Paul Fisher

PayPal broken

Sun, 13 Jul 2008 22:04:19 GMT

For purchases made through stores that accept PayPal, it appears that one can no longer choose a payment method. I've tried to make purchases from two different vendors since last night and in both cases the Payment Method is forced to be "Available Funding Sources", which means that funds will always come out of my bank account (with no option to select a credit card). The only way I could get PayPal to pay with a credit card would be to remove my bank account, or force PayPal to cause my bank account balance to generate a NSF -- thereby forcing a credit card transaction so PayPal could obtain their payment.

WTF? Is anyone seeing this behavior as well?

Sun, 06 Nov 2005 08:50:43 GMT

Looks like Amazon will be delivering the US release of Doctor Who (2005) on the epoch (displayed TZ of -0800). Shame I missed the release.

Mon, 19 Sep 2005 16:57:43 GMT

Happy Birthday to nsj -- Mr. VeeeeJaaaaay! Hope your day goes well.

Wed, 06 Oct 2004 08:56:54 GMT

Arrived in Berkeley, after a very long drive. Sleep now.

Wed, 15 Sep 2004 21:52:15 GMT

Time to update my LJ bio. I found a way back to the Bay.

signature guarantee acquired

Wed, 05 May 2004 18:24:29 GMT

Yesterday I opened up a savings account with $10.

Today I enter the bank...

Bank: How can I help you?
Me: I'd like to get a Medallion Signature Guarantee.
Bank: Are you a customer?
Me: Yes
Bank: Do you have an ID?
Me: *shows ID*
Bank: *looks up my account*
Bank: You opened up your account yesterday?
Me: Yes
Bank: *applies Medallion Signature Guarantee*

I think she was ever so slightly suspicious of the transaction.

Moronic systems

Tue, 04 May 2004 20:21:58 GMT

For a particularly complex stock transaction that I've been working on for some time, the SEC requires the transaction be Medallion Signature Guaranteed -- think of it as one step up from a notary public, with the main catch being that the organization that is doing the authenticity checking of my signature is liable for the financial value of the transaction resulting from that signature, if the signature is forged. All parties that participate in the Medallion programs have insurance to cover fraudulent transactions.

So in theory, I should be able to call up a local bank (I have all my financial accounts with businesses that lack Boston offices); ask them for a Medallion Signature Guarantee; pay them some money; show them a whole bunch of IDs; have them fill out some paperwork, and then put a magical stamp on the same piece of paper as my signature. That would seem to make the most sense.

Instead, the system is much more broken than that. Contrary to what information I've been given from my broker, transfer agent, and others, it's not possible to get a Medallion Signature Guarantee from any Boston-area bank/brokerage/etc without having an account with them. So, my solution to this problem was to open up a $10.00 savings account with a local bank, that has a $10.00 minimum balance, charges no fees for Medallion Signature Guarantees, and will send me monthly statements for that $10.00 balance. SMART BANK. I would have preferred to have simply paid them $10 per Signature Guarantee. Instead, they will be spending way more than $10 servicing my minimum-balance savings account.

digital rights in the free world

Sun, 29 Feb 2004 23:21:44 GMT

It's been a long time since I've posted. Below is a rather technical and rambly post about how I'm now able to make perfect digital recordings from my Comcast high definition cable box using free software, as well over-the-air high definition (once I swap out my old tuner for a new one), and how the happiness that has resulted can be destroyed by The Powers at any moment in the future. I ramble a bit about watermarks too, and how it seems like watermarks would be a nice compromise such that fair use rights could be enjoyed, while giving a level of assurance to the Entertainment Industry that they can track down those who illegally share their content.

I've spent the past year, off-and-on, working on a free software PVR. The initial results using MythTV were unimpressive -- picture quality was terrible, playback was jerky, and it left me seriously considering the purchase of a Tivo.

Fast forward to the middle of February, 2004. Comcast has decided to start turning on the previously dormant IEEE1394 ports on their Motorola DCT6200 and DCT6208 set top boxes. The New England market received a 1394-enabling version 7.07 firmware a little more than a week ago. The original, pure, unencrypted MPEG2 transport stream (MPEG2ts) is now being broadcast over the 1394 ports. This new functionality enables perfect digital recordings of programs -- including High Definition ones. The intended purpose of such ports is to enable digital recordings by DVHS recorders (digital VCRs capable of recording high definition (and standard definition) content over a 1394 port).

