
mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Winterfaire 2018 is open at The Wordsmith's Forge. Browse! Shop! Buy!

I may set up a booth later; I have to look around the pavilion and see whether I have any stock left.

NaBloPoMo stats:
  15537 words in 29 posts this month (average 535/post)
     56 words in 1 post today
      2 days with no posts

mdlbear: (river)

Not a whole lot today. I had been expecting Colleen to get out of the hospital today; apparently that will happen tomorrow. Desti had the cyst on her shoulder removed; she was gone most of the day. I got very little else done -- I could blame worry, but really it was just being unable to focus.

My health doesn't seem to have changed much; that's a very good thing. It could be better -- Colleen seems to be planning a healthier diet, which will help -- but it could also be a lot worse.

NaBloPoMo stats:
  15457 words in 28 posts this month (average 552/post)
    110 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Not too bad a week, modulo the fact that Colleen has been in the hospital since Monday; she went straight from her nephrology appointment to the ER. Her kidney function is recovering, thank goodness, and she has fired her old urologist in hope of finding someone in the Everett/Providence system who can do a better job of it. (Notes may include medical TMI, so be aware of that.) On the other hand, we had the whole family together for Thanksgiving, both in Colleen's hospital room and the house. We'll end it with music in Colleen's room this afternoon.

We've done quite a bit of singing, so that's good too.

In NaBloPoMo status, I missed posting Friday (and posted what I'd intended to post then on Saturday). So I'm still on track with number of posts, but not posts per day. Blarg. (For writing every day, I could count the work I did in the Rails tutorial.)

Anyway, not much to say this time. Probably the top link is One Atom of Justice, One Molecule of Mercy, and the Empire of Unsheathed Knives, by Alexandra Rowland, by way of this comment from kyleri on last week's s4s about "The Mary Ellen Carter". It's about "hopepunk", which seems particularly appropriate for this week.


NaBloPoMo stats:
  15374 words in 27 posts this month (average 569/post)
   1513 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

We took advantage of the fact that N and her kids are up at this end of the household for Thanksgiving to get in some practice. Mostly this consisted of songs we are working on harmonies for; in addition the idea is to go down to Everett tomorrow and sing for Colleen in her hotel hospital room. Fortunately there's a lot of overlap. I'm not entirely sure of the order, but we worked on:

There's a story about "Gentle Arms of Eden". Back in 2009, at Consonance, I was in two different groups, Tres Gique and Tempered Glass, which had consecutive concerts at Consonance. We also had a problem -- we wanted to move a song out of the second set so that Tres Gique's bass player wouldn't have to come back on stage during the second concert for that one song. N thought for a little while and pulled up a set of lyrics and chords from some website or other, and asked if I thought I could play guitar on it. I looked at it -- it's in G -- and said yes. I spent the next 20 minutes running through it with N before going on stage for the Tres Gique concert; we sent Tres Gique's drummer down to the lobby to print it out.

We got the printed lead sheet about half a minute before going on stage for the Tempered Glass set, and pretty much nailed it.

NaBloPoMo stats:
  13854 words in 26 posts this month (average 532/post)
    548 words in 2 posts today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

So, I didn't manage to make yesterday's post -- I got distracted, so instead I had to finish up what I'd been working on this morning.

It's moderately incomprehensible unless you've been reading this blog very closely, so there will be (perhaps totally unnecessary) notes. No [references] because they would interrupt the flow, as well as being too obvious.

Molly Electric blue. The Only possible color. Skip the drywall jokes.

I will resist the temptation to back-date this.

NaBloPoMo stats:
  13506 words in 25 posts this month (average 540/post)
    200 words in 1 post today
      1 missed day

mdlbear: Wild turkey hen close-up (turkey)

It's (American) Thanksgiving, so this is the day when I try to include an extra helping of gratitude and maybe add a few explanations. So here we go: Today I'm grateful for...

  • my family, the Rainbow Caravan: my wife Colleen, my sister N, her husband G, my niblings j and m, and our housemate L. The extended family: our kids Chaos and Emmy, the Niblings' other parents, assorted cousins, and most especially my Mom and N's parents.
  • our feline family members: Desti, Ticia, Cricket, Bronx, and Brooklyn.
  • all of my friends on and off the net. Present company explicitly included.
  • our health -- or at least the good parts. Despite serious crises for many of us, we are all still alive and more-or-less functional. No thanks to our assorted conditions -- we are alive in spite of them. Or should that be "to spite them"?
  • modern drugs and medical technology, without which many of our respective health conditions would have been fatal rather than merely harrowing.
  • our medical insurance, what there is of it. Because we live in the US, the above-mentioned modern medicine is overpriced and incompletely covered, but at least it's mostly covered. No thanks to the pharmaceutical and insurance industries and their paid lackeys in Congress.
  • music: the filk community, my bandmates N and m, and the songs -- notably "The Mary Ellen Carter" and "Bells of Norwich" -- that get us through rough times.
  • modern computing technology, particularly the communication protocols and software that tie our household together: TCP/IP, HTTP, ssh, slack, signal, firefox, and dreamwidth, among others. Also noteworthy are git and rsync, each of which has saved my arse more than once.
  • the GNU project for emacs, make, and bash; Don Knuth for TeX, Leslie Lamport for LaTeX, Linus Torvalds for linux and git, and IBM for the Thinkpad keyboard.
  • Whidbey Island.

NaBloPoMo stats:
  13281 words in 24 posts this month (average 553/post)
    328 words in 1 post today

mdlbear: (river)

So, once again I find myself approaching the end of a day without a post, so I'll give you an update on Colleen. When she got to her appointment with the nephrologist Monday, they took one look at her lab results and told her to go to the hospital, stat. Apparently her kidney function was way down. (It has improved somewhat since then, but it's still rather scary.)

It feels like a lot longer than two days. I'm worn out. Some changes in her medication this evening should help with her level of comfort. (I'm going to skip the details, since I'm too frazzled to put in a cut tag just now.) She's fired her urologist, which is expected to be an improvement.

I called the kids and my Mom a little while ago. Should call Mom before I leave for home. I've been keeping N in the loop via Slack.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Because I'm thinking about it, and am too tired to think about what to post, I thought I'd post my Mom's recipe for cranberry relish.


  • A bag or two of raw, whole cranberries.
  • Apples. One or two per bag of berries, depending on size.
  • Oranges. Maybe one per two bags.

Chop everything up coarsely in a food processor. Even better, if you can find it, is an old-fashioned hand-cranked meat grinder, because that mashes the ingredients rather than simply cutting them.

Put it in the fridge overnight. The next day, add sugar if it seems to be necessary -- don't do it before then because the flavors won't have blended.

I have no idea where Mom found the recipe, and I don't think I've ever seen an "official" printed version -- it's all seat-of-the-pants. Colleen and I have been making it for the last forty-odd years.


NaBloPoMo stats:
  12751 words in 22 posts this month (average 579/post)
    169 words in 1 post today

Cat desk

2018-11-19 06:09 pm
mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Once again I find myself at the end of the day with no post, and a very uncertain schedule for the evening because Colleen is in the hospital again. But I ran across this intriguing piece of furniture elsenet:

Ascend Desk on Behance


I may have found my next woodworking project.

NaBloPoMo stats:
  12558 words in 21 posts this month (average 598/post)
    101 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

I have, perhaps somewhat surprisingly, kept up my daily posting schedule. Some of the posts have been random babbling, of course. You'll find the stats at the end of the notes.

Wednesday L noticed that the fluid-filled cyst on Desti's shoulder had apparently drained itself -- I made a vet appointment for that afternoon to have it checked. She has another appointment a week from Monday to get it removed. Wish us luck.

Thursday Colleen had labs done in preparation for her urology appointment tomorrow; Friday her doctor called and told her to get to her nephrologist ASAP. It looks like she may need dialysis. So Monday's appointment will be with the nephrologist instead. Bletch. Friday we were both kind of in shock. N came up Friday evening to help us deal with it -- my little sister is wonderful.

That's also why I posted The Mary Ellen Carter under s4s yesterday.

Following up on Friday's post about the Kilogram, I posted a couple of haiku yesterday as my contribution to the Crowdfunding Creative Jam. And if you want to dig deeper, NIST has put up a detailed write-up on the SI redefinition. It's a lot more readable than either my post or the Wikipedia articles I linked to.


NaBloPoMo stats:
  12445 words in 20 posts this month (average 622/post)
   1433 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

It isn't the song I originally intended to write about, but it's been a rough week, and the first song I turn to when things are going down the tubes is "The Mary Ellen Carter".

You probably know it, especially if you've been hanging around me, or filkers in general, for a while. Just in case you don't, though, or you need to hear it again, here's Stan Rogers singing it. It's the second version I heard; I don't remember who I first heard singing it at a con, but I tracked down the CD -- it's on Home in Halifax -- and learned it, because I had to. The lyrics are in the first comment, but just in case you want a version with chords, here you go.

It's not about making me feel better. That doesn't work. It's about making me feel defiant enough to damned well get up and keep going anyway.

Afterward, depending on what's going on, I'll sing "Desolation Row", "Bells of Norwich", or maybe even QV. But it's "The Mary Ellen Carter" I turn to first.

And you, to whom adversity has dealt the final blow,
With smiling bastards lying to you everywhere you go,
Turn to, and put out all your strength of arm and heart and brain
And like the Mary Ellen Carter, rise again.
Rise again, rise again; though your heart it be broken
And life about to end,
No matter what you've lost, be it a home, a love, a friend
Like the Mary Ellen Carter, rise again.

See you next week.

NaBloPoMo stats:
  11005 words in 19 posts this month (average 579/post)
    438 words in 2 posts today

mdlbear: (crowdfunding)

The theme of today's crowdfunding Creative Jam is Empowerment. Following up on yesterday's post, and the role of the Watt Balance (now called the Kibble balance, in honor of its inventor) in replacing the standard kilogram by defining the Planck constant as precisely 6.62607015×10^−34 joule-seconds, I came up with:

A watt balance weighs
The old standard kilogram.
Planck's Constant defined.

A lump of metal
Is finally replaced by
Something eternal.

There's something epic -- or at least haiku-worthy -- in the story of replacing an imperfect artifact with a precise definition, a century and a quarter after it was made.

Everyone is of course encouraged to join in the Creative Jam.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

I was all set to start another curmudgeon post today, except that I read about "A massive change" and fell down a rabbit hole. Tl;dr: everything you think you know about the metric system has just changed completely. You won't notice the difference.

You probably know at least a little about the history of the metric system. Developed during the French Revolution, it was based on the unit of length, the mètre ("meter", in the American English familiar to most of my readers), which was defined as one ten-millionth of the distance between the north pole and the equator on the meridian passing through Paris. The gramme was defined as the weight of a cube of pure water with sides of one-hundredth of a metre and at the temperature of melting ice. Or in more familiar terms, the weight of a cubic centimetre of water. The French philosopher Marquis de Condorcet called it a system "for all people for all time".

The intent was for the system to be based on unchanging physical phenomena. That didn't last. It's really hard to use the Earth as a reference, so in 1795 a brass metre bar was constructed, and in 1799 two platinum reference objects were manufactured, the mètre des Archives and kilogramme des Archives. (The standard metre was found to be about 0.02% short, meaning that the standard was now based only on a couple of chunks of metal.) New reference objects were created in the 1870s.

I'm going to skip ahead to 1960, when the metre was redefined by the eleventh CGPM (Conférence Générale des Poids et Mesures) as exactly 1,650,763.73 wavelengths of the orange-red emission line in the electromagnetic spectrum of the krypton-86 atom in a vacuum. That conference also defined the rest of the International System of Units (SI, from Système international d'unités). In 1967 the 13th CGPM redefined the second, which had been defined in 1958 as 1/86400 of the year 1900, as 9192631770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the caesium-133 atom.

The nice thing about that definition of the second is that it can't change. That made it possible to redefine the metre, as the distance light travels in 1/299,792,458 of a second. The speed of light in a vacuum isn't going to change, either. That leaves the kilogram.

All the units of the SI are derived from a small number of base units: the metre for length, the second for time, and the kilogram for mass, as well as the ampere for electric current, the kelvin for temperature, the candela for luminous intensity, and the mole for amount of substance.

I've always been kind of intrigued by the mole, which is defined as the number of atoms in 12 grams of pure Carbon-12 (Avogadro's number). Or rather it was defined...

Anyway, of the other base units, the ampere and the mole have definitions that depend on the kilogram. The kelvin, defined as 1/273.16 of the thermodynamic temperature of the triple point of water, doesn't, but it's also rather hard to measure precisely. The candela has a precise definition, but since it's in lumens per watt it depends indirectly on the kilogram.

All that changed yesterday with the new definitions voted in by the 26th CGPM (which take effect May 20, 2019).

The new definitions all result from defining exact values for various physical constants, rather than things that have to be measured. Specifically, the newly-defined constants will be:

  • The Planck constant h is exactly 6.62607015×10^−34 joule-second (J⋅s).
  • The elementary charge e is exactly 1.602176634×10^−19 coulomb (C).
  • The Boltzmann constant k is exactly 1.380649×10^−23 joule per kelvin (J/K).
  • The Avogadro constant NA is exactly 6.02214076×10^23 reciprocal mole (1/mol).

There are also three that don't change:

  • The speed of light c is exactly 299792458 metres per second (m/s).
  • The ground state hyperfine splitting frequency of the caesium-133 atom Δν(133Cs)hfs is exactly 9192631770 hertz (Hz).
  • The luminous efficacy Kcd of monochromatic radiation of frequency 540×10^12 Hz is exactly 683 lumens per watt (lm/W).

Naturally, the new defined values for the various constants have been chosen to be equal to the best current measurements of them, so there will be exactly no effect on anything you can measure outside of a lab. The whole process had to wait until the various measurements of the kilogram agreed to one part in 10^8 (1/100,000,000).
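As an added worked derivation, not part of the original post, here is how the Kibble balance turns a fixed value of h into a kilogram. The symbols B, L, I, U, v, g, n, n', f_J, f'_J and i are my labels for the balance's magnetic field, coil length, current, induced voltage, coil velocity, local gravity, Josephson step numbers and microwave frequencies, and quantum Hall plateau index.

```latex
% Weighing mode balances the weight of the mass against the force on a coil
% of length L in field B carrying current I; moving mode measures the
% voltage U induced when the same coil moves through the field at speed v.
m g = B L I, \qquad U = B L v
\;\;\Rightarrow\;\; m g v = U I
\;\;\Rightarrow\;\; m = \frac{U I}{g v}

% U is read against a Josephson voltage standard (n steps at frequency f_J);
% I is a second Josephson voltage U' across a quantum Hall resistance
% R = R_K / i with R_K = h / e^2.
U = \frac{n f_J h}{2e}, \qquad
I = \frac{U'}{R} = \frac{n' f'_J h}{2e} \cdot \frac{i e^2}{h} = \frac{n' f'_J\, i\, e}{2}

% The elementary charge cancels in the product; only h survives.
U I = \frac{n n' f_J f'_J\, i\, h}{4}
\;\;\Rightarrow\;\;
m = \frac{n n' f_J f'_J\, i}{4 g v}\, h

% g and v are measured in metres and seconds (gravimeter, laser
% interferometer) and the frequencies in hertz, all of which are already
% defined without the artifact. Before the redefinition this relation was
% run with m equal to the kilogram artifact to measure h; afterwards
% h = 6.62607015 \times 10^{-34}\ \mathrm{J\,s} exactly and the same
% relation realises the kilogram instead.
```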

So, finally, after just short of two and a quarter centuries, the metric system achieves the original dream of a system of measurement based on unchanging physical phenomena. It's not going to make a whole lot of difference in practice, but it's nice to know that it's not going to change any more.

NaBloPoMo stats:
  10560 words in 17 posts this month (average 621/post)
    837 words in 1 post today

mdlbear: Wild turkey hen close-up (turkey)

Today I'm grateful for:

  • My family; especially Mom
  • Our cats, and our cats' vet
  • Companies that have given me a phone screen and haven't rejected me yet
  • My health (because what there is of it is still better than my housemates', which says something, but I'm not sure what)
  • Still having things to learn.

NaBloPoMo stats:
   9716 words in 16 posts this month (average 607/post)
     84 words in 1 post today

mdlbear: (river)

As it turns out, coming up with four new post topics every week is fairly hard. (Four, because the other three are Thankful Thursday, Songs for Saturday, and Done Since). It's much easier to drift along watching math videos on youtube, listening to Dave Carter songs, and reading other people's blog posts rather than writing my own. So you get more rambling randomness tonight. I believe this is what they call writer's block. Or laziness.

Ticia is watching me. She wants me to come to bed. Silly cat.

Every time I look at a job description I'm struck by how little I can actually do, and how ill-prepared I was -- am -- for this stage of my life. What was I thinking? Where am I going, and what am I doing in this handbasket?

NaBloPoMo stats:
   9625 words in 15 posts this month (average 641/post)
    172 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

I was reading an interesting blog post a few days ago with the catchy title "How do we make remote meetings not suck?" by Chelsea Troy. The main point was that meetings need some form of moderation, otherwise people tend to talk over one another. This is especially bad in remote meetings because a lot of the visual cues are missing (even with video), and also because network delays make pauses in the conversation hard to distinguish from a series of dropped packets.

Naturally, because I'm a filker, I immediately thought of the many ways our musical community has for organizing song circles. For those who haven't taken part in such a thing, a song circle is a group of people sitting around in a rough circle to sing. Song circles present many of the same problems as meetings, and in the sixty-odd years that people have been singing at conventions they've come up with some interesting solutions. (I might add that similar solutions can be found in operating system schedulers and computer networks; I'll leave most of the details as an exercise for the reader.)

The simplest method is the Bardic Circle, which is more familiar in the OS literature as round-robin scheduling -- the turn simply gets passed around the circle, e.g. to the right (or left) of the person singing. (Without loss of generality I'll say "person singing" for the person whose turn it is at the moment, but they have other options, e.g. picking someone else to perform, asking the group for a song on a given topic, or simply passing. This is generally expressed with the phrase "pick, pass, or play".)

The more people you have in the circle, the longer it takes for somebody to get a second turn. In a large group it can take an hour or two, but it's probably the most effective way of managing such a large group. There's a kind of computer network, now largely obsolete, called "Token Ring" that works pretty much the same way.

On the opposite end of the spectrum is the Chaos Circle, which is pretty much what it sounds like. This works best when there are comparatively few people who want to perform, and when they're all from roughly the same (geographic) area. Different regions have different expectations about what constitutes a pause -- we ran into this recently in a conversation that included several people from New York and others from the West Coast. Ethernet, back when every computer was connected to the same piece of coax, was chaos with the convention of exponential backoff to resolve collisions.

Moderated Chaos usually works well in slightly larger groups -- a moderator can resolve collisions by saying "okay, you get the next turn". A good moderator will also keep track of who hasn't had a turn recently, and encourage them to sing. My guess is that this is probably closest to what a moderated meeting is like. The moderator can either be assigned ahead of time by the event organizers, or may simply volunteer if things are getting too chaotic.

In between, we have Token-Passing Chaos, and Poker Chip Bardic. In a token-passing circle each performer gets to pick the next by passing them the token. The token is often an inflatable beach ball -- this has the advantage of requiring the performer to pass it along before they take their turn, to get the thing out of the way. Another good token is a ball of yarn. The resulting web makes it easy to spot people who haven't had a turn yet; if everyone gets a turn it's topologically equivalent to a Bardic Circle, but more flexible and fun.

The Poker Chip Bardic is probably the most interesting, and I think it has some potential for meetings as well. In this format, everyone gets three poker chips when they enter the room, in three different colors, and there are three corresponding rounds, one for each color. It's almost exactly the inverse of a Token-Passing circle -- people toss in their poker chip when they want a turn. Requiring each round to be completed before the next one is, again, topologically equivalent to a simple Bardic.

It gets a little more interesting -- and fun -- when you end a round when no-one wants to throw in the next chip. That gives people who pass in the first round a higher priority in the next. Reasons for doing this vary, of course. It's very effective for changing the subject or bringing in a new song at exactly the right moment.

I don't think this counts as a curmudgeon post, even with the slight technical content. But it's a post.

mdlbear: (technonerdmonster)

Most humans multitask rather badly -- studies have shown that when one tries to do two tasks at the same time, both tasks suffer. That's why many states outlaw using a cell phone while driving. Some people are much better than others at switching between tasks, especially similar tasks, and so give the appearance of multitasking. There is still a cost to switching context, though. The effect is much less if one of the tasks requires very little attention, knitting during a conversation, or sipping coffee while programming. (Although I have noticed that if I get deeply involved in a programming project my coffee tends to get cold.) It may surprise you to learn that computers have the same problem.

Your computer isn't really responding to your keystrokes and mouse clicks, playing a video from YouTube in one window while running a word processor in another, copying a song to a thumb drive, fetching pages from ten different web sites, and downloading the next Windows update, all at the same time. It's just faking it by switching between tasks really fast. (That's only partially true. We'll get to that part later, so if you already know about multi-core processors and GPUs, please be patient. Or skip ahead. Like a computer, my output devices can only type one character at a time.)

Back when computers weighed thousands of pounds, cost millions of dollars, and were about a million times slower than they are now, people started to notice that their expensive machines were idle a lot of the time -- they were waiting for things to happen in the "real world", and when the computer was reading in the next punched card it wasn't getting much else done. As computers got faster -- and cheaper -- the effect grew more and more noticeable, until some people realized that they could make use of that idle time to get something else done. The first operating systems that did this were called "foreground/background" systems -- they used the time when the computer was waiting for I/O to switch to a background task that did a lot of computation and not much I/O.

Once when I was in college I took advantage of the fact that the school's IBM 1620 was just sitting there most of the night to write a primitive foreground/background OS that consisted of just two instructions and a sign. The instructions dumped the computer's memory onto punched cards and then halted. The sign told whoever wanted to use the computer to flip a switch, wait for the dump to be punched out, and load it back in when they were done with whatever they were doing. I got a solid week of computation done. (It would take much less than a second on your laptop or even your phone, but we had neither laptop computers nor cell phones in 1968.)

By the end of the 1950s computers were getting fast enough, and had enough memory, that people could see where things were headed, and several people wrote papers describing how one could time-share a large, fast computer among several people to give them each the illusion that they had a (perhaps somewhat less powerful) computer all to themselves. The users would type programs on a teletype machine or some other glorified typewriter, and since it takes a long time for someone to type in a program or make a change to it, the computer had plenty of time to do actual work. The first such systems were demonstrated in 1961.

I'm going to skip over a lot of the history, including minicomputers, which were cheap enough that small colleges could afford them (Carleton got a PDP-8 the year after I graduated). Instead, I'll say a little about how timesharing actually works.

A computer's operating system is there to manage resources, and in a timesharing OS the goal is to manage them fairly, and switch contexts quickly enough for users to think that they're using the whole machine by themselves. There are three main resources to manage: time (on the CPU), space (memory), and attention (all those users typing at their keyboards).

There are two ways to manage attention: polling all of the attached devices to see which ones have work to do, and letting the devices interrupt whatever was going on. If only a small number of devices need attention, it's a lot more efficient to let them interrupt the processor, so that's how almost everything works these days.

When an interrupt comes in, the computer has to save whatever it was working on, do whatever work is required, and then put things back the way they were and get back to what it was doing before. This takes time. So does writing about it, so I'll just mention it briefly before getting back to the interesting stuff.

See what I did there? This is a lot like what I'm doing writing this post, occasionally switching tasks to eat lunch, go shopping, sleep, read other blogs, or pet the cat that suddenly sat on my keyboard demanding attention.

Let's look at time next. The computer can take advantage of the fact that many programs perform I/O to use the time when it's waiting for an I/O operation to finish to look around and see whether there's another program waiting to run. Another good time to switch is when an interrupt comes in -- the program's state already has to be saved to handle the interrupt. There's a bit of a problem with programs that don't do I/O -- these days they're usually mining bitcoin. So there's a clock that generates an interrupt every so often. In the early days that used to be 60 times per second (50 in Britain); a sixtieth of a second was sometimes called a "jiffy". That way of managing time is often called "time-slicing".
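The round-robin turn-taking of the Bardic circle in the song-circle post above and the clock-driven time-slicing described here, as an added Python simulation that is not code from the original posts: three constructed tasks (an editor that mostly waits for keystrokes, a browser that mixes computation and I/O, and a "miner" that never does I/O) are run with only I/O-driven switching and then with a two-tick clock interrupt. The task names and burst lengths are made up for the illustration.

```python
from collections import deque

# Constructed workload (not from the post): each task is a list of bursts,
# ("cpu", n) for n ticks of computation and ("io", n) for an n-tick wait on
# a device. Bursts alternate, starting with a cpu burst.
TASKS = {
    "editor":  [("cpu", 1), ("io", 4), ("cpu", 1), ("io", 4), ("cpu", 1)],
    "browser": [("cpu", 3), ("io", 2), ("cpu", 3)],
    "miner":   [("cpu", 12)],   # never does I/O: only the clock can stop it
}


def time_slice(tasks, quantum):
    """Round-robin scheduler: the turn passes around the ready queue the way
    it passes around a Bardic circle. A task gives up the CPU when it starts
    an I/O wait or finishes; if `quantum` is set, a clock interrupt also
    takes the CPU away after `quantum` consecutive ticks. With quantum=None
    only I/O switches tasks (the old foreground/background scheme).
    Returns the tick-by-tick timeline, the tick at which each task finished,
    and how many times the CPU was handed to a task (each hand-over is the
    save-everything-and-restore cost the post mentions)."""
    bursts = {name: deque(b) for name, b in tasks.items()}
    ready = deque(tasks)             # seats around the circle, in order
    blocked = {}                     # task -> ticks of I/O left to wait
    running, used = None, 0          # current task, ticks used of its slice
    timeline, finished, switches = [], {}, 0
    tick = 0
    while len(finished) < len(tasks):
        # I/O completions arrive as interrupts and put the task back in line
        for name in list(blocked):
            if blocked[name] == 0:
                del blocked[name]
                ready.append(name)
            else:
                blocked[name] -= 1
        if running is None and ready:
            running, used = ready.popleft(), 0
            switches += 1
        if running is None:
            timeline.append("idle")  # everyone is waiting on a device
        else:
            timeline.append(running)
            _, left = bursts[running][0]
            used, left = used + 1, left - 1
            if left == 0:
                bursts[running].popleft()
                if not bursts[running]:
                    finished[running] = tick + 1
                else:                # next burst is I/O: block, pass the turn
                    _, wait = bursts[running].popleft()
                    blocked[running] = wait
                running = None
            else:
                bursts[running][0] = ("cpu", left)
                if quantum is not None and used == quantum:
                    ready.append(running)   # clock interrupt: back of the line
                    running = None
        tick += 1
    return {"timeline": timeline, "finished": finished, "switches": switches}


def compare(tasks=TASKS):
    """Finish times with only I/O-driven switching versus a 2-tick clock."""
    return {"no_clock": time_slice(tasks, None)["finished"],
            "clock_2": time_slice(tasks, 2)["finished"]}
```

Without the clock the miner holds the CPU for its whole 12-tick burst and the editor, which needs only three ticks of computation, finishes last; with the clock every task gets a turn each time around the circle, at the price of twice as many context switches.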

The other way of managing time is multiprocessing: using more than one computer at the same time. (Told you I'd get to that eventually.) The amount of circuitry you can put on a chip keeps increasing, but the amount of circuitry required to make a CPU (a computer's Central Processing Unit) stays pretty much the same. The natural thing to do is to add another CPU. That's the point at which CPUs on a chip started being called "cores"; multi-core chips started hitting the consumer market around the turn of the millennium.

There is a complication that comes in when you have more than one CPU, and that's keeping them from getting in one another's way. Think about what happens when you and your family are making a big Thanksgiving feast in your kitchen. Even if it's a pretty big kitchen and everyone's working on a different part of the counter, you're still occasionally going to have times when more than one person needs to use the sink or the stove or the fridge. When this happens, you have to take turns or risk stepping on one another's toes.

You might think that the simplest way to do that is to run a completely separate program on each core. That works until you have more programs than processors, and it happens sooner than you might think because many programs need to do more than one thing at a time. Your web browser, for example, starts a new process every time you open a tab. (I am not going to discuss the difference between programs, processes, and threads in this post. I'm also not going to discuss locking, synchronization, and scheduling. Maybe later.)

The other thing you can do is to start adding specialized processors for offloading the more compute-intensive tasks. For a long time that meant graphics -- a modern graphics card has more compute power than the computer it's attached to, because the more power you throw at making pretty pictures, the better they look. Realistic-looking images used to take hours to compute. In 1995 the first computer-animated feature film, Toy Story, was produced on a fleet of 117 Sun Microsystems computers running around the clock. They got about three minutes of movie per week.

Even a mediocre graphics card can generate better-quality images at 75 frames per second. It's downright scary. In fairness, most of that performance comes from specialization. Rather than being general-purpose computers, graphics cards mostly just do the computations required for simulating objects moving around in three dimensions.

The other big problem, in more ways than one, is space. Programs use memory, both for code and for data. In the early days of timesharing, if a program was ready to run that didn't fit in the memory available, some other program got "swapped out" onto disk. All of it. Of course, memory wasn't all that big at the time -- a megabyte was considered a lot of memory in those days -- but it still took a lot of time.

Eventually, however, someone hit on the idea of splitting memory up into equal-sized chunks called "pages". A program doesn't use all of its memory at once, and most operations tend to be pretty localized. So a program runs until it needs a page that isn't in memory. The operating system then finds some other page to evict -- usually one that hasn't been used for a while. The OS writes out the old page (if it has to; if it hasn't been modified and it's still around in swap space, you win), and schedules the I/O operation needed to read the new page in. And because that takes a while, it goes off and runs some other program while it's waiting.

There's a complication, of course: you need to keep track of where each page is in what its program thinks of as a very simple sequence of consecutive memory locations. That means you need a "page table" or "memory map" to keep track of the correspondence between the pages scattered around the computer's real memory, and the simple virtual memory that the program thinks it has.

There's another complication: it's perfectly possible (and sometimes useful) for a program to allocate more virtual memory than the computer has space for in real memory. And it's even easier to have a collection of programs that, between them, take up more space than you have.

As long as each program only uses a few separate regions of its memory at a time, you can get away with it. The memory that a program needs at any given time is called its "working set", and with most programs it's pretty small and doesn't jump around too much. But not every program is this well-behaved, and sometimes even when they are there can be too many of them. At that point you're in trouble. Even if there is plenty of swap space, there isn't enough real memory for every program to get its whole working set swapped in. At that point the OS is frantically swapping pages in and out, and things slow down to a crawl. It's called "thrashing". You may have noticed this when you have too many browser tabs open.
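Here is an added example (not code from the original post) that puts numbers on the two paragraphs above: a tiny demand-paging simulation with least-recently-used eviction, the "hasn't been used for a while" rule, run over a constructed mix of programs whose working sets are replayed round-robin. The program names, working-set sizes and frame counts are all invented for illustration.

```python
"""Added example, not from the original post: a small demand-paging
simulation with least-recently-used eviction, to show what the text means
by a working set and by thrashing.  Program names, working-set sizes and
frame counts are all constructed for illustration."""
from collections import OrderedDict


def simulate_lru(trace, frames):
    """Replay an access trace through `frames` real page frames.

    `trace` is a sequence of page identifiers in the order they are touched;
    on a miss the least recently used resident page is evicted.
    Returns the number of page faults (each one costs a disk read)."""
    resident = OrderedDict()  # page -> None, ordered least to most recently used
    faults = 0
    for page in trace:
        if page in resident:
            resident.move_to_end(page)  # hit: just mark it as recently used
            continue
        faults += 1
        if len(resident) >= frames:
            resident.popitem(last=False)  # evict the least recently used page
        resident[page] = None
    return faults


def round_robin_trace(programs, rounds):
    """Build a trace for several programs sharing the machine.

    `programs` is a list of (name, working_set_pages); in each round every
    program touches each page of its working set once, in order."""
    trace = []
    for _ in range(rounds):
        for name, pages in programs:
            trace.extend(f"{name}:{i}" for i in range(pages))
    return trace


def fault_rate(programs, rounds, frames):
    """Page faults per memory access for the given program mix and frame count."""
    trace = round_robin_trace(programs, rounds)
    return simulate_lru(trace, frames) / len(trace)


if __name__ == "__main__":
    # Constructed workload: two programs whose working sets total 10 pages.
    mix = [("editor", 4), ("browser", 6)]
    for frames in (12, 10, 8):
        print(f"{frames:2d} frames: fault rate {fault_rate(mix, 5, frames):.2f}")
```

With 10 or more frames the only faults are the first touch of each page (a 20% fault rate over five rounds); take away two frames and every single access misses, because LRU keeps evicting exactly the page that is needed next. That cliff, not a gradual slowdown, is what the text calls thrashing. Real kernels use cheaper approximations of LRU, but the shape of the curve is the same.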

The only things you can do when that happens are to kill some large programs (Firefox is my first target these days), or re-boot. (When you restart, even if your browser restores its session to the tabs you had open when you stopped it, you're not in trouble again because it only starts a new process when you look at a tab.)

And at this point, I'm going to stop because I think I've rambled far enough. Please let me know what you think of it. And let me know which parts I ought to expand on in later posts. Also, tell me if I need to cut-tag it.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com). If you found it interesting or useful, you might consider using one of the donation buttons on my profile page.

NaBloPoMo stats:
   8632 words in 13 posts this month (average 664/post)
   2035 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Pretty good week, on the whole, but kind of a bumpy ride. My self-confidence bottomed out a couple of times. However:

N and the kids came up Tuesday evening (after appointments), and stayed until Thursday afternoon. It was wonderful to have the rest of the family here. Wednesday morning I worked on math with j; much of that evening and Thursday were spent singing with N and m (who has a lovely voice and a good ear for harmony). I had a few problems keeping up -- for some reason I kept screwing up D chords, and it's always a little tricky learning new vocals and a guitar part at the same time. But it was all good.

There was some progress on the job front, too. I heard back from 7cups on Monday, scheduled a phone screen, and did that on Friday. I think it went pretty well, though of course there's no telling whether it will go any farther. One can hope. Also, I finally finished the application to DuckDuckGo. It had some questions on it that made it difficult, but I did hear back on Friday and scheduled a phone screen for a week from Monday. So there's that.

I've managed to keep up with my NaBloPoMo plans as well. There's nothing like well over a thousand words' worth of notes once a week to keep the average up -- it's sort of cheating, but I'll take it. I also wrote the little word-count script that computes the current stats, and made some fixes and improvements in the blogging code. It's quite usable at this point, although it still requires being comfortable on the command line.

The "apartment" -- the room over the garage -- finally has working plumbing! It will still be a while before it has hot water, but it's pretty usable at this point.

On the down side, I'm still beating myself up about all the stupid things I've done, ever, and worrying about how in hell I'm going to survive the next few years after the money runs out.


NaBloPoMo stats:
   6590 words in 12 posts this month (average 549/post)
   1515 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

One of the songs Lookingglass Folk have been working on recently is "Mary O'Meara" (words by Poul Anderson, music by Anne Passovoy) -- according to my archives we started working on it in mid-July, and possibly earlier. (Bears have notoriously bad memories; find and grep are my good friends.)

I remember reading the song in Poul's novel, World Without Stars back in 1966, when it was serialized in Analog under the title "The Ancient Gods". A good story, but what really made it memorable was the song, verses of which were threaded through the story. When I heard it at a filksing, at least a decade later, it brought the whole thing back.

OK, before we go any farther, if you haven't heard the song (it's passed out of the filk repertoire in recent years, possibly due to over-exposure) go listen to it! Here's "Mary O' Meara" sung by Windbourne on YouTube. The only copy of the lyrics I could find online is here, on Mudcat -- skip the comments. Darned if I can figure out where I found the chords [pdf]; possibly in a songbook somewhere.


Now, go over to kjn | The origins of Mary O'Meara, where you'll find the song that inspired it: "Anna Lovinda", by Norwegian songwriter Erik Bye, published in 1960. The post contains translations of the original lyrics, and a Danish translation that was probably what Poul was thinking of.

Reading those, you can tell that the basic story and most of the imagery of "Mary O'Meara" came directly from "Anna Lovinda". What's more, the meter is fairly close as well. kjn's post has a good analysis, which I'm not going to try to duplicate.

At this point, I'm going to leave you with this stunning performance of "Anna Lovinda" by Sissel Kyrkjebø, Bjørn Eidsvåg, and Åge Aