These PDF tax returns might look cool, but can cause a lot of headache.
The Dutch tax service experimented with them, a few years back. I could only do my personal income returns through one of these dynamic PDFs. The results:
1. All the different "pages" in the PDF were no actual pages, you had to navigate them using on-page scripted buttons and the PDF would dynamically overwrite a "page" into the content. Result: you couldn't PRINT the document! You would only get the first page! To workaround this, you could use a report generating button built into it, but its output did not match the screen layouts and it required data validation, so you couldn't easily copy inputs or send half-filled-in stuff to the accountant for review.
2. The PDF document seemed to append anything you did to itself. If you worked with it for a long time, it grew and grew. Even if you only corrected previous input it would grow in size. At some point Adobe Reader would take minutes on open or handle a keypress. I had to start over with my tax returns once, which was a pain because of (1).
3. When a new version of Adobe Reader came out, ALL THE OLD PDF'S WERE UNOPENABLE! Apparently, some scripting inside the document could not run anymore. All that was left was the static front page of the document. Very nice if you want to fill in a new return with your old stuff as a template. I wouldn't have cared to open this garbage if I could have printed it, but nooooo!
This stuff was the worst of the worst. And all while solving a non-problem. Arguably some of these issues were caused by a bad implementation, but some of them (the new Adobe not opening them) are fundamental. I never want to touch any scripted PDF again. Fortunately our tax service abandoned them next year. I cried tears of joy.
I seriously cannot believe this. Why should the discussion focus on shooting the messenger? A developer was caught infringing on copyrights pants down. The infringement is hard to do without intent. Would you deal with such a "rogue" developer privately, or send a mail to project mailinglists (perhaps a core or dev list) which likely would be public anyway? Maybe OpenBSD would mail people privately, but can you not understand that others decide otherwise? If your developer makes these kinds of mistakes, the issue WILL be public and you WILL have to make a statement sooner or later.
Transparency on copyright issues is just as important as transparency on security. It serves as an example to all open source projects to be watchful about these issues. This is not only about OpenBSD. OpenBSD is a mature open source project and they have nothing to be insecure (huhuh) about. Sometimes OpenBSD may have exploits, sometimes it may have copyright issues. We live, we learn. Code-wise this is a small issue and it's a fixable issue, as the bc43xx developers said in their statement.
I find the approach of the bc43xx developers perfectly defendable. The first mail was clear, diplomatic, complete, and explicitly offers to work out a deal. That's more than you usually get when you infringe on someone's rights! Unfortunately, the only result of it was another episode of "the Theo Show". Even though the issue was broadcasted, the OpenBSD project still had a great immediate opportunity to contain the issue. Instead, the bc43xx developers doesn't receive much but irrational unconstructive replies, intentional misinterpretation, blaming people for OpenBSD's own developer's decisions, etcetera.
If going public with an issue is inhuman, how is turning the debate into a flamefest human? It was shameful to read. The Theo Show IS the public spectacle. Perhaps it is part of how he defines his personality. In fact, this rogue attitude seems to work for OpenBSD - OpenBSD regularly gets a lot of mainstream exposure from these kind of fights. Maybe it's what saving OpenBSD from becoming irrelevant. Well, good for them. They probably make a great OS (I use FreeBSD exclusively). It's just too bad that they haven't got a Broadcom driver.:)
Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.
It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.
I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailinglist without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.
However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.
But it could still be a hoax or a compromised site. Google cache for openlinux.org only shows the "FSI INF" text, so the front page has been put up very recently. Also, releasedetail.cfm defaults to the same story, no matter which ID is supplied.
Well, what about doing a HTTP POST to send you a free text message instead of an expensive SMS message (provided you have flat rate GPRS or something like that). Or perhaps people at work could upload some files to you that you'll need.
For a geek, it should be no problem to think of some cool applications. But I agree that it won't become mainstream fast. I don't even know if most cellphone operators provide real public IP addresses to cellphones. My operator, T-mobile, seems to, but I've never actually tried listening it on a TCP port and connecting to it from the net.
