Recent blog entries for nmw

lkcl: Right you are. Except, we need to go a bit further: the Unix kernels need to support SIDs. That means throwing setuid() and friends out the window.

There will be a lot of resistance -- in fact, the idea does not advance, someone has to implement it first (perhaps one of the many "security enhanced" Linux versions out there, such as the NSA's, implements this or a suitable framework for implementing SIDs at the kernel level).

Of course, filesystems too need to support SIDs.

And the old flat UID/GID system has to remain available for backwards compatibility.

In other words, processes need to have multi-component, extensible credentials. And I say they need to have an array of creds, with each thread (or clone()ed process) having an "effective" cred array index.

14 Sep 2001 (updated 14 Sep 2001 at 18:30 UTC)

I have to get this off my chest:

Several people, here, on the radio, on TV, in print, have been saying things like "yeah it's horrible, but the U.S. begat it -- the U.S. should change its policies," or "the U.S. has propped up despots who've killed so many and blah blah blah, maybe now they'll change."

These people are walking a fine line, rationalizing a horrible act.

They're also ignoring a lot of history.

The U.S. has done the following good deeds during the last 60 or so years:

  • Entered and won WWII
  • Lifted Europe and Japan from the ashes of WWII's ruins
  • Saved South Korea
  • Come to the financial aid of countless countries, during countless crises
  • Destroyed the Soviet Union (a combination of the '80s arms race + the Soviet Union's attempt to grow more [so it could spend more on weapons] by liberalizing its economy)
  • Exported prosperity by maintaining a huge current account deficit during so many years (this is the American people's doing, not just the govt's)
  • Provided better returns on investment to foreigners than most other markets for so many years (also reflected in that current account deficit)
  • Greatly advanced the sciences and technology (also the American people's doing, which they got to do because America is so free)
  • Admitted millions of immigrants
  • Sent peace-keepers where they're needed
  • and much, much more

The evils, the ones that can so be labeled anyways, so often imputed to America are nothing compared to the above. And some of the evils America has in fact committed are often ignored (e.g., the destruction of Dresden, during 1945, a city with no military value, cost: 200,000+ lives).

Don't get me wrong, I'm no moral relativist, but the good America has done far, far, far surpasses the bad, and, crucially, America usually, consistently surpasses its moral problems.

The U.S. has, from time to time, done some horrible things, often in the context of war (e.g., Dresden's destruction back in 1945) or in the context of the Cold War (e.g., propping up brutal dictatorships in South America).

The crucial difference between the U.S. (or the West) and the rest of the world is not that the U.S. is morally superior, but that the U.S. surpasses ALL difficulties and challenges in its way, even and especially ones involving moral issues.


  • Slavery? The U.S. fought a very bloody civil war over it.
  • Widespread corruption (back during Prohibition)? Surpassed.
  • Pearl Harbour? Surpassed.
  • Internment of Japanese and Japanese-Americans during WWII? Reparations made.
  • Civil rights problems? Surpassed.
  • Blindly arming bloody tyrants during the Cold War? Cold War over, arming over.
  • etc...

The complaints that incense me the most are about how the U.S. has supported Israel [to the presumed detriment of the Arab world], how it maintains troops in Saudi Arabia, and so on. On the first score I must say that, though Woodrow Wilson's "[ethnic/religious/racial] right to self-determination" is a morally bankrupt and horrible concept, no one would today re-integrate Hungary, Austria, the Czech Republic, Slovakia, etc... into a new Austro-Hungarian nation and no one in their right mind would now allow hostile Palestinians and Arabs to push Israel into the sea; also, the U.S. proved in 1978 that it is ready to support all Arab world nations that make peace with Israel and has said so many times since. On the second score: American troops are guests in Saudi Arabia -- they are there to defend it and its way of life! How can anyone use this to justify or rationalize Tuesday's massacre or any terrorist act against the U.S.?????

So those of you saying the sorts of things I quoted above: SHUT THE **** UP and think some more.

And those of you who cry over the demise of the Kyoto treaty, you probably have no idea how much dirtier America's rivers were 40 years ago, or just how bad the environment then was -- America has cleaned up more than any other significant part of the world, save, possibly, Japan, which had even bigger environmental problems then. So you too SHUT THE **** UP and think some more before expressing anger over that treaty.

lain: yes, *some* americans have helped the IRA -- most terrorist orgs have likely been helped by some american citizens or residents, usually financially. It's time to stop this.
All terrorism must be destroyed -- start with the IRA

The IRA do not attack U.S. targets -- but they train terrorists who do. Even if they didn't train other terrorists, the IRA, like ETA, Hamas, Osama bin Laden, etc, is evil.

The IRA is the easiest target: search every house in Northern Ireland and the vicinity; take every ounce of Semtex, every gun. And let the British and Irish governments do this together. And get the unionist terrorists while we're at it.

As for the Taliban: use Russia's help and invade, or invade via Pakistan (give Pakistan no choice). Hunt down these fuckers.

The ETA, Hamas, Hezbollah, ... -- all of them must be destroyed.

And warn the Colombian guerrillas and paramilitaries that they're next if they don't cool it.

Nectar: Very cool. It's about time one of the krb5 implementations included a pam_krb5... It's good to see that you've convinced the Heimdal folks to include ours.

Thanks a lot for your help!


badger: The problem with these protesters is that they are treated by the media as if their protests are of some consequence (other than their destructiveness).

In reality:

  • Locals dislike the violence (to put it mildly)
  • Most of the public doesn't share those protesters' views
  • Most of the public has no sympathy for those protesters' views
  • The protesters tend to be young middle-class western kids who have no idea what it means to go hungry, no clue what it's like in the third world, no clue about economics, and yet they claim to represent the interests of people who do know and they "represent" those people through violence.
  • And if they are the sort that believes in "History" (i.e., if they are commies) then they also certainly lack an understanding of recent history.

What a bunch of reckless, dangerous, young moral relativists.

Twenty years from now they'll be like the baby boomers of today who used to be the protesters of the 60s and who they emulate; they'll be the greedy make-our-grandchildren-pay-for-our-retirement types.


gary: Secure NFS is already here. Sun designed a GSS authentication flavor for ONC RPC based on work done at OpenVision. The OpenVision version (which MIT uses in their Kerberos V admin tool) is called AUTH_GSSAPI, whereas Sun's is called RPCSEC_GSS (there's other differences too :)

So now you can use RPCSEC_GSS for NFS authentication, which means you can use any GSS mechanism for which you have a plug-in (Sun supports the old Diffie-Hellman based NIS+ system, new variations of that with longer keys and Kerberos V). Specifications for other GSS mechanisms exist; see the IETF RFC Search and the RFC draft repository (search for GSS and Generic Security Service).

Because RPCSEC_GSS does not change existing ONC RPC protocols it can be used to secure NFSv2 and NFSv3. But software changes are needed.

Solaris 2.6, 7 and 8 all support RPCSEC_GSS and secure NFS.

NFSv4 also uses RPCSEC_GSS and, as part of the NFSv4 for Linux initiative, an implementation of RPCSEC_GSS is already available for Linux. I haven't followed the Linux NFS situation very closely, but it might be possible to do secure NFS with Linux now or, if not now, soon.

NFSv4 probably shouldn't be called NFS anymore. It fixes all/most of the NFSv[23] problems. For example, NFSv4 is stateful (i.e., it has open/close calls), using a variation on the BSD NQNFS file leasing approach; it supports NFS proxies; NT-style ACLs; NT-style open modes; compound RPCs (one packet, multiple calls); the mount protocol goes away; etc...

One more thing, all of Sun's ONC RPC framework is available under the SISSL, IIRC a very liberal license which essentially says you can do whatever you want with the code, even modify and improve it while keeping your mods private, as long as you publish any extensions to the interfaces and reference code also under the SISSL.
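An added example, not part of the original entry or of Sun's code: the authentication flavor is just a field in the existing ONC RPC call header, which is why RPCSEC_GSS can protect NFSv2 and NFSv3 without changing those protocols. The parser below reads that field from a captured call and shows what each flavor carries; the two sample messages, `build_call` and the values in them are constructed for illustration.

```python
import struct

# Flavor numbers: AUTH_NONE/AUTH_SYS/AUTH_DH per RFC 5531, RPCSEC_GSS per RFC 2203.
FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
GSS_PROCS = {0: "DATA", 1: "INIT", 2: "CONTINUE_INIT", 3: "DESTROY"}
GSS_SERVICES = {1: "none", 2: "integrity", 3: "privacy"}

def parse_rpc_call(msg: bytes) -> dict:
    """Decode the header and credential of one ONC RPC call (record mark removed)."""
    if len(msg) < 32:
        raise ValueError("truncated RPC call header")
    xid, mtype, rpcvers, prog, vers, proc, flavor, clen = struct.unpack(">8I", msg[:32])
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC version 2 call")
    if clen > 400 or len(msg) < 32 + clen:  # opaque_auth bodies are at most 400 bytes
        raise ValueError("bad credential length")
    cred = msg[32:32 + clen]
    info = {"xid": xid, "program": prog, "version": vers, "procedure": proc,
            "flavor": FLAVORS.get(flavor, f"unknown({flavor})")}
    if flavor == 1:  # AUTH_SYS: stamp, machine name, then client-asserted uid/gid
        if clen < 8:
            raise ValueError("truncated AUTH_SYS credential")
        off = 8 + ((struct.unpack(">I", cred[4:8])[0] + 3) & ~3)  # XDR pads to 4 bytes
        if clen < off + 8:
            raise ValueError("truncated AUTH_SYS credential")
        info["uid"], info["gid"] = struct.unpack(">2I", cred[off:off + 8])
    elif flavor == 6:  # RPCSEC_GSS: version, gss_proc, seq_num, service, context handle
        if clen < 20:
            raise ValueError("truncated RPCSEC_GSS credential")
        _ver, gss_proc, seq, service, _hlen = struct.unpack(">5I", cred[:20])
        info.update(gss_proc=GSS_PROCS.get(gss_proc, "unknown"), seq_num=seq,
                    service=GSS_SERVICES.get(service, "unknown"))
    return info

def build_call(flavor: int, cred: bytes) -> bytes:
    """Constructed sample: NFSv3 call (program 100003), procedure 1, AUTH_NONE verifier."""
    head = struct.pack(">8I", 0x1234, 0, 2, 100003, 3, 1, flavor, len(cred))
    return head + cred + struct.pack(">2I", 0, 0)

# Constructed credentials: AUTH_SYS from "host" claiming uid 1000, and RPCSEC_GSS data with privacy.
SYS_CALL = build_call(1, struct.pack(">2I", 0, 4) + b"host" + struct.pack(">3I", 1000, 100, 0))
GSS_CALL = build_call(6, struct.pack(">5I", 1, 0, 7, 3, 4) + b"\x00\x00\x00\x01")

if __name__ == "__main__":
    for sample in (SYS_CALL, GSS_CALL):
        print(parse_rpc_call(sample))
```

With AUTH_SYS the server sees only a uid and gid that the client wrote into the credential, whereas the RPCSEC_GSS credential refers to an established GSS context and states the protection level applied to the call.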

mwh: I've got all but PAIP; what is PAIP?

Another very good book is AMOP.

I'll look into the declare bit. Thanks!

tbmoore: I've never bothered with emacs and elisp. Isn't the lack of closures in elisp obnoxious?

BTW, I'm one of the few proud owners of a copy of "On Lisp", one of the best computer science books ever. The fascinating thing is that Paul Graham wrote Yahoo Shopper in Common Lisp and made millions doing it. In LISP!

I've been thinking about Lisp a lot recently.

I think Lisp could use a few small extensions. One would be to make CONS sub-classable. This would help, for example, with XML, kinda like Perl 6's [vapourware] per-scalar, per-symbol property values, but I also see much value in writing a compiler: code analysis information could be stored in new fields in the conses of an s-expression without modifying the form of the expression. Such an extension would also require an extension to dot notation so extended conses could be printed and read.

Another extension that would be nice is what I think of as "forward closures", much like Pascal or GCC local functions, which are closures that are defined only as long as the parent function instance does not exit. There is a safety issue with such forward values, of course, but the value of forward closures is that it can make continuation passing style code more efficient by not requiring heap storage for captured variables. And this (CPS) is needed to implement logic programming languages like Prolog or Icon. And I would really like to be able to program in Lisp with Icon semantics.

But this is all kinda academic... I'm not working on that sort of stuff...

lkcl: dunno who nigel is :), but why would you port Python code to C (speed?)? or think that porting python to C would be easy?

Porting python to Lisp might be easy.

See Python v(or rather i)s Lisp.

Once you're programming at a high-level, to go back to the low-level is hard -- a straight port would require list/hash table libraries, maybe ffcall and the like, all of which makes it pointless to go to the low-level. It would be better to just have a decently fast high level language.

Mind you, I'm not trying to evangelize. You do what you want :)

Besides, there's no ideal computer language, though Lisp gets pretty close (IMNSHO).


