Dr. Jerry Pournelle

Email Me


Why not subscribe now?

Chaos Manor Subscribe Now



Useful Link(s)...

JerryPournelle.com


Hosting by
  Bluehost


Powered by Apache

Computing At Chaos Manor:
March 6, 2007

The User's Column, March, 2007
Column 320, part 1
Jerry Pournelle jerryp@jerrypournelle.com
www.jerrypournelle.com
Copyright 2007 Jerry E. Pournelle, Ph.D.

I have spent a good part of the last few weeks in Hell and I liked it a lot. Of course what I mean is that I have spent several hours a day working on the new novel by Larry Niven and Jerry Pournelle. It's a sequel to our INFERNO which was a minor best seller from Simon and Schuster/Pocket Books a few years ago, and I'm pretty happy with what we've done. This is essentially what happens when Dante Alighieri meets Vatican II as written by Robert Louis Stevenson with some lines from Oscar Wilde. At least I'd like to think it is that good, and reading it over I can persuade myself that it is.

The upshot is that I haven't built any new systems recently, and I haven't been as diligent in pursuing new equipment as perhaps as I should be. On the other hand, I have plenty of experience at using these little machines, so perhaps it balances out.

Microsoft Activation Code cracked?

It was a big announcement last week:

Vista activation cracked by brute force
Sledgehammered
By Charlie Demerjian: Thursday 01 March 2007, 17:15
IT LOOKS LIKE Microsoft's unhackable OS activation malware has been hacked. <snip>

(link here)

You will note the unconcealed joy in The Inquirer report.

The Microsoft Vista Activation codes were cracked. This caused some discussion among computer pundits, including considerable pontification about how no Digital Rights Management scheme would ever work, and Microsoft's Activation system was doomed from the beginning, and we all told you so. I didn't get in on any of that.

We did have a discussion at Chaos Manor. Dan Spisak said

So it's brute force? That's not really a crack then, its just blasting out 25-digit keys at a wall until something sticks.

A crack would mean someone manages to get enough valid keys to figure out the algorithm that generates valid keys and then releases a tool that would be guaranteed to make a valid key on every try. Or to write the equivalent of WGAFix for Vista. This has not happened.

Additionally, this is not big news because it follows suit with how Windows XP activations were circumvented. First it started with people using pirated known Volume License Keys, then MS invalidated those with SP1. Then hackers generated more, and MS invalidated those. Then hackers hacked WGA so they wouldn't have to care if their key was valid or not, circumventing the serial key issue.

All MS has to do to stop this from working is to rate-limit authentication attempts per incoming IP address. Above a certain rate per minute their firewall just blocks all authorization traffic from that IP for 72 hours. Of course, if someone figures the key generating algorithm out then they are truly up a creek. At that point MS would need to keep track of what keys have been created for shipped copies of the OS and only authorize those. That of course won't completely defeat a third party generated serial however.

-Dan S.

I found that considerably more interesting than most of the speculation that reverberated around the web. Eric Pobirs added,

Besides, since shortly after the RTM was posted there have been apps to stretch the activation period out to some time a decade hence. That is the version that has been a big favorite on the torrents. I know someone who used this while waiting for the arrival of the package from a training seminar he attended.

Eric

There was more. Then Eric reported that it was all a hoax, after which all the discussion died out. I make no doubt that there are ways around the Dreaded Activation, but brute force isn't likely to be one of them.

DRM

It does leave unanswered a number of questions about Digital Rights Management. Most pundits seem agreed that the hackers will always win: there is no security system that can't be penetrated, because the legitimate user must be given the secret that unlocks the software. You may try to hide it from the user by burying it in layers of encryption, but eventually it will give itself away, and the encryption scheme is broken.

Of course most of us base our opinions on this subject on fairly limited experience, and that experience includes some of the silliest and most simpleminded DRM schemes imaginable. Adobe adopted a particularly lame system, then tried to jail a Russian programmer who broke the simple system and tried to explain it to a convention of security experts. (link) The resulting furor made Adobe look ridiculous, and was an early stimulus to opposition to the criminal provisions of the badly flawed Digital Millennium Copyright Act. It also put Adobe on the hit list of a number of people I would not myself care to have angry with me.

We are now several years past that stage. Highly sophisticated encryption algorithms can be encoded in hardware and applied at gigabyte speed. If the hacker community has new and powerful resources, so does the security community. The slogan of the American rodeo is "there never was a horse that couldn't be rode, and there never was a cowboy who couldn't be throwed." I suspect there's an analogy here. Security schemes may all be in theory breakable, but in practice, many of them are likely to be Good Enough, and we may as well get used to them just as we are getting used to "activation malware."

