FOSS


If it works, don’t fix it…

That’s probably a good motto to follow. In fact, one of the websites I maintain runs an older version of a content management system — it works, the content creators are happy, the visitors are happy, so why invest the time and effort to upgrade to the latest and greatest when there is no tangible benefit to the end user?

Well, if it was built on closed source software, I would be FORCED to. The recent version of Firefox has a slightly different naming convention that triggers a browser identification bug in the management system. One bad assumption by a programmer made a core function of the management system unusable in the current version of Firefox (due to version naming).

Even though I am running an older, unsupported version, I was able (thanks to open source) to copy and paste one line of code that fixes the issue into my existing installation. Within minutes I was fully functional again, bug squashed.

It got me thinking .. if this was built on closed source software, I would be left with the following options:

1. Upgrade the entire site to the latest version (and given the major version number release, would require $$$, upgrade woes and lots of testing and deployment planning)
2. Convince editors of my site to either downgrade to an older version of Firefox, fiddle with the user agent settings in the new Firefox or use Internet Explorer (eeek!!)
3. Stick with a broken site and just ignore the issue, pissing off my users (haha..)

It’s just nice to know that instead of resorting to those options, I was able to change one simple line in my otherwise complex site and be on my way … I was able to verify the actual change (unlike updating a huge array of updates/bug fixes where I’m not sure WHAT is being touched) and if desired, run a unit test to verify compliance. Very simple, very straightforward and next to impossible in a closed source world.

So even in a non-programmer world, access to source code is still a very good thing. :)

I was just doing some maintenance on one of my servers and noticed it has been online 505 days of continuous operations since I rebooted .. It’s pretty incredible to think that little white box computer running FreeBSD has been going non-stop as a file server, web server (60,000+ page views per month), mail server (3,500+ mails per day), spam/virus mail gateway, firewall, network proxy, network monitoring, DNS services, network time protocol server, squid proxy, database server and FTP server. I’m sure I’m even missing a few tasks it does without complaining.

What’s really cool is this server is up-to-date. No known remote exploits. No need to reboot for a security or software update. It’s great. I’m actually slightly sad that I restarted it back in October 2005 because it wasn’t *really* necessary (I rebooted to make sure system services automatically started properly). In fact, at that time it was going strong since I relocated it to its current home from May 2005 .. so it would be getting very close to a solid 2 years of uptime but now I need to wait another 225 days… I don’t think since I installed FreeBSD on that box (Oct 2004) it *REQUIRED* a reboot except for the reboot after the initial software install. Simply awesome.

My personal desktop is catching up .. it has been going without reboot for 131 days .. if you look back on Smashedbug, you can see that was due to a hardware failure (backup drive died on me) — too bad I don’t have hot-swap drives in my home-built desktop computer. :)

There has been a lot of news recently of upcoming operating system releases — particularly Microsoft Windows Vista and user interface changes.

Way back in the pre-Macintosh era for Apple and the DOS era for PCs, there largely was no definition for a standard user interface. Learning new applications required significant time simply understanding key mappings, location of similar functionality and so forth. Even simple things like printing required learning new dialogs and configurations.

The Macintosh defined a very consistent UI. Items such as drop down menus, icons, common keyboard shortcuts, windows, etc were commonplace among many applications. As a result, learning a new application did not necessarily equate to learning a new interface but simply the added functionality the new software provided.

In part, many of the design decisions were due to hardware restrictions. Limited sized icons, limited number of widgets and so forth resulted in smaller memory footprint and less user interface processing requirements.

Starting about 6-7 years ago, a divergence from this consistency occurred. With Mac OS X, Apple elected to break with rigorous consistency and applications started utilizing various widgets. For example, some applications utilized a brushed steel look while others used an Aqua look.

With the upcoming Windows Vista release, it appears that Microsoft is attempting to perhaps downplay consistency and develop interfaces around individual applications.

Base functionality within the operating system renders their windows differently. Some have window titles, others do not. Some have help buttons, some do not .. others might have a help button located in a different location. Icons and buttons are different in shape and appearance. Things like menu bars might be available while other applications might do away with menu bars in favor of “ribbons”, shortcut bars, interface clutter and so forth. To top it all off, the colors and layout of the Windows can vary considerably.

Is interface consistency irrelevant? Should interfaces be designed on the whim of the software development team without consideration of the user interfaces of other applications? Does developing rich graphical system-inconsistent interfaces enhance usability of the system?

It will be interesting. Some people noted that web pages are largely inconsistent and it hasn’t impeded usability — but is this truly accurate? I don’t think so. First, a given user will view webpages in one or perhaps two browsers. The browser provides a consistent interface for navigation, printing, bookmarks and so forth. In addition, well designed sites take into consideration accessibility. Text to speech synthesis, screen resolution, visually impaired visitors, etc. There are still many sites that are simply unusable for a large percentage of users.

It will be interesting to see how this works out. I’m personally under the impression that a single, well defined user interface with as much standardization as possible is a good thing. Standardized dialogs, standardized keyboard shortcuts, standardized menu layouts, etc provide an interface that minimizes the learning curve and allows many development teams to provide input that ultimately can enhance ALL applications utilizing that interface.

Email communication continues to become more and more critical for personal and business communication. Unfortunately forged emails are a reality for many — be it the various “phishing” emails that claim to be from your bank, eBay or other sources, or an email generated by malware that forges the sender with your name and email address and attempts to construct an email that *seems* legit. It can be very difficult to determine the legitimacy of the content of these emails.

A solution is OpenPGP. Dating back over 15 years to 1991, PGP is a public-key encryption technology.

Public-key cryptography has two parts: a private key and a public key. The private key is bound to a particular identity (i.e., an individual user). From the private key a public key is derived and distributed (generally through a centralized key server). The public key allows one-way encryption as well as validation of documents signed by the private key. As a result, people can encrypt items (files, emails, documents) with the public key, but only the private-key holder can decrypt them.

So what does this have to do with anything? One feature of OpenPGP is the ability for a person to sign a document, such as an email, with their private key. This results in a small file attachment that, when processed along with the original email and the public key, can ultimately validate that the email was signed with the private key.

How does it all work?

OpenPGP tools are available for virtually all operating systems and most email clients have built-in or add-on support. To demonstrate, I’ll outline the basic steps when setting up the keys and writing an email in KDE using KGPG and KMail.

  1. First, open KGPG (Utilities->PIM->KGPG). If it is the first time, it will walk you through creating a private key. If the wizard does not appear, click on Keys -> Generate Key Pair. This requires your name and email address. You can also provide a comment, expiration date and increased key size (read: more secure key) if desired. Once done, click Ok. It will ask for a passphrase (to verify only legitimate people can use the private key!)
  2. Once your key is created, open up KMail and go to Settings -> Configure KMail -> Identities. Select your identity and click Modify. Under Cryptography, click “Change” to select your signing and encryption keys (these should be the same). Click OK to close and exit the settings window.
  3. You can now compose an email. When you want to sign, simply select Options -> Sign Message. If you want to always sign emails, in the KMail Settings dialog, select Security -> Composing -> Automatically sign messages.
  4. When done, click send. It will prompt for your passphrase (as you don’t want ANYONE signing your emails!).

That’s it! You’re now able to sign your emails to validate they came from you.

If the person receiving the email does not have an OpenPGP aware email client, they will simply see a small attachment on your email. However, if they have an OpenPGP aware email client, it will note that you signed the email but it does not have the ability to verify (due to the fact the person does not have your public key).

So how to do this? It is quite simple. In KGPG, right click on your key and select “Export Public Keys” and click the “Default Key Server” radio button. Click OK and the public key will be placed on the key server for others to download. When your signed message arrives, the recipient will have your unique key ID and can easily import your public key through the OpenPGP interface in their email client.

For the astute readers, the question ends up being: How do you know that someone is not forging the key? By default, public keys imported into your keyring are considered untrusted. You can sign the key (in KGPG, right click on a public key and select “Sign Key”) and it will prompt with the unique fingerprint. This can then be verified with the private key holder (either via phone, through another secure channel, etc..) to rule out the possibility of a rogue key.
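The same flow at the command line, as an added example that is not part of the original post: it uses GnuPG's `gpg` (the tool KGPG is a front end for) with two throwaway keyrings, one playing the sender and one the recipient, and shows a detached signature verifying and then failing after the message is altered. It assumes GnuPG 2.1 or later is installed; the identity `alice@example.org` and all file names are constructed.

```shell
#!/usr/bin/env bash
# Added example. alice@example.org and the file names are constructed values.
set -u
WORK="$(mktemp -d)"                      # throwaway area, removed by cleanup
SENDER="$WORK/sender"; RECIPIENT="$WORK/recipient"
mkdir -m 700 "$SENDER" "$RECIPIENT"      # gpg expects private keyring dirs

# Run gpg non-interactively against one keyring: g <homedir> <gpg args...>
g() { _home="$1"; shift; gpg --homedir "$_home" --batch --quiet --no-tty "$@"; }

# Step 1: create the sender's key pair (empty passphrase only because this
# is a demo; a real key gets a passphrase, as the post says).
make_key() {
  g "$SENDER" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Alice Example <alice@example.org>' default default 1y
}

# Steps 3-4: detached, ASCII-armored signature = the "small attachment".
sign_message() { g "$SENDER" --yes --armor --detach-sign --output "$1.asc" "$1"; }

# Publishing step, done by file here instead of a key server upload.
share_public_key() {
  g "$SENDER" --armor --export alice@example.org > "$WORK/alice.pub.asc" &&
  g "$RECIPIENT" --import "$WORK/alice.pub.asc"
}

# Primary-key fingerprint as stored in a keyring; this is the value both
# parties compare over a separate channel before trusting the key.
fingerprint() {
  g "$1" --with-colons --fingerprint alice@example.org |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Recipient side: exit status 0 only when signature, message and key agree.
verify_message() { g "$RECIPIENT" --verify "$1.asc" "$1" 2>/dev/null; }

cleanup() {
  gpgconf --homedir "$SENDER" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

if [ "${1:-}" = "demo" ]; then           # run as: bash pgp-demo.sh demo
  make_key && share_public_key
  printf 'Meeting moved to 3pm.\n' > "$WORK/mail.txt"
  sign_message "$WORK/mail.txt"
  verify_message "$WORK/mail.txt" && echo "good signature"
  echo 'Meeting moved to 5pm.' > "$WORK/mail.txt"    # altered after signing
  verify_message "$WORK/mail.txt" || echo "signature no longer matches"
  echo "fingerprint: $(fingerprint "$RECIPIENT")"
  cleanup
fi
```

A good signature from a key whose fingerprint has not been checked still exits 0 here; `gpg` only warns that the key is not certified, which is why the fingerprint comparison is a separate step.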

To expand, it is possible to use the public key to encrypt the entire message, file or document for a given recipient. As a result, it provides the ability to transmit that information over an insecure channel without significant concern of interception (this is different than a signed email which only verifies the email came from a given person and was not tampered with). In addition, revocation keys, increased key size, various cryptography algorithms and key expiration dates increase the security for higher security applications.

OpenPGP is a very powerful tool. With systems such as KDE with the KGPG and KMail integration, access to this powerful tool is easily within the grasp of most computer users.

The LinuxQuestions.org website posted the results of their annual User Choice awards and it’s great to see more and more KDE solutions ranking high on the list. The following KDE-based tools ranked first or second in their respective categories:

  • KDE for desktop environment
  • amaroK for audio multimedia player
  • Knoppix for Live CD (based on KDE)
  • Konqueror for file manager
  • Konqueror for web browser (2nd place)
  • Quanta for web development tool
  • KOffice for Office Suite (2nd place)
  • Kate for text editor (2nd place)
  • Kopete for Instant Messaging Client (2nd place)
  • KDevelop for programming environment (2nd place .. almost tied for 1st)
  • KMail for mail client (2nd place)

What’s particularly interesting is the fact that the apps that ranked 2nd place lost to apps that are cross platform (Windows, Mac, Linux, BSD and *nix) such as OpenOffice.org, GAIM and vim. As a result, it might be a simple case of larger potential user base versus quality of the software. Needless to say, congrats to the KDE developers for creating not only a great desktop environment but also some great tools and applications to run on it. :)
