Sanctum Sanctorum Mark III

When getting a new desktop that would no longer support my aging Alps Glidepoint, I went looking for what's out there. I found the coolest mouse-eliminator ever.

The iGesture worked out of the box with tons of functionality without a driver on Mac OS X (including Classic), on SuSe Linux 9.1, and in Win 2k. On the USB wire, it just emulates a USB mouse-ish device... but is wildly cooler, works well, and does so much more. Some fancier features came with the utilities. And it's just SMART. If a firmware update fails, it either reverts to old firmware, or goes into update mode. If THAT fails, you can tap it a certain way to put it into update mode. You can reset it at the hardware layer (doing a USB disconnect, reset, reconnect) with five presses of your palm. It's crazyeasy to use. Double-click by just touching 3 fingers; grab and drag with 3 fingers; huge drag space, and scrolling is seriously neat. It's scary intuitive (though there's a lot of funky gestures to learn). Wildly tunable.

I've always liked touchpads better than mice. I've had that Alps Glidepoint for my desktop for years. The only real drawbacks for me were that the things are usually too small, and I eventually get some impact pain from double-tapping to double-click. The Alps's buttons made that less of an issue. Still, kinda small.

I've also used a wide range of pointing devices -- touchpads, mice with 1,2,3 and even 5 buttons, trackballs, ergonomic trackballs, integrated track[ball|pad], and once I had a cool Outbound notebook with a "trackbar" on it. It came close to ideal for a laptop integrated pointing device, by the way.

But the iGuesture takes the prize. They have other really way-out products (keyboard that doubles as a 100% touchpad surface and iGesture pad).

It's been a bad week for email... well, ok, for a lot more than that, though it's email that is mostly at risk in both disturbing items.

Researchers accidentally found a bug in gmail (the free Google email service) that reveals the contents of the previous transaction the server processed -- whatever its content. I.e., you could see other peoples' emails. Google managed to fix the bug about an hour after the story was slashdotted.

--------
Much more disturbing, because it will be harder to fix and is more disruptive, a post I'm calling, "The Security Implications of Domain Name Registrar choice and ICANN policies..."

In a disturbing turn of events, age-old (in Internet terms) commercial access provider Panix has had their main domain name, panix.com, hijacked. While panix.net works still correctly, panix.com is the domain used for their thousands of subscribers' email, web pages, etc.

Bad. Very bad. One wonders how it happened. Did the domain expire and get grabbed up? Did someone break into Panix's Dotster account? Did someone bamboozle Dotster? Did someone put in a transfer request that went unheeded by Panix (the new ICANN policy is that, "Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer")?

( The 'new' whois info for panix.com )
Note that everything including the nameservers has been changed. Email to users "@" panix.com may actually still work for a time, because DNS caches will maintain the data until it expires or the cache buffer gets overwritten. (For example, my DNS cache server shows 22 hours remaining on the cache timer for the "real" panix.com MX record.) The "new" www site has a placeholder page from freeparking.co.uk.

After the caches expire, web browsers will go to the bogus site, and mail to users "at" panix.com will go ... where-ever the people who hijacked the domain want. Unless it's quickly resolved. As I write this, the "new" MX records point to 207.61.90.0 and 142.46.200.0 -- network addresses rather than normal host IPs -- which means the mail probably will fail (and thus just queue up, and with luck be delivered to the real panix.com once this mess is cleared up). Fortunately, right now, the cache expiry on the 'new' MX record is 24 hours, while email delivery is normally attempted for 5-10 days, depending on the mail software and configuration.

( In case you can't get to it, here's the relevant content from Panix's REAL website about the hijacking )

Nipped from tezliana:
Post a favorite line from a film here. Any film. Don't tell me what it is. Then go tell someone else to do it, or pimp it in your LJ or something. It will be great -- Charge of the Non Sequitur Brigade.

"I'm in right now, so you can talk to me personally. Please, start talking at the sound of the beep."

Planning to vote in Illinois this election? (Please do if you're a resident.)

Expecting to be lost when you hit the mammoth judicial retention/selection portion? Who can know 74 judges and a fistfull of new candidates all that well? Well, there's hope.

