<h2>Ian!</h2>
<p><i>nerd things, unsolicited opinions, and the occasional outburst of bitterness</i></p>
<h3>Cowgirls, Aliens</h3>
<p><i>Ian, 2013-11-04</i></p>
A fact that you probably already guessed: I start a lot more blog posts than I finish. In recent years, this has happened to a degree that is no less than tragic. Back when <i>Cowboys & Aliens</i> was still a newly released movie, I wrote 90% of a scathing critique of its shortcomings; a spiritual successor to <a href="http://blog.iangreenleaf.com/2010/01/avatar-and-fetishizing-other.html">my piece on <i>Avatar</i></a>. Then I stalled out on finding a good way to wrap it all up, life got in the way, and I never finished. The piece was consigned to a virtual basement crawl space with only virtual dust bunnies for company.<br />
<br />
Fast forward to several months ago, when I connected with an awesome new website called <a href="http://www.dilettantearmy.com/">Dilettante Army</a> (go read <a href="http://www.dilettantearmy.com/about">their explanation of the name</a>, it's great). Not only did they <i>like</i> my piece, they even <i>paid</i> me for it! Never before have I been compensated for the effort I put into expressing opinions on the Internet.<br />
<br />
You should check out their whole site. But most of all, you should check out <a href="http://www.dilettantearmy.com/rants/243">my article on <i>Cowboys & Aliens</i></a>.<br />
<blockquote>
It was the summer blockbuster boasting such a talented roster that we
dared to hope it would transcend the cheesy premise. It didn’t. Still,
if you only viewed it as a shallow and forgettable action flick, you
missed out. It’s also a treasure trove of scriptwriting ignominy; a
guided historical tour through Hollywood’s various failures of
imagination.</blockquote>
<cite class="quote-attrib"><a href="http://www.dilettantearmy.com/rants/243">Cowboys and Aliens 'takes the high ground' (Dilettante Army)</a></cite>
<br /><p>Fun bonus fact: While gathering images for the article, I realized I could very easily compile an entire photo album on the theme "Ella gazing at Jake". Run with that as you will.</p>
<h3>Hobson's World</h3>
<p><i>Ian, 2011-01-30</i></p>
Public unrest over the TSA has finally boiled over. As someone who hated the TSA long before it was fashionable, it's been nice to see the general public finally voicing some outrage. Absurd that it took naked scanners and crotch-grabbing to stir us into action, but still nice. Please, continue to be angry with the TSA, and maybe someday we'll bring that whole farcical organization down upon itself. But that's not really my job here. My job is to explain to you that there are a lot of other things to be angry about, too.<br /><br />Hobson, the story goes, operated a large stable with horses available for let. One could pay to use a horse from his stable, but you were not free to select any horse you liked. You could have the horse currently up for rotation, or you could shove off. This probably worked quite well for Hobson, ensuring that his most popular horses did not become overworked. At any rate, he managed some small measure of immortality; a <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Hobson%27s_choice">"Hobson's Choice"</a> is any choice where the only options are accepting all the terms, or none at all. There's nothing inherently bad about these types of choices. But what if Hobson's stable was the only one in town? And if horses were so heavily used that access to one was no longer a luxury? 
And what if his rotation wasn't a fair <a href="https://secure.wikimedia.org/wikipedia/en/wiki/FIFO">FIFO</a> system, but something more sinister, like giving the worst horses to those least able to complain?<br /><br />Hobson, the medieval stable master, would have found himself right at home on the internet. Whether you realize it or not, every trip through cyberspace is riddled with Hobson's choices. It starts at the plug in the wall; if you want anything coming down your wires you must agree to the conditions put forward by one of a handful or fewer ISPs available to you. Then almost every website you visit has a Terms of Service (I've <a href="http://blog.iangreenleaf.com/2009/03/enacting-my-own-terms-of-service.html">touched on these before</a>). And for every service you use, even the most basic like email, you've checked off your assent to a massive User Agreement. There's almost nowhere to hang your hat that isn't fenced in with thousands of words of legalese defining exactly what you are allowed to do. You don't often think about the presence of all this contractual weight, but it's there, every time you bring up a browser.<br /><br />What's really appalling about all these terms is how much they take away and how little they offer. Most ISPs, if they so chose, could give you no connection at all, for as long as they pleased, and continue to bill you for it. The provider's side of these agreements is legal ass-covering, allowing them to give as little service as they please and still be within the terms of the contract, protected from litigation.<br /><br />Here's Comcast stipulating that they can install software on any device you connect to their service (i.e. your computer), and that they are not responsible for any damage they cause by doing this (emphasis mine):<br /><blockquote><em>Customer Equipment consists of software or services that you elect to use in connection with the Services</em> or Comcast Equipment (the “Customer Equipment”). 
You agree to allow us and our agents the rights to insert cable cards and other hardware in the Customer Equipment, <em>send software and/or “downloads” to the Customer Equipment</em> and install, configure, maintain, inspect and upgrade the Customer Equipment and Comcast Equipment.</blockquote><cite class="quote-attrib"><a href="http://www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html">Comcast User Agreement, Section 5.b</a></cite><br /><blockquote>Comcast has no responsibility for the operation or support, maintenance, or repair of any Customer Equipment including, but not limited to, Customer Equipment to which Comcast or a third party has sent software or “downloads.”</blockquote><cite class="quote-attrib"><a href="http://www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html">Comcast User Agreement, Section 6.b.1</a></cite><br /><br />In case that's not enough, here's Comcast indemnifying themselves against anything short of gross negligence, and claiming that even in that case you cannot be entitled to more than $500 (emphasis mine):<br /><blockquote>CUSTOMER EQUIPMENT MAY BE DAMAGED OR SUFFER SERVICE OUTAGES AS A RESULT OF THE INSTALLATION, SELF-INSTALLATION, USE, INSPECTION, MAINTENANCE, UPDATING, REPAIR, AND REMOVAL OF COMCAST EQUIPMENT, CUSTOMER EQUIPMENT AND/OR THE SERVICES. <em>EXCEPT FOR GROSS NEGLIGENCE OR WILLFUL MISCONDUCT</em>, NEITHER COMCAST NOR ANY OF ITS AFFILIATES, SUPPLIERS, EMPLOYEES, AGENTS, OR CONTRACTORS <em>SHALL HAVE ANY LIABILITY WHATSOEVER FOR ANY DAMAGE, LOSS, OR DESTRUCTION TO THE CUSTOMER EQUIPMENT</em>. IN THE EVENT OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT BY COMCAST, SUPPLIERS, EMPLOYEES, AGENTS, OR CONTRACTORS, WE SHALL PAY AT OUR SOLE DISCRETION FOR THE REPAIR OR REPLACEMENT OF THE DAMAGED CUSTOMER EQUIPMENT UP TO A MAXIMUM OF $500. 
<em>THIS SHALL BE YOUR SOLE AND EXCLUSIVE REMEDY RELATING TO SUCH ACTIVITY</em>.</blockquote><cite class="quote-attrib"><a href="http://www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html">Comcast User Agreement, Section 10</a></cite><br /><br />Meanwhile, your side of the terms may contain any number of constrictions on what you are allowed to do. Many create licensing terms that cede everything you create to the control of the company, to use however they please. Here's Facebook:<br /><blockquote>For content that is covered by intellectual property rights, like photos and videos ("IP content")... you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License").</blockquote><cite class="quote-attrib"><a href="https://www.facebook.com/terms.php?ref=pf">Facebook ToS, Section 1</a></cite><br /><br />Notice that they may license <em>your</em> content out to others if they wish. To Facebook's credit, they no longer claim the license to be "perpetual" and "irrevocable". They briefly added those terms in 2009, and backed off after facing <a href="http://www.pcworld.com/article/159703/facebook_privacy_change_sparks_federal_complaint.html">considerable backlash</a>.<br /><br />Many of these documents state that the terms may change at any time, with no warning, and that your continued use of the service will be bound by these new terms. Here's Comcast again (emphasis mine):<br /><blockquote>Subject to applicable law, we have the right to change our Services, Comcast Equipment and rates or charges, <em>at any time with or without notice</em>. We also may rearrange, delete, add to, or otherwise change programming or features or offerings contained in the Services, including, but not limited to, content, functionality, hours of availability, customer equipment requirements, speed, and upstream and downstream rate limitations. 
If we do give you notice, it may be provided on your monthly bill, as a bill insert, e-mail, in a newspaper or other communication permitted under applicable law. If you find a change in the Service(s) unacceptable, you have the right to cancel your Service(s). However, <em>if you continue to receive Service(s) after the change, this will constitute your acceptance of the change</em>.</blockquote><cite class="quote-attrib"><a href="http://www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html">Comcast User Agreement, Section 4</a></cite><br /><br />Then, of course, there are the terms that are simply absurd. When Grinnell College rolled out their new alumni network, <a href="http://www.cs.grinnell.edu/~stone/">John Stone</a> noticed that <cite><a href="http://loggia.grinnell.edu/Page.aspx?pid=518">The Loggia Terms and Conditions</a></cite> disallowed, among other things:<br /><blockquote>Reproducing and storing data in a retrieval system (electronic or mechanical)</blockquote><br />From a technical standpoint, one cannot view a webpage without storing and reproducing data locally, making it impossible to actually use the service and still be in compliance with this rule.<br /><br />To do even the most mundane tasks online, you are forced to relinquish a great number of rights, but in return you receive <em>absolutely nothing</em> except the <em>optimistic hope</em> that the company will provide something to you. You are signing a contract for empty air, and if you're lucky the company will choose to bestow upon you some favors. Whether these are legally viable is a bit of an open question. Most notably, these agreements could be considered <a href="https://secure.wikimedia.org/wikipedia/en/wiki/Contracts_of_adhesion#Contracts_of_adhesion">contracts of adhesion</a> and may be unenforceable due to the doctrine of unconscionability. 
Vagaries of the law aside, it should be apparent that this type of agreement, wielded without oversight, is morally wrong.<br /><br />At first blush, the TSA situation seems far removed from that inflicted on us by private companies. After all, the government is the one entity that <i>can</i> compel us to obey certain rules, whether we choose them or not. You don't get to opt out of the legal system, even if you want none of the benefits.<br /><br />But let's examine the TSA's role. Flying is, in the end, a purely voluntary activity. You cannot be compelled to endure an unconstitutional body scan or enhanced patdown if you simply choose not to travel by airplane. Another Hobson's choice. Like many of the others, this choice is a coercive force for many of us. Some people depend on air travel to perform their jobs. Others have no other way to see relatives or friends in faraway places. While it's admittedly a middle-class pursuit, air travel is nearly a necessity for many of us who can afford it.<br /><br />Much of TSA's power, as it turns out, stems from this choice. There has been some bluster during the recent opt-outs about levying a civil fine for leaving the airport after the screening process has begun, but it's unlikely those threats will ever be made good on. And that's a civil fine, the only kind TSA has the authority to level. <a href="http://noblasters.com/post/1650102322/my-tsa-encounter">This fascinating account</a> is written by a man who refused to submit to the new policies as a condition of being allowed through customs. The best part is when actual police officers get involved, officers who have been trained on constitutional rights.<br /><blockquote>I clarify, “Well, like I said, I’ll do whatever you say is mandatory. If you tell me that you have to touch my balls—“<br /><br />“—I said no such thing. You’re putting words in my mouth.”<br /><br />“OK. I apologize. 
If you say that a pat-down is mandatory, and that as a condition of that pat-down, I may have my genitals brushed against by your hand, even though you don’t want to, I will do that. But only if you say it is mandatory.”<br /><br />“I’m not going to say that.”</blockquote><br /><br />The TSA has no real authority. Their power stems only from the fact that they control access to a service that is nearly ubiquitous and seriously disadvantages those who refuse the terms. So they can present a Hobson's choice, safe in the knowledge that almost everyone will submit. Sound familiar? TSA is nothing more than another abusive monopoly.<br /><br />Let's take one final step back. I said earlier that a government is the one entity that can compel you to obey certain rules without any agreement on your part. Enter Hobbes (a very different and much more famous man than our titular Hobson). His most enduring idea is that government is a social contract:<br /><blockquote>I authorise and give up my right of governing myself to this man, or to this assembly of men, on this condition; that thou give up, thy right to him, and authorise all his actions in like manner.</blockquote><cite class="quote-attrib"><a href="http://ebooks.adelaide.edu.au/h/hobbes/thomas/h68l/chapter17.htmll">Thomas Hobbes, Leviathan</a></cite><br />We give up some of our rights, like the right to beat other people over the head with big sticks, for the goal of living peacefully and prosperously, safe from the constant danger of being beaten over the head with a big stick. Being governed is a voluntary act (let's ignore Hobbes' autocratic leanings for the sake of simplicity), undertaken because it's to our long-term benefit.<br /><br />Of course, few of us actively take part in any kind of contractual ceremony agreeing to these terms. We fall under the government's jurisdiction by the circumstance of being born where we were born, living where we live. 
In fact, land ownership is the source of a government's authority. You may decide to "opt out" of the laws of a country, but you should not remain on that country's land and expect to escape punishment. Conversely, if you leave a country's land, you are no longer subject to their laws. Extradition feels like an exception to this rule, but it's merely an agreement between countries. Extradition does not work when the host country refuses to play along.<br /><br />So! The government controls access to a desirable resource (land). This allows them to require adherence to a stringent set of rules from anyone wishing to gain access. Even if the rules seem unfair, a choice between that or nothing at all leads almost everyone to obey. Hopefully by this point you're drawing your own parallels. That's right, I see governments as nothing more or less than the biggest corporation around, one whose services we all consume. We pay a subscription fee. We reap tangible benefits. All the elements of a contractual agreement are there.<br /><br />And yet, there's one thing the government offers us that no consumer relationships do: the ability to negotiate. The system is horribly inefficient, riddled with bureaucracy, and easily derailed. But in the end, we the people <em>do</em> get a say in the rules that are applied to us. More importantly, we see the idea of a government that answers to the people as obvious and absolutely necessary. So why don't we apply this same expectation to corporations? Why do we insist that corporations are accountable only to their shareholders, instead of to the collective public whose lives they so deeply affect?<br /><br />Looking to the future, I don't think the government will be the one to relieve us of our freedoms. Sure, there will be battles. But the Bill of Rights has survived two centuries more or less intact, and I expect it will keep on truckin'. We won't lose our rights at gunpoint. 
We'll lose them in bits and pieces, so slowly as to be nearly imperceptible. We'll sign them away one after another in the name of new services or free beer or just following the crowd. Technically, they won't be gone, but a right that we are not free to exercise in the most frequented arenas of public discourse isn't much of a right at all.<br /><br /><h4>Epilogue</h4><br />My slow blogging habits caught up to me once again. I hadn't even started putting this post into words before the furor over the TSA scanners had been totally eclipsed by the Wikileaks controversy. It's a complex affair, and I could write an incredible volume on the details of the various events surrounding Cablegate, but I think I'll leave that to others, and draw two small connections instead.<br /><br />The intentions of the government towards Wikileaks, as far as we can divine them, are rather serious, and in some ways conflict with what I just said. The organization, of which our government was at least tolerant — perhaps even fond — when it was dishing out leaks from third worlds and no particular friends of ours, has become a thorn in the side of some very powerful interests. The Obama administration seems intent on finding a way to declare Wikileaks' actions illegal, though there seems to be no law that fits. There's no attack on Wikileaks as a whole that isn't a dangerous attack on free speech, and it's being perpetrated by our own government. If this comes to pass, it will be one of the battles I predicted, perhaps a very important one.<br /><br />In other ways, however, the assault on Wikileaks has made plain for the first time how much power corporations wield over our speech. The threatened legal action has not materialized, and may never come to pass if those in power can't find a good story to tell about why silencing Wikileaks is no cause for concern. In the meantime, however, direct and damaging action has been flowing in from the private sector. 
In the space of a few days, Wikileaks experienced cutoffs by hosting services, domain name services, and at least four financial services. All of these cited vague "terms of service violations", but there's little reason to doubt that these shutdowns were incited and choreographed by political interests. As <a href="http://www.guardian.co.uk/commentisfree/2010/dec/17/anonymous-wikileaks-protest-amazon-mastercard">Richard Stallman</a> opines, "It is as if we all lived in rented rooms and landlords could evict anyone at a moment's notice."<br /><br />It remains to be seen whether the government's feud will be derailed by legal protections we have put in place, but there's reason to be optimistic. In the private sector, though, it's been made clear just how great of a blow can be dealt to our freedoms when they become inconvenient to the powerful. We shouldn't need a "use case" for retaining our basic freedoms. For me, idealist notions about the value of freedom for freedom's sake are enough to compel resistance to these Hobson's choices. But if you're of a more pragmatic mindset, I can't think of a better spectre than government and corporations cooperating to stifle political dissent.
<h3>Movies I Hate: Legally Blonde & Pearl Harbor</h3>
<p><i>Ian, 2010-09-11</i></p>
<span style="font-style: italic; font-size: 85%;">I've been badly missing my pathetically modest posting target of once a month, so it's time yet again to break out the filler.</span><br /><br /><span style="font-style: italic;">I have only one "Top Ten List" on Netflix, and it is titled <span style="font-weight: bold;">Movies I Hate</span>. The description reads, "Not just movies I strongly dislike. Movies I wouldn't piss on to put out a fire." Here are two more from that list. 
Enjoy.</span><br /><br /><div class="hreview"><div class="item"><h4 class="fn">Legally Blonde</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">96 minutes of my life. 96 minutes which I will never get back. 96 minutes gone forever. That's a debt I won't quickly forget, Robert Luketic. I honestly don't remember most of what happens because I think I slipped into a coma about twenty-five minutes in. Somehow we're supposed to empathize with the protagonist, a total ditz, because she's actually smart and thoughtful on the inside. Ha. Hahahaha. Yeah, good one. Some stuff happens, nobody cares, maybe some more stuff happens, I really don't know. All I know is that I suffered from recurring nosebleeds for two weeks afterward, and I am holding each and every member of the cast and crew personally responsible.</div></div><br /><br /><div class="hreview"><div class="item"><h4 class="fn">Pearl Harbor</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">Yeah. One of the most dramatic events of the past century, and we spend an hour watching a pilot hit on his dead buddy's girlfriend. This movie has everything: distortion of historical fact, subtly racist structure, mind-numbing romantic subplot, one-dimensional characters... what's not to like? It's like Top Gun without as much entertaining homoeroticism. It's like Titanic without a guy falling onto a giant propeller. It's like flicking the back of your leg in the same spot for two hours straight. 
Not incredibly painful, but don't you have something better to do with your time?</div></div>
<h3>Money management for laid-back young professionals</h3>
<p><i>Ian, 2010-06-02</i></p>
<i>Disclaimer: I am not an accountant. This information is correct to the best of my knowledge, but I make no promises.<br /><br />Disclosure: I could in theory make money by recommending ING to someone reading this post, which would make me an affiliate.</i><br /><br /><h4>So you're doing alright</h4><br />You've finished (or at least started) college. You're financially secure, except for the occasional Friday where you spend $80 on sushi or forties or candy cigars. You're reasonably careful with your money, and you've got a nice chunk of money sitting in your account.<br /><br />Now, you know that <em>real</em> adults have all sorts of complicated financial problems that drive them to bifocals and reading the Wall Street Journal, but you can't be bothered with that! You are busy riding your hipster bike and learning how to cook a pot roast and wondering why your metabolism has slowed down so much since you turned 23.<br /><br />Well don't worry. You <em>should</em> be managing your money better, but it turns out finance doesn't need to be very complicated. I will explain the things you need to know in 15 minutes, and then you can spend a couple hours setting up accounts. After that, you will be given money every month <em>for doing nothing!</em> Trust me, earned interest is like magic. Not only is it easy money, it's a great psychological payout.<br /><br />I'll start with the most important things and move to the optional stuff. 
If you're easily intimidated, try the first couple steps and find out how satisfying good money management is, then come back for more.<br /><br /><h4>Three golden rules</h4><br /><ol><li>Don't store large sums of money in your Wells Fargo savings account.</li><li style="font-style: italic;">Don't store large sums of money in your Wells Fargo savings account.</li><li>If your money is doing nothing else, it should be earning you interest.</li></ol><br /><h4>If you're still in college</h4><br />There is one important thing for you to do right now. Go get a credit card. No, you don't need to use it for much (see below), but you should get one. Many banks have a "student card" that you can get with proof of enrollment. Here's why this is important: the second you graduate, getting a credit card becomes much, much harder. You're stuck in a Catch-22 where no one wants to give you a card until you have a credit history, but you can't establish a history because you don't have a card. So get a card now. Not tomorrow after you play some more Modern Warfare. Do it now.<br /><br /><h4>Credit cards</h4><br />You should have a credit card. You shouldn't actually <span style="font-style: italic;">use</span> it for credit, but you should make one purchase a month and pay off your bill immediately. Treat it exactly like a debit card, with one extra step involved. It's a nuisance, but it's the easiest way for you to establish a credit history, and like it or not, you will want a good credit history at some point in your life, like when you go looking for a car or home loan. So play the game, find yourself a credit card.<br /><br />The credit card business is filled with nasty tricks, but if you do like I said and never ever <em>ever</em> buy more than you can pay for at the end of the month, none of them apply to you. 
Interest rates are dangerous and complex, but if you don't carry a balance they can't charge you interest.<br /><br />Rewards programs are a nice perk, but as a laid-back young professional your spending is pretty low, so your returns will be too. Just find a card with no annual fee and you'll be fine.<br /><br /><h4>Savings</h4><br />Rule number one, kids: don't store large sums of money in your Wells Fargo savings account. Don't store it in your Bank of America account or any other "traditional" bank either. Why? Because they're greedy bastards out for profit at any cost, but here's the kicker: they're so outdated and inefficient that they aren't even good at making a profit, so their strategy is simply to screw you. Really hard. Even when times are good, they only give you some fraction of a percent in interest. This is pathetic, and you can do so much better with so little extra effort.<br /><br />Go ahead and keep a traditional bank account if you want the ATM access, the convenience of a brick and mortar location, and so on. But if you have a sum of money that you expect to hold onto for more than about three months, you should be putting it somewhere else.<br /><br /><h5>Credit Unions</h5><br />Credit unions are like banks, but they are member-owned nonprofits. What this means in practice is that they are generally less shitty than the typical for-profit bank. Interest rates are a bit better, they don't deluge you with junk mail selling life insurance and shit, and they're less likely to try shady tactics to fleece you.<br /><br />Credit unions have some of the same disadvantages as traditional banks. Their rates, while better, are still not amazing. And they tend to be plagued by some of the relics of traditional banking, like crappy websites. Credit unions can have fewer real-world locations than commercial banks, but if you pick one in your area you may find it just as convenient.<br /><br />I still do most of my day-to-day banking through a credit union. 
I mail in checks as I get them and get money out through my debit card, ATMs (if you live near a co-op, they may have a fee-less ATM for credit union accounts), and the odd personal check.<br /><br />Credit unions tend to have some sort of membership rules, but they're not too hard to get into. Look for credit unions serving your area; many accept members from a certain geographical region. Or ask your family members; some credit unions will grant membership to family of current members.<br /><br /><h5>Online savings accounts</h5><br />Online savings accounts are the triumph of efficiency in this brave new world of ours. They tend to utterly destroy traditional banks when it comes to interest rates, without any real catch.<br /><br />Obviously, online banks come with the disadvantage of not having real-world locations. There are two ways to handle this. The first is to simply adjust your habits, and you may find that you never really needed a physical bank. You can mail in your checks, get your paycheck by direct deposit, and use ATMs and debit cards to pay for everything. The second option is to use an online savings account in conjunction with a traditional bank or credit union. Do your transactions in the traditional account, and then when you have accumulated a chunk of money that you don't plan to touch for a while, simply transfer it electronically to your online savings.<br /><br />I use <a href="http://home.ingdirect.com/">ING Direct</a>, and I like their rates a lot. They offer some nice convenience features as well; for example, you can fill out an online form to have them mail a paper check to someone. Unfortunately, their website is possibly the worst banking site I have ever used, both in terms of usability and security, which is saying quite a lot given the field of contenders.<br /><br />If you do want to sign up with ING, get in touch with me and I'll send you a referral code to use, and then we both get free money. 
Hooray!<br /><br /><a href="http://www.ally.com/">Ally Bank</a> is a newcomer, but looks promising. Their rates are about as good as ING, and they have a refreshing no-bullshit slant to their marketing and policies. I haven't tried them myself, but they are worth a look.<br /><br /><h5>CDs</h5><br />CDs are Certificates of Deposit (I don't know why they are called that). They're also sometimes called Term Certificates. The idea is this: you put money into a CD and lock it up for a specified amount of time (anywhere from six months to ten years). The interest you will make over that period of time is set when you open the CD and does not change. The tradeoff is that this money is inaccessible until the time the CD matures, so you should use CDs for savings you don't expect to need until well after the amount of time you choose. However, if some terrible emergency happens, you can withdraw early, usually at the penalty of three months' worth of interest - not all that harsh.<br /><br />Think of CDs as risk-free, lazy investing. You know exactly what return you'll get on your money, and the only work you do is picking a length of time.<br /><br />Pro tip: if you're thinking of buying into a longer-term CD (a couple years or more), realize that you are also buying into that particular interest rate. This can hurt you; if you buy a five-year CD at 1.5% and the market rises, they may be offering 3% the very next year, so you would actually have been better off buying a one-year and renewing. Of course, this can work in your favor, too. I beat just about every investor ever by continuing to make 4.15% on some of my savings for about a year <em>after</em> the housing bubble crashed (savings, mind you, that had not lost a third of their value like they would have if they had been invested anywhere in the stock market).<br /><br /><h4>IRAs</h4><br />IRAs are special accounts that help you save for retirement. 
You put in a limited amount of money each year to save for retirement, and the government gives you a tax break - it's like an internal revenue high-five.<br /><br />First things first: your employer may offer some sort of retirement plan as part of the benefits package. It may be an IRA, a 401k (which is like an IRA but lamer), or a SIMPLE IRA (which is more like a 401k than an IRA and <em>why</em> did they name it that way). See if this includes "contribution matching." This is where you agree to put something like 3% of your salary into a retirement account and your employer will put that same amount into your account. If they offer something like this, <em>take it</em>. This is free money - you are doubling your investment simply by making it.<br /><br />If your employer doesn't offer this or you would like to contribute more money, consider opening an IRA on your own. There are two kinds of IRAs: Traditional IRAs and Roth IRAs. With a Traditional IRA, money goes in tax-free, but when you get it out, you pay taxes. With a Roth IRA, you pay taxes when you put the money in, but when you get it out, no taxes.<br /><br />Either type is a fine choice, but a Roth IRA is particularly well-suited to a laid-back young professional like yourself. Roth IRAs have rules about the maximum amount of income you can make and still contribute, but unless you've already struck it rich with some startup, you're good there. And it's a long time before retirement, which means you put a little money in now, and by the time you're getting wheezy it will have grown into a lot of money (thanks to the magic of compound interest), which you then get to withdraw tax-free. Excellent.<br /><br />Another Roth bonus: you can't withdraw your earnings (i.e. interest) until you've retired, but you can withdraw your original contributions if something comes up. And you can even withdraw up to $10,000 of earnings if you're buying your first house. 
Uncle Sam has got your back, even if he's not going to help you pick out curtains.<br /><br />Here's another thing to know: an IRA is just a container of sorts. Once your money is in an IRA, you still have control over what it's doing. You can put it in cash reserves or bonds (much like a savings account), take out a CD, or invest it (more on this later). The IRA just provides the special tax rules, the rest is still up to you.<br /><br />Now: <em>must</em> you open an IRA and max out your contribution limit right away? Some people will tell you absolutely yes. They may even be unduly aggressive about it. My opinion? Probably, but it's up to you. Saving now will make your life easier in the future. Failing to start saving this very instant will not end with you as a rheumatic beggar wandering the streets of Tampa. It will just mean that later in life, you will have to take retirement saving very seriously; you will probably worry a bit more about your finances. But if you prefer the extra spending money now while you're young and carefree, and are prepared to accept the consequences down the road, it's your prerogative. As long as it's an informed decision, I won't knock it.<br /><br /><h4>HSAs</h4><br />An HSA is a savings account for health insurance. You pair it with a "High Deductible Health Plan," which is insurance that only kicks in after something like $2,500 out-of-pocket; before that you'll be paying for everything except preventative care. These plans are substantially cheaper than typical health insurance, which means you have money left over to put into an HSA. Money goes into and out of an HSA tax-free, as long as you spend it on medical expenses. This can mean a visit to the doctor, but you can also use the funds for things like eyeglasses, crutches, or some NyQuil from the local drugstore. 
Once in an HSA, your money stays there until you spend it, and if you still have it at retirement, your HSA becomes basically another IRA that you can withdraw from for any reason.<br /><br />HSAs are a good deal if you stay reasonably healthy - money that would otherwise have gone to the insurance company goes into your own savings. On the other hand, if you get sick and incur a lot of medical expenses one year, you'll probably come out behind. It's a wager of sorts, and you know your own health the best, so it's up to you.<br /><br /><h4>Investing</h4><br />I am going to keep this section <strong>short</strong> because there is good news - all those people who obsess over stock picks of the day and use all sorts of acronyms and watch CNBC all day? You can ignore all of them. Picking your own stocks is almost always a losing proposition - you're going up against entities with insane amounts of resources at their disposal. And even if you pay some "financial expert" to manage your portfolio, statistically they're probably going to perform no better than the market as a whole. Experts are not actually as expert as you (or they) think they are.<br /><br />So what's a laid-back young professional to do? <span style="font-weight: bold;">Buy index funds</span>. An index fund tracks the performance of the whole market - the market goes up, you win; the market goes down, you lose. Since markets tend to grow over long periods of time, you'll probably win. Or else you'll be stuck in a post-apocalyptic outback wasteland, and you should probably focus more on securing some petrol and escaping from Lord Humungus and less on the ticker price of your stocks and bonds.<br /><br />Much has been written elsewhere about index funds, so do a bit of Googling if you need convincing. I have an account with <a href="https://personal.vanguard.com">Vanguard</a> and have been happy with it - they built their business on index funds, so they're a good bet.<br /><br /><h4>So... many... 
accounts...</h4><br />If you follow all this advice, you may end up with your money in a lot of different places. As of writing this, I have two savings accounts, two checking accounts, three CDs, two IRAs, and an HSA. That's a lot of accounts to keep track of, and you'll need to come up with some sort of system to make sure you don't get overwhelmed.<br /><br />A quick plug: I use <a href="http://www.mint.com">Mint.com</a>, and I don't know what I would do without them. I can see all my accounts in one place, with a UI that doesn't suck, and a website that doesn't hassle me with <a href="http://blog.iangreenleaf.com/2009/07/worse-than-nothing.html">stupid useless shit</a>. They sort your transactions for you, and have shiny graphs and budgeting tools and the like. Using it is a pleasant experience, which is practically heresy in the world of finance.<br /><br />Yes, giving your account information to Mint is a potential security risk, but they have one of the best-written <a href="http://www.mint.com/privacy/">security sections</a> I've seen on a website. If you're concerned, I highly recommend reading it and deciding for yourself.<br /><br /><i>And no, they didn't pay me to advertise. I just really like Mint.</i><br /><br /><h4>Go do it</h4><br />You made it this far, so you're clearly motivated enough to put at least some of this into action. Start at the top of this article and work down. If you do nothing else, <em>please</em> don't store large sums of money in your Wells Fargo savings account. Or worse yet, in your Wells Fargo <em>checking</em> account. I'm shuddering just thinking about it.<br /><br /><h3>Dumbjacking</h3>Posted by Ian on 2010-05-09<br /><br />One of my Facebook buddies got hit with an attack today that spammed his entire friends list with a link to a "fan page". 
The page promises "LOOK AT HIS COMMENT.. IM STILL IN SHOCK!!" and gives you a button to "see the worst status update ever". When you click it, you are given a series of commands: hit Ctrl-C, then hit Alt-D, then hit Enter.<br /><br />Unbeknownst to the user, there is a hidden textfield on this page containing Javascript code. Upon clicking the button these contents are automatically selected. The instructions, when followed, result in the user copying the code and pasting it into their address bar, where it runs like a <a href="http://en.wikipedia.org/wiki/Bookmarklet">bookmarklet</a>. You can see a deconstruction of the code in question in <a href="http://inportb.com/2010/05/09/on-facebook-the-spam-never-ends/">this blog post</a>. The Javascript is obfuscated, but there's no technical need for that - probably just a scammer trying to protect his secret.<br /><br />Having the user copy and paste the Javascript into their address bar breaks out of the sandbox for third-party content, allowing full control over the user's account. The code uses this power to silently mark the user as "liking" the offending page, and sends a message to all their friends "suggesting" the page.<br /><br />The Facebook page in question has been taken down, but at the end of the process the user is linked to this URL to see the promised status update (I don't recommend visiting it):<br /><pre>http://facebook-lmao.blogspot.com/2010/05/shocking-status-update-guy-needs.html</pre><br />There is some invasive Javascript going on that tries to con you into taking a survey. Presumably this is the motivation behind this attack - get people to this site and then relieve them of their money through a venerable internet scam of one type or another. 
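The lure described above has a recognizable shape: a form field kept out of sight that holds a <code>javascript:</code> URI, a click handler that selects its contents for the victim, and page text walking them through copy, address bar, Enter. The scanner below is an added example for this post, not code from the original and not anything Facebook ran: it parses a page with Python's standard-library HTML parser and reports those three signals. The two sample pages are constructed here (the "payload" in the lure sample is an inert <code>javascript:void(0)</code> placeholder), and the signal names and the <code>scan()</code> function are my own.

```python
"""Heuristic triage for "dumbjacking" (self-XSS) lure pages.

Added example for this post; not code from the original and not anything the
site in question runs. Signal names and scan() are my own.
"""
import re
from html.parser import HTMLParser

# The payload waiting to be copied: a javascript: URI sitting in a form field.
JS_URI = re.compile(r"^\s*javascript:", re.IGNORECASE)
# The keystroke recipe: copy, focus the address bar (Alt-D or Ctrl-L), run.
KEY_RECIPE = re.compile(
    r"ctrl\W{0,3}c.{0,200}?(?:alt\W{0,3}d|ctrl\W{0,3}l).{0,200}?enter",
    re.IGNORECASE | re.DOTALL,
)
# Common ways to keep a field out of sight while leaving it selectable.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d]*[1-9])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# An event handler that selects the field contents on the victim's behalf.
SELECT_ON_EVENT = re.compile(r"\.select\s*\(")


class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (signal, detail) pairs
        self._text = []         # page text, for the recipe check
        self._textarea = None   # attrs of the textarea being read, if any
        self._buf = []

    def _field_kind(self, tag, attrs):
        hidden = attrs.get("type", "").lower() == "hidden" or HIDDEN_STYLE.search(attrs.get("style", ""))
        return f"{'hidden' if hidden else 'visible'} {tag}"

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "input" and JS_URI.match(a.get("value", "")):
            self.findings.append(("js-uri-in-field", self._field_kind(tag, a)))
        elif tag == "textarea":
            self._textarea, self._buf = a, []
        for name, value in a.items():
            if name.startswith("on") and SELECT_ON_EVENT.search(value):
                self.findings.append(("select-on-event", f"<{tag} {name}>"))

    def handle_endtag(self, tag):
        if tag == "textarea" and self._textarea is not None:
            if JS_URI.match("".join(self._buf)):
                self.findings.append(("js-uri-in-field", self._field_kind(tag, self._textarea)))
            self._textarea = None

    def handle_data(self, data):
        (self._buf if self._textarea is not None else self._text).append(data)

    def finish(self):
        """Run the text-level check and return a verdict. A lure needs both the
        payload field and the recipe; one of the two alone is only suspicious,
        and a select-on-click handler by itself is a detail, not a verdict."""
        if KEY_RECIPE.search(" ".join(self._text)):
            self.findings.append(("keystroke-recipe", "copy / address bar / Enter instructions"))
        strong = {signal for signal, _ in self.findings} & {"js-uri-in-field", "keystroke-recipe"}
        if len(strong) == 2:
            return "likely-lure"
        return "suspicious" if strong else "clean"


def scan(html):
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.finish(), scanner.findings


# Constructed samples. The lure's "payload" is an inert javascript:void(0).
LURE_PAGE = """<html><body>
<h2>LOOK AT HIS COMMENT.. IM STILL IN SHOCK!!</h2>
<button onclick="document.getElementById('p').select()">see the worst status update ever</button>
<p>Step 1: hit Ctrl-C. Step 2: hit Alt-D. Step 3: hit Enter.</p>
<textarea id="p" style="position:absolute; left:-9999px">javascript:void(0) /* placeholder */</textarea>
</body></html>"""

BENIGN_PAGE = """<html><body>
<p>Share this post: press Ctrl+C to copy the link below.</p>
<input type="text" value="https://example.com/posts/123" onclick="this.select()">
<textarea>javascript is disabled, so the comment box is read-only</textarea>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, *scan(page))
```

The thresholds are deliberately conservative: a share box that says "press Ctrl+C" and selects itself on click is reported as a finding but stays "clean", and a <code>javascript:</code> URI in a field only becomes "likely-lure" once the keystroke recipe is also on the page. It is a triage heuristic for reviewing third-party page content, not a substitute for keeping such fields out of the rendering path in the first place.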
Interestingly, if you can make it past the survey (thanks, Firebug), there's a link to <a href="http://loyalkng.com/2009/07/10/adam-devine-from-facebook-loses-all-his-friends-on-facebook-because-of-his-sick-status-message/">this post</a>, which seems to be a legitimate and unaffiliated blog.<br /><br />Lord knows Facebook has had their share of security fails in the past, but this particular technique seems to have surfaced only recently. I am christening it Dumbjacking, because it's like Clickjacking, but dumber. It relies on tricking the user into doing something dumb, like pasting Javascript into their address bar.<br /><br />But here's the problem: this technique is nothing if not effective. As of writing this, the page I investigated had 15,571 people who "liked" it. It seems dumb, but for someone who has no idea about "Javascript" or "URLs" or "the address bar", the shady sequence of keypresses means nothing and raises no red flags. In fact, a decade of awful usability in web apps has trained people to find arcane instructions like "Press CTRL and C" mundane, a normal part of using websites.<br /><br />Dumbjacking is never going to be completely preventable. There will always be gullible, confused people who will blindly follow any number of steps (remember the old IRC Alt-F4 gag?) and somehow compromise their accounts or other information. We can't prevent all of it.<br /><br />But a large part of the responsibility lies with Facebook's awful app model. The idea of allowing third-party HTML (and worse, <a href="http://wiki.developers.facebook.com/index.php/FBJS">sandboxed JS</a>) to sit right inside pages on the official Facebook site is just terrible. I don't think they have accurately assessed the threat of "native styling" - that is, third-party widgets that look exactly like real Facebook widgets. There's no indication of where Facebook-sanctioned content ends and third-party code begins. 
Give users a button that looks like a Facebook button, and they will click it. Give users incomprehensible instructions on a Facebook page with the promise of something outrageous at the end, and they will follow them to the letter.<br /><br />Can a site prevent every instance of users doing something stupid? Of course not. But the Facebook app system is just making it easy for scammers. Embedded content means you can launch your attack from the cozy confines of Facebook itself, and Facebook's mission to plaster those stupid "Suggest this to a friend" buttons across every corner of the earth means there will be no shortage of new attack vectors.<br /><br />The technical decisions coming out of Facebook are the decisions of a company interested in monetizing as much as possible instead of doing right by their customers. There will be no end of security and privacy problems surfacing on Facebook. As far as I'm concerned, it should be treated as a site that is always compromised, where all information is public, and no content is trusted. Want to stay safe on Facebook? Use it as little as possible.<br /><br /><h3>Facebook Hates Old People</h3>Posted by Ian on 2010-04-22<br /><br />So I was on Facebook, inspired by <a href="http://www.eff.org/deeplinks/2010/04/facebook-further-reduces-control-over-personal-information">their latest round of privacy fail</a> to clean out the last vestiges of personal profile information on my account. I decided that altering my birthday to give myself a bit more age might lend me a certain air of respectability. 
But to my surprise, upon setting my birthday to 1901, I saved my changes only to be informed that I had in fact been born April 22nd, 2010.<br /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/dec_13.png" /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/saving.png" /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/dec_13_result.png" /><br /><br />Cue "<a href="http://www.last.fm/music/Rob+Dougan/_/Born+Yesterday">Born Yesterday</a>."<br /><br />"That's funny," says I. "December 14th 1901 works fine, but the 13th is no good at all, nor anything earlier than that!"<br /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/dec_14.png" /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/saving.png" /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/facebook/dec_14_result.png" /><br /><br />So if you're 109 years old and join Facebook, they won't let you show your birthday! Same goes for anyone older (I bet <a href="http://en.wikipedia.org/wiki/Oldest_people">that 122-year-old</a> is pissed). Seems pretty <em>ageist</em>, don't you think? And what's so bad about December 13th, eh? I mean, Ted Nugent was born on December 13th, but you can't hold that against the day itself...<br /><br />Hang on, what's December 13th in <a href="http://en.wikipedia.org/wiki/Unix_time">Unix time</a>?<br /><br /><code>$ date --date '1901-12-13' +%s<br />-2147536800<br /></code><br />Well, I say! That's just a bit past -2147483648, which is... ah, that's right, -(2^31), or the lowest number that can be represented by a signed 32 bit integer. Guess we know how Facebook is storing their dates, eh? 
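To pin that boundary down, here is an added Python check (not from the original post, and not Facebook's code): it recomputes the numbers above, finds the exact range a signed 32-bit time_t covers, and shows what a "wrap, then clamp to today" save path does to the rejected date. It assumes the <code>date</code> output above was produced in US Central Standard Time (UTC-6) and that the post was written on 2010-04-22, the "born today" date reported above; <code>validate_birthdate()</code> and <code>simulate_buggy_save()</code> are my own names.

```python
"""Signed 32-bit time_t boundaries, recomputed in plain datetime arithmetic.

Added example for the birthday post; not Facebook's code. The US Central
offset and the post date are assumptions taken from the post's own output.
"""
from datetime import date, datetime, timedelta, timezone

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
CST = timezone(timedelta(hours=-6))   # assumed zone of the `date` run in the post
POST_DAY = date(2010, 4, 22)          # the "born today" date the post reports


def epoch_seconds(year, month, day, tz=timezone.utc):
    """Seconds since the epoch at local midnight of a date (what `date +%s` prints).

    Aware-datetime subtraction, so it works for 1901 regardless of the
    platform's own time_t width."""
    return int((datetime(year, month, day, tzinfo=tz) - EPOCH).total_seconds())


def fits_int32(seconds):
    return INT32_MIN <= seconds <= INT32_MAX


def wrap_int32(seconds):
    """What a signed 32-bit field does silently: reduce modulo 2**32 into range."""
    return (seconds - INT32_MIN) % 2**32 + INT32_MIN


def from_epoch(seconds, tz=timezone.utc):
    return (EPOCH + timedelta(seconds=seconds)).astimezone(tz)


def int32_range(tz=timezone.utc):
    """Earliest and latest instants a signed 32-bit time_t can represent."""
    return from_epoch(INT32_MIN, tz), from_epoch(INT32_MAX, tz)


def simulate_buggy_save(year, month, day, tz, today):
    """The failure mode the post describes: the value wraps into 2038, then a
    'no birthdays in the future' rule clamps it to today."""
    wrapped = from_epoch(wrap_int32(epoch_seconds(year, month, day, tz)), tz).date()
    return today if wrapped > today else wrapped


def validate_birthdate(year, month, day, tz, today):
    """Defender-side version: check against the storage type *before* narrowing,
    and reject rather than wrap. Returns (accepted, epoch_seconds, reason)."""
    seconds = epoch_seconds(year, month, day, tz)
    if not fits_int32(seconds):
        lo, hi = int32_range(tz)
        return False, seconds, f"outside int32 range {lo.date()} to {hi.date()}"
    if date(year, month, day) > today:
        return False, seconds, "in the future"
    return True, seconds, ""


if __name__ == "__main__":
    lo, hi = int32_range()
    print(f"int32 time_t covers {lo.isoformat()} .. {hi.isoformat()}")
    for d in ((1901, 12, 13), (1901, 12, 14)):
        s = epoch_seconds(*d, CST)
        print(d, s, "fits" if fits_int32(s) else "does not fit",
              "| buggy save ->", simulate_buggy_save(*d, CST, POST_DAY),
              "| checked save ->", validate_birthdate(*d, CST, POST_DAY))
```

Run the file directly to print the range and both outcomes. For any system that stores dates as 32-bit seconds, the shape worth copying is <code>validate_birthdate()</code>: compare the value against the storage type before it is narrowed, and reject it rather than letting it wrap and then be "corrected" by a later plausibility check.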
Too bad they didn't bother limiting the options on their date picker to match their technological limitations.<br /><br />They must have some validation in place to prevent you from having a birthday in the future, so when the integer rolls over to a positive number, it just gets cut down to the current day. Pity, really. I was looking forward to being born on January 18th, 2038.<br /><br /><h3>Introducing Scisr, a PHP Refactorer</h3>Posted by Ian on 2010-02-11<br /><br />I'd like you all to meet my latest hobby project. It's a standalone refactoring tool for PHP. I call it <a href="http://iangreenleaf.github.com/Scisr/">Scisr</a>.<br />
<br />
I looked around for refactoring solutions a while back when I had some tedious renaming to do at work, and was surprised by how poor the options were. <a href="http://stackoverflow.com/questions/19758/tools-for-php-code-refactoring">This question</a> has a fairly complete list of everything I found, which is to say, not much. And what options existed were not very powerful or, more often than not, simply didn't work at all (I never did get Zend Studio to successfully refactor anything, even in the short periods between crashes).<br />
<br />
So like any good nerd, I decided I could do better. I had been using <a href="http://pear.php.net/package/PHP_CodeSniffer">PHP_CodeSniffer</a> a lot, and thought that it would make a perfect platform to start work on - while my needs were slightly different than the typical "sniffs," the tokenizer architecture would suit me very well. Thus was Scisr born.<br />
<br />
The design goals were influenced by aspects of the other tools that I disliked. I hated the idea of installing an entire IDE and twiddling with a whole bunch of project settings just to rename something. Despite what some Java programmers would have you think, refactoring is not an end in and of itself. Refactoring is something to do, test, and move on with as little fuss as possible. You're not using Scisr for the thrill of using Scisr - you're using it because it can help you get a job done. So Scisr is a standalone tool with incredibly simple installation, and I provide incredibly simple usage instructions on <a href="http://iangreenleaf.github.com/Scisr/">the project page</a>. It should be possible to start using it on your work in under 5 minutes.<br />
<br />
Here's something about refactoring PHP: it's impossible to do a perfect job of it. If you are renaming the class method Foo::bar(), how would you handle the following code?<br />
<code><?php<br />$classname = $_POST['c'];<br />$item = new $classname();<br />$item->bar();<br />?></code><br />
There's no right way to handle this because PHP is weakly typed. I should also mention that you would have to be a madman to use the above code in anything, ever.<br />
<br />
There are definitely some advantages to weak typing, but it means that we will never be able to write completely precise refactoring tools. So why fight it? Instead, Scisr accepts these limitations and just does the best it can. When renaming methods, it looks for typing information in a number of places - instantiations, PHPDoc tags, parameter type hints, the comment type hints that Komodo IDE and Zend Studio recognize. And when it comes across a potential match that it just can't be sure about, it will notify the user without making a change (unless you have it set to "aggressive" mode, in which case it will go ahead and hope for the best).<br />
<br />
I'm also not going to bother supporting actions that require individual attention. I'm focusing on the tedious refactoring tasks that can be effectively automated and will save significant effort. Currently, Scisr can rename classes, class methods, and files. In the future I may also support renaming functions and class properties. These are things that would otherwise require a lot of repetitive find and replace, or a clever scripted solution, and even then you'll be in trouble if you're acting on something with a generic name (ever tried renaming a method named 'validate'?).<br />
<br />
So, now that you've read about it, why don't you try it out? There are installation and usage instructions over at the <a href="http://iangreenleaf.github.com/Scisr/">project page</a>. Scisr is currently at version 0.2.0, which means it's a little rough around the edges, but it is usable. I would very much love to hear from you if you use it and find bugs, or have suggestions, or if you just enjoy using it. I'm pretty pleased with it so far, and I hope other people will find it useful too.<br />
<br />
Enjoy, and please, let me know how it goes!<br /><br /><h3>Avatar and Fetishizing The Other</h3>Posted by Ian on 2010-01-16<br /><br /><span class="editor">Fair warning: This post may contain spoilers. However, I also feel I must point out that the foreshadowing in <cite>Avatar</cite> is so clumsy that the first half of the movie contains spoilers for the second half. So really, how much damage am I going to do?</span><br /><br />So, James Cameron spends a decade working on his opus, and here it is. Truth and beauty in dazzling 3D, right? Wrong. I think this film is rubbish. Worse, I think this film is insidious rubbish that is a pro-establishment screed dressed in the sheep's clothing of a weak Iraq war metaphor. I think that the continued success of rubbish like this adversely affects any hope of achieving a truly tolerant and egalitarian society.<br /><br />It has already been pointed out that <cite>Avatar</cite> is <a href="http://io9.com/5422666/when-will-white-people-stop-making-movies-like-avatar">another take on the classic white guilt fantasy</a>. But the sci-fi setting gives it a weird undercurrent that I find even more unsettling. By setting his non-whites as aliens, Cameron accidentally distills all the assumptions Hollywood makes about race, and then forces them into the cold light of day by pursuing an interspecies romance.<br /><br />The Na'vi are a mish-mash of characteristics from just about every well-known "primitive" culture - feathers like Native Americans, Maori skin markings, African accessorizing (all African people are one big homogeneous tribe, if you didn't know), the hunting habits of Amazon tribes, and so on. This provides the framework for a bland allegory about evil white people - it's like indigenous peoples Malt-O-Meal. 
In the creation of this hunter-gatherer everyman, Cameron has provided a glimpse into the machinations of ignorant white men's minds.<br /><br />Neytiri's introduction is as a howling dervish who shoots arrows mid-leap. She embodies the exotic, the mysterious, the untamed. When perturbed, she hisses like a feline (displaying her sharp, animal-like teeth). She views animals as kindred spirits. And see, what makes this a problem is that us white people have this really obnoxious habit of <a href="http://contexts.org/socimages/2009/08/19/another-photoshoot-places-a-black-woman-among-animals/">dressing dark-skinned models in animal prints and posing them with animals</a>. We like to portray them as exotic, mysterious, and untamed. When we control the image, they are the Other.<br /><br /><a href="http://www.complex.com/GIRLS/Galleries/Amber-Rose?pc=1"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/avatar/amber_bling_01.jpg" /></a><br /><a href="http://www.awn.com/articles/visual-effects/avatar-game-changer/page/2,1"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/avatar/avatar03_zoe-saldana.png" /></a><br /><br />Let's talk about Otherness. The idea started with Hegel, who said that consciousness cannot become self-conscious until it meets another consciousness and learns to define itself as separate from that other. Since then this idea has cropped up time and time again, because it seems to accurately describe a component of our psychology; humans have a tendency to define ourselves in opposition to other humans. Nationalism, racism, sports fans; we love to forge our identities by labeling Them and Us. It's not enough to have just an Us - if we find ourselves in a situation where there is no Them, we will quickly manufacture one.<br /><br />Now, usually we take the straightforward route and just vilify the Other. 
Simply <a href="http://www.time.com/time/world/article/0,8599,1924116,00.html">bicker over the prophet's cousin</a>, or <a href="http://en.wikipedia.org/wiki/2005_Cronulla_riots">riot over those immigrants daring to live in "your" country</a>, and get to fighting. But there's another method of oppression at which Americans in particular are becoming very adept. You declare your tolerance for the Other and talk about how much you like Others and how you have all sorts of Other friends. Meanwhile, you continue to marginalize the Other, but you make it subtle. You appropriate bits of their culture, but be sure to place them in a one-dimensional box that leaves no room for growth. You pay lip service to equality but don't make any sacrifices of your own. In this way the Other can find no adversary to combat, and you can convince yourself that their failure to better themselves is due to some innate cultural deficiency. This is how we end up with black models dressed in leopard print.<br /><br />What Cameron has created is the authoritative example of being ignorant and white. Not only is the appearance of the Na'vi built out of superficial elements of human ethnicities, but their entire culture is a slurry of half-baked ideas, the kind an ignorant white guy gets from paging through a National Geographic without bothering to read the articles (they <em>are</em> kinda long, after all). He's actually come up with some ludicrous explanation about neurons in plant matter to take the idea that "native peoples are really in touch with nature" to an extreme that has them literally talking to their ancestors through the trees or something.<br /><br />There's neotribalism, and then there's this. This is not just yearning for simpler times or showing appreciation for low-impact lifestyles. This is fetishizing the Other. The Na'vi as a people are presented as strange, unknowable, yet utterly desirable. 
And creepily, Jake Sully plays out in concrete terms the fantasy that Cameron is playing out in the abstract. Sully is so enchanted by the Na'vi that he seeks to know, to possess, to dominate, and he consummates this quest by exerting his mastery over the natural world, hijacking control of the tribe, and having alien sex with Neytiri. And he is the protagonist because this is how ignorant white men understand desire.<br /><br />We've been analyzing the movie in terms of the racial Other, but in fact the most famous application of Hegel was by Simone de Beauvoir, who applied the concept of the Other in <cite>The Second Sex</cite>, her book on the status of women:<br /><br /><blockquote>Thus humanity is male and man defines woman not in herself but as relative to him; she is not regarded as an autonomous being... She is defined and differentiated with reference to man and not he with reference to her; she is the incidental, the inessential as opposed to the essential. He is the Subject, he is the Absolute – she is the Other.</blockquote><span class="quote-attrib">-- Simone de Beauvoir, <a href="http://www.marxists.org/reference/subject/ethics/de-beauvoir/2nd-sex/introduction.htm"><cite>The Second Sex</cite></a></span><br /><br />I'd like to argue that the Na'vi are not only racial Others, but collectively they represent the sexual Other, Beauvoir's female.<br /><br />It's no accident that Neytiri is the only prominent Na'vi in the film. Sure, Tsu'tey is the chief warrior, but he is practically eating out of Sully's hand by the end of the film, despite having spent the entire movie being cuckolded <em>by Sully</em>. He is the weak, ineffectual man next to Sully's raging pillar of testosterone. 
Neytiri is the only character to display any depth at all, and she is the only one who sees a considerable amount of screentime.<br /><br /><blockquote>The support of life became for man an activity and a project through the invention of the tool; but in maternity woman remained closely bound to her body, like an animal.</blockquote><span class="quote-attrib">-- Simone de Beauvoir, <a href="http://www.marxists.org/reference/subject/ethics/de-beauvoir/2nd-sex/ch05.htm"><cite>The Second Sex</cite></a></span><br /><br />Neytiri is fierce and capable, yet she displays no volition of her own. There are some weak attempts at connecting her to her land and her people, but she seems to have no personal desires, no ambition or selfishness. She spends the film at the mercy of events around her, captive to her emotions. Her involvement with Sully only further strips her of will - by the climax, she is a Harley babe riding bitch on the gigantic symbol of virility, Toruk, clutched between Sully's manly thighs (but it's okay, she's helping the war effort by <em>cheering</em>).<br /><br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/avatar/shot0003_scaled.png" /><span class="img-caption">Sully definitely has the largest... dragon.</span><br /><br />Oh sure, she turns Colonel Quaritch into a pincushion at the end. But to what end is his death? The battle is already over; the Na'vi have clearly won. So even the vague desires that Neytiri has expressed for herself - preserving her land and people - are not at stake. The only threat Quaritch poses is to Sully, who he is happily trying to murder. Her sole motivation for killing Quaritch is to save her man, and in fact, this display of devotion is the only real thing Neytiri accomplishes all film. She has cemented her own subjugation.<br /><br />Now, I'm not saying Cameron <em>tried</em> to make a movie that was obliquely racist and anti-feminist. But he did, and he is as guilty as anyone. 
His crime is intellectual indolence; using superficial fairy tales instead of seeking any true understanding. Our crime is that we keep throwing money at bullshit like this instead of exploring anything that we might find difficult or uncomfortable. A movie that grosses $77 million in the first weekend is part of our culture, whether we like it or not. And if we can't even stop <em>producing</em> this shit, how are we ever going to flush it out of our system? Why ask ourselves tough questions about equality in this country when we can indulge our white male guilt with useless tripe? It's useless tripe, but <em>in 3D!</em><br /><br /><a href="http://www.ndtv.com/news/photos/album-details.php?albumPage=31&id=1787&Album=PHOTO_GALLERY&AlbumTitle=Stills%3A+Avatar"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/avatar/31_scaled.jpg" /></a><br /><a href="http://www.womanist-musings.com/2009/08/naomi-campbell-plays-exotic-african.html"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/avatar/image%5b11%5d_scaled.png" /></a><br /><br /><span class="editor">Bonus: Now that I've spoiled this movie, allow me to spoil the plot of <cite>Avatar 2</cite> as well. The humans come back. This time they just drop the bombs <strong>from space</strong>. All the Na'vi die. The humans congratulate each other and wonder why they didn't think of that sooner. The End.</span><br /><br /><h3>Avoiding disaster when using svn switch</h3>Posted by Ian on 2009-11-08<br /><br />So I was going to be my usual negative self again this month, but I created something, so I'll share that instead. Your regularly scheduled cynicism will return next month.<br /><br /><h4>The problem</h4><br />So you're working away on a branch of your project in SVN, and you need to switch to a different branch. 
<a href="http://svnbook.red-bean.com/en/1.5/svn.ref.svn.c.switch.html">svn switch</a> does exactly that, but there's a catch. Say your repository has a top level with a README and CLI scripts and whatnot. But you've been hacking away in the <samp>src/</samp> folder because that's where all the real code is. And you carelessly type <kbd>svn switch svn://myrepo/branches/other_branch</kbd> while your working directory is <samp>src/</samp>. What you <em>should</em> have typed was <kbd>svn switch svn://myrepo/branches/other_branch/src</kbd> - notice the subtle but important difference there.<br /><br />As soon as you hit Enter, you've screwed the pooch. Remember, SVN doesn't know about branches - it just thinks they're all folders. So what you've done is tell it to switch the working directory, <samp>src/</samp>, to the top level directory of some other branch. It's going to delete everything in your folder and start checking out the whole root directory into your working directory. It's going to make a mess, then yell at you about conflicts and slotting and mismatches and you're probably going to end up getting frustrated and running <kbd>rm -r</kbd> on the whole folder. If there's a graceful way to recover from this mistake, I have yet to find it. I've done this enough times that I usually realize my mistake as soon as the first message pops up, and I often mash Ctrl-C in hopes of preventing further damage, but honestly I think that makes it worse.<br /><br />After making this mistake for about the fiftieth time yesterday, I finally decided it would be in my best interest to protect me from myself, and so I wrote a bash script. 
It checks the directory (relative to the root of the branch) that you're asking to switch to against your current directory and won't let you continue if it thinks you're about to screw something up.<br /><br />This script assumes that your repository follows the standard SVN repo format - your code should be in <samp>trunk</samp> or <samp>branches/branchname</samp>. And it assumes you're going to run <kbd>svn switch</kbd> on your current working directory - I didn't write any support for more than one argument.<br /><br /><h4>Installing</h4><br />Because of the nature of SVN commands, we have to wrap <kbd>svn</kbd> and just pass arguments for the other commands through untouched. <cite><a href="http://top-frog.com/2009/04/23/client-side-pre-and-post-svn-hooks-with-unix-aliases/">Shawn Parker</a></cite> gets credit for the original inspiration. You'll need to put the below code in a file and make it executable. Then edit your .bashrc to add the following line:<br /><code>alias svn='/path/to/script.sh'</code><br /><br /><script src="http://gist.github.com/279838.js?file=svn_safe.sh"></script><br /><noscript><code>#!/bin/bash<br /><br />### Copyright 2009 Ian Young<br />### Available under the terms of the MIT license<br /><br />### ABOUT<br />### Prevents you from svn switching to a mismatched directory in a different branch.<br />### See http://blog.iangreenleaf.com/2009/11/avoiding-disaster-when-using-svn-switch.html<br /><br />### USAGE<br />### Make sure this file is executable. 
In your .bashrc or other startup script, add:<br />### alias svn='/path/to/this_script.sh'<br /><br /># We only care if it's a switch command<br />if [[ ( $# = 2 ) && $1 = "switch" ]]<br />then<br /> # Get the current path of the working directory we're switching,<br /> # then filter out the root of the URL<br /> #<br /> # Note: We append "=" simply to make sure that sed found a match, since our<br /> # filtered path may be empty and we need to distinguish that from no match<br /> #<br /> # The pattern is anchored to the "URL:" line so that no other line of<br /> # svn info output can match by accident<br /> CURRPATH=$(svn info | sed -n -e 's_^URL: .*/\(trunk\|branches/[^/]*\)/\?\(.*\)_=\2_p')<br /> # Now filter the path we're switching to the same way<br /> # (first strip any trailing slash, then extract the branch-relative path)<br /> NEWPATH=$(echo -n "$2" | sed -n -e 's_/\?$__' -e 's_.*/\(trunk\|branches/[^/]*\)/\?\(.*\)_=\2_p')<br /> # If we found a match, make sure the paths are the same<br /> if [[ ( -n "$CURRPATH" ) && ( "$CURRPATH" != "$NEWPATH" ) ]]<br /> then<br /> echo "It looks like you're about to make a big mistake."<br /> exit 1;<br /> fi<br />fi<br /><br /># Otherwise we let SVN carry on with its business<br /><br />svn "$@";</code></noscript>Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0tag:blogger.com,1999:blog-6697950304516138442.post-57988967288125781222009-09-23T21:34:00.005-05:002009-12-03T01:11:00.314-06:00Worse than NothingWant to get phished? Don't worry, it won't hurt.<br /><br />If you have an account with Vanguard, the investment firm, <del>you can experience it for yourself <a href="http://demo.iangreenleaf.com/sitekey_phish/">right here</a></del> (works on IE7, IE8, or FF3). If not, you can watch <a href="http://static.iangreenleaf.com/video/sitekey_phish_1200x784.html">a quick screencast</a> of me phishing myself. Note that this is clearly not the Vanguard site, and yet after I enter my username, I'm shown my personal image (mine's a canoe! what's yours?). I didn't answer any security questions, and yet that's my personal image that only my bank and I are supposed to know. 
And here it is on some scammer's site. That's the unique part of my attack, and the most dangerous.<br /><br />By the way, that screen at the end is where the scammer has just obtained your password and is happily emptying your bank account (since I'm nice, I just display a hash and don't save it).<br /><br />I don't mean to pick on Vanguard, I just happened to have an account with them. A similar attack should be quite possible on <a href="http://www.bankofamerica.com/privacy/index.cfm?template=sitekey">Bank of America</a>, HSA Bank, or anyone else who uses the <a href="http://en.wikipedia.org/wiki/Sitekey">SiteKey</a> system. SiteKey is a scheme banks came up with in response to the large and largely-intractable problem posed by phishing. It's sometimes labeled as a "multi-factor authentication" system, but I think that's incorrect - it's more of a "mutual authentication" system. The site proves that they are legitimate by showing you a picture that you selected when you sign up. Since no one else could know what picture you have set, this proves that the site is who you think it is. At least, that's the theory.<br /><br />My attack is simple. The first page is just a static page that looks exactly like Vanguard's home page - standard phishing fare. When you submit the form with your username, I build a page with an iframe pointing to the Vanguard site, passing it the username. As long as you've logged in from this computer before, the Vanguard site happily shows your personal image. Then I create a form outside of the iframe with a password field and a submit button, and float those elements over the iframe. So while you're seeing the Vanguard site in the background, you're entering your password into a form I control, and the submit button you click submits to my page. And just like that, I have your password.<br /><br />I have your password. I did this with a freakin' Bachelor of Arts degree. 
It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned. This attack has been possible as long as SiteKey has been in existence, and I see no reason why I would be the only person to think this up. In all likelihood, some smart phisher out there is already doing this.<br /><br />I learned retroactively that this technique is called <a href="http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html">UI Redressing</a>, more commonly referred to as Clickjacking. It's behind a number of attacks, of which perhaps the most publicly visible (although not the most dangerous) was the <a href="http://dsandler.org/wp/archives/2009/02/12/dontclick">Twitter "Don't Click" infection</a>. Even worse, since my attack requires no clicking on the actual hidden elements, even NoScript's vaunted <a href="http://noscript.net/faq#clearclick">ClearClick</a> technology doesn't detect it (NoScript does offer an opt-in to disable iframe content, which sounds like it should stop the attack, but it didn't work for me).<br /><br />SiteKey was weak to begin with. It's bad enough that a vast majority of site users <a href="http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss">don't notice if the image is missing</a>. And a weaker man-in-the-middle attack that involved asking security questions <a href="http://cr-labs.com/publications/SiteKey-20060718.pdf">was demonstrated 3 years ago</a>[pdf]. But this is worse. A malicious site that shows you your own handpicked image will lull you into a false sense of security. 
Who would think twice about providing personal information when that mountain stream or étouffée or whatever you picked is staring you right in the face? The banks have worked hard to train users to look for that image, and that very training can be turned against them to make phishing attacks even more successful than before. SiteKey is not just useless - it's <span style="font-style: italic;">worse</span> than nothing at all.<br /><br />I have been in contact with RSA Security, the vendors of SiteKey, about this attack. To their credit, they were very professional about the whole thing. They treated the matter seriously (I was surprised to get a response at all), and did not try to bullshit or bully me. So they get points for understanding how to make the vulnerability reporting process a productive one. They told me they have notified their clients about the problem and suggested corrective action. I imagine this action will consist of <a href="http://en.wikipedia.org/wiki/Framekiller">frame-busting Javascript</a> and a <a href="http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/">proprietary IE8 header</a>. I can only speculate because as of this posting, neither Vanguard nor HSA Bank have done anything to prevent the attack, even though it has been two months since I reported it. These changes will help, but the headers are opt-in and only work on newer browsers, and the Javascript isn't necessarily immune to circumvention. Besides, recall what I said about my qualifications as a security researcher. If I came up with this in a few hours of spare time, don't try to tell me there aren't similar attacks that could be discovered by a motivated person - say, someone who makes a living managing a phishing operation.<br /><br />There's another reason I think SiteKey is worse than nothing. 
It's not just users who get a false sense of security from it - banks are biting on these supposed panaceas instead of facing up to the very difficult problem of performing real security. It's all too easy for companies to <a href="http://www.flickr.com/photos/jakobs/2429053738/">set arcane password rules</a> and shell out money for "solutions" like SiteKey, and convince themselves that they've tried hard enough. Wrong. SiteKey is like a Mickey Mouse band aid on the wrong knee. Maybe it gets the three year old to stop crying, but it's not actually doing any good.<br /><br /><h4>Epilogue</h4>I know, I know, I'm such a negative person. Always bringing other people down. Complaining about what exists without offering any suggestions of my own. What would I propose to guard against phishing? Huh, tough guy?<br /><br />I have to be honest - I don't see a silver bullet. Phishing is a serious threat, and one that preys on our inescapably human failings - inattention, belief that our perceptions are accurate, and willingness to adapt our actions to what we are presented with. I don't see it going anywhere any time soon. However, I think the Firefox address bar is a great start:<br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/phish/FF_SSL.png" alt="Firefox address bar" /><br />If we have to train users to look for something, it should be this. Benefits:<br /><ul><li>It's client-side. No man-in-the-middle. No UI redressing. Short of a serious Firefox exploit or SSL vulnerability, there's no faking this part of the address bar.</li><li>It comes (I assume) from the SSL certificate, which is a pretty okay security measure, and one that any respectable site dealing with sensitive information <span style="font-style: italic;">already uses</span>.</li><li>It's friendly and distinctive - it's big and green and it tells you the name of the company.</li><li>It's right next to the address bar, which encourages one to also check the URL. 
This is the original best security measure, and one that eBay and others <a href="http://pages.ebay.com/help/tutorial/accountprotection/js_tutorial.html#">have been advocating for years</a>. I should point out that the pretty little <a href="https://addons.mozilla.org/en-US/firefox/addon/4014">Locationbar² plugin</a> is helping here as well by highlighting the domain name so it stands out against the rest of the URL.</li></ul>Still, this only works if you think to look. The danger of phishing is that you get caught at the end of a long day, or when you're in a hurry, or when fucking PayPal actually <span style="font-style: italic;">has</span> deactivated your account three times in the past and you're so annoyed by the prospect of a fourth that you get careless and don't check.<br /><br />I've got another suggestion, but this one is a lot further from reality. This is what I think <span style="font-style: italic;">could</span> be, if we would spend less time on <a href="http://www.thisdev.com/2008/02/fake-security-is-worse-than-no-security.html">fake security</a> and more time on real security.<br /><br />Imagine, if you will, a world where PGP is commonplace. That's right, I'm <a href="http://blog.iangreenleaf.com/2008/08/why-i-sign-with-pgp.html">evangelizing</a> again. Imagine every email you receive is signed, and you have an extensive trust network. When you open an account at a new bank, the rep hands you a piece of paper with instructions on downloading the bank's public key and a fingerprint to verify it. Because PGP is so common, your email client actually throws up a big red warning saying "Hey! This signature is untrusted!" whenever you get email from someone whose key you haven't imported. Suddenly you have a proactive warning on every phishing email that comes through. Nobody is going to click through a message from their bank that is labeled as "untrusted." You could teach your grandparents that.<br /><br />Is this a pipe dream? For now, yeah. 
But it's a good one - it's a world where email phishing is essentially solved.<br /><br />Until then, keep checking your address bar.<br /><br /><b>Update (12/03/09):</b> Looks like at some point in the past few months, Vanguard updated their site with some frame-busting Javascript, and now hides the pages if Javascript is disabled (bad news for accessibility, but arguably more secure). However, let me reiterate: the fact that they have stuck their finger in this leak doesn't mean there aren't other holes in the dike.<br /><br /><b>Another update:</b> I sent this article to Jim Youll, the author of the original paper on SiteKey vulnerabilities. He emailed me back, and in his response was a remark that stuck with me: "they always say that the undisclosed back-end systems are the fail-safe for the front-end attacks. I don't think they're lying." At some point, it hit me: <span style="font-style: italic;">what if SiteKey is nothing more than </span><a style="font-style: italic;" href="http://www.schneier.com/blog/archives/2008/04/the_feeling_and_1.html">security theater</a><span style="font-style: italic;">?</span> Maybe they <span style="font-style: italic;">do</span> know that it's useless. Maybe they don't expect it to stop anything. Maybe whatever fee they're shelling out isn't coming from the security budget, but from the marketing budget. If this is the case, I just hope the marketing spiel isn't working on the people who need to be doing the <span style="font-style: italic;">real</span> security.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com6tag:blogger.com,1999:blog-6697950304516138442.post-2591316049603434662009-08-07T19:34:00.029-05:002009-08-08T19:16:21.236-05:00Making Chroma-Hash Less Leaky<h4>Prologue</h4>Recently, Jakob Nielsen yelled at everyone that <a href="http://www.useit.com/alertbox/passwords.html">password masking is a usability problem</a>. 
When that man yells, people listen, and so were planted the seeds for some <a href="http://lab.arc90.com/2009/07/halfmask.php">interesting</a> <a href="http://lab.arc90.com/2009/07/hashmask.php">experiments</a> in providing password hints. The sexiest of these so far is Mattt Thompson's <a href="http://mattt.me/2009/07/chroma-hash-a-belated-introduction/">Chroma-Hash</a>.<br /><br />Some valid security concerns were raised over this widget. Mattt has solved several of these already with his recent improvements. I'd like to examine one of the remaining issues and suggest a solution. You can view <a href="http://github.com/youngian/Chroma-Hash/tree/master">my fork on Github</a> for the source code.<br /><br /><h4>The problem</h4>The scenario goes something like this: a user takes and shares a screenshot or screencast of their login screen with password typed in. Someone malicious views this and can garner information about the hashed password from the color bars. From here, I'm going to assume that you understand the basics of how MD5 is a one-way function and why that's important.<br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/chroma_hash/fullcolor.png" alt="Chroma-Hash password box" /><br />In the standard operating mode, Chroma-Hash is pulling number values right from the MD5 hash. We can get the colors with an eyedropper, and look - they match up (in reverse order) to the first part of the hash of the salted password.<br /><br /><code>$ echo -n "hooray12:7be82b35cb0199120eea35a4507c9acf" | md5sum<br /><b>4ea16c514a6697bce6</b>42ee2250aa92f6 -</code><br />If we were using five color bars, we would have disclosed almost the whole hash.<br /><br />People keep bringing up the fact that MD5 is not considered a secure hash function any more. These concerns are misplaced. MD5 is considered broken because it's too easy to find collisions - things that hash to the same MD5 sum. 
This is useful indeed if you are wanting to forge a digitally signed certificate or tamper with transferred data. But unless the authentication server is using the exact same salt and hash algorithm as Chroma-Hash, creating a collision with someone's color bar hash is useless - you'll be able to get the same colors, but you won't be able to log in.<br /><br />The real concern here is this: we've allowed an attacker to move the computational load onto their own hardware. When you control the password oracle, it's easy to <a href="http://www.codinghorror.com/blog/archives/001206.html">limit the rate at which login attempts may be made</a>. This makes a brute force attack or even a dictionary attack infeasible. The attacker can't try passwords fast enough to have a reasonable chance of guessing the right one within years. But when an attacker has a hashed result of your password, they can run a dictionary attack as fast as their hardware allows, and a matching MD5 from a dictionary attack is likely to be the right password, because let's face it, people in general don't choose secure passwords.<br /><br />An aside: at the leading edge of server-side security, the equivalent threat of a stolen database is dealt with by bcrypt, a hashing scheme that can be tuned to be computationally intensive. So maybe the password check takes a tenth of a second instead of a thousandth - it's no big deal in the course of regular business, but it will significantly slow down an attacker trying to test a lot of passwords against stolen hashes. This strikes me as impractical for our purposes, and not only because we would need to implement bcrypt in Javascript. Tune it too strong, and a user running on slow hardware could suffer a bad performance hit when trying to type in their password. Tune it too weak, and an attacker with a couple dedicated cores could crank through at a fair clip.<br /><br /><h4>My solution</h4>In this case, I say collisions are actually our friends. 
If we can limit the information available to an attacker, we can leave them with a very large set of possible matches that they can only check by attempting to log in to the server. The point here is to make them verify against the server, rather than doing it at their own pace.<br /><br />This is where another convenient fact comes into play. In his blog entry, Mattt points out that over-the-shoulder attacks won't be effective against Chroma-Hash. <blockquote>As a color expressed in Hex, there are 16,777,215 possible colors for each bar. Eye-balling it wouldn’t be enough to get an exact color value—the difference between #952A08 and #952A09 is nearly imperceptible...</blockquote> Those millions of possible colors come from 24 bits used to represent each color, which in turn is 24 bits of our hash leaked for every color bar. If we don't leak the information in some of those bits, our attacker cannot be as precise about identifying matches. And since humans cannot really differentiate all those colors anyways, we're losing almost nothing by eliminating some of the possibilities.<br /><br />The best way to do this is to redact the low-order bits, so that we keep the entire color range and lose only the fine distinctions between shades. You can think of this like counting in multiples. Instead of every number being an option, we round to the nearest even number, or multiple of 16, or whatever we like. The more we round, the more information we can withhold from an attacker.<br /><br />Let's see it in action.<br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/chroma_hash/step2.png" alt="Chroma-Hash password box" /><br />In this version, rgbStepSize is 2. You can see that the color values are very close to the original, but each 2-character hex number is even (0x96 = 150, 0xbc = 188, 0xe6 = 230, and so on). 
And since we're rounding, the attacker cannot know if the original hash contained "96" or "97", "bc" or "bd", etc.<br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/chroma_hash/step16.png" alt="Chroma-Hash password box" /><br />In this one rgbStepSize is 16. Looking at the color values, you can see that the second character of each pair is 0. We've eliminated half of the bits leaked by Chroma-Hash, and the colors are still remarkably close to the exact values as far as the human eye is concerned. In fact, quick experimentation shows that we can go with a step size of 64 or so without affecting user experience too drastically.<br /><br /><h4>Did it work?</h4>Now, how much does this help us? I'm a little out of my depth here, so I can only provide some back-of-the-napkin estimates. The small version of <a href="ftp://ftp.ibiblio.org/pub/linux/distributions/openwall/wordlists/languages/English/3-large/">Openwall's word lists</a>, which consists of various words and word combinations, has about 300,000 entries. For a six-digit password consisting of lowercase letters and numbers, there are about 2 billion total possibilities. A 64 bit hash can have about 18 quintillion different values, so if a dictionary attack finds a match against all bits, it's almost certainly the true password.<br /><br />Let's say we're showing three color bars with a step size of 64. This means that 6 of each 24 bits per color is leaked. So an attacker is working with 18 bits, a space of about 260,000. Assuming the distribution through this space is even (it should be), each possible combination of these 6 bits will match up with roughly 34 million possibilities in the six-digit password space. This is good, as the attacker cannot test 34 million passwords against the server in a reasonable amount of time. However, working with the small word list, we can expect an almost one-to-one correspondence, which is not good. 
If we were to drop to two color bars, we could expect 73 matches per colorset. If we were to use a step size of 128 instead of 64, we could bring it up to 585 matches per colorset. If we did both of these, 4,688 (but at some point, usability drops off).<br /><br /><h4>Regaining perspective</h4>By dead reckoning, I would guess that most passwords used in a reasonably computer-literate community are stronger than the small dictionary list, containing non-words, numbers and hopefully capital letters or even symbols. But humans do like phonetic constructions and show a strong aversion to random combinations of letters and symbols. And a not-inconsequential number of people are still using dangerously weak passwords, unaware of the dangers of computer security.<br /><br />So, is it worth it? Assess the risks. A user must leak their password information through a screenshot or similarly exact reproduction. This must either be initiated by the user or social-engineered out of them - someone with direct access to the user's computer could just install a keylogger instead. Additionally, that user must have a weak password. An attacker must take the time to launch a dictionary attack against the gathered information, then test all resulting possibilities against the server until one works. Unlikely, but not implausible. Put this in context with the more mundane but oh-so-effective threats like phishing, email password reset, compromise from another site, and general password carelessness. And finally weigh your perceived threat against the usability benefits Chroma-Hash offers.<br /><br />Is it worth it? 
That's up to you.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com4tag:blogger.com,1999:blog-6697950304516138442.post-35966131690974206152009-06-26T01:05:00.003-05:002009-10-21T17:04:37.588-05:00Movies I Hate: I, Robot and S.W.A.T<span style="font-style: italic;">I have only one "Top Ten List" on Netflix, and it is titled <span style="font-weight: bold;">Movies I Hate</span>. The description reads, "Not just movies I strongly dislike. Movies I wouldn't piss on to put out a fire." Here are two more from that list. Enjoy.</span><br /><br /><div class="hreview"><div class="item"><h4 class="fn">S.W.A.T.</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">I'm actually not entirely sure I've seen this movie. It's hard to tell if I was somehow strapped down and forced to watch it, or if I just ate a bad chicken salad sandwich, went catatonic for a couple hours, and woke up to a preview showing on TV. I'm pretty sure the two experiences are comparable, right down to the taste of expired chicken left in my mouth by the end. All that I can come up with is vague recollections of explosions, shooting, and guns. I assume there were some protagonists and antagonists involved, but they were so forgettable the movie would likely have gone up in quality without them. Sometimes I worry that it's not normal to be missing such a large chunk of time from my memory like this. But mostly I just worry that I actually got tricked into watching this movie. Given the choice, I think I'd take food poisoning.</div></div><br /><br /><div class="hreview"><div class="item"><h4 class="fn">I, Robot</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">Well, here it is. The stinkiest stinker. The crappiest crapfest. The travesty of all travesties. 
If movies were animals, this would be the tapeworm. How <span style="font-weight: bold; font-style: italic;">not</span> to make a successful movie: First, take the work of a greatly respected science fiction author. Next, spew vomit all over it. Now, feed that mess to your dog and hire some two-bit hack to make up a script that is, in fact, a disgrace not only to Isaac Asimov's collection of short stories, but to all writers everywhere. Finally, to add insult to injury, plaster blatant product placement everywhere, just to make clear exactly how little you respect the moviegoers who have made the unfortunate mistake of wandering into your film. And there you have it! <span style="font-style: italic;">I, Robot</span>. If there is a convincing argument for why humanity will not survive another millennium, this is it. And that's not because we will design killer robots that will turn on us, it's because a society that actually condones sewage like this is in moral decline. Heck, the robots would be doing us a favor. Look for an exciting matchup sometime later this year, as <span style="font-style: italic;">I, Robot</span>'s right to the title of "worst movie ever" is challenged by a newcomer, <span style="font-style: italic;">I Am Legend</span>, also starring who else but Will Smith.</div></div>Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0tag:blogger.com,1999:blog-6697950304516138442.post-30705007352548637242009-05-26T23:36:00.022-05:002010-01-18T10:08:48.449-06:00Radio Sucks<blockquote>Radio programming is just that!</blockquote><span class="quote-attrib">-- Saul Williams, "Penny for a Thought"</span><br /><blockquote>Radio sucks! The same fucking songs over and over again! 
All the weak ones, all that disposable crap that isn't gonna matter in 3 months, it's just shit!</blockquote><span class="quote-attrib">-- Matt Pinfield, Significant Other hidden track</span><br /><blockquote>Turn on the radio, nah, fuck it, turn it off!</blockquote><span class="quote-attrib">-- Rage Against the Machine, "Vietnow"</span><br /><br />When I posted <a href="http://blog.iangreenleaf.com/2008/12/893-current-and-mysterious-non.html">my analysis of The Current's playlist</a> a while back, I mused about how it might stack up against a station run by the mainstream corporate borg that is ClearChannel. The problem is that no other stations make their full playlists publicly available, so I had no data to work from. Most of them offer the 10 most recent songs played, and that's it.<br /><br />I dropped the idea for a while, but when I got myself a cheapo hosting plan, suddenly I had an always-on box that could, say, run a cron every ten minutes, perhaps a cron that scraped some radio sites for their recent songs. And even better, since every ClearChannel subsidiary <a href="http://www.kdwb.com/iplaylist/playlist.html?last10=1">uses</a> <a href="http://www.k102.com/iplaylist/playlist.html?last10=1">the</a> <a href="http://www.kool108.com/iplaylist/playlist.html?last10=1">same</a> <a href="http://www.cities97.com/iplaylist/playlist.html?last10=1">template</a>, I only had to build one scraper and I could collect data on half the music stations in the Twin Cities. Score! A little later, I discovered <a href="http://www.yes.com/">Yes.com</a>, a cool service that even provides an API, and worked out a way to scrape the other major stations in Minneapolis.<br /><br />The code is available <a href="http://github.com/youngian/Radio-Playlist-Scrapers/tree/master">here</a>. The data you see below is the averages for the period of 3/22/09-5/22/09. 
If you'd like more discussion of my analysis techniques, check out <a href="http://blog.iangreenleaf.com/2008/12/893-current-and-mysterious-non.html">my original post</a>. Don't worry, this post will not contain any sad kitten pictures. Without further ado, the results:<br /><a href="http://www.flickr.com/photos/iangreenleaf/3602885542/sizes/o/" title="Unique Song Ratio by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3416/3602885542_3453bf369f.jpg" alt="Unique Song Ratio" height="500" width="499" /></a><br />I went into this expecting KDWB (<span style="font-style: italic;">Today's Best Music</span>) to suck, and they did not disappoint. They come out swinging with an absolutely abysmal level of uniqueness per week - which only gets worse when we measure over a month. However, they're facing some heavy competition from KS95 (<span style="font-style: italic;">Variety...80's, 90's and Today!</span>). Those people seem to be rather confused about what constitutes "variety." Apparently the 80s, 90s, and today just didn't have that much to offer.<br /><br />Most of the other stations muddle along between 0.2 and 0.3 - not as bad as they could be, but if you've spent any significant amount of time listening to Cities 97, you'll know that's still bad enough to drive a person to murder.<br /><br />There are a couple notable standouts at the week level - KQRS and Love 105 (the latest owners of what was once Rev105's signal) do respectably. And Jack FM, who brags constantly that they are <span style="font-style: italic;">Playing what we want!</span>, actually beats the Current for uniqueness at the week level. All these stations suffer significantly in the month-long measurements. To me, it looks like these stations have fairly large playlists, but simply rotate the same playlist over and over again. 
This isn't entirely a bad trait, especially for KQRS (<span style="font-style: italic;">Minnesota's Classic Rock</span>), who doesn't have a growing field to work with.<br /><br />Still, this demonstrates to me the importance of not only playing good songs, but playing different songs. Sure, it's fun to sing along with "Dirty Deeds" once in a while. But we've been singing along with it for decades now. And yeah, it's quirky when JackFM plays The Bangles right after Linkin Park, but it's a quirkiness that's manufactured by CBS Radio and shipped out to <a href="http://www.google.com/search?q=jack+fm">countless identically-named stations</a> nationwide, and I don't think I'm the only one who starts to notice the cracks in the veneer after a while. So, hooray for The Current! Hooray for quirkiness that's actually just Mary Lucia being wacky and saying whatever goes through her head. Yes, Mary, I was listening that one day when you suggested that Mark Wheat take up cocaine.<br /><a href="http://www.flickr.com/photos/iangreenleaf/3602885554/sizes/o/" title="Highest Playcount by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm3.static.flickr.com/2434/3602885554_fd1ea29be7.jpg" alt="Highest Playcount" height="500" width="499" /></a><br />Interesting. You'll notice The Current is definitely not ahead in this race. Jack FM, KQRS, and Love 105 again all put up very impressive numbers, and KOOL 108 isn't bad either. It makes a fair amount of sense - these are the stations that are drawing from several decades of music and shying away from new releases. So they're not under pressure to spin the latest single that some manufactured star just released. Good for them.<br /><br />The Current, of course, is still a long, long way from the real offenders here. KS95 again manages to compress three decades of music into playing one song almost 50 times per week. 
And B96 pulls out a surprise win over KDWB here, playing the top song for a given week roughly <span style="font-style: italic;">85 times</span> in that week. I just threw up a little in my mouth.<br /><br />Radio sucks, people. It sucks, sucks, sucks. Some stations suck more than others, but I can't lionize anyone here. The best we can ask for in playlist variety, it seems, is mediocrity. Listen to WLTE, who's completely unremarkable in every degree. Or, listen to Rage. Turn it off. There is no guerilla radio. The war was lost to the strains of Howie Day's simpering falsetto.<br /><br /><h4>Epilogue</h4>I've got one last graph for you all because, well, I still have an agenda. Here's the uniqueness graph again, but with one new data point: values from The Current for the same two-month period in 2006 as opposed to 2009.<br /><a href="http://www.flickr.com/photos/iangreenleaf/3602885548/sizes/o/" title="Unique Song Ratio Redux by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3369/3602885548_ece5803144.jpg" alt="Unique Song Ratio Redux" height="500" width="499" /></a><br />This is what I had hoped to see in the earlier charts. It's completely dwarfing the other stations. The scale is all off. It's not even worth debating how one conglomerate scores compared to the others, because The Current is embarrassing all of them. That's what it looks like when one station is single-handedly saving radio. That's where I want us to be.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com1tag:blogger.com,1999:blog-6697950304516138442.post-6584393773110310192009-03-22T15:10:00.012-05:002011-08-31T02:21:58.291-05:00Enacting my own Terms of ServiceI currently have a couple <a href="http://en.wikipedia.org/wiki/Web_crawler">web crawlers</a> running that periodically request content from a couple websites and store it in databases. 
It struck me as strange that these websites deigned to stipulate certain "Terms of Service" (ToS) over my use of their content and believed that these terms formed a contractual agreement, even though there had been no negotiation over these terms, and I had never signaled my assent (I haven't clicked any little "I agree" buttons on any of these sites). So I decided to bring the art of negotiation back into the formation of these previously one-sided agreements.
<br />
<br />So, when one of my spiders makes a request, it adds a name/value pair to the query string of the URL, like so:
<br />
<br /><code>http://server.contentprovider.com/requested/1234567?tos=http://static.iangreenleaf.com/TermsOfService.md</code>
<br />This parameter directs the content provider to my own <a href="http://static.iangreenleaf.com/TermsOfService.md">Terms of Service</a> for the transaction. My terms start out by making clear how a content provider may accept or decline them:
<br /><blockquote> <p>By serving the content I requested, you are agreeing to all the terms and conditions set forth in this document, without reservation. If you do not wish to agree to these terms, do not serve your content in response to this request.</p></blockquote>They go on to detail how I may use the content I am requesting. My favorite part is this:
<br /><blockquote>By serving the requested content, you agree to hereby waive any and all restrictions on use of your service that you may stipulate in your own Terms of Service, Terms of Use, or other legal document...</blockquote>So if the content provider responds to my request, they have agreed to my ToS and waived any terms that they may subsequently try to stipulate on my use of their content.
<br />
<br />Now, you might think this is stupid or absurd. You might even think that this is totally unenforceable, seeing as how all I have done is provide access to the terms I am stipulating and take continued participation as consent. And I would tend to agree with you.
<br />
<br />However, I claim that if my terms are unenforceable, so are those stipulated by the content provider. How is my request any different from providing a tiny link to the Terms of Service way down at the bottom of the page?
<br />
<br /><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/tos/tos_example.png" alt="Example of Terms of Service link" />
<br />
<br />I have as much right to place limitations on the transaction as they do. My limitations just happen to nullify all of their limitations. They're welcome to stop serving me content if they don't want to accept my terms.
<br />
<br />Think I'm wrong? Tell me why.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com1tag:blogger.com,1999:blog-6697950304516138442.post-12325566654917662652009-03-20T23:37:00.010-05:002010-01-18T01:13:57.309-06:00Rsync and retrying until we get it rightOk, this isn't all that special, but I scoured the first two or three pages of Google results and didn't come up with anything that solved my problem. So here it is, Internet - may the next person be luckier than me and not have to read any man pages.<br /><br /><a href="http://en.wikipedia.org/wiki/Rsync">Rsync</a> is a cool utility, especially when I'm trying to plonk my 10Gb backup onto Dreamhost's flaky backup server. But I wish I could make it retry when things go south. There are various threads on doing this, but it would seem it's not built into rsync itself.<br /><br />The obvious solution is to check the return value, and if rsync returns anything but success, run it again. Here was my first try:<br /><br /><code>while [ $? -ne 0 ]; do rsync -avz --progress --partial -e "ssh -i /home/youngian/my_ssh_key" /mnt/storage/duplicity_backups backupuser@backup.dreamhost.com:.; done</code><br />The problem with this is that if you want to halt the program, Ctrl-C only stops the current rsync process, and the loop helpfully starts another one immediately. Even worse, my connection kept breaking so hard that rsync would quit with the same "unknown" error code on connection problems as it did on a SIGINT, so I couldn't have my loop differentiate and break when needed. Here is my final script:<br /><br /><script src="http://gist.github.com/279849.js?file=rsync-retry.sh"></script><noscript><code>#!/bin/bash<br /><br /># Trap interrupts and exit instead of continuing the loop<br />trap "echo Exited!; exit;" SIGINT SIGTERM<br /><br />MAX_RETRIES=50<br />i=0<br /><br /># Set the initial return value to failure<br />false<br /><br />while [ $? 
-ne 0 -a $i -lt $MAX_RETRIES ]<br />do<br /> i=$(($i+1))<br /> rsync -avz --progress --partial -e "ssh -i /home/youngian/my_ssh_key" /mnt/storage/duplicity_backups backupuser@backup.dreamhost.com:.<br />done<br /><br />if [ $i -eq $MAX_RETRIES ]<br />then<br /> echo "Hit maximum number of retries, giving up."<br />fi<br /></code></noscript><br /><br />On a side note, <a href="http://duplicity.nongnu.org/">duplicity</a> is pretty neat. I only wish it would support resuming of interrupted backup sessions so that I didn't have to do this in two steps. My current backup workflow is<br /><br /><code>PASSPHRASE="backup" duplicity --encrypt-key 77XABAX7 /home/youngian --exclude "**/.VirtualBox" --exclude "**/.kde" --exclude /home/youngian/tmp/ --exclude /home/youngian/backup/ file:///mnt/storage/duplicity_backups/ --volsize 100</code><br /><br />...and then the above rsync script.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com13tag:blogger.com,1999:blog-6697950304516138442.post-53666159627316983182009-02-26T23:08:00.001-06:002009-02-26T23:09:02.329-06:00Pascal and Global Warming"Global warming?" I hear you ask. "Why bother? The scientific community has <a href="http://en.wikipedia.org/wiki/Scientific_opinion_on_climate_change">already delivered a verdict</a>." Well, yeah. But big names like George Will are still churning out the occasional piece on how <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/02/13/AR2009021302514.html?sub=AR">global warming doesn't exist</a>, and while they generally get <a href="http://www.fivethirtyeight.com/2009/02/george-f-will-takes-on-science-loses.html">slammed</a> in certain online circles, the big names aren't losing their jobs. This suggests that a significant portion of the population still likes hearing about how <span>the sea ice is totally not melting at all</span>.<br /><br />And there is one facet to the global-warming-doesn't-exist camp that I acknowledge as having some merit. 
This is the argument that we humans don't know <span style="font-style: italic;">shit</span>. Despite all our <a href="http://video.google.com/videoplay?docid=-1110688500980448420&pr=goog-sl">jetpacks</a> and <a href="http://gl.ict.usc.edu/Research/3DDisplay/">holograms</a>, there are still a lot of things we don't understand, and how the climate works is by and large one of those things. Meteorology is hard, and you don't have to go farther than the local news to see how poorly we have mastered it. So yeah, the planet's been a bit uncomfortably warm lately, and we're kinda thinking maybe it has something to do with us, but we don't <span style="font-style: italic;">know</span> that. We can't <span style="font-style: italic;">prove</span> it. We can't even prove that <a href="http://science.slashdot.org/comments.pl?sid=201099&cid=16465737">cigarettes cause cancer</a>, so of course we can't prove that our dirty habits are causing the North Pole to become the world's biggest EZ-Bake oven.<br /><br />Take one step more moderate, and you can claim that we don't know what course global warming will take. This is hard to argue against because, well, we don't. Maybe things will level off again and we'll only lose Florida. Maybe <a href="http://hanson.gmu.edu/greatfilter.html">the Great Filter</a> will turn out to be something totally unrelated that wipes the floor with us long before we get too warm. Maybe Xenu just bumped into the thermostat dial on his way to the office and is gonna straighten things out as soon as he gets home.<br /><br />What I'd like to do is advance an argument that doesn't demand wholesale acceptance of global warming. Leave facts and statistics out of it, since there's not much we truly know on the subject. All I ask is that you acknowledge that global warming, in the human-created worldwide-catastrophe sense, is a possibility. 
The "we don't know" argument works both ways, so it's certainly conceivable that the pinkos are right and we're on the first SUV to Sweatyville, right?<br /><br />This is where Pascal comes into play. You've probably come across <a href="http://en.wikipedia.org/wiki/Pascal%27s_triangle">his triangle</a> at some point or another. But never fear, we're not doing math today. Pascal was a well-rounded dude, so besides being a skilled mathematician, he was a bit of a famous philosopher too. He's best known for a theological argument that has since become known as <a href="http://en.wikipedia.org/wiki/Pascal%27s_wager">Pascal's Wager</a>. To make short work of it (the hardcore philosophers out there are already wincing), Pascal reasoned as follows: <blockquote>We don't really know if God exists. But if he does, the stakes are high (eternal life, Hell, all that jazz). And if he doesn't, the believers aren't any worse off than the non-believers - we all cease to exist in the same way. So it's a good gamble to be pious regardless of any proof of God's existence.</blockquote><br />I'm not so sure that Pascal's claims of no cost were true - I would argue that the effort of regular church attendance is a cost, not to mention possible financial losses from behaving like a pious Christian rather than an opportunistic capitalist. And since Pascal probably wasn't happy with an entirely risk-return based belief - "I accept Jesus into my heart because it makes good economic sense" might not cut it with St. Peter - you'll be needing to convince yourself that you truly believe, which sounds like a lot of <a href="http://en.wikipedia.org/wiki/Emotion_work">emotion work</a> to me (bam! sociology blindside!). 
But the reasoning still stands with a non-zero cost - a little bit of piety during one's lifetime doesn't seem like such a sacrifice when compared to an eternity in Hell.<br /><br />Scott Adams (yes, the author of Dilbert) has taken the wager and run with it in <a href="http://dilbertblog.typepad.com/the_dilbert_blog/2007/07/pascals-wager.html">some interesting directions</a>, including the conclusion that we should become peace-loving Muslims. Of course, I have yet to convert (as does Adams), so maybe it's not as convincing as all that, but it's at least a good read. For me, the interesting next step of Adams' musing is this: Can we apply Pascal's argument to other avenues? I don't see why not.<br /><br />Pascal's argument is dealing with theoretically infinite values, but I am convinced that humans cannot actually conceive of the infinite (that really <span style="font-style: italic;">is</span> a topic for another day). My position is that our conception of infinite is the same as our conception of really, really big. I like Adams' framing of the argument in mathematical terms, because I don't think we have to actually hit infinity for the probability to tilt in our favor. Think about the math that considers what happens when a value is infinite, like <a href="http://en.wikipedia.org/wiki/Limit_%28mathematics%29">limits</a> or <a href="http://en.wikipedia.org/wiki/Big_O_notation">Big O</a>. It's all couched in terms of "as <span style="font-weight: bold;">x</span> approaches infinity" because all we need is for <span style="font-weight: bold;">x</span> to get big enough that the numbers behave in a predictable way. We can't actually model infinity in math, but once we see a definite trend, that last step is easy to infer. This isn't math we're doing here (trust me), but I argue that we can approach it the same way. 
If a reward is large enough, and the costs small enough, we can apply Pascal's wager to it.<br /><br />Sure, if you're already being a <a href="http://barefootbum.blogspot.com/2007/07/worst-apologetic-ever.html">pedant</a> about it, I bet you could trot out some claims about the types of logic involved. But frankly, if you're using phrases like "epistemic probability," I think you're already missing the point. Pascal's argument is just numbers. Adams gets this, and it's what helps him hit some interesting points without sounding like a pretentious windbag. The strength of the argument lies in pointing out some very big numbers and some not-so-big numbers, and from there any bookie could tell you which horse to bet on.<br /><br />So, the argument:<br /><br />If global warming exists, preventing it earns us the reward of continued existence. Worst case scenario: if the Earth keeps warming up, it's going to stop supporting human life sooner or later. We're remarkably fragile creatures, and our technological prowess will only get us so far, especially when we will have to cope with not only climate change but all the <a href="http://www.sciam.com/slideshow.cfm?id=top-10-places-already-affected-by-climate-change&thumbs=horizontal&photo_id=40DF5ED1-D4FF-29D2-C64A7E706AA67373">wars, famines, and tempests</a> that spring up as a result. We'll probably snap and bomb each other into oblivion long before the last corn crop fails, but the end result is the same - we cease to exist, Darwin declares us the weakest link and sends us home. The <a href="http://en.wikipedia.org/wiki/Water_bear">water bears</a> trundle along happily, and the universe quickly forgets about us.<br /><br />What are the costs of preventing global warming?<br /><ul><li>We might have to start driving cars that get more than 8mpg. Yes, I know you love your Expedition.</li><li>We should probably insulate our houses and use fluorescent bulbs. 
Quickly recouping your investment in monthly utility savings is a big sacrifice, I'm aware.</li><li>We'll have to research and improve alternative sources of energy. People, we're going to need to do this eventually, because the oil is going to run out, warming or not. I don't see why getting a head start on this is such a bad idea.</li></ul>The costs come down to this: we'll have to spend some money now. There are some more factors that mitigate this further, especially for Western society - we'll be creating local jobs, we'll be reducing our dependence on other nations, and so on. I'm not qualified to judge the strengths of all these arguments, nor do I feel the need to. I'm satisfied that the costs of reasonable action on this front are not ridiculous or unachievable. We don't have to sacrifice any sons or clean the Augean stables, so I think this is doable.<br /><br />So in one corner, we have a significant but manageable financial investment. In the other corner, we have the possibility of extinction of the species. Even if this possibility is somewhat remote by your reckoning, it's there, and it's a near-infinite value. Balanced against the low cost, this is a wise investment by the Pascal/Adams metric.<br /><br />Even if you don't think global warming exists, you should still buy a hybrid. Or, y'know, <a href="http://www.newbelgium.com/team-wonderbike">bike to work</a>.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com2tag:blogger.com,1999:blog-6697950304516138442.post-62461421118737128262009-01-11T18:57:00.016-06:002009-10-21T17:02:46.008-05:00Movies I Hate: War of the Worlds & Gone in 60 Seconds<span style="font-style:italic;">Hooray, filler! I only have one "Top Ten List" on Netflix, and it is titled <span style="font-weight:bold;">Movies I Hate</span>. Here are two of the members of that list. 
Enjoy.</span><br /><br /><div class="hreview"><div class="item"><h4 class="fn">War of the Worlds</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">Never before have I sat in a movie theater and actually wished that a scene would turn out to all just be a dream. But as I sat through the transcendentally bad denouement of this movie, I realized that if Tom Cruise woke up, and it was just a dream, and he was really dying of pneumonia, I would forgive everything this movie had put me through. I would forgive the fact that our so-called protagonist is a lousy father and totally unsympathetic character. I would forgive the fact that tanks and helicopters can't take down a Strider, but apparently Tom Cruise with a couple grenades can. I would forgive the fact that each time Dakota Fanning screamed, I involuntarily squirted a little bit of urine into my pants from the horror.<br /><br />It was not to be, and unless I blacked out momentarily from the sheer idiocy, the scene was not, in fact, a dream. If I end up an alcoholic five years from now, this movie is at least a little bit to blame. </div></div><br /><br /><div class="hreview"><div class="item"><h4 class="fn">Gone In 60 Seconds</h4></div><div class="half_star" title="1/2 star"><span class="rating worst">0.5</span> out of <span class="best">5</span> stars</div><br /><div class="description">What is the one reason we tolerate all the horrible plots, awful dialogue, and wooden acting in movies revolving around cars? Why, it's because we get to watch cars run into each other! So if you're going to make one of these movies, which element should you NOT remove? I'm no expert, but I would go with 'cars running into each other.' 
<br /><br />To this day I am at a loss for why anyone thought it was a good idea to give this movie a plot stipulating that none of the sexy cars the characters drive can be smashed to smithereens. That was all it had going for it. Instead all we get to see is some police cars hitting scenery, and every one of those is followed immediately with a shot of the bumbling policeman appearing from the wreckage unscathed. Because, y'know, if someone got hurt, Nick Cage might be morally responsible (gasp), and how could we root for a washed-up felon then?<br /><br />This movie also subjected me to the worst scene involving dirty talk and car parts I have ever witnessed. Really just one of the worst scenes of any type. It's been about five years, and I'm still angry.</div></div>Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0tag:blogger.com,1999:blog-6697950304516138442.post-31275042065988888682008-12-04T21:23:00.005-06:002011-08-31T01:52:54.747-05:0089.3 The Current and the Mysterious Non-Expanding PlaylistLet me say this much up front: I still love <a href="http://minnesota.publicradio.org/radio/services/the_current/">The Current</a>. I still have the dial on my car tuned there permanently, I still listen to the podcasts when I get a chance, I'm still a member. I'm saying this because the rest of this post is going to sound like Current-bashing. I still think it's a wonderful station - I just don't like the direction it feels we're heading.
<br />
<br />A short primer: A few years back, a magical public radio station was born. It billed itself as "<a href="http://www.startribune.com/entertainment/music/11510551.html">the antiformat</a>" station, gave the DJs a massive amount of freedom, and played music that was always fresh, varied, and exciting (and usually quite good besides). Then, somewhere along the line, someone decreed that certain songs needed to get certain amounts of airtime. DJs started being told what their playlists should contain. One DJ <a href="http://www.citypages.com/2008-03-26/news/the-current-shrinks-its-playlist/">quit over the issue</a>. And people like me started wondering why the same song was playing every day on my 20-minute commute. Not that it's a bad song, just... I don't need to hear it every single day. I don't need to hear <span style="font-style: italic;">any</span> song every day.
<br />
<br />But, rather than complain anecdotally, I decided to use <span style="font-weight: bold;">the power of numbers</span>. The Current makes a massive history of their playlist publicly available on their website, dating back to 2005. So I wrote a screen-scraper in Python to pull all the songs off the site and store them in a sqlite database, which I could then run queries on and make pretty spreadsheets and graphs.
<br />
<br />On methods: I tried to normalize all the data before storage, such as stripping non-alphanumeric characters and converting to lowercase letters. This helps increase correct matches. I also ran queries against songs grouped by (artist, title) to avoid false matches on title alone. I don't think I screwed anything up, but I have no formal training in statistics, so no promises. All code used to collect and analyze the data, <del>as well as the spreadsheets and graphs of the results,</del> is available for download under the GPL <a href="https://github.com/iangreenleaf/Radio-Playlist-Scrapers">here</a>.
<br />
<br />The question I wanted to answer was "is The Current's playlist shrinking, and how badly?" Generally speaking, a "good" playlist should play many different songs, and not play any particular songs too frequently. The challenge is to coax a subjective measurement like "good"-ness out of a massive pile of song listings.
<br />
<br />The first measure I have is the "unique song ratio" - that is, the number of <span style="font-weight: bold;">distinct</span> songs played in a period of time divided by the total number of songs played in that time. So it should be a fairly good measure of how much variety a playlist is offering. Higher is better - it means that for the same total playcount, a larger selection of songs is being played.
<br /><a href="http://www.flickr.com/photos/iangreenleaf/3080895539/sizes/o/" title="Unique song ratio by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3136/3080895539_67a9e98282.jpg" alt="Unique song ratio" height="500" width="499" /></a>
<br />The numbers themselves are somewhat arbitrary, but there's a pretty clear and shocking trend visible here. Somewhere near the end of '07, things take a massive dive. The ratio over a week, which was hovering around 0.9, drops to nearly 0.6. It makes sense that the ratio over a month is lower all along - over the course of a month, it becomes much more likely that the song you're playing has already been aired. But when the giant dip in the graph levels out, the ratio over a week has leveled out right around where the ratio over a month used to be. That can't be good.
<br />
<br />Similarly, we have average song plays, or the number of times a typical song will be played over a period of time.
<br /><a href="http://www.flickr.com/photos/iangreenleaf/3080895527/sizes/o/" title="Average song plays by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3022/3080895527_0f4f4df92f.jpg" alt="Average song plays" height="500" width="499" /></a>
<br />That same programming shift is visible here, peaking at an average of 2.5 plays per song per month and leveling out over 2.
<br />
<br />Of course, if The Current played every song exactly twice a month, I wouldn't have much room to complain (I might wonder if the director of programming had some neurotic tendencies, but that's a separate issue). My concerns lie more in whether certain songs are being overplayed. To further address that, let's measure the maximum playcount - the highest number of times any one song is played in a period of time.
<br /><a href="http://www.flickr.com/photos/iangreenleaf/3080895533/sizes/o/" title="Highest playcount for a single song by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3090/3080895533_95f6b97dde.jpg" alt="Highest playcount for a single song" height="500" width="499" /></a>
<br />Again, the same trend is plainly visible. And this time, the numbers themselves are troubling. The recent end of the graph is somewhere between 60 and 70. That's enough to play the most popular song for a given month more than twice a day, <span style="font-style: italic;">every single day</span>. The weekly count is up near 20, which is almost three times a day for that week.
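The three measures above, computed the way the post describes (normalize, store in sqlite, group by (artist, title)), as an added example that is not the author's scraper or analysis code; the play records are constructed, not real 89.3 logs.

```python
"""Playlist-variety metrics from the post: unique song ratio, average plays
per song, and highest playcount, per window of N days.

Added example, not the author's code. Constructed play records are
normalized as the post describes (non-alphanumerics stripped, lowercased),
stored in an in-memory sqlite database, and queried grouped by
(artist, title) so that spelling variants of one song count together.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample plays: (played_at, artist, title). Variants such as
# "Tapes 'n Tapes" / "Tapes n Tapes" must collapse into a single song.
SAMPLE_PLAYS = [
    ("2008-12-01 08:10", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-01 17:40", "the hold steady", "Sequestered In Memphis."),
    ("2008-12-02 08:05", "Atmosphere", "Yesterday"),
    ("2008-12-02 12:30", "Bon Iver", "Skinny Love"),
    ("2008-12-03 08:15", "Tapes 'n Tapes", "Hang Them All"),
    ("2008-12-03 20:00", "Tapes n Tapes", "Hang Them All"),
    ("2008-12-04 08:10", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-05 09:00", "Atmosphere", "Sunshine"),
    ("2008-12-06 11:00", "Low", "Monkey"),
    ("2008-12-07 14:00", "Cloud Cult", "Chemicals Collide"),
    # Second week: same number of plays, far less variety.
    ("2008-12-08 08:10", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-08 17:40", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-09 08:10", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-10 08:10", "The Hold Steady", "Sequestered in Memphis"),
    ("2008-12-10 12:30", "Bon Iver", "Skinny Love"),
    ("2008-12-11 12:30", "Bon Iver", "Skinny Love"),
    ("2008-12-12 08:05", "Atmosphere", "Yesterday"),
    ("2008-12-12 11:00", "Low", "Monkey"),
    ("2008-12-13 11:00", "Low", "Monkey"),
    ("2008-12-14 11:00", "Low", "Monkey"),
]

_NON_ALNUM = re.compile(r"[^a-z0-9]")


def normalize(text):
    """Lowercase and strip everything but letters and digits."""
    return _NON_ALNUM.sub("", text.lower())


def load_plays(plays):
    """Store normalized plays in an in-memory sqlite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plays (played_at TEXT, artist TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO plays VALUES (?, ?, ?)",
        [(ts, normalize(artist), normalize(title)) for ts, artist, title in plays],
    )
    return conn


def window_metrics(conn, start, end):
    """(unique ratio, average plays, max playcount) for plays in [start, end).

    Timestamps are ISO strings, so plain string comparison orders them.
    Returns None when the window holds no plays at all.
    """
    counts = [n for (n,) in conn.execute(
        "SELECT COUNT(*) FROM plays WHERE played_at >= ? AND played_at < ? "
        "GROUP BY artist, title", (start, end))]
    if not counts:
        return None
    total, distinct = sum(counts), len(counts)
    return distinct / total, total / distinct, max(counts)


def metrics_by_window(conn, window_days):
    """Split the whole history into consecutive windows of window_days."""
    first, last = conn.execute("SELECT MIN(played_at), MAX(played_at) FROM plays").fetchone()
    start = datetime.strptime(first[:10], "%Y-%m-%d")
    stop = datetime.strptime(last[:10], "%Y-%m-%d") + timedelta(days=1)
    results = []
    while start < stop:
        end = start + timedelta(days=window_days)
        metrics = window_metrics(conn, start.strftime("%Y-%m-%d"), end.strftime("%Y-%m-%d"))
        if metrics is not None:
            results.append((start.strftime("%Y-%m-%d"), metrics))
        start = end
    return results


if __name__ == "__main__":
    db = load_plays(SAMPLE_PLAYS)
    for label, days in (("week", 7), ("two weeks", 14)):
        for window_start, (ratio, avg, top) in metrics_by_window(db, days):
            print(f"{label} from {window_start}: unique ratio {ratio:.2f}, "
                  f"avg plays {avg:.2f}, highest playcount {top}")
```

The two-week window scores lower than either week on its own, which is the month-versus-week effect the post describes.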
<br />
<br />So... ouch. This isn't just a minor tweak to programming. To me, this looks like a shift in the very identity of the station. And I don't think I like the new Current as much as the old one.
<br />
<br />I don't want to get too hyperbolic. I'm sure these numbers would still look very good put up against <a href="http://www.cities97.com/main.html">a Clear Channel subsidiary</a>, or really just about any commercial station. I would have loved to compile some numbers from one of those stations to have a good laugh, but sadly I couldn't find any that made old playlists available. If you know of one, I'd be interested to hear.
<br />
<br />All the complaints flying around are not because we haven't counted our blessings - it's because we know just how lucky we are, and we're afraid we're slowly losing our treasured station to the mainstream. So no, it's not the end of the world, and I'm not convinced 89.3 has sold out to The Man just yet. But I used to describe The Current to my friends as "single-handedly saving radio." And I'm starting to wonder if I can still count on them for that. Maybe it's time to lay the responsibility in <a href="http://www.abc.net.au/triplej/">Triple J</a>'s hands.
<br />
<br /><h4>Postscript</h4>I want to close with one more analysis. Curious if drive time or other factors would affect the playlist at all, I ran a set of queries for the same uniqueness ratio as above, but now broken up into two hour time slots throughout the week (and yes, I included the weekend, whether that's good or bad).
<br /><a href="http://www.flickr.com/photos/iangreenleaf/3080895543/sizes/o" title="Unique song ratio by time block by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3126/3080895543_9acfa58278.jpg" width="499" height="500" alt="Unique song ratio by time block" /></a>
<br />The orange line along the bottom is the monthly value, included just for reference. As you can see, most of the time slots follow the general trend towards less variety very closely. There are three slots, however, that don't: those from 4AM through 10AM. The Morning Show runs from 5-9AM. Strangely, the 6-8AM slot actually takes an upturn as everything else heads down. Did they ramp up their eclectic selection in reaction to the station's overall homogenization? I don't know. At any rate, woo yay Morning Show! <a href="http://fitzgeraldtheater.publicradio.org/events/#morning_show">Too bad it's ending forever in a week</a>.
<br />
<br /><a href="http://www.flickr.com/photos/popinjaykev/516335793/" title="So Sad... by popinjaykev, on Flickr"><img class="subtle-border" src="http://farm1.static.flickr.com/234/516335793_748beddc24.jpg" alt="So Sad..." /></a>Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com3tag:blogger.com,1999:blog-6697950304516138442.post-55335372771386207042008-11-05T21:34:00.007-06:002009-08-08T01:47:22.989-05:00Visualizing sorting algorithmsI think sorting algorithms are cool. What? You're leaving already? But you only just got here...<br /><br />It's true, I think sorting algorithms are cool, and not only because I'm a huge, massive nerd who sometimes spends weekend evenings coding for fun. I think they're cool because they're one of the places where the theoretical side of computer science can almost be concretely realized.<br /><br />Visualizations of sorting algorithms not only make the process easier to grok, they sometimes look really cool. I like things like the <a href="http://en.wikipedia.org/wiki/Mandelbrot_set">Mandelbrot set</a> because it's beauty from a totally theoretical source. By providing a simple set of rules for how the output should display and letting the computation run its course, one can create art.<br /><br />So, when Grinnell's CS department started looking for a new logo, and John Stone brought up the idea of sorting a list of colors visually, I immediately liked the idea. Two Grinnell students, David D'Angelo and Soren Berg, had spent the summer implementing <a href="https://bugs.launchpad.net/inkscape/+bug/169967">a Scheme console in Inkscape</a>, and had recently given a very impressive presentation on their work. So I decided to give the idea a go with Inkscape and Scheme.<br /><br />The resulting code can be found <a href="http://www.iangreenleaf.com/inkscape_sorting.ss">here</a>. 
I tried to stick close to the functional paradigm, so you end up passing in a bunch of functions: most importantly, a function which takes a list and performs one "round" of sorting on it. In the examples here, I've tried to use "rounds" that take roughly <span style="font-style: italic; font-weight: bold;">n</span> time. So with the simpler algorithms, it's one pass through the list. With quicksort, it's picking one pivot and moving everything else to one side or the other. And so on.<br /><br />A visualization of mergesort that I made with this has been accepted as the new Grinnell CS logo, and will presumably be making an appearance on the website sooner or later.<br /><br />Enough exposition! Let's move on to the results.<br /><h4><br />Insertion Sort</h4>Well, we had to start somewhere...<br /><br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814183/" title="Insertion sort (with borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3050/2997814183_4120c86fb9.jpg" alt="Insertion sort (with borders)" height="500" width="283" /></a><br />Pretty straightforward, no? We start with a randomized list of colors on a gradient between black, Grinnell Red, and white. Each pass, we pull an item off the unsorted group and run through the sorted list to find the right spot for it. It works, and it's simple, but it's kinda dull and pretty slow.<br /><br />Here's the same sort without the black borders, for your aesthetic enjoyment:<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814189/" title="Insertion sort (no borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3034/2997814189_0457489b83.jpg" alt="Insertion sort (no borders)" height="500" width="284" /></a><br /><br /><br /><h4>Merge Sort</h4>Now we're talking. 
<span style="font-style: italic; font-weight: bold;">O(n log n)</span>, wooooo!<br /><br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814191/" title="Merge sort (with borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3156/2997814191_2c37e55f87.jpg" alt="Merge sort (with borders)" height="150" width="500" /></a><br />Each black border represents a sorted list (in the beginning, every list of one is sorted, because it only has one element). On every pass we merge these lists by twos, until we only have one list left.<br /><br />Here's an un-bordered merge sort:<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814193/" title="Merge sort (no borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3008/2997814193_7a51a3b981.jpg" alt="Merge sort (no borders)" height="149" width="500" /></a><br /><br /><h4>Quicksort</h4>Everyone's favorite fast algorithm that's still <span style="font-weight: bold; font-style: italic;">O(n^2)</span> in the worst case.<br /><br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814195/" title="Quicksort (with borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3035/2997814195_26126510d9.jpg" alt="Quicksort (with borders)" height="243" width="500" /></a><br />On each pass, a list is split into three lists: an arbitrary pivot, the items less than that pivot, and the items greater than it. You can see divide and conquer at work here: on the first pass there is just one pivot created. By the second, there are three: the original, and one pivot picked out of each of the sublists. 
In contrast to merge sort, here it is when we have a plethora of one-item lists that the sort is done.<br /><br />One without borders:<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997814197/" title="Quicksort (no borders) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3218/2997814197_8d9b40839f.jpg" alt="Quicksort (no borders)" height="223" width="500" /></a><br /><br /><h4>Bubble Sort</h4>That's right! A very special treat for you all!<br /><br /><a href="http://www.flickr.com/photos/iangreenleaf/2997819441/" title="Bubble Sort by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3219/2997819441_054a2ec127.jpg" alt="Bubble Sort" height="500" width="313" /></a><br /><br />Remember kids, just because it's kinda pretty, doesn't mean it's a good sorting algorithm.<br /><br /><h4>Other Stuff</h4>The cool thing is that now that I have my framework written, it's relatively easy to plug in new ideas. Following are a couple examples that I wrote up just recently.<br /><br />Quicksort on a value-only gradient.<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997819449/" title="Quicksort (value only) by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3042/2997819449_03474470b3.jpg" alt="Quicksort (value only)" height="408" width="500" /></a><br /><br /><br />Quicksort on a list across the entire range of hues. The previous examples sorted by a simple sum of the RGB values of each color. For this one, I wrote a new comparator that sorts by the Hue part of HSL and used that for the sorting instead.<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997819451/" title="Hues quicksort by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3006/2997819451_a8b5ea25e1.jpg" alt="Hues quicksort" height="297" width="500" /></a><br /><br /><br />Mergesort on the same list of hues. 
Yes, I realize these are obnoxiously bright.<br /><a href="http://www.flickr.com/photos/iangreenleaf/2997819455/" title="Hues merge sort by ian.greenleaf, on Flickr"><img class="subtle-border" src="http://farm4.static.flickr.com/3181/2997819455_beb9aedf1e.jpg" alt="Hues merge sort" height="149" width="500" /></a><br /><br /><br />Okay! That's all for now. Hope you have enjoyed this, and maybe it's even inspired you to think differently about sorting algorithms for a moment. I may get inspired to mess around with these more in the future, who knows. I feel like this is only brushing the tip of the iceberg as far as the potential of scripting in Inkscape goes. Another promising route is to use David and Soren's library of transformation functions to do cool things to the items in the lists after they've been created, or in relation to their stage in the sorting cycle. And this list-based approach could probably be applied to things besides sorting. I'm off to research entropy...Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com1tag:blogger.com,1999:blog-6697950304516138442.post-69382280560130899402008-10-28T21:49:00.006-05:002008-10-28T22:12:10.145-05:00How Bulk Political Mailing Should Be DoneA few days ago, I came across a real gem of a political mailing from the Republican Party of Minnesota. To a casual observer, it might just look like a sad smear attempt by a party hijacked by reactionaries and lacking any real substance. But I saw beyond the partisan hackery, and realized that this mailing had far more potential. It could be something truly great. 
And behold, with some scissors and glue, I made it so.<br /><br /><span style="font-weight: bold;">Before</span><br /><a href="http://www.flickr.com/photos/iangreenleaf/2983321486/" title="Before by ian.greenleaf, on Flickr"><img src="http://farm4.static.flickr.com/3036/2983321486_473feff326.jpg" alt="Before" height="375" width="500" /></a><br /><span style="font-weight: bold;">After</span><br /><a href="http://www.flickr.com/photos/iangreenleaf/2983322482/" title="After by ian.greenleaf, on Flickr"><img src="http://farm4.static.flickr.com/3285/2983322482_32ceca634f.jpg" alt="After" height="375" width="500" /></a><br /><br />For best results, read in your best <a href="http://www.youtube.com/watch?v=7QPMvj_xejg">Don LaFontaine</a> voice (and watch a preview or two in his memory).Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0tag:blogger.com,1999:blog-6697950304516138442.post-90019891422532605322008-08-27T00:27:00.013-05:002011-08-31T01:47:13.529-05:00Why I sign with PGP<div>If you've received email from me recently, there's a good chance it's arrived with a funny-looking header and footer. At the top, it will say
<br /></div><pre id="line1">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1</pre>And at the bottom is something like this:
<br /><pre id="line1">-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Promote trust on the internet - Use PGP!
Comment: http://enigmail.mozdev.org

iD8DBQFIqfcGDTFvtHdOkUcRAm4JAJ4vJrcQcAM7gtzoHbI8ul3bA7EUagCcC5aO
RLpYAOHP5YS40I0xSB89pDA=
=VHP3
-----END PGP SIGNATURE-----</pre>This all looks like nonsense. Has rage and bitterness finally won the battle for Ian's soul, leaving him banging the keyboard randomly while shouting obscenities at the Internet? No! Well, not yet anyways. This stuff around the message is a PGP signature.
<br />
<br />If I were to send you a letter or write you a check (hypothetically of course, I hate you all and you certainly aren't getting any of my money), at the bottom there would be a little scribble vaguely resembling my name, as penned by a somewhat slow seven-year-old learning cursive for the first time. This signature is the conventional way of saying "hey, it's really me, your old pal Ian, and I did write this."
<br />
<br />A PGP signature serves the exact same purpose for electronic communication. Of course, a string of letters proves nothing. But when I open a signed message in Thunderbird with the Enigmail extension installed, it looks something like this instead:
<br />
<br /><a class="img-link" href="http://static.iangreenleaf.com/images/blog/pgp/pgp_screen1.png"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/pgp/pgp_screen1_sm.png" alt="" /></a>
<br />That's nice, innit? That green bar means that I can have confidence that these somewhat unsettling threats are, in fact, from CM Lubinski, and he has electronically signed his name to them.
<br />
<br />Ok, so you're probably thinking that this is mildly interesting so far, kind of like a poorly-drafted version of Wikipedia, and it sure beats calculus or mopping the kitchen floor or whatever you ought to be doing, but, well, big deal. Dorks like Ian can get all excited about this PGP thing, but you're going to go trawl YouTube for some clips of a baby rabbit eating its own poo. You don't need all this signature stuff, right? Wait! That furry redigester will be there in ten minutes. First, read about...
<br />
<br /><h4>Why <span style="font-style: italic;">You</span> Need PGP</h4>You need PGP. You're complacent. Things are going smoothly on the internet. Your biggest problem most of the time is the occasional piece of spam that slips through the filters and annoys us for the ten seconds it takes to read "Fr33 V1agr@" and click Delete. But the convenience of technology hides an ugly truth: email is horribly, horribly insecure.
<br />
<br />Right now, <span style="font-style: italic;">right this instant</span>, I could send you a message purporting to be absolutely anyone. It doesn't even take that diploma sitting on my bookshelves to do it. The Grinnell mail server and a dirty trick (which I am not going to share) is sufficient. Oh look, good old Rupert sent me something just now:
<br />
<br /><a class="img-link" href="http://static.iangreenleaf.com/images/blog/pgp/mail2.png"><img class="subtle-border" src="http://static.iangreenleaf.com/images/blog/pgp/mail2_sm.png" alt="" /></a>
<br />I (or someone with considerably worse intentions) can pretend to be anyone in email. To illustrate my point further, here's an email coming from a domain name that doesn't even exist (I checked):
<br />
<br /><img src="http://static.iangreenleaf.com/images/blog/pgp/mail.png" alt="" />
<br />It doesn't have to be imaginary email addresses either. I could send a message with a bunch of inappropriate jokes to your boss that looks like it's from you. I promise I'm not going to, but I, or anyone else, <span style="font-style: italic;">could</span>. That's scary stuff. We've seen the tip of the iceberg on this with phishing emails that look like they come from accounts@ebay.com or whatever. People click those fake links by the boatloads and compromise all sorts of financial information. Even smart, internet-savvy people do. Why? Because we're complacent, and no one ever taught us to doubt that the person in the <span style="font-weight: bold;">From:</span> field actually sent that message.
<br />
<br /><h4>Encryption</h4>Scared yet? Here's some more food for thought: ever send private information through email? Like, say, financial information, or your company's business deals, or those emails you get when you register an account somewhere that sometimes have your new password in them. Or even just personal correspondence that you don't want to share with anyone except the recipient.
<br />
<br />Guess what - everything you send in email winds its way across the internet in "plain text" - meaning, anyone who looks can read it. If any link in the chain of servers and data lines between you and your recipient is compromised - like someone eavesdropping at your wireless hotspot, or a mail server that's been broken into by hackers, or someone tapping an ethernet line somewhere, or a <a href="http://arstechnica.com/news.ars/post/20060515-6829.html">spying government aided by crony telecoms</a> - all your email is sitting there waiting to be poked through. Additionally, there's very little oversight of how mail servers (of which any given message may cross through quite a few) are administered, so it's quite possible that your messages will end up sitting on the server or on backup tapes for a long time - quite possibly years.
<br />
<br />My point is this: we have no reason to be certain that everyone who gets a look at our email is trustworthy, and yet we send everything totally unprotected from prying eyes. It's like sending all of your bank deposits and love letters on postcards when some of the postmen have no credentials and didn't even pass a background check to get the job.
<br />
<br />Luckily, PGP also provides optional encryption. It's like the electronic version of a security envelope. An encrypted message looks like garbage, just a string of nonsensical letters. It's only when your intended recipient decrypts the message that it becomes readable again.
<br />
<br /><h4>How PGP Works (the short version)</h4>I want to give a brief overview of how PGP works. This isn't going to be the technical version (I'm not even qualified to give the technical version). It's also not going to be a guide to setting up your computer to use PGP. For that I simply direct you to the two plugins I use and like: <a href="http://enigmail.mozdev.org/documentation/quickstart.php">Enigmail</a> and <a href="http://getfiregpg.org/">FireGPG</a>, and especially the <a href="http://enigmail.mozdev.org/documentation/quickstart.php">quick start guide for Enigmail</a>, which is really stellar and walks you through the steps of setting it up and using PGP for the first time. In this article, I just want to explain the underlying concepts so you can see how PGP works, and why it's such a great idea.
<br />
<br />To start using PGP, you create a "key pair," which consists of two parts, a public key and a private key. Your public key is something you can give to everyone - you can email it as a file, put it somewhere online, upload it to a <a href="http://pgp.mit.edu/">keyserver</a> (try searching for my name or email address), whatever. Your private key, as the name suggests, you keep to yourself - it's usually password protected as an additional layer of security. These two keys are tied mathematically. I don't pretend to understand all the details, but it's something to do with factoring large numbers into primes, and the important point is that it's very quick to go one direction, but incredibly difficult to go the other. So while someone could, in theory, guess your private key using only your public key, it would take the world's fastest hardware thousands of years (yes, human years) to do so. Basically, these keys are pretty secure.
<br />
<br />Now, when you write an email and sign it with PGP, the program uses your private key to create a string of letters that is algorithmically tied to the contents of your message. When someone receives your message and wants to verify that it came from you, they take your public key and reverse the process, checking the signature against the message. Verifying a PGP signature assures you that the message came from the owner of the key because only the person with access to the private key could have created that signature. When you want to encrypt something, you take <span style="font-style: italic;">your recipient's</span> public key and use that to turn the message into gobbledygook. That way, only the person with access to the private half of that key (i.e. your intended recipient) will be able to decrypt and read the message.
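The sign/verify and encrypt/decrypt flow described above, as an added example in Go using the standard library; it is not GnuPG's code or the post's own, and Enigmail does all of this for you. It uses RSA (the "factoring" kind of key pair the post alludes to) and SHA-256 rather than the SHA1 shown in the sample signature. Real PGP encrypts a random session key with the recipient's public key and the message body with a symmetric cipher, so the direct RSA encryption here is limited to short messages. The names and message text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair creates an RSA key pair. The *rsa.PrivateKey is the half you keep;
// its embedded PublicKey is the half you publish (keyserver, website, footer).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the message and signs the digest with the sender's private key,
// so the signature is bound to the exact bytes of the message.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify reverses the process with the sender's public key: it recomputes the
// digest and checks the signature against it. Any change to the message or the
// signature, or a signature made with a different private key, yields false.
// Note what this proves: that the holder of the private key signed these bytes,
// not who that holder is. Tying a key to a person is the job of the trust model.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Encrypt turns the message into "gobbledygook" with the recipient's public
// key (RSA-OAEP). With a 2048-bit key and SHA-256 the input is capped at
// 190 bytes, which is why PGP uses this only for a session key.
func Encrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt recovers the plaintext; only the matching private key succeeds.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	ian, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	msg := []byte("Hi CM, it's really me. -Ian") // constructed sample message
	sig, err := Sign(ian, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&ian.PublicKey, msg, sig))
	fmt.Println("altered message verifies:", Verify(&ian.PublicKey, []byte("Hi CM, send money. -Ian"), sig))

	ct, err := Encrypt(&ian.PublicKey, []byte("for Ian's eyes only"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(ian, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with Ian's private key: %s\n", pt)
}
```

The two halves are independent: signing uses the sender's key pair, encryption uses the recipient's, and a message that is both signed and encrypted (Enigmail's default when it can) goes through both.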
<br />
<br /><h4>A Brief Interlude on Trust</h4>There's one more feature of PGP I want to touch on briefly, because I think it's pretty cool: the concept of trust.
<br />
<br />I've been going on and on about how secure PGP is, but there's a hole in all this: how do you get other people's keys in the first place? After all, just because someone puts a key up on a public keyserver saying they're James T. Madison, you have no proof that that's actually who made that key. If you downloaded the key from that person's personal website or imported it the first time they sent you a signed message, you might trust that it's who you think it is. If they gave you the key in person, say, printed on a business card, you might trust it a whole lot more. But of course, it's not feasible to get all your keys in person - email is supposed to be convenient.
<br />
<br />Keeping that in mind, let's do a quick thought experiment. In real life, you trust Bill because you've been friends with him for ten years and he's always been reliable and honest. Bill has a friend, Jack, who you have never met. But Bill vouches for Jack, and since you trust Bill, you trust Jack (to a certain extent).
<br />
<br />PGP has functionality that emulates these sorts of relationships - the phrase "webs of trust" gets used a lot. When you import someone else's key, you can specify how much you trust that key. And, if you choose, you can <span style="font-style: italic;">sign</span> other people's public keys, which is like vouching that they are who they claim to be. So suppose I have complete trust that John Stone's key is legit, because I got it from him in person. I sign Stone's public key. Now maybe CM just pulled Stone's key off a public server. He doesn't know if he should trust it or not. But say CM already trusts my key - since he trusts me and I have signed (vouched for) Stone's key, CM's PGP program knows that Stone's key is reasonably trustworthy.
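The vouching logic just described, as an added Go example; it is not GnuPG's implementation, but it loosely mirrors GnuPG's model: a key you verified yourself is valid, and otherwise a key is valid if it is signed by one fully trusted valid key or by enough marginally trusted valid keys, with a cap on how many hops trust may travel. The types, thresholds and the sample keyring (the Ian, Stone and CM scenario from the post plus the Bill and Jack of the thought experiment, and a constructed "mallory" signed only by a stranger) are this example's own.

```go
package main

import "fmt"

// Trust is how far the keyring's owner trusts someone as an introducer, that
// is, how much weight their signatures on other people's keys carry.
type Trust int

const (
	Unknown  Trust = iota // no opinion about this person as an introducer
	Marginal              // fairly careful; several of these add up to validity
	Full                  // one signature from them is enough
)

// Keyring is one user's view of the world.
type Keyring struct {
	Verified        map[string]bool     // keys checked out of band (in person, business card)
	OwnerTrust      map[string]Trust    // how much each key's owner is trusted as an introducer
	Signers         map[string][]string // key ID -> IDs of the keys that signed it
	MarginalsNeeded int                 // marginal signatures needed for validity
	MaxDepth        int                 // how many hops trust may propagate
}

// Valid reports whether the keyring's owner should believe that the key with
// this ID really belongs to the name on it.
func (k *Keyring) Valid(id string) bool {
	return k.valid(id, k.MaxDepth, map[string]bool{})
}

func (k *Keyring) valid(id string, depth int, visiting map[string]bool) bool {
	if k.Verified[id] {
		return true
	}
	if depth == 0 || visiting[id] {
		return false // out of hops, or a cycle of keys vouching for each other
	}
	visiting[id] = true
	defer delete(visiting, id)
	marginals := 0
	for _, signer := range k.Signers[id] {
		if !k.valid(signer, depth-1, visiting) {
			continue // a signature from a key we cannot validate says nothing
		}
		switch k.OwnerTrust[signer] {
		case Full:
			return true
		case Marginal:
			marginals++
		}
	}
	return k.MarginalsNeeded > 0 && marginals >= k.MarginalsNeeded
}

// NewExampleKeyring is CM's keyring in the post's scenario: CM verified Ian's
// key in person and trusts Ian fully; Ian signed Stone's and Bill's keys; Stone
// and Bill (marginally trusted) both signed Jack's; "mallory" is a constructed
// key signed only by a stranger nobody has verified.
func NewExampleKeyring() *Keyring {
	return &Keyring{
		Verified:   map[string]bool{"ian": true},
		OwnerTrust: map[string]Trust{"ian": Full, "stone": Marginal, "bill": Marginal},
		Signers: map[string][]string{
			"stone":   {"ian"},
			"bill":    {"ian"},
			"jack":    {"stone", "bill"},
			"mallory": {"stranger"},
		},
		MarginalsNeeded: 2,
		MaxDepth:        3,
	}
}

func main() {
	cm := NewExampleKeyring()
	for _, id := range []string{"ian", "stone", "jack", "mallory"} {
		fmt.Printf("%-8s valid: %v\n", id, cm.Valid(id))
	}
}
```

Two things the code makes visible that the prose glosses over: a signature only counts if the signing key is itself valid and its owner is trusted as an introducer (trusting that a key is Stone's is separate from trusting Stone's judgement about other keys), and the depth limit is what keeps a chain of strangers from laundering a bogus key into validity.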
<br />
<br /><h4>The Future of Trust</h4>Stop and think about webs of trust for a second. Isn't it a cool idea? This is the power of social bonds, realized in electronic form. Picture a world where everyone uses PGP. Imagine how hard it would become for frauds to work their way into a position to do any real damage when no one will vouch for them. Imagine the freedom to trust, really <span style="font-style: italic;">trust</span>, people on the Internet. This is where I think PGP could take us.
<br />
<br /><h4>One More Time, Why?</h4>Okay, so I think PGP is important. But why am I signing all my emails with it, when next to none of my recipients are currently equipped to handle it? I have several reasons, most of which are inspired by <a href="http://www.cs.grinnell.edu/~stone/">John Stone</a>'s opinions on this topic:
<br /><ul><li>Someone's gotta do it. If we all hang around waiting for other people to use PGP first, it will never happen. By signing my messages with PGP, the benefits are immediately available to anyone who sets it up and imports my key. </li><li>Advertising the functionality. Sending signed messages advertises my public key. If you want to send me an encrypted message, you know I am equipped to handle it, and you can pull my public key from the signed message to use for encrypting.
<br /></li><li>Proselytizing. This is probably my biggest reason for signing at the moment, and is also my reason for writing this post. I hope that some small percentage of people who receive my signed messages will, rather than being confused or just ignoring the extra stuff, be curious and look into PGP, and maybe realize what a great thing it is. I plan to link to this post in the comment section of the signature, in hopes of furthering this goal.</li></ul>
<br /><h4>Final Thoughts</h4>Go! Go install Enigmail or FireGPG! Do it! It's fifteen minutes of time now, but after that, they run quietly and unobtrusively in the background. You can do like I do and sign everything you send out, or you can just use it to verify any signatures you get and sign outgoing messages selectively (I guarantee if you send me a signed message, it will brighten my day). You're making yourself safer, and you're furthering a very worthy cause. The Internet is a cool place, people. But it belongs to us and it's our job to keep it respectable. Use PGP.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com1tag:blogger.com,1999:blog-6697950304516138442.post-46926153617634546522008-08-01T00:44:00.001-05:002008-08-01T17:55:14.472-05:00Hacking Grinnell Laundry<span style="font-size:85%;"><span style="font-style: italic;">Disclaimer: I am giving you the knowledge, I am not dictating how it should be used. That's up to you to decide.</span></span><br /><br />Easy steps to being a Grinnell outlaw:<br /><ol><li>Put your laundry into a dryer. Pay with your P-card.</li><li>Hit "Delicates" or the other option that isn't "Colors/Whites". Your dryer should fire up with something like 70 minutes on it.</li><li>Open the dryer door. Close it again. The dryer will start blinking <span style="font-weight: bold;">Select Cycle</span>.</li><li>Hit "Colors/Whites". The dryer display indicates that it is using the Colors setting (i.e. higher heat) but with all 70 minutes or whatever you got out of step 2.</li></ol><br />For the record, I haven't actually checked to see if the dryer is doing what it claims to be doing. It could be so dumb that it is displaying one setting while giving you lower heat. I don't know. 
I do know that Grinnell laundry machines are crap.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0tag:blogger.com,1999:blog-6697950304516138442.post-31984784478079997312008-08-01T00:30:00.002-05:002008-08-03T00:09:24.740-05:00The Laundry Day Boxer ProblemAs a certified lazy person, I've been known to put off chores like, say, laundry for quite some time. And since I can keep wearing the same pair of pants until I drop food on them or something, it's easy to let things slide a little too long. To moderate my laziness in this regard, I use a tried and true lazy person technique: laundry day boxers.<br /><br />This is the pair of boxers that stays in the drawer until all the other boxers are gone. This is the pair that is so garish that even in your sleep-addled 8am state, you can't help but notice what you're putting on, and realize that this means the grace period is up. You can't put it off any longer. Your laundry day boxers are a constant reminder that you need to do laundry <span style="font-style: italic;">now</span>.<br /><br />I know some of you own laundry day boxers. Don't be shy. Mine are bright orange, with little bats and Frankenstein monsters on them. My old roommate had a pair that were silk, with a screenprint of Elvis on them - brilliant.<br /><br />Now here's where I encounter a problem (see, that title was relevant after all!): I need something to wear on laundry day. That, naturally, is my laundry day boxers. But I can't wash them because I'm wearing them. So come next laundry day, what will alert me that it is, in fact, laundry day? My laundry day boxers are now dirty and in the laundry, where they are useless to me. Useless!<br /><br />Having ruminated long and hard on this problem, the only solution I can come up with is to obtain a second pair of laundry day boxers. At that point it's just a bootstrapping problem to arrange things so that one pair remains clean the first time I do laundry post-acquisition. 
Then, come that first laundry day, the dirty pair gets cleaned while I wear the clean pair, and I alternate from then on.<br /><br />It doesn't seem quite <span style="font-style: italic;">right</span> though. I really feel like each person should only own one pair of laundry day boxers. Call me old-fashioned, but when it comes to laundry day boxers, I believe in monogamy. I mean, when you're cavorting around in your purple sequined laundry day boxers, how do you think the ones with the Taco Bell chihuahua feel, down at the bottom of the hamper? Maybe I'm just off on this particular topic. Anyone out there own more than one pair of laundry day boxers? Maybe if I got two identical pairs, that might be a reasonable compromise - it's like I'm wearing the same pair, even if they're actually twins. And with that, I've strayed into borderline creepy analogy territory. Moving on.<br /><br />Is this two-boxer solution the only way? Am I overlooking something painfully obvious? I feel like one of you people who likes game theory or something should be able to model this mathematically. This is serious business, folks.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com3tag:blogger.com,1999:blog-6697950304516138442.post-3874817779519400362008-04-22T21:42:00.001-05:002008-06-26T16:01:20.767-05:00Hello, WorldThis is a good blog. It is probably not the best blog.<br /><br />If you're looking for the stories of my travels in the land down under, those are at <a href="http://iangreenleafaussie.blogspot.com/">iangreenleaf.blogspot.com</a>.Ianhttp://www.blogger.com/profile/14922548722060582232noreply@blogger.com0