I recently spent $9 on a IEEE1394a card and $20 on a 14ft IEE1394a cable. For $29, and a GNU/Linux box, I can now make perfect recordings -- entirely with free software. That's not a bad deal. At some point in time, Comcast will most likely turn on encryption (DTCP aka 1394/5C) on the IEEE1394 ports, and while DVHS recorders will continue to work, PCs will no longer be able to record the MPEG2ts.

Since it's likely that Comcast will eventually turn on 5C encryption, it would be nice if there would still be some content out there that can be digitally recorded with free software. I started doing some research into newer HDTV over-the-air set top boxes, which now contain IEEE1394 ports. These boxes take an over-the-air ATSC signal and decode it into a MPEG2ts and send that data over the 1394 port. The only catch is that all ATSC decoders sold after July 1, 2005 will have to recognize the BPDG flag, and if that flag is set, those "new and improved" decoders will no longer talk to unencrypted 1394 devices (ie. your PC). So while the ATSC radio signals being broadcast to your home are unencrypted, if the BPDG flag is set, the FCC has mandated that it will not be legal for hardware sold in the US to send that unencrypted data to other devices that can be easily used to exercise your fair use rights of those copyrighted works.

In the end, it's a pretty good bet that with cable and over-the-air digital ATSC broadcasts (with the BPDG flag set), you will not be able to make digital recordings using free software, or even with proprietary software on a PC. The Entertainment Industry and FCC are happy to restrict your fair use if a PC is involved, as long as illegal sharing of the Entertainment Industry's content on the Internet is made difficult.

The Entertainment Industry is also worried about the "analog hole". It's not just enough to prevent fair use copying of digital content, but they also want to prevent copying of high definition (anything above 640x480) analog content. The technology used to "prevent" and track analog copying -- watermarking -- could also be used to prevent illegal redistribution of digital content. Digimarc, Macrovision, and Philips are all in favor of using watermarks on digital content.

If the Entertainment Industry's real goal is to not restrict fair use of their copyrighted works, but instead to restrict illegal sharing on the Internet, then why not use watermarking technologies?

Each digital cable box is already individually addressable -- this is how the cable company is able to bill subscribers for Pay Per View movies and determine what channels you are authorized to watch. Since they know who you are, the cable box could simply modify the MPEGts to include a watermark specific to each cable box. If a movie or TV show is illegally shared over the Internet, the Entertainment Industry could check the watermark, and trace back the path of infringement. They could then file lawsuits against parties that have infringed their copyrights.

It's my hope that fair use rights will be preserved as we move toward entirely digitally-connected entertainment systems, but somehow I doubt that's how things will turn out. Fair use will simply be collateral damage in the war to keep digital content off the peer to peer networks.

Oh, and if you want to buy a HDTV over-the-air tuner that will permit you to exercise your fair use rights, do that before July 1, 2005. The MIT MDR-200 for $399 is a highly recommended one. Support the EFF in their cause if you think the BPDG flag is a bad idea. There's still a small amount of hope that the war has not been lost.

Mon, 01 Dec 2003 21:36:23 GMT

If anyone is running a GNU/Linux box with shell accounts, it's time to reinstall. Almost all distros are vulnerable (fedora is a notable exception). Local root exploit for all kernels prior to 2.4.23. Fun stuff.

Election Day

Tue, 04 Nov 2003 16:04:24 GMT

Don't forget to vote today!

For those of you living in Cambridge...

Polls in Cambridge close at 8pm.

Matt DeBergalis (one of the candidates for City Council) even has a LiveJournal.

Thu, 30 Oct 2003 17:26:29 GMT

(12:17:57) rao hdc: don't forget to vote
(12:18:02) rao hdc: rent control is on the ballot
(12:18:06) ***novalis nods
(12:18:24) novalis: Somehow, I think you and I will not be voting the same on that one
(12:18:39) rao hdc: you're voting against it?
(12:19:03) novalis: You're voting for it?
(12:19:08) rao hdc: yes
(12:19:14) novalis: Some libertarian you are.....
(12:19:22) rao hdc: haha
(12:19:26) rao hdc: yeah, is sad, I know.

Sat, 20 Sep 2003 00:55:12 GMT

If anyone is interested in reducing my stress level by working at the FSF, the foundation is hiring another person for the same position that I hold.

