
Wednesday, June 09, 2010

Copyright is not theft!

1 comments

Recently there have been quite a few copyright-related posts which came up in my feedreader. This is of course a complicated and layered problem which can’t be solved in the couple of paragraphs of this blogpost, but at least I can post a bunch of great materials which should contribute to the edification of all of us.

From comixtalk.com: Copyright Is Not theft

Also from comixtalk: Nina Paley Discusses State of Sita Sings The Blues. This is an animated movie (which you can watch for free) that had legal problems because of the backing soundtrack, even though the music in question was created in 1920, so it should be in the public domain.

You might also be interested in the documentary rip! a remix manifesto (embedded below for your convenience). It is a documentary (Michael Moore style) talking about the issue. And while it isn't perfect, it manages to raise a lot of interesting issues (BTW, personally I find the songs on the Grey Album much better than the originals on the Black album - just a random example how derivative works can improve the original):

Finally, here is a presentation from TED comparing industries with different levels of copyright protection (via Slashdot):

This should be enough information to keep you outraged for weeks :-)

PS. Just a quick rundown of my current opinion: all works are derivative. But even if we skip over this, long copyright stifles innovation. And even if we don’t consider (or don’t accept) this premise, labelling all copying as “theft” is (depending) wrong, (possibly purposefully) misleading and unethical. For example I possess the copyright for all the materials published on this blog (since it is my original work), but I explicitly grant anyone the right to reuse the content under the conditions of the CC-BY-SA 3.0 license.

PS #2: Another interesting documentary to watch is Patently absurd. I didn't include it above because it deals with patent law, not copyright, two domains which are frequently bundled together under the term "Intellectual Property" (together with trademark law), but the fact is that these three domains are completely separate and the laws governing them are distinct, ergo I didn't want to add to the confusion.

PS #3: Technology != Breaking the law. Just because I use bittorrent, it doesn't mean that I'm breaking the copyright law! I might very well be downloading a Linux ISO (as I frequently do), one of the many free (as in freedom) materials from Clearbits (previously legaltorrents) or a World of Warcraft patch for that matter.

Monday, June 07, 2010

Dear people: try to think harder, even if it makes your head hurt!

1 comments

This again is the case of a couple of links on the same topic piling up in my reader (this tends to happen if you take a pause in blogging :-)):

The commonality between all these articles is that they make statements based on faulty questions (PHD Comics says it best). A website poll is not the same as a scientific study (to name just one of the problems - it has a selection bias towards the readers of the particular site - which wouldn't be a problem if the results weren't presented as applicable to the general population). And even if they were scientific studies, the purpose of a scientific study isn't to find the absolute truth! It is to present a hypothesis which doesn't contradict any of the current observations. But it doesn't exclude the possibility that in the future there will be an observation which contradicts the hypothesis, and as such, it must be changed.

Sunday, June 06, 2010

Who is hype-free?

0 comments

I’ve done a writeup about the name of the blog when I started it. However recently two links came up in my Google Alerts:

The first one is from Urban Dictionary and it defines hype free as “Slang word for drug free”.

The second one is from Yahoo! Answers and states pretty much the same thing (in a conversational form).

I didn’t know this meaning of the expression until these items came on my radar recently, but they are very funny (and certainly true in more than one sense).

Update: the Yahoo Answers page states that it was deleted “according to our Community Guidelines”. Bummer.

delicious/cdman83

0 comments

Password Strength Checker

Posted: 09 Apr 2010 05:40 AM PDT

NetPositive error messages

Posted: 13 May 2010 09:52 PM PDT

Default Passwords | CIRT.net

Posted: 14 May 2010 06:23 AM PDT

AmigaRemix - The place for Amiga Game- and Demo-music Remixes!

Posted: 18 May 2010 09:54 PM PDT

Remix64.com: C64 and Amiga Music Remix Community

Posted: 18 May 2010 09:54 PM PDT

Cognitive Biases - A Visual Study Guide by the Royal Society of Account Planning | Scribd

Posted: 19 May 2010 04:17 AM PDT

KeygenJukebox.com - Streams Keygen Music Directly to Your Web Browser!

Posted: 19 May 2010 12:24 AM PDT

Algo Trading and How To Get a Job on Wall Street

Posted: 21 May 2010 03:41 AM PDT

News | DriverPacks.net

Posted: 21 May 2010 01:00 AM PDT

CARO 2010 Slides - F-Secure

Posted: 29 May 2010 09:52 PM PDT

Scan Websites for Viruses - URLVoid.com BETA

Posted: 30 May 2010 04:24 AM PDT

Monday, May 10, 2010

On the hopelessness of pulling content from the interwebs

0 comments

In the last couple of weeks I had at least two cases where I saw a (provocative) post come up in my feedreader and clicked through to read the entire piece (BTW, partial feeds just suck!), just to find that the owner had removed the post. The first was from the DynDNS blog named “Open Dialogue” (apparently openness and censorship can co-exist in some people’s minds, without having their brains blown up by the cognitive dissonance) and it said the following:

We hope we're wrong, but it looks like DNS Made Easy (aka Tiggee LLC) is secretly behind DNSComparison.com

Let’s first start off by providing some definitions of key attributes that Dyn Inc. lives by across our organization and takes pride in while representing the DNS industry. These characteristics define us and make us the company we are today. Call us naïve, but we also “still” hold out hope that the rest of the DNS space (and the business world, in general) believes the same and truly means well when their actions might seem otherwise.

The second one comes from the MaraDNS blog (is there a pattern here? are there many frustrated people in the DNS space? :-p):

Xonotic: Type 2 Freetards can’t make content

If you want to piss a type 2 freetard off, take an open-source project, make it proprietary (after getting everything with copyright to the code to agree to the non-GPL terms), and sell the proprietary product.
This happened with Tux Racer. Boy were the freetards pissed off, whining about how the commercial game wasn’t very good, blah blah blah. But, bottom line: The developers worked hard making the program. They wanted to get paid for their work. The type 2 freetards felt something was stolen from them because the next version of their program was not open-source.
Another successful open-source game is now doing the same thing: Nexuiz, an excellent fun little first person shooter with everything (both the engine and the content) under a GPL-compatible license.
Well, the developers realized one day that they wanted to get paid for their work, so they decided to have a remake of Nexuiz for consoles that will be closed-sourced using different content.
The freetards went ballistic. It became a front page story at Freetard central. In short order, a fork was declared. Freetards everywhere talked about how evil Nexuiz was; their declarations were mainly based on ignorance; inaccurate posts accusing the Nexuiz development team of violating the GPL were posted everywhere.
The next Nexuiz will, for the record, be 100% legal: All of the Nexuiz code has been licensed for non-free use. The content will be, for the most part, entirely new. There is no GPL violation here.
Once the dust cleared, development on the fork (called Xonotic) stalled. One developer recently admitted that, two months after declaring this fork, that

It is my opinion that such actions inherently undermine the trust in a person / brand. It is also ineffective (proven by the fact that at least one person – ie. myself – was able to read the content). My ideal publishing platform would be:

  • Versioned, so that everyone could look up what the text looked like at a given moment in time
  • Verified by a third-party agency (such as a timestamp signing service) which guarantees that it had a certain content at given point in time (you don’t have to transmit the full text to such a service BTW – them signing a cryptographic hash is good enough)
  • Digitally signed by the author
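
A sketch of the three properties in the list above, as an added example that is not part of the original post: each version commits to the previous one by hash, the author signs that hash, and a timestamp service signs only the hash and a time. The local Ed25519 key standing in for the timestamp service and all function names are assumptions.

```javascript
// Added example, not code from the original post. The "timestamp service" is
// a local Ed25519 key standing in for a real third party (assumption).
const { createHash, generateKeyPairSync, sign, verify } = require('node:crypto');

const sha256 = s => createHash('sha256').update(s, 'utf8').digest('hex');
const author = generateKeyPairSync('ed25519'); // author's signing key
const tsa = generateKeyPairSync('ed25519');    // hypothetical timestamp service

// The service sees only the hash, never the text, and signs "hash|time".
function timestamp(hash, time) {
  return { time, sig: sign(null, Buffer.from(`${hash}|${time}`), tsa.privateKey) };
}

// Append a new version. Each record commits to the previous one by hash,
// so the history can be extended but not silently rewritten.
function publish(history, text, time) {
  const prev = history.length ? history[history.length - 1].hash : '';
  const hash = sha256(`${prev}\n${text}`);
  const authorSig = sign(null, Buffer.from(hash), author.privateKey);
  return [...history, { text, prev, hash, authorSig, stamp: timestamp(hash, time) }];
}

// Reader-side check: index of the first bad record, or -1 if all verify.
function firstInvalid(history, authorPub, tsaPub) {
  let prev = '';
  for (let i = 0; i < history.length; i++) {
    const r = history[i];
    const ok = r.prev === prev &&
      r.hash === sha256(`${prev}\n${r.text}`) &&
      verify(null, Buffer.from(r.hash), authorPub, r.authorSig) &&
      verify(null, Buffer.from(`${r.hash}|${r.stamp.time}`), tsaPub, r.stamp.sig);
    if (!ok) return i;
    prev = r.hash;
  }
  return -1;
}

// Constructed sample: a post, then a takedown notice published as version 2.
function demo() {
  let h = publish([], 'Original post text', '2010-05-10T10:00:00Z');
  h = publish(h, 'this post was taken down because of allegedly defamatory content. sorry',
    '2010-05-11T09:00:00Z');
  const edited = h.map((r, i) => (i === 0 ? { ...r, text: 'Quietly edited text' } : r));
  return {
    intact: firstInvalid(h, author.publicKey, tsa.publicKey),
    tampered: firstInvalid(edited, author.publicKey, tsa.publicKey),
  };
}
```

Dropping the first version instead of editing it fails the same check, because the surviving record still names the removed hash as its predecessor.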

We all make mistakes. Let's act as grownups about it. Don’t try to wish some things away. I understand that in some circumstances there are legal obligations to take some things down, but at least post the takedown reason in these cases (ie. “this post was taken down because of allegedly defamatory content. sorry”).

Picture taken from sara~'s photostream with permission.

Thursday, April 22, 2010

Putting the eval into Java

0 comments

“eval” (short for evaluate) is usually the name given to the method in dynamic languages which makes it possible for the programmer to access the compiler / runtime. Here are a few links to the documentation for the function in different languages:

They are usually used to quickly evaluate a DSL (Domain Specific Language) expression. What I mean by this is the following: let's say that the user supplies an expression which can be easily (ie. with a few string replacements or regular expressions at most) converted into a valid expression in the current language. Then you don’t have to write your own lexer / parser / runtime to support this function.

To make this example even more concrete, let's say that you are implementing a simple graphing calculator where the user can supply the right part of the f(x)=... expression and you draw the function for a given interval of x. If the user supplies something like 1 + 2*x + 3*x*x, this is pretty much a valid expression in all programming languages (there are minor syntactic differences to be precise - like Perl/PHP requiring you to prefix variable names by the “$” sign), so you could simply use “eval” on it.

Warning! Running eval on unverified, user-supplied code is a really, really bad idea! (Yes, I know that red and bold underline is a little over the top, but this is just that bad!) Never, never, ever do this! It is equivalent to letting everybody connected to the Internet (assuming that we are talking about a webapp) run arbitrary code on your server. Implement very strict filtering (based on whitelisting if at all possible) for such features!
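
One way to do the whitelisting for the graphing-calculator case above, as an added example (not code from the original post): the input is tokenized against a fixed grammar of numbers, x, + - * / and parentheses, and only a string rebuilt from the validated tokens reaches the runtime compiler. The name compileExpression and the 200-character limit are assumptions.

```javascript
// Added example: whitelist filter in front of a JavaScript "eval" for f(x).
// compileExpression and MAX_LEN are hypothetical names, not from the post.
const MAX_LEN = 200;
// The only tokens allowed: decimal number, the variable x, + - * /, ( and ).
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|(x)|([-+*/])|(\()|(\)))/y;

function compileExpression(source) {
  const text = String(source).trim();
  if (text.length === 0 || text.length > MAX_LEN) {
    throw new SyntaxError('rejected: empty or too long');
  }
  const reject = at => { throw new SyntaxError(`rejected at offset ${at}`); };
  const out = [];
  let depth = 0;
  let wantOperand = true;            // grammar state: operand or operator next?
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < text.length) {
    const at = TOKEN.lastIndex;
    const m = TOKEN.exec(text);
    if (!m) reject(at);              // anything outside the whitelist
    const [, num, variable, op, open, close] = m;
    if (num !== undefined || variable !== undefined) {
      if (!wantOperand) reject(at);
      wantOperand = false;
    } else if (open !== undefined) {
      if (!wantOperand) reject(at);  // blocks call syntax such as x(1)
      depth++;
    } else if (close !== undefined) {
      if (wantOperand || depth === 0) reject(at);
      depth--;
    } else if (!(op === '-' && wantOperand)) { // unary minus is allowed
      if (wantOperand) reject(at);
      wantOperand = true;
    }
    // Numbers are re-serialized so forms like 010 cannot reach the compiler.
    out.push(num !== undefined ? String(Number(num)) : m[0].trim());
  }
  if (wantOperand || depth !== 0) reject(text.length);
  // Only the rebuilt token string is compiled, never the raw input.
  // Joining with spaces keeps "- -" from fusing into "--".
  return new Function('x', `"use strict"; return (${out.join(' ')});`);
}
```

Checking characters alone would not be enough here: a character whitelist of digits, x, operators and parentheses still admits comments and call syntax, which the grammar state rejects.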

Surely, you would say, such a dynamic feature isn’t easily accessible for a statically typed compiled language such as Java... And you would be wrong! As of Java 6 each JVM install (including the JREs) includes the Java compiler, and it also includes a public API to access it. Using this feature you can implement the Java equivalent of “eval”: giving a string to the compiler and getting a class instance back, on which you can call methods. You can find the source in my SVN repo. It is (almost entirely) based on the following article from 2007 (just to give you an idea how long this option has been around): Create dynamic applications with javax.tools. Another (pleasant) surprise was the fact that this process doesn’t require any security privileges and works perfectly in restricted environments such as a browser.

An additional advantage of using the JVM rather than your own runtime is speed: many man-hours have gone into optimizing both the source –> bytecode and the bytecode –> machine code transformations. Which brings me to another possible use for this kind of solution: generating particularized instances of generic classes to give more hints to the JVM about possible implementations.

For example, the StringTokenizer class does the following when looking for separator characters:

char c = str.charAt(position);
if ((c > maxDelimCodePoint) || (delimiters.indexOf(c) < 0))
    break;

Now imagine how much more efficient (in the sense of: easier for the JVM to translate into efficient machine code) this code would be if we knew that we have exactly one possible delimiter (as is the case most of the time). Replacing delimiters.indexOf(c) with delimiter == c can give you an order of magnitude speedup for this particular code.

The takeaway should be:

  • This is a very powerful technique, but it should be used with care! Only use this method if you’ve proven (by using a profiler for example) that the given class is the dominant factor in the performance picture.
  • Be particularly aware of potential security risks which could appear!
  • Also, be aware that you give up many things when going this route:
    • Automated refactoring
    • Reports generated by bytecode analysis tools (like coverage or bug detection)
    • Debugger support
  • In conclusion: use it with great care, but if used properly, it can result in considerable performance improvements!

Picture taken from Hexadecimal Time's photostream with permission.

Tuesday, April 20, 2010

Update to the Blogger Tag Cloud

0 comments

A small PSA (Public Service Announcement): if you were using the Blogger Tag Cloud I’ve put together based on the WP-Cumulus plugin, you might have noticed that it stopped working some time ago (I’m not entirely sure when, since I didn’t notice it, until a reader commented and brought it to my attention – thanks again Soufiane).

The problem was that the server hosting the SWF and JS file didn’t serve them anymore, instead giving a 403 – access refused error. To mitigate this problem I’ve uploaded the SWF file to Google Code and used the JS file from the Google Ajax Library and brought the plugin back to life.

So, if you are using the plugin and you are subscribed to my feed, go to the original (now updated) post and use the new code.

Thank you and sorry for any inconvenience caused!

Friday, April 09, 2010

“Funny things I found while browsing the web” post

0 comments

The Geek/Nerd/Dork/Dweeb Venn Diagram (via Joel Esler’s blog):


BTW, here is a quick way to convert JPEGs which should be PNGs or GIFs (because they aren’t photos!): simply use a photo editing software (like the GIMP or IrfanView / Paint.NET) and reduce the color depth without dithering. This should pretty much get you there. You might want to play around with the number of colors to retain.

The second one is Pixels by Patrick Jean (via Wondermark):

MC Frontalot released his newest album Zero Day (via the Veracode blog):

Updated YARPG

1 comments

This has been sitting in my queue for some time: almost four years ago (it’s incredible how time flies!) – amongst the first posts I’ve published on the blog – I’ve written a random password generator in Javascript which I’ve named YARPG (for “Yet Another Random Password Generator”). The advantages to using it are the same as they were back then:

  • Customizable (password length, types of characters included, etc)
  • Secure (it doesn’t communicate over the network, hence no need for SSL)
  • Fully reviewable (as opposed to server-based solutions, where you have to trust the server)

The only flaw it had (as pointed out by a commenter) was the fact that passwords didn’t always include all the characters you’ve selected (ie. the checkboxes represented “possible” not “mandatory” characters, which was a little counter-intuitive).

I’ve thought about how to create passwords which included at least one character from each set. My first ideas were around generating a password, then checking that it contained at least one character from each set and if not, replacing some of the characters with ones from the missing set. However this train of thought quickly ran into problems when I had to decide which character to replace. Choosing something fixed (like the first one, last one, etc) is too predictable. If I choose a random one, I run the risk of overwriting a previous change. So finally I realized that there is a simple solution: just re-generate the password until it satisfies all of the constraints. Although this might seem like a brute-force solution, in practice its speed is indistinguishable from a constant-time solution.

Below you have the new and improved YARPG:

I've also updated the original posting. You can get the source code for it by looking at the source of this webpage, or from my SVN repository: js_password_generator.html. Hopefully you find it useful!
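
The regenerate-until-valid approach described above, as an added example that is not the YARPG source: whole candidates are redrawn until every selected set is represented, and an inclusion-exclusion calculation shows how few redraws that takes. The character sets, function names and the use of Node's crypto.randomInt are assumptions.

```javascript
// Added example, not the YARPG source. Node's CSPRNG is an assumption: the
// post does not say which random source YARPG uses.
const { randomInt } = require('node:crypto');

// Hypothetical stand-ins for the character-set checkboxes.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!#$%&*+-=?@^_',
};

// True when the password has at least one character from every selected set.
function coversAll(password, selected) {
  return selected.every(name => [...password].some(ch => SETS[name].includes(ch)));
}

// Regenerate whole candidates until the constraint holds. Nothing is patched
// in place, so no position is more predictable than another.
function generate(length, selected, maxTries = 10000) {
  if (!selected.length || selected.some(name => typeof SETS[name] !== 'string')) {
    throw new RangeError('select at least one known character set');
  }
  if (length < selected.length) throw new RangeError('length cannot cover every set');
  const alphabet = selected.map(name => SETS[name]).join('');
  for (let tries = 1; tries <= maxTries; tries++) {
    let password = '';
    for (let i = 0; i < length; i++) password += alphabet[randomInt(alphabet.length)];
    if (coversAll(password, selected)) return { password, tries };
  }
  throw new Error('no valid password within maxTries');
}

// Chance that a single candidate passes, by inclusion-exclusion over the sets
// that could be missing. 1 / this value is the expected number of tries.
function acceptanceProbability(length, selected) {
  const total = selected.reduce((n, name) => n + SETS[name].length, 0);
  let p = 0;
  for (let mask = 0; mask < (1 << selected.length); mask++) {
    let missing = 0, sign = 1;
    selected.forEach((name, i) => {
      if (mask & (1 << i)) { missing += SETS[name].length; sign = -sign; }
    });
    p += sign * ((total - missing) / total) ** length;
  }
  return p;
}
```

For a 12-character password over these four sets the acceptance probability is about 0.72, so the loop averages fewer than two draws.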

Picture taken from cjc4454's photostream with permission.