Gentoo - 7

Okay, let's be a bit sentimental. Years ago, back when I started using linux, I found a nice little browser called galeon, the default browser of gnome in that time (yes, I also was a gnome-user back then), based on the mozilla/gecko engine. I liked it, because in those days, it was the only browser really having all those features I wanted to have (I especially remember that it was near to impossible to get browsers to open *everything* in a tab).
Someday some gnome people started another browser called epiphany, which quickly became the default for gnome. I never liked it. It lacked features all over, it had no real bookmark management (yes, I know that some people state that it's bookmark management is great), it opened everything in a new window, it just sucked.

Well, in the meantime I've switched 90% of my apps to KDE ones, I'm happily browsing with konqueror, while I' still maintaining the gentoo package of galeon and I start it from time to time when I need to check something with gecko. Recently the galeon-devs announced to stop the development and concentrate their work on epiphany-extensions. It seems that epiphany isn't the feature-lacking piece of code it was back then, they even have something that can be called a bookmark management I heard. Today the galeon-team released 2.0.0, one of the probably last versions, you can expect continuing updates for the gentoo-packages from me as long as there are new releases and they can be built against new firefox versions.

As I belong to the people being so crazy to build their gentoo with gcc 4, I also need the -*-keyworded glibc, finding out that the latest version says:

Portage have a serious bug in regards to symlinks, and merging this with current versions will fail!

!!! ERROR: sys-libs/glibc-2.3.6 failed.
!!! Function pkg_setup, Line 1071, Exitcode 0
!!! Portage sucks.

As Netzpolitik is reporting about the german Tagesschau having a video podcast, I was looking around for free video podcasting (or vlogging) clients.

While with amarok, we have a great audio player supporting podcasts, the most common free video players don't have any support for feeds (xine, totem, kaffeine). vlc seems to have something in svn, but not for the current and the next version. I've once tried this, but failed to get it running.

After some googling around, kmplayer seems to be the solution. kmplayer can use rss-feeds from podcasts as playlists, supports several backends (mplayer, xine, gstreamer) and is probably worth having a closer look at it.

The Hugi Diskmag, which is a diskmag (ok, not really on disks any more) of the demoscene, just released it's 31th issue, containing my article about the demoscene and free software I've published here a while bag.

Hugi is released as a windows-executable, the windowed mode works fine in WINE, the fullscreen-mode doesn't (any wine-hackers around that want to fix this?).

As you may have heard, the WINE-project, which let's you run Windows programs in Linux, released it's first beta version after a long time.
I've been a demoscener for a long time, while with my switch to linux some years ago, I couldn't watch most demos any more (and having a windows partition just because of that was too much hassle, I like my laptop windows-free).

Today I was playing around how well WINE performs with Demos and was quite impressed. My experiences in the past were mostly that WINE only produces error messages and never runs anything. After DasTier (still not blogging) told me that probably my sound settings are wrong and I have to set it to "driver emulation" in winecfg, I could run a couple of older windows-demos and intros, I had at least The Product (FarbRausch), Kötterdämmerung (SquoQuo), Störfall Ost (Freestyle) and Raving Tomatoes - Biomutating Planet Acid running (just some random ones I tried out).
I failed to run more recent stuff, at first because my graphics hardware won't manage that (just a Radeon 9200) and second because of the limited shader support in WINE.

Motivated by that, I also could run the legendary Second Reality (Future Crew) (hey, did you know that it has a hidden part?) in DosBox.

I'm thinking about creating a project for building a database of working demos and writing qualified bug-reports/patches for non-working ones.

Everybody seems to talk about flock today (via BoingBoing). Flock is a web browser based on Firefox supporting features like direct tagging of links, uploading them to del.icio.us, blogging, uploading images to flickr and things like that.

It's surely a nice idea to integrate all those social software into easy to use applications, so more people get to know blogs and all that stuff. Although I'm a bit sceptically about centralised services like flick or del.icio.us, I prefere more standardised, decentralized services that everyone can use with his own software (Blogs, Podcasts and things like that).

I'd prefer to blog this entry with flock, but it seems not to support serendipity yet, at least I couldn't get it to work.

Get Flock today, probably no distribution packages for anything yet, but the binary just works when running from it's unpacked dir without installing anything.

