Spurred on by gps‘s recent mach blogging (and a blogging dry spell to rectify), I thought it’d be worth noting a new mach feature I landed in mozilla-inbound yesterday: build-complete notifications on Linux.
On OS X, mach build spawns a desktop notification when a build completes. It’s handy when the terminal where the build’s running is out of view — often the case given how long builds take. I learned about this feature when stuck on a loaner Mac for a few months due to laptop issues, and I found the notification quite handy. When I returned to Linux, I wanted the same thing there. evilpie had already filed bug 981146 with a patch using DBus notifications, but he didn’t have time to finish it. So I picked it up and did the last 5% to land it. Woo notifications!
(Minor caveat: you won’t get a notification if your build completes in under five minutes. Five minutes is probably too long; some systems build fast enough that you’d never get a notification. gps thinks this should be shorter and ideally configurable. I’m not aware of an existing bug for this.)
Hello, readers! Today I bring you two posts about law: one Mozilla-related, one not. This is the Mozilla-related post. Mozillians may already know this background, but I’ll review for those who don’t.
In 2010 Goatse Security (don’t look them up) discovered a flaw in AT&T’s website. AT&T’s site detected accesses from iPads, extracted a unique account number sent by the iPad, then replied with a private account email address. Account numbers were guessable, so if someone “spoofed” their UA to look like the iPad browser, they could harvest private email addresses using their guesses.
The people who figured this out were classic Internet trolls interested (to a degree) in minor mayhem (“lulz”) because they could, and they scraped 114000+ email addresses. Eventually Andrew Auernheimer (known online as “weev”) sent the list to Gawker for an exclusive.
The sky is falling!
AT&T, Apple, the people whose addresses had been scraped, and/or the government panicked and freaked out. The government argued that Auernheimer violated the Computer Fraud and Abuse Act, “exceeding authorized access” by UA-spoofing and loading pages using guessed account numbers.
This is a broad interpretation of “authorized access”. Auernheimer evaded no security measures, only accessed public, non-login-protected pages using common techniques. Anyone who could guess the address could view those pages using common browser addons. People guess at the existence of web addresses all the time. This site’s addresses appear of the form “/year/month/day/post-title/”. The monthly archive links to the side on my site have the form “/year/month/”. It’s a good guess that changing these components does what you expect: no dastardly hacking skills required, just logical guesses and experimentation. And automation’s hardly nefarious.
So what’s Mozilla’s brief with this?
Developers UA-spoof all the time for a variety of innocuous reasons. Newspapers have UA-spoofed during online price discrimination investigations. If UA spoofing is a crime, many people not out for lulz are in trouble, subject to a federal attorney’s whims.
Changing the value of X in the AT&T webpage address is trivial to do. For example, to visit this Court’s homepage, one might type the address “http://www.ca3.uscourts.gov/” into the address bar of the browser window. The browser sends an HTTP request to the Court website, which will respond with this Court’s homepage. Changing the “3” to “4” by typing in the browser window address bar returns the Court of Appeals for the Fourth Circuit’s homepage. Changing the “3” to a “12” returns an error message.
Illustrating the number-guessing technique (and implying its limitations in the “12″ part) via the circuit courts’ own websites? Brilliant.
Back to Auernheimer
The court recently threw out Auernheimer’s conviction. Not on CFAA grounds — on more esoteric matters of filing the case in the wrong court. But the opinion contains dicta implying that breaching a password gate or code-based barrier may be necessary to achieve a conviction. The government could bring the case in the right court, but with the implied warning here, it seems risky.
Auernheimer isn’t necessarily a sympathetic defendant. It’s arguably impolite and discourteous to publicly disclose a site vulnerability without giving the site notice and time to fix the issue. It may be “hard to feel sorry for them being handed federal criminal charges” as Ars Technica suggested.
But that doesn’t mean he committed a crime or shouldn’t be defended for doing things web developers often do. Justice means defending people who have broken no laws, when they are threatened with prosecution. It doesn’t mean failing to defend someone just because you don’t like his (legal) actions. Prosecution here was wrong.
One final note
I heard about the AT&T issue and the brief outside Mozilla. I’m unsure what Mozilla channel I should have followed, to observe or discuss the decision to sign onto this brief. Mozilla was right to sign on here. But our input processes for that decision could be better.
The printf family of functions take a format string, containing both regular text and special formatting specifiers, and at least as many additional arguments as there are formatting specifiers in the format string. Each formatting specifier is supposed to indicate the type of the corresponding argument. Then, via compiler-specific magic, that argument value is accessed and formatted as directed.
C originally only had char, short, int, and long integer types (in signed and unsigned versions). So the original set of format specifiers only supported interpreting arguments as one of those types.