The Chicago Bar Association puts out its member-driven Judicial Evaluation Committee Findings each year. They're online. They're not just "recommend" or not. They give solid reasons based on the feedback of the people who've dealt with these individuals in their professional capacities. While most are deemed quite professional in their conduct and capability, some few are not. Worth a read before going to the polls. A bad judge can make an expensive mess of the legal system, and can be your caricature-bad-litigator's wet dream, allowing a case that should be tossed to make it into the pipeline, the news, and the political gristmills. Have a good look.

Edit: Note the big top list is just the judicial RETENTIONS. Be sure to also look at the evaluations for new CANDIDATES, towards the bottom.

Some interesting trends and a couple of lightly reported tech events have convinced me that two really interesting things will happen in the tech service sector over the next year.

( AOL becomes largest Liberty Alliance (federated identity) broker. )
------------
( Google Mail becomes largest outsourced spam filtering service. )

...which is to say, file integrity checking tools.

( Hash function geekery )

Jacques Derrida died last night in a Parisian hospital from pancreatic cancer, at the age of 74. The controversial philosopher and social/culture critic had a sizable effect on the practice of social science and literary study around the world. From the positive effect of forcing social scientists to admit their inevitable 'presence' as author in their writings (with positive and negative biases), to the use of literary deconstruction as an effective analytic tool, to the debilitating effect on the social sciences of more nihilistic deconstructionism, his interpreters will no doubt be working with his materials for generations. Perhaps best known for asserting that authors lose control over their literary works once the work is published, Derrida displayed no sense of irony in suing publishers over copyright violation. Like him or not, in whole or part, we're now left with only his interpreters.

Reuters story: http://www.reuters.co.uk/newsPackageArticle.jhtml?type=worldNews&storyID=600118§ion=news

So much depends
upon

A deferenced frame
pointer

In legacy
code

Set uid
root

Well, I finally decided to take the plunge and start in on speech to text -- a.k.a. continuous speech -- software. I'm trying right now to see how close to subvocalization I can get it, since ideally one could use it in a quiet room with other people without disturbing anyone. For the moment I'm using Dragon 7.3 on a pretty slow laptop(600MHz).

It's pretty fun but occasionally quite frustrating as it will sometimes smash interesting phrases out of what I'm actually saying. It makes you ridiculously conscious of how you pronounce things, and makes you wonder, "do I really sound like that?"

For example, it has difficulty with very small words used in rapid series. So something like, "what's up with all that?" Might come out as, "it's up with all that" or worse, "what's up with a hat" which is not quite the same thing at all.

But muttering into a microphone and having words -- mostly accurate -- appear before you has a cachet all its own.

This posting for example was typed entirely through the software: only about 10 corrections had to be made. That's not much worse than my typing.

I regularly read people mention things like "DoD," "NSA" and "IEEE" "standards" for the secure wiping of data from hard drives. I recall a discussion on some list a few years back on how most of those "standards" are mythical, but can't find it now. [EDIT - found it! A BUGTRAQ post by Simple Nomad]. So, I did some digging on my own.

Sure, I've seen Peter Gutmann's paper and Simson Garfinkel's paper on the topic of data wiping.

While there ARE several US military and gov standards, NSA doesn't seem to publish one, and IEEE appears to have no data deletion standard. Indeed, even the IEEE paper on the topic (by Garfinkel) -- doesn't cite any such IEEE standard.

Yet documents citing mythical standards and misquoting the ones that DO exist abound.

Heck, one product blurb says the DoD's 5220.22-M recommends 7 overwrite passes. A look through the document shows it most strongly recommends burning or other utter destruction and has no mention of 7 (or any number of) passes. Interpretation of "destruction" is left to the branches.

It's possible some branch has interpreted it that way, but there is no DoD STANDARD on overwriting. Even Garfinkel seems to have pulled some ideas out of the DoD guidelines that don't actually exist in the documentation.

Some products claim to delete to Gutmann's "standard." Yet Gutmann talks about how his algorithm (which takes 35 passes) is more about him making the point that you have to know what you're erasing before you make a standard. That's in his paper's epilogue, which makes a great case for there not being a general standard.

So, on to the branches. The Army recommends heavy overwriting only if the drive is going to be used in an environment with the same or better security clearance, and recommends degaussing otherwise. Finally, the USAF guideline has the closest thing to an overwrite standard: triple overwrite: 0s, then 1s, then random, then verify. And then it's recommended only on a "case-by-case" basis, with disassembly and degaussing platters as the basic approach.

So, IS there a true public standard anyone has seen? I've just seen a lot of BS in advertising.