Thursday, December 24, 2009

Sandisk Pulls a Sony Rootkit. News at 11.

My brother just bought a Sandisk flash drive, planning to put some sort of cute auto-run holiday greeting on it and give it as a white-elephant gift (the greeting would be a surprise to the recipient, but it would remove itself after first run so as not to be annoying). He stuck the drive into his computer and it installed some crazy junk onto his hard drive. Hoisted by his own petard, I guess. But here's the nature of what it installed:

  • There's a small partition that Windows recognizes as a virtual CD-ROM drive for some reason. On this partition is the autorun script that installs the junk onto your hard drive. Because it's detected as a virtual CD-ROM you can't delete or modify it easily from Windows.
  • If you manage to delete this partition from the drive and zero-out the whole thing, then put it in a Windows machine that already has the software installed on it, the software re-installs the partition onto the flash drive.
  • The software that's installed on your hard drive isn't installed as a service and isn't registered with Add/Remove Programs. So it can't be disabled or un-installed through any of the standard channels. There is an un-install feature within the software itself. I'm not really sure I'd trust it.

The takeaways:

  • Sandisk: This is evil. And Sandisk (or whoever wrote the software) knows it. When you're writing software that you intend to be genuinely useful to users you don't install without permission, you don't make it hard to delete, you don't make it come back when the user clearly wants it gone. You do this because you want the software running and the user probably doesn't.
  • Microsoft: Why still autorun CDs without confirmation? Why allow flash drive partitions to show up as CDs? Why make it so ridiculously hard to disable autorun (apparently the obvious controls don't always work on Vista/7 and you have to use Group Policy Editor or Regedit)?
  • People: If you must run Windows, disable auto-run. If Mac has an auto-run feature, disable that. If one of the Unix desktops wants to do auto-run, disable that. It's a mind-numbingly stupid idea from a security perspective.
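
An added example, not from the original post: Windows stores its AutoRun policy in the `NoDriveTypeAutoRun` registry bitmask, where bit N disables AutoRun for drive type N as reported by `GetDriveType()`. The C sketch below checks constructed policy values against a constructed two-volume stick like the one described above; the names `STICK`, `autorun_allowed` and `exposed_volumes` are illustrative assumptions. It shows that a policy covering only removable drives still leaves the CD-ROM-emulating partition live.

```c
#include <stdint.h>
#include <stdio.h>

/* Drive types as returned by the Win32 GetDriveType() call. */
enum drive_type {
    DRIVE_UNKNOWN = 0, DRIVE_NO_ROOT_DIR = 1, DRIVE_REMOVABLE = 2,
    DRIVE_FIXED = 3, DRIVE_REMOTE = 4, DRIVE_CDROM = 5, DRIVE_RAMDISK = 6
};

/* One volume as the OS enumerates it. */
struct volume { const char *label; enum drive_type type; };

/* Constructed sample: a stick exposing a read-only launcher volume that
 * claims to be a CD-ROM, plus the ordinary removable data volume. */
static const struct volume STICK[] = {
    { "launcher (virtual CD-ROM)", DRIVE_CDROM },
    { "data partition",            DRIVE_REMOVABLE },
};
#define STICK_LEN ((int)(sizeof STICK / sizeof STICK[0]))

/* NoDriveTypeAutoRun: bit N set => AutoRun disabled for drive type N. */
static int autorun_allowed(uint32_t mask, enum drive_type t)
{
    return (mask & (1u << t)) == 0;
}

/* Return how many volumes would still AutoRun under the given policy mask. */
int exposed_volumes(uint32_t mask, const struct volume *v, int n, int verbose)
{
    int exposed = 0;
    for (int i = 0; i < n; i++) {
        int live = autorun_allowed(mask, v[i].type);
        exposed += live;
        if (verbose)
            printf("  mask 0x%02X  %-26s %s\n", (unsigned)mask, v[i].label,
                   live ? "AutoRun ENABLED" : "blocked");
    }
    return exposed;
}

int main(void)
{
    /* Constructed policy values: none, removable only, removable+CD-ROM, all. */
    const uint32_t masks[] = { 0x00, 0x04, 0x24, 0xFF };
    for (int i = 0; i < 4; i++)
        printf("mask 0x%02X leaves %d volume(s) exposed\n", (unsigned)masks[i],
               exposed_volumes(masks[i], STICK, STICK_LEN, 1));
    return 0;
}
```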

Sunday, December 20, 2009

Denver Airport Concourse Comparo!

Yesterday while waiting for a connecting flight in Denver Airport with Jess I realized that I've spent an unreasonably large portion of my life waiting for connecting flights in Denver Airport. When Jess suggested that we find food my first thought was, "There's no good vegetarian food in this concourse. Let's go to the United concourse." And thus the Denver Airport Concourse Comparo was born.

Concourse A

  • Airlines: Frontier (17 gates plus several more in the small-plane area operated by Lynx), Continental (3), JetBlue (2), AeroMexico/Air Canada/Lufthansa (sharing 2 gates), British Airways, Mexicana, Midwest, AirTran, Alaska, Frontier JetExpress, Great Lakes (several in the small-plane area)
  • Food (constraints: cheap-ish, fast, vegetarian): The only place to get quick vegetarian food in the A Concourse is Panda Express, and there your choice is basically lo mein and... more lo mein. Oh, yeah, there's some place called Lefty's with some vegetarian stuff, but they're on my blacklist from a previous trip for only serving breakfast food at 8 AM. THIS IS AN AIRPORT, PEOPLE! TIME HAS NO MEANING HERE! That's what pushed me to the Panda Express... I'm sure breakfast exists in China, and maybe even breakfast food, but in America Panda Express will sell you mushy lo mein all day. Um, where was I? Concourse A has Hope's Cookies, which are OK. No trendy coffee joints, but apparently there's a Quiznos with espresso and a full bar.
  • Centerpiece Art (There is lots of public art in Denver Airport, and much of it is in the terminal, which is outside the scope of this comparo; I'm limiting myself to the centerpieces around the tram stations and vertically above): On one side twisted train tracks through a desert; on the other a semi-flattened globe anchored by structures evoking satellite dishes or grandstands. There's some kind of museum exhibit on the mezzanine level, but it's not memorable.

Comments: Frontier is a pretty good airline but its concourse is the worst in the airport.

Concourse B

  • Airline: United (16 bazillion gates), United Express (7 bazillion gates in each small-plane area).
  • Food: There's a pretty good quick Mexican place on the second level. Lots of variety. There's a TCBY. Annoying hipsters and chipper businessdroids rejoice: B Concourse has a Coffee Beanery, a Seattle's Best, two Starbuckses, and a Caribou Coffee. There's something called Pour la France. I didn't know la France was a liquid.
  • Centerpiece Art: There is a sculpture of an astronaut down in the tram station. The motorized walkway continues through the center area, leaving room only for some random neon squiggles and some arches, like something out of that crazy walkway in O'Hare from the United concourse to baggage claim.

Comments: B is the biggest and busiest concourse. This last time there was an enormous Crocs stand on the upper level. It's the most mall-like of the concourses (but not even approaching DFW). The art is not so hot, the crowds are crowdy, this concourse ranks in the middle.

Concourse C

Concourse C is the concourse you're not supposed to know about. It's really a top-C-cret military base. Say it out loud: top-C-cret. And they thought they could get away with it. If you want to figure this stuff out you have to think like they think. See the patterns.

  • Airlines: I guess the army or whoever it was (CIA? WTO? Illuminati?) put up fake airlines and stuff there: 12 gates for "Southwest" and another 5 for "Northwest" and "Delta". Like I believe that -- worst fake airline names ever, amirite? It's rounded out by "US Airways" and "American", which are almost as obvious. We didn't see no planes take off, that's for sure. Oh, and they put the whole concourse in a TIME VORTEX.
  • Food: There's a TCBY in there. Not as big as the one in B. And some place that claims to have tamales, we haven't tried them.
  • TIME VORTEX: When you enter the TIME VORTEX you see spinning pinwheels. When you leave the TIME VORTEX you see flashing lights and a swinging sickle. A++++++ very good TIME VORTEX. Would TIME VORTEX again.
  • Centerpiece Art: It's this awesome decayed garden. Only the truly enlightened can see it, which is how it got so decayed: most people can't even see C Concourse at all, let alone the garden, so nobody can maintain it. Hell, I have it on good word the President's secret puppet master himself can only see the garden through a shard of a mirror once belonging to his puppetmaster. I am on to something for sure!

Comments: Jess and I just took the tram here to see what it was and it opened our eyes. They paged Jess over the intercom, so she picked up an information phone and dialed the number for "paging". Except that's for when you want to page someone else, so she hung up and dialed information. They said the page was actually for a "Jessica Mylan", not her. We got the message loud and clear: we know you're here and we're watching. So we went to a gate for a "Southwest" flight to San Francisco and sat and waited. We started talking to one of the people at the gate. An agent or a dummy? We introduced ourselves as Jessica Mylan and Billy Philbert. He said, "Didn't they just page you, over the intercom?" The agent at the gate called for boarding. Nobody lined up. We got the hell out of Concourse C.

Friday, December 18, 2009


OK, here's the recording of the concert, nicely broken into tracks and with dead spots mostly cut out: LINKY.

Some things came out better than others, but for a first time doing this sort of thing, and for a concert where I am doing most of the instrumental parts on instruments I barely know how to play, we did OK. I just need to find a band where I can play harmonica or clarinet (or bass, even, if I don't have to actually keep rhythm or do anything important).

I don't know why...

...but Stravinsky's Symphony of Psalms, from the first time I heard it, always felt right. Like something I'd heard before, but not (which I think was sort of the point). It's one of my favorite pieces of music of all time (ZOMG I think I should update my Facebook to reflect this fact). I cleaned out one of John's old receivers a bit ago and now I can listen to it again. I can't listen to Stravinsky on headphones.

Anyway, now that I have some speakers I will get back to cutting up the library concert and try to post it before leaving for Chicago. I really lost momentum after Thanksgiving. More later.

Wednesday, December 16, 2009

Spam comments

In case any of the spambots posting comments to my blog are sentient and understand English, I'd like to point some things out.

  1. Nobody reads my blog (at least not at the blogspot address that the comments are posted to)
  2. I get notified of comments to my blog by email and I delete every spammy one.

You're wasting my time and yours by posting spam to my blog. It would probably be better if you stopped.

Personally I find it hard to hate spammers. Well, a lot of them, at least. I'm currently in the middle of a frustrating and difficult job search. But I know that it's possible for me to find a job in my chosen field with a stable employer. A lot of people get involved in the spam business because that's not possible for them. Some are clever programmers that, because of where they live and their language skills, don't really have an opportunity to work for "legitimate" software companies. Many others may not even be that -- they're just people playing demanded roles in a global market with enormous wealth disparities. The entry costs for spamming are so low compared to the entry costs for other global business models that it's really no surprise people turn to spam. If we in the USA are annoyed by it we should get involved in micro-loans or something.

Really, the worst offenders are educated people from rich countries. This blog post will get mirrored on Facebook, so I'll use Facebook as an example. Get people to sign up all their friends through Facebook. Now they're a captive audience. If you quit Facebook because of its ludicrous policies on privacy and advertising you're quitting all your friends (who can't be bothered to remember your email address anymore). So nobody ever leaves, even when Facebook makes unpopular decisions -- and they can do this because they have near-total control over your data and the software you access it with. This is the best contribution Mark Zuckerberg could make to the world with his Harvard education. To me that's a lot more scummy than what 419 scammers do, and about on par with most Craigslist scams.

Tuesday, December 15, 2009

¡Tan embarazado!

After making my last post I was thinking about why it bothers me so much that JavaScript uses braces for blocks but doesn't use those blocks for variable scope. I think the reason is that the braces are a false cognate. Braces mean the same thing in many popular languages, and JavaScript uses them in identical contexts to mean something different. We have false cognates, of course, in natural languages. My favorite is from Spanish, where embarazada means pregnant, not embarrassed. But in a programming language, designed deliberately by people, we should try to avoid this stuff, right?

Actually one of the most confusing false cognates I've seen as a programmer is the static keyword of C and C++. There are three major ways to allocate memory for a variable: static, dynamic, and automatic (these terms apply to all languages, not just C). In C global variables are allocated statically and local variables automatically (you can also allocate automatic variables using alloca() on many platforms -- this allows automatic allocation of structures and arrays whose size is not known at compile-time). Memory can be allocated dynamically using malloc() and free() (new and delete in C++). That's all fine. Here's where it gets tricky: you can apply the static keyword to both local and global declarations.

For local declarations this makes sense; they're allocated automatically by default, but if you modify the declaration with static they are allocated statically instead. The scope is still limited to the block in which they're declared, but the lifetime is the full lifetime of the program. For global declarations it does something totally different: it prevents the symbol name from being exported (it limits the visibility of the name of the variable or function to other code in the same object file, although you can export the resources manually using pointers, a common strategy to achieve polymorphism in abstraction layers).
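
The two C meanings of `static` described above, as an added example that is not from the original post (all function and type names are illustrative assumptions). A block-scope `static` changes storage duration, while a file-scope `static` hides the symbol, which can still be reached through a table of function pointers.

```c
#include <stdio.h>

/* Automatic storage: 'calls' is re-created on every invocation. */
int count_automatic(void)
{
    int calls = 0;
    return ++calls;
}

/* Block-scope static: same scope as above, but the variable lives for the
 * whole program, so the count survives between invocations. */
int count_static(void)
{
    static int calls = 0;
    return ++calls;
}

/* File-scope static: internal linkage. Other object files cannot name
 * these two functions, so they cannot clash with or call them directly. */
static int ramdisk_read(int block) { return block * 2; }
static int flash_read(int block)   { return block + 100; }

/* The abstraction layer exports the hidden functions through pointers. */
struct block_dev {
    const char *name;
    int (*read)(int block);
};

/* Only this function is visible to the linker; it hands out the table. */
const struct block_dev *open_dev(int kind)
{
    static const struct block_dev devs[] = {
        { "ramdisk", ramdisk_read },
        { "flash",   flash_read   },
    };
    return &devs[kind != 0];
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("automatic=%d static=%d\n", count_automatic(), count_static());

    const struct block_dev *d = open_dev(1);
    printf("%s read(4) = %d\n", d->name, d->read(4));
    return 0;
}
```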

Then C++ comes along and overloads static yet again. By default class member variables have dynamic linkage and functions have static linkage. This basically means that every instance of the class gets its own copy of the variables but shares the same functions. The static keyword lets you declare variables with static linkage; they are statically allocated and thus must have a global definition, as member functions typically do. Similarly, the virtual keyword lets you declare functions with dynamic linkage (this isn't as cool as it is in languages with first-class functions, but it's useful enough).

The real problem, out of these three uses, is C's use of static to limit symbol visibility for globals. Because it's by far the most common use of static, C programmers refer to static variables and static functions when talking about the visibility of their symbols, not their allocation or linkage, using a term that really has nothing to do with visibility at all...

... which is just so pregnant!

Someone with sense behind the wheel!

As much as I rip on JavaScript, it's good to know that there are people working on it that want to solve some of its big problems. See this talk by this dude.

TL;DW version:

  • He understands that scope in JavaScript is wrong (given that all the languages that use braces for blocks have block scope), and wants to fix it similarly to how Perl did, extending the language.
  • He cares about the fact that binary floating point numbers can't exactly represent powers of 1/10, but recognizes that JavaScript probably isn't the best place to fix it.

That's basically all I care about, at least.