Treating The Symptom: A Privacy Law Story

In May 2011, new legislation was passed in the EU which was intended to require opt-in for tracking cookies. It comes into effect on May 26, 2012. Next Saturday.

While people are agonizing over how compliance will gut websites’ ability to identify and meet user demand, that’s not the problem. The problem is that, in order to have jurisdiction over attempts to weasel out of it by Google and Facebook, it doesn’t set clear boundaries. It’s up to the judge to determine whether cookies like PHPSESSID require prior opt-in from users and not even employees of the UK government are eager to comply.

What’s worse is that it probably won’t even work. Experience with technologies like ActiveX and Windows UAC has shown that people just learn to click “Accept” without reading when constantly bombarded. Even if they don’t nag, the EFF’s Panopticlick has already demonstrated that, with an IP address and a fingerprint of a user’s browser headers, you can track individual users pretty well unless they’re all behind the same NAT and on the same IT deployment image.

A solitary 1×1-pixel transparent GIF from a 3rd-party server is a blatant violation of any privacy laws you might care to craft, but what about a reCAPTCHA? …or a Google Font Library embed? …or that copy of jQuery everyone seems to load off Google these days? Every request for one of those leaks your current location via the Referer header and you can’t turn it off because that will break sites like Snopes.com, Pixiv.net, and many others which use it for hotlinking protection. (Though individual Firefox users can use RefControl to forge a nonsense Referer on all other sites)

User analytics via server logs (e.g. /var/log/apache2/access.log) predates JavaScript-based analytics and, if anyone has the raw data necessary to design a robust user fingerprint which can survive minor changes like browser upgrades (and an analytics package which uses statistical probability analysis for reliability), it’s companies like Google and Facebook.
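To make the cookie-less tracking argument concrete, here is an added example (not code from the original post) that measures how identifying the IP address plus User-Agent pair is in an ordinary access log. It assumes Apache's "combined" log format; the sample lines, the User-Agent strings and the function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: documentation-range IPs and made-up User-Agent strings.
SAMPLE_LOG = '''\
203.0.113.7 - - [19/May/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "BrowserA/12.0 (X11; Linux x86_64)"
203.0.113.7 - - [19/May/2012:10:00:09 +0000] "GET /about HTTP/1.1" 200 734 "http://old.example/" "BrowserA/12.0 (X11; Linux x86_64)"
203.0.113.7 - - [19/May/2012:10:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "BrowserB/18.0 (Windows NT 6.1)"
198.51.100.20 - - [19/May/2012:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "BrowserA/12.0 (X11; Linux x86_64)"
198.51.100.99 - - [19/May/2012:10:03:12 +0000] "GET /feed HTTP/1.1" 200 90 "-" "BrowserC/5.1 (Macintosh)"
not a log line
'''


def cookieless_keys(log_text):
    """Count requests per (client IP, User-Agent) pair; unparseable lines are skipped."""
    keys = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            keys[(m.group("ip"), m.group("ua"))] += 1
    return keys


def ua_surprisal_bits(keys):
    """Bits of identifying information each User-Agent carries among the observed keys."""
    per_ua = Counter(ua for _ip, ua in keys)
    total = sum(per_ua.values())
    return {ua: -math.log2(n / total) for ua, n in per_ua.items()}


def shared_ip_split(keys):
    """IPs (e.g. a NAT) behind which the User-Agent still separates clients."""
    per_ip = Counter(ip for ip, _ua in keys)
    return sorted(ip for ip, n in per_ip.items() if n > 1)


if __name__ == "__main__":
    keys = cookieless_keys(SAMPLE_LOG)
    for (ip, ua), hits in sorted(keys.items()):
        print(f"{hits} request(s)  {ip}  {ua}")
    print(ua_surprisal_bits(keys))
    print("NAT-like IPs split by User-Agent:", shared_ip_split(keys))
```

Clients behind the same NAT with an identical browser build collapse into a single key, which is the exception noted above; everyone else is separable without a single cookie being set.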

Aside from driving companies to implement tracking that’s harder to neuter without companies’ co-operation, my big concern is that some EU company with deep pockets will use this as an opportunity to cripple smaller competitors by forcing them to jump through too many compliance hoops. It’s bad enough that big U.S. companies achieve a similar effect with software patents.


The State of Digital Distribution on Linux

Note: This is cross-posted from the blog in my Desura account to ensure my backup system catches it.

After one of my previous posts, showing off my obsession with flowcharts and how much I overthink buying new games, it occurred to me that I can actually focus on a question other people might care about: How does one comfortably manage their games collection on Linux these days?

The only options I’ve been able to find for getting Linux games online are as follows and only the first three have package management beyond “download this installer”:

However, when most people think of digital distribution (the buzzword), we think of a unified experience that takes the hassle out of managing our games for us. (In other words, something developers have to support or else like Steam)

Obviously, nothing as comprehensive as that exists for Linux yet, but we can try to MacGyver things up for now. I’d like to hear what your approach is in the comments, but here’s the best I’ve been able to accomplish.

The State of Digital Distribution on Linux

It’s not ideal, but I tried and, since I’m already using TiddlyWiki to manage everything else, it’s quite comfortable.

The key details are:

  • The Desura button is a direct link to the client download page.
  • The PlayDeb button and the PPA links in the “Package Manager” section are direct links to the lines I’ll need to re-add to /etc/apt/sources.list if I re-install.
  • The GOG.com button is a direct link to the “your games” page.
  • The non-bracketed links in the “Package Manager” section use apt: URLs to trigger the package installer from the browser.
  • The rest are just links to the page where you choose your download type (deb, rpm, installer, etc.)

I’m still working on polishing up and streamlining everything, but I’m already making good progress on polishing up Desura as a general game launcher. Here’s what it looks like once I’ve added a few native Linux games and a few Windows games via Wine and wrapper scripts:

Results of set_icon.py

You can do this yourself, if you want, by using the set_icon.py script I wrote. It’ll even extract icons from .EXE files for you.

When I have time, I’m also planning to work on:

  • Making set_icon.py work on Windows. (The main issue is using Windows methods to find Desura and extract icons from .EXE files rather than Linux ones)
  • A script which will create a wrapper for a Wine application, extract the icon, and add it to Desura with one command.
  • A script which will sync all the games in my Linux desktop’s launcher into Desura (both additions and deletions) with one command.

Secure Cloud Backup/Sync

Given the mounting concerns over cloud storage offerings and the increasing occurrence of bills like ACTA and CISPA, it’s becoming increasingly important to find alternatives to US-based, un-encrypted cloud storage services like Dropbox.

The question for poor saps like me is, who can we trust without paying even more money? Well, here are the cross-platform cloud backup/sync providers I’ve found which assure you that, like Firefox Sync, data is encrypted before it leaves your computer and they can’t recover it if you lose your key:

Name | Free Plan | Extras
Wuala | 5GiB | Swiss subsidiary of a French company with Swiss, German, and French datacenters.
SpiderOak | 2GiB + 1GiB/referral | Optional 2-factor auth via smartphone. In-depth technical details of their encryption are public.

As an alternative, if you have a VPS, co-located server, or feature-rich shared hosting in a country you trust, you can also run your own service using open-source software.

Just keep in mind that most options don’t encrypt data on the server so, if you get hacked or police confiscate your server, they probably will grab copies of your data before someone thinks to power it off and lose your eCryptFS or EncFS keys. (EncFS on the client might work though)

Client | Server | Encrypted Storage? | Notes
SparkleShare | ssh+git | No | Dropbox-like client. SSH Public-Key authentication.
various (WebDAV) | ownCloud | Limited Planned | Has WebUI. Supported by remoteStorage.js.
duplicity | ssh, rsync, ftp, WebDAV, Amazon S3, … | Yes | Linux-only. Sync is one-way like rsync. Client encrypts before sending to server.

I’d also keep an eye on Syncany. It’s not out yet, but if it doesn’t end up broken or vaporware, it looks like it will be a good hybrid of SparkleShare and duplicity.

Please feel free to suggest further alternatives in the comments. I’ll update the post if they look good.


How I Buy Games (as a Flowchart)

Being the geek that I am, one thing I’ve wanted for a while is a diagram of how I decide what to do when a video game catches my eye. I finally made one.

(Note: further commentary below the diagram)

Flowchart describing how I buy games

Why do I require such strict conditions before I buy games? It’s fairly straightforward, actually:

  1. I have strong and well-justified feelings about DRM.
  2. I’m a student with very little money.
  3. I’m a full-time Linux user and have been since I was 16.
  4. When you consider all the other ways I entertain myself, I probably have more games than I’ll ever be able to beat. (In addition to the 100+ games I have as downloads, the boxes in my closet contain roughly 500 game CD-ROMs and a CD-R full of disk images made from legally-purchased diskettes)

So, in that case, why do I keep buying games at all? In my own small way, I like to be a patron of the arts, so I try to give at least a little to every game I approve of, whether or not I’ll ever play it.

I still have to get some kind of short-term return on investment with my tight budget, but it’s better than nothing. After all, a little money to a lot of worthy developers is better than a lot to a few quasi-worthy ones… especially when I use every means at my disposal to cost them less in download bandwidth.


When Linux Freezes…

Like many geeks, I’ve moved less tech-savvy relatives to Linux and, in my mother’s case, common ideology goes a long way to overlooking bugs and rough edges. However, working with her has revealed a serious problem in the Linux desktop as implemented by all major distros.

Once every month or so, I get called in because “Linux froze”. Almost every time, it turns out that some program XGrabPointer’d the mouse, then froze, leaving the system live and the mouse moving… but no clicks being received. (The exceptions are when she’s using her laptop and an Intel graphics driver bug freezes the X server)

While not ideal, there used to be a clean workaround for this. Just set the appropriate xorg.conf toggle and teach them to use one of Ctrl+Alt+Backspace, Ctrl+Alt+KP_Multiply, or Ctrl+Alt+KP_Divide to recover. However, these days, the old approaches don’t work, the system is in upheaval, and nobody with any significant Google PageRank seems to care enough to keep their documentation up to date.

Despite my loyalty to the platform, I’m not too blind to recognize that this problem, in and of itself, is easily enough to keep Linux on the desktop constrained to households with a full-time geek. (If for no other reason than because it’s an easy PR weakness for Microsoft and Apple to attack if Linux gains any ground)

Wayland could fix this problem if it gains adoption… but it has its own issues:

  • It’s still very young
  • Some people (me) need high-performance 3D drivers, GPU acceleration for HD video, and professional-quality dual-head support, but I haven’t heard anything on whether nVidia will support it with their binary drivers (or ATi for that matter).
  • There is no clear plan for a replacement for ssh -X that’s better than mere VNC.
  • I haven’t been promised a compositor which will forbid client-side window decorations (CSD for short).

The others, I can see being solved with time, but that last one is a big issue. The KWin developers have already said they’ll force server-side window decorations, but…

  • There’s apparently nothing beyond “peer pressure will save the world” and “applications which don’t use popular widget toolkits are a myth” to prevent an application from insisting that it also show client-side ones.
  • What if I want to forbid CSD but whitelist Chrome and preserve the effect I get by maximizing Firefox and hiding the windeco? (No, not fullscreen. Even with Xinerama hints, Firefox modifies its UI when it detects that.)
  • Most important: I run LXDE because I value a useful desktop over a glitzy one. Given current trends, it’ll be at least a decade before KDE 4 is as stable and responsive as KDE 3.5 was. (I used to be a loyal KDE 3.5 user, so nobody was more disappointed by Konqueror 4 and KDE 4.1 through 4.6 than I was.)

Preventing Broken Links

TL;DR: If you’re going to move to a new URL, fill out my templates and put them at the old one to make damn sure other people’s links don’t break.

Yesterday, I finally found a use for the root http://ssokolow.com domain… I delegated it to GitHub to shorten and professionalize URLs for my projects. (eg. http://ssokolow.com/quicktile)

…but that meant that I could no longer use .htaccess to set up permanent redirects on URLs like http://www.ssokolow.com/ContactMe.

After a little research, it turns out that GitHub Pages doesn’t seem to have a method of declaring HTTP redirects… but Google and Yahoo will treat no-delay meta redirects as if they were HTTP 301.

Here’s what I came up with for a general, thorough way to ensure the least chance of broken links. (including .htaccess in case I switch hosting in the future) The example assumes you’re moving a whole domain (eg. from SourceForge to GitHub), but it applies equally well to specific URLs within a domain.

(Also, don’t forget to use the change-of-address notification feature in Yahoo and Google Webmaster Tools)

.htaccess:

# The proper way to HTTP Redirect... but not all hosts listen to .htaccess (eg. GitHub Pages)
# Some hosts also provide a special redirect option in their hosting controls.

RedirectPermanent / http://www.newsite.com/

# Probably never used, but just to be thorough.
ErrorDocument 404 /404.html

404.html:

<!DOCTYPE html>
<html>
 <head>
  <!--
Custom 404 page. (GitHub Pages version)

This will provide a last-ditch protection against broken links for actual users.
However, search engines won't recognize it as a redirect. Hence why index.html is necessary.

IMPORTANT: You should also activate your old site in Yahoo and Google Webmaster Tools.
That will allow you to file a change of address notification in their search indexes
for all pages within your domain.
-->
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <script type="text/javascript">
      var NEW_HOST = 'www.newsite.com';
      location.replace(location.protocol + '//' + NEW_HOST + location.pathname + location.search + location.hash);
  </script>
 </head>
 <body>
  <noscript><p>This content has moved. Please replace the <code>http://www.oldsite.com/</code> portion of
   the address in your address bar with <code>http://www.newsite.com/</code>.</p></noscript>
 </body>
</html>

index.html:

<!DOCTYPE html>
<html>
 <head>
  <!--
The less-than-ideal way to redirect that relies on the browser rather than the server.

Requires a browser or other compatible User Agent and only covers the site root,
but Google and Yahoo treat it as equivalent to a proper HTTP 301 redirect.
Source: http://sebastians-pamphlets.com/google-and-yahoo-treat-undelayed-meta-refresh-as-301-redirect/
-->
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <meta http-equiv="refresh" content="0;url=http://www.newsite.com/" />
 </head>
 <body>
  <p>This content has moved to <a href="http://www.newsite.com/">http://www.newsite.com/</a>. Attempting to automatically redirect you.</p>
 </body>
</html>

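Since only a zero-delay meta refresh is treated like a 301, it is worth checking a filled-in template before publishing it. The following is an added example, not part of the original gist: the function name audit_redirect_page and the sample pages are constructed, and www.newsite.com is the placeholder host from the templates above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages; GOOD reuses the refresh tag from the index.html template.
GOOD = '<meta http-equiv="refresh" content="0;url=http://www.newsite.com/" />'
DELAYED = '<meta http-equiv="refresh" content="5;url=http://www.newsite.com/">'
WRONG_HOST = '<meta http-equiv="refresh" content="0;url=http://www.newsite.org/">'
JS_ONLY = '<script>location.replace("http://www.newsite.com/")</script>'


class _RefreshFinder(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.refreshes.append(a.get("content") or "")


def audit_redirect_page(html, expected_host):
    """Return a list of problems; an empty list means a clean zero-delay redirect."""
    finder = _RefreshFinder()
    finder.feed(html)
    if not finder.refreshes:
        return ["no meta refresh found"]
    problems = []
    for content in finder.refreshes:
        delay, _, rest = content.partition(";")
        if delay.strip() != "0":
            problems.append(f"delay is {delay.strip()!r}, not 0")
        key, _, url = rest.strip().partition("=")
        if key.strip().lower() != "url" or not url.strip():
            problems.append("missing url= target")
            continue
        host = urlsplit(url.strip().strip("'\"")).hostname
        if host != expected_host:
            problems.append(f"target host {host!r} is not {expected_host!r}")
    return problems


if __name__ == "__main__":
    for name, page in [("good", GOOD), ("delayed", DELAYED),
                       ("wrong host", WRONG_HOST), ("js only", JS_ONLY)]:
        print(name, "->", audit_redirect_page(page, "www.newsite.com") or "ok")
```

A page that redirects only through JavaScript, like the 404.html template, is reported as having no meta refresh, which matches the note in its comment that search engines will not recognize it as a redirect.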

My Issues With AppIndicators

With the work I’ve been doing on my systray icons in the last few days, it occurred to me that I should probably mention that, when given the choice, I explicitly turn off Ubuntu-style AppIndicators for applications with regular systray icons.

It’s not that I don’t like the idea. I think it’s a good one. The problem is that the year is 2012 and I’m using Linux. When I left-click an icon, I expect it to toggle application visibility, not display a context menu where I have to use another click to toggle visibility. That’s reserved for right-click.

Just because Apple took so long to accept the reality of the two-button mouse doesn’t mean my Linux desktop should punish me for not using some kind of desktop widget system to glance at things like torrent status. (Though, given how many other matter-of-personal-taste apple-isms Ubuntu has been adopting, like the global menubar and the titlebar buttons on the left-hand side, it doesn’t really surprise me that they’d blindly adopt that design quirk too.)

Now, if AppIndicators gain the ability to relegate the menu to right-click and bind a window handle to left-click, I’ll be the first person to welcome consistency between different applications’ definitions of “toggle a window that’s already shown but is on another desktop or is below other windows”. (Personally, I think it should be “If the window isn’t on this desktop and top of the stack, then raise it on this desktop.”)