For people who like to play around with crazy bleeding edge stuff (who doesn't?), I've created cvs ebuilds for Luminocity (the wobbling windows effect) and cairo-gtk-engine (gtk theme engine using the possibilities of cairo).
See Seth Nickell's blog for information, screenshots etc., I also made a video of luminocity a while ago.

For luminocity you need to switch to the modular x ebuilds and the kdrive-snapshot, if you have it installed, run it with:
Xfake :1 -ac -screen 1024x3072x32 &
DISPLAY=:1 xterm &
luminocity :1

cairo-gtk-engine can be installed right away as long as you are using unstable (~x86) gtk+ and cairo versions (then copy over /usr/share/themes/Caligula*/gtk/gtkrc to ~/gtkrc-2.0).

Recently I've been playing around with testing HD videos based on the H264-codec. For those who don't know, HD videos are video files with very high quality and resolution. The upcoming HDTV television standard is based on that (which is quite problematic due to the HDCP copy protection, but that's not the topic of this article).
Apple recently released Quicktime 7 to play HD mov files, Microsoft supports WMV HD videos in it's Media Player. HD videos are available in three qualities, 420p, 720p and 1080p.

For the system requirements of 720p-videos in Quicktime, Apple says:
2.8 GHz Pentium 4 or faster processor, At least 512MB of RAM, 64MB or greater video card
And even more for 1080p:
3.0 Ghz Intel Pentium D (dual-core) or faster processor, At least 1GB of RAM, 64MB or greater video card
As my system doesn't really fit these requirements (1,5 GHz Pentium M, 512MB RAM, 128 MB video card), I was quite impressed that I could run a bunch of videos in quite reasonable speed and quality with linux software.

Trying out various players the cvs-version of mplayer did it best for me. Pretty much every player available on linux uses ffmpeg for H264-decoding, so they should do all, but there have been a bunch of important fixes in ffmpeg recently and this is quite the easiest way to get a recent ffmpeg-version running.
Running mplayer with these options gave me the best results:
mplayer -lavdopts skiploopfilter=all -framedrop -fs [videofile]
-fs is for playing the video in fullscreen (you don't want to play HD videos in a window), -framedrop let's mplayer skip frames when your system is too slow (else it will be out of sync very fast, some framedrops don't really hurt). About the -lavdopts skiploopfilter=all, I don't really know the details of video codecs, as far as I understood, this disables some steps in the decoding that shouldn't be needed on most videos, but can result in wrong decoding. I couldn't see any differences, it improves the speed quite a lot.

Now I could play all 420p and 720p videos at pretty reasonable speed. I especially liked this BBC one showing african animals and landscape. For the 1080p ones, it differs. This Trailer for "The Island" runs pretty well, others don't.

Bugs: Some videos cause mplayer to crash. On my radeon, the mplayer xv output has a problem with the large videos (width of 1900) displaying a pink block on the right side. I've written bug-reports and hope those things get resolved soon.

To sum it, I'd call linux pretty much "HD ready", beside some small issues it plays the HD stuff very well and with impressive performance.

Places to get HD videos:
Microsoft WMV HD Content Showcase
Apple HD Gallery

After commiting a compile-fix for kmail, I finally managed to switch to KDE 3.5 Alpha. As you can see on the right, Konqueror now passes the acid2 browser test for standards compatibility (beside Safari it's the only Browser that does - Internet Explorer, Firefox and Opera all fail, Microsoft already announced that even IE7 won't be able to pass acid2 - I wonder what the IE-devs are doing all day).
Probably more interesting for reality usage is that kde 3.5 finally supports automounting based on pmount with the new hal/dbus-API. I also happily noticed they fixed an annoying bug in konquerors ssl-handling when trying to permanently accept certificates that were issued for wrong hostnames.
Gentoo users can try it out by copying the kde 3.5 section from the package.mask-file to /etc/portage/package.unmask.

As the German News-page Golem writes, Firefox is going to drop obsolete SSLv2 support in it's next version, because it has known vulnerabilities by design.
While this is in general a very good idea to make things "secure by default", it will probably lead to people crying "Firefox can't open URL xy any more". We have a vast number of deprecated servers, applications etc. that just don't support up-to-date security standards and weren't updated for ages.

