PowerbookG5

Technical — 29 April 2005, 11:57

I was surfing a bit to see if there are any rumours on the release of G5 powerbooks, when I found the image of the prototype.

This picture does not show the fans mounted on the left side of the machine, nor the external battery backpack.


WFH

General — 28 April 2005, 17:09

Finally a site dedicated to "Willem Frederik Hermans", 10 years after his death.

Next year a start will be made with the publication of his complete works.

For those that do not read Dutch, I am sad to see that a query on Amazon and Barnes & Noble (.com) does not provide any translations of his work.

I guess y'all need to learn Dutch.


::MythBusters

General — 27 April 2005, 15:04

Discovery channel has a show called MythBusters. Given the numerous pyrotechnic experiments involved I started referring to this show as "Jackass for Scientists".

Here is an idea for a show:

Jammy H. uses Steve O.

Every time a dummy is used for an experiment by the MythBusters we call upon the help of Steve O. That would make great TV.


Math Student Project.

Music — 26 April 2005, 14:57

Hi Math student. Happy you googled this way on your quest for a topic to write your statistics paper on.

Here is the problem, it's a real-life problem, one that hurts about 10 million owners of an iPod.

Random is not perceived to be random.

Many of us consumadrin loaded individuals bought an iPod to enjoy a different song every day. But my iPod has a preference for Johnny Cash and Denis Leary. In a Newsweek article Steven Levy wrote that his iPod favoured Steely Dan. He also tried to do a little research on the randomness of the iPod and actually interviewed Temple University prof John Allen Paulos who claimed:

"It's entirely possible that nothing at all is amiss with the shuffle function. It's quite common for random processes (like coin tosses) to get unlikely results here and there, like runs of six heads in a row. Over a very long time, it evens out, but it's hard for us to envision that." "We often interpret and impose patterns on random processes."

I do not buy that.

I want statistical evidence that the birthday paradox is at work here... I want evidence that I can or can not use my iPod as a casino device. I promise access to my iPod backup to the first student who provides me the paper that proves that the iPod is not random...

And now I'll delete Leary and Cash. I'm sick of them.


Flying Cow Cartoon

General — 22 April 2005, 15:33

I used to draw a lot.

When I was at university I illustrated a student paper and made cartoons and illustrations for several publications. Those days are over. The drawing material is not within reach and for some reason what used to be a satisfying hobby is not even an activity any longer.

I still have the web pages that I constructed back in 1994 (over 10 years ago!) and never updated since, and that contain a couple of logos and cartoons.

The page with the cartoons contains a little poem that I picked up from a bathroom door in a cafe and the cartoon that was inspired by that poem.

Birdie birdie in the sky
you dropped something
in my eye.

But I don't weep
nor do I cry
I'm just glad that cows
don't fly

The other day I received a mail from an artist from the Workhouse who stumbled upon this picture and wanted to use it for the creation of a postcard. I'm easy and cheap. The only thing I ask when people use my cartoons is a copy of the thing they use it for. This artist used it for a postcard and this morning I received 'the product' in my surface mail box.


I really appreciate the way they used the cartoon.


(Oh.... by the way.. if you ever need a cartoon... contact me)


I'm not going to be a statistic...

General — 20 April 2005, 11:50

In his "Burning Apple" story Triv wrote:

I ran downstairs to get the fire extinguisher. You do have one right? Don't be a statistic!

I did not have one. Now I do. I also decided I will buy a smoke detector.


Name based virtual hosting and SSL

Technical — 20 April 2005, 11:27

I have one server that goes by the hostname of "bert.secret-wg.org". It has other identities too; "www.trend-watcher.org" and "www.net-dns.org" are examples.


The Apache documentation claims that name-based virtual hosting and SSL can not work:

Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.

Fortunately there is a hack that works. There is an X509 extension called subjectAltName that can be used to create one certificate that can be used for the many identities that your server uses.

There are a couple of things that I stumbled upon that might be nice to know if you try to set this up yourself.


Browser compatibility

In order to be compatible with Firefox you will need to specify the hostname in your subject's common name (CN), but you will also need to specify your hostname in the set of subjectAltNames.

Certificate Signing Request

In order to have your "CSR" carry all the subject altnames you need, you will need to hack your openssl.conf file.

What follows are the relevant portions of the openssl.conf. First the [req] section, which refers to the "req_distinguished_name" section:

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

Here is the "req_distinguished_name" section. For each subjectAltName you want to use you will have to add two lines to the conf file.

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Holland
localityName = Locality Name (eg, city)
localityName_default = Amsterdam
0.organizationName = Organization Name (eg, company)
0.organizationName_default = The Secret Working Group
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Web Server

commonName = Common Name (eg, YOUR name)
commonName_default = bert.secret-wg.org
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = olaf@dacht.net
0.subjectAltName = Subject altname
0.subjectAltName_default = DNS:www.net-dns.org
1.subjectAltName = Subject altname
1.subjectAltName_default = DNS:www.secret-wg.org
2.subjectAltName = Subject altname
2.subjectAltName_default = DNS:www.trend-watcher.org
3.subjectAltName = Subject altname
3.subjectAltName_default = DNS:bert.secret-wg.org

Once you have this in place you run openssl:

openssl req -config special.conf -new -key private.key -out certificat_sign_request.crs

It is this beast that you want to get signed by your certificate authority, which gets us to the next problem.

CA does not copy SubjectAltName

There is a feature (bug) in openssl. Even if your "copy_extensions" directive in the openssl.conf file reads "copyall" the CA fails to copy the subjectAltNames. You will have to configure the subjectAltNames that need to appear in the signed certificate into your openssl.conf, otherwise they will be stripped.

So in your CA's openssl.conf you will have to put somewhere in the '[usr_cert]' section:

subjectAltName=DNS:www.net-dns.org,DNS:www.secret-wg.org,DNS:www.trend-watcher.org,DNS:bert.secret-wg.org

Of course you should not forget to remove this line once you have signed the certificate.

In theory you can of course skip hacking the openssl configuration for the certificate signing request and just have the CA introduce the subjectAltNames; that is what is effectively being done now. But remember, setting the subjectAltNames by the CA is a workaround that should not be needed in the future.
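
An alternative to the workaround above, as an added example that is not part of the original post: request the names as an X509v3 extension through "req_extensions" and let a throwaway CA carry them over with "copy_extensions = copy". It assumes a current OpenSSL on the PATH; the file names, the "demo_ca" section and the temporary directory are made up for the demo, and the host names are the ones used in this post.

```shell
# Constructed demo (not from the post): throwaway CA plus one multi-name cert.
# File names, the demo_ca section and the temp directory are assumptions.
SANS="DNS:bert.secret-wg.org,DNS:www.net-dns.org,DNS:www.secret-wg.org,DNS:www.trend-watcher.org"

make_san_cert() {
    d=$(mktemp -d) || return 1
    # CSR config: req_extensions puts the names into an X509v3 extension.
    cat > "$d/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = bert.secret-wg.org
[ v3_req ]
subjectAltName = $SANS
EOF
    # CA config: copy_extensions = copy carries requested extensions into the cert.
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
    : > "$d/index.txt"; echo 01 > "$d/serial"
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/req.cnf" \
            -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" &&
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -keyout "$d/server.key" -out "$d/server.csr" &&
        openssl ca -batch -notext -config "$d/ca.cnf" -cert "$d/ca.pem" \
            -keyfile "$d/ca.key" -in "$d/server.csr" -out "$d/server.pem"
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

# List the DNS names in a certificate's subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

With "copy_extensions = copy" the CA signs whatever names the request asks for, so inspect the CSR (openssl req -in server.csr -noout -text) before signing it.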

Apache Configuration

The Apache configuration is trivial. For each virtual name you will have to set up a virtual host on port 80 as well as on port 443.

<VirtualHost 192.168.0.1:80>
ServerName www.net-dns.org
# (... the usual cruft ...)
</VirtualHost>


<VirtualHost 192.168.0.1:443>
ServerName www.net-dns.org
# (... exactly the same usual cruft ...)
# use exactly the same SSL key and CERT for each of the virtual SSL servers
SSLCertificateFile /usr/local/certs/bert.secret-wg.org-http.pem
SSLCertificateKeyFile /usr/local/certs/bert.secret-wg.org-http.key

</VirtualHost>

So now I can securely set up a connection without all the warning boxes. That is, as long as the proper CA root certificate has been loaded into my browser.


I want a cheesy puff

General — 7 April 2005, 20:39

I never, in my wildest imagination, figured how Stan and Eric would look in a manga. http://www.geocities.com/proxectolipe/southpark features a couple of images.

Now I did try to imagine what Kyle, Stan, Eric and Kenny would be doing as adults. My guess would be loitering chain-smokers and alcoholics... (on the other hand Kenny might not live to be 26).


Plog Templates are cool

Technical — 6 April 2005, 23:34

I have not yet started to get my finger behind Plog's plugins --- this evening's project was not Blog but Mail. I finally got around to having my home-gateway talk SASL/TLS to my main server that acts as a relayhost so that all my mail leaves from one server. --- but the templates structure is cool enough in itself. It's one of those appealing little features of the plog architecture.

The AmIAScreenSaverOrNot screensaver is a funny screensaver and a very nice hack. It just grabs pics from http://www.hotornot.com and displays them, one by one. While trying to figure out how that hack worked I noticed that HotorNot has an RSS feed nowadays. That makes hacking up a template that shows the latest 10 girls on HotorNot a trivial exercise.

The result can be found at http://www.trend-watcher.org/static/ladies.


The core of the template only counts a few lines:

{include file="trend-watcher/header.template"}
{if $rss->parse("http://services.hotornot.com/rss/girls/")}
{assign var=channel value=$rss->getChannel()}
<a href="{$channel->getLink()}">{$channel->getTitle()}</a>

{$channel->getDescription()}
{foreach name=articles from=$rss->getItems() item=rssItem}
{* iteration starts at 1, so <= 10 shows the first ten items *}
{if ($smarty.foreach.articles.iteration <= 10)}
<a href="{$rssItem->getLink()}">{$rssItem->getTitle()}</a>
{$rssItem->getDescription()}
{/if}
{/foreach}
{/if}

{include file="trend-watcher/panel.template"}
{include file="trend-watcher/footer.template"}


Public Knowledge

General — 5 April 2005, 17:34

Today I made an announcement on our internal mailing list. I told my colleagues that I walked into an irresistible opportunity and that I will be leaving the organization.

It is the sort of announcement over which you should be happy but which brings you mixed feelings. Perhaps because I still feel part of a very good team.

Anyway, the dice has rolled (*). It is now public knowledge that I'll be joining NLnet Labs as of September 1 with the intent to take over responsibilities as a director per January 1, 2006.

But I am not gone yet. I still have things to do and projects to finish. So although I announced that I'll be going, I'm not ready to leave yet.

* that's the second time today I use that term.


Upgraded to Plog 1.0

Technical — 3 April 2005, 21:40

I just upgraded this blog from plog 0.3 to version 1.0. The upgrade procedure works like a charm and the admin interface and the xmlrpc are improved. It's worth the step and it's worth not waiting for the FreeBSD port to be available.


Music for today

Music — 3 April 2005, 09:53

The events in Rome made me dig up a little avant-garde masterpiece from my vinyl collection.

Blessed Easter Track 2 from "Rome Remains Rome" by Holger Czukay (1987) (also available on Amazon)

The credits on the cover read: We were blessed by the appearance of his holyness popestar Woytyla and is swining nuns during the easter ceremonies.




Cock

Music — 2 April 2005, 17:16
3 Songs that start with the cry of a cock.

  • The Beatles, Good Morning Good Morning from Sgt. Pepper's Lonely Hearts Club Band.
  • Tom Waits, I'll Be Gone from Frank's Wild Years.
  • William S. Burroughs (and the Disposable Heroes of Hiphoprisy), Words of Advice for Young People from Spare Ass Annie and Other Tales

Are there more?



April 1 RFC does not fly....

General — 1 April 2005, 09:00

Earlier I wrote that Bert submitted an April 1 RFC. Unfortunately it will not be published. The reason given is its length, and I must admit it was somewhat bulky. Below is the response from the RFC Editor. I obfuscated parts of the mail so that the members of the Secret Working Groups are not disclosed and we still have a possibility to publish the idea in a condensed form somewhere else.

From: RFC Editor
To: "Bert's Secretariat"
Cc: *****, *****, RFC Editor
Subject: Re: April 1 Submission: draft-bert-****-****-00
Date: Wed, 30 Mar 2005 17:03:24 -0800
User-Agent: Mutt/1.4.1i

Authors,

We feel that this is too large and ponderous to fit into the
mold of April 1 RFCs. We do appreciate the satire on ******
****, but publication as an RFC does not seem like the
right venue for this. For one thing, it would be hard to
justify the resources for publishing a 36 page April 1 RFC.

Thank you for your submission.

RFC Editor

