The game itself is very simple; you’re a blob of energy or somesuch, and you grow bigger by consuming blobs smaller than you. You can move around by expelling small pieces of your mass, this makes you smaller and more vulnerable to other blobs.

Sounds maybe too simple? Well! Not quite, the blobs have inertia, there is repulsing blobs and so on.

Also, the presentation is simply so wonderfully calm and beautiful. Set on an ambient music background, playing the game has some sort of tranquilling effect on me. It’s kind of like watching a lava lamp, and playing it too.

Check out the Osmos demo, and if you like it, buy it. It’s only $10. I bought it and I think it’s well worth the money.

The good news is that this is super simple to fix.

As for bad news… well, there is none, this time. With these instructions, and the ones from part I, I was able to do a complete tax e-deklaration in Skatteverket’s page, including signing the final submission.

The Problem

You can’t sign things (with the non-repudiation certificate), at least not with the version 4.10.2.16 of Nexus Personal.

The Reason

This is because Firefox lacks the plugin. The Nexus Personal installer copies it into a weird place.

The Solution

Fix the situation by copying the browser plugin to a proper place:

cp /usr/local/lib/personal/libplugins.so ~/.mozilla/plugins/

Then restart Firefox.

Write “about:plugins” to the address bar and ensure Nexus Personal is there. The plugin should claim to accept MIME types such as “application/x-personal-signer”, and all of those should be enabled (all rows have “Yes”).

Now you can fill your skattedeklaration online, AND sign it too. Enjoy!

You need the “pocket calculator” cardreader (I used Todos NCR1), a suitable USB cable and a card with an EMV chip. If you have Nordea-issued bankkort or VISA you’re OK.

Note: These instructions are Debian-specific but they should work with other distros too with appropriate, slight changes.

Update: Signing will most likely be broken for you, but you can fix the signing too.

Step 1. Get the driver + Nexus personal

Go to this Nordea page to download.

Interestingly, I could not find the page from within Nordea’s web page. Also, the information on that page was not in the same place as for the other OSs (Windows, MacOSX). No pain, no gain!

Step 2. Activate e-Legitimation on your card

Log in to Nordea’s web site. Then go to Vardagsärenden, e-legitimation, kort and choose activate. Sign with the Todos box as usual.

Click the link to go back to cards page. You should see your cards in Inaktiv status.

Click Aktivera. Tick the box for Uttag activation, and proceed.

Now you need to go to an ATM and make a money withdrawal. This will finally activate e-legitimation in your card by downloading some data from the bank.

Step 3. Install the software

Yeah, I wish it were all open source, in case of problems… but it’s not. Take a deep breath and prepare to install some Chinese driver binaries, plus a binary-only browser plugin, etc.

But first verify that you get printout like the following when you:

• attach the USB cable to your Todos box
• issue “dmesg” command


[4332544.912080] usb 2-3: new full speed USB device using ohci_hcd and address 4
[4332545.162128] usb 2-3: New USB device found, idVendor=0b0c, idProduct=002e
[4332545.162142] usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[4332545.162151] usb 2-3: Product: Nordea E-code
[4332545.162158] usb 2-3: Manufacturer: Todos Data System AB
[4332545.162369] usb 2-3: configuration #1 chosen from 1 choice


If that was OK, proceed. Otherwise make your USB work :)

Next, you need pcscd and libccid.

apt-get install pcscd and libccid

Unzip the Nexus and do as root:

./install.4.10.2.16.sh i

Unzip + install the driver:

unzip NCR1_Linux.zip

The zip contains a .deb so you’ll need to install it too:

dpkg --install NordeaDeb_1.0.0_i386.deb

Now the software part is done.

Step 4. Test drive

Restart Firefox.

Start Nexus application. Attach Todos reader NCR1 with USB cable. Insert your card. You should see something other than “Unknown” in it.

Nordea’s own test page is broken – they expect Microsoft Internet Explorer (maybe some ActiveX control too) for some totally screwball reason, I did not investigate this further. So it’s best to try e.g. Skatteverket’s page where you can check your Skattekonto.

