hall of shame

The pointless churn of SHA1 deprecation

In a recent interview, Linus Torvalds expressed regret about the pointless churn of SHA1 deprecation and this immediately reminded me of a similar, although much smaller pointless churn.

There was once a company-wide ban on SHA1, so a developer replaced SHA1 with SHA256 in a Hashcash implementation in one of the projects... without thinking of the negative side effects:

  1. Hashcash became roughly 1.5 to 2 times slower (SHA-256 costs more per block than SHA-1 on a general-purpose CPU)
  2. Third-party Hashcash tooling, which mints and verifies SHA-1 stamps as the spec requires, could no longer be used with the project's stamps

The project uses this broken Hashcash even today.
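To make the "incompatible tooling" point concrete, here is an added example (not the project's code, and not the reference `hashcash` tool) that mints and verifies Hashcash version 1 stamps with a pluggable digest. The stamp format `ver:bits:date:resource:ext:rand:counter` and the SHA-1 leading-zero-bits rule are from the Hashcash spec; the `hash_name` parameter, the decimal counter and the sample resource `alice@example.org` are assumptions made for the demonstration. A stamp minted with SHA-256 is rejected by the standard SHA-1 check, which is exactly what breaks every external verifier.

```python
"""Hashcash v1 stamps with a pluggable digest (added example, not the project's code).

Stamp format (version 1):  ver:bits:date:resource:ext:rand:counter
A stamp is valid when the first `bits` bits of the digest of the whole stamp
string are zero.  The spec and the reference `hashcash` tool use SHA-1; the
`hash_name` parameter exists only to show what happens when a project swaps it.
"""
import base64
import hashlib
import secrets
import time
from typing import Optional


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
        else:
            zeros += 8 - byte.bit_length()
            break
    return zeros


def mint(resource: str, bits: int = 20, hash_name: str = "sha1",
         date: Optional[str] = None, rand: Optional[str] = None) -> str:
    """Brute-force a counter until the stamp's digest has `bits` leading zero bits."""
    if date is None:
        date = time.strftime("%y%m%d")                      # YYMMDD, as in the spec
    if rand is None:
        rand = base64.b64encode(secrets.token_bytes(12)).decode()
    prefix = f"1:{bits}:{date}:{resource}::{rand}:".encode()  # ext field left empty
    counter = 0
    while True:
        candidate = prefix + str(counter).encode()           # decimal counter (assumption)
        if leading_zero_bits(hashlib.new(hash_name, candidate).digest()) >= bits:
            return candidate.decode()
        counter += 1


def verify(stamp: str, resource: str, bits: int, hash_name: str = "sha1") -> bool:
    """Check a stamp the way a third-party verifier does: SHA-1 unless told otherwise.

    A real verifier also enforces a date window and a double-spend database;
    both are omitted here because they do not affect the digest question.
    """
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed_bits = int(fields[1])
    except ValueError:
        return False
    if claimed_bits < bits or fields[3] != resource:
        return False
    digest = hashlib.new(hash_name, stamp.encode()).digest()
    return leading_zero_bits(digest) >= claimed_bits


def hashes_per_second(hash_name: str, n: int = 200_000) -> float:
    """Rough minting throughput for one digest; compare sha1 against sha256 locally."""
    data = b"1:20:140101:alice@example.org::c29tZXJhbmQ=:"
    start = time.perf_counter()
    for i in range(n):
        hashlib.new(hash_name, data + str(i).encode()).digest()
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    stamp = mint("alice@example.org", bits=18)
    print("SHA-1 stamp:", stamp, "valid:", verify(stamp, "alice@example.org", 18))
    odd = mint("alice@example.org", bits=18, hash_name="sha256")
    print("SHA-256 stamp accepted by standard verifier:", verify(odd, "alice@example.org", 18))
    for name in ("sha1", "sha256"):
        print(f"{name}: {hashes_per_second(name):,.0f} hashes/s")
```

Run it once and the throughput figures show the slowdown on your own CPU; the second `verify` call is the tooling break, since every external verifier computes SHA-1 over the stamp and sees no leading zeros in it.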

P.S. In case it is not clear, SHA1 was "broken" by generating two PDFs with identical SHA1 hashes but different content, by inserting specially crafted binary blocks that the PDF format ignores. This is why the "attackers" used PDF and not C or Java code in the first place. And when they say broken, they mean that the SHA1 collision was generated about 100,000 times faster than brute force would take, but it still took quite a lot of computing and coding.

While there have been better SHA1 attacks since Google's, they are mostly impractical against git because git has shipped collision detection (the hardened SHA1 that spots SHAttered-style colliding blocks and rejects them) for a long time already.

How Lenovo, Dell, HP and Fujitsu let down their most lucrative clients for 1½ years

It's not a coincidence that notebook docking stations are sold only with high-end laptops. My Dell e7740 costs over 2000 €. When I bought it in January 2014, I couldn't imagine I would have trouble making it work under Linux. After all, it was all-Intel, already well-supported hardware. The trouble came from a usually dumb piece of hardware: the docking station. I run two 1920x1200 screens in portrait mode, but this freaking docking station "intelligently" merged the two screens into a virtual 3840x1200 screen and presented just that to the notebook.

The bug-o-feature responsible for this is called DisplayPort Multi-Stream Transport (MST), and it was intended to drive multiple displays through one cable by daisy-chaining them. When the first docking stations with MST support appeared at the end of 2013, nobody was prepared for it. It took well over a year before MST support landed in the mainline 3.17 kernel, and it will take another year until all major distributions move to 3.17 or later.

Red Hat itself found out only when they ran into the problem, and it took 6 months before David Airlie came up with a patch that handles this hardware behaviour. Check out this talk for a good overview of the story.

A subtle allusion to the f-word in Microsoft's EU coding week banners

Just stumbled upon a fancy Microsoft banner that advertises its "Embrace and Extend, starting from childhood" program.

For the record: the only reason Microsoft supports this "Coding in classroom initiative" is because they want to push their products through kids. It's a problem, but a bigger problem is that Microsoft have long striven to make computing an elite profession by introducing inconsistencies and complexity for the most basic abstractions: a character, a file, a block device... their products are designed to fail pupils who want to understand how computers work. And this design is intentional, because the less people understand computing, the less competition their business has... and higher are the profits.

Thus, taking money from Microsoft to promote coding in the classroom is akin to taking money from Philip Morris to promote healthy lifestyle. Shameful.

Recruiter with level SPECIALIST

Here's an email that I just received from a Belgian recruiter (name changed):
On Fri, Apr 11, 2014 at 04:26:33AM -0400, Abdullah Rahmoyan wrote:
>
> For a well known financial institution, I am currently looking
> for a senior Java developer to take part in a 6 months project.
>
>
> The requested skills are:
>
> - BACK-END AND FRONT-END with level SPECIALIST
>
> - DEVELOPMENT KNOWLEDGE with level SPECIALIST
> - BUILD TOOLS, WEB SERVERS with level SPECIALIST
> - AND DATABASES with level SPECIALIST
> - DESIGN REST SERVICES with level EXPERT
> - AND API'S with level EXPERT
> - JAVA EE6, JAVASCRIPT with level SPECIALIST
> - ANGULARJS,POSTRESQL with level SPECIALIST
> - FULL DETAIS TO BE SENT with level SPECIALIST
> - BY EMAIL with level SPECIALIST

When EU institutions write about open source… it reads like a good joke

Here is an excerpt of the Legal aspects of free and open source software workshop notes. Every phrase is a masterpiece.

"When the public agency has decided that open source requirements are particularly important for a specific software acquisition case, the process described in this section can be followed. This process would end in the agency downloading open source software itself, with no fee paid whatsoever. Separately, commercially provided services and support, if required, may be acquired by publishing calls for tender. Note that this process can be abandoned at any point - for instance, if the software cannot be found easily, or evaluated, or once downloaded is found unsuitable for any reason. At that point, the other approach described in the next section can be followed, namely, publishing a call for tender for open source software."

How the European Commission disrespects its own cookies directive

The most popular interpretation of the cookies directive is that websites should warn about cookies that are not essential for the operation of the websites. For instance, a cookie set to keep the items in your shopping cart is essential for the operation of an online shop and users should not be warned. If the cookie is set to track user activity for marketing purposes (e.g. by Google Analytics for targeting ads) — that's not essential, and the user should be warned.

The main website of the European Commission sets cookies to store information on surveys. This is not essential to the operation of the website, so technically they should warn about it. But they do not. OK, that's a small problem; they are almost clean… on the surface.

If you look a little bit further, you'll see that parts of ec.europa.eu set Google Analytics cookies for the whole ec.europa.eu domain. For instance, the EURES homepage sets the Google Analytics cookies __utma, __utmb, __utmc and __utmz for everything under ec.europa.eu, as well as a couple of other cookies for itself, such as eures_client_nr and piwiki_visitor, plus an EURES_SESSIONID.
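Checking this yourself takes a few lines: collect the Set-Cookie headers a page returns and classify each by scope (host-only, or shared with every subdomain via a Domain attribute) and by whether its name matches a known analytics cookie. The script below is an added example, not code from the Commission or from this blog; the header lines in SAMPLE_HEADERS are constructed to resemble the cookies named above, not captured from ec.europa.eu, and the list of tracker name prefixes is an assumption limited to Google Analytics cookie names.

```python
"""Classify Set-Cookie headers by scope and tracker status (added example)."""
from http.cookies import SimpleCookie
from typing import Dict, List

# Google Analytics cookie name prefixes (classic __utm* and Universal _ga/_gid/_gat).
# Anything else is reported as "unknown", not as essential; that call needs a human.
TRACKER_PREFIXES = ("__utm", "_ga", "_gid", "_gat")

# Constructed sample headers, one Set-Cookie value per entry. Not captured traffic.
SAMPLE_HEADERS = [
    "__utma=12345.67890.1400000000.1400000000.1400000000.1; Domain=.ec.europa.eu; Path=/",
    "__utmz=12345.1400000000.1.1.utmcsr=(direct); Domain=.ec.europa.eu; Path=/",
    "eures_client_nr=42; Path=/eures",
    "EURES_SESSIONID=0123456789abcdef; Path=/eures; HttpOnly",
]


def classify_cookie(set_cookie: str, page_host: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and describe where it will be sent and what it is."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if len(jar) != 1:
        raise ValueError(f"expected exactly one cookie in {set_cookie!r}")
    (name, morsel), = jar.items()
    domain = morsel["domain"].lstrip(".").lower()
    host = page_host.lower()
    if not domain:
        scope = "host-only"                       # sent back to this host only
    elif host == domain or host.endswith("." + domain):
        scope = "domain-wide:" + domain           # sent to domain and every subdomain
    else:
        scope = "rejected"                        # browsers drop cookies for foreign domains
    return {
        "name": name,
        "scope": scope,
        "path": morsel["path"] or "/",
        "httponly": bool(morsel["httponly"]),
        "tracker": name.startswith(TRACKER_PREFIXES),
    }


def audit(headers: List[str], page_host: str) -> List[Dict[str, object]]:
    """Classify every Set-Cookie value returned by one page."""
    return [classify_cookie(h, page_host) for h in headers]


def needs_consent(report: List[Dict[str, object]]) -> bool:
    """True when at least one non-essential (tracker) cookie is being set."""
    return any(c["tracker"] for c in report)


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, "ec.europa.eu")
    for c in report:
        kind = "TRACKER" if c["tracker"] else "unknown"
        print(f"{c['name']:<18} {c['scope']:<26} path={c['path']:<8} {kind}")
    print("consent warning required:", needs_consent(report))
```

To run it against a live site, replace SAMPLE_HEADERS with the Set-Cookie values from the response (for example `response.headers.get_all("Set-Cookie")` from `urllib.request`), one header per list entry; the domain-wide entries are the ones that leak into every other ec.europa.eu service.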
