I have 4 external 1920x1200 displays connected to my Lenovo Thinkpad X220 Tablet PC, via Diamond DisplayLink based USB adapters.
When I power the besat up, not just cold start, but also, most annoyingly, warm start, from Hibernate (Suspend to Disk) or Suspwend (to RAM) power down modes, it engages in excessive flashing.
The screen blanks and redisplays 15 times!!!
Quite annoying.
Continuing http://andyglew.blogspot.com/2011/12/multiple-displays-on-windows-7-good-but.html
Monday, December 12, 2011
Sunday, December 11, 2011
Lifehack: Binder Clips help Debug Chistmas Lights
Fixing Christmas lights today.
Figured out the binary search approach - e.g. as described by http://www.squidoo.com/howto-fix-broken-christmas-lights#module12970984.
My own embellishment: I find it hard to track where I am in checking the Christmas lights, and/or strand continuity. Even leaving empty sockets behind doesn't help that much, since the empty sockets are hard to see. And since I have a small work space, so had to fold the string of lights back on itself 3 times.
So I marked my position with binder clips. I happened to have at least 4 colours of binder clip. I used four clips to dedfine the boundaries of the interval where I was searching for a duff lightbulb - two clibs at each boundary. Two clips at each boundary because, given the folding ofg the string of lights, it became hard to tell which direction was towards the end, and which inside the interval. So I used two colours of binder clip at each end.
Figured out the binary search approach - e.g. as described by http://www.squidoo.com/howto-fix-broken-christmas-lights#module12970984.
My own embellishment: I find it hard to track where I am in checking the Christmas lights, and/or strand continuity. Even leaving empty sockets behind doesn't help that much, since the empty sockets are hard to see. And since I have a small work space, so had to fold the string of lights back on itself 3 times.
So I marked my position with binder clips. I happened to have at least 4 colours of binder clip. I used four clips to dedfine the boundaries of the interval where I was searching for a duff lightbulb - two clibs at each boundary. Two clips at each boundary because, given the folding ofg the string of lights, it became hard to tell which direction was towards the end, and which inside the interval. So I used two colours of binder clip at each end.
Thursday, December 08, 2011
A Modest 1 bit Proposal about Quotification - making the Default Easy
Listening to an old "Security Now" podcast while doing my morning stretches.
Leo Laporte's TWIT website was hacked, and Steve Gibson, the Security Guy, says "Any time you are soliciting user input, there is a risk of malicious input somehow tricking the backend and executing that input, when it is meant to be, you know, benign [input data, like] user name and password.".
This is typical of the classic SQL injection hack, and, indeed, of any hack where the attacker is able to inject scripting code and fool the backend into executing it. Typically by embedding quotes or the like in the input string.
(For that matter, Steve's description also applies to binary injection via buffer overflow. But we won't go there; this page will talk only about non-buffer-overflow attacks, sijnce we have elsewhere described our agenda for preventing buffer overflow attacks.)
Say that you are talking user input like NAME, and are somehow using it to create an SQL or other language command, like "SELECT FIELDLIST FROM TABLE WHERE NAME = '$NAME' ". But now the attacker, instead of providing a nicely formed string like "John Doe", provides instead something like "anything' OR 'x' = 'x ". (I added spaces between the single and double quotes for readability.) I.e. the user provides a string that contains quotes in the target language - not the language where the query string is composed, but a language further along. So the query string becomes "SELECT FIELDLIST FROM TABLE WHERE NAME = 'anything' OR 'x' = 'x' ". And now the query matches any row in the table. (http://www.unixwiz.net/techtips/sql-injection.html provides examples, as does wikip[edia.).
The general solution to this is "quotification": take the user input, and either delete or quote anything that looks like a quote in the target language:. E.g. transform the attacker's string "anything' OR 'x' = 'x " into either "anything OR x = x " or "anything\' OR \'x\' = \'x ".