Agreed. Although it may be off topic to this discussion, I strongly prefer SIP above Skype. Skype is a closed protocol, which has several important drawbacks.
Because there are good customizable SIP products such as Asterisk, you can do much more. For instance, my Asterisk server at home has a "firewall" (caller screening), voicemail during the night hours, blocking of callers without caller ID (goes to voicemail), waiting music, hooks for shellscripts (sends me SMS at some events), queues et cetera. I don't see Skype offering a scripting engine, so Skype's limited to the advanced features they are willing to implement.
Second, the Skype protocol locks you in to their service. If you go with SIP, you can choose from various SIP providers. This enables competition, as you can "shop" for the cheapest deals. For instance, I get my incoming landline calls through a dutch service which offers a "prepaid" dial-in number, with credits that don't time out like Skype does. This party is a bit more expensive for outgoing phone calls, so I route my outgoing calls through sipdiscount.com who offer free landline calls to many countries. If they are unstable, I can simply choose another SIP proxy. If Skype is down, you are out of luck.
With SIP, regardless of your SIP provider choice, if you have a static IP address or dynamic DNS name, you can always accept free calls from any peer on the Internet. You'll always be able to make Internet calls for free and nobody can take that away from you.
One problem of SIP is that it doesn't work with NAT easily; you have to have some UDP ports open, which many common home routers don't allow. At the other hand Skype seemed to work instantly behind a NAT.
A hosting customer sent a press release to major dutch media, of course with everybody, role accounts, some personal addresses, in the To. Then the mailserver of some publishing company started looping on the message, resending it thousands of times to all recipients. It took the administrator of the borked server DAYS to resolve this!
Meanwhile, recipients' mailboxes were overflowing, bounces clogged our virus scanner, and press people were constantly calling in threatening the author and us (hoster of the domain in 'From') with legal action and blacklisting if WE wouldn't stop sending these damn messages. I understand the massive mail bomb did quite some damage to the message author's credibility.
Nice to see I'm not alone in my experience with this great product!
I have been fairly cautious about 5.x. We maintain a customized install image for our servers, and I've waited until march this year to switch to 5.x.
I would say that everything from 5.2 and higher is stable for all normal purposes. I have a 64bit Sparc running on 5.2-RC2 and its uptime is 347 days. It handles 3-4 Mbit/s of web traffic with no problem and I never had to look at it after the initial install. All our other machines are running 5.x as well.
But under extreme load, 5.x still has some lingering locking problems. We have a small number of loaded managed servers for a porn hoster which are stuck on 4.x because of strange lockups when huge amounts of processes are created. So far we haven't had any luck in getting rid of this problem. We are not seeing it on any other machines fortunately.
The poster mentioned that he used OpenNIC which is an alternative DNS root. It is proper HTTP, but a transparent proxy that does not "see" domains in this namespace effectively block you from viewing webpages under this domain.
His own box is properly configured to do OpenNIC lookups, but the HTTP request to the (proper) webserver gets intercepted. Now the proxy has to do the real HTTP request, but the proxy does not know about the alternative domains and probably returns a "Host not found" error.
I haven't heard of free proxy servers supporting one of the alternative NICs and I doubt the ISP will be interesting in subscribing to such a service. I guess the only solution will be to convince a friend to set up a proxy on a box someplace else.
Some alternative roots have their own "real" Internet domain which acts as a gateway domain, for instance name.space has http://name.space.xs2.net/ (regular hostname) which enables non-subscribers to view http://name.space/ (namespace only), making the domains available globally. If OpenNIC provides such a service, an alternative solution could be to run some proxy at home and let it rewrite OpenNIC urls into "regular" URLs.
I agree that NAI has brought the demise of this product upon themselves. This product was destined to be a killer app, but they have not given it a proper chance.
