Monday, April 27, 2009

Erlang Factory Day 1 - Unorganized Sketches

Going pretty well. Days 1-3 of this thing are a course. I’m signed up for the OTP Express course, where OTP means Open Telecom Platform and not One True Pairing. You can read more through the link. So far, I haven’t learned all that much that’s new to me, but it’s been very nice to have an expert at hand to tell me what I’m doing wrong and what I’m doing right. I expect to learn a lot more new stuff in the coming days.

Perhaps as cool — maybe moreso — are the people that you get to meet through an event like this. I can see why tech conferences are such popular events.

Yesterday, my colleagues and I walked around the Stanford University campus, and I found a scribbling on the men’s bathroom somewhere in the History Corner that I think is a great reflection of Stanford students. I’ll post it when I find some photo software that can handle XTi raw files — F-Spot can read them but can’t manipulate them, or at least not with the plugin loadout I have, and I don’t really feel like getting it to work at the moment.

It is oddly cold and cloudy here in Palo Alto. What’s up with that? I thought southern-ish California was supposed to be all warm and sunny year-round.

Friday, April 24, 2009

Thoughts On Jaunty Jackalope

tl;dr version: It’s really slick.

Running Ubuntu 9.04 off the LiveCD on my Macbook Pro to see how things work. It’s all going very well, from the important bits like not needing any proprietary drivers to fully utilize all the system hardware to little touches like touchpad scrolling (horizontal and vertical). In my perception, Ubuntu 9.04 is snappier than OS X (admittedly, Tiger) on this machine.

The font rendering in Ubuntu 9.04 is very clean: UI font rendering is crisp, and glyphs are smooth in Firefox. Can’t say anything about the typography engine used by GNOME applications in Jaunty Jackalope; I suspect OS X may still have an advantage there, but I haven’t installed any font files that would allow me to run some ad-hoc tests (like testing automatic ligature glyph substitution) and I’m not sure if the fonts that are bundled with Ubuntu have those features. All that said, I’m not really too concerned about the underlying engine, as 99% of my font usage is a nice monospace font in a programmer’s editor, on the Web, or — if I really need the ultimate in typographic power — through XeTeX.

So I think the only two things I’m really missing are color management (though that’s probably hiding somewhere; I’m sure someone’s worked out a system with e.g. LittleCMS) and an application for me to quickly manage my growing collection of raw-data photos. F-Spot doesn’t quite seem to be able to cut it.

I have been planning to build a capital-F free photo manipulation and management application, though; I’ve never really enjoyed being subjugated by Lightroom. (Besides, Lightroom 2.2 is disgustingly unresponsive on my machine.) Maybe this is it?

Monday, April 13, 2009

SSL Amusement

nevrast:~ trythil$ wget https://www.netc.navy.mil/naswf/tower/tower.cfm
--2009-04-13 14:18:19--  https://www.netc.navy.mil/naswf/tower/tower.cfm
Resolving www.netc.navy.mil... 206.37.214.144
Connecting to www.netc.navy.mil|206.37.214.144|:443... connected.
ERROR: cannot verify www.netc.navy.mil's certificate, issued by `/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-13':
  Unable to locally verify the issuer's authority.
  To connect to www.netc.navy.mil insecurely, use `--no-check-certificate'.
  Unable to establish SSL connection.

www.netc.navy.mil uses an SSL certificate signed by “U.S. Government” (organization or “O”), which is part of the “DoD” (organizational unit or “OU”). That issuer isn’t in any widely distributed default list of “trusted” certificate authorities, and nothing in the “U.S. Government” signer’s certificate chain leads back to a trusted signing authority. The short version: there’s no way to automatically verify who owns the machine I connected to.

When faced with manual verification, people generally just accept the SSL certificate as valid. Sometimes this is because the user agent software doesn’t provide enough information to perform manual validation (e.g. Mobile Internet Explorer, which won’t show you any SSL certificate information), but most of the time it’s just because people are lazy.

With a little bit of DNS hijacking, anyone could claim to be “U.S. Government”, and just about everyone would fall for it. What you could do with a hijacked site like this is left as an exercise for the reader. (One possibility: Federal and state tax deadlines are coming up.)

The amusing bit here (to me, anyway) is that this site gives a reason to expect a certificate signed by “U.S. Government”, as a (supposedly) legitimate site under the purview of an organization in the real United States government (i.e. the Navy) uses it. Without such sites it’d be a lot easier to immediately dismiss such certificates as bogus.
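As an added illustration (this is not part of the original post, and none of the names in it are real), the script below builds a throwaway private PKI with the openssl CLI: a self-signed root that no public trust store knows about, an intermediate signed by it, and a leaf for a made-up server. It then checks the leaf the way wget did above: with no trust anchor supplied, verification fails exactly as in the post, and the correct fix is to hand the client the private root that was obtained out of band, not to turn verification off. It assumes the openssl command-line tool is installed; the subject names and hostname are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed. All subject names and the hostname below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private root CA: stands in for the root that signs "DOD CA-13" in the post.
# No public trust store ships it, so clients cannot verify it "locally".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=US/O=Example Org/OU=PKI/CN=Example Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the private root (the "CA-13" role).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/O=Example Org/OU=PKI/CN=Example CA-13" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# Leaf certificate for a constructed server name, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/O=Example Org/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# verify_chain LEAF INTERMEDIATE [TRUSTED_ROOT]
# Prints "ok" when the chain ends at a trust anchor the caller supplied and
# "untrusted" otherwise, which is what wget reported as "Unable to locally
# verify the issuer's authority". Without a root we also disable the system
# store so the result does not depend on what happens to be installed.
verify_chain() {
  leaf=$1; inter=$2; root=${3:-}
  if [ -n "$root" ]; then
    anchors="-CAfile $root"
  else
    anchors="-no-CAfile -no-CApath"
  fi
  # shellcheck disable=SC2086
  if openssl verify $anchors -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

echo "no trust anchor:      $(verify_chain leaf.pem inter.pem)"
echo "private root trusted: $(verify_chain leaf.pem inter.pem root.pem)"
```

The second call is the defensible way out of the situation in the post: distribute the organisation's root certificate through a channel you already trust and point the client at it (for wget, `--ca-certificate=root.pem`), so the chain is actually checked. `--no-check-certificate` makes the error go away but verifies nothing, which is precisely the state a DNS hijacker would want the client in.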