Rest in Peace, Yale Braunstein

berkeley, friends, policy, education, iSchool

Yale Braunstein, a professor at UC Berkeley's School of Information, passed away last night.

Yale was a significant influence in reinforcing my interests in information and technology policy. In his Information Policy class, he always had very interesting stories and perspectives on important policy issues. Not only was he wise, but he knew important people like former Secretaries of State. He seemed to always have a smile on his face and was never afraid to jump into a difficult problem and do his best to make it better. I'll think of him, as I do with all my mentors, in the future when confronted by a particularly difficult policy problem.

Yale also taught me to take tedious and seemingly boring problems and try to find a way to make them fun... that's a clever trick I still use to this day. Thanks, Yale.

Transparent Signature Stamps for PDFs

system, legal

Occasionally, I need to sign something digitally (not in the crypto sense). With Acrobat Pro, I can just copy and paste an image of my signature... but copying and pasting an image into Acrobat doesn't preserve transparency, so my signature will block surrounding text in the PDF.

That doesn't look good at all.

Here's a solution courtesy of Adobe products: use something like Photoshop Elements to create a transparent PDF of the signature and then create a custom "stamp" in Acrobat that you can stamp onto PDFs. It works like a charm.

Here's how:

  1. You'll need:
    • Adobe Photoshop Elements (PSE) to erase the background and to save a transparent PDF.
    • Adobe Acrobat Pro, the all-around PDF Swiss Army knife.
    • One good quality scan of your signature, black ink on white paper. You can use low-quality scan software (like TurboScan for the iPhone) or use an actual flatbed scanner (I suggest 8-bit grayscale saved to uncompressed TIFF).
  2. Open the image of your signature in PSE. Crop it tight but leave a bit of space around the sides. Next use the "magic eraser" tool, with the tolerance set at 5, and click somewhere outside your signature. Now click inside of each "island of white" that the eraser tool didn't get to. When you're done, you should have no white left; just the signature and a grey and white checkered pattern in the background that indicates transparency. Save this image as a Photoshop PDF, which preserves the transparent background.
  3. Open a document you want to place the signature on (or just a random PDF if you just want to "install" your signature for the first time). Make sure you have the Comment & Markup toolbar visible with the Stamp tool ("View" > "Toolbars" > "Comment & Markup"). Click the triangle to the right of the Stamp icon in that toolbar and select "Create Custom Stamp...". Select the transparent PDF you created with PSE in the last step. If you don't have a "Signatures" Category here, create it. Name the stamp, something like "JLH Signature". Don't unclick the "Down sample..." checkbox; we don't want to kill files with an extremely large signature image!
  4. Now, you can "stamp" the signature on to signature lines in PDFs. You can adjust the size of the signature after stamping too.

(This post was inspired by the more comprehensive post by Rick Borstein at the Acrobat for Legal Professionals blog: "Creating a Transparent Signature Stamp")

Turning Tables on Censor Circumvention

hacks, open source, privacy, research, usability

Stanford's crypto group has just released a neat piece of research: Flash Proxies.

The idea is very cool: Since Tor can be blocked in a variety of ways in countries that practice heavy censorship, they seek to thwart attacks that involve blocking the list of Tor nodes by "matchmaking" 1) a censored user with 2) a proxy that is not blocked. They do this by creating a ton of censorship-circumvention nodes directly in web browsers via JavaScript and then coordinating traffic between these browsers and users living under censoring regimes (Iran, China, etc.). Web pages can embed a badge (an iframe that loads JavaScript) and then browsers that navigate to those pages automatically help route traffic through the censor's filtering system.

I've embedded the flashproxy on my home page and on this blog; presumably this means I can just leave a browser window open to my home page and help route traffic. Very cool! If you're reading this and the badge at the bottom of the screen is navy or light blue you are, respectively, waiting to route or currently routing Tor traffic. (If it is grey, you're on a mobile device or your browser doesn't support the particular flavor of WebSockets they use. If it is black, there's been an internal error; you'll see this if you block JavaScript from stanford.edu and/or bamsoftware.com -- the coordination server.)

(One wrinkle: if you want your web page to pass XHTML validation, remove the frameBorder="0" bit from their iframe and add style="border:0". That will ensure your pages validate and draw no border.)

I'll need to read their paper, but I have a few questions before I start:

  1. Is it ethically ok to use unassuming users to run code to help in censorship circumvention? Do we need a "Do Not Execute" browser flag/setting that asks sites to not run code that isn't needed for the immediate user experience?
  2. What is the effect, in terms of user experience (slowness, etc.) and in terms of user safety, of a web user happening upon a site with a flashproxy on it?
  3. What kinds of organizations should run flash proxies? (Google? Does the coordination mechanism scale?)

(After having read the paper and thought a bit...)

It strikes me that there are many organizations that would want to install this badge on their site but who also might find it ethically dubious to co-opt the browsers of unassuming web surfers that may not be loading the page to route Tor traffic. In addition to the other parameters that flashproxy.js allows badge installers to change, they should allow a setting that would load the proxy in a default "off" state. And in this state, by clicking a ">" button ("play" or "start") the proxy would start. This would allow organizations that aren't comfortable installing the badge in a default "on" state to have special pages that people could load -- "Click this badge to help internet freedom!", click on the badge to start the proxy and then leave the browser window open.

The paper doesn't indicate that they've tested the effects (CPU load, bandwidth) to a user-agent that loads the badge in the worst-case scenario -- routing 10 active proxies (the default maximum) at the default bandwidth for each proxy. The statements in the paper like:

The badge itself runs in the background and has no impact on the visitor's interaction with the volunteer site.

seem to imply that the site hosting the badge sees little impact because the code is run by the client browser. I first read this to mean that there's no impact to the user-agent running the proxy, but that cannot be correct (and this was confirmed by the flashproxy folks). Granted, this is very likely moot as the flashproxy is designed to be widely deployed such that any one browser will only rarely see a connection. That seems to be the case as I only rarely see connections when I load the badge in Chrome or Firefox.

[UPDATE 2012-07-18T09:45:29 EDT]: Removed the instructions to edit the frameBorder attribute as they've corrected it. Also added a bit at the end.

An Easy (if kludgy) Way to Clean Up Apps in iTunes

system, hacks

From time to time I use OmniDiskSweeper on my Mac to point out what parts of my hard drive are getting particularly full. Sure, computer scientists say, "Just buy more disk!" but I find it more useful to take the archivist's perspective -- one I first heard from my father, "when you file something, you should un-file something"; the point being that you must curate your data if you value it.

Today, I noticed that my ~/Music/iTunes/Mobile Applications/ folder was almost 25GB; very big. When I looked into it, there were a ton of old Apps that I don't use. It sounds like iTunes only recently started cleaning up after itself and deleting old Apps when new ones were released.

Poking around on the internet reveals there's no easy way to clean up the Mobile Applications folder. However, whereismyjetpac's answer on this thread provided a very workable answer: delete all the apps in iTunes and then restore purchases from your devices. This seems to work!

You have to be very careful, so here's what I did (I am not responsible for problems you create with your device after following these directions!):

  1. Delete Your Apps!: Make sure your device is not plugged into your computer. Open iTunes. Click on "Apps". Click on the view so that you see them in a list form. Select them all (Cmd-A) and delete them. When prompted, confirm that you want to move the files to the trash. (You can empty the trash now, but you're deleting all your apps! Do so carefully.)

  2. Restore Apps from Device!: Now, plug your device in, but very quickly cancel the sync. That is: IMMEDIATELY, click on your device and cancel any sync by clicking on the small "x" in the iTunes display at the top of the window. Right-click (control-click) on your device and select, "Transfer purchase from "foo"...", where "foo" is the name of your device.

At this point, it will sit there and very slowly upload all your apps from your device into your iTunes library. You'll have to do step 2 above with other devices you have associated with this iTunes Library.

mvsha1dir: Move a file to a hash-named directory

hacks, open source, secrecy, development

In 2007 I wrote a simple script that I use all the time: mvmd5dir.

It's a script that takes a file or list of files and moves each to a separate directory where the file's md5sum -- a cryptographic hash -- is the name of the directory. I use this all the time to share files on my webserver. This gives the files a bit of practical obscurity and makes it easy for recipients to verify the file corresponds to the link I sent. Like so:

https://josephhall.org/d8e8fca2dc0f896fd7cb4cb0031ba249/test.txt

However, the MD5 hash function is now seriously dead. Not so recently, cryptographers have found varieties of collisions (where two different inputs create the same hash value). Also, it was used recently inside the Flame virus in a very powerful chosen-prefix collision attack (where the attacker can change small parts of a fake document until he finds one with the same hash value as a target document). Even the (non-cryptographer) author of the widely-used password hashing algorithm based on md5 is imploring people to use something else.

So, it's about time I upgraded this simple script to use a less vulnerable hash algorithm. So here's mvsha1dir which does the same but for the SHA-1 hash value (you can check a SHA-1 hash of file foo at the command-line with openssl dgst -sha1 foo, if you have openssl installed). So, links will look like:

https://josephhall.org/4e1243bd22c66e76c2ba9eddc1f91394e57f9f83/test.txt

SHA-1 also has some theoretical collision problems, but it will suffice for some years until finding collisions becomes more efficient or computing power ramps up as it does. For usability's sake I upgrade conservatively here; an md5 hash is 32 characters, sha1 is 40 and sha224 is 56... and I don't want to make directory names too long too soon!

#!/bin/bash
#
# mvsha1dir (Time-stamp: <2012-06-11 10:00:58 josephhall>)
#
# This script accepts filenames from the command-line, then
# calculates the sha1 hash of the file, creates a directory
# named after the sha1 hash and finally moves the original
# file to the new directory. (This script is public domain.)
#
#
#wrap in for loop to handle multiple files
for oldName in "$@" ; do

    #skip anything that is not a regular file
    if [ ! -f "${oldName}" ] ; then
        echo "skipping ${oldName}: not a regular file" >&2
        continue
    fi

    #First, store the sha1 hash value in a variable.  NOTE:
    #the file is fed to openssl on stdin so the output never
    #contains the filename (which may itself contain spaces);
    #"cut" extracts hash value as 2nd field (`-f 2`) of a
    #list where the delimiter is a space (`-d " "`)
    sha1print=$(openssl dgst -sha1 < "${oldName}" | cut -f 2 -d " ")

    #create the new directory using the hash value
    #(-p: no error if it already exists)
    mkdir -p "${sha1print}"

    #mv the file to the new directory ("--" protects against
    #filenames that start with a dash)
    mv -- "${oldName}" "${sha1print}/"

    #report out to the user what we've done
    echo "just moved ${oldName} to ${sha1print}/$(basename "${oldName}")"

done

Copy this into a text file, save it as mvsha1dir, make it executable (chmod +x mvsha1dir) and move it to somewhere like /usr/bin/ to have it across your system.
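
The recipient's side of this scheme, checking that a downloaded file corresponds to the link it came from, as an added example that is not part of the original post or of mvsha1dir. The function names verify_link and hash_of are hypothetical, and the fallback to the coreutils md5sum/sha1sum/sha224sum tools when openssl is absent is an assumption.

```shell
#!/bin/bash
# Added example: verify a downloaded file against the hash-named
# directory in its link (as produced by mvmd5dir / mvsha1dir).

# hash_of ALGO FILE -> prints the lowercase hex digest of FILE.
# The file is read on stdin so its name never appears in the parsed output.
hash_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst "-$1" < "$2" | awk '{print $NF}'
    else
        "${1}sum" < "$2" | cut -d " " -f 1   # assumed coreutils fallback
    fi
}

# verify_link URL FILE -> returns 0 if FILE's digest equals the directory
# component of URL, 1 on mismatch, 2 if the URL carries no usable hash.
verify_link() {
    local url="$1" file="$2" dir algo
    dir=${url%/*}      # strip the trailing /filename
    dir=${dir##*/}     # keep only the last directory component
    dir=$(printf '%s' "$dir" | tr 'A-F' 'a-f')
    # The directory name must be hex and nothing else.
    case $dir in
        ''|*[!0-9a-f]*) echo "no hex hash directory in $url" >&2; return 2 ;;
    esac
    # Pick the algorithm from the digest length: 32, 40 or 56 hex characters.
    case ${#dir} in
        32) algo=md5 ;;
        40) algo=sha1 ;;
        56) algo=sha224 ;;
        *)  echo "unexpected hash length ${#dir} in $url" >&2; return 2 ;;
    esac
    # An MD5 match still gets a warning, since MD5 collisions are practical.
    [ "$algo" = md5 ] && echo "warning: md5 link, collisions are practical" >&2
    [ "$(hash_of "$algo" "$file")" = "$dir" ]
}
```

Both sample links in this post are the hashes of a file containing the single line "test", so `verify_link` returns 0 for either URL against such a file and 1 once the file's contents change.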

(cc) 2018 by Joseph Hall.