They have never marketed it properly to the corporate world. Except for us geeks, who knows about it? Surely the underlying concepts of cryptography will never be well-known, but they haven't even tried to push the feeling "PGP makes my email secure". (This marketing goal is feasible; compare it to the majority that thinks "Linux is secure!")
To make it worse, NAI effectively denied the existence of a consumer market. In fact, in my area (Netherlands) it was not possible to buy PGP 7 as an end-user until end 2001 (I gave up trying then). No web shop for Europe, so no impulse purchases. NAI's dutch branch only sold the obsolete 6.x version; does a geek want to spend their money on a (flawed) old version? I know several other people in my area who were willing to buy a copy but failed. If this sample is representative for NAI's overall policy I can imagine why they could not "excel" in this market.
I hardly feel sorry for NAI, they have made serious mistakes and the lack of revenue and market share is a logical result. Although NAI effectively destroyed PGP's credibility, PGP (even their PGP application suite) still has a lot of potential and even now NAI could be able to clean up their act; they have a good working set of applications which can easily be adapted to all ages and markets!
To see this valuable product moved into maintenance mode is a big shame. I wonder who will jump in to fill the hole they left.
What puzzles me most is - why hasn't Microsoft Corp. made an offer to buy the PGP technology?
Slashdot Mirror
These PDF tax returns might look cool, but can cause a lot of headache.
The Dutch tax service experimented with them, a few years back. I could only do my personal income returns through one of these dynamic PDFs. The results:
1. All the different "pages" in the PDF were no actual pages, you had to navigate them using on-page scripted buttons and the PDF would dynamically overwrite a "page" into the content. Result: you couldn't PRINT the document! You would only get the first page! To workaround this, you could use a report generating button built into it, but its output did not match the screen layouts and it required data validation, so you couldn't easily copy inputs or send half-filled-in stuff to the accountant for review.
2. The PDF document seemed to append anything you did to itself. If you worked with it for a long time, it grew and grew. Even if you only corrected previous input it would grow in size. At some point Adobe Reader would take minutes on open or handle a keypress. I had to start over with my tax returns once, which was a pain because of (1).
3. When a new version of Adobe Reader came out, ALL THE OLD PDF'S WERE UNOPENABLE! Apparently, some scripting inside the document could not run anymore. All that was left was the static front page of the document. Very nice if you want to fill in a new return with your old stuff as a template. I wouldn't have cared to open this garbage if I could have printed it, but nooooo!
This stuff was the worst of the worst. And all while solving a non-problem. Arguably some of these issues were caused by a bad implementation, but some of them (the new Adobe not opening them) are fundamental. I never want to touch any scripted PDF again. Fortunately our tax service abandoned them next year. I cried tears of joy.
To guard their citizens against these virus threats, the Chinese government should create a giant firewall and put all their machines behind it!
Oh wait...
I seriously cannot believe this. Why should the discussion focus on shooting the messenger? A developer was caught infringing on copyrights pants down. The infringement is hard to do without intent. Would you deal with such a "rogue" developer privately, or send a mail to project mailinglists (perhaps a core or dev list) which likely would be public anyway? Maybe OpenBSD would mail people privately, but can you not understand that others decide otherwise? If your developer makes these kinds of mistakes, the issue WILL be public and you WILL have to make a statement sooner or later.
:)
Transparency on copyright issues is just as important as transparency on security. It serves as an example to all open source projects to be watchful about these issues. This is not only about OpenBSD. OpenBSD is a mature open source project and they have nothing to be insecure (huhuh) about. Sometimes OpenBSD may have exploits, sometimes it may have copyright issues. We live, we learn. Code-wise this is a small issue and it's a fixable issue, as the bc43xx developers said in their statement.
I find the approach of the bc43xx developers perfectly defendable. The first mail was clear, diplomatic, complete, and explicitly offers to work out a deal. That's more than you usually get when you infringe on someone's rights! Unfortunately, the only result of it was another episode of "the Theo Show". Even though the issue was broadcasted, the OpenBSD project still had a great immediate opportunity to contain the issue. Instead, the bc43xx developers doesn't receive much but irrational unconstructive replies, intentional misinterpretation, blaming people for OpenBSD's own developer's decisions, etcetera.