Note: When prompted for a certificate, choose the certificate with “Basic PIN” in it. The other option did not work for me.

Enter your card PIN in the Todos box when prompted.

The web page should open properly, now you’ve got e-Legitimation!

The marketing slogan used for it is “Our most advanced technology in a magical and revolutionary device at an unbelieveable price”. Indeed, it is revolutionary in the business model it represents.

The hit products which Apple has made recently include the music player iPod, the smartphone iPhone, and now the table computer iPad. What do all these have in common? Snazzy UI, yes, but also the closed hardware and the tight lock-in with the Apple App Store (and iTunes for media content).

On a more abstract level, every single one of those devices give the vendor more or less exclusive control over what you can and cannot run or view in your device.

Is this the magical and revolutionary new way of the future? If so, count me out.

The asteroid in question is 99942 Apophis, which currently stands at 1:250000 odds of smashing into Earth on 2036. 99942 Apophis also has a close fly-by on Friday, April 13th, 2029.

I am delighted that such a high-level instance is speaking so strongly in favor of asteroid protection.

Indeed, Apophis could be a good candidate to practise deflection, since we already know it’s coming and know the orbit relatively well too. Plus, there is enough time to act.

Some previous posts about the asteroid threat and why it is important to do something about it are here and here.

For Finns 6th of December is a very important day. Flags fly, and there’s a traditional military parade in some city. People light (usually blue-white) candles to remember the independence and most importantly the people who died defending the independence.

Another big tradition is the President’s Independence Day reception at the Presidential Castle in Helsinki. They air that on television, and most of the nation (something like nearly half!) sits and watches who is invited, how the movers and shakers are dressed, and who, if any, will cause a scandal this time.

A nice thing is that the reception is streamed on the Internet too, and therefore can be seen from abroad too. So my plans for today are to make some nice food, tuna fillets with leek-onion white wine & parsley sauce and mushroom-leek risotto, open a white wine and watch the reception via Internet!

They gave me a freebie to go, a little bag of potato chips.

Normally, potato chips are made of 1. potatoes, 2. oil, 3. salt. That’s it. How boring.

Luckily this one was barbeque flavored one!

Here’s the list of stuff contained in the barbeque flavor – a handy list if you wish to barbeque-flavorize your morning yoghurt or your living room rug, although it might be wisest to not try to make it at home, unless you possess a meth lab in the basement:

• sugar
• whey powder (from milk)
• rusk (from wheat)
• flavour enhancer (monosodium glutamate, aka. MSG)
• flavourings (contains wheat, soya, lactose)
• colour (paprika extract, caramel)
• sweetener (aspartame)

How could they fit all that into that tiny 27,5 g bag? Well, it was tasty, though.

In the world of Chromium OS, applications will be web apps. Access to the applications will be through the web browser. The web apps live in the cloud, i.e. in a bunch of servers somewhere in the Internet.

In light of this, let’s talk about cloud computing. More specifically, let’s talk about the security and privacy trade-offs of non-cloud and cloud computing.

Do you trust the cloud?

In the non-cloud scenario, i.e. your Linux PC, your Windows desktop, your Apple laptop, whatever, your data is stored locally. You run applications locally. You do not need Internet access to do something. As the data is stored locally, access to your data can therefore be achieved by breaking into your computer.

In the cloud scenario, such as Google Chromium OS, your data lives inside the Google servers somewhere, inside the cloud. You need Internet access. You’re more protected in the device side: if someone breaks into your computer, you can restore a clean system easily and your data will persist elsewhere, unchanged.

It is exactly this “elsewhere” which is the problem.

In the cloud scenario, you have zero visibility about how your data gets used. This is because you have zero visibility and zero control about who gets access to the data – whether it is advertisers who examine your behavior patterns and personal data you store (with or without your consent), or whether it is more powerful entities such as governments (yours or another country’s).