I can live with DRM. What I can't live with is criminal penalties against those who crack the scheme and publish the exploitation. Ideally, DRM ought to protect a publisher's rights from widespread violation, and the law ought to provide for civil but not criminal penalties for intellectual property theft. I suspect that when it's all done, that's what we will have.

Activation

The most common complaint about Activation and DRM is that it doesn't really prevent piracy; pirates can always break the system, so the only real effect is to annoy legitimate users. I've made this argument myself. I was particularly vehement about it back in the days before the Internet, when copy protection schemes could and often did result in users being unable to use a program they'd paid for: the system would crash, they couldn't reinstall from the original disks because they hadn't uninstalled the program, and of course it happened on a weekend before a deadline. Back in DOS and early Windows days, some fairly well known programs and their publishers went down the tubes because of this, and copy protection schemes generally vanished.

Then Microsoft experimented with Activation, starting with experiments in Australia and other places before applying it in the United States. This didn't get a very good press, and still isn't very popular (The Inquirer's description of it as "activation malware" is among the gentlest of its descriptions), but hasn't in general resulted in as many horror stories as I would have expected. I know a lot of Windows users, and the worst stories I have heard have to do with upgrading systems — changing motherboard, or CPU, or hard drive — and discovering that Windows didn't like that and wouldn't activate. In all cases I know, that was remedied by a toll-free telephone call.

In my own case I think it took a quarter of an hour on hold, and about five minutes of discussion once I got through to a polite and well spoken young lady in Bangalore. She said her name was Betty. After I explained that I'd replaced the motherboard on the machine in question, I was given a new activation number. It has worked just fine ever since.

Incidentally, I have replaced the hard drive in three different laptops, using Ghost to save and restore an image, and Windows didn't even hiccough. It took a motherboard replacement to get Microsoft Activation unhappy enough to ask for a telephone call.

I can't say I have any love for Activation, but I can certainly live with it.

The Virtual Machines

We live in a time of increasing computer power; the era of computer plenty, with multiple core machines, cheap memory, low cost disk drives, digital signal processing chips, video processing chips, low cost network communications chips, etc., etc.

One consequence of this will be more use of virtual machines. The best example of this is systems running XP or Vista as applications on the new Intel Mac systems. They use a Mac program called Parallels. There's also Virtual PC, which runs quite well on the older Macs. My wife's reading instruction program (http://readingtlc.com/) was written for Windows 98, and runs on all versions of Windows published since Windows 98. It also runs on my Mac PowerBook just fine, using just about any version of Windows (we've tested it with Windows 98, Windows 2000, Windows ME, and Windows XP) in Virtual PC for the Mac. I am hardly an unbiased reviewer, but I know of no better or more certain system for teaching those from age 4 to 40 to read English. It also runs in Windows XP and Vista, both on Windows PC's and in Parallels on the new Intel based Macs.

The question is, how do you activate Windows when it's running in a virtual system, and what happens if that system crashes? And suppose you want to run more than one instance of Windows on your virtual machine?

I don't recommend this latter for anything demanding; Mac OS needs about half the resources most Intel based Macs have, and one instance of Windows Vista will want the rest. The same thing, more or less, goes for Windows XP. I have reports of several instances of Windows 98 running quite well on a Mac Book Pro, but that was mostly done for a stunt. On the other hand, Moore's Law is inexorable, and within a couple of years we'll all have machines capable of running multiple instances of Vista. And of course Windows has had VMware, a sort of Parallels for Windows, (http://www.vmware.com/ ) for years. It allows multiple operating systems to run on Windows machines. Now that Mac OS — X runs natively on Intel hardware, it may not be long before we see Mac OS-X running on Windows.

Captain Morse informs me that there's also a version of VMWare for Linux, and Linux users use it to set up a Windows 2000 virtual machine that runs on top of Kubuntu. He says "Win2K has many attractions for virtual work, starting with the fact that it doesn't authenticate." Of course Win2K also runs in Parallels, too.

There clearly hasn't been a lot of thought about all this, and it's pretty certain that licensing systems haven't been designed with computer plenty in mind. Of course what's really needed is competition among operating systems. The marginal cost to the publisher of another instance of an OS isn't high; if someone is running XP on a Windows box, it doesn't cost Microsoft much if he opens another instance in Parallels on a Mac, or Apple much if there's a copy of OS-X running on a Windows machine.

We can expect a lot more of that in times to come. It will be interesting to see if the rights management people come up with anything interesting.