Even SSLv3 supports a lot of weak ciphers, like Single-DES, RC4 etc., that are known to be broken for ages. Not to talk about things like RSA 1024 or SHA1, that are not yet broken in reality, but probably will be at some time in the future.
The implementation of secure standards in todays software is far away from what's neccessary for high security applications.

We need to get rid of all that old cruft. High security is possible with today's cryptography, but we have to use it and we have to design applications that use secure technology by default.

As the article some days ago about SHA1 got a lot of interest, I thought I'll write some more background info about this, especially for people thinking that collisions aren't a big problem.

Cryptographic hash functions are functions where you can put a string of any length and get a fixed-size result. E. g. with SHA1, you get 160 bit, with MD5 128 bit. The hash-function has to fulfill some requirements:
- It should be hard to get two strings with the same hash (collision-resistant).
- It should be hard to get a string to a given hash (one-way-function).
To be more precise: In an optimal case, hard means that it shouldn't be possible with all hardware on earth in the timeframe that your cryptography needs to be secure. Some examples where cryptographic hashes are used are shadown-passwords, digital signatures or verification of file downloads.

I found this a while ago and thought it's worth mentioning. Secret Maryo Chronicles is a Mario-Clone and seems to be one of the better ones. It's in a quite early stage, but with some talented level designers it could evolve to something really nice.
The gameplay is a bit different from the original games, it doesn't have a speedup-button. It's features are comparable to Super Mario Bros, while it's graphics are more like Super Mario World.
It's free software and it's available for Windows and Linux.

Xiaoyun Wang, chinese cryptographer and well known for her analysis of the SHA1 function, was not allowed to travel to the US to attend the Crypto conference starting today (via Bruce Schneier).

Too bad, because she discovered some new results on the attacks on SHA1, which reduce it to a complexity of 2^63 to generate a collission. Adi Shamir, well known cryptographer and one of the RSA-inventors, presented these results.
These news are important, because 2^63 is a complexity that can be broken with todays hardware if you invest enough money and time. This would be an interesting project for distributed computing, although I don't know if the attack can be implemented on common hardware (maybe someone with cryptographic experiences wants to comment if this is possible).

Too bad that most software devs have not noticed the recent results on hash-functions. Most of them still use MD5 (which has been broken about a year ago), SHA-1 is widely used. The GNU Coreutils don't have any tools for modern hash-functions, same goes with most programming languages (PHP, Python), while they implement some sort of md5sum or sha1sum, no sha256sum or whirlpoolsum at all.

I recently installed privoxy and tor and Lars asked me to write some words about it. So here it goes:

Privoxy is an ad-blocking proxy, which means it filters out banners, pop-ups and other annoying stuff. It's highly configurable, but I use it in the basic configuration, which should be enough for most needs. The advantage is that privoxy, unlike for example the firefox ad-block extensions, can be used within any browser. It's the successor of junkbuster.
tor is a project by the Electronic Frontier Foundation, an internet anonymizing system. It's internals are complex, but the basic funktion is that you connect encrypted to a tor-node, it forwards your request through several other tor-nodes and then it get's answered. It doesn't provide full anonymity, you have to trust the tor-node you connect to. But it's definitely better than nothing.

Both integrate well, if you are a Gentoo user, just emerge tor pricoxy, add forward-socks4a / localhost:9050 . to your /etc/privoxy/config, copy the torrc.sample to torrc (in /etc/tor), add both to your runlevels (rc-update add tor default, rc-update add privoxy default) and you are done.
Now set your Browser to use Proxy localhost and Port 8118.
For other Linux-Distributions, it's probably similar. I have no idea if and how tor and privoxy work on other OSes (especially the evil one with the W), so don't ask me, you'll have to find out yourself.

This will save you some privacy and you'll get rid from a lot of internet ads.

Note: tor had some security-issues recently, so take care that you use the latest version available (0.1.0.14).

Stefan Esser, who writes a blog about php security that is really worth reading, discovered several vulnerabilities in the PEAR XMLRPC lib. Various PHP applications use this, especially all major blog-systems, including wordpress and serendipity. So please update your blog-software.