The problem with deleting stuff from the user string is that sometimes the user is supposed to have quotelike things. Consider names like "O'Toole". Or consider prioviding, e.g. via cut and paste, Chinese unicode names in an application whose original programmer was English, but where the system is otherwise capable of displaying Chinese. It is a pity if the barrier to internationalizaion is the "security" code scattered throughout your application that santizes user input. Worse, that is the sort of code that might get fixed by somebody who fixing internationalization problems who doesn't understand the security issues
The problem with quotifiying stuff is that it is hard. It is not just a case, for you Perl afficionadoes, of doing s/'/\/g - what about input strings that already have \\' inside them? And so on.
But the real problem, applicable to both deleting and quotification strategies, is that the code doing the user input sanitization does not necessarily know the syntax of all of the languages downstream. It may know that there is SQL along the way - but it may not know that somebody has just added a special filter that looks for French quotes, << and >>. Etc. Not just special symbols: I have defined sublanguages where QuOtE and EnDqUoTe were the quotes.
The security code may know the syntax at the time the sanitization code was written. But the downstream processing may have changed. The syntax of the language may have been extended, in a new revision of the SQL or Perl or ... . (I found a bug like that last year.)
The problem is that the user input santization code is trying to transform user input from strings that may be unsafe, to strings that are guaranteed to be safe forever and ever, no matter what revisions are made to the language, etc. The problem is that the default for character strings is that ANY CHARCATER MAY BE PART OF A COMMAND unless specially quoted.
We need to change this default. Here is my moldest proposal:
Let us define a character set whereby there is a special bit free in all characters. And whereby, if that special bit is set, it is guaranteed by ANY REASONABLE LANGUAGE that no character with that special bit set will be part of any command or language syntax like a quote symbol.
We should strongly suggest, that the visual display for the characters with and without the special bit set is the same. Or at least, the same in most situations - in others you may want to distinguish them, e.g., by shading.
.
If you are using something like BNF to describe your language, then it might be:
ORDINARY_CHARACTER ::== 'A' | 'B' | ...
TAINTED_CHARACTER ::== 1'A' | 1'B' | ...
POSSIBLY_TAINTED_CHARACTER ::= ORDINARY_CHARACTER | TAINTED_CHARACTER
where I am using the syntax 1'A' to describe a single character literal. with the special bit set.
STRING_LITERAL := QUOTED_STRING | TAINTED_STRING
TAINTED_STRING ::= TAINTED_CHARACTER+
QUOTED_STRING ::= " CHARACTER* "
(Actually, I am not sure whether a quoted string should be the abnove, or
QUOTED_STRING ::= " POSSIBLY_TAINTED_CHARACTER* "
)
Leo Laporte's TWIT website was hacked, and Steve Gibson, the Security Guy, says "Any time you are soliciting user input, there is a risk of malicious input somehow tricking the backend and executing that input, when it is meant to be, you know, benign [input data, like] user name and password.".
This is typical of the classic SQL injection hack, and, indeed, of any hack where the attacker is able to inject scripting code and fool the backend into executing it. Typically by embedding quotes or the like in the input string.
(For that matter, Steve's description also applies to binary injection via buffer overflow. But we won't go there; this page will talk only about non-buffer-overflow attacks, sijnce we have elsewhere described our agenda for preventing buffer overflow attacks.)
Say that you are talking user input like NAME, and are somehow using it to create an SQL or other language command, like "SELECT FIELDLIST FROM TABLE WHERE NAME = '$NAME' ". But now the attacker, instead of providing a nicely formed string like "John Doe", provides instead something like "anything' OR 'x' = 'x ". (I added spaces between the single and double quotes for readability.) I.e. the user provides a string that contains quotes in the target language - not the language where the query string is composed, but a language further along. So the query string becomes "SELECT FIELDLIST FROM TABLE WHERE NAME = 'anything' OR 'x' = 'x' ". And now the query matches any row in the table. (http://www.unixwiz.net/techtips/sql-injection.html provides examples, as does wikip[edia.).
The general solution to this is "quotification": take the user input, and either delete or quote anything that looks like a quote in the target language:. E.g. transform the attacker's string "anything' OR 'x' = 'x " into either "anything OR x = x " or "anything\' OR \'x\' = \'x ".
The problem with deleting stuff from the user string is that sometimes the user is supposed to have quotelike things. Consider names like "O'Toole". Or consider prioviding, e.g. via cut and paste, Chinese unicode names in an application whose original programmer was English, but where the system is otherwise capable of displaying Chinese. It is a pity if the barrier to internationalizaion is the "security" code scattered throughout your application that santizes user input. Worse, that is the sort of code that might get fixed by somebody who fixing internationalization problems who doesn't understand the security issues
The problem with quotifiying stuff is that it is hard. It is not just a case, for you Perl afficionadoes, of doing s/'/\/g - what about input strings that already have \\' inside them? And so on.
But the real problem, applicable to both deleting and quotification strategies, is that the code doing the user input sanitization does not necessarily know the syntax of all of the languages downstream. It may know that there is SQL along the way - but it may not know that somebody has just added a special filter that looks for French quotes, << and >>. Etc. Not just special symbols: I have defined sublanguages where QuOtE and EnDqUoTe were the quotes.
The security code may know the syntax at the time the sanitization code was written. But the downstream processing may have changed. The syntax of the language may have been extended, in a new revision of the SQL or Perl or ... . (I found a bug like that last year.)
The problem is that the user input santization code is trying to transform user input from strings that may be unsafe, to strings that are guaranteed to be safe forever and ever, no matter what revisions are made to the language, etc. The problem is that the default for character strings is that ANY CHARCATER MAY BE PART OF A COMMAND unless specially quoted.
We need to change this default. Here is my moldest proposal:
Let us define a character set whereby there is a special bit free in all characters. And whereby, if that special bit is set, it is guaranteed by ANY REASONABLE LANGUAGE that no character with that special bit set will be part of any command or language syntax like a quote symbol.
We should strongly suggest, that the visual display for the characters with and without the special bit set is the same. Or at least, the same in most situations - in others you may want to distinguish them, e.g., by shading.
.
If you are using something like BNF to describe your language, then it might be:
ORDINARY_CHARACTER ::== 'A' | 'B' | ...
TAINTED_CHARACTER ::== 1'A' | 1'B' | ...
POSSIBLY_TAINTED_CHARACTER ::= ORDINARY_CHARACTER | TAINTED_CHARACTER
where I am using the syntax 1'A' to describe a single character literal. with the special bit set.
STRING_LITERAL := QUOTED_STRING | TAINTED_STRING
TAINTED_STRING ::= TAINTED_CHARACTER+
QUOTED_STRING ::= " CHARACTER* "
(Actually, I am not sure whether a quoted string should be the abnove, or
QUOTED_STRING ::= " POSSIBLY_TAINTED_CHARACTER* "
)
And we require that the only place where the possibly tainted characters with the tainted bit set are ONLY permitted in strings. Nowhere else in the language. Not in keywords, symbols, operators....
Then we just have to ensure that all of our input routines set the special bit. If you really need to form operators, the programmer can untaint the data expliocitly. Btter to have to untaint explicitly in a few p[laces, than to have to quotify correctly in all places.
Perhaps better to make taintimg the default. To flip the polarity of the special bit. And to require that language syntax, keywords, etcv., be set only if the special bit is set.
This is just the well known taint or poison propagation strategy. Exposed to programming language syntax definitions.
I have elsewhere espoused taking advantage of extensible XML syntax for programming languages. This is similar, although orthogonal.
- wi8ki'ed at http://wiki.andy.glew.ca/wiki/A_Modest_1_bit_Proposal_about_Quotification_-_making_the_Default_Easy
- as well as posted on my blog
Wednesday, December 07, 2011
Multiple Displays on Windows 7... Good, but...
I love the DisplayLink USB display adapters that let my piddling little tablet PC drive 4 1920x1200 external monitors.
However, many, umm, irregularities happen with Windows 7 support and/or the display or device drivers.
Earlier today, and for weeks if not months, I have been able ti have 5 displays - my laptop/tablet PC's built in LCD, and my 4 external displays.
However, I went into hibernation while travelling from home to work (where I did not use the PC) and back to home again.
