Welcome, visitor, to my weblog, or blog as they call it nowadays. This is my space to reflect, ramble, rant, ridicule, rampage, and relay about whatever or whomever I feel like; this is the one space where I can happily self-proliferate and merrily make a fool of myself without any bad feelings.
I am aware that my blog is currently quite horrible to look at and that it lacks all sorts of navigation abilities. I apologise. I hope to be able to fix this soon. In the meantime, please report any problems you may encounter. Thanks!
Recently, people have picked up on OpenSSH’s new “feature”: visual SSH fingerprints.
It hurts to see this “feature” in software like OpenSSH, which is so integral to everything we do, because it’s a waste. It’s additional code, and thus an additional risk of bugs, and it has a net security benefit of zero, NULL, zilch, nada, nothing, nix, nadje, oomph!
The theory is that you learn to recognise the general shape of
the visual fingerprints of your hosts, which is easier for us to
remember than strings of hexadecimal numbers. So, for instance, if
you ssh to pony.debian.net, you get to
see something that’s not entirely unlike a pony:
Host key fingerprint is 45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a
+--[ RSA 2048]----+
| ==+o. |
| .++=o |
| . . .o*.. |
| .. . . o..o |
|+. .S. . |
|oE o |
|. . |
| |
| |
+-----------------+
Rejoice! Because now, should pony.debian.net ever
present a new SSH fingerprint, when OpenSSH screams at you:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
then you can look at the picture and say: “yeah, I knew that”, because your pony has suddenly transformed into the visual representation of a giant fart.
On the other hand, the new “feature” makes day-to-day
interactions a lot easier. Imagine you need to ssh
into a new host. You take a piece of paper and call up the admin to
ask for the fingerprint, but instead of a series of hexadecimal
digits, he says “it looks like the easter bunny and a bit like
southern Italy”.
Great “feature”. Thanks. I would appreciate it if this sort of crap stayed out of important software. Dan Kaminsky might have some good ideas, but most of the time he’s on crack. Get a grip. Stop being a fanboy.
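The picture is a deterministic rendering of the fingerprint bytes and nothing else, so it can be recomputed from the hex string. The following is an added example, not code from the original post or from OpenSSH's source: a Python re-implementation of the randomart walk, with function names of my own choosing, assuming a 16-byte colon-separated fingerprint as shown above for pony.debian.net.

```python
# Added illustration: re-implementation of the randomart walk, not OpenSSH source.
# Function and constant names are this example's own.
AUG = " .o+=*BOX@%&#/^SE"   # symbol per visit count; the last two mark start and end
WIDTH, HEIGHT = 17, 9

# Fingerprint quoted in the post for pony.debian.net.
PAGE_FP = "45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a"


def randomart_rows(fingerprint):
    """Return the 9 rows (17 characters each) for a colon-separated hex fingerprint."""
    digest = bytes.fromhex(fingerprint.replace(":", ""))
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2          # the walk starts in the centre
    cap = len(AUG) - 3                      # highest ordinary visit count drawn
    for byte in digest:
        for _ in range(4):                  # four 2-bit moves per byte, low bits first
            x += 1 if byte & 0x1 else -1    # bit 0: right or left
            y += 1 if byte & 0x2 else -1    # bit 1: down or up
            x = max(0, min(x, WIDTH - 1))   # walls stop the walk, no wrap-around
            y = max(0, min(y, HEIGHT - 1))
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(AUG) - 2   # 'S' marks the start
    field[y][x] = len(AUG) - 1                      # 'E' marks the end
    return ["".join(AUG[v] for v in row) for row in field]


def randomart(fingerprint, key_type="RSA", bits=2048):
    """Return the framed picture as one string, header and footer included."""
    head = ("+--[%4s %4d]" % (key_type, bits)).ljust(WIDTH + 1, "-") + "+"
    body = ["|" + row + "|" for row in randomart_rows(fingerprint)]
    return "\n".join([head] + body + ["+" + "-" * WIDTH + "+"])


if __name__ == "__main__":
    print(randomart(PAGE_FP))
```

Everything the picture encodes is already in the 16 bytes it was drawn from, and the visit counts are capped, so distinct fingerprints can in principle map to the same drawing; the hex string remains the value to compare.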
NP: Kinski: Alpine Static
Posted Fri 31 Oct 2008 09:01:07 CET
We’re all aware of the financial crisis due to credit default swaps shaking up the markets, media, politics, and what not. Some of us are feeling the pain, most of us aren’t yet.
A few days ago, politicians of the big, capitalist nations convened to agree on a way forward to stabilise the financial market and put an end to the crisis. They are planning on doing this by throwing hundreds of billions at the market, buying all the subprime loan packages with the intention to create a new market for them, thus taking the weight off the shoulders of the countless barely-surviving banks and investors, who have written off billions in losses without an end in sight.
Where does this money come from? Taxes and newly printed money. You may not yet feel the effects of this, but you will: taxes will rise, and inflation soar to even higher levels.
Today is Blog Action Day with poverty as the focus, and it’s a good occasion for me to state what’s long been on my mind.
The strategy by our political leaders to combat the credit crunch is short-sighted, and it fights symptoms, not causes. In fact, it’s Robin Hood played in reverse: tax increases and inflation will hurt those most who cannot do anything against it: the poor. On the other side of things, those active in the financial markets will have their damages limited, and new CDS markets might even create more opportunities for those who can.
I strongly oppose the way our politicians are handling the issue, even though I do have small amounts of funds invested in financial products myself, and have already seen the positive effects of their actions.
Rather than throwing money at the markets, we really ought to put those away who have caused all this, those ruthless, greedy ones who have speculated way over their heads, underestimated the risks, and caused this crisis that killed many businesses, threatens to endanger entire countries, and hurts individuals who hardly ever had a choice. Think of it as a driver’s licence, and that should be revoked for those who screwed up so royally bad and got us into this situation in the first place. Don’t let them speculate again!
Update: Andreas Metzeler notes that he is (rightfully) missing a “what is to be done instead” section in my blog post. I don’t have anything to offer on that front, sadly.
I also realise I should have phrased my opposition differently.
Reading this interesting interview with Deutsche Bank ex-CEO Hilmar Kopper (German only) (thanks, Andreas!) helped me understand more that the politicians aren’t saving banks, they are saving the system, and that they have little other choice.
Another aspect I haven’t previously seen as clearly as now is that the governments are purchasing (and willing to carry) risk for others, to relieve the markets. Risk by itself doesn’t cost anything, so it might turn out that the billions they made available won’t actually be spent — though I always knew that the governments might well come out of this with a profit even.
The whole affair still stinks, and what I truly miss are the actions to prevent those responsible for getting us into this mess in the first place from doing so again.
NP: This Will Destroy You: Young Mountain
Posted Wed 15 Oct 2008 13:05:35 CEST
I’ve previously ranted about the Lufthansa website. Trying to help out a blind friend obtain some assistance from Miles & More, the Lufthansa frequent flyer programme, I can confidently say that the two companies have a common origin and probably read the same customer service guidelines, which must be somewhat along the following lines:
- require your customers to fill out a web form by not providing any alternate contact information;
- make your website inaccessible to screen readers, so that visually disabled people cannot get in touch with you;
- require full contact data to be filled in before the contact form can be submitted, even if the customer is logged in and the system thus has access to all the data;
- auto-reply to every form submitted with a mail that assigns a case number to your request, but provide no information on how to use that number: no link where I can inquire about the status of a case, and no means to post follow-up information;
- send this email from do-not-reply@miles-and-more.com to emphasise how customer-oriented your company is and how well you have understood the potential of email;
- when (if) you eventually send a real reply, send it from service@miles-and-more.com, which gives the impression of a real email address, and quote the case number in the subject, along with the first line of the customer’s original request, like this: “Re: To Whom It May Concern (#17 (#1729700) / (#M1449889)”. For extra bonus points, use non-matching parentheses;
- try to ensure not to take into account any of the data provided with the original request and prefer stock replies to useful content;
- do not give the name of a person, but sign the email with something like “Miles & More Service Team”;
- refuse all mails sent to service@miles-and-more.com with a note telling people to use the web form to provide feedback (with a cryptic link) and that your email is not being forwarded or read;
- when the customer uses the cryptic link to provide follow-up to the open case, possibly under the impression that the reply will be associated with the original case, assign a new case number and ensure that another team member answers the email with pretty much exactly the same information as the last reply you sent. Under no circumstances assume that the customer has already asked a given question before and couldn’t make sense of or wasn’t satisfied with the answer provided in the last round.
- should a customer enquire about alternative means of contact, tell them they can send regular mail via the post office, and that you are sorry that “at the moment”, you cannot reach the company by email.
If you follow the above guidelines carefully and possibly add a twist here or there, you can rest assured that you’ll fit in quite perfectly with most of your competitors and companies in many other fields. You’ll understand that the customer is evil and you have to protect your company and your customer service staff from them, by making it extraordinarily difficult and inconvenient to reach them, and ensuring that they won’t get any further than the computerised guard at the front door. It’s not like they are your most important asset.
Interestingly, neither Swiss, SAS, nor Thai have read these guidelines. I hope they will never find them.
NP: Porcupine Tree: The Sky Moves Sideways
Posted Tue 30 Sep 2008 11:53:47 CEST
OpenExpo ended last night with a lovely dinner at Roter Turm, and I ought to thank Matthias Stürmer and his team for their efforts.
I especially would like to thank Myriam Schweingruber of the Ubuntu team! Debian.ch could not assemble enough manpower for a booth, and so Myriam took care of selling our new t-shirts at the Ubuntu booth — 29 of them.
That’s Ubuntu giving back to Debian! 
NP: AC/DC: Stiff Upper Lip
Posted Fri 26 Sep 2008 14:44:34 CEST
Today, 35 years ago was a dark day for the human age. I mourn the deaths of 4 innocent children as a result of the 16th Street Baptist Church bombing.
Posted Mon 15 Sep 2008 20:19:54 CEST
As I crawl through the social science literature — a very painful endeavour, believe me — it fills me with disgust to see how much bullshit is being spread as authors randomly insert citations into their text to back up some claim they need to argue their case.
Often, the claim is something in which I am interested, so I go out and seek the reference they cite only to find that the referenced authors say nothing even remotely related to the claim for which they were cited. It is happening all over the place, and even in articles that appeared in “renowned” journals.
If we ever get to the point where all academic articles are properly interlinked so that references can be automatically checked — and I don’t mean just checked for correctness of the reference data, but for actual correctness of the reference — then the population of academics will probably shrink to single-digit percentages, at least for the social sciences; I don’t recall it being much different when I was researching artificial intelligence a few years ago though.
Until then, I am compiling a list. Whether I’ll publish it and point journal editors at it, or just send it to the journals depends on my mood at the time.
NP: Guns ‘n’ Roses: Appetite for Destruction
Posted Mon 15 Sep 2008 18:54:05 CEST
Inspired by Amaya, I would like to commemorate the thousands of people who died of hunger on any given 14th of September.
Posted Sun 14 Sep 2008 19:00:54 CEST
Today, nine years ago, 13 September 1999 was a dark day for the human age: only a few days after more than a hundred people were killed in bombings all over Russia, another bomb took the lives of 118 in an apartment complex in Moscow. Several other bombs were fortunately defused on the same day.
NP: Pulp: This is Hardcore
Posted Sat 13 Sep 2008 21:44:36 CEST
Gazpacho, one of my all-time favourite bands, are (finally) coming to Switzerland!!! On 17 October 2008, they’ll play a gig at the Z7 in Pratteln/Basel. Guess who’ll be there!?!
It makes me very happy that they have recently signed WiV Entertainment as event/tour managers, because it means I’ll probably get to see them more often in the future. To help a bit, I have agreed to be their Swiss “street team” (together with Tibor from Basel), which means I’ll be distributing flyers and posters when I return from Ireland, in exchange for free tickets for Penny and myself. You should join us! Tickets are €22 and can be ordered from the Z7 concert page (scroll down, I can’t link directly, unfortunately).
According to their news page (scroll down a bit), they are also playing in Oslo on 26 September, in Verviers, Belgium on 18 October, and in Den Bosch, The Netherlands on 19 October. Don’t miss them!
NP: Pulp: Freaks
Posted Sat 13 Sep 2008 20:58:55 CEST
Sixty-six years ago was a dark day for the human age: thousands of innocents died when the RMS Laconia (1921) was (allegedly erroneously) torpedoed and the desperate rescue attempts by the offenders were (allegedly erroneously) foiled by a bomber plane.
NP: Gazpacho: Night
Posted Fri 12 Sep 2008 19:12:21 CEST
