‘Til Death Do Us Part

May Terri Schiavo rest in peace.

While much of what I have heard regarding Mrs. Schiavo focused on whether she should die, I find it troubling that a less ethically difficult, but still critical, question has been glossed over. Since I am not certain of the specifics of the instant case, I shall pose this hypothetically.

Marriage, in the civil sense, is a contract between parties. Church marriages take on greater significance, and vary among faiths, and may be recognized by the State, but the union is essentially a contract, with rights and privileges defined not only by written agreement but by tradition and law.

Suppose one party to the contract is rendered either incompetent or incommunicado. Can that party remain fully bound to the contract, when he can no longer consent to substantive changes to it? When, and under what circumstances, can the contract become null and void?

Pretty Fetching

So far the only link pre-fetching I’ve observed from Google has been of www.stanford.edu. This is terribly funny, actually, since the pre-fetching of this page doesn’t speed things up. Here’s why:

HTTP/1.x 200 OK
Date: Thu, 31 Mar 2005 17:28:48 GMT
Server: Apache
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

Stanford does not provide enough information with the prefetched response for Mozilla to use the cached version, or for Mozilla to ask for Stanford to return the page only if it has been modified. What we should see are some more headers, specifically Last-Modified: and/or Etag:, so that we can make a request to which the server can respond HTTP/1.x 304 Not Modified.

So, even though Mozilla has prefetched the page into local cache, it still makes an HTTP GET for http://www.stanford.edu/, to which Stanford, smart people that they are, respond “OK.”

Now, here’s the really funny part: pre-fetching is broken in Firefox’s default configuration anyway.

MovableType, and TypePad, also enable pre-fetching, by the use of a link rel="next" element. Since typepad.com does not always emit Last-Modified: and Etag: headers, look at my test case here. What we should see is that the next page is pre-fetched, with an HTTP/1.x 200 OK response. Then an actual click should make the same request, but including If-Modified-Since: and If-None-Match: headers, with an HTTP/1.x 304 Not Modified response.

Instead we see Damn. My test case works. I swear it wasn’t working before. Anyway, it doesn’t work with MovableType.
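As an added illustration, not part of the original post, here is a small Python script that checks a captured response for the validators the browser needs and then plays the server side of the conditional GET. The first header block is the Stanford response quoted above; the second response, its ETag value and its Last-Modified date are constructed for the example.

```python
# Added example, not from the original post: which cached responses can be
# revalidated, and how a server answers a conditional GET.
from email.utils import parsedate_to_datetime

# Captured header block quoted in the post (no Last-Modified or ETag).
STANFORD_RESPONSE = """HTTP/1.x 200 OK
Date: Thu, 31 Mar 2005 17:28:48 GMT
Server: Apache
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
"""

# Constructed response carrying both validators (values are made up).
VALIDATED_RESPONSE = """HTTP/1.x 200 OK
Date: Thu, 31 Mar 2005 17:28:48 GMT
Server: Apache
Last-Modified: Thu, 31 Mar 2005 17:00:00 GMT
ETag: "abc123"
Content-Type: text/html; charset=ISO-8859-1
"""

def parse_headers(raw):
    """Parse a status line plus headers into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def revalidation_headers(headers):
    """Conditional headers a client can send on its next request for the same
    URL. An empty dict means the cached copy cannot be revalidated: the browser
    has to issue a plain GET and the server answers 200 with the full body."""
    cond = {}
    if "etag" in headers:
        cond["If-None-Match"] = headers["etag"]
    if "last-modified" in headers:
        cond["If-Modified-Since"] = headers["last-modified"]
    return cond

def _etag_matches(if_none_match, current_etag):
    # If-None-Match may list several tags or "*"; weak comparison ignores "W/".
    def strip(tag):
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag
    tags = [strip(t) for t in if_none_match.split(",")]
    return "*" in tags or strip(current_etag) in tags

def conditional_get_status(request_headers, current_etag, current_last_modified):
    """Server side: 304 if the client's validators still match, else 200.
    Per RFC 7232, If-None-Match takes precedence over If-Modified-Since."""
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        return 304 if _etag_matches(inm, current_etag) else 200
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            if parsedate_to_datetime(ims) >= parsedate_to_datetime(current_last_modified):
                return 304
        except (TypeError, ValueError):
            pass  # unparseable date: treat the condition as not met
    return 200

if __name__ == "__main__":
    for label, raw in (("stanford", STANFORD_RESPONSE), ("validated", VALIDATED_RESPONSE)):
        cond = revalidation_headers(parse_headers(raw))
        print(label, "->", cond or "no validators; the next GET fetches the whole page again")
```

Run it and the Stanford block yields no conditional headers at all, which is exactly why the prefetched copy buys nothing: the follow-up click is an unconditional GET, and the only answer the server can give is the 200 OK the post complains about.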

What’s to be done?

Paul Hoffman announced the release of Bruce Schneier’s and his Internet Draft on Attacks on Cryptographic Hashes in Internet Protocols. It’s readable, and covers the issues in their typically not-paranoid fashion — unlike some other articles I’ve read (but will not bother to find again).

While it is certainly possible, and at a first glance even probable, that the broken security property will not affect the overall security of many specific Internet protocols, the conservative security approach is to change hash algorithms. The Internet protocol community needs to migrate in an orderly manner away from SHA-1 and MD5 — especially MD5 — and toward more secure hash algorithms.

This document summarizes what is currently known about hash algorithms and the Internet protocols that use them. It also gives advice on how to avoid the currently known problems with MD5 and SHA-1, and what to consider if future predicted attacks become real.

Mining the Social Network Data

Being the slow, not-so-trendy sort, it took me a while to pay attention to Yahoo! 360°. Or rather, it took Jeremy’s post offering invitations, which suddenly sprouted more than 200 comments.

There are lots of observant people out there, so I doubt my comments, or the mails I threw out, or my internal journal post in February, or my small aside here in June, had anything at all to do with Yahoo! noticing that they already have data on some social networks.

Now they’re mining it, to provide something that you may find useful.

What Did Other Customers Buy?

Amazon now shows what similar items customers ultimately bought after viewing a particular item. So you can see, for example, that 50% of the customers who looked at the Grundig Mini 100 PE Portable AM/FM/Shortwave Radio with Headphones bought it, whereas only 3% bought the Oregon Scientific WR196T All Hazard Radio with AM/FM Radio & S.A.M.E Technology. Maybe they don’t know what S.A.M.E. is — I didn’t — or maybe they just saw something similar for $40 less.

Variance Requested

Tonight before the Carmel Zoning Board of Appeals, we will request a variance. We are on the agenda.

APPLICATION OF C. WILLIAM & DEENA COX FOR A VARIATION OF SECTION 63.9 FOR PERMISSION TO CONSTRUCT FAMILY ROOM AND BATHROOM. CODE REQUIRES 25 FOOT SIDE YARD; 21.5 FT. WILL EXIST; VARIANCE REQUIRED OF 3.5 FEET. PROPERTY IS LOCATED AT 142 CRANE ROAD, CARMEL, NY AND IS KNOWN BY TAX MAP #54.14-1-40.

The applicable paragraph of Section 63.9 is sub-section A, which links in the Schedule of District Regulations containing the set-back requirements.

A. The regulations prescribed for each of the districts listed in Article II, Section 63-3, are listed on the accompanying schedule titled “Schedule of District Regulations,” which schedule is hereby adopted and made a part of this chapter. Said schedule may be amended in the same manner as any other part of this chapter.

We expect those 3.5 feet to pose no problems for the board or our neighbors, but we’ll find out tonight.

Goal!

The Big Sister just called to tell me that her travelling tots group played soccer today, and she got the ball away from a Big Boy, and scored a GOAL!

Progenitorivox

The Journal News led the business section this morning with an article on how Consumers Union is using the Internet to convince Congress to require drug peddlers to release complete test results.

You can’t ask your doctor about the new drug Progenitorivox because it doesn’t exist.

That’s just as well because its side effects include agitation, palpitations, excessive salivation, constipation, male lactation, rust-colored urination, hallucinations, bad vibrations and mild electric shock sensations.

But more than a half million people have heard about Progenitorivox by watching a new Web cartoon that spoofs drug commercials.

That’s just what Consumers Union hoped would happen when the 69-year-old nonprofit institution decided to take a lesson from the blogging generation about getting its message out.

Maybe this will get David some work.

Pass-through Authentication

Firstly, remember that authentication and authorization are separate issues. Secondly, consider the authentication source as a foreign key, to use database terminology. You link with that key in order to authorize activity, but you do nothing else with that key.

So, from the perspective of using an LDAP directory with a web application, if you’re not storing the user data in the directory, then treat it as a key into your database. For example, you have a user, Bob, who will authenticate using credentials stored in the directory. Is he authorized to use the application? I dunno; let’s look that up.

I’ll try to have a more concrete example in a day or so, but you know how well I do with promises. You might want to look at bugzilla’s handling of the situation, since this is, after all, what Joe and I talked about. (Please ignore the use of Mozilla::LDAP instead of Net::LDAP. This was back in 2000.) In the future, one would appreciate it if new applications were able to assume from the get-go that someone else, like HTTP, might be providing the authentication source.
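Here is an added Python sketch of the pattern the post describes; it is not the author’s promised example and not Bugzilla’s code. The web server (or an LDAP bind behind it) has already verified credentials and asserts the identity as REMOTE_USER; the application only uses that identity as a foreign key into its own authorization table. The user names, roles and permissions are constructed.

```python
# Added example, not from the original post: authentication is done
# elsewhere (web server, LDAP); the application only looks the asserted
# identity up in its own tables to decide what the user may do.

# Constructed application-side table keyed by the external identity.
# Nothing else about the user (password, DN) is stored here.
AUTHZ = {
    "bob": {"roles": {"reporter"}},
    "alice": {"roles": {"reporter", "admin"}},
}

# Constructed role -> permission mapping.
ROLE_PERMISSIONS = {
    "reporter": {"file_bug", "comment"},
    "admin": {"file_bug", "comment", "edit_users"},
}

def identity_from_environ(environ):
    """Read only the identity the authentication layer set (REMOTE_USER, as
    a web server sets it after verifying credentials). A user name arriving
    in a query string or form field is not an authentication source and is
    deliberately ignored here."""
    user = environ.get("REMOTE_USER")
    if not user or not user.strip():
        return None
    # The key is used exactly as asserted; folding case or otherwise
    # canonicalising it is a decision to make with the directory in hand.
    return user.strip()

def authorize(environ, action):
    """Return (allowed, reason). Authentication and authorization fail for
    different reasons, and the caller can log them separately."""
    uid = identity_from_environ(environ)
    if uid is None:
        return (False, "unauthenticated")
    record = AUTHZ.get(uid)
    if record is None:
        # Authenticated by the directory, but the application never
        # authorized this identity: the key has no matching row.
        return (False, "authenticated but unknown to application")
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in record["roles"]))
    if action in perms:
        return (True, "ok")
    return (False, "forbidden")

if __name__ == "__main__":
    for env, action in (({"REMOTE_USER": "bob"}, "file_bug"),
                        ({"REMOTE_USER": "bob"}, "edit_users"),
                        ({"REMOTE_USER": "mallory"}, "comment"),
                        ({}, "comment")):
        print(env.get("REMOTE_USER", "<nobody>"), action, "->", authorize(env, action))
```

The point of keeping the table keyed on the asserted identity is that the application never handles the credential itself: swapping LDAP for HTTP Basic, a certificate or anything else that ends up in REMOTE_USER leaves authorize() untouched.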

Intriguing Developments

There have been some intriguing developments over the past little while, which remain to be absorbed. Via Ben Hammersley, I find a9 OpenSearch, and via that argument at Sam’s, Mark brings Greasemonkey to my attention. Greasemonkey in particular could be quite useful when one is not able to patch the web directly.

I’m looking at this greasy monkey, and the first obvious question is “how do I add these user scripts so that I can use them?” Meanwhile, I especially like the discussion surrounding its antecedent.

mod_speling’s Poor Spelling

Apache’s mod_speling does two things. One thing it does is fold case, making URIs case-insensitive. This is handy when users are moving files between case-insensitive, but case-preserving, and case-sensitive filesystems. The other thing it does is try to correct spelling errors, which it does by finding off-by-one variations of the name requested. Suppose, for example, that I have a file foo and inadvertently request foob; it will assume that I meant foo and return that file.

This is not a good idea in practice, because files often differ, significantly, by one character. What’s worse, when joined with DAV, it provides you with the ability to accidentally overwrite that resource you wanted to save.

So, you want to separate out the helpful case-folding feature from the dangerous spelling correction feature.
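As an added example, not code from Apache or from the original post, here is a Python model of the two behaviours separated: a resolver that only folds case, and one that approximates mod_speling’s one-character guessing on top of it. The directory listing is constructed, and the DAV part models a client that follows the server’s correction with its PUT.

```python
# Added example, not from the original post or Apache: the case-folding
# feature and the spelling-correction feature of mod_speling, separated so
# the difference in what a DAV PUT ends up touching is visible.

# Constructed directory contents.
ENTRIES = ["foo", "README", "index.html", "notes.txt"]

def resolve_casefold(requested, entries):
    """The safe half: the unique entry equal to `requested` ignoring case.
    No match, or an ambiguous match (two entries folding to the same name),
    gives None and the request proceeds with the name as typed."""
    hits = [e for e in entries if e.lower() == requested.lower()]
    return hits[0] if len(hits) == 1 else None

def off_by_one(a, b):
    """True when a and b differ by one insertion, one deletion, one wrong
    character or one adjacent transposition, the classes mod_speling looks for."""
    if a == b:
        return False
    la, lb = len(a), len(b)
    if la == lb:
        diffs = [i for i in range(la) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if abs(la - lb) != 1:
        return False
    longer, shorter = (a, b) if la > lb else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def resolve_speling(requested, entries):
    """The risky half (an approximation of mod_speling): case-folded match
    first, then any single entry within one character edit of the request."""
    hit = resolve_casefold(requested, entries)
    if hit is not None:
        return hit
    cands = [e for e in entries if off_by_one(e.lower(), requested.lower())]
    return cands[0] if len(cands) == 1 else None

def dav_put_target(requested, entries, spelling_correction):
    """Which resource a DAV PUT of `requested` acts on, assuming the client
    follows the server's correction. With spelling correction on, a typo in a
    new file's name lands the PUT on an existing, similarly named resource."""
    resolver = resolve_speling if spelling_correction else resolve_casefold
    hit = resolver(requested, entries)
    if hit is None:
        return ("create", requested)
    return ("overwrite", hit)

if __name__ == "__main__":
    for name in ("readme", "foob", "index.htm", "notes.tx"):
        print(name, "casefold only ->", dav_put_target(name, ENTRIES, False),
              "| with speling ->", dav_put_target(name, ENTRIES, True))
```

With case folding alone, a request for foob creates foob; with the spelling correction enabled, the same PUT is steered onto foo. The case-folding resolver is the part worth keeping, and it is also the part that can be reasoned about: a name either folds to exactly one existing entry or it does not.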