And when I woke up, I cannot get my laptop built in display to work, when the external displays are plugged. Sure, it works when they are not plugged in; but when they are plugged in, the laptop built in display gets "blackened" in the Orientation box.
Just yet another Windows 7 strangeness.
However, many, umm, irregularities happen with Windows 7 support and/or the display or device drivers.
Earlier today, and for weeks if not months, I have been able ti have 5 displays - my laptop/tablet PC's built in LCD, and my 4 external displays.
However, I went into hibernation while travelling from home to work (where I did not use the PC) and back to home again.
And when I woke up, I cannot get my laptop built in display to work, when the external displays are plugged. Sure, it works when they are not plugged in; but when they are plugged in, the laptop built in display gets "blackened" in the Orientation box.
Just yet another Windows 7 strangeness.
Saturday, December 03, 2011
Organization and time management, technology for
I felt inspired to start writing this. More like collecting.
Human handwritten proofreading marks
http://creativeservices.iu.edu/resources/guide/marks.shtml has a nice collection of human proofreading marks.
Some are irrelevant to pen or touch tablet computers - why mark that a period should inserted, when you can just do it?
But some might be usefully considered for use as commands in a pen driven text editing system
Possibly also for depiction of edits and revisions.
Some are irrelevant to pen or touch tablet computers - why mark that a period should inserted, when you can just do it?
But some might be usefully considered for use as commands in a pen driven text editing system
Possibly also for depiction of edits and revisions.
Organization Tools, Evolution of
I am fascinated, or at least interested, in tools for organization, scheduling. Time management. Filing.
American schools say "Time management skills are the most important thing you have to learn in high school to be prepared for success in college." But, as far as I know, nobody actually teaches techniques for organization and scheduling.
Perhaps one of the reasons I am fascinated by this is that it does not come naturally to me. But, as a result, I have studied it, and my career as a computer programmer and computer architect is really all about organization and scheduling. Albeit for computers, not people.
My whole career has been about scheduling for computers. First software operating system schedulers, in particular real time schedulers. Then hardware OOO CPU schedulers.
But I remain interested in scheduling and organization in many different aspects: computerzs, factories (JIT and kanban), people (organizers, PDAs, DayTimers, etc.)
It is quite interesting to see how organizing tools for people have evolved. I probably need to convert this into a wiki post so that I can evolve it. http://wiki.andy.glew.ca/wiki/Organization,_technology,_evolution_of
First paper, and now on computer.
In paper:
Duotangs
Three ring folders.
Tracker-keepr --- I just learned from a friend how this tracker/keeper system for holding papers together became popular for elementary and high school kids in the US in the 1980s. Essentially plastic sheets that folded to provide an envelope out of which is was hard for things to fall.
Three ring folders have made a comeback in my daughter's
school, but with zippers around them.
Staples
Paper clips.
A famous engineering author explains how, prior to paper clips and stables, people used straight pins.
American schools say "Time management skills are the most important thing you have to learn in high school to be prepared for success in college." But, as far as I know, nobody actually teaches techniques for organization and scheduling.
Perhaps one of the reasons I am fascinated by this is that it does not come naturally to me. But, as a result, I have studied it, and my career as a computer programmer and computer architect is really all about organization and scheduling. Albeit for computers, not people.
My whole career has been about scheduling for computers. First software operating system schedulers, in particular real time schedulers. Then hardware OOO CPU schedulers.
But I remain interested in scheduling and organization in many different aspects: computerzs, factories (JIT and kanban), people (organizers, PDAs, DayTimers, etc.)
It is quite interesting to see how organizing tools for people have evolved. I probably need to convert this into a wiki post so that I can evolve it. http://wiki.andy.glew.ca/wiki/Organization,_technology,_evolution_of
First paper, and now on computer.
In paper:
Duotangs
Three ring folders.
Tracker-keepr --- I just learned from a friend how this tracker/keeper system for holding papers together became popular for elementary and high school kids in the US in the 1980s. Essentially plastic sheets that folded to provide an envelope out of which is was hard for things to fall.
Three ring folders have made a comeback in my daughter's
school, but with zippers around them.
Staples
Paper clips.