Tue, 16 Sep 2003 14:47:32 GMT

From http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html

[openssh-unix-announce] OpenSSH Security Advisory: buffer.adv Markus Friedl markus at openbsd.org Tue Sep 16 14:32:18 EST 2003 This is the 1st revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively. 2. Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17 @@ -69,6 +69,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +99,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ }

Sanely formatted patch here.

The official word is that the openssh developers don't know if the bug is remotely exploitable. But given all I've heard over the past couple of weeks, plus the increased port 22 scanning reported at http://www.heise.de/security/news/meldung/40331, I'm inclined to assume the worst -- remote root exploit is out there in the wild.

Update:
The bug will be assigned CAN-2003-0693. Number was assigned on 2003-08-14. Looks like a botched coordinated release.

Update 2:
new Debian x86 debs have been uploaded to security.debian.org.

Update 3:
Red Hat has new RPMs now.

Fri, 29 Aug 2003 19:32:39 GMT

From CNN:

Parson also admitted that he renamed the original "MSBlast.exe" executable "teekids.exe," after his online name 'teekid,'" according to the FBI case.

From Reuters:

While the Web site [t33kid.com] is no longer active, a cached version of it stored by Google refers to a computer program called "p2p.teekid.c," which is described as "my little p2p worm" that spreads via peer-to-peer, or p2p, computer file-sharing methods.

S-M-R-T

Mon, 18 Aug 2003 05:27:12 GMT

The amount of misinformation regarding the ftp.gnu.org compromise is annoying.

The FSF does not run wu-ftpd, nor does it run proftpd. We've been running vsftpd since shortly after the initial public release. vsftpd is one of the best pieces of free software out there.

ftp.gnu.org was compromised from a local shell account. Maintainers had shell accounts in order to put up releases. This is no longer the case.

Wed, 06 Aug 2003 21:51:14 GMT

Bring it SCO.

Sun, 20 Jul 2003 06:42:41 GMT

More LGPL FUD. This is really starting to get old.

joke taken from James J. Cramer

Fri, 11 Jul 2003 18:45:00 GMT

What would you call the merger of Motorola and Enron?

MORON

Wed, 18 Jun 2003 19:29:05 GMT

Wed, 21 May 2003 13:09:58 GMT

Dan Gilmor has a column in today's San Jose Mercury News regarding OpenTV and the GPL.

Original story from his blog: "GPL Legal Battle Coming?" ... and the in-print edited copy with additional comments about the SCO situation.

Mon, 19 May 2003 22:26:27 GMT

Palyh has been hitting gnu.org pretty hard today. Seems like Microsoft is having a bit of problem keeping up with all the bounces sent to support@microsoft.com.

SMTP error from remote mailer after MAIL FROM:<mail@gnu.org> SIZE=2452:
host maila.microsoft.com [131.107.3.124]: 452 4.3.1 Out of memory

How do some people sleep at night?

Mon, 19 May 2003 17:40:45 GMT

SCOX had a huge opening gap up this morning. Today's high is currently 8.04 for a stock that had a previous 52-week high of 4.86.

Mr. Softee can't buy SCO -- owning Unix would have just a few antitrust concerns. They want to fund SCO's efforts to destroy Linux (and free software in general), but why simply fund SCO, when you can license the Unix source code and patents in the process? Microsoft comes out of this licensing arrangement looking like a model citizen in the software world, while the free software community looks like a vagrant pickpocket.

The SCO vs. IBM lawsuit is expected to go to trial in two to three years. The SCO FUD isn't going away anytime soon -- unless they get bought -- which is exactly what they want to happen.

Red Hat posted a short letter to their customers regarding the SCO situation. It's worth reading.

Sun, 11 May 2003 05:37:27 GMT

To any Perl hackers out there:

Why does [^\s]* match a sequence of zero or more non-spaces in 5.005, but fails in 5.8.0?

I had to change some code in parrot to get it to build under Red Hat 9.
Specifically, I had to change:

            if ($line =~ m/TEMPLATE\s+([^\s]*)\s*{/) { #}
    to:
            if ($line =~ m/TEMPLATE\s+(\S*)\s*{/) { #}

Oddly Enough

Fri, 09 May 2003 15:05:45 GMT

CDW is now posting images of boxes they send to you. Truly weird (and kinda cool).

Wed, 07 May 2003 21:10:42 GMT

wilee,

newegg.com is considering carrying automotive parts. Computer hardware and car parts at the lowest possible prices. Heaven, right? :-)