Internet Explorer image caching revisited

A few days ago “I complained about Internet Explorer”:

Google searching leads me to believe that MSIE doesn’t send If-Modified-Since: headers for images (and possibly other files, like CSS); instead, it expects to see an Expires: header in the HTTP response (It will also apparently listen to Cache-Control: headers). The beauty of standards is that there are so many to choose from…

More Googling led me to the following configuration directives for Apache:

   ExpiresActive On
   ExpiresByType image/gif "access plus 1 week"
   ExpiresByType image/jpeg "access plus 1 week"
   ExpiresByType image/png "access plus 1 week"

(It’s possible that image/* will work; I haven’t tried it).

I hope this helps someone else; I hope it helps me remember next time :-)
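To make the mechanics concrete, here is an added example (not code from the original post, and not Apache’s own implementation) that emulates what mod_expires emits for a phrase like “access plus 1 week” and what a cache does with the result: it checks freshness from Cache-Control: max-age or Expires, and, once stale, builds the conditional request whose 304 reply avoids re-downloading the image. The timeline and dates are constructed.

```python
"""Freshness and revalidation logic behind Expires / Cache-Control.

Added example (not from the original post): emulates what mod_expires
emits for "access plus 1 week" and what a cache does with the result."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Seconds per unit as mod_expires counts them (a month is 30 days, a year 365).
_UNIT_SECONDS = {
    "second": 1, "minute": 60, "hour": 3600, "day": 86400,
    "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400,
}


def expires_from_spec(spec, access_time, last_modified=None):
    """Turn an ExpiresByType phrase such as "access plus 1 week" into an
    absolute Expires time.  The phrase is a base ("access", "now" or
    "modification"), an optional "plus", then one or more "<n> <unit>" pairs."""
    tokens = spec.split()
    if tokens[0] in ("access", "now"):
        start = access_time
    elif tokens[0] == "modification":
        if last_modified is None:
            raise ValueError("modification-based lifetime needs Last-Modified")
        start = last_modified
    else:
        raise ValueError("unknown base %r" % tokens[0])
    rest = [t for t in tokens[1:] if t != "plus"]
    if not rest or len(rest) % 2:
        raise ValueError("expected <number> <unit> pairs in %r" % spec)
    seconds = sum(int(n) * _UNIT_SECONDS[u.rstrip("s")]
                  for n, u in zip(rest[0::2], rest[1::2]))
    return start + timedelta(seconds=seconds)


def response_headers(spec, access_time, last_modified):
    """Server side: the caching headers an image response carries under the
    given ExpiresByType phrase.  mod_expires sets both Expires and
    Cache-Control: max-age for the same lifetime."""
    expires = expires_from_spec(spec, access_time, last_modified)
    return {
        "Date": format_datetime(access_time, usegmt=True),
        "Last-Modified": format_datetime(last_modified, usegmt=True),
        "Expires": format_datetime(expires, usegmt=True),
        "Cache-Control": "max-age=%d" % (expires - access_time).total_seconds(),
    }


def is_fresh(headers, now):
    """Client side: may the cached copy be reused without asking the server?
    max-age wins over Expires when both are present."""
    date = parsedate_to_datetime(headers["Date"])
    for directive in headers.get("Cache-Control", "").split(","):
        directive = directive.strip()
        if directive.startswith("max-age="):
            return now < date + timedelta(seconds=int(directive[8:]))
    if "Expires" in headers:
        return now < parsedate_to_datetime(headers["Expires"])
    # No explicit lifetime, so the client must go back to the server.  A
    # well-behaved cache does so conditionally; the post observed MSIE simply
    # refetching the images.
    return False


def conditional_request_headers(headers):
    """Headers for a conditional GET; the server replies 304 Not Modified if
    the validators still match, so only headers cross the wire."""
    out = {}
    if "Last-Modified" in headers:
        out["If-Modified-Since"] = headers["Last-Modified"]
    if "ETag" in headers:
        out["If-None-Match"] = headers["ETag"]
    return out


def walkthrough():
    """Constructed timeline: the image is fetched once, then revisited three
    days and eight days later."""
    access = datetime(2004, 8, 26, 10, 50, tzinfo=timezone.utc)
    modified = datetime(2004, 8, 1, tzinfo=timezone.utc)
    with_expires = response_headers("access plus 1 week", access, modified)
    without = {"Date": with_expires["Date"],
               "Last-Modified": with_expires["Last-Modified"]}
    return {
        "expires": with_expires["Expires"],
        "max_age": with_expires["Cache-Control"],
        "fresh_after_3_days": is_fresh(with_expires, access + timedelta(days=3)),
        "fresh_after_8_days": is_fresh(with_expires, access + timedelta(days=8)),
        "fresh_without_lifetime": is_fresh(without, access + timedelta(seconds=1)),
        "revalidation": conditional_request_headers(with_expires),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print("%-24s %s" % (key, value))
```

The point of the walkthrough is the last two entries: without an explicit lifetime the cache has nothing to go on and must contact the server every time, whereas with the Expires header the image is served locally for a week and afterwards costs only a conditional request.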

posted at 10:50 am on Thursday, August 26, 2004 in Site News | Comments Off on Internet Explorer image caching revisited

Defense in Depth

I’ve visited lots of old fortresses in Canada, and a few in Europe, and I remember learning about defense in depth. This is the idea that your assets should be surrounded by multiple separate layers of defenses to make it harder for the barbarian hordes (or Americans :-) to break in. Ideally the defenses should be _different_, so that if a simple technique of defeating one is discovered, it doesn’t help against the others.

The forts I’ve visited are typically on a hill (so that you can see the enemy coming and prepare). But they’re also sunk into the hill, with sloping outer walls, to defend the inner walls against artillery. They’re surrounded by open fields (no trees or brush). The outer wall has gun emplacements, to mow down anyone trying to cross those fields. There is a deep trench between the inner and outer walls, deep enough that attackers must climb down, slowing them down. The inner walls are full of small, narrow windows to allow the defenders to shoot at anyone trying to cross the trench. The inner walls usually have towers that project into the trench, so that people trying to climb the inner walls aren’t hidden from defenders inside the walls; those attackers can be attacked from the towers. The important buildings inside the inner walls have their own defenses. And so on.

Of course, a few carefully placed shells from a battleship and the fort is history; but that’s progress for you.

Anyway, to make a long story short, here’s Robert Scoble’s “defense in depth strategy for Windows XP”: – enjoy!

posted at 7:11 pm on Tuesday, August 24, 2004 in Security | Comments Off on Defense in Depth

RSS overload

I haven’t even gone on vacation yet, and I already have almost 1000 unread items in my RSS reader. This feels just like the early days of the death of Usenet, when there was simply too much to read (and the signal to noise ratio was dropping with every new message, but that’s another rant).

I just dropped about a dozen feeds; mainly mainstream stuff like Engadget and Gizmodo and a few news sources. They were interesting, but ultimately too much work to read. (Since when did reading blogs become _work_, anyway?). The _really_ interesting stuff gets forwarded to me by other people, or referenced in other weblogs, so I usually see it anyway.

That takes me down to 500 unreads… maybe I’ll drop the cesspool that is /. while I’m at it :-)

posted at 9:21 pm on Monday, August 23, 2004 in Personal | Comments (1)
  1. David Brake says:

    Unlike usenet you can have a little more fine-grained control since a good number of your RSS items will be from individual people whose content you trust to be occasionally interesting at least. You could always set up an RSS feed that only gave you /. items matching a given search term (using google alert for example?)

Argh; MSIE and bandwidth

It appears that if you set the Cache settings in IE to “Automatically” or “Every visit to the page”, then every time you visit a page at IE fetches all page objects (page, CSS, favicon, embedded images). For some of them, it is sending the If-Modified-Since: header (I see 304 responses for the blog CSS, for example), but it does not seem to be sending If-Modified-Since: for the banner JPEGs. This means that MSIE visitors download the banners several times in a row as they browse the site. This not only wastes my bandwidth, but it also interferes with their experience, since they have to wait for the banner to download on every page visit.

I’ve noticed IE doing this before on the client side with image-intensive applications (like MovableType :-), but I hadn’t investigated until recently, when a small increase in visitors to my blog site _doubled_ the bandwidth used…

Is this a known IE bug? Is there anything I can do on the server side to work around it? The investigation continues…

posted at 8:44 am on Saturday, August 21, 2004 in Rants, Site News | Comments (2)
  1. Reid says:

    You could conditionally use a low-res substitute for IE users..

  2. Harald says:

    An excellent suggestion, and trivial to implement. Since WordPress already shoves a bunch of rewrite rules into a .htaccess file, it is trivial to add another one to conditionally rewrite the .jpg URLs for MSIE users. I’ve compressed the JPEGs to about 20% of their original size. The quality suffers, but less than I expected it would…

looming energy crisis?

These days it is stories like these that keep me awake at night.

* “China – An Energy Timebomb?”:
* “Basic Choices and Constraints on Long−Term Energy Supplies”:

Basically: We’ll run out of oil in my lifetime; long before that, it will be expensive, and then rationed. Alternative sources simply can’t fill the gap; we do not have the capability to replace just our electricity needs with renewable energy, never mind our other energy needs. Even if North America switched to nuclear power, we’d run out of fuel in 35-58 years, a mere band-aid for the problem.

Meanwhile, SUVs are the fastest growing market segment in China, and GM is actively marketing them.

I haven’t the faintest idea what we’re going to do about this looming crisis; I do know that our current technique (hiding our heads in the sand) isn’t going to cut it.

posted at 6:38 pm on Friday, August 20, 2004 in Current Events, Science and Technology | Comments (5)
  1. Greg Wilson says:

    When OPEC turned the screws in the 70s, the market responded very quickly. Within five years, German and Japanese compact cars had made significant inroads into the American market, American manufacturers were downsizing their vehicles (as well as their plants) in response, and energy-efficient appliances were coming onto the market. As energy becomes more expensive over the next 20 years, I expect the same market forces will have the same effect. The real question is whether any of our elected leaders will be forward-looking enough to push us that way ahead of the rest of the planet, so that we can sell to them the way the Germans and Japanese sold to us 25 years ago. Reducing income taxes, while increasing sales tax on both fuel and fuel-inefficient machinery (factories and cars in particular) would be a revenue-neutral way to do it…

  2. Jeff K says:

    “Forward-looking” “elected leaders”? Hell, I hope you like horses!

  3. Harry Neff says:

    One statement and 3 responses to this crisis…. That should show us the real apathy around this country on the subject…. When we’re out of reserves, fuel is $8+ per gallon and we’re all buying/riding horses or bicycles, maybe the collective will wake up.
    My grandchildren (now 1 – 7) will be left to solve this, I’m afraid.

  4. Jeff K says:

    I think even saying it is our grandchildren may be optimistic. I’ve read a number of books on the subject, and they all think that military might will protect the oil reserves for the western world. Unfortunately, might is not always right, *money* often trumps, and if China needs fuel to produce goods for the rest of the world, a worthy task, the people paying for the goods coming from China will be driving up their own fuel costs. My guess is that it would be less than 20 years before we’re making serious choices in the west to our personal transportation in order to keep the economy running efficiently because production is in Asia, not here. I’ve met people who said 3 years ago they couldn’t pay $1/L for gas. I often pay close to $1/L now for 94 octane gas… For some people then, the future is *now* (although, I’ve noticed these same people still buy the gas)

    Anyway, there is risk to any planning. I think the plan should be to estimate the cost and time to electrify suburban & inter-city rail, build the nuclear power-plants to power them, eliminate the tax on diesel fuel and ban the use of diesel in personal autos and ban the use of natural gas in power-plants. Then the plan should sit on a shelf waiting for the crisis to become more obvious to the stupid.

  5. Jeff K says:

    Btw, on Thu or Wed the National Post ran an article about the worsening crisis. Apparently not only do we have to worry about China, but the U.S. may want to reduce its dependence on mid-east oil, thus increasing its desire to buy Canadian oil. I think in the long run that’s fine, but there’s a lot of construction that has to be done before supply can meet demand in that situation, I believe.

Re: oops

So after looking at “the mail I accidentally misfiled”: there were, in fact, about 150 spam (almost 50%). has completely revamped their spam filtering service since I last looked; I can now monitor rejections, forward messages to myself, and add whitelist entries, all through a fairly simple interface. I’ve switched it on; so far one spam has gotten through, with no false positives…

posted at 9:11 am on Tuesday, August 17, 2004 in Personal, Security | Comments (3)
  1. Reid says:

    Have you looked into Sender Policy Framework yet? I was thinking of doing that. Not sure if will let me edit the appropriate bits of my DNS record though..

  2. Harald says:

    # dig txt 3600 IN TXT "v=spf1 a mx ip4: -all"

  3. Reid says:

    I checked, and I can’t see any way to set the TXT field of my DNS record via’s web interface. Well, maybe it’s time to move away from hmm.
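Since the thread above is about publishing an SPF record, here is an added example (not from the post or its comments) of what a receiving mail server does with one: it walks the mechanisms of a “v=spf1 a mx ip4:… -all” record in order and returns the result for the connecting client address. The DNS data is constructed, because the domain and the ip4 address were not in the comment; example.net and RFC 5737 documentation addresses stand in for them.

```python
"""Evaluate an SPF record against a connecting client address.

Added example (not from the comments above).  The DNS data is constructed:
the post's record had its domain and ip4 address stripped, so example.net and
RFC 5737 documentation addresses stand in for them."""
import ipaddress

DNS = {
    "A": {"example.net": ["192.0.2.10"], "mail.example.net": ["192.0.2.25"]},
    "MX": {"example.net": ["mail.example.net"]},
    "TXT": {"example.net": ["v=spf1 a mx ip4:198.51.100.0/24 -all"],
            "nospf.example": ["some unrelated TXT record"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=DNS):
    """Return pass / fail / softfail / neutral / none / permerror for a mail
    client at `ip` claiming to send for `domain`.  Mechanisms are tried in
    order and the first match decides, which is why "-all" belongs last.
    Handles a, mx, ip4 and all, i.e. everything the record above uses."""
    records = [t for t in dns["TXT"].get(domain, []) if t.startswith("v=spf1 ")]
    if not records:
        return "none"            # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"       # RFC 7208: several records is an error
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"          # a bare mechanism means "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain   # a/mx default to the domain being checked
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(client) in dns["A"].get(target, [])
        elif name == "mx":
            matched = any(str(client) in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(target, []))
        else:
            return "permerror"   # mechanism this evaluator does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"             # fell off the end of the record


if __name__ == "__main__":
    for client_ip in ("192.0.2.10", "192.0.2.25", "198.51.100.99", "203.0.113.5"):
        print(client_ip, check_host(client_ip, "example.net"))
```

With the record above, the web host (a), the MX host (mx) and the extra ip4 range all pass, and everything else fails because of the trailing -all; a domain with no record yields none, which is what a receiver sees for a provider that will not let you set the TXT field.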

Kids Plus Rocks Equals 120,000 Angry Bees


Yahoo! News – Kids Plus Rocks Equals 120,000 Angry Bees

Reminds me of watching “The Swarm”: when I was a kid. Not so amusing is that African “killer” bees are “slowly moving north”: across the USA, and interbreeding with our European honey bees…

posted at 10:02 pm on Monday, August 16, 2004 in Current Events, Science and Technology | Comments Off on Kids Plus Rocks Equals 120,000 Angry Bees


I found the problem.

Due to a typo in my .procmailrc, all of my incoming mail was being saved to the folder


Which isn’t terribly useful, is it?

posted at 7:41 am on Monday, August 16, 2004 in General | Comments (1)
  1. Reid says:

    Ha hah ah ahahahahaha…..

    *smrf* .. sorry, but that is way too familiar. I did something similar with all of Luisa’s email going to a folder named “spam”..


Very strange.

I just came back from a weekend of camping to find one new message in my inbox, and zero messages in my spam and spamMaybe boxes.

I’ve checked all the logs, and everything _seems_ to be working properly…

posted at 11:01 pm on Sunday, August 15, 2004 in Personal, Security | Comments Off on SPAM

Active Directory

It is very easy to setup a self-contained network, with a Domain Controller, using Active Directory. Too easy, in fact; I’m on my third attempt :-).

I’m using cloned hard disk images under Microsoft Virtual PC, which caused my latest problem; Active Directory let me register a computer in the domain with the same name as the domain controller. Needless to say, _nothing_ worked after that. The reason this happened was because I tried to rename the image _and_ join the domain at the same time; Windows 2000 apparently joins the domain _first_, then attempts to rename the computer. This surprised me :-)

Fortunately, I had a master disk image, so it was trivial to restart from a fresh install and rebuild the domain controller (which, thanks to Microsoft’s wizards, is easy). But then I had to rebuild the two child domain controllers, since they refused to “demote” themselves when the domain master was unavailable.

Sadly, all of this is _time consuming_, even when the host is a P4 2.8 with 1Gb of memory and oodles of disk bandwidth…

posted at 9:32 pm on Thursday, August 12, 2004 in Personal, Science and Technology, Security | Comments (1)
  1. Reid says:

    It took me a moment to figure out what you meant by PIV. I thought it was some sort of PVC pipe variant for plumbing or something!

    I think P4 is easier to grok.. :)

watching the weather

I derive a certain perverse pleasure from watching the weather forecast for eastern Ontario changing every 12 hours. Apparently nobody can predict where those two hurricanes are going to go next :-)

posted at 9:26 pm on Thursday, August 12, 2004 in Personal | Comments Off on watching the weather

passwords and PKI

“Denise Anthony”: doesn’t mention her security research on her “home page”:, but the “slides from her presentation”: are available on the “Dartmouth PKI Unlocked Summit and Workshop”: page, which I found after a bit of Googling led me to the “Dartmouth PKI Lab Outreach Web Home”: page. There’s a bunch of good stuff buried in there, especially deployment tips, and the “Dartmouth OpenCA – LiveCD”: looks especially interesting; I’m going to try it out in my testing lab soon.

posted at 9:44 am on Wednesday, August 11, 2004 in Security | Comments (4)
  1. Greg Wilson says:

    Your “testing lab”? Does that come complete with lightning rods, bubbling beakers, and an igor?

  2. Harald says:


    Sadly, no. About the only exciting thing about my testing lab is that one of the computers isn’t under the desk, which caught the attention of the Health and Safety droids…

  3. Reid says:

    “caught the attention of the Health and Safety droids…”??

    Okay, I sense an untold story here…

  4. Harald says:

    It’s simple, actually. One of my 9 desktops masquerading as servers is _not_ under a desk; it is instead sitting on the floor in front of all of the other computers under the desk. Despite the fact that this is not in a corridor or anything else vaguely resembling anything other than a _desk_, this is apparently a Class B Safety Hazard (insert ominous music here :-)

passwords in the news

I can’t find it now, but I remember reading recently about another “cross-discipline” team that discovered all sorts of interesting things, because each member of the team had a different way of looking at the data. Now a PKI research group has attached a sociologist to the team, and that is “starting to produce insight”:

bq. A recent survey found that 75 percent of Dartmouth students have shared their network passwords. “They like having people who know their password,” explained “Denise Anthony”:, a sociologist who spoke at the PKI summit conference I attended earlier this month. “They like having someone who can check their e-mail for them or log them in to places where they’re supposed to be.”

bq. Professor Anthony’s talk was dramatically different and showed why it was a really smart move to attach a sociologist to Dartmouth’s PKI research group. As security technologists, we’re easily dazzled by our shiny cryptographic swords. But while we’re brandishing our swords, our users — like Indiana Jones in that famous scene from Raiders of the Lost Ark — might simply pull out their guns and shoot us. Better security protocols alone can’t thwart such game-changing behavior. We need to understand what motivates the behavior and figure out which carrots and sticks will influence it.

bq. It’s a given that most people take the path of least resistance. So, for example, two-thirds of Dartmouth students never change their passwords during their four years of enrollment. And most reuse their internal passwords for external sites such as The New York Times and How do they perceive the risk associated with such behavior? According to Anthony, it’s a tragedy of the commons. The network is a collective resource, but people connected to the network feel that they’re consuming a private good. Their subjective view, she says, is this: “I’m in my office. I’m using my computer. It doesn’t feel like I’m part of a group. I don’t recognize how my behavior affects you.”

InfoWorld: Tragedy of the network commons

posted at 9:44 am on Wednesday, August 11, 2004 in Science and Technology, Security | Comments Off on passwords in the news


Fragile like my hold on reality

posted at 10:44 pm on Tuesday, August 10, 2004 in Humour, Links | Comments Off on Fragile

spam source

Ok, so it turns out that all (well, 125 of 126 :-) of the spam I’m getting these days is coming through my address. The greylisting is working fine, in other words :-)

It’s been great having a portable email address, but now that I pay real money for my own domains, maybe it is time to switch over. I can do more accurate spam filtering on my personal server than they can on their shared servers. Unfortunately, the massive spam volumes floating around these days are forcing us to these drastic measures. I’m beginning to believe the pessimists; e-mail is dying…

posted at 10:57 pm on Sunday, August 08, 2004 in General, Security, Site News | Comments (1)
  1. Re: oops
    So after looking at “the mail I accidentally misfiled”: there were, in fact, about 150 spam (almost 50%). has completely revamped their spam filtering service since I last looked; I can n…

greylist results revisited

So maybe I spoke too soon; in “greylist results”: I said that my spam volume had gone way down. Well, it has come back up again. I’ll have to write scripts to prove it, but I have a theory.

Machines owned by spammers are being used relatively infrequently, maybe to reduce the chances of getting detected and blacklisted? So the first time a spam host shows up, it gets greylisted. But if they show up again a day or a week later, they get past the greylist filter, because they’re now in the cache (but haven’t been expired yet).

Maybe a fix would be to put two cache timeouts in; the first would be for machines that have not yet successfully delivered a message (i.e. by retrying the original delivery), and would be relatively short, probably less than a day. The second would be the existing long timeout for machines that have already passed the first test.

That would eliminate spam machines that only show up infrequently. I don’t know whether it is worth the effort, though.

On the plus side, greylisting _is_ still keeping out the virus traffic…
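To check the theory, here is an added example (not the post’s own greylisting setup) that models a greylist with the two timeouts proposed above and runs the same constructed traffic through it and through a classic single-timeout configuration. The timeouts, the sample hosts and the addresses (RFC 5737 documentation ranges) are all constructed; the minimum retry delay is the usual greylisting rule and not something the post specifies.

```python
"""Greylisting with two expiry windows, as proposed above.

Added example (not the post's own greylisting code).  Timeouts and the
sample hosts are constructed; addresses come from the RFC 5737
documentation ranges."""
from datetime import datetime, timedelta


class Greylist:
    """A (client IP, sender, recipient) triplet is temporarily rejected the
    first time it is seen.  A retry after min_delay is accepted and the
    triplet is marked as passed, remembered for pass_timeout.  A triplet that
    never retried successfully is forgotten after unseen_timeout measured from
    its first appearance.  Classic greylisting is the special case
    unseen_timeout == pass_timeout."""

    def __init__(self, min_delay, unseen_timeout, pass_timeout):
        self.min_delay = min_delay
        self.unseen_timeout = unseen_timeout
        self.pass_timeout = pass_timeout
        self.entries = {}   # triplet -> {"first_seen", "last_seen", "passed"}

    def _expire(self, now):
        for key, entry in list(self.entries.items()):
            if entry["passed"]:
                stale = now - entry["last_seen"] > self.pass_timeout
            else:
                stale = now - entry["first_seen"] > self.unseen_timeout
            if stale:
                del self.entries[key]

    def check(self, client_ip, sender, recipient, now):
        """Return "accept" or "tempfail" (an SMTP 4xx asking for a retry)."""
        self._expire(now)
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = {"first_seen": now, "last_seen": now, "passed": False}
            return "tempfail"
        entry["last_seen"] = now
        if entry["passed"] or now - entry["first_seen"] >= self.min_delay:
            entry["passed"] = True
            return "accept"
        return "tempfail"    # retried too soon


def scenario(greylist):
    """Constructed traffic: a real MTA that retries after 15 minutes and comes
    back three days later, and a spam host that tries once and again two days
    later without ever retrying properly."""
    t0 = datetime(2004, 8, 8, 12, 0)
    legit = [greylist.check("192.0.2.10", "alice@example.org", "harald@example.net", t0 + d)
             for d in (timedelta(0), timedelta(minutes=15), timedelta(days=3))]
    spam = [greylist.check("198.51.100.7", "promo@example.com", "harald@example.net", t0 + d)
            for d in (timedelta(0), timedelta(days=2))]
    return legit, spam


def compare():
    """Run the same traffic through classic and two-timeout configurations."""
    classic = Greylist(min_delay=timedelta(minutes=5),
                       unseen_timeout=timedelta(days=30), pass_timeout=timedelta(days=30))
    proposed = Greylist(min_delay=timedelta(minutes=5),
                        unseen_timeout=timedelta(hours=4), pass_timeout=timedelta(days=30))
    return {"classic": scenario(classic), "two_timeouts": scenario(proposed)}


if __name__ == "__main__":
    for name, (legit, spam) in compare().items():
        print(name, "legit:", legit, "spam:", spam)
```

The classic configuration lets the infrequent spam host through on its second visit two days later, exactly the leak described above, while the short timeout for never-retried triplets makes that second visit look like a first one again; the legitimate sender is unaffected in both cases because it retried within the window.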

posted at 12:18 pm on Sunday, August 08, 2004 in Security, Site News | Comments Off on greylist results revisited

The fridge arrived!

fridge picture

My “New Refrigerator”: arrived at about 8:30 on Saturday morning. We took out all of the packing materials, hooked up the water and electricity supplies, and plugged it in. It is a thing of beauty :-)

It took about 3 hours for the freezer temperature to drop to -15°C and a few hours longer for the fridge compartment to cool to about 2.5°C. I went out last night and loaded up on fresh food again; now we have a fridge that looks just like the pictures you see in the advertisements…

posted at 12:09 pm on Sunday, August 08, 2004 in Personal | Comments Off on The fridge arrived!


Baby teeth are weird. They seem to take forever to get slowly looser, looser; then suddenly, wham!

I guess she’s officially a big girl now; two 6-year molars _and_ her first visit from the tooth fairy :-)

posted at 11:24 pm on Tuesday, August 03, 2004 in Personal | Comments Off on Teeth


I don’t understand how the “exact”: “same”: fridge can sell for $600 more (almost 40%) with a different _door_. Although I do understand how the same fridge can sell for two different prices, $400 apart, depending on the sticker on the door (Kenmore vs. Whirlpool, in this case :-).

Anyway, we’ve purchased the replacement fridge. I turned the old one off, just in case it decides to catch fire or something useless like that. I took the doors off and cleaned it out, so that it wouldn’t start to smell bad (because the new fridge doesn’t arrive until _Saturday_…).

posted at 4:02 pm on Tuesday, August 03, 2004 in Personal | Comments (2)
  1. Jeff K says:

    The dimensions and Energuide (about $3/year diff.) rating are slightly different. Also $1899-1599 = $300 and you get clear shelves, a wine bin and “ice in the door” and 1 less shelf for your $300. Anyway, the real answer is “don’t pay retail, they just want to catch you in a time of need”.
    For just about anything big I buy now I present an ad from someone else and they either say “You should buy it there”, or “We can beat it by 10%”. I would start with Homeshow, Tasco and Goodmans(sp?) before I would venture to the Brick, Leons or Sears. Actually, they all have their niche, I guess (and in fact, Homeshow *is* the Brick… they just have a fantastically huge warehouse I like to poke around in). I’m starting to think Best Buy might be a good place to pop into as well. That said, I think I just don’t go to the local Brick, Leons or Sears because the ones near me are small, there’s a huge Leons in Whitby.

  2. Harald says:

    The dimensions are different because the curved doors are taller (they stick up above the main body of the fridge). I dunno why the Energuide numbers are different, but there was one side effect; the lower number (barely) qualifies us for a current government efficiency rebate of about $128.

    We were in a hurry, and didn’t have time to shop around extensively. After looking at several online offerings, Sears had the best price/performance ratio for the stuff we wanted :-)

Mom brought Google to its knees

Mom brought Google to its knees (via “”:

bq. Fortunately for the internet, my mom’s on dialup. But unfortunately for the internet, your mom has cable. And your mom is just as obstinately ignorant as my mom. You might as well try to convince them to change their own oil as to keep their computers maintained.

In short: trying to teach Mom about computer security is a lost cause. Which leads to the obvious conclusion; we’re not going to fix the problem until we don’t have to teach Mom about computer security…

posted at 12:00 pm on Monday, August 02, 2004 in Security | Comments Off on Mom brought Google to its knees