A famous engineering author explains how, prior to paper clips and stables, people used straight pins.
School websites
School websites sound like a good thing: use your browser to keep track of your kid's school, homework assignments, etc.
In reality, it turns into a mess unless the website is organized. And teachers are not necessarily good website architects[*].
The school may have a website. Good. In a content management system like Drupal. Okay. With pages for every class, a news system, etc. Not so bad.
But then some teachers may use a separate Moodle.
And some other teachers may use a separate Google Apps or Google Sites site,.
So, for class #1 you have to go to the Drupal site. For class #2 you have to go to the Moodle. For class #3, the homework is posted on the Google Sites site, but there's some background info on the Moodle. And, oh yes, still other stuff on the Drupal.
AAARGH!!!! I can't remember which webtool - Drupal, Moodle, Google Sites - to use for any particular class. Yes, I may be a Luddite parent - but I am a reasonably web.savvy Luddite parent.
And it's not just me, the Luddite parent, who finds this confusing. The students do too. Not just my kid: I have had a teacher complain to me that this teacher keeps telling the class to use the Google Sites site for the class, but the students never seem to understand. Could it be because this teacher is their only teacher using Google Sites instead of Drupal or Moodle, and the kids naturally look to one place? Perhaps if this teacher created a class page in standard place on the Drupal or Moodle page, and linked to the Google Sites site for his class? It might also help the Luddite parents.
Note that above at the [*] I decided to say "website architect" or "website organizer" rather than "website designer". Website designers, at least the not so good ones, often concentrate on visual flashy effects. School websites have plenty of that. What they seem to lack is organization, or architecture.
Note: it's not just a question of installing a new content management system. They already have more than enough. Note that I am not saying "too many" - I am saying "more than enough". I am not against using different CMSes. But, if you do, you need to link them together, so you can get from one to the other.
---
Here is a dream, a suggestion a modest proposal for school websites:
(0) Have a front end, in whatever CMS you want. Drupal, say.
(1) Allow the teachers to create sites in whatever other CMSes they insist on using. Moodle. Google Sites. Whatever.
(2) But insist that there be a classroom page created on the front end site (Drupal, in this example). If nothing else, it should point to where on the other CMSes the real classroom contents.
Note that I don't mean just with text saying "some teachers use the Moodle or other tools". Which basically means that you have to figure out how to get there on your own. No, I mean a real, clickable, link to that other site. If you can't create a link into that other site, well... (IMHO that's the only reason to forbid using a different tool.)
In reality, it turns into a mess unless the website is organized. And teachers are not necessarily good website architects[*].
The school may have a website. Good. In a content management system like Drupal. Okay. With pages for every class, a news system, etc. Not so bad.
But then some teachers may use a separate Moodle.
And some other teachers may use a separate Google Apps or Google Sites site,.
So, for class #1 you have to go to the Drupal site. For class #2 you have to go to the Moodle. For class #3, the homework is posted on the Google Sites site, but there's some background info on the Moodle. And, oh yes, still other stuff on the Drupal.
AAARGH!!!! I can't remember which webtool - Drupal, Moodle, Google Sites - to use for any particular class. Yes, I may be a Luddite parent - but I am a reasonably web.savvy Luddite parent.
And it's not just me, the Luddite parent, who finds this confusing. The students do too. Not just my kid: I have had a teacher complain to me that this teacher keeps telling the class to use the Google Sites site for the class, but the students never seem to understand. Could it be because this teacher is their only teacher using Google Sites instead of Drupal or Moodle, and the kids naturally look to one place? Perhaps if this teacher created a class page in standard place on the Drupal or Moodle page, and linked to the Google Sites site for his class? It might also help the Luddite parents.
Note that above at the [*] I decided to say "website architect" or "website organizer" rather than "website designer". Website designers, at least the not so good ones, often concentrate on visual flashy effects. School websites have plenty of that. What they seem to lack is organization, or architecture.
Note: it's not just a question of installing a new content management system. They already have more than enough. Note that I am not saying "too many" - I am saying "more than enough". I am not against using different CMSes. But, if you do, you need to link them together, so you can get from one to the other.
