Since someone got me thinking about copyright and related stuff I stopped and thought about which creative commons license I’m using for this blog. I was previously using the Attribute Share-Alike creative commons license, but have now changed to the Attribute license with no requirement to share alike. That seems to fit my views on how copyright should work and how I want this blog to be used fairly well. I did consider public domain but it would annoy me if no attribution was given and I don’t see any real reason to allow it given I would be annoyed. This change applies to all existing entries. Now lets see those creative uses of my incoherent ramblings! Perhaps turn one of the entries into a song? Rap or country would seem to be an appropriate level of quality – take that as you will….

Anthony Towns give a good rundown about how there’s no evidence to support the claim that “pirate” DVDs support terrorist organizations. It should be noted that this is a highly tangential topic to what Anthony was writing about – he just got me started on this so linking to his entry serves as a means to let you catch up with my thought process while giving the added benefit of linking to a highly informative piece. I do feel somewhat compelled to point out that regardless of whether or not pirated DVDs support terrorists or not, the large scale for-profit infringement of copyright is highly unethical. Don’t take that to mean that I think it’s unethical to make a copy of your favorite CD so you can play it in the car, or put a copy on your iPod or even making a copy for a friend. In fact I’d go so far as saying that downloading a copy of your favorite song so you don’t have to pay for it is not necessarily unethical (questionable but not clearly unethical). However, when you start to make money off of copyright infringement I believe you’ve taken it too far. Artists do have a right to compensation, it’s all well and good to say that they still have their copy so they’ve lost nothing, but it is important that people can make a living out of creative works. Selling illegal copies of an artists work really rubs me the wrong way. Now, on the other hand if these “pirates” had taken an existing work and given it a swashbuckling sea shanty feel then rereleased it for profit then I’d put the actions back into the questionable area (and in fact I’d lean towards saying that it’s a good thing). Extremes are generally not good for society. So it’s not good that the MPAA, RIAA (and other similar organizations) want to completely eliminate fair use, nor that they want to lock up creative works under copyright law forever. Similarly, it’s not good to simply throw out all the copyright laws and leave artists with no way to recoup costs of creation or make a living out of their works. The trouble is finding where to draw the line. One of the things I find so frustrating about the current copyright laws is that it’s practically impossible to build on to existing works to create something better. This is essentially the case of our pirates providing a swashbuckling version of the latest hit that I mentioned earlier. I firmly believe that it is in societies interest to have a very active creative culture and I believe that building onto existing work is an important part of that culture of creativity. There are two main benefits provided by allowing people to build on top of other people’s work easily. Firstly, it provides a simple and effective way for new creators to get started. Thinking up a good, original idea for a song, screen play, musical, whatever is really hard and doesn’t happen often. Thinking up an interesting new viewpoint on an existing work however is fairly simple. This provides a simple starting point for people to get into creating and develop the skills required to execute a creative project without running into the roadblock of the original idea. More importantly however, building on top of additional works can improve on the original work either by being better written/performed, by taking a more interesting view point or simply by updating it for modern times. Romeo and Juliet is a classic love story, the essence of which can be enjoyed by people old and young alike. However, culture has moved on from Shakespearean times and while some may find that disappointing, it would sadden me to think that the pinnacle of writing was in the past. More importantly, it would be sad to lose the classic story line in Romeo and Juliet just because the writing style is outdated and doesn’t appeal to today’s audience as much. Fortunately, because the copyright has expired, people can build on Shakespeare’s work to produce updated versions like the sensational West Side Story and the movie of the same title which brought these works to a whole new audience to be appreciated in whole new ways. Having said that, I would be really annoyed if someone took my work, made only very minor changes and published it as their own. I would be thrilled if they added substantially to it and gave credit (even if they made a lot of money off of it and didn’t pay any royalties to me). I’d probably be annoyed if they made substantial changes but didn’t credit me with at least giving them some inspiration. So there is a fine balance here and a set of ethical behaviors need to evolve and be recognized. Such a set of behaviors is already in place when it comes to quoting research however those behaviors don’t directly apply to other mediums and other types of creative work so new sets of ethical standards need to be created and where (and only where) required backed up by law. The end aim, at least in my opinion, must be to improve the availability and quality of creative works within our culture and not to build or support an industry around creative works. Those two aims however are not entirely at odds with each other, in fact it is essential to have some kind of industry built around creative works to provide the monetary backing required to actually fund creative projects as well as to allow creators to pay their living expenses while devoting their full time effort to creative works. Where the right balance is and how you find it, I don’t know. I do know however that it isn’t what we’ve currently got and it doesn’t seem to be in the direction we’re heading.

