Thursday, June 30, 2005

I have to get out of this state

I just got a lovely little letter and bill from the Pennsylvania tax service. It seems that Pennsylvania has a law requiring people who make more than $8,000 that's not subject to employer withholding (say, selling stocks to pay for college tuition loans) to pay extra installments of taxes, even aside from the regular employer withholdings. If you don't pay, they charge you a "penalty" for underpayment. Of course, the only place this requirement seems to be documented is in the "Gotcha!" bill they send you after you file your tax return.

I wonder what the bill introducing this clever idea was titled. "Stealth Tax Increase Act"? "Screw The Taxpayer Act"? "Let's Build Another Highway And Name It After Bud Shuster Act"?

I suggest a new state motto: "Pennsylvania: Cynicism Lasts a Lifetime".

Wednesday, June 22, 2005

Curses! ... WIDE curses.

Over the last couple weeks, I've been discovering that the business of writing wide-character programs that use curses is almost completely undocumented. I'm trying to figure this out because there are apparently some people who seem to like utf8, and I want them to stop bothering me :-). I was wondering if anyone out there has experience getting ncurses to play nicely with Unicode (or, I suppose, other wide character) locales, and if so, if there's any standard documentation that I could be pointed at. The ncurses manpages have some general information, but they're missing key details (for instance, what are the precise semantics of getcchar/setcchar, and what character encoding should I be passing into them?), and it looks like I'll probably have to dig through the library code to get real answers. *sigh*...

[UPDATE] the library code reveals that my worst fears are realized. getcchar/setcchar operate on whole strings. But, you see, they only let you pass in a single attribute/color value. So despite the fact that you're supposedly manipulating attributes combined with text (like chtype), you're actually unable to do anything more complicated than set the attributes of a whole string at once -- or carefully feed your data to curses one character at a time, generating pointless single-character strings to do so! Ewwwwwwwwwwwwwwwwwwwwwwwwwwwwwww.

[UPDATE 2] In the previous update, I somehow missed the prominent usages of CCHARW_MAX in getcchar() and setcchar(). setcchar errors out if there are more than CCHARW_MAX characters in the string, and getcchar never copies more than CCHARW_MAX characters from its input cchar_t to the output. (there seems to be some funny business going on with the number of wchar_t values in the string vs wcslen, but I could well just be confused)

Monday, June 20, 2005

Credit Cards, Security, and Common Wisdom

The news media here are reporting about yet another massive leaking of credit card information. As usual, we get the hand-wringing about computer security at corporations, proposals to require tougher punitive actions against companies that have lax security, et cetera. Underlying every report is an assumption that this is just the way things have to be: of course companies have to amass huge databases of highly valuable financial identifiers, and of course the only way to mitigate the harm caused by individuals breaking into these databases is to tighten the security around them.

But wait just a moment here. What is a credit card number, anyway? A credit card number is essentially a token which means (translated to English) "I, Daniel Burrows, authorize the bearer of this card to incur indebtedness upon my behalf up to $LARGE_SUM_OF_MONEY." Shouldn't we at least think twice about spreading this sort of thing around? Again: I'm supposed to keep my credit card number a secret, but what earthly good is a secret that (by its very nature) I have to tell to large numbers of people?

Ok, so credit card numbers have problems, but is there any reason to think we can do better? Consider this question: why do we need credit card numbers in the first place? If you think about this a bit, you'll realize that the essential function that my credit card number serves is this: it proves my identity to the credit card company at the time that I use the card to fund a transaction. Can we do this without passing magic blank-check tokens around? Phrasing this more formally: is there a way for me to prove my identity, but without permitting the party to whom I am proving my identity to masquerade as me?

Well, readers with a technical background (especially any Debianites) should know that the answer is "of course there is!" (and the rest of you should have figured it out from the direction my rhetorical questions were tending ;-) ) In fact, this scenario is one of the key features of a modern public-key cryptographic system. Briefly, in a public-key system, I have a secret "key" that only I know -- no-one, and I mean no-one, besides me is allowed to know it. I also have a public "identity" corresponding to the private key -- everyone is allowed to know this. The system then defines techniques by which I can prove that I know the private key corresponding to my public identity.
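One way to make this concrete, as an added example that is not part of the original post: the cardholder signs a message naming the merchant, the amount and a one-time nonce, and the card company checks it against the public key it has on file. The choice of Ed25519, the message layout and every name here (`Issuer`, `Authorize`, `Settle`, `Demo`) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Issuer stands in for the card company: it holds only the PUBLIC key and used nonces.
type Issuer struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

// message binds a signature to one merchant, amount and nonce (layout is an assumption).
func message(merchant string, cents int64, nonce string) []byte {
	return []byte(fmt.Sprintf("pay|%q|%d|%q", merchant, cents, nonce))
}

// Authorize runs on the cardholder's side; the private key never leaves it.
func Authorize(priv ed25519.PrivateKey, merchant string, cents int64, nonce string) []byte {
	return ed25519.Sign(priv, message(merchant, cents, nonce))
}

// Settle is the issuer's check when a merchant presents an authorization.
func (is *Issuer) Settle(merchant string, cents int64, nonce string, sig []byte) error {
	if !ed25519.Verify(is.pub, message(merchant, cents, nonce), sig) {
		return fmt.Errorf("signature does not cover these transaction details")
	}
	if is.seen[nonce] {
		return fmt.Errorf("authorization already used")
	}
	is.seen[nonce] = true
	return nil
}

// Demo uses constructed sample values: an inflated charge, the honest one, then a replay.
func Demo() (inflated, honest, replay error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	is := &Issuer{pub: pub, seen: map[string]bool{}}
	sig := Authorize(priv, "bookshop", 1999, "n-0001")
	inflated = is.Settle("bookshop", 999900, "n-0001", sig) // merchant alters amount
	honest = is.Settle("bookshop", 1999, "n-0001", sig)
	replay = is.Settle("bookshop", 1999, "n-0001", sig) // same authorization again
	return
}

func main() { fmt.Println(Demo()) }
```

The merchant sees the signature and every transaction detail, yet only the honest charge settles: what it holds is useless for any other amount or for a second charge.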

Hopefully you can see some obvious applications of this idea to resolve the problems with credit cards, although of course this is just a sketch; there are issues I've glossed over or left unaddressed. However, the thing that really frustrates me is not merely that people have overlooked one technique or another; I'm not even especially bothered that we're still using the old horribly insecure system (even if a replacement system were ready to roll out today, it would take a long time to convert everything out there to use it). What bothers me is that there is this vast blind spot about the whole idea of credit card numbers. These things are a truly terrible idea in the modern day and age, and I wish more people would think just a level above the usual public discourse about them; not just "how do we fix the latest instance of this problem?", but "can we completely eliminate the cause of this class of problems?"

Or, <rhetoric>Stop trying to bail a ship full of holes, and ask yourself whether you need a new shipwright.</rhetoric>

Thursday, June 16, 2005

New Web Pages

After spending a day digging through HTML and CSS reference manuals, I've finally gotten myself up-to-date enough to make my personal Web pages look halfway decent. At least, they look halfway decent if you're using a CSS2.1-conformant browser. I don't have a convenient installation of IE on hand to check, but I suspect they probably look awful if you're using that browser. You should be able to see all the content, though; you'll just miss out on the attractive page organization. CSS has some warts, but the last time I seriously tried to write HTML was, oh, I think 1998-2000 or so, and it's SO much nicer than the horrible stuff you had to do back then.

Aside from that, I've been hanging out with family members I don't get to see much. I need to get back to the job hunt today (and I have to start packing up the stuff in my apartment and put it in Mom's garage^W^Wstorage, since it looks like I'll have to clear out of here before I have the income to rent a new apartment).

I was asked yesterday why I haven't written anything here about my plane trip home. The main reason is that I wanted to keep the ratio of complaints to interesting posts to a minimum. However, I will provide a free (yes, FREE) travel tip: don't fly USAir, and if you must, don't buy a ticket that connects in Philadelphia. And if you ignore my advice and get an itinerary that routes you through Philadelphia on USAir, make sure to take a comfortable pillow and some food, 'cause you could be hanging out there for a long time.

Thursday, June 09, 2005

Job Fairs

In my ongoing quest to find gainful employment, I decided to try a job fair in Seattle. Most of the companies there were looking to hire service-sector workers -- truck drivers, bank tellers, etc -- and when I asked about computer-related jobs, they said "oh, we do have some of those, but they're all in our corporate headquarters in [some far-away city]". There was only one company that was specifically in the computer field (some sort of consulting agency); their representative glanced at my resumé for a few seconds, then gave me a look of extreme pity and said, "I'm sorry, but all the experience you list is school-related...a Masters degree is something, I guess, but employers want a little more practical experience. Have you ever considered getting a certification?" I left the resumé with her anyway -- you never know what might help.

I do have a few leads to follow up on; maybe I can at least get an interview out of them. Aside from that, I guess I'll keep trying...by my reckoning, I can survive for a few more months before I get desperate enough to eat shoelaces or take a help-desk position. Or I could always try to get work at the elephant in the room... (you think it's a joke? You try living on shoelace soup, then!)

One question for the peanut gallery is whether certifications are actually useful at all, at least for getting a job. I doubt I'd learn anything from the course (at least, nothing I couldn't learn better on my own), and the whole thing seems like a racket to me, but if I'm learning one thing about the process of searching for a job, it's that it's full of pointless rackets.

[UPDATE] On a hunch, I looked up the company's Web site and BBB page. They are not a consulting company; they're a certification training company. I sort of suspected this at the fair, but their materials claimed they did consulting as well. So this is just the lowest form of deceptive, sleazy sales tactics (almost as bad as the guy from the Cult That Shall Not Be Named who came around claiming to be doing a survey) -- grab some naïve graduate who thinks you have jobs, cluck sadly at his resumé, then offer a solution in the form of services your firm just happens to be coincidentally selling. Another victory for "no matter how cynical I get, I just can't keep up"...

If I sound annoyed, well, I am.

[UPDATE 2] Thanks for the comments. I have to admit to a certain amount of exaggeration above -- I should be fine for 4-6 months or so, which I hope is enough time to find something decent. I'm not on a shoelace diet yet, just getting a bit frustrated and impatient :-).

Wednesday, June 08, 2005

I may be syndicated again (we can only hope)

I bugged mako about my blog (and other blogs on Blogspot) not showing up on the Planet, and he thinks he's fixed it. If he's right, this utterly pointless post should show up there. [UPDATE] It worked! Thanks, mako!