If going public with an issue is inhuman, how is turning the debate into a flamefest human? It was shameful to read. The Theo Show IS the public spectacle. Perhaps it is part of how he defines his personality. In fact, this rogue attitude seems to work for OpenBSD - OpenBSD regularly gets a lot of mainstream exposure from these kind of fights. Maybe it's what saving OpenBSD from becoming irrelevant. Well, good for them. They probably make a great OS (I use FreeBSD exclusively). It's just too bad that they haven't got a Broadcom driver.
Scale matters. But control matters too. This is not like the spam problem where the cooperation of thousands of entities with different motives would be necessary to prevent abuse. The service is controlled by a single party that can make changes easily.
It would be very easy for Google to implement a verification mechanism. An automated system could simply ring any added Caller ID number and verbally present a verification code (or ask for a response). If a user can answer a certain number, it's not unreasonable to assume that they could also originate regular calls from that number. In the worst case, it still ties the user to an organization or physical location.
I agree with Weinstein that verification really should be a standard feature. Whoever runs even a simple mailinglist without user verification is considered a spammer these days; the ideas are not new. So it's fair to expect Google to carry out this verification.
However, Google is known for technological innovation so I'm not turning off my phone just yet. They'll probably fix it. Of course, a little public attention may help if they seem unresponsive.
I don't think that the nameserver has been compromised. The site has always been at the same IP address. See its history at: http://toolbar.netcraft.com/site_report?url=http:/ /www.openlinux.org
But it could still be a hoax or a compromised site. Google cache for openlinux.org only shows the "FSI INF" text, so the front page has been put up very recently. Also, releasedetail.cfm defaults to the same story, no matter which ID is supplied.
Well, what about doing a HTTP POST to send you a free text message instead of an expensive SMS message (provided you have flat rate GPRS or something like that). Or perhaps people at work could upload some files to you that you'll need.
For a geek, it should be no problem to think of some cool applications. But I agree that it won't become mainstream fast. I don't even know if most cellphone operators provide real public IP addresses to cellphones. My operator, T-mobile, seems to, but I've never actually tried listening it on a TCP port and connecting to it from the net.
SePo!!!!
Agreed. Although it may be off topic to this discussion, I strongly prefer SIP above Skype. Skype is a closed protocol, which has several important drawbacks.
Because there are good customizable SIP products such as Asterisk, you can do much more. For instance, my Asterisk server at home has a "firewall" (caller screening), voicemail during the night hours, blocking of callers without caller ID (goes to voicemail), waiting music, hooks for shellscripts (sends me SMS at some events), queues et cetera. I don't see Skype offering a scripting engine, so Skype's limited to the advanced features they are willing to implement.
Second, the Skype protocol locks you in to their service. If you go with SIP, you can choose from various SIP providers. This enables competition, as you can "shop" for the cheapest deals. For instance, I get my incoming landline calls through a dutch service which offers a "prepaid" dial-in number, with credits that don't time out like Skype does. This party is a bit more expensive for outgoing phone calls, so I route my outgoing calls through sipdiscount.com who offer free landline calls to many countries. If they are unstable, I can simply choose another SIP proxy. If Skype is down, you are out of luck.
With SIP, regardless of your SIP provider choice, if you have a static IP address or dynamic DNS name, you can always accept free calls from any peer on the Internet. You'll always be able to make Internet calls for free and nobody can take that away from you.
One problem of SIP is that it doesn't work with NAT easily; you have to have some UDP ports open, which many common home routers don't allow. At the other hand Skype seemed to work instantly behind a NAT.
Alternatively, if you have a PocketPC PDA, you can run the freeware SIP phone SJPhone on it. Also works great with Asterisk.
Ha! Ha! I have seen this bug in action too.