Additional Progress in Virtual Systems

Dan Spisak says

VMWare has released a new Beta of their Fusion software for the Intel based Macs. The software now allows for DirectX version 8.1 level accelerated 3D graphics capability in virtual Windows machines now, which is a pretty huge deal. VMWare does not have support for a Coherence mode yet like Parallels right now.

Parallels finally released Version 2.5 of their Desktop for Mac software as well which has full support for Coherence mode (aka, Windows apps mixed in with OS X apps seamlessly) but no accelerated 3D graphics support yet. Parallels claims that is the next big feature they are working on, presumably Version 3.0.

Parallels can still not yet boot Vista from a Boot Camp partition, necessitating a dual install still but they claim they are working on the feature for the next version. I expect to see it come in the next public beta release at some point. Once they get that out of the way then accelerated 3D will be the next Big Thing I'm looking forward too.

All I can say right now however is that competition is a great force right now between these two companies, especially with the Leopard release of Mac OS coming up sometime in the next few months. I imagine by summertime we may have two fully featured virtual machine products with accelerated 3D support and other advanced features that will make the Mac platform the first truly versatile and flexible OS/ hardware platform for knowledge workers who want the best of both worlds.

-Dan S.

Eric Pobirs adds

Also, Microsoft's reaction to VMware was to buy Connectix, makers of VirtualPC. They've since made the entry level version a freebie and continue to upgrade the commercial version along with integrating parts of the functionality into versions of their server platforms. Recently, a MS VP suggested that one of the likely big items for Vienna, the working title for the next major Windows rev, is built-in virtualization support taking advantage of the features recently added to CPUs by both AMD and Intel. Nor is any other major OS effort leaving this potential untapped. This will all be fairly nebulous to the average PC user but present all sorts of possibilities in what will become common in a few years.

Eric

Alex, Peter, and I got excited about the coming virtualization revolution at WinHEC several years ago. It look as if that freight train is rolling fast now.

Vista and Outlook Express

I found this discussion interesting, and I expect you will also. It began with a note from Bob Thompson (Building the Perfect PC) :

Installing Office 2007 apparently borks Outlook Express 6.0 by removing all of the spell-checking files except French. There's no fix, existing or planned, and Microsoft suggests installing a third-party spell-checker. (Link here).

Eric Pobirs added:

There are potentially a lot of other apps affected. OE gets its spell-check from Office in the first place. The Office spell-check module can be called from any app that wants it, with OE just being by far the most common.

It looks like one of the differences in Vista's Mail app (really OE 7) is that it has its own spell-check built-in without needing Office installed. It looks like they managed to forget that there would be people installing Office 2007 on XP but still using OE. (For myself, I find it preferable because Outlook has a massive amount of functionality that is overkill for my simple needs and that functionality unavoidably uses more system resources. The applets in Vista come pretty close to reproducing most of Outlook but you only load the bits you want.) Or there were some changes they wanted to make in Office Spell-check that were regarded as important enough to break the relation with OE for that subset running Office 2007 on XP but not using Outlook.

This is a bit too reminiscent of the Photo Editor issue we ran into this week. That, at least, has a partial fix in that just the Photo Editor from earlier Office versions can be installed on its own. The big issue is that the direct link from the Word context menu doesn't work. The should be some way to pull the old Spell-check off earlier Office and keep it in place for OE users but it isn't going to come from Redmond by all appearances.

So what motivated the change in dictionary format? What was gained that it was worth breaking the support for apps integrating the old Office dictionaries?

Until now I hadn't noticed that Vista Mail had its own spellchecker. That brings back some old ideas about creating a dictionary standard that would bring ASCII or Unicode up to the word level. I think there are some interesting things that could be done if there were a recognized standard by which a word like 'examination' could be represented by a number requiring much less data. The overhead for this would have been excessive once but minor now. A lot of apps do this sort of thing internally already. This would just bring it to the OS for all apps to use with a cross-platform standard for the dictionaries.

Eric

That got me thinking. I replied that I do use Outlook for most everything, and only use Outlook Express to read news groups. Actually, I almost never read news groups, but I do use OE to read and reply to the Science Fiction Writers of America newsgroup. When I do, I seldom use spell checking because it has to be done explicitly — unlike in Outlook itself where I have instant spell checking including automatic correction — because, in OE the spell checking has to be done explicitly, and I forget to do it.

Eric replied

Actually, there is a check box in the Options panel that makes it automatic when you click on 'Send.' I regard it as very valuable and, as mentioned before, have long wanted spell checking to become OS level so it could be applied everywhere. Especially since web based forums have become something I use far, far more often than newsgroups. For a while I was using the freeware IE Spell but switched to the spell checker in the Google Toolbar for IE when that feature was added.

