chxo internets RSS

A network of memes,
by Chris Snyder


Tue, Sep 8th

Installing Java 1.5 on Snow Leopard

Important Note/Update: Installing “Java Update for OS X 10.6 Update 1” through Software Update will put your system back to square one. But you should update, since there are vulnerabilities that have been fixed in the new version. One workaround: move /System/Library/Frameworks/JavaVM.framework/Versions/1.5.0 to a safe place before updating, then move it back later. Or as one commenter suggests, put it in a different place and link to it, then just restore the links after updating.

Original Howto:

A few other pages on the web give instructions for installing the Java 1.5 support that is (inexplicably) missing in OS X 10.6.0. Unfortunately they rely on an untrusted gzip file posted on a server at washington.edu that is getting hammered.

Here’s how you get it from Apple:

Download the official Java package from Apple, “Java for Mac OS X 10.5 Update 4” dated June 15, 2009.

Then use the excellent shareware utility Pacifist to open the downloaded JavaForMacOSX10.5Update4.pkg file.

How to install

1) First use Finder to go to System > Library > Frameworks > JavaVM.framework > Versions and delete the two aliases (symlinks) “1.5” and “1.5.0”. Don’t skip this step, because otherwise the extraction will follow the symlinks and overwrite the contents of the 1.6.0 folder, oops.

2) In Pacifist, drill down into Contents > System > Library > Frameworks > JavaVM.framework > Versions.

3) In Pacifist, select 1.5 and 1.5.0, right-click, and choose Install to Default Location.

Now you can launch Zend Studio 5.5 or whatever else you needed Java 1.5 support for. Enjoy!

(And many thanks to Davey Shafik for pointing me in the right direction with his Fixing ZDE 5.5 in Snow Leopard post.)

Mon, Jul 27th

Semantic Google

Marking up structured data

Google is finally starting to pay attention to semantic markup, starting with experimental support for review, product, and vcard microformats.

I’m looking forward to the day when they extend this to support rights metadata (Creative Commons) and some subset of the Dublin Core, but this is a great (late) start.

Tue, Jul 21st

Publishers say e-books at $9 are unsustainable

“I’m thrilled that another major player is entering the fast-emerging e-book market,” [publisher] David Young said. “But I remain deeply concerned that our most valuable front-list titles are being sold at mass-market paperback prices.” — Barnes & Noble Plans an Extensive E-Bookstore, New York Times.

Here’s the problem in a nutshell, Mr. Young: readers will not pay full price for a DRM-crippled e-book. A first-edition hardback is solid and shareable, and meant to last for ages. It looks handsome on the shelf. Paying $26 for it is like an investment.

An e-book is locked away on a device, and digitally protected in a way that makes it clear that you only own the right to read it. If this is worth much less than what you want to charge, I suggest you find a way to add some serious value, fast. Note that iTunes charges more for tracks without DRM…

Mon, Jun 22nd

Kindle download policy clarified… mostly

KindleGate: Confusion Abounds Regarding Kindle Download Policy | Gear Diary

The long and short of it seems to be that, as promised, you can download a book as many times as you need to, but it can only be on a certain number of devices at a time. Usually, but not always, six.

As in, “Six readers ought to be enough for any book.”

DRM sucks, but okay, at least they’re playing fair with the unlimited downloads. We can call off the lawyers for now.

Mon, Jun 8th

Is Internet Voting Safe?

Is Internet Voting Safe? The answer, of course, is not really. And it likely never will be in the way most folks imagine it. Here’s why:

Small-scale fraud is relatively easy with both paper ballots and electronic ballots. Look up any recent federal election for ample evidence of both.

But, as pervasive as it is, physical ballot fraud doesn’t scale well. It’s much harder to stuff ballots statewide than it is in just one county or polling place. Too many people have to be involved, and there are too many eyes on the system, for large-scale fraud to go undetected.

Electronic fraud, because it is carried out in software, scales easily and automatically as soon as some exploit or security compromise can be found that enables it. Just look at how much spam is unwittingly sent by people’s PCs. Spamming and e-ballot-stuffing are two very different crimes, but the same kinds of client exploits can be used for both.

Given sufficient motivation and time, an attacker can find one or more exploits in any internet voting system that runs on untrusted hardware, or on any upstream access point or router. He can then use that exploit to deploy programs that generate, alter, or prevent some number of ballots, systemwide.

Yes, properly implemented cryptographic protocols help, as do physical steps in the process (paper trails). The Arizona system discussed in the Wired article is a printable absentee ballot, not an online voting booth.

But no, I don’t think these methods help enough, not when real power is at stake.

At the very least, electronic voting should be limited to low-stakes offices and opinion polls, and even then results should be vetted using independent sampling. Votes should also be, for good measure, cryptographically verifiable by voters.

Sun, Jun 7th

Amazon Recalling Some Kindle2s?

I got an email from Kindle support the other day, asking me to call them “at your earliest convenience.” Thinking that it was some kind of phishing attempt, I ignored it. But when they left a message on my home phone my curiosity got the better of me and I had them give me a call (via the Call Me feature of Amazon’s site).

The whole thing might be an experiment in how many times they can put a customer on hold before actually getting to the point of why they want to talk to you (note to Amazon: can you please just be up-front about why you’re contacting me?) but I had nothing better to do so I stuck with it.

Turns out they’re sending me a replacement Kindle2, because of something to do with the wireless hardware and planned upgrades they are making to their system. I asked if my first-gen Kindle would be affected and the rep said no. At no point was the word “recall” used, and yet that’s sure what it feels like.

Mon, Jun 1st

Smart GMail Trick: Mute a Thread

You know those email threads which you don’t really care about, but which someone seems to post to every day for a week? You archive them, but they keep reappearing in your inbox with every new post. 

Google calls this “the thread that just won’t die”, aka thread from hell.

Well, now you can silence them permanently by using GMail’s mute feature. View or select the thread(s) and type ‘m’ to mute. Bliss for compulsive inbox cleaners!

Sun, May 10th

SSH - How to find remote host fingerprint

With OpenSSH, ssh-keygen is the go-to utility for discovering RSA public key fingerprints, both local and remote, using the -l (lowercase L) switch, and either -f for local keys or -F for keys stored in your known_hosts file.

To find out a remote server’s known-good ssh key fingerprint, use the ssh-keygen command:

ssh-keygen -l -F <hostname>

Normally, ssh shows you the remote RSA key fingerprint when you first connect. But then you never see it again, because the key itself is stored in your .ssh/known_hosts file. Even when connecting in verbose mode, you don’t see it. Ssh compares the key it receives from the remote with the key in known_hosts, skipping the fingerprint step altogether.

So why would you want to see the fingerprint of a known key?

Well let’s say, for example, that you routinely ssh to cloud.example.com from your workstation. Then you get a netbook. The first time you ssh to cloud.example.com on the netbook, using wi-fi, the client shows you what looks like the wrong fingerprint. Is someone in the middle?

You can run ssh-keygen -l -F cloud.example.com on your workstation to see the key fingerprint for cloud.example.com. According to the ssh-keygen manual, this looks up cloud.example.com in your known_hosts file, and then shows you the fingerprint of the matching entry:

ssh-keygen -l -F cloud.example.com
# Host cloud.example.com found: line 25 type RSA
2048 c4:63:f2:8b:ca:71:9b:e5:a7:2e:8a:de:49:ef:99:25 cloud.example.com (RSA)

Now you can compare with what the netbook sees, and either continue connecting or go raise hell with the wi-fi operator.
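What that lookup computes, as an added example that is not part of the original post: the colon-separated fingerprint is the MD5 of the base64-decoded key blob stored in known_hosts. The sketch goes beyond the post by also producing the SHA256 notation that newer OpenSSH clients print by default and by matching hashed host entries. The key blob, salt, extra hostnames and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def ssh_string(data):
    """Length-prefixed byte string, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample key blob (not a real host key): type, exponent, modulus.
BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc5" * 256)
KEY_B64 = base64.b64encode(BLOB).decode()
SALT = b"constructed-salt-20b"  # constructed 20-byte salt for the hashed entry
HASHED = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"hashed.example.com", hashlib.sha1).digest()).decode())
KNOWN_HOSTS = "# constructed sample file\ncloud.example.com,192.0.2.10 ssh-rsa %s\n%s ssh-rsa %s\n" % (
    KEY_B64, HASHED, KEY_B64)

def host_matches(field, host):
    """Match a known_hosts host field: plain comma list or |1|salt|hmac form.
    Wildcard and negated patterns are not handled in this sketch."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def fingerprints(key_b64):
    """Both fingerprint notations are hashes of the decoded key blob."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def lookup(known_hosts_text, host):
    """Return (key type, fingerprints) of the first matching entry, or None."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # comments, @markers
            continue
        if host_matches(fields[0], host):
            return fields[1], fingerprints(fields[2])
    return None

def verify(known_hosts_text, host, shown):
    """Compare the fingerprint another client displayed with the stored key."""
    hit = lookup(known_hosts_text, host)
    if hit is None:
        return "unknown host"
    shown = shown[4:] if shown.startswith("MD5:") else shown
    return "match" if shown in hit[1].values() else "mismatch"
```

Because a newer client may show the SHA256 form while an older one shows the MD5 form, compare like with like before concluding that the key has changed.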

Sat, May 9th

Friday Java Bashing

“Solr is popular with the enterprise crowd, who love its Java.

“Being a Java program, Solr includes no shortage of technology whose acronyms contain the letters J and X. This tickles the enterprise pink, because these sorts of developers love nothing more than hanging out around a whiteboard drawing boxes and arrows and, from time to time, writing XML to make it look like they’re doing real work.” - Ted Dziuba, in a short feature on Sphinx

Oh, snap!

Fri, May 8th

Kindle is a Short Tail product

In re The Kindle Lets amazon Make a Lot From the Few (via Daring Fireball), I feel the need to point out two things, which should be of interest to any company or organization pushing intellectual property in our brave new digital world.

First, a $400 book reader is only going to appeal to people who read a lot of books. You don’t spend that kind of money if you only read books on vacation. So of course Kindle purchasers are going to be some of Amazon’s best customers. 

Second, the Kindle provides instant gratification for book lovers. I can buy a book from anywhere with Sprint coverage and be reading it in under 5 minutes. No trip to the bookstore, no sales clerks, no waiting for UPS to redeliver. It’s right there, in my hands, whenever I want it. 

I read a lot of books. 99% of the books I buy are now purchased, electronically, from Amazon, at what I can only assume is an enormous markup for them despite whatever wireless fees they pay to Sprint. 

So what’s the lesson for other sellers-of-media? If you have a lot of content, find your most important customers and give them the shortest possible path to that content. Put it in their hands instantly, anywhere, and give them a capable way to play or read it.