With the rise of <stdint.h>, it’s common to want to print a uint32_t, or an int64_t, or similar. But if you don’t know what type uint32_t is, how do you know what format specifier to use? C99 defines macros in <inttypes.h> that expand to suitable format specifiers. For example, if uint32_t is actually unsigned long, then the PRIu32 macro might be defined as "lu".
uint32_t u = 3141592654;
printf("u: %" PRIu32 "\n", u);
Unfortunately <inttypes.h> isn’t available everywhere. So for now, we have to reimplement it ourselves. The new mfbt header mfbt/IntegerPrintfMacros.h, available via #include "mozilla/IntegerPrintfMacros.h", provides all the PRI* macros exposed by <inttypes.h>: by delegating to that header when present, and by reimplementing it when not. Go use it. (Note that all Mozilla code has __STDC_LIMIT_MACROS, __STDC_FORMAT_MACROS, and __STDC_CONST_MACROS defined, so you don’t need to do anything special to get the macros — just #include "mozilla/IntegerPrintfMacros.h".)
The implementations of <inttypes.h> in all the various standard libraries/compilers we care about don’t always provide definitions of these macros that are free of format string warnings. This is, of course, inconceivable. We can reimplement the header as needed to fix these problems, but it seemed best to avoid that til someone really, really cared.
<inttypes.h> also defines format specifiers for fixed-width integers, for use with the scanf family of functions that read a number from a string. IntegerPrintfMacros.hdoes not provide these macros. (At least, not everywhere. You are not granted any license to use them if they happen to be incidentally provided.) First, it’s actually impossible to implement the entire interface for the Microsoft C runtime library. (For example: no specifier will write a number into an unsigned char*; this is necessary to implement SCNu8.) Second, sscanf is a dangerous function, because if the number in the input string doesn’t fit in the target location, anything (undefined behavior, that is) can happen.
sscanf("256", "%" SCNu8, &u); // I just ate ALL YOUR COOKIES
IntegerPrintfMacros.h does implement imaxabs, imaxdiv, strtoimax, strtoumax, wcstoimax, and wcstoumax. I mention this only for completeness: I doubt any Mozilla code needs these.
This is part two of a series of posts discussing various aspects of a bike trip I did across the United States in 2012. Part 1 discussed the start of the trip and choosing a route. This post discusses my daily routine and where I sheltered each night.
The daily grind
After the first-day snafu, the trip went basically as planned.
I started biking each day sometime in the morning (from as early as 04:00 to as late as 11:45). I finished sometime before or within a couple hours of dark (in the range of 17:00 to 22:00, dependent on my destination) after typical distances of 90-130 miles. Knowing I was on a marathon, I deliberately never pushed for any real length of time. When I hit an uphill, I shifted to the lowest gear that felt comfortable and kept pedaling; I never attempted to power up a hill. And in flatlands I traveled at whatever pace was comfortable, not aiming for speed.
Around home through Bay Area flatlands I usually push myself and average 17-18mph during riding time, depending where and how far I go. On this trip 14-16mph was more common, and I had days well below that. Somewhat hilariously, when I returned I found myself in worse cycling shape by this metric: I was slower than my previous average for awhile, until I could, er, get back into shape. (I also returned well out of shape for playing ultimate frisbee, as I expected would happen from not running and walking little for over a month. When I first played after returning, I had plenty of endurance. But my muscles quickly made it abundantly clear that if I sprinted or made a break, I would hurt myself.)
At night I stayed a variety of places. About half the time I camped in a one-man Eureka Solitare tent. (There’s no better 2.5-pound three-season tent out there for its $90 price. Its only demerits are its fiberglass poles [which long ago I was forced to replace with aluminum poles, that have posed no problems] and, occasionally, its not being freestanding.) I slept in a 45-degree bag (too warm!) and a short-length inflatable sleeping pad. These nights were usually in campgrounds, but I stayed in city parks several times in the middle of the country, when allowed. The rest of the time I stayed in motels of varying quality, from $40 to $100+ for the night, sometimes with a meal, sometimes with a pool, sometimes with nothing.
There were a few nights where I neither camped nor stayed at a motel. A local resident of Ordway, CO graciously shared her home with cyclists, and I ended up staying there a night with a couple other cyclists, some heading west, some heading east. The city of Farmington, MO maintains Al’s Place, a hostel for cyclists on the TransAmerica, and I stayed there a night with another cyclist heading east. I also visited The Place, a hostel in Damascus, VA that I’d stopped at while hiking the A.T. And at the end of the trip, in Yorktown, Grace Episcopal Church provided space for cyclists to stay: much appreciated as a base for me to regroup before heading to an airport to fly home.
One additional hostel that I didn’t visit deserves special note. The TransAmerica Trail was first inaugurated in a 1976 mass cross-country ride. One woman along the way, June Curry, put out a sign informing passing cyclists that they could get water at her house if they wanted. One thing snowballed into another, and eventually, somehow, she found herself opening a hostel as a place for passing cyclists to stay, offering much other hospitality as well. Unfortunately June Curry died just before I started my trip, so I couldn’t meet her. But I’d heard the hostel would still be open and running when I passed through, and even if it weren’t, it’d be worth a visit just to learn about the place. The day I’d hoped to stay, however, was the day after my longest day the entire way — which meant I’d roll in fairly late, certainly after dark. I tried calling ahead, multiple times, to see if it’d be okay showing up later. But I couldn’t get a response, and after a last attempt before the sun went down, I gave up and went with alternative lodging.