---
Here is a dream, a suggestion a modest proposal for school websites:
(0) Have a front end, in whatever CMS you want. Drupal, say.
(1) Allow the teachers to create sites in whatever other CMSes they insist on using. Moodle. Google Sites. Whatever.
(2) But insist that there be a classroom page created on the front end site (Drupal, in this example). If nothing else, it should point to where on the other CMSes the real classroom contents.
Note that I don't mean just with text saying "some teachers use the Moodle or other tools". Which basically means that you have to figure out how to get there on your own. No, I mean a real, clickable, link to that other site. If you can't create a link into that other site, well... (IMHO that's the only reason to forbid using a different tool.)
---
More on the same lines: Use dates, so that stale data does not keep rising to the top.
I keep clicking to links and URLs that say stuff like "Fourth Grade Science". But it turns out that it was 4th grade science for 2008. Or last years' class. Or ...
A page identifier like "4th grade science" is really a floating identifier. At any particular time it should point to something like "4th grade science 2011-2012". Every year, it should be updated.
I'm quite happy to have the old years' stuff remain on the website(s). It's nice to look at. But, I don't like it getting in my way when I am looking for this year's stuff.
---
Perhaps "News" should expire after a while?
I.e. I am not at all sure that class presentations for history class from two years ago are still "News". More like "Olds". Again, useful for reference, but a time waster when I, am a parent, am trying to find what is really new at my child's school website.
---
In my dreams: wouldn't it be nice to have a page you or your child could log into, that contained links to the particular class webpages for all the classes your child is taking?
Actually, my effort to do that myself - to create a wiki/Evernote/whatever page, pointing to all of the key information on my child's school website - is what inspired this post. It's darned frustrating finding it.
---
Hypertext systems like the web have great potential. But they are a pain to use if disorganized.
It's hard to keep them organized.
Search engines like Google are the saving grace for the real web. But Google is not allowed to index a school website with possibly sensitive information. Most CMSes have their own search, but when you have multiple CMSes, this doesn't help much.
It would be nice if each school ran its own private Google indexer on its various websites and CMSes. (Hmm, Google, maybe that would be a nice public service? Or are you hell bent on getting as many schools as possible to use Google Sites and Apps, giving non-Google Drupal and Moodle the cold shoulder?)
But even if there was decent search for school websites, some modicum of organization is desirable. I think what I suggest is pretty basic: (1) All class webpages in a fixed place, linking to whatever other websites or services the teacher chooses to use. (2) With dated content content, and floating labels - ("4th grade science 2008-9" versus "This year's 4th grade science".)
===
Nothing that I say here is specific to schools. This is just good website design - or should I say "architecture" - for a heterogeneous system.
Nothing that I say here is critical of school IT. School IT just sets up the system - the teachers provide the content. The only slight criticism is that IT should enforce the very minimal standards that I suggest. Perhaps school IT should set up the default classroom pages on the primary website. Teachers should be responsible for linking to whatever other non-standard website technology they choose to use.
===
I just had a thought about why this schizophrenia arises aty school websites.
Teachers are often not the most sophisticated web.users, whether in their own college days, or afterwards.
In college, teachers probably used whatever their university IT department provided. And university IT departments are often pretty good, in particular good at providing services to unsophisticated users (faculty and students)
But different universities have different CMSes. Some use Drupal, some Moodle, Google Apps and Google Sites increasingly common.
So a newly graduated teacher is used to whatever they used at school. And is also used to having reasonably good IT support.
But when they start teaching at a K-12 school, you get teachers who graduated from different university programs, each used to different CMSes. And they all want to use what they are familiar with. Moreover, the K-12 school IT, although perfectly competent, is NOT as fledged as that of a university IT department.
I am sure that large school districts enforce website standards: e.g. they probably tell their teachers that Moodle is the only CMS supported, use it or else. Makes it easier to organize. However, that is not true for the schools that I have interacted with. And I remain an advocate of heterogeneous systems. It;s just that they require a certain minimum amount of work.
===
I should probably volunteer to help my kid's school organize its website.
Subscribe to:
Posts (Atom)