Eric

So I learned something about OE and spell checking that I didn't know, and if I didn't know it, I'll bet a lot of you don't know it either.

Babel Spam

It started with a question from Ernest Lilley (link)

I'm curious about the nonsense text spam that I often get. You know, the stuff that looks like actual writing but drifts around from topic to topic randomly.

What's its purpose? Is it address harvesting or something?

And how is it generated, and by whom? The thing is, its generally got good writing tone and there's something in our pattern searching brains that really tries to find an actual message in it.

If computers are writing it, they're getting close.

Ern

We've all seen this stuff. It appears to be random selections from Project Gutenberg for the most part. They take a random length chunk, then another, and so forth, and string them together. This generates real English sentences in good grammar, but of course none of it makes sense to a human being.

The purpose is that there's an attachment or a URL for you to visit. The URL will have a payload, and the attachment God knows what.

Eric added

It's just randomly extracted from sample text, which could come from any number of sources. Just about all of the spam I get like that includes an image for the real payload, which is the data for a stock pumping scheme. The machine readable text exists to fool spam filters.

The most recent one I've received appears to have the text made up from articles in the Business section of a newspaper site but promotes a stock in a barely legible image. No two sentences go together but the first and last may be from the same job listing.

The whole stock pumping thing seems incredibly stupid but I get a few hundred every day. Someday the image will encode the Snow Crash virus and then we'll be in real trouble.

Eric

The real problem is that this stuff is really straining the capability of my Bayesian spam filter, and it all gets past Spam Assassin (which is in use at my ISP) -- at least a LOT gets past. It is now taking me 15 minutes a day to deal with "questionable" spam that got past Assassin and got past InBoxer to the "review" stage. InBoxer does stop most from getting to my Inbox, but I still have to look at this stuff to be sure it's not a legitimate press release or mail from a reader.

Bob Thompson replied

You need better client-side filtering. Of every 100 spams that get past SpamAssassin on the server, my local filters (in Kmail) ordinarily catch 99 or 100. I had one that made it all the way through to my inbox today, but that was the first one in several days that hadn't ended up in my junk mail folder.

If I have 100 messages in my junk mail folder, it takes me maybe a minute to deal with them. Sorting by subject lets me delete them in large blocks, especially since there are often many messages with the same or very similar subjects. After that, I can delete them at the rate of maybe two a second by rapid-fire use of the delete key.

I used to use Mozilla Mail, which is also available on Windows in its SeaMonkey incarnation, and was about as good as Kmail at catching spam. Alternatively, Thunderbird Mail is also available for Windows, and also seems to be very good at catching spam.

You might also think about setting your threshold value higher for SA on the server. IIRC, you have it set to about two or three levels lower than I do, so you're going to get a lot more spam. I know you think you need to allow spamming-looking messages through for press releases and so on, but is that really necessary? Anything you really need to hear about, you'd probably hear about from us anyway.

-- Robert Bruce Thompson

He has a point. One of the main advantages of being me is that a bunch of intelligent people look for and send me unusual items they think I ought to see — without overloading me with stuff of no interest. Regarding this spam, though, we both have the same ISP, and when we looked into my Spam Assassin settings we found that my settings are the same as his. Apparently I get just a lot more of that stuff than he does.

I suppose I could just rely on my advisors, but up to now I have thought that given what I do, I have to allow a lot of press releases to get past my filter system. Perhaps I need to rethink that, but meanwhile that's another hole that the spammers can exploit. The worst of all this is that it does them no good to get their stuff into my mail box. I have Outlook set to preview all mail in Plaintext; I have the option of converting to HTML, but I only do that for mail from sources I know. I never open any of the attachments. I never look at their images. I never respond to their nonsense.

Alas, there are just enough people who do respond to keep the spammers in business — or there are enough gullible people out there who will buy "Make Millions by Sending Email!" kits and who don't get discouraged easily. Or, of course, both.

I am not at all sure what can be done here. I would certainly be willing to pay a small fee per month — say a tenth of a cent per email I send — to some service that would certify that the mail comes from me, and which would certify to me that mail sent to me comes from the person who signed it. I don't see how that will be implemented.

I continue to use InBoxer (link). It's a Bayesian system that does fairly well at sorting the really bad stuff — it has seldom put anything in the "blocked" stack that didn't belong there — and it at least questions much of this new style spam. If there's something better for my purposes I don't know about it.