficit spending during recessions.
Fighting our recession with austerity measures is failing horribly and yet favoring austerity is widely perceived as the serious-minded approach to our current economic woes. Modern Monetary Theory provides a framework for thinking about fiscal policy in a different way and shifts the Overton window away from austerity.
In Commentary on
20 February 2012 tagged copyright with 2 comments
Last month, I wrote a post arguing that people illegally download content because it’s convenient, not just because it’s free. Along comes The Oatmeal to make the point in cartoon form. We should all cast a dubious eye on businesses that want to generate scarcity where it doesn’t really exist.
In Commentary on
17 February 2012 tagged Apple, OS X, security with no comments
Panic Software has a long post explaining code signing and Apple’s new Gatekeeper feature in OS X Mountain Lion. Gatekeeper provides a way for developers to digitally sign their applications, verifying their origin, and for those signatures to be revoked so that the applications cannot run any longer if they are shown to be compromised by malware. Users can decide for themselves whether they want to let their Mac run any application or only applications which have been signed. (Or only applications from the App Store, although I think you’d have to be crazy to do that.) What I find particularly interesting about this is that Apple had decided last year to implement much more draconian rules that would essentially force developers into the App Store by making that the only way that developers could distribute signed applications. Wil Shipley beseeched Apple to take another course and allow developers to sign apps themselves. Here’s the recommendation he made last November:
My suggestion is for Apple to provide certificates directly to developers and allow the developers to sign their own code. And, by doing this, Apple can then reasonably say, “Ok, now we’re going to, by default, not allow the user to run any code whose certificate wasn’t issued by us and signed by a real third-party developer (except the stuff the user checks in the control panel).”
Apple then has the power, if any app is found to be malware, to shut it down remotely, immediately. This is a power Apple doesn’t have now over malware, and that won’t come from more sandboxing or more code audits. I have shown the only way to achieve it is to require developers to sign their code with a certificate from Apple.
At the time, I read the post, linked to it, and thought that it made too much sense for Apple to do it. I was pleasantly surprised to see Apple take that advice.
Update: Nelson Minar reminds us that features like Gatekeeper require users to put a lot of trust in the gatekeeper. I think one reason people are happy about Gatekeeper is that it’s such a retreat from Apple’s previous untenable position.
Daniel Jalkut’s post on Gatekeeper is also worth reading. Gatekeeper is important because it’s a step back from Apple’s previous decision to essentially force developers to distribute their apps via the App Store. That was problematic because App Store apps will be required to operate within a very limited Sandbox. Daniel Jalkut argues that the next step for Apple should take is to greatly increase the rights granted to apps in the Sandbox. Even though Apple has climbed back from its stance that would force developers into the App Store (and Sandbox), it is still making some new features of the OS available only to apps that are distributed through the App Store, so it’s important that the Sandbox be flexible enough to satisfy as many independent developers as possible.
In Commentary on
16 February 2012 with 6 comments
Matthew Yglesias on how societies stock up for the future:
A lot of the stuff we make has a pretty short shelf-life. Computer software gets obsolete super fast. Clothing wears out. Food spoils (even Twinkies). Durable goods like cars last longer. Airplanes last even longer. But the real durability is in structures. Houses, office buildings, bridges, tunnels, factories, train tracks. As a society, we save for the future by channeling resources—steel, elecricity, human labor power—into the production of things that last a long time rather than things that are more perishable.
This is a point the federal government does not seem to really understand.
I would take issue with his point about software, though. Yes, most software does not last very long, but as we build software, we also build a corpus of knowledge about how to build software more efficiently, and to create more powerful computers to run that software. I would argue that the software industry has created massive social value over the course of its existence.
In Commentary on
15 February 2012 tagged iPhone, privacy with 1 comment
The big online privacy scandal of the past couple of weeks has been the discovery that the social networking app Path uploads your entire iPhone address book to its servers without asking for your permission. People were not only surprised that Path does this, but also that Apple lets them do it. Shortly after this was discovered, we learned that lots of other companies upload your address book as well. The Verge has a rundown of which applications access your address book and whether they ask for permission first.
The discussion I’m interested in is what access applications should have to your address book. One possibility would be for Apple to put the same warning on address book access that they put on use of location services, but as Chris Dixon points out, the more often you ask users for permission, the less attention they pay. I don’t like that solution.
Another option is to simply block access to the address book for apps entirely. I would not be opposed to this approach. Yes, social networking apps desperately want to hook you in by making sure you’re connected to your friends, and they want you to invite your friends to the service to grow their user base. What value do users get out of it, though? Automatically connecting to your friends is a small benefit, and in many cases there are other ways to determine who you’re friends with without pillaging your address book. Apple should strongly consider just blocking address book access entirely.
Short of that, the policy solution is to allow access only to applications once a user has acted to grant access for that application without being prompted directly. So, for example, applications that ask users to upload everything in their address book as soon as they sign up would not be allowed, but applications that have a “Search for contacts in my address book” button would be allowed. Whether Apple could enforce that policy is another matter. As a matter of policy, though, applications should not try to access your address book unless you try to use a feature that requires it.
Update: And I managed to get this post in right before Apple announced a policy change that will require explicit permission before an application can access the address book.