Happenings

Signs And Portents

While I was gone recently, I spent a few days near Southampton and saw some things I thought I’d never see. Leaving aside what I was in the area for (which turned out to be a bit out of the ordinary) and the horse we saw standing outside a front door trying (someone was in for a real surprise), Brockenhurst train station has some interesting leaflets to browse through. Some were just us being juvenile, some are genuinely frightening. Have a look for yourself in my first Flickr photo set: Signs Of Brockenhurst.

Incidentally, I was surprised by just how easy to use Flickr is. The uploadr software is one of the nicest bits of UI I’ve seen in a long time.

Film Fight 2005: January

Though it is ever so slightly delayed, let’s go over this year’s first month of films anyway. It’s not going to prove useful for anyone looking to find something in the cinema (DVD releases must be imminent at this rate), but then again that has never been what this is all about.

First film of the year was Running Scared. The plot revolves around trying to find a kid who stole a gun, previously used to murder a cop, who shot his father. Yes, it’s that ridiculous. If you can suspend disbelief through the convoluted plot and bizarre b-plot (how that paedophile story got into the script, I do not know), you have a reasonably tense if fairly predictable action-drama. It’s not going to win any awards, but there are worse ways to spend your time.

Next up is the surprisingly warm Steve Martin film, Shopgirl. Written by the comedy legend himself, it’s a story that takes Martin away from the laughs (those are provided by the always excellent Jason Schwartzman) and puts Claire Danes in the middle of a love triangle while she tries to understand the changes in her life. At times tender, uncomfortable and nostalgic, this film portrays relationships in more dimensions than mainstream cinema has in the last decade: no-one is perfect and there are no relationships free from deep problems. Save for the misguided narration framing the piece, Shopgirl is a film worthy of anyone’s time.

A lot of people seem to have left Jarhead with the impression that nothing much happened. While that was overtly the point (the first Gulf War being uninvolving for most soldiers), it misses the fairly blinding subtext that this is a film packed with life: from the brutality of the boot camp to the shipping to the gulf to filling endless days in a desert with paranoia and mindless tricks to fight the boredom. A whole war happens and the marines can only bear witness to it, trapped between their old lives and new lives of combat. Beautifully shot, if occasionally overbearing, Jarhead is an experience- rather than plot-driven film. That’s why it was so good.

The final film of the month is A Cock And Bull Story: the impossible to describe, and devilishly clever retelling of the substance, if not the plot, of Tristram Shandy; a book about how life is too vibrant, detailed and fluid to ever be captured by art. While the film begins as a faithful retelling of the book (the first third focussing on the details of the titular character’s birth), it soon zooms out to incorporate the tales of the lead actors: Coogan’s petty one-upmanship and affairs, Brydon’s fight for the limelight and terror when he finds it, parodying both of their public figures perfectly. In forgetting to tell the story of the book and, instead, showing the extraneous details that are needed to fully appreciate the telling, the director has captured the very essence of the book: the map is not the territory. An incredibly clever film.

Winner? Though I pointed at Jarhead as being the winner in a previous post, I think Cock And Bull Story has edged it in retrospect. It is a film with as much depth as one would expect from the classic novel it adapts. Though, it has to be said, three of the four films this month were worth seeing.

Deafening Noise

It’s been… nearly eight weeks since my last post and, I must confess, I’ve barely noticed the time go past. It’s been pretty hectic, what with a new flat, several cities to visit, work being crazy busy and Glasgow city centre proving to be fairly entertaining. Broadband having been installed last week (finally, after some fairly shoddy service by the first people we tried to get coverage from) I will be posting more regularly now, time permitting.

A quick recap of the last two months, including lessons learned:

  • New flat in the city centre leading to many nights out.
  • Sleep can be bypassed for large periods of time.
  • It’s more than possible to avoid the internet for several months without getting overly antsy.
  • 22Mbps broadband is ridiculous. Tricky to max out.
  • If you shave your head, it will likely snow heavily the very next day. Sort of like a rain dance, but colder. And with less dancing.
  • Prague food: the right mix of cheap, tasty and large portions.
  • Prague booze: the right mix of cheap, tasty and large portions.
  • Prague culture: the wrong mix of tourism, Western influences and the painfully obvious.
  • The fewer people you have at a party, the more people (as an absolute number) that will pass out.
  • My new computer (a 64-bit dual core Athlon with 2GB RAM and other silly goodness) is moderately better than my old computer (comparable to a Casio digital).
  • To do lists are the bane of my life, yet I keep them compulsively.
  • Although sleep can be bypassed, when the lack thereof hits, it hits hard.

Need sleep. Real posts soon.

In The Quiet

I know, I know. You’re wondering why I haven’t been filling your lives with long-winded articles about obscure attacks, or strange foods or music that no-one else likes. When, you’re surely thinking, will I find out what film Gary preferred out of the four he saw in January? (It was probably Jarhead by a whisker, to ruin the surprise). The reasons are threefold:

  1. Work. I’ve been incredibly busy for the last few weeks. There’s nothing quite like a deadline to kill all creative and expressive urges; it’s been a case of going to work, coming home, and vegetating.
  2. Going out. To stave off going nuts from the above, I’ve been going out a hell of a lot, not least of all being Mr Murray’s 21st birthday last weekend. I do implore you to search out the photos from that particular night. Not because of the incriminating pictures of Derek (which are sadly mostly private) but for the fact I look like I’ve had a stroke incapacitating half of my face in nearly all of them.
  3. Moving. Preparation and pre-moving “smaller” items into my nice new flat has been taking up a fair chunk of my free time. I’ve yet to figure out how to get a drum kit from here to there, but it’ll be a fun challenge. Semantic web geeks please note that it’ll mean that my GeoURL (anyone actually doing anything with those?) will be accurate within 5 miles for the first time!

Sadly, until I get broadband (and a phone line) set up in the new place, the silence will largely continue. See all five of you fine readers at the flatwarming, no doubt.

Decompression Bombs Part 2

The piece on decompression bombs was not supposed to be a panic piece, as seems to have been implied; rather it was an informative one about a hidden danger in handling compressed files and, in my view, a neat little trick.

To respond to some questions about it: someone asked how you would create the compressed file in the first place, since compressing that much data would have to be done in memory, causing you the same problem. Very astute! The answer is that you don’t: the uncompressed data never exists as a whole. You need to know enough about your compression algorithm to construct the compressed file directly, writing the output without any real input; or, more simply, you feed a generated input (a buffer of zeros, say) through a streaming compressor one chunk at a time and keep only the compressed output, which is tiny. This is not that tricky for most formats. The fact of the matter is that you can download ready-made decompression bombs quite freely.

In response to a comment by David Russell, and to illustrate some points more clearly, I’m going to discuss some more concrete examples. First of all, David raises the issue that this just means “you restart”. Naively, yes, it does. A restart might not mean much to you, the home user, but it does to quite a few companies. Servers going down means a tangible loss of revenue and of respect in the marketplace.

Moreover, denial of service attacks are used to blackmail companies. Mostly these come in the form of botnet attacks, but there’s no reason why a poorly defended company couldn’t be taken down by decompression attacks. Frankly, without adequate defences, a decompression attack is far more effective than a flood of malicious pings: the asymmetry is the whole point, since a few kilobytes of attacker traffic can cost the target gigabytes of memory or disk.

Here are a few scenarios for you:

  1. You are an admin for a company with a reasonable IT infrastructure. Being sensible, your mail server scans all incoming attachments for problems. You’ve also put the servers into a replication configuration so that if one server goes down then your mail queues redirect. Someone sends you a decompression bomb; your mail server goes down pretty quickly because the scanner tries to inflate the attachment in memory. For every minute the servers are down, you lose X pounds. Depending on how much you’ve thought about this, X can be a large number. Your redundant servers can’t easily help because they’ll pick up the same message, start scanning it and fall over in turn. You have a few options: you can switch off scanning (obviously dangerous). Maybe you can switch off replication, though that generally means isolating that queue and dropping the mail on the floor while you figure out what has happened, potentially costing more money.
  2. You are an image storage/processing company that lets users upload images (like, for example, Flickr). People upload whatever photos they like and let you display them. Because you want to save a considerable amount of bandwidth, you accept gzip-encoded transfer of images. This saves you Y million a year (a conservative estimate for a large site). Someone sends you an image decompression bomb, which expands to some enormous amount on your servers. Your resources get drained while you either try to store it or sort it out. What can you do? Maybe you take the one-time hit of writing it to disk; a poor strategy if someone is using this as part of a distributed denial of service attack on your site. Maybe you just kill gzip upload which, as we know, will cost you at least Y million a year; not a good idea if you’re looking to get promoted any time soon.

There are solutions to these scenarios (which I would like to leave as an exercise for my readers; comments, anyone?), and I’m sure there are also trickier scenarios for the really devious (again, I’d love to hear something quite sneaky). The point is that if you accept any content which is compressed, you should be aware of how this could affect you.
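As an added example (my code, not something from the original post or its commenters), here are both halves of the trick in Python, using only the standard library’s zlib: the streaming construction that answers the “how do you compress that much without holding it in memory” question above, and one answer to the exercise just set, a gzip decoder with a hard output budget of the kind the mail scanner in scenario 1 and the upload handler in scenario 2 would need in front of their decoders. The function names, the 10 MiB bomb size and the 1 MiB budget are illustrative choices of mine.

```python
import io
import struct
import zlib

# Added example, not code from the original post. Names, sizes and budgets
# below are illustrative choices; only the zlib calls are real library API.


def make_gzip_bomb(uncompressed_size: int, chunk_size: int = 1 << 20) -> bytes:
    """Return a gzip stream that inflates to `uncompressed_size` zero bytes.

    The plaintext never exists as a whole: one reusable chunk of zeros is
    pushed through a streaming compressor and only the compressed output is
    retained, so building a multi-gigabyte bomb costs almost no memory.
    """
    comp = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=16 + zlib.MAX_WBITS)
    zeros = bytes(chunk_size)  # highly compressible filler, reused every round
    out = io.BytesIO()
    remaining = uncompressed_size
    while remaining > 0:
        n = min(chunk_size, remaining)
        out.write(comp.compress(zeros[:n]))
        remaining -= n
    out.write(comp.flush())
    return out.getvalue()


def gzip_claimed_size(data: bytes) -> int:
    """ISIZE from the gzip trailer: the original length modulo 2**32.

    A cheap first filter, but it is attacker-controlled and only describes
    the last member of a concatenated stream, so never rely on it alone;
    the bound enforced in safe_gunzip is what actually protects you.
    """
    if len(data) < 18:  # 10-byte header + 8-byte trailer minimum
        raise ValueError("too short to be a gzip stream")
    return struct.unpack("<I", data[-4:])[0]


class DecompressionBombError(Exception):
    """Raised when inflating would exceed the caller's output budget."""


def safe_gunzip(data: bytes, max_output: int) -> bytes:
    """Inflate `data` but never produce more than `max_output` bytes.

    zlib's decompressobj caps each call's output via max_length and hands
    back any input it did not get to in unconsumed_tail, so the bound holds
    whatever ratio the stream achieves and without inflating the excess.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while pending:
        budget = max_output - len(out)
        # Ask for one byte beyond the budget so an overflow is detectable
        # without first materialising the whole oversized output.
        out += d.decompress(pending, budget + 1)
        if len(out) > max_output:
            raise DecompressionBombError(
                f"output exceeds {max_output} bytes "
                f"(compressed input was only {len(data)} bytes)"
            )
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    bomb = make_gzip_bomb(10 * 1024 * 1024)  # 10 MiB of zeros
    print(f"bomb: {len(bomb)} bytes compressed, trailer claims {gzip_claimed_size(bomb)} bytes")
    try:
        safe_gunzip(bomb, max_output=1 << 20)  # 1 MiB budget
    except DecompressionBombError as e:
        print("rejected:", e)
```

The budget has to sit in the decoder itself, not on the compressed size or the trailer: the compressed file is small by design, and the ISIZE field is whatever the sender wrote. The same pattern (a bounded streaming inflate that aborts on the first byte past the limit) applies to any format a scanner or upload handler decodes, and nested archives need the budget applied again at each layer.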