For as long as I can remember there’s been a Yamaha electric organ at my parent’s place – I spent many, many hours playing it in my youth but since I moved out of home noone plays it. Now every time I come home my mother tells me the organ’s had it and broke down long ago. Of course once I plug it back in and actually try playing it everything works as well as it ever did. I’m not sure what I’d do with myself on my trips up home without that organ….

I’m heading up to Ingham (just north of Townsville in far north Queensland) tomorrow for a week holiday and my sister’s wedding. I’ve had to pack the absolute minimum clothing as I’m taking up a huge collection of musical instruments and assorted junk. 2 saxophones, a ton of music and I’m still not sure how I’ll fit my saxophone stand in. I’m borrowing my younger sister’s clarinet while I’m up there to play as the bride walks down the isle so I’ll have the week to learn to play that. It’s pretty similar to the sax and I’ve played clarinet previously without sounding too bad so it should come off okay. I’m more concerned about the rendition of “The Rose” on keyboard I’m meant to do as backing for my little sister while the register’s being signed. Somehow I liked the original idea of having a few musicians involved instead of just me but it’ll give me something to do anyway. Aside from that I need to find out a few things about the bridal party – most of whom I’ve never met – as I’m the MC for the evening and probably should have something half intelligent to say when introducing people. On the plus side, I’m far enough away that I haven’t had to worry about all this until now – everyone else has been madly organizing things for months.

Brad makes an excellent comment regarding the root logins via ssh issue:

I think the biggest disagreement we’re having here is where should this be solved. Adrian , as a developer, thinks it should be coded around. Myself, as a sysadmin, think the user should take some responsibility for their actions and check their setup on the critical pieces of software – in this case, the Internet accessible ones. It all makes sense now. I think the movie Babe probably best covers this when the sheep dog goes to talk to the sheep and talks very slowly and clearly because every sheep dog knows that sheep are stupid. When the sheep reply they do so very slowly and clearly because every sheep knows that wolves are ignorant. In this case every developer knows that all users are stupid and so they try to make everything work as safely and easily as possible. Then of course every sysadmin knows that programmers are incompetent and so they double check everything and always assume that the developer has stuffed up. It’s then quite natural (and indeed beneficial) for Brad and I to have differing reactions to this issue. As a sysadmin Brad knows that he should read the README.Debian files for the security related packages he installs and that he should double check configuration files (plus he often knows how to do this off the top of his head). As a developer however, I know that when the software gets into the hands of end users (as operating systems for PCs generally do), the users aren’t going to do any of this (mostly because they won’t know how) so the default configuration should be secure and stable to avoid the user having problems.

Brad comments on my condemnation of root login being enabled in the default SSH config for Debian systems (noting again that SSH is disabled by default).

Debian’s SSH package explicitly asks if you want to run the ssh daemon, and by choosing to do so, you take a certain level of responsibility into your hands. Granted – Sandra acknowledged this and I acknowledged this.

I don’t agree that its the software’s fault more than the users – as a maintainer you make some assumptions, some of which will not match the users requirements, and its up to the end user to ensure that it meets their needs. The assumptions should always err on the side of security. It is trivial for a user to turn something on if they discover it is missing – it is effectively impossible for them to (knowingly) turn something off if they don’t realize it’s turned on. Microsoft is very often criticized for leaving unneeded services on by default and not being configured securely by default – Linux should receive the same criticism when it falls into the same trap.

With the real planet humbug down, I’m only occasionally checking the temporary planet humbug since it’s not coming through my RSS feeds at the moment. While I wasn’t looking, there seems to have been a little bit of a stink kicked up about Linux’s security. The story as far as I can tell seems to be that Sandra Mansell had her Debian router compromised because the root password was a dictionary word, ssh was available to the world and root logins were allowed. She took responsibility for the compromise pointing out that it was “lazy” (I would have said careless or possibly even crazy) to use a dictionary word as the root password and then complained that Debian’s default settings were to allow root logins over SSH. Brad Mashall and Greg Black then provided some useful advice on setting up SSH and security in general. However, from both posts (particularly Brad’s) I got the impression that this was entirely the users fault. I’d very strongly disagree with that. Was the user at fault? Absolutely, and Sandra acknowledged that. Was the software more at fault? Absolutely. It is very common knowledge that allowing root logins via ssh is an unsafe practice and should be avoided. It’s completely inexcusable for the Debian developers to have root logins enabled by default and even worse that it (apparently) doesn’t even display a warning about this. It is simply not good enough for an OS to ship with insecure settings and expect ordinary users to perform a full security audit and know all about arcane config files to make their system secure. The OS installer should always make the system as secure as possible given the features the users have indicated they need. Specifically, the installer should have disabled SSH by default (I think it did) then when told that SSH was required, it should have left root logins disabled. Better yet, it could have asked which accounts were required, from which networks and hosts and whether or not it could generate a key pair to be used for authentication and disable password authentication. All of that however does make the installation more complex so there’s a balance to be reached, but since there’s almost never a reason to allow remote root logins I’d be quite prepared to criticize the developer responsible for that configuration being the default. I’d then set about making sure that the users understands where they went wrong and how to avoid similar problems in the future (most likely by pointing them at Brad and Greg’s comments, which I definitely suggest you read). Why is it that in commerce the customer’s always right but in software the user’s always wrong?

