08 Feb: Mozilla’s (alpha) Privacy Icons

At the end of 2010, I saw the “alpha release” of Mozilla’s privacy icons. As explained in that blog post, this was the culmination of efforts undertaken throughout the last year, including a workshop that was attended by some very smart folks.

In advising some students at UC Berkeley’s School of Information on their Master’s Final Project, KnowPrivacy, I spent a good bit of time thinking about privacy policies and we even created our own set of “privacy icons” to reflect some of the features of the privacy policies analyzed. (See the KnowPrivacy profile for Google, for an example.) This experience taught us that online privacy is a HARD policy issue. Designing useful, comprehensible privacy icons that might actually get used is just one really hard part of a really hard problem.

I preface my remarks with all that in order to make clear that what follows is not intended as criticism, but feedback, which Mozilla has solicited all along the way.

Which Distinctions Matter?

A difficult problem facing anyone seeking to make privacy icons is that you have to decide which distinctions you are going to illustrate, typically based on what distinctions you think do (or should) matter to the audience for those privacy icons.

I disagree with three choices the Mozilla team made about which distinctions to illustrate with their privacy icons.

  1. The Mozilla (alpha) privacy icons do not distinguish between the types of data collected.
    • This is a mistake because most users don’t care if a site collects data on which web browser they used (and whether the site keeps such information forever) but many users do care if a site collects their credit card number (or health records or …) and intends to retain it.
  2. The Mozilla (alpha) privacy icons’ distinction between your data being “given” to “advertisers” or not is too coarse-grained.
    • The KnowPrivacy researchers found that many sites do not “give” information to anyone, but many popular websites allow third parties to place collection webbugs right there on the site’s home page. Privacy policies exploit this distinction to hide the fact that your information is leaking. While Mozilla’s explanation of this icon group seems to take this into account, there is no reason to expect that most users will understand this.
    • The KnowPrivacy researchers also found that most popular sites share with “affiliates”, some share with “contractors”, some share with “advertisers” and some share with third parties generally. The icon group only references “advertisers” and a finer-grained set of distinctions might encourage greater transparency about these different sorts of sharing.
  3. The Mozilla (alpha) privacy icons’ distinction between your data being sold or given away is not typically a distinction that users do (or should) care about.
    • Users just want to know who has or might get their data and don’t really care what the monetary terms of the deal were when their data was given/sold to another party.

Stylistically, one thing I really like in the alpha release is the length-of-time icons for indicating how long a user’s data is kept. However, the KnowPrivacy researchers found that most popular websites do not disclose the length of retention, so one can assume that, at present, only the infinite icon would get much use. Still, perhaps these retention icons would be a sort of public shaming that might encourage sites to select a data retention period and disclose it.

Finally, I don’t mean to suggest that the Mozilla team should have just adopted the KnowPrivacy icons and called it a day. The KnowPrivacy icons were intended for an audience visiting the KnowPrivacy website, i.e., a user that is engaged in comparing and contrasting the policies of the most-visited websites. Mozilla’s use case is different and almost certainly requires a different set of icons to serve their purposes. However, my points above are intended to suggest that even for their purposes, Mozilla should strive to capture a different set of distinctions in the beta release.

04 Feb: Adding Mailman to Postfix with Virtual Domains

I am a big fan of the cut-and-paste howtos provided at howtoforge.com.

I’ve used something like falko’s howto on Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu 10.10) in order to get a mail server with those features working on Debian Squeeze.

Then I wanted to add mailman in order to operate mailing lists.

The closest howto for achieving this is the one by Rich Brown, How to add Mailman mailing lists to Postfix under Ubuntu Linux when using virtual domains + virtual users.

I’m going to try to recount what I had to do to take a working mail server with virtual users and domains (having completed a howtoforge.com howto) and get that same setup to run mailman. Perhaps some of this was unnecessary, duplicative, or even wrong. But the mailing lists are working now, so that’s something.

List domain preparation

If the domain that will host the lists is not already served by your setup, be sure you:

  • use phpMyAdmin to create the domain example.com in the domains table (NOT lists.example.com!), and
  • add lists.example.com to the DNS zone for example.com.
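On the DNS side, the entry might look something like this in a BIND-style zone file (a sketch: the 203.0.113.10 address and the record layout are placeholders; adjust for your DNS provider):

```
; hypothetical BIND-style entries in the example.com zone
; 203.0.113.10 stands in for your mail server's address
lists            IN  A     203.0.113.10
lists            IN  MX 10 lists.example.com.
```

The MX target must be a plain A record rather than a CNAME, which is why lists gets its own A record here.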


As root:

# aptitude install mailman
# newlist mailman
# vi /etc/aliases

And add the following to /etc/aliases:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
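The ten aliases above all follow one pattern, so a small helper can print them for any list you create later. A sketch (the mailman_aliases function and the mylist name are hypothetical, not part of Mailman itself):

```shell
# Print the ten Mailman alias lines for a given list name.
# (Hypothetical helper; "mylist" is a placeholder list name.)
mailman_aliases() {
    list=$1
    for suffix in "" -admin -bounces -confirm -join -leave -owner -request -subscribe -unsubscribe; do
        cmd=${suffix#-}              # strip the leading dash to get the command
        cmd=${cmd:-post}             # the bare list address delivers via "post"
        printf '%s%s:  "|/var/lib/mailman/mail/mailman %s %s"\n' \
            "$list" "$suffix" "$cmd" "$list"
    done
}

mailman_aliases mylist
```

Since MTA=None in mm_cfg.py (set below) suppresses newlist’s alias output, a generator like this saves retyping the block for each new list.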

# vi /etc/mailman/mm_cfg.py

and uncomment and/or appropriately edit the following lines:

DEFAULT_EMAIL_HOST = 'lists.example.com'
DEFAULT_URL_HOST   = 'lists.example.com'
MTA=None   # Misnomer, suppresses alias output on newlist
GLOBAL_PIPELINE.insert(1, 'SpamAssassin')


create a new file: /etc/apache2/mods-available/mailman.conf that looks like this:

ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/

<Directory /usr/lib/cgi-bin/mailman/>
   AllowOverride None
   Options ExecCGI
   Order allow,deny
   Allow from all
</Directory>

Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /archives/ /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
   Options Indexes MultiViews FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

Now add a symlink to this file so Apache will use your new Mailman aliases the next time it starts:

# cd /etc/apache2/mods-enabled
# ln -s /etc/apache2/mods-available/mailman.conf mailman.conf


Create a new file, /etc/postfix/transport, which contains one line:

lists.example.com     mailman:

Then as root:

# cd /etc/postfix
# postmap transport
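A quick sanity check that the transport lookup resolves as intended (hypothetical transcript; the mailman: value is what a successful lookup prints):

```
# postmap -q lists.example.com hash:/etc/postfix/transport
mailman:
```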

Finally edit /etc/postfix/main.cf – add these four lines to the end of the file:
relay_domains = lists.example.com
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
unknown_local_recipient_reject_code = 550

Use phpmyadmin to add some aliases in the forwardings field:

mailman@example.com	mailman@lists.example.com
mailman-admin@example.com	mailman-admin@lists.example.com
mailman-bounces@example.com	mailman-bounces@lists.example.com
mailman-confirm@example.com	mailman-confirm@lists.example.com
mailman-join@example.com	mailman-join@lists.example.com
mailman-leave@example.com	mailman-leave@lists.example.com
mailman-owner@example.com	mailman-owner@lists.example.com
mailman-request@example.com	mailman-request@lists.example.com
mailman-subscribe@example.com	mailman-subscribe@lists.example.com
mailman-unsubscribe@example.com	mailman-unsubscribe@lists.example.com

Finishing up

# newaliases
# service apache2 restart
# postfix reload
# service mailman start

After some combination of the above (and hopefully not forgetting anything; note my uncertainty there), the mailing lists just started working! Go to http://lists.example.com/mailman/admin/ and create a test list to confirm everything is working.

15 Dec: Debian Squeeze’s Kernel to Be Blob-Free

Debian announced today that Debian 6.0 “Squeeze” will be released with a completely free Linux Kernel.

Having, in the past, spent many frustrating hours trying to get some wireless card or some other piece of hardware to work with some binary firmware that cannot be examined or improved but is simply foisted on you, I’m really thankful to the team that is doing this work. Congratulations to them!

I’ve already successfully installed Squeeze numerous times with the Debian 6.0 beta installers. Give it a try!

23 Jun: Five Ways to Improve International Soccer

Watching some World Cup games recently, and hearing that Americans largely find soccer boring, noisy, full of sissies taking dives, and plagued by controversial officiating, I offer the following suggestions:

  1. Allow each team captain three opportunities over the course of the entire match to request an instant replay where any of the following are at issue:
    •  A goal was denied due to a penalty of any sort. (Think U.S. v. Slovenia.)
    •  The captain believes that a call (or failure to call) of a handball, a dive, or offside was improper.
    •  A corner kick is denied where the captain believes the defender last touched the ball.
    •  A player is given a red card and the captain believes it was unfounded.
    •  The captain believes the ball did or did not cross the plane of the goal line and was improperly called.
    • The replay officials would require clear and convincing evidence of an error to reverse a call.

  2. Have the clock kept by official timekeepers on the sideline, who control any scoreboard clocks. They stop the clock every time the ball crosses the plane of the sidelines or the official’s whistle blows, and restart it when the ball is back in play. This eliminates unpredictable stoppage time at the end of matches and would probably allow the halves to be shortened to 35 or 40 minutes while yielding the same amount of actual play.
  3. Allow unlimited substitutions.
  4. Give an automatic red card to players penalized for diving. They are removed from the match immediately and the side must complete the match without a substitution.
  5. Make the goal 22 cm higher and 44 cm wider. (This adds one ball diameter at the top and one on each side, which ought to lead to more scoring.)

Bonus idea: Forbid artificial noisemakers of any sort in the stadiums.

There you have it. Five simple suggestions that would, I think, greatly improve international soccer and which would resolve many of the greatest complaints among those who are interested in soccer, but not yet committed fans.

20 May: links for 2010-05-20

27 Apr: Remote backups with rsnapshot

I’ve previously used rdiff-backup to do remote backups of my Debian servers, but for whatever reason those backups tended to fail without my learning about the problem soon enough, so I needed a new solution. Enter: rsnapshot.

Install rsnapshot on both the remote machine and the backup server:

apt-get install rsnapshot

Save yourself a copy of the default config file in case you ever need it:

cp /etc/rsnapshot.conf /etc/rsnapshot.conf.default

On the backup server I create an rsnapshot user:

groupadd -g 3500 rsnapshot
useradd -u 3500 -s /bin/false -d /home/rsnapshot -m -c "rsnapshot" -g rsnapshot rsnapshot

Then prepare the backup server to be able to automatically access the production server using ssh keys:

cd /home/rsnapshot
su -m rsnapshot

With the previous command you become the user rsnapshot on the shell. You can confirm this with:

whoami
The next few commands must be run as user rsnapshot!

Create the keys:

ssh-keygen -t rsa

Hit Enter at all prompts. It is important that you do not enter a passphrase; otherwise the backup will not work without human interaction, so again just hit Enter. In the end two files are created: /home/rsnapshot/.ssh/id_rsa and /home/rsnapshot/.ssh/id_rsa.pub.

Now copy over the public key you just created to your production server:

ssh-copy-id -i /home/rsnapshot/.ssh/id_rsa.pub root@yourdomainname.example.com

If your production server to be backed up happens to run Ubuntu, as one of mine did, then you should log in to the production server and do away with its silly refusal to have a password for root with:

sudo passwd root

and then you’ll have no trouble with the prior step, which copies the public key of the user rsnapshot to the file /root/.ssh/authorized_keys on the production server yourdomainname.example.com.

You can confirm that this worked with:

ssh root@yourdomainname.example.com

That should have logged you in as root on your production server without requiring you to enter a password. Now, on the one hand, this is exactly what we were trying to do, but on the other hand, we don’t want to leave it like this or anyone who gets access to the rsnapshot user on your backup server could be root on your production server. Not good. So next we fix that by taking a look at /root/.ssh/authorized_keys. It should look similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA[...]/zkctw== rsnapshot@backupservername

Now prepend from="<backup-IP>",command="/root/validate-rsync" just before “ssh-rsa”, separated by only a single space, all on a single line like so:

from="<backup-IP>",command="/root/validate-rsync" ssh-rsa AAAAB[...]/zkctw== rsnapshot@backupservername

where <backup-IP> is your backup server’s numeric IP address. This change means that this key can only be used from your backup server’s IP address and can only run a single command, validate-rsync. We must now create the file /root/validate-rsync with the following content:


#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
    *\&*) echo "Rejected" ;;
    *\(*) echo "Rejected" ;;
    *\{*) echo "Rejected" ;;
    *\;*) echo "Rejected" ;;
    *\<*) echo "Rejected" ;;
    *\`*) echo "Rejected" ;;
    *\|*) echo "Rejected" ;;
    rsync\ --server*) $SSH_ORIGINAL_COMMAND ;;
    *) echo "Rejected" ;;
esac

Special thanks to Troy Johnson for this script. Now make the script executable:

chmod u+x validate-rsync
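To confirm the forced command took effect, try running an arbitrary command over ssh from the backup server as the rsnapshot user; it should now be refused (hypothetical transcript, assuming the authorized_keys change above):

```
$ ssh root@yourdomainname.example.com uptime
Rejected
```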

You should now be set up on the production server and can log out and go back to your rsnapshot user on the backup server. Become root on the backup server so you can edit the rsnapshot configuration file, /etc/rsnapshot.conf, which you can learn more about at this rsnapshot HOWTO. The main thing to know about this config file is that everything that looks like a space probably should be a TAB instead.

#I suggest the following changes:
snapshot_root /home/rsnapshot/.snapshots/
logfile       /home/rsnapshot/rsnapshot.log # user rsnapshot can't write to /var
lockfile      /home/rsnapshot/rsnapshot.pid # user rsnapshot can't write to /var
ssh_args      -o BatchMode=yes

#Uncomment the following:
cmd_cp        /bin/cp
cmd_ssh       /usr/bin/ssh
cmd_du        /usr/bin/du
interval      monthly 3

#Choose some directories to exclude:
exclude       /home/user/JunkThatIDontWant
exclude       /cdrom
exclude       /proc
exclude       /sys
exclude       /tmp

#And choose some directories to backup:
backup        root@yourdomainname.example.com:/home/user/ yourdomainname.example.com/
backup        root@yourdomainname.example.com:/etc yourdomainname.example.com/
backup        root@yourdomainname.example.com:/var yourdomainname.example.com/
backup        root@yourdomainname.example.com:/usr/local yourdomainname.example.com/
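For reference, the full set of rotation rules that the cron schedule below relies on might look like this (a sketch: the hourly and daily lines ship enabled in Debian’s default config, newer rsnapshot versions spell the keyword “retain” instead of “interval”, and the fields must be TAB-separated):

```
interval      hourly   6
interval      daily    7
interval      weekly   4
interval      monthly  3
```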

Now you probably put some spaces where there were supposed to be tabs, so check your config file's syntax with this test:

rsnapshot configtest

Once it comes back with "Syntax OK" you are ready to try your first hourly snapshot. Become the rsnapshot user and give it a try with:

cd /home/rsnapshot
su -m rsnapshot
rsnapshot -V hourly

This will give verbose output so you can see that something is really happening. Once you get an hourly snapshot or two to complete successfully, you should automate this with cron. As the rsnapshot user, type:

crontab -e

and choose your schedule, something like:

0 */4 * * * /usr/bin/rsnapshot hourly
50 2 * * * /usr/bin/rsnapshot daily
40 2 * * 6 /usr/bin/rsnapshot weekly
30 2 1 * * /usr/bin/rsnapshot monthly

which would do:

  • 6 hourly backups a day (once every 4 hours, at 0, 4, 8, 12, 16, 20),
  • 1 daily backup every day, at 2:50 AM,
  • 1 weekly backup every week, at 2:40 AM, on Saturdays (6th day of the week), and
  • 1 monthly backup every month, at 2:30 AM on the 1st day of the month.

And there you have it! You have automated remote backups of your production server using rsnapshot.

17 Jan: High load average but low CPU usage

One of my Debian servers had its load average pegged at 3.0 but top didn’t show anything using a lot of CPU. A little Google research revealed this approach that solved things for me:

top -b -n 1 | awk '{if (NR <=7) print; else if ($8 == "D") {print; count++} } END {print "Total status D: "count}'

top - 11:53:48 up 5 days, 18:47,  1 user,  load average: 3.00, 3.00, 3.00
Tasks: 132 total,   1 running, 131 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.2%us, 12.3%sy,  3.8%ni, 83.3%id,  0.2%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2075620k total,  1773432k used,   302188k free,   395648k buffers
Swap:  2650684k total,      716k used,  2649968k free,  1165208k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
 8548 root      20   0  2296  684  576 D    0  0.0   0:00.00 find               
 8675 root      20   0  2296  684  576 D    0  0.0   0:00.00 find               
32070 root      20   0  2296  688  576 D    0  0.0   0:00.00 find               
Total status D: 3
tempe:~# killall -9 find

After that, the load average immediately began dropping back to normal.
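The awk filter above depends on top’s column layout; an alternative sketch reads the process state straight from /proc (assumes a Linux /proc filesystem; the comm field can contain spaces, which would shift the state column, so treat this as a rough diagnostic):

```shell
# Count processes stuck in uninterruptible sleep ("D" state) by reading
# /proc directly; such processes inflate the load average while showing
# ~0% CPU in top.
d=0
for stat in /proc/[0-9]*/stat; do
    # fields of /proc/PID/stat: pid (comm) state ...
    set -- $(cat "$stat" 2>/dev/null)
    if [ "$3" = "D" ]; then
        echo "$1 $2"      # pid and command name
        d=$((d+1))
    fi
done
echo "Total status D: $d"
```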

14 Dec: A Firefox search engine plugin

If, like me, you often find yourself searching online for judicial opinions, particularly freely-available complete versions, and especially Federal Circuit Court and Supreme Court opinions, then you’ve probably encountered the opinions at resource.org. I particularly like to link to these versions on my syllabi, because the paragraphs are numbered and I can then specify for students precisely which parts to read in cases where we aren’t reading the entire opinion.

I just made such searches a lot easier for myself by creating this Firefox search engine plugin that searches resource.org via Google.

I typically know the citation or party name that I’m looking for, and so this search engine plugin puts your terms in quotation marks automatically so that Google searches for exactly that search phrase on resource.org.

In using this plugin so far, I get exactly the opinion I am looking for as the first link far more often than I used to when just using Google. Try it for yourself.

13 Dec: links for 2009-12-13

10 Dec: links for 2009-12-10