Month: January 2006

PDFs that fink

Here’s a tricky little privacy hole: Adobe PDF Reader 6.0 and later will automatically (and silently) execute JavaScript that’s been embedded in a PDF file, and LWN reports that a company called Remote Approach uses this “feature” to tag a PDF so it’ll phone home to their servers whenever it’s opened. Their customers can then go to a special webpage to track when the PDF was opened and from what IP address.

I’m sure you can think of your own scenarios where this would be a Bad Thing™, but the case that brought it to my attention was from a supposedly-anonymous reviewer of an academic paper who discovered Remote’s website in his firewall logs.

The simple moral of the story is that content formats should not be able to run arbitrary code, but the more general point is one of setting limits and expectations. End-users need to be able to limit what’s run on their own computers, and when the actual limits are broader than what a naive user might expect (such as when their supposedly-static PDF document can actually access the network) it’s extra important for the system to alert the user to what’s happening and get permission first.

To their credit, Adobe seems to have heeded the moral: the current version of Acrobat Reader (at least on the Mac) gives a pop-up warning saying the PDF is trying to access a remote URL, and allows you to save your security settings on a site-by-site basis. I don’t know when they added this alert or whether it was in response to problems like those I mentioned, but regardless it’s nice to see the feature.
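Since the tagging described above depends on a script that fires as soon as the document is opened, a quick defensive check is to look at the raw PDF for the names that carry that behaviour: /OpenAction or /AA (the triggers) combined with /JavaScript or /JS (the script). The scanner below is an added example, not code from the post or from Remote Approach; the two sample PDFs are constructed inline, and the script body in the tagged one is a placeholder rather than a real phone-home payload.

```python
import re

# PDF name objects that let a document act on its own. /OpenAction and /AA are
# the triggers; /JavaScript and /JS carry the script; the rest are action types
# that can reach the network or the local system.
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/URI",
               "/SubmitForm", "/Launch", "/GoToR", "/EmbeddedFile")

def _normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each risky name in the uncompressed object dictionaries of a PDF.

    Caveat: objects packed into compressed object streams (/ObjStm with
    /FlateDecode) are invisible to this raw scan; inflate them first.
    """
    text = _normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # A name ends at whitespace or a delimiter, so /JS does not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts

def auto_runs_script(data: bytes) -> bool:
    """True when the PDF carries JavaScript and has a trigger that fires it on open."""
    c = scan_pdf(data)
    has_script = "/JavaScript" in c or "/JS" in c
    has_trigger = "/OpenAction" in c or "/AA" in c
    return has_script and has_trigger

# Constructed sample: catalog with an open-action pointing at a JavaScript action
# object whose name is hex-escaped; the script body is a placeholder, not real code.
TAGGED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (JS_BODY_PLACEHOLDER) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample with no actions at all.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A hit from auto_runs_script is a reason to open the file with JavaScript disabled in the reader, not proof of tracking, since legitimate forms use the same machinery.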

(Thanks to Dirk for the link.)

Exploding drawer trap

I just posted another DIY-trap page, this one an exploding-cap trap for a drawer. This is what I’d call a third-level trap: it takes a bit of dexterity and knowledge to disarm, but anyone with a little experience shouldn’t have any trouble getting past it. I never sent this one off to Jay; it just sits on my shelf to surprise visitors who haven’t learned to be careful when opening boxes around my place.

You can browse through previous traps at my Traps Gallery (I’ve only posted a couple so far, but more will be coming).

Google Talk joins the federation

I’m a bit late on this, but I’m psyched to see that last week Google flipped the switch to allow all their Google Talk instant messenger accounts to talk to any other Jabber client out there. I’ve not verified it yet, but I think that included people with .Mac accounts using iChat, and BigBlueBall has a nice tutorial on how to use the federation to hook up your GTalk account directly to AIM, Yahoo!, MSN and ICQ using Jabber transport services.

This is the final step I’ve been waiting for before ditching my AIM account and going entirely to Jabber!

A gargoyle on the roof…

…sounds crazy, no?

Gargoyle on the roof

File this one under “Only in San Francisco.” One of the attractions at a friend’s birthday party this past weekend was watching them have their chimney swept by a gargoyle.

In hindsight, I guess being a chimney-sweeping grotesque architectural decoration is an odd odd job to have, but somehow Shadow (a costuming major from USCS who always swept out his Dad’s chimney every year) made it seem like a perfectly normal thing to do. Heck, maybe it is…

[more pictures]

Multishot pellet-gun trap

For over fifteen years my friend Jay and I have exchanged trapped presents at Christmas. When I say trapped I mean it in the classic Circle of Death game style — if you open the present carelessly a buzzer will sound or an explosive cap will trigger.

I usually focus on making it difficult to find and disarm a simple explosive-cap trap, but this year I wanted to change things up a bit and focus on the effect itself. In particular, I wanted to make a box trap that would shoot darts out in all directions, machine-gun style. It had to be completely mechanical (what can I say, I like the style better), and had to be stable enough to ship through the mail without going off or getting jammed. After many attempts I landed on this rather elegant sprung-hammer design (click for video and construction notes).

GPLv3 and the DMCA

The Free Software Foundation has posted a draft version of the new General Public License v3.0 and is soliciting comments. One thing that caught my eye is language intended to make it more difficult for people to use GPLed code in DRM systems:

3. Digital Restrictions Management

As a free software license, this License intrinsically disfavors technical attempts to restrict users’ freedom to copy, modify, and share copyrighted works. Each of its provisions shall be interpreted in light of this specific declaration of the licensor’s intent. Regardless of any other provision of this license, no permission is given to distribute covered works that illegally invade users’ privacy, nor for modes of distribution that deny users that run covered works the full exercise of the legal rights granted by this License.

No covered work constitutes part of an effective technological protection measure: that is to say, distribution of a covered work as part of a system to generate or access certain data constitutes general permission at least for development, distribution and use, under this License, of other software capable of accessing the same data.

I gather the second paragraph is intended to grant specific permission to reverse-engineer and make derivative works under the DMCA. It’s an interesting tactic, but I’m not sure how often the licensor of the software (and thus the person granting general permission) would also own the copyright on the data being produced. If I make a DRM-enabled video-player and you break my crypto on the new Disney movie it’s playing, isn’t it Disney who’ll come after you under the DMCA? What difference does it make if you have my permission?

Keyboard not found, press any key to continue…

I just installed TurboTax Deluxe 2005 for the Mac (Intuit annoys me, but TaxCut discontinued their Mac version). Their installation program includes the following End-User License Agreement dialog box:

[image: TurboTax Deluxe 2005 EULA dialog]

Notice anything missing in this agreement that asks me to confirm that I’ve read and printed a copy? Like, say, a way to actually print the stupid thing? No print button, no menu items functioning, not even a way to resize the tiny window. About 20% of the way down (just below the part saying I agree to notify them promptly if my email address changes) is a note saying:

(f) Printing. You may print this document by clicking on the print button or by going to the TurboTax web site at www.turbotax.com to access and print a copy of it.

Of course, there’s no print button and no indication of where on their website this elusive copy of the EULA can be found (I eventually found the link in the fine print at the very bottom of their page).

And I’m trusting these guys with my taxes?

When everyone on the team is a rocket scientist…

The European Space Agency & Australian National University just announced a new type of ion engine that has four times the efficiency of previous engines. That’s pretty cool, but the part of the story that really impressed me was this:

The new experimental engine, called the Dual-Stage 4-Grid (DS4G) ion thruster, was designed and built under a contract with ESA in the extremely short time of four months by a dedicated team at the Australian National University. “The success of the DS4G prototype shows what can be achieved with the passion and drive of a capable and committed team. It was an incredible experience to work with ESA to transform such an elegant idea into a record-breaking reality”, says Dr. Orson Sutherland, the engine’s designer and head of the development team at the ANU.

I don’t know how much technology they were able to leverage or really what’s involved, but 4 months sounds really fast to go from idea to working prototype. Wow.

(Thanks to Nerfduck for the link!)

SeV Sport TEC

[image: SeV Sport TEC 4.0 jacket]

My friend Jay got me an SeV Sport TEC jacket for Christmas — I haven’t used the “Personal Area Network” channels for iPod headphones or the like (yet), but man is it nice to have all these pockets. I gave it a test drive in Joshua Tree National Park last weekend, and it was great to have one pocket for the camera, another for the wallet, a third for “little important things” like matches, LED flashlight & pocketknife, a fourth for trail maps, a fifth for trail mix, a springy lanyard for the car key, a back pouch for the removable sleeves, etc. I kept finding new pockets all through the trip, each with a little card in it printed with suggestions for what I might use it for. Definitely the great geek-gift of the season!