November 2005 Archives

This afternoon I signed up to a new web-based application from a very well-known media company. I gave them my email address and the password that I wanted to use and a few minutes later I got an email from them confirming my registration.

That was fine. But then I noticed that the email from them contained the name of their site, my username and my password. All in plain text. This is a breach of basic internet security processes. And thinking about it, I've seen several similar breaches recently. So I thought it was worthwhile making a note of some of the rules you should be following when handling users' passwords on web sites and in emails. A sort of "Password Handling 101".

Rule 1: Don't Store Plaintext Passwords

This is the fundamental principle that all the other rules follow from. It is non-negotiable. If I give you a password to use on your web site then I should be the only person who knows it. I don't want it stored unencrypted in your database so that any of your staff can look it up.

"But," you say, "if it's encrypted, how can we check it against the password you give us when you log in?"

"Easy," I reply, "you do it the same way that Unix passwords have been checked for decades."

You store the password using some encryption algorithm. The stronger the better. Then when I give you a password for you to check, you encrypt the new password using the same algorithm and compare it against the encrypted version in your database. If the two encrypted strings match then I've given you the correct password and you can log me in. Simple, isn't it?

"But," you say, "if it's encrypted, how can we tell you what it is if you forget it?"

"Simple," I reply, "you don't."

If I forget my password then you have two options. Option one is that you generate me a new password, email it to my registered email address (but see rule 2 below) and store an encrypted version of the new password in your database. Option two is that you send (to my registered email address) a link to a web page where I can enter a new password. This link should obviously be time-limited (so I can only use it for a few hours) and should contain some encrypted key so that no-one can guess what the link is. The second option is less secure as anyone can intercept the email and get access to the link, so the first option should be preferred.
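A sketch of Rule 1 and of the time-limited reset link, added here as an example and not code from the original post. It takes the "encrypted" stored form to be a salted one-way hash (PBKDF2 from Python's standard library), in the spirit of the Unix scheme mentioned above; the iteration count, the record format and the `ResetTokenStore` name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this example, not values from the post.
PBKDF2_ITERATIONS = 600_000
RESET_TTL_SECONDS = 3 * 60 * 60  # "a few hours"


def hash_password(password: str) -> str:
    """Return the string to store in the database instead of the password."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same algorithm on the login attempt and compare the results."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


class ResetTokenStore:
    """Time-limited, single-use, unguessable keys for password reset links."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        # Only a hash of each token is kept, so a leaked table cannot be
        # replayed as working reset links.
        self._pending = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Create the key that goes into the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the username if the key is valid, unexpired and unused."""
        entry = self._pending.pop(self._key(token), None)  # single use
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


if __name__ == "__main__":
    # Constructed sample data.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("good login:", verify_password("correct horse battery staple", record))
    print("bad login:", verify_password("letmein", record))

    resets = ResetTokenStore()
    key = resets.issue("dave")
    print("first use:", resets.redeem(key))
    print("second use:", resets.redeem(key))
```
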

Rule 2: Username and Password Travel Separately

The problem with internet email is that (unless you use something like GPG) everything is in plain text and anyone can intercept it and read it. It's like you are sending every letter on a postcard rather than in an envelope. For this reason you should never put the username and the password in the same email. The forgotten password scenario above should be the only reason why you ever send a password to a user in an email. So don't put the username in that email as well.

Rule 3: Web Pages with Passwords Should Use HTTPS

Like email, by default, all web traffic is unencrypted. Anyone can potentially read anything that you send to a web site. So when I log on to your site and I enter my username and password, anyone can potentially intercept those values and that will enable them to log on to your site as me. If you serve login pages using HTTPS instead of just HTTP then that login transaction will be encrypted all the time the data is on the public internet and it will be much harder for anyone to extract my login details.


Three simple rules that every web site should be following. And it's surprising (or, at least, it surprises me) how many sites don't follow these basic rules. Following these rules won't make your site impervious to people determined to break into it, but it will go a long way to making your users' accounts more secure.

I was going to name and shame the site that I dealt with this afternoon, but I wrote them a polite email explaining the problems and in less than 45 minutes I got a reply saying that these problems had already been noted and that they should be fixed by the end of the week. That's pretty good customer service so I won't embarrass them by telling everyone who they are.

Templating Systems


I've been thinking about templating systems a lot recently. By templating systems I mean technologies that allow you to mix some data with some fixed text to produce some kind of output. One obvious use is in creating dynamic web pages where, for example, you would create a row in a table for each item that you pulled out of a database table. Templating systems form the view component (the 'V' in 'MVC') of many web frameworks.

There seem to be two schools of thought on templates. Some people think that the best language to use for templates is the same language that you use for the rest of the system. This is the approach taken by Ruby on Rails, where your templates will contain a lot of Ruby code. Other people, and I'm one of them, think that it's better if your templating language is completely different from the rest of the system. We believe that presentation logic is (or, at least, should be) much simpler than the rest of your code and that using a deliberately simplified language forces you to separate your business logic from your presentation logic and that leads to cleaner systems. Also, it's often the case that templates are written by a different set of people than the rest of the system and you shouldn't really require the template developers to be experts in the programming language that is used for the rest of the system.

It seems that this separate language approach is starting to catch on. Perl has the Template Toolkit which has its own presentation language. PHP now has a separate templating language called Smarty. Django (a web framework written in Python) uses a similar approach. And even Ruby on Rails has just gained a new separate templating language called Liquid.

But that's not all. As I noted when I wrote about the recent web frameworks night, all of these templating languages look very similar. And that's what got me thinking.

Consider the (common) case where the templates are written by a different team of people to the backend code. We've already established that this team shouldn't need to know whatever programming language the rest of the system is written in. If we assume that this is a web-based system then those people will already be experts in HTML, XHTML, CSS and JavaScript. There's really no reason for them to be experts in Perl, Python or Ruby as well.

But the way things are currently they might not need to know Perl, Python or Ruby, but they do need to know whatever templating system is being used. So the choice of backend language is affecting what the frontend developers are using. And that seems wrong to me. Given that many of the templating languages seem to be converging on a similar syntax, isn't it worth giving them that extra push so they just become the same language? That way, frontend developers can just become experts in "templating" and it doesn't matter to them what language is being used at the backend.

We don't expect frontend developers to use a different type of HTML because the backend is written in a different language. Surely it's a bit weird to expect them to use a different templating language.

Oh, I realise there would be a lot of work to do. Working out a "best of breed" syntax across all the existing templating systems would be difficult. And then you need to work out how each individual programming language would interface with the templates. But isn't it something at least worth investigating?

Someone posted to Digg a link to this story on the BBC about the excuses that people give for being caught without a TV licence. This led to a huge discussion along the lines of "d00d, they pay for TV over there - that's teh suck!".

A few brave souls have tried to explain the BBC's funding arrangements and how the licence fee is a small price to pay given the generally high quality of BBC programmes and the fact that we get to watch them without adverts, but this has largely fallen on deaf ears. I think my favourite comment was the one that said:

So if british TV has no commercials, when do people go to the bathroom, and get snacks while watching TV?

Social Dilemmas


It's always the same isn't it? You wait all year for a decent geek night out and then two come along at once.

So where shall I go on December 12th?

London 2.0 or the Backstage meet-up.

Decisions, decisions...

Unreliable Authors


Have you ever been reading something that you are enjoying when suddenly you come across something which is so stupid that you lose all confidence in the author and can no longer take anything they write seriously?

It happened to me this morning as I was reading the introduction to Open Source 2.0. In the middle of a perfectly sensible piece introducing some of the ideas behind Open Source I came across this nonsense.

Outside the United States, people find it odd that we use the same word, "free", to mean two very different things "with no cost" or "liberated".

"Outside the United States"? Does that sound a bit strange to you? Can anyone think of anywhere outside the United States where they might understand the two meanings of "free"? Like perhaps anywhere that speaks English! There is more to the English speaking world than just the USA.

Then they compounded their error a couple of pages later when they claimed that Larry Wall has led the Perl community for "more than 20 years". The first version of Perl was released in 1987. Don't these people check facts?

Luckily this was just the introduction which was written by the book's editors. Most of the book is essays written by other people. If that wasn't the case I don't think I could read the rest of the book.

Oh, I've just seen that the introduction is online. The "outside the US" bit is on page XXXVI and the Larry Wall bit is on page XXXVIII.

Dixonsvision


A new word for the 21st century.

Many people now own widescreen TVs. Most new TV programmes are made in widescreen. However TV stations still like to broadcast some older programmes that were made before programmes were made in widescreen. This gives you two options. You can either watch the programme in the correct aspect ratio with black bars down each side. Or you can insist on the whole widescreen area being filled by stretching the image sideways so that everyone looks five stone fatter than they really are. In my opinion this distorted monstrosity is unwatchable, but maybe I'm just too fussy.

This second option is Dixonsvision - because that's how all TVs seem to be configured in every Dixons shop.

Hear From Your MP


The latest site from those nice people at My Society is called Hear From Your MP. The idea is simple (like most good ones) - you give them your name, email address and postcode and they add you to a list of people interested in hearing from your local MP. When they get twenty names on that list they send an email to the MP saying "twenty of your constituents are interested in hearing what you are doing". That email is repeated when higher targets are hit. You can read more of the details here. You can also see which MPs have responded.

It's all part of My Society's ongoing campaign to use the internet to make MPs more accountable to their constituents. Which has to be a good thing.

A couple of interesting books on Open Source Software that I've read recently.

Karl Fogel's Producing Open Source Software should be essential reading for anyone involved in an Open Source project (or planning to get involved in an Open Source project). Fogel has been an important contributor to a number of major Open Source projects and this book distills his experience into three hundred really useful pages. It covers everything from the technical infrastructure that a project needs to the politics of working with a team of volunteer developers. The whole text is also available online but you should really support the author by buying a copy.

Then there is Dan Woods and Gautam Guliani's Open Source for the Enterprise. This book looks at ways that companies can make more use of Open Source Software. The main premise of the book is that the major difference between Open Source and proprietary software is in the level of "productionisation" (horrible word, but I can't think of anything better). The authors think that most proprietary software is easier for people to use as it has better installation mechanisms and more detailed user documentation. Comparing successful end-user Open Source projects like Firefox and OpenOffice with their proprietary rivals Internet Explorer and Office, I don't think that this is a completely convincing argument, but it's certainly an interesting viewpoint and the book is well worth reading.

So last night was the Web Frameworks Night. A great time was had by all. Many thanks to the organisers.

We had talks on three frameworks - Catalyst, Django and Ruby on Rails. My overwhelming impression was how similar all three frameworks are. There really seems to be little to differentiate them.

As always the Perl community shot itself in the foot a bit. I know that Catalyst is a great framework and I know that Matt Trout knows a lot about Catalyst. Unfortunately he doesn't know enough about how to sell Catalyst in a presentation. As a result his talk had a lot of slides full of code which would have been almost impenetrable to anyone who didn't already know Perl. He also failed to give any demos of Catalyst in action. But I thought his biggest mistake was to overlook the one area where Catalyst scores heavily over the other frameworks - the ORM tools that Catalyst uses are much more powerful than the ones used by the other frameworks. For example, with Class::DBI::Loader you can automatically pull the relationships between your tables out of the database.

Django looked interesting. In particular the default admin screens that it creates had everyone in the audience going "oooh". Django templates use a language that looks a lot like the Template Toolkit, but apparently they are based on the PHP templating system Smarty - so it must have been them that borrowed the ideas from TT.

Then there was Rails. I don't really think anyone in the audience was there to find out about Rails. It's been getting quite enough publicity recently so I think everyone has at least a basic knowledge of how it worked. I think most people were there for a first look at the BBC programme catalogue that Matt Biddulph is building. And it didn't disappoint. It looked lovely. I foresee a few wasted days when that is released next year. Oh, and it was nice to hear that some Rails programmers are moving away from the idea of using embedded Ruby as their templating language. A new templating language called Liquid has just been released. This is based on the Django templating language (which is based on Smarty, which is based on TT).

So, to summarise.

  • All MVC web frameworks look very similar
  • Catalyst has the best ORM capabilities
  • Django has the best default admin templates
  • Rails has the mindshare
  • They are all starting to use templates that look like the Template Toolkit

Update: blech points out that I missed out Catalyst's big advantage. By building on Perl's existing DBI framework, it already comes with connectivity to far more database systems than any of the other frameworks.

Update: Here are links to all the presentation slides:

Bruce Tate's book Beyond Java has been published and there's quite a lot of publicity for it appearing on the web. For example this article by Chris Adamson on the OnJava site. In the article Adamson interviews a number of well-known Java programmers about the future of Java.

The replies seem pretty unanimous that Java's dominance is nearing its end. They seem to think that Java has become too top-heavy and that it's becoming too complex to be usable. Oh, they all agree that it'll still be around for some time (much as COBOL was for many years) but it's surprising how many of them are looking closely at Ruby on Rails.

As someone who has never been a big fan of Java and who has always preferred the freedom of "dynamic languages", it's interesting to see so many respected Java programmers coming round to my way of thinking. The advantages of Ruby that they talk about are exactly the advantages that you'd get from any dynamic language. Sure, we get the same old tired nonsense about how Perl encourages untidy code but all in all it's all starting to look like a good time to be a programmer specialising in dynamic languages.

Now, if only we can start marketing Catalyst as well as the Ruby on Rails people market their framework.

The New Commentariat


There's an interesting piece in today's Guardian about the British political blogging scene. They interview eight people who they consider major political bloggers from the UK. Nice to see that it's in G2 (the cover story no less) and not the technology section.

Of course the downside is that I didn't already have all of those blogs on my blogroll - so I'll have to add them...

Spying on You


In the interests of full disclosure, I should point out that I've started spying on you all. A couple of days ago I added Google Analytics tracking code to a few sites I run, including this one.

So now I can look at loads of pretty graphs telling me who you are, where you are, what pages you read and how long you spend here.

It's all very interesting. If you have your own site you might find it useful to sign up.

The London Web Frameworks night has proved to be very popular. So popular, in fact, that the organisers have had to change venue. It will now take place in the New Cavendish Street campus of Westminster University. See Dean's post for more details.

This means that signup has been re-opened for the time being. But places are still going fast, so sign up now if you're interested.

Should be a good night. Say hello if you're there.

Oh look. Evidence that people are actually reading this site. A piece from last week was mentioned in the latest Britblog Roundup.

The Sun Tells Lies


[Image: The Sun, Tue 8th Nov 2005]

And while we're talking about The Sun, take a look at this picture. It's the front page of The Sun from Tuesday of this week. The man in the picture is John Tulloch. He was one of the survivors of the 7th July London bombings. The front page is obviously composed in order to make you think that he wants the readers to "tell Tony he's right".

Except that isn't Mr Tulloch's view at all. What he actually thinks is

This is using my image to push through draconian and utterly unnecessary terrorism legislation. It's incredibly ironic that the Sun's rhetoric is as the voice of the people yet they don't actually ask the people involved, the victims, what they think. If you want to use my image, the words coming out of my mouth would be, 'Not in my name, Tony'. I haven't read anything or seen anything in the past few months to convince me these laws are necessary

And he's furious with The Sun for abusing his image in this way.

Today's Guardian has his story. You should read it.

"Traitors"


The Sun is at its most vitriolic this morning, labelling the MPs who defeated the government as "traitors" on its front page. It goes on to claim that they ignored the wishes of the vast majority of Britons and humiliated Tony Blair.

In a bizarre piece of reporting, it also says that "the limit was slashed to just 28 days". Did you see that? "Slashed"! Since when was "slashed" a synonym for "doubled"?

So if you are lucky enough to have an MP who voted against 90 days yesterday then please take the time to thank them. The Sun names (and shames!) them, but if you can't bring yourself to look at that nasty rag, then there's a complete list over on Bloggerheads. Use WriteToThem.com to get in touch.

I'd love to be able to thank my MP, but Martin Linton seems to have forgotten how small his majority is...

On Further Reflection


Let's look at it another way. Yes, we saw Tony Blair defeated for the first time. But they've managed to push through a doubling of the time that a suspect can be held without charge. That's still pretty disgusting. Are there any "democratic" countries with a longer period?

If I was feeling paranoid, I might imagine a conversation taking place along these lines a few months ago...

Ian Blair: We think we might want to increase the amount of time we can hold them without charging them.

Tony Blair: What do you want it to be?

Ian Blair: 28 days.

Tony Blair: 28 days! Bloody hell, that's doubling it. The civil liberties crowd will never go for that.

Ian Blair: So we can't have it?

Tony Blair: I didn't say that. But we'd need to be a bit sneaky. What if we said we were trying to increase it to a completely unreasonable length of time that no sane person would support - and then presented 28 days as a compromise.

Ian Blair: How long would you ask for first?

Tony Blair: Well it would need to be completely over the top, maybe 90 days.

Ian Blair: 90 days! That's ridiculous. No-one would ever go for that.

Tony Blair: Precisely.

A Good Day


It's been a good day in politics. First I woke up to another email from that nice Charles Clarke about the Terrorism Bill. In it he said:

Finally, I would like to apologise for the questionnaire which was attached to the message that I sent out to party supporters on Friday. It was not intended to gauge public opinion but to start a political debate around the proposals currently being debated in Parliament. Many people have raised with me perfectly valid concerns about how the questions were drafted. I can only say that I share those concerns and give my assurance that questions of this type will not be used in the future.

Now if you looked too closely at that you'd read the bit that said "it was not intended to gauge public opinion" and compare and contrast with the original email which said "I am emailing you today to find out your views". You might even think that there was a bit of a contradiction there. But let's be generous and just assume he's been a bit busy over the last week and really doesn't have much of an idea about anything right now. I'm sure he'll get better once he's had a bit of a lie down.

But wouldn't it have been nice if any of the mainstream media had taken him to task over the questionnaire.

Anyway, that was just the first course. The day got better. Tony Blair was beaten on the 90-day clause. That looks good so I'll write it again...

TONY BLAIR WAS BEATEN ON THE 90-DAY CLAUSE!

Of course they've still managed to double (double!) the amount of time that you can be held without charge. And they've still passed the ridiculous "glorifying terrorism" clause. But it really made my day to hear that the 90-day clause had been defeated. The only thing that would have improved it would have been if the cameras had been focussed on Blair's face as the result was announced.

Terrorism Bill


Parliament will vote on the new Terrorism Bill this evening. If you want your MP to know how you feel on the issue then can I remind you of the very wonderful WriteToThem.com.

And if you think your MP is likely to be swayed by the ridiculous claims made in the populist press then you might like to point them at Tim Ireland's most excellent deconstruction of the claims in today's Sun.

And tell all of your friends.

So, to summarise:

  1. Use this facility to look up and contact your MP: http://www.writetothem.com/
  2. Tell them that 97% of Sun readers do not support Blair’s 90-day detention plan and/or send them this link: http://www.bloggerheads.com/archives/2005/11/the_sun_newspap.asp
  3. Publish steps 1, 2 and 3 on your own weblog (or send/post these details to your usual community/messageboard)

Update: Mark (in the comments) makes the excellent point that if you don't know which way your MP voted on the bill then you can always check at Public Whip.

I bet many MPs hate having their voting record so easily available to the unwashed masses.

Update: If you think that I've got no right to pontificate on the fight against terrorism, then maybe you'd rather listen to a survivor of the Kings Cross tube bomb.

Recording TV


At home we still record TV the old-fashioned way - using video recorders. It's all very 20th century and we should really think about updating our methods. Here are the things we're considering.

  • Buying a hard disk based system, something like a Tivo. You can't buy a new Tivo in the UK any more, but they are available on Ebay. Alternatively there are many similar systems now in the shops and the prices are falling to realistic levels. Many of them also contain a writable DVD drive.
  • Getting one of the hard disk based systems that you can currently get from digital TV providers. I think that the only one currently available is Sky+, but NTL (who provide my cable TV) have one in the pipeline. As I understand it the advantage here is that because the system is tightly coupled with your TV provider, it ties in with your EPG and allows you to record more than one channel simultaneously.
  • A home made hard disk system based on MythTV or something similar. That will almost certainly be more flexible than the previous two suggestions.

And then there's the idea that you don't need to record anything, because it's all available anyway. Some of these systems are still a few years away from being a good solution.

  • BitTorrent seems to be the current system of choice for sharing TV shows. Two potential problems with this, one larger and one smaller. The larger one is that not all programmes will always be available - tho' friends that use it tell me that it's rare not to find what they want. The smaller problem is that a lot of the available programmes come from the US, and fewer people seem to have widescreen TVs in the US - so a lot of the shows I've seen from BitTorrent aren't in widescreen - even when widescreen versions are available. But, like I said, not a huge problem.
  • Digital TV providers have started to make available various programmes as "video on demand". Telewest Teleport is a good example. HomeChoice has something similar. Again, you have the problem that not every programme will be available - but the selection can only get better.
  • Promise.tv is a homebrew version of a similar system. It just records everything broadcast by your TV provider, so you can watch whatever you want, whenever you want.
  • The BBC are starting to experiment with making programmes available for a week after the broadcast date. You can watch them using a program called iMP. If this is successful then it's likely that other broadcasters will also start doing this.

So there are plenty of options. I'm convinced that in five to ten years this will have become a non-issue as we'll just be able to download and watch any programme that we want whenever we want to watch it. But this situation is still a few years in the future so we need an interim solution which will probably be based around one of the hard disk systems. If anyone has any advice on which way we should go then I'd love to hear it. Or, if I've missed anything out, please let me know.

Hospital Again


I spent last night back in St George's Hospital. Yesterday evening I started getting a bad pain in my stomach. It got so bad that at about 11pm my wife called an ambulance and they took me to A&E (my first ride in an ambulance!)

Why do these things always happen at night? By the time I had got through triage and had been prodded and tested in various ways and had finally been given a bed for the night, it was almost 4am. Even then, I didn't get much sleep as the pain was too bad.

So it seems that it's a side effect of the sarcoidosis. Or, rather, a side effect of the treatment. My calcium levels are too high and they think this is causing a build-up of acid in my stomach. But they sent me home this morning with some pills that seem to make me feel a lot better.

All in all, not much fun.

A few days ago I mentioned in passing that I really wanted to see the series Dark Skies again. At the time I really had no reason to believe that I'd see it any time soon.

Now I see that ITV 4 are showing it starting from this coming Monday.

That's what I call service!

EuroOSCON on the BBC


This week's edition of the BBC programme Click Online contains a report about EuroOSCON. The transcript is here and the Real Audio stream is here. The programme is repeated a number of times on various BBC channels (mainly News 24) over the next couple of days.

It's the first report in the programme, but it's worth watching the introductory section that precedes it, just to hear presenter Stephen Cole's slightly patronising comments about Open Source. Oh, and the report describes the conference attendees as looking like the Hair Bear Bunch, but that seems to have been edited out of the transcript for some reason.

It's good of course that the BBC is covering the Open Source movement, but they still seem to think that we're a bit of a bunch of weirdos. Perhaps they should have looked at how much Open Source software they use internally before coming to that conclusion. Or maybe that's how they came to that conclusion...

Rigging the Poll


Obviously running a bit scared following their one vote win in the recent terrorism bill debate, the government have decided to ask us for our views on fighting terrorism.

Except, being "New Labour" they can't bring themselves to ask a straight question that might get an answer that they don't like. The key point in this debate is about changing the length of time a suspect can be held without being charged. Currently it's 14 days, but the government wants to extend that to a ridiculous 90 days.

So if they are interested in canvassing our opinion on this you might expect to see a question along the lines of "how long should police be allowed to hold a suspect without charging them?" Something like that would address the key issue here. But no. What does the Home Secretary ask? His question is:

Do you think police should have the time and opportunity to complete their investigations into suspected terrorists?

Bloody stupid question. Of course I want the police to have time to complete their investigations. But giving them three months to do it is taking the piss. Of course, opinions like those don't fit into the Labour Party's view of the world so we don't get a chance to say things like this.

Most of the other questions are just as biased.

In a few days, maybe a week or so, the Party will present the results of this "consultancy" and they'll be happy to report that everyone agrees with them. But only because no-one was given the chance to disagree.

Update: There was no way this was going to go unnoticed. More on the same subject from Chicken Yoghurt, Talk Politics, Consider Phlebas and (of course) Bloggerheads.

Nasty Pop-ups


Regular readers will know that I dislike pop-up ads on web sites. But I hate the new breed of pop-up ads that go to the effort of breaking through pop-up blockers and insist on showing me pop-ups even though I have explicitly said that I don't want to see them.

You'll also know that I have a soft spot for the Guardian web site as the nice people who run it generally like to do the right thing when it comes to the necessary evil of ads. Yes, they run pop-ups, but they are usually well behaved pop-ups that are blocked by Firefox.

So I was surprised and more than a little disappointed when I was browsing the site just now and a pop-up... er... popped up. It was an advert for HP, if anyone's interested in boycotting companies.

David Blunkett has resigned from the cabinet for the second time in twelve months.

You'd think that someone would learn a lesson somewhere along the line. Either he should learn to stop abusing positions of power or Blair should stop appointing him to them.

But no. I've no doubt he'll be back again within six months. How many "second chances" has Mandelson had now?

Update: A couple of comments on the Guardian story.

Mr Blunkett's second resignation from the cabinet in less than a year almost certainly ends his career in frontline politics.

I don't believe that for a second. As I said above, he'll be back within six months. Like nothing has happened. And when he is, I will link back to this post. And laugh.

Oh, and here's what that liar Tony Blair had to say on the matter

Mr Blair said Mr Blunkett left office "with no stain of impropriety against him whatsoever".

You know he might just scrape back an iota of respect if he actually came clean and admitted that Blunkett had done something wrong and that the resignation was the minimum punishment that should be expected. But no, he continues lying to defend his friend and in the process makes himself look as shifty as Blunkett.

Searching The Guardian


Looks like The Guardian have taken their new search engine out of beta and are now linking to it from the main site.

It all looks very nice.

Here's an interesting story from a Windows user who found a rootkit on his system. Further investigation revealed that it had been installed by Sony when he had played the digitally protected music on a CD he had bought (Get Right With The Man by Van Zant). Sony is apparently so concerned about protecting its copyright that it is happy to use the same techniques that crackers use to take control of unprotected computer systems. As the discussion on the story mentions, installing this kind of software without the user's permission almost certainly breaks the Computer Misuse Act.

Oh, and when he removed the offending software (which took a lot of work), his CD drive stopped working.

This nasty piece of software was written by a UK company called First 4 Internet.

Yet another reason not to buy copy-protected CDs.

Update: The BBC have picked up on this story.

Update: Sony have released a patch which allows users to "uncloak" this software. They say

This component is not malicious and does not compromise security.

It might be true that the software isn't malicious (just incredibly stupid), but it's certainly not true that it doesn't compromise security. Just look at the comments on the original article.

Most TV documentaries have been dumbed down to such an extent that they are often unwatchable. Programme makers seem to think that it's impossible to explain concepts to the viewer without flashy graphics or re-enactment of key scenes. And a lot of time is wasted telling us what we are about to see or what we have just seen, presumably on the assumption that viewers are incapable of holding anything but the simplest concepts in their head for more than a couple of minutes. It was therefore a joy to watch the first episode of Jonathan Miller's A Brief History of Disbelief yesterday. Miller starts by describing the standard tricks of modern documentary making as "vulgar" and promises not to use them.

True to his word, the programme then consists of Miller filmed in various locations talking about the history of atheism (and, more specifically, the history of his own atheism). Occasionally he is shown in conversation with other people who have interesting things to say on the topic and every once in a while Bernard Hill is shown reading quotations on the subject.

All in all it makes for one of the most fascinating hours of television that I've seen for some time. It was great to see a documentary that didn't treat me like an idiot. It's made by BBC Four (the BBC's "intellectual" channel) so perhaps that explains it, but it's good that it's getting a repeat showing on the more "mainstream" BBC Two.

If you have any interest at all in the subject then I strongly recommend that you watch the remaining two programmes (7pm, Monday nights). But even if you're not interested in the subject then you should watch at least one of the programmes to get an idea of how a good documentary should be made.

About this Archive

This page is an archive of entries from November 2005 listed from newest to oldest.