Byron continues on the ampersand issue:

I’m not going to accept your argument that it’s not harmful to produce invalid HTML. What would your code produce for: http://example.com/entities.cgi?entity=& The requirements are that it should produce exactly that since that will work in all known browsers and would break in all known browsers if the ampersand wasn’t escaped. Since I didn’t personally write the code I can’t be certain that it does output that, but that’s what it should do. It should output whatever it is that makes things the most compatible so our users are the most happy.

I spent about two years working as a research assistant at Griffith University and quite enjoyed my time there. I spent time working with both pure mathematics lecturers as well as software engineering oriented lecturers, so I’ve got a fairly good grasp and appreciation for the academic point of view and the processes and logic they tend to use. One of the things you notice if you spend time in an academic environment as well as a commercial environment is that the abstract nature of academic thought and reasoning fits very poorly into a commercial context. This is why so many very good ideas that come out of universities so often struggle to be commercialized (and why there are dedicated departments to help inject commercial sense into an academic idea and bring it to market). It’s not that academics are a bunch of nut-jobs with no idea about reality, it’s simply that the values and expectations in an academic environment are very different to those in a commercial environment. For instance, if a mathematics professor is developing software, his prime concern is that it is “correct” and usually wants it to be provably so. A software engineering lecturer’s primary concern will be that the software meets the requirements precisely. In most cases however, a commercial developer’s primary concern is that the software does what the user wants. With contract style work the commercial interests match up much better with a software engineering lecturer’s viewpoint, but with commercial off the shelf software development the requirements are largely unimportant – making users happy and thus buy the product is important. The biggest difference though is not between “commercial developers” and software engineering academics, but rather between mathematicians (or possibly referred to as computer scientists which tend to be mathematicians who specialized in computers) and “commercial developers”. A mathematician always wants everything to be correct (aka perfect) and provably so. A commercial developer just wants it to work, remain working and be maintainable. Sometimes of course, commercial developers are far too slack and could use an injection of the mathematician’s viewpoint, however I’ve generally found the reverse to be true more often. Academics tend to be overly pedantic to the point where it would in fact damage a commercial project. So am I saying that academics are useless or that commercial developers are somehow better? Heck no. Both viewpoints are extremely useful and allow for different types of innovation. Both are required. Just if you ever find you’re in an argument (as opposed to an informative discussion) with someone from “the other camp” give up and walk away – that argument will never be resolved.

I try not to link to everything that comes through the Oddly Enough feed, but this was just too funny to resist. Have Sex Until The Cows Come Home Source: Reuters.

We’ve acquired a new engineering manager at work so at long last we’re starting to put in place some of the things we’ve always said “we should do that” about for a long time but never actually gotten around to doing. One of those things is establishing how accurate our estimates are by actually tracking the time taken to complete the task. Other metrics may be useful later, but for now we just want to track time taken since time is our most limited resource. The trouble is, I don’t know of any really good time tracking tools. Here’s the rough requirements:

A long time ago I made some comments about String interning and Anton Tagunov made some interesting comments. It turns out he was very much right and that I was smoking something…. There are definitely still times when string interning will improve performance, even in multithreaded situations (XML parsing turns out to be one) but my comments on threading and synchronization should probably be ignored unless you’ve got the mythical hardware I had in mind when talking about it. Essentially, to achieve what I was talking about you need to be able to add a map entry (not create the entry, just add it) as an atomic operation. You would have to be able to replace the existing map with a new one as an atomic operation as well (don’t add the new entry until the expanded map is in place), however with multi cpu systems, such assignments are likely to wind up in a single processors cache and not be available to other processors. You’d need the ability to tell the processor to put this straight into RAM (reads could still come from cache but the main memory version would have to be checked in a synchronized block before creating a new entry). In Java it is definitely not possible to tell the CPU to put just one variable directly into main memory and I haven’t found any reference to this algorithm even theoretically working on any common computer system. Shame, it seems like such a good way to do it…. Good sounding design trumps working design right?