If my pace were more leisurely, I might have tried out Warm Showers, a site for on-the-road cyclists looking for a place to stay overnight. But as I mostly didn’t know where I’d be til end of day (I set aggressive goals that I didn’t always reach, or only reached late in the evening — see the June Curry story above), the last-minute scheduling seemed way too much hassle for both me and any person who might be willing to host me for a night. It seemed much better to use campgrounds or motels that expect people to spontaneously show up (and more to the point, are specifically paid market rates for it), than to put people hosting mostly for fun through any hassle.
One year ago, after 37 days of biking around ~3875mi total starting in San Francisco, I reached Yorktown, VA to finish biking across the country. An exact day-to-day accounting would likely bog down in uninteresting logistics (particularly given the way I traveled — other approaches would likely yield more interesting day-by-day commentary). Instead, I’m going to cover a variety of topics of interest from the trip, in somewhat random order, in series. If you want a very cursory, sometimes out-of-order account of the trip, reading approximately July 18 to August 25 of my Twitter stream covers it.
An inauspicious start
The trip got off to a bumpy start the Tuesday night before I planned to leave. I planned to ride my spiffy, super-light carbon-fiber racing bike. I use it for regular transport, so I waited to get a final tune-up til the last minute, picking it up the evening before I departed. I began loading it with panniers and gear. Racing bikes don’t have mounts for carrying gear, so I’d use a seatpost rack (with correspondingly light ~16-pound load). When I began attaching the rack, I noticed the clamp matched a much smaller-diameter seatpost. Looking at how the clamp would make contact with the seatpost, it suddenly occurred to me that attaching a seatpost rack to a carbon fiber seatpost might not be a good idea. Carbon fiber is strong along its length, not laterally: the clamp could easily crush the seatpost.
Wednesday morning, I asked the bike shop if they had an aluminum seatpost of the right size. They wouldn’t have one til Friday. Other local shops didn’t have any, either. Replacing the seatpost was out.
Seeing no other options…I went to the first bike shop, bought a non-carbon road bike that fit me, walked home with it, transferred gear and pedals to it, and biked to Caltrain to head to San Francisco to start the trip.
Thus I crossed the country on a bike I bought the day I left.
This is crazy. But not quite as crazy as it sounds. I’d purchased a 2012 Scattante R-570; I’d previously owned the 2010 version, so I knew I’d be comfortable. And months before, I’d considered getting a touring-oriented bike for extra carrying capacity. But I’ve never spent money very easily. I had the money, but I didn’t want to spend it if I didn’t have to.
Now I was in a “have to” situation. Riding a totally untested bike would rightly scare most people to death. Most people would probably cancel the trip or substantially change plans. But my philosophy is that what must be done, can be done. So I did it.
Other than lost biking time (day 1 was 23.76mi route miles rather than the ~100mi I’d intended — no small loss, but not huge, either), all I lost was the ability to buy the bike on sale for ~$160 less. It could have been worse.
Choosing a route
I traveled pretty much entirely with the aid of the Adventure Cycling Association‘s route maps. I considered finding my own route, but I discarded the idea for lack of time and being unsure I’d enjoy route-planning. In hindsight this was clearly the right choice. Unless you enjoy route-planning for its own sake, buy existing cycling maps. You’ll get better routes, and more cycling-useful information, than you can create on the fly. (Plus GPS units cost hundreds of dollars and must be charged every night.)
The 4200-mile TransAmerica Trail goes from Oregon into Montana, southeast to Pueblo in Colorado, then east to Virginia and the coast. It’s the most well-known and commonly-used cross-country route. The 1580-mile Western Express goes from San Francisco to Pueblo. Most people do the TransAmerica because it avoids much waterless desert and elevation change. For me, convenience and available time made the Western Express and eastern TransAmerica a no-brainer.
A definite perk to using an existing route is that the roads will be good for cycling. Often I was on relatively empty back roads, or on state roads with light traffic. The worst roads were in the Rockies in Colorado, likely because of the terrain. The worst regularly-bad road occurred between Cimarron and Sapinero along US-50: a narrow, winding stretch of road with little shoulder and a bunch of RV traffic, where I should have occasionally taken the entire lane rather than let anyone unsafely pass me. Colorado also had the worst irregularly-bad stretches of road, along CO-145 due to road construction. There were two two-mile stretches of riding through gravel where roads were being re-oiled, which I rode through (what choice did I have?) past Motorcycles use extreme caution signs on 700×23 tires (less than an inch wide). Good times. And the stretch from Telluride to Placerville had so much construction dust I sometimes couldn’t see ten feet; I had to stop and turn on head and tail lights to be visible. But generally, ignoring these rare exceptions, the roads were great.