All posts by Dag-Erling Smørgrav

On religious freedom at the University of Oslo

The text below is a letter that I sent today to Rector Ole Petter Ottersen and University Director Gunn-Elin Aa. Bjørneboe at the University of Oslo.

French version

I have noted that the University is today inviting people to a gathering for those who wish to remember the victims of Friday’s terrorist attacks in Paris.

As a university employee, French citizen and atheist, I wish to protest against the fact that this event appears set to have a religious slant.


Monkey see, monkey sue

One of the disputed images (Wikimedia Commons / PD)
In case you hadn’t heard, animal rights organisation PETA and primatologist Antje Engelhardt, Ph.D., are suing photographer David Slater and self-publishing services provider Blurb, Inc., over photos of a crested macaque which Slater published in his book Wildlife Personalities. Motherboard has a pretty good series of articles on the subject.

The core of PETA’s complaint is that the photos were not taken by Slater, but by the monkey, who inadvertently pressed the trigger while looking at her reflection in the lens of a camera which Slater had left unattended. Therefore, quoth PETA, the monkey holds the copyright to the photos, and all proceeds from the use of those photos should go to PETA, because of reasons.

If you thought this was bizarre, it gets better: PETA and Engelhardt are not the nominal plaintiffs in the lawsuit. Instead, they claim to be merely representing Naruto, a male macaque living on the same preserve as the female macaque in the photo. In court documents, they consistently maintain that Naruto is the macaque in the photo; outside of that setting, they have repeatedly acknowledged, at least indirectly, that he is not.

Having read both defendants’ motions to dismiss (the title of this post was shamelessly ripped from Slater’s motion), I am left to ponder the questions of PETA’s standing and of the monkey’s agency.

Standing

Both defendants challenge the plaintiff’s standing on various grounds, including the fact that he is a monkey, but neither of them challenges PETA’s standing, which seems to me to violate the prohibition of third-party standing, unless PETA can show that they have power of attorney for the allegedly injured party (which is, apparently, a different monkey than the one on whose behalf they claim to be acting). I find that strange, but the case is ridiculous for so many other reasons that I doubt it matters, legally speaking.

Agency

PETA claims that the pictured monkey holds the copyright to the photo because she pressed the button that caused the picture to be taken, but they do not claim that she set the camera up, pointed it, or performed any other action integral to the art of photography. Blurb address this tangentially when they quote, indirectly, 100 U.S. 82 (1879):

In this as in regard to inventions, originality is required. And while the word writings may be liberally construed, as it has been, to include original designs for engravings, prints, &c., it is only such as are original and are founded in the creative powers of the mind.

Nor do they claim that she had any idea of what she was doing except looking at a shiny piece of glass at the end of a tube sticking out of a black box.

If PETA prevails, this means that the mere act of triggering a camera set up by someone else, even without any understanding of the concept of a camera or ability to comprehend that an image was taken, grants the subject the copyright to the resulting image. How far will this principle extend? Will it extend to motion-triggered game cameras? Would PETA sue hunters on behalf of deer for the rights to the footage? Would they sue an ornithologist on behalf of crows that trigger cameras set up to study their behavior?

Ah, who am I kidding, of course they would. Because PETA.

Everybody’s a journalist

…and a legal scholar, apparently. Fallout from the Patreon hack:

From: Matthew Hopkins <matthopkins@thewitchfindergeneral.com>
Subject: URGENT Media Inquiry – Randi Harper Patreon
To: des@des.no
Date: Tue, 13 Oct 2015 00:33:26 +0100

Dear Dag-Erling Smørgrav,

I am the author of the major blog www.matthewhopkinsnews.com. I am sending you this email because your name appears in a list of people who donate to a Patreon operated by a person called Randi Harper. The list was confidential but has been hacked and placed online by unknown third parties. As a result of the leak you may be named, so please read this email carefully.

Ms Harper is a controversial figure due to her extreme political views, including support for Sarah Nyberg, a political activist who at one time claimed to be a paedophile and supported white supremacism, although now claims they were ‘joking’. Harper has also admitted to drug abuse, including attempting to smoke meth from a broken lightbulb. She also irresponsibly dyed her dog blue and accidentally allowed it to lick up her drugs. The following Breitbart articles may be of assistance –

http://www.breitbart.com/big-journalism/2015/07/21/feminist-champion-randi-harper-in-her-own-words-stop-making-everything-a-gender-issue/
http://www.breitbart.com/big-journalism/2015/09/12/meet-the-progressives-defending-gamergate-critic-sarah-nyberg/
http://www.breitbart.com/big-journalism/2015/09/11/leading-gamergate-critic-sarah-nyberg-claimed-to-be-a-pedophile-apologised-for-white-nationalism/

You are supporting a person who is associated with some of the vilest imaginable extremism. Your exposure is interesting, partly because a similar leak occurred a few years ago here in Britain, when the membership list of one of Britain’s far right parties was leaked online – http://www.theguardian.com/politics/2009/oct/20/bnp-membership-list-wikileaks

As a responsible journalist, I can assure you I shall not be publishing the list. However, some of you may work in regulated roles with responsible access to information, vulnerable adults or children. There may be a lawful public interest in my contacting the relevant authorities (including an employer). In addition, the third parties who obtained the data have, as I said, released it online and I suspect it will find its way to Wikileaks, amongst other places.

I would like to invite you to answer the following questions –

  1. Did you know about Randi Harper’s history?
  2. Do you endorse her extremist views?
  3. In light of the revelations about her, and her support for Sarah Nyberg, will you continue to donate?
  4. Are you aggrieved at Ms Harper’s failure to safeguard your personal data?

Please provide comment as soon as possible.

About Me
I am the author of www.matthewhopkinsnews.com, a Conservative leaning blog that has had over 188,000 unique visits since January this year. My pen name is Matthew Hopkins and my real name is Sam Smith. My blog has sourced stories for some of Britain’s largest newspapers.

I am studying a Master’s Degree in law combined with an LPC (attorney’s certificate). In fact I was praised in the British Parliament by then Liberal Democrat MP John Hemming for my legal skills representing a vulnerable woman in the High Court, who faced being declared mentally incompetent – http://www.publications.parliament.uk/pa/cm201314/cmhansrd/cm140113/petntext/140113p0001.htm.

Kind regards,
Sam Smith
writing as
Matthew Hopkins
The Witchfinder General
www.matthewhopkinsnews.com
http://www.thewitchfindergeneral.com
@MHWitchfinder

He clearly expects me to be intimidated. Should I be flattered?

Highlights:

  1. Citing Milo Yiannopoulos of Breitbart, a far-right blogger whose idea of investigative journalism includes such gems as “there is no evidence that Randi Harper is actually a crack whore” (paraphrased);
  2. “Nice job you have there, it would be a shame if my journalistic and personal ethics compelled me to tell your employer that you support paedophiles” (but don’t worry, it’s totally not blackmail);
  3. Complex question fallacy (“have you stopped beating your wife?”);
  4. Patreon was hacked, the British National Party was also hacked, therefore supporting Randi Harper on Patreon is equivalent to supporting the British National Party;
  5. Randi Harper is responsible for the security of Patreon’s network and therefore for the theft of Patreon’s user database.

His mother must be really proud.

You know what, Sam-Smith-writing-as-Matthew-Hopkins? I just doubled my pledge to Randi Harper, pledged similar amounts to Zoë Quinn and Brianna Wu, and signed up for a monthly donation to Feminist Frequency. Unfortunately, I couldn’t find a way to donate to Sarah Nyberg.

How about them apples?

EDIT: various markup and spelling fixes

Refurbishing a coil pack

While my bug-eyed baby is in the shop for a full respray, let’s flash back to May, when I discovered—ironically, while trying to help someone diagnose an ignition issue—that my coil pack was hanging on by the skin of its teeth.

Closeup of the #4-#1 (driver’s left) coil on my 1993 Miata and the tip of the #4 HT lead. Both posts show damage from arcing due to corroded connectors and sockets.
The image to the right shows what an ignition coil is not supposed to look like. I only have myself to blame for not checking the condition of the coils and HT leads before buying the car.

Quick recap: an ignition coil is an engine component that converts the low voltage from the battery to the high voltage required to create the spark used to ignite the fuel-air mixture in the combustion chamber. Coils can be arranged in different ways: a single coil serving multiple cylinders through a mechanical distributor, individual coils for each cylinder, or individual coils for each pair of opposite cylinders. In the latter case, each spark plug fires twice per cycle: once at the end of the compression stroke, to ignite the fuel-air mixture, and once (needlessly but harmlessly) at the end of the exhaust stroke, which coincides with the end of the opposite cylinder’s compression stroke. The Miata’s four-cylinder B6 engine uses this “wasted spark” arrangement with a coil pack consisting of two coils around a shared laminated iron core, mounted in a frame between the rear of the engine and the firewall. Each coil has two sockets numbered (from driver’s left to driver’s right) #4, #1, #2 and #3. The numbers correspond to the cylinders served by the coils: the left coil serves the rear (#4) and front (#1) cylinders, and the right coil serves the middle two (#2 and #3).

The ignition current is delivered from the coil to the spark plug by an HT lead, which is little more than a high-quality electrical wire with connectors at each end that fit in a socket on the coil and onto the spark plug (with the engine block serving as the return path). If the connection between the HT lead and the coil socket is poor (be it due to dirt, corrosion, mechanical damage or other causes), the current will arc across the gap, resulting in damage to both the lead and the socket. In my case, the arcing developed enough heat to bake the plastic casing, causing it to crumble when I pulled the lead out.

A new coil pack would have set me back quite a bit, so I got hold of a used one and refurbished it. The slideshow below illustrates the process.

I fitted the refurbished coil pack with new 8 mm HT leads and it fired right up. Four months and a few thousand kilometers later and the plugs and sockets are still shiny.

The only issue remaining is that the new coil pack’s bracket is cracked, as shown in the pictures above. The old coil pack has separate cores for each coil, while the new one has a shared core for both coils, so while the brackets are nearly identical, the screw holes don’t line up. I need to drill new holes in the old bracket so the new coil pack will fit. I didn’t have a drill bit of the correct diameter available and was impatient to get the car back on the road, so I’ve been driving around with a cracked bracket. It hasn’t shaken loose yet—knock on wood.

If any other Miata owners read this, I’d love to hear from you about the condition of your coil pack and especially about any uneven wear or corrosion on coil sockets and HT lead tips. I have a hunch that the #4 socket is particularly vulnerable, although I have no idea why.

OpenSSH, PAM and user names

FreeBSD just published a security advisory for, amongst other issues, a piece of code in OpenSSH’s PAM integration which could allow an attacker to use one user’s credentials to impersonate another (CVE-2015-6563, original patch). I would like to clarify two things, one that is already mentioned in the advisory and one that isn’t.

The first is that in order to exploit this, the attacker must not only have valid credentials but also first compromise the unprivileged pre-authentication child process through a bug in OpenSSH itself or in a PAM service module.

The second is that this behavior, which is universally referred to in advisories and the trade press as a bug or flaw, is intentional and required by the PAM spec (such as it is). There are multiple legitimate use cases for this, such as:

  • Letting PAM, rather than the application, prompt for a user name; the spec allows passing NULL instead of a user name to pam_start(3), in which case it is the service module’s responsibility (in pam_sm_authenticate(3)) to prompt for a user name using pam_get_user(3). Note that OpenSSH does not support this.

  • Mapping multiple users with different identities and credentials in the authentication backend to a single “template” user when the application they need to access does not need to distinguish between them, or when this determination is made through other means (e.g. environment variable, which service modules are allowed to set).

  • Mapping Windows user names (which can contain spaces and non-ASCII characters that would trip up most Unix applications) to Unix user names.

That being said, I do not object to the patch, only to its characterization. Regarding the first issue, it is absolutely correct to consider the unprivileged child as possibly hostile; this is, after all, the entire point of privilege separation. Regarding the second issue, there are other (and probably better) ways to achieve the same result—performing the translation in the identity service, i.e. nsswitch, comes to mind—and the percentage of users affected by the change lies somewhere between zero and negligible.

One could argue that instead of silently ignoring the user name set by PAM, OpenSSH should compare it to the original user name and either emit a warning or drop the connection if it does not match, but that is a design choice which is entirely up to the OpenSSH developers.
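The three choices discussed above (silently ignore, warn, or drop the connection when the name PAM reports differs from the one requested) can be written as one decision function. This is an added example, not OpenSSH code: the policy, verdict and function names are hypothetical, and the PAM-reported name is passed in as a string where a real program would read the PAM_USER item after authentication.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy and verdict names; not OpenSSH options or code. */
enum name_policy { NAME_IGNORE, NAME_WARN, NAME_DROP };
enum name_verdict { NAME_OK, NAME_OK_WARNED, NAME_REJECTED };

struct name_check {
    enum name_verdict verdict;
    const char *login_as;   /* name the session runs as, or NULL */
    char log[160];          /* message for the auth log, "" if none */
};

/* Copy an untrusted name for logging, replacing non-printable bytes. */
static void log_safe(char *dst, size_t len, const char *src)
{
    size_t i;

    for (i = 0; i + 1 < len && src[i] != '\0'; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/*
 * requested: name the client asked for, kept by the privileged parent
 *            (must not be NULL).
 * pam_user:  PAM_USER as reported back by the unprivileged child after
 *            authentication; treated as hostile input. NULL if unset.
 * The session never runs as pam_user, whatever the policy.
 */
struct name_check check_pam_user(const char *requested, const char *pam_user,
    enum name_policy policy)
{
    struct name_check r = { NAME_OK, requested, "" };
    char want[64], got[64];

    if (pam_user == NULL || strcmp(requested, pam_user) == 0 ||
        policy == NAME_IGNORE)
        return r;           /* unchanged, or mismatch silently ignored */
    log_safe(want, sizeof(want), requested);
    log_safe(got, sizeof(got), pam_user);
    snprintf(r.log, sizeof(r.log), "PAM changed user \"%s\" to \"%s\"",
        want, got);
    r.verdict = (policy == NAME_DROP) ? NAME_REJECTED : NAME_OK_WARNED;
    if (policy == NAME_DROP)
        r.login_as = NULL;  /* caller must close the connection */
    return r;
}
```

Both names are sanitized before logging because one comes from the network client and the other from the child that privilege separation treats as possibly hostile.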

Update 2015-08-27: NIST rates exploitability as “medium” rather than “low” because an attacker who is able to impersonate the UID used by the unprivileged child can use a debugger or other similar method to modify the username that the child passes back to the parent. In other words, an attacker can leverage elevated privileges into other elevated privileges. I disagree with the rating, but have never had any luck getting NIST to correct even blatantly false information in the past.