A hosting customer sent a press release to major dutch media, of course with everybody, role accounts, some personal addresses, in the To. Then the mailserver of some publishing company started looping on the message, resending it thousands of times to all recipients. It took the administrator of the borked server DAYS to resolve this!
Meanwhile, recipients' mailboxes were overflowing, bounces clogged our virus scanner, and press people were constantly calling in threatening the author and us (hoster of the domain in 'From') with legal action and blacklisting if WE wouldn't stop sending these damn messages. I understand the massive mail bomb did quite some damage to the message author's credibility.
Nice to see I'm not alone in my experience with this great product!
I have been fairly cautious about 5.x. We maintain a customized install image for our servers, and I've waited until march this year to switch to 5.x. I would say that everything from 5.2 and higher is stable for all normal purposes. I have a 64bit Sparc running on 5.2-RC2 and its uptime is 347 days. It handles 3-4 Mbit/s of web traffic with no problem and I never had to look at it after the initial install. All our other machines are running 5.x as well. But under extreme load, 5.x still has some lingering locking problems. We have a small number of loaded managed servers for a porn hoster which are stuck on 4.x because of strange lockups when huge amounts of processes are created. So far we haven't had any luck in getting rid of this problem. We are not seeing it on any other machines fortunately.
It is 2 April here, you insensitive clod!!
No Ctrl-Alt-Backspace to zap the X-server
That was the first thing I googled after switching over a workstation to Solaris. This blog post may be helpful.
If I recall correctly, FreeBSD also uses this strategy when the kernel is compiled with ADAPTIVE_MUTEXES which is now the default in 5.3.
The poster mentioned that he used OpenNIC which is an alternative DNS root. It is proper HTTP, but a transparent proxy that does not "see" domains in this namespace effectively block you from viewing webpages under this domain.
His own box is properly configured to do OpenNIC lookups, but the HTTP request to the (proper) webserver gets intercepted. Now the proxy has to do the real HTTP request, but the proxy does not know about the alternative domains and probably returns a "Host not found" error.
I haven't heard of free proxy servers supporting one of the alternative NICs and I doubt the ISP will be interesting in subscribing to such a service. I guess the only solution will be to convince a friend to set up a proxy on a box someplace else.
Some alternative roots have their own "real" Internet domain which acts as a gateway domain, for instance name.space has http://name.space.xs2.net/ (regular hostname) which enables non-subscribers to view http://name.space/ (namespace only), making the domains available globally. If OpenNIC provides such a service, an alternative solution could be to run some proxy at home and let it rewrite OpenNIC urls into "regular" URLs.
I agree that NAI has brought the demise of this product upon themselves. This product was destined to be a killer app, but they have not given it a proper chance.
They have never marketed it properly to the corporate world. Except for us geeks, who knows about it? Surely the underlying concepts of cryptography will never be well-known, but they haven't even tried to push the feeling "PGP makes my email secure". (This marketing goal is feasible; compare it to the majority that thinks "Linux is secure!")
To make it worse, NAI effectively denied the existence of a consumer market. In fact, in my area (Netherlands) it was not possible to buy PGP 7 as an end-user until end 2001 (I gave up trying then). No web shop for Europe, so no impulse purchases. NAI's dutch branch only sold the obsolete 6.x version; does a geek want to spend their money on a (flawed) old version? I know several other people in my area who were willing to buy a copy but failed. If this sample is representative for NAI's overall policy I can imagine why they could not "excel" in this market.
I hardly feel sorry for NAI, they have made serious mistakes and the lack of revenue and market share is a logical result. Although NAI effectively destroyed PGP's credibility, PGP (even their PGP application suite) still has a lot of potential and even now NAI could be able to clean up their act; they have a good working set of applications which can easily be adapted to all ages and markets!
To see this valuable product moved into maintenance mode is a big shame. I wonder who will jump in to fill the hole they left.
What puzzles me most is - why hasn't Microsoft Corp. made an offer to buy the PGP technology?