Gamer friend Scott just discovered that the reason he was having so much trouble with PCGen under Linux was that the JVM was defaulting to a rather small heap size, effectively thrashing the app into oblivion when he tried to print.
Now, while it’s true that PCGen is as piggy as a perl script when it comes to building complex data structures in memory, it’s still fundamentally a straightforward application, and yet it exceeds the default maximum heap settings. He had plenty of free RAM, gigs of free VM, and here was Sun’s Java, refusing to use any of it unless he relaunched the application with a command-line override. Doing so not only fixed printing, it made the entire application run substantially faster. Feh.
I’d noticed a slowdown with recent versions of PCGen on my Mac as well, but Apple was good enough to compile their JVM with defaults sufficient to at least make it run completely. Sure enough, though, increasing the default heap settings makes it run faster, by eliminating a whole bunch of garbage collection.
In other words, with Java, Sun has managed to replicate the Classic MacOS annoyance of adjusting memory allocation on a per-application basis, and made it cross-platform!
PCGen is still the only major Java app I have any use for on a regular basis, although there’s another one that has recently entered my arsenal of special-purpose tools, Multivalent. I have no use for 99% of its functionality, but it includes robust tools for splitting, merging, imposing, validating, compressing, and uncompressing PDF files, as well as stripping the copy/print/etc limitations from any PDF you can open and read.
There’s another Java application out there that might join the list sometime soon, Dundjinni, but first the manufacturers have to finish porting it from Windows to the Mac…
Last year I posted a reference to Arnold Reinhold’s Diceware page, and included a copy of my favorite passphrase generator, which attempts to generate pronounceable nonsense words.
I’ve always been a big fan of pronounceable nonsense, even in the days when passwords were limited to eight characters, but I think it’s particularly useful for long passphrases. My problem was that it can actually be pretty difficult to get a good nonsense phrase out of the original table. So I made my own.
Now, the instinctive reaction to someone creating their own security tool instead of using one created by an expert is (or ought to be) an anguished cry of “Noooooo, you fooooool!”. This is a special case, though, because the beauty of the Diceware scheme is that the contents of the table don’t actually matter, as long as each cell is unique. You could fill the first column with colors and the rest of the cells with the names of different superheroes, and the resulting passphrases would contain just as much entropy.
So here’s my new favorite method of generating passphrases. Roll three six-sided dice (one to choose a consonant, two more to choose the rest of the syllable), repeat at least ten times, and assemble into a phrase.
| Consonant (die 1) | Die 2 | Die 3: 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|
| B | 1 | a | ad | ag | al | an | az |
| K | 2 | e | ed | eg | el | en | ez |
| M | 3 | i | id | ig | il | in | iz |
| P | 4 | o | od | og | ol | on | oz |
| S | 5 | u | ud | ug | ul | un | uz |
| T | 6 | ay | oy | ath | eth | ith | oth |
Update: Sorry if I didn’t make it clear. Split the results up with spaces to create two- or three-syllable “words”.
Also, a word on the relative strength of passphrases. Each 3d6 roll has 6³ = 216 equally likely outcomes, so each syllable contains log2(216) ≈ 7.75 bits of entropy, and ten syllables produce a ~77.5-bit passphrase, which is likely good enough for data that isn’t kept under lock and key 24x7 (e.g. login password on a laptop). See Reinhold’s FAQ on passphrase length for details. Note that the dictionary-based Diceware system needs more words to get the same strength: each 5d6 Diceware word is worth log2(7776) ≈ 12.9 bits, while a two-syllable nonsense word (6d6) is worth ≈ 15.5 bits, so reaching ~77.5 bits takes six Diceware words versus four nonsense words of two or three syllables.
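As an added example (my code, not part of the original post), here is the same scheme in Python. It rolls the dice from the OS entropy source rather than the `random` module, splits the syllables into two- and three-syllable words as the update describes, computes the entropy figure above, and includes a decoder that recovers the dice from a finished phrase. The decoder works because none of the onset consonants (b k m p s t) ever appears in a syllable ending (d g l n z y th), so the syllable boundaries are unambiguous even without spaces and no entropy is lost by running them together. The table is transcribed from the post; the function names and the 3/3/2/2 word-grouping rule are my own choices.

```python
import math
import secrets

# Dice-to-syllable table, transcribed from the post. Die 1 picks the consonant
# (row order), die 2 picks the vowel row, die 3 picks the column.
CONSONANTS = ["b", "k", "m", "p", "s", "t"]
RESTS = [
    ["a", "ad", "ag", "al", "an", "az"],
    ["e", "ed", "eg", "el", "en", "ez"],
    ["i", "id", "ig", "il", "in", "iz"],
    ["o", "od", "og", "ol", "on", "oz"],
    ["u", "ud", "ug", "ul", "un", "uz"],
    ["ay", "oy", "ath", "eth", "ith", "oth"],
]
OUTCOMES_PER_SYLLABLE = 6 ** 3                        # 216 distinct 3d6 results
BITS_PER_SYLLABLE = math.log2(OUTCOMES_PER_SYLLABLE)  # about 7.75 bits


def roll_d6():
    """One die roll from the OS CSPRNG (random.randint is not suitable for secrets)."""
    return secrets.randbelow(6) + 1


def syllable(d1, d2, d3):
    """Map a single 3d6 roll (each die 1..6) to its syllable."""
    return CONSONANTS[d1 - 1] + RESTS[d2 - 1][d3 - 1]


def entropy_bits(n_syllables):
    """Entropy of a phrase built from n independent syllable rolls."""
    return n_syllables * BITS_PER_SYLLABLE


def group_into_words(syllables):
    """Join syllables into two- or three-syllable 'words' separated by spaces.
    Assumed rule: take three at a time, but never leave a one-syllable tail."""
    words, i = [], 0
    while i < len(syllables):
        remaining = len(syllables) - i
        size = 3 if remaining >= 3 and remaining != 4 else 2
        words.append("".join(syllables[i:i + size]))
        i += size
    return " ".join(words)


def generate(n_syllables=10, rng=roll_d6):
    """Roll 3d6 n times and assemble the phrase. rng is injectable for testing."""
    rolls = [(rng(), rng(), rng()) for _ in range(n_syllables)]
    return group_into_words([syllable(*r) for r in rolls])


def decode(phrase):
    """Recover the list of (d1, d2, d3) rolls from a phrase.
    Longest-match on the syllable ending is unambiguous because no onset
    consonant occurs inside any ending, so the next consonant always marks
    the start of the next syllable."""
    text = phrase.replace(" ", "")
    rolls, i = [], 0
    while i < len(text):
        if text[i] not in CONSONANTS:
            raise ValueError(f"expected a consonant at offset {i} in {phrase!r}")
        d1 = CONSONANTS.index(text[i]) + 1
        i += 1
        best = None  # (rest, d2, d3) with the longest matching ending
        for r, row in enumerate(RESTS, start=1):
            for c, rest in enumerate(row, start=1):
                if text.startswith(rest, i) and (best is None or len(rest) > len(best[0])):
                    best = (rest, r, c)
        if best is None:
            raise ValueError(f"no syllable ending at offset {i} in {phrase!r}")
        rolls.append((d1, best[1], best[2]))
        i += len(best[0])
    return rolls


if __name__ == "__main__":
    phrase = generate(10)
    print(f"{phrase}  ({entropy_bits(10):.1f} bits)")
    assert decode(phrase) and len(decode(phrase)) == 10
```

Running the script prints one ten-syllable phrase and its entropy; `decode` is there to check that a phrase written down without spaces still maps back to exactly one sequence of rolls, which is the property that justifies counting the full 7.75 bits per syllable.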
I hadn’t seen any good spam for a while, even when I indulged my curiosity and looked inside Mail.app’s Junk folder before wiping it clean. This one, however, stood out in the crowd.
Silly me, I didn’t even know the FDIC had an office in Beijing, much less that it was where they hosted their “ATM/Debit/Check Card Protection Program”.
It was, of course, sent to the email address that’s in my WHOIS records, which is not on file with any banking institution I do business with. Not that I’d have fallen for it anyway…
Fun little blog entry documenting the life and death of a bug in Microsoft Word for Mac. A nice reminder of how difficult it can be to predict how your shiny new feature will interact with old code, and, more importantly, why it can take so darn long to fix an “obvious” bug. I’d love to see a similar explanation of Apple’s “can’t use capital U in firmware password” bug.
One thing this story doesn’t touch on is the importance of clear, unique error messages. If Word had actually reported “too many open files” instead of “disk full,” the problem might have been fixed a lot sooner. In one of my own favorite debugging stories, our discovery of the message “oh shit: fState != kParseError” led us directly to one line out of 16,000. It wasn’t clear, but it was at least unique.
This Mac security hole has been all over the web recently. The thing that makes it dangerous is that it’s ridiculously easy to exploit. The thing that makes it annoying is that anyone on the development team should have seen it coming a mile away, especially given the many well-publicized scripting exploits in Windows software.
How did it happen? WebCore. In an effort to produce a common HTML/HTTP library for all applications, functionality that used to be restricted to the Help tool was suddenly embedded in everything that retrieved or displayed web pages. Apple’s pervasive AppleScript support completes the circle.
Ask not what you can do with scriptable applications; ask rather what scriptable applications can do to you…
Update: The official fix is available via Software Update.
Update: You still need to turn off the Open “safe” files after downloading option in Safari, because disk: URLs still work, and mounted disk images can include auto-execute programs. Yes, there are two stupid features in the previous sentence.
"I downloaded the file in the hope that perhaps Microsoft had released some sort of public beta. The file unzipped, and to my delight the Microsoft icon looked genuine and trustworthy. I clicked on the installer file, and to my horror in 10 seconds the attachment had wiped my entire Home folder!"
Why, yes, Microsoft often officially releases beta software on peer-to-peer file-sharing networks. Your confusion is understandable, and no one is going to accuse you of being a software pirate. Really.
Besides, I’m pretty sure you won’t be downloading any commercial software in the future…
Update: Oh, and note the clever way the story implies that this had something to do with Intego’s “concept trojan horse” scare story. Sorry, Charlie, but we’re not that stupid. An application that doesn’t do what you think it will ain’t the same thing as an application disguised as an MP3 file.
Not only did I finally get one of the “you use illegal file sharing” extortion scam spams, it actually slipped past OS X Mail’s filters. Just the once, of course, now that I’ve told the system about it.
I’d love to know where they came up with the phony IP address they claim I’ve been using, though. I suspect it’s just boilerplate, since even if I were using a file sharing app, there’s no way they could associate it with that email address. Unless they (gasp!) really did manage to confiscate the contents of my computer. Tee hee.
Of course, there’s also a trojan attachment for infecting Windows boxes, which pretty neatly undercuts any claim that they ever got anywhere near the contents of my Macintosh…
Best part: the use of a phony Italian email address (from a machine that really is in Italy) while claiming to be associated with the FBI’s Department for “Illegal Internet Downloads”. They even supply a phone number.
Worst part: according to multiple news reports, there are quite a few people who are dumb enough (or, to be charitable, “sufficiently unsophisticated about the Internet and con artists”) to fall for this cheesy scam, and the associated “we found illegal porn on your computer” version.
I’d love to supply a link to this extremely cool iPod accessory, except that the manufacturer doesn’t list it on their web site, and Apple’s online store generates nonsensical URLs that don’t share well.

Instead, imagine a white plastic brick, about the size of an O’Reilly book, that opens up into a surprisingly good mini-speaker system that doubles as a fully-functional iPod docking station. It’s quite loud for a system with only 2 watts/channel, and distortion is well-controlled at reasonable volumes. It’s compatible with older iPods and other devices through the Aux port (short cable supplied), which I’m connecting to my PowerBook for a significant sound boost.
They claim up to 24 hours of life on four AA batteries, or you can use the supplied wall-wart to run it on AC.