One criticism of Windows was that folks were encouraged (by websites) to download a custom .exe file to the Desktop and double-click it.

In response, a wave of security products and some access control changes put a stop to that.

Some users missed the convenience.

Could this ever happen on Linux / Unix?


Here is an extract from the install instructions for a Google publicised project:

curl -L | bash

It seems the nix community is in too great a hurry, putting convenience before security.

I point out some of the reasons why not in the next section.

Internet pipe to Bash – why not?

To suggest such an install procedure is to ignore many of the security lessons of the past decade.

Possible risks 1: Fat fingered redirect

By advising the user to invoke curl with the -L flag, the developer is encouraging users to trust any redirection coded at the remote site.

The reason curl reports a redirect, rather than silently following it, is to allow the end user to verify any redirection themselves, rather than trusting whatever redirection has been entered at the remote site.

What would happen if a bogus redirect was inserted by mistake, or by a malicious insider? If it only happened for an hour, would the company think it important enough to inform the developer population?

Possible risks 2: Shifting sands

Exactly how do you personally know that the code that was there yesterday is the same code as today?

Does it come in a package with checksums and a well-understood, built-in checksum verification feature?

Can you manually download a verification checksum from a different mirror server than the one serving the actual code download?

Possible risks 3: Compromised server

Compromised servers are always a risk for any internet hosted software.

Hosting code through acceptance into a distribution like Debian or Red Hat allows a small company to leverage the infrastructure those distributions provide.

It also elevates otherwise untrusted software somewhat, due to the integration build process, QA review, and hosting infrastructure which such distributions provide.

Bitbucket, Gitorious, Google Code and GitHub offer some minor improvement over self-hosting a project yourself.

Then there are PyPI, CPAN, and other convenience collections, which, whilst not offering massive assurance, at least mitigate the next problem described.

Possible risks 4: DNS hijack / redirection

DNS cache poisoning is all too common, unfortunately.

Whilst this project is getting some backing from Google, it would be unwise to assume that it (and any mirrors?) employ DNSSEC to mitigate cache poisoning. If they did employ DNSSEC effectively, would that be on the original HTTP endpoint or the redirected HTTP endpoint?
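Risks 1 and 2 above (trusting a redirect, and not knowing whether today's code matches yesterday's) both have a simple defensive counterpart: download to a file without following redirects, verify a checksum that was obtained separately, and only then run anything. The following is an added example, not code from the article or from any project it mentions. It stands up a constructed local HTTP host (so it runs offline) that serves a sample script at one URL and a redirect at another; the script content, its checksum and the URLs are all constructed for the demonstration.

```python
import hashlib
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample "installer" and the checksum a publisher would post
# out of band (e.g. on a different mirror, or in a signed release note).
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'hello from the sample installer'\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Turn any 3xx into an error instead of following it silently (the -L behaviour)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            req.full_url, code, f"refusing to follow redirect to {newurl}", headers, fp)


def fetch_no_redirect(url, timeout=5):
    """Download url and return the body; raise HTTPError if the server tries to redirect."""
    opener = urllib.request.build_opener(RefuseRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


def verify_sha256(data, expected_hex):
    """Compare the download against a checksum obtained separately from the download."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


def safe_fetch(url, expected_sha256):
    """Fetch without redirects and refuse the content unless its checksum matches."""
    data = fetch_no_redirect(url)
    if not verify_sha256(data, expected_sha256):
        raise ValueError("checksum mismatch: not running the downloaded script")
    return data


class _FakeHost(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a project's download host: one direct URL and one redirect."""

    def do_GET(self):
        if self.path == "/install.sh":
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(SAMPLE_SCRIPT)))
            self.end_headers()
            self.wfile.write(SAMPLE_SCRIPT)
        elif self.path == "/latest":          # the "fat fingered" (or malicious) redirect
            self.send_response(302)
            self.send_header("Location", "/install.sh")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_host():
    """Start the constructed host on a free loopback port; return (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FakeHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Exercise three cases: good download, redirect refused, tampered content refused."""
    server, base = start_fake_host()
    results = {}
    try:
        results["direct_ok"] = safe_fetch(base + "/install.sh", SAMPLE_SHA256) == SAMPLE_SCRIPT
        try:
            safe_fetch(base + "/latest", SAMPLE_SHA256)
            results["redirect_refused"] = False
        except urllib.error.HTTPError as err:
            results["redirect_refused"] = err.code == 302
        try:
            safe_fetch(base + "/install.sh", "00" * 32)   # checksum that does not match
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split into fetch, verify and run is that the checksum must come from somewhere other than the page that serves the script; a checksum published next to the download only proves the two were tampered with together. Refusing redirects does not make a download safe on its own, it simply means the user sees where the content actually came from before deciding to trust it.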

Commentary and other examples:

In fairness to the developers, there are some additional install notes, and in particular there are some hints for Debian / Ubuntu folks that include this line:

sudo npm install -g yeoman

However, those install instructions also suggest at the start that you should still do an initial pipe to bash, in case you had a previous install present.

Doing that initial pipe to bash, then switching to more traditional package management techniques, does not mitigate any of the risks described earlier.

It may be that developers are being encouraged to do this sort of hacky curl stuff by seeing this entry on the npm site:

curl | sh

The observant amongst you will notice that there is no -L flag here, so strike off one of the risks listed earlier.

What comes after the pipe symbol ( | )? Does that make any difference from the other example?

That answer is left as an exercise for the reader.

Further examples (added after article first written):

Chkrootkit and other tools that scan for rootkits sometimes report a Python-related ‘.path’ file as suspect.

The script responsible for creating that file is /usr/sbin/update-python-modules, from the Debian & Ubuntu package python-support.

Code extract from /usr/sbin/update-python-modules:

There is no harm in understanding how to adapt chkrootkit or alternatives to ignore a list of locally recognised false positives; however, some might consider this ‘false positive’ a bug.

The past 5 years have seen much upheaval in roles and responsibilities within Information Technology.

Business leaders felt that IT was too partitioned (and thus expensive).

The result has been a narrowing of knowledge in individual areas, with a focus now on breadth.

IT - Narrowing and Connecting

Phrases such as “The developer is king” reflect this shift.

As with all power shifts, there are upsides and downsides.

Cloud computing was fuelled in part by this shift – that is an upside.

Organisations now have to introduce control processes and checks on developers, some of which, it could be argued, are a direct replacement for the partitions between people in the previous model.

Example: Source code and deployment.

If one person acting alone has full responsibility for source code and deployment, where does that leave the company when the developer leaves?

Ah, you might argue, but the Developer is a responsible type and pushes to central company controlled repositories and deployment templates.

My question here is “How responsible?”

Surely ‘responsible’ is a sliding scale – some Developers will be more so, some less so.

I was deliberate in using the phrase ‘central company controlled’ when talking about repositories and deployment templates.

Are you a head of IT or company Director? If so, do you know:

  • How granular the access control is on source repositories?
  • How granular the access control is on deployment templates?
  • How many people are sharing the main ‘Owner’ account?
  • The credentials for the ‘Owner’ account?

For the final two points, an argument and counter argument:

But the Head of IT and Directors do not need to access source control; in fact, best not have them in there in case they do some damage.

Without access to source control, which non-developer have you tasked to act as code keeper on your / the company's behalf?

This post is providing background for a series of articles – more to follow.


For this particular project the contained the following line:


Note: if you use ‘memcache’ or ‘memcached’ instead of what is written, you will probably get a message like:

Couldn’t find index page for ‘memcache’ (maybe misspelled?)

remote: Reading
remote: No local packages or download links found for memcache>=1.45
remote: Best match: None

This is a break from the norm: not a technology article, unless you consider NLP to be a technology.

Austerity in Europe and America has many negatives, and the growing misuse of the word ‘Entrepreneur’ by multi-level marketeers is one of them.

I had never had exposure to Neuro-linguistic programming, but now I have, so let me tell you how it works (from my experience), and the signs to look for:

  1. Iconography
  2. Negative sounding messages (that are really positive reinforcement)
  3. Unannounced speaker
  4. Disjointed presentation
  5. Multiple reflection / returning to the icons
  6. Notable resistance becomes agreement – change in participants reactions

Some of those points relate particularly to NLP employed as part of a multi level marketing sell.

That was my context, and I provide some detail next.

1 & 2: Iconography and Negative Sounding Messages

The image (a currency symbol: £ / $ / €) is introduced within the first 5 or 10 minutes, and features prominently.

That symbol will probably be in the centre of the first / second page, and be large in comparison to other text.

This will be part of a negative message – here is an example:

I was chasing the £s, but I was not happy

The early introduction of this negative message is key, because what is actually happening is that you are being moved away from the goal (rejection), in order that you strongly associate with the goal later on.

3 & 4: Unannounced speaker / Disjointed presentation

NLP is a feedback technique and requires participation and adaptability on the part of the presenter.

So a presentation that is employing NLP might seem less planned than a typical presentation. This is easy to explain away if the presentation is described as ‘last minute’, or the presenter says they are really keen on participation rather than a typical serial approach.

There are fishing elements, similar to what you might expect from TV clairvoyant mediums who do cold readings: they “fish, suggest possibilities, make educated guesses and give options” (quote from Wikipedia – Mediumship).

Some of the disjointedness / participation is the presenter fishing for themes on which to play as part of NLP – bereavement, divorce, and others.

5: Multiple reflection / returning to the icons

The ‘my story’ part of the presentation is often followed by a reflection where the presenter returns to the first / second page, which features the prominent icon(s).

If this is a typical ‘my story’ then it starts with ‘I was down / broke’ and finishes with the successful outcome – multi level marketing in my case

Then the £ sign reappears as the presenter flicks back to the first page.

A childlike description of the sequence might be:

bad icon, unhappiness, what I did, how the company saved me, good icon*

*Although the final ‘good icon’ is not overt – the ‘I was chasing the £s’ is never consciously contradicted, although the icon use has now been placed in a different context

6: Notable resistance becomes agreement – change in participants reactions

Subconsciously, participants know that something is unusual, although they often don’t know what, in real time.

So there is resistance / an unsettled feeling on the part of some. This is later followed by quietness / lack of vocal opposition as acceptance sets in.

A strong NLP practitioner will go beyond lack of opposition, and participants who showed resistance, may actually start to be vocal in support of the presenter.

(you will know if you are in a room and this happens – believe me)

Further notes:

NLP might include associating icons, so there may well be unobvious associations that go a bit like this:

A moment where the presenter says ‘I like smiley faces’ and then draws a smiley face. This will somehow be linked to the behaviour they have just described, or to the main icons they introduced earlier.

Remember in NLP, most of the stuff which is given out as low key / insignificant is usually being employed as part of a subliminal program.

The smiley face can also be a useful feedback mechanism, as with infectious yawning, it can help the NLP practitioner select the most pliable of the participants.

You will be encouraged to clap at the end. Sometimes participants are left a bit stunned by the NLP technique, so a helper / assistant might prompt the clapping.

NLP – the positives?:

Rather than state hard opinions here, I will just present alternative scenarios where it might be felt that NLP is less damaging than in cult-like multi-level marketing schemes:

  • NLP as part of smoking cessation care package
  • NLP as part of drug misuse treatment plan
  • NLP as part of rehabilitation of criminal behaviour

In those contexts, is NLP use a positive tool?

The view that NLP should not be employed on the vulnerable (addicts, recently released prisoners) is quite a strong argument also.

Your own social group and wider society need to form an opinion on this.

What to do if you have been NLP’d

  • Leave the group / meeting situation as soon as is convenient.
  • Talk to somebody and explain what did not feel right about the meeting
  • Consult your partner / family and any other support network outside the group you just left.
  • Try to avoid going to sleep immediately*

*NLP works on your subconscious, and even though you might feel a little sleepy (like post hypnosis), immediate sleep may well allow unchallenged reinforcement of the presenters message.

Once you have talked to your partner / family and put the programming in a safer context (perhaps by talking about the key points from the meeting and gauging the reactions of trusted family), sleep as usual.

The Scam index – a couple of questions for the wildly successful presenter:

  • If you are earning thousands a month, then why can you not afford email at your own domain name? That does not sit right.
  • If you are earning enough to drive a flashy sports car and flaunt your wealth, then surely you would already have gone beyond hiring church halls, and would have your own business premises?

On a final note, I explain what I meant by ‘the misuse of the word Entrepreneur’:

In studies of several of the largest multi level marketing schemes, the evidence suggests that 90% of the participants make no income whatsoever.

In a typical large multi-level marketing scheme of 10,000 agents:

  • 9,000 of those agents will make no money at all.
  • 990 of those agents will make an income that is at a level typical of a blue-collar worker.
  • 10 of those agents will make a huge income, but it will *take a decade to get there.

*There have been some pyramid / multi level marketing schemes that did survive that long, however most will not.

If you think you are in the top 10 in a pool of 10,000, then you will not need a scheme to launch your own wildly successful business. $

( $ There are many other franchising opportunities out there if you feel you can only be an elite businessperson through a pre-configured template. )

If you think you could be above 9,000 of those 10,000 agents, then why not just work in a factory from the outset?

(In the UK even those fairly elite 990 very hard working marketeers will not earn more than they could working in a cake factory.)

Wikipedia is as good a place as any to start your own research.

Or alternatively just websearch for ‘multi level marketing scheme zero income’ and start reading.

Apologies if the ‘fat friend’ reference in the title offends. It was meant to grab your attention, but refers to a network TV show in the UK.

GNU/Linux systems now have a new major kernel version: 3.

Best way to test / report kernel in Python?

Example script – hosted on Bitbucket:

The Python script at the link above will report what it knows about your running kernel.

Example output for Linux kernel 3.x:

Python reports Linux 3
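The Bitbucket script itself is not reproduced here, so the following is an added example (not the author's script) of one reasonable way to do the same job: ask the platform module for the system name and kernel release, parse the release string into its numeric parts, and produce a one-line report in the same "Python reports Linux 3" style as the output above. The release strings in the comments are constructed samples.

```python
import platform
import re

# Accepts release strings such as "3.2.0-4-amd64", "2.6.32-5-686" or "3.0.0-12-generic"
# (constructed samples): major.minor[.patch] followed by any distribution suffix.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release):
    """Split a kernel release string into (major, minor, patch, suffix)."""
    match = _RELEASE_RE.match(release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch) if patch else 0, suffix


def describe(system, release):
    """Build the one-line report for a given system name and release string."""
    if system != "Linux":
        return f"Python reports {system} {release} (not a Linux kernel)"
    major, minor, patch, suffix = parse_release(release)
    return f"Python reports Linux {major} (kernel {major}.{minor}.{patch}{suffix})"


def report_running_kernel():
    """Report on the kernel this interpreter is running under, via platform.uname()."""
    uname = platform.uname()
    return describe(uname.system, uname.release)


if __name__ == "__main__":
    print(report_running_kernel())
```

Parsing the release into integers rather than comparing strings matters once you want to branch on the version: a string comparison would rank "2.6.39" above "3.0.0".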

Something important is happening to markup.

The semantic web – that’s XHTML, right? About 5 years back that was the only way, but today its modern take is RDFa.

What should I beware of then?

Competing standards licensed under FRAND terms.

For those of you not familiar with FRAND, it is a pretence. Its proponents will use the word ‘open’; however, there are always caveats, and a ‘boys’ club’ mentality involved.

You cannot confer FRAND rights on anyone else, and that is where the lie is outed.

Ask anyone bearing FRAND gifts this question:

If the terms are Non-Discriminatory, like you say, then how come I cannot give those rights to the other 50 people in my local business networking club?


So RDFa is an open standard?

Yes. In 2008 the standard reached ‘Recommendation’ status and has the backing of the web standards body, the W3C.

The Wikipedia link above gives a short snippet, but here is a more in-depth primer on RDFa.

So if you want to add ‘richness’ to your content and make it easier for search engines to index, use RDFa.
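To make concrete what "richness" looks like in practice, here is an added example (not from the article or the primer it links to): a constructed page fragment marked up with RDFa attributes using the open Dublin Core vocabulary, together with a deliberately small extractor showing the subject / predicate / object triples a consumer such as a search engine would pull out of it. The example.org URL and the author name are constructed, and the extractor handles only the attributes used in the sample; it is not a complete RDFa 1.1 processor.

```python
from html.parser import HTMLParser

# Constructed sample fragment: RDFa 1.1 attributes (prefix, about, typeof, property,
# content) with the Dublin Core terms vocabulary. Every element is explicitly closed.
SAMPLE_HTML = """
<div prefix="dc: http://purl.org/dc/terms/"
     about="http://example.org/posts/rdfa" typeof="dc:Text">
  <h1 property="dc:title">Something important is happening to markup</h1>
  <p>Written by <span property="dc:creator">Example Author</span>
     on <span property="dc:date" content="2011-07-22">22 July 2011</span>.</p>
  <p property="dc:description">A short primer on adding rich markup with RDFa.</p>
</div>
"""


class SimpleRdfaExtractor(HTMLParser):
    """Collect (subject, predicate, object) triples from RDFa attributes.

    Understands about/typeof on a container element, and property with a
    content attribute, an href, or plain text content. Prefixed names
    (CURIEs such as dc:title) are kept as written rather than expanded.
    """

    def __init__(self):
        super().__init__()
        self.triples = []
        self._subjects = []      # subject in scope for each open element
        self._pending = None     # (subject, property, depth) waiting for text
        self._text = []
        self._depth = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._depth += 1
        # 'about' sets a new subject; otherwise inherit the enclosing element's subject
        subject = attrs.get("about", self._subjects[-1] if self._subjects else None)
        if "typeof" in attrs:
            self.triples.append((subject, "rdf:type", attrs["typeof"]))
        self._subjects.append(subject)
        prop = attrs.get("property")
        if prop is None:
            return
        if "content" in attrs:                       # machine-readable value wins
            self.triples.append((subject, prop, attrs["content"]))
        elif "href" in attrs:                        # link target as the object
            self.triples.append((subject, prop, attrs["href"]))
        else:                                        # object is the element's text
            self._pending = (subject, prop, self._depth)
            self._text = []

    def handle_data(self, data):
        if self._pending is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if self._pending is not None and self._pending[2] == self._depth:
            subject, prop, _ = self._pending
            self.triples.append((subject, prop, "".join(self._text).strip()))
            self._pending = None
        self._depth -= 1
        if self._subjects:
            self._subjects.pop()


def extract_triples(html):
    """Return the triples a consumer would pull from the given HTML fragment."""
    parser = SimpleRdfaExtractor()
    parser.feed(html)
    parser.close()
    return parser.triples


if __name__ == "__main__":
    for triple in extract_triples(SAMPLE_HTML):
        print(triple)
```

The `content` attribute on the date is the part worth noticing: the human reads "22 July 2011" while the machine gets an unambiguous ISO date, and nothing about the markup depends on a vocabulary owner's terms of use.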

There are at least two alternatives to RDFa being promoted at the moment; however, both of the other markup extensions would result in your website content being subject to ‘Terms and Conditions’ defined by their proponents.

The web was never about corporate ownership of tags and markers.

As a company you need to have a strategy for rich markup that includes consideration of tag copyrights.

With RDFa, there is no corporate entity or terms and conditions involved, which keeps things easy for that future strategy.

Your existing site has probably been safely created without needing to decide on this; however, I suspect your next relaunch will have to decide one way or the other.