Today you’ll be marked if you’re a lunatic and converse with other lunatics to, say, purchase hundreds of kilograms of fertilizer and diesel fuel with plans to kill a lot of people with bombs. What about tomorrow? Supporting a certain political party will get you into trouble? Investigating government corruption raises a flag? Speaking against an unfair, exploitative corporation will trigger an alarm? Will thinking differently simply make you vanish?

If you represent a company, and valued trade secrets go into the cloud in the form of documents, mails and spreadsheet data, how can you be sure that the information will not be leaked to your competitors? How can you ensure that your trade negotiation strategy is not made known to the other party? How can you ever again win business-wise in anything important, if the other party already knows everything?

It is easy to dismiss this line of thinking as some sort of a silly slippery slope argument, but I would not dismiss the argument so easily myself. Why? Well, once an entity is empowered with:

• knowing what you search (example: Google Search)
• knowing what you read and where you surf (Google Ads)
• knowing where you live (geolocating your IP address)
• knowing who your friends are (GMail, Google Wave, especially the invites when those services are launched)
• knowing your voice communications (GTalk)
• owning all of your data (Chromium, coming soon!)

that entity may or may not use these capabilities to your detriment, whether you’re a private individual or someone representing a corporation.

It all boils down to this question: do you trust the cloud – can the cloud do no evil?

Can the cloud do no evil?

So, going back to the original question: is the security of the non-cloud scenario worse than the cloud scenario? It depends. If one disregards data security and privacy issues for a while, then the security model presented by Google Chromium OS is, in fact, better. Life will be harder for viruses, trojans, and so on, on the client side. All in all, keeping secure on the client side will be less hassle for the normal user.

It will take less effort for someone (criminal or curious) to compromise your laptop and your data than to compromise the cloud/Google servers. However, the cost of compromising your data will drop dramatically for someone who is a friend of Google or who can somehow leverage Google – mostly this means other big businesses or, rather, various governments.

Given that the data confidentiality and privacy is the real issue, what about encryption of user data? This can only work if no plain-text data goes to the cloud as an input for some computation (such as data entry to a spreadsheet cell). If plain-text data does go to the cloud, then encryption will be irrelevant – the data is already in clear inside the cloud.

(There are methods to do computation on encrypted data, for example fully homomorphic encryption. With such technology, one could build a web app where the cloud/server-side learns nothing of the data itself, but the cloud could still provide, for example, a spreadsheet program.)

All in all, it’s a trade-off. It depends on what you as the user value most and where your priorities lie. For the record, I’m not trying to argue that Google is bad, or that Google Chromium OS is an overall bad development. I’m saying that all trade-offs (security or otherwise) must be weighed in whole, together with their impacts, and the likelihoods of different impacts, to reach a good conclusion in order to make an informed judgment.

For this reason, I want to see more discussion about the overall security issues, especially the question about what exactly is the level of confidentiality and privacy of user’s data in the cloud computing paradigm. I’d like to see Google raise these issues too.

Simonides of Ceos wrote about it with these words:

Go tell the Spartans, you who read:
we took their orders, and lie here dead.

Here’s the 10/GUI video by C. Miller.

Why do I like it?

Basically, I agree with Mr. Miller’s points and motivations. I don’t like the mouse either so much, anymore. Mouse is fine and good just like a steam engine train is fine and good: it works, but technology has progressed far enough to provide better alternatives.

In 10/GUI, the Xeroxian UI paradigm of overlapping rectangular windows is radically transformed into application windows residing in a non-overlapping smooth continuum.

The clutter of a desktop is dramatically reduced. Reduced clutter means more efficiency, more time in the zone, and more stuff done.

To paraphrase Mr. Weiser when he talked about ubiquitous computing: technology will fade into the background, will not jump at your face, will not demand constant attention, but just lets you do your stuff. And meanwhile, everything is calm – and you’re staying in the zone.

Now, if only the 10/GUI could somehow combine the keyboard with the touch-part, or have an onscreen predictive keyboard and no physical keyboard at all…