Manhattan, entrance to South Ferry subway station. Returning from a tour of Liberty and Coney islands, I stop to take a photo of a group of street performers taking a break between acts. One of them asks me something I can’t quite hear, I get closer and ask him to repeat. He says: “got that in focus?”. “I think so, yeah.” I take another one anyway, then move on.
Manhattan, the next day. I copy the photos from my camera and see it in detail:
What a lovely city.
Well not really. There wasn’t much to eat, anyway. I sat down and thought about why I had a blog in the first place, and it seems that a lot of them disappeared:
- to have a blog: mission accomplished! no need to actually write anything
- for telling people who care about what I’ve been up to: Twitter is simpler and therefore more likely to actually get used
- for sharing interesting links: Google Reader is better (and I don’t just say that because I work on it)
- for narcissistic circle-jerking with fellow nerds: Facebook dominates that business and is popular with non-nerds (endless stalking opportunities!)
- for posting pictures, it’s far easier to use Picasa
- for unleashing unto the world results of applying my masterful wordsmithing to original, thought-provoking ideas backed by solid research and references.. uh, right, never mind that one.
So, what’s changing? Not much, I guess: the blog stays, and I’ll probably be just as lazy in writing – I’ll just feel less guilty about it.
PS: Check out Friendfeed if you’re a stalker (hi M.!) and don’t want to click on the links above over and over again.
Italians take their food seriously.
How seriously? There’s a company called Flying Mozzarella that will deliver you freshly made mozzarella from Italy to anywhere in Europe (and possibly further, I’m not sure). You order online – in 1kg increments – they make it in the morning and ship it by air right away. It’s delivered in the afternoon and you’re supposed to eat it the same day in order to fully enjoy it.
This sounds quite crazy and I laughed when a group of coworkers made an order together to split the shipping cost (it’s less than €2/kg if you have enough people). It sounded like too much trouble and besides, how would I eat a kilo of cheese by myself?!
The idea took off: people liked the cheese and group orders were organized every other month or so for the past half year. The most recent one happened last week and given that I now have an Italian flatmate that I could split with, I joined in. Last Thursday, my dinner consisted entirely of very freshly made Italian mozzarella, sliced tomatoes, olive oil and bread.
OM NOM NOM NOM
I’ve switched the RSS feed to Feedburner (mostly so I can play with the admin interface). Depending on which software you use to subscribe, this might cause a bunch of old items to show up as unread – my apologies for that.
Needing a break from what has become an all too mundane Ireland, I found an excuse to take a vacation and spent the better part of yesterday island hopping. How so? Well, I flew from Dublin to London to Reykjavik. It’s too late to make a proper post, so here are several rough (it’s 4 AM) notes:
- Icelandair is one of the nicer airlines I flew with recently
- they have really fancy inflight touchscreen entertainment systems
- …which are slow
- …and they try to charge you 10 quid for watching the feature films (the TV documentaries are free)
- …if you open the plastic seal from the headphones, it costs you 3 quid (NOT COOL. Bring your own)
- there’s a USB port next to the screen. Judging from the inflight magazine, it’s for some sort of game controller. I wonder what else you can do with it.
- getting drunk on a plane is even better than getting drunk on the train
- Iceland seems to have a law that requires all women to be exceedingly blonde and cute
- somewhat related, hot eastern european women seem to have jobs here that require them to be in hotel lounges at 3 AM, accompanied by their large, humorless male friends (the kind that you mentally nickname as “Bruno”)
- everybody in Iceland seems to speak English (it’s like having a Netherlands flashback)
- even though I haven’t seen much (besides the bus trip from Keflavik to my hotel in downtown Reykjavik), I have an overwhelming feeling that I’ve been here before. It’s really weird.
By default, xterm scrolling (with the mouse wheel) doesn’t work with screen. Since screen’s scrollback buffer is so useful (I set mine to 100000 – screen is routinely the largest process on my work machine), wouldn’t it be neat if the mouse wheel scrolled through it instead? It turns out it can, just add the following to your .screenrc:
termcapinfo xterm* ti@:te@
This should work with any xterm compatible terminal, although I’ve only tested it with gnome-terminal and putty. It only deals with the scrollback as xterm saw it, so it won’t work as you expect it to after you’ve just switched screen views. Still, it’s better than nothing and extremely useful if you tend to have windows attached to the same screen view for a long time.
A fundraising campaign aimed to put “There’s probably no God. Now stop worrying and enjoy your life” ads on London buses raised, up until I write this, £42 110 (it was 16 000 this morning, and their goal was 5 500). This is easily the coolest thing I’ve seen recently.
Before you jump and say that Dawkins is crazy and that this whole thing is overboard for a group of people that aren’t supposed to care, consider that it was done “to counter the religious ads running on public transport, which featured a URL to a website telling non-Christians they would spend ‘all eternity in torment in hell’, burning in ‘a lake of fire’” (or better yet, just read the article).
Well, not really. But if you’re in the tech industry you’ve surely heard about the recently discovered DNS vulnerability, and if you’re the curious type you tried to guess how it might work. Dan Kaminsky had wisely decided to postpone the full disclosure until the Black Hat conference, but it was just a matter of time before somebody figured it out. Halvar Flake just did. In short:
- Send loads of requests for nonexistent FQDNs to a resolver you want to poison. You can do this on non-public resolvers too – just get one of their clients to load a web page you control.
- Start spoofing responses for those nonexistent FQDNs. Make sure you include glue records in them for, say, the .com zone.
- Wait until one of your spoofed responses matches the QID that the resolver used.
- ???
- Profit! The target resolver is now delegating all .com queries to you. You did set a long TTL, right?
This sounds entirely unrealistic, until you start to do back-of-the-envelope math on just how many lookups and tries you must do – a couple minutes should be enough on any modern broadband link. I suspect Kaminsky’s presentation will come complete with number magic and tools to make this very quick and straightforward.
Amusing side note: Matasano’s blog just covered this story, linking to Flake’s blog. Not only did they give a simple technical introduction/explanation of how and why it works, but they also confirmed that “the cat is out of the bag”. That wasn’t just a guess about the validity of a guess – they know for sure because they’ve spoken with Kaminsky before and confirmed that the exploit is for real: “Dan has the goods”. The amusing part? They pulled the confirmation story about 2 hours after it was published. The cat is already out of the bag, guys ;-)
This attack is truly scary, for two reasons:
- It’s dead simple, yet extremely effective. Patching all affected resolvers will take quite a while, leaving a lot of people vulnerable in the meantime. There are certain circumstances (mainly NAT setups) in which a patched resolver can still be poisoned.
- The patch (randomizing source ports for DNS queries – and proving that DJB was wise, not paranoid) will only work for so long. The roughly 30 bits of entropy (instead of the current 16) will last a while, but connection speeds keep increasing, not to mention the probability of somebody coming up with an even more clever attack.
Update: Kaminsky confirms and provides details. Vixie and Dagon came up with a clever hack to extend the amount of entropy in QIDs.
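The back-of-the-envelope math, as an added example (not from the original post or from Kaminsky's material): it treats each lookup as one race and compares how long 16 bits, the patch's roughly 30 bits, a port-rewriting NAT and 0x20 mixed-case names hold out. The 2^14 port pool, 10,000 forged replies per second and 50 ms answer window are assumptions, and the NAT case assumes the worst, that source ports become fully predictable.

```python
import math

QID_BITS = 16            # DNS transaction ID width
PORT_POOL = 2 ** 14      # assumed usable source ports, giving the post's "roughly 30 bits"

def effective_bits(random_ports=False, behind_nat=False, qname_letters=0):
    """Bits an off-path spoofer must guess for a forged reply to be accepted."""
    bits = QID_BITS
    # Assumption: a NAT that rewrites source ports predictably cancels the patch.
    if random_ports and not behind_nat:
        bits += math.log2(PORT_POOL)
    # 0x20 mixed-case encoding: about one extra bit per letter in the name.
    bits += qname_letters
    return bits

def races_needed(bits, forged_per_race, target=0.5):
    """Outstanding queries needed before P(some forged reply matched) >= target."""
    p = min(1.0, forged_per_race / 2 ** bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1 - target) / math.log1p(-p))

def seconds_until_likely_poisoned(bits, forged_pps=10_000, window_s=0.05, target=0.5):
    """Time for the cumulative match probability to reach `target`.

    forged_pps and window_s (time before the genuine answer arrives) are
    assumed figures for a broadband-class sender, not measurements.
    """
    per_race = max(1, round(forged_pps * window_s))
    return races_needed(bits, per_race, target) * window_s

def compare():
    """Hold-out time in seconds for each resolver setup discussed in the post."""
    setups = {
        "unpatched (QID only)": effective_bits(),
        "patched (random ports)": effective_bits(random_ports=True),
        "patched, behind NAT": effective_bits(random_ports=True, behind_nat=True),
        "patched + 0x20, 10 letters": effective_bits(random_ports=True, qname_letters=10),
    }
    return {name: seconds_until_likely_poisoned(b) for name, b in setups.items()}

if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:28s} {secs:14.1f} s  ({secs / 3600:.1f} h)")
```

Under these assumptions the unpatched resolver holds out for seconds and the patched one for most of a day, which is why a faster link or a NAT that undoes the port randomization matters so much.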
… except it’s in the present. An amazing video documentary about North Korea, well worth watching. I was young enough during the communist regime in Romania for this to not bring back too many memories, but I’m sure my older readers will find it terrifying.
By far, the most frustrating thing about working at Google is not being able to talk much about the technology we use internally – especially the scale of some of the things we do. I’m really glad to see that Jeff Dean gave an interesting talk at the I/O conference and that, among other things, it has numbers! There’s a video and slides, so here you go: Underneath the Covers at Google: Current Systems and Future Directions.
Who the heck is Jeff Dean?! I hear you ask. He’s a Google Fellow (I believe that’s the highest engineering distinction you can have here), and so famous that somebody built a Chuck Norris-style “Jeff Dean facts” site for last year’s April Fools’. Here are 3 of my favorite facts:
- During his own Google interview, Jeff Dean was asked the implications if P=NP were true. He said “P = 0 or N = 1.” Then, before the interviewer had even finished laughing, Jeff examined Google’s public certificate and wrote the private key on the whiteboard.
- Compilers don’t warn Jeff Dean. Jeff Dean warns compilers.
- The rate at which Jeff Dean produces code jumped by a factor of 40 in late 2000 when he upgraded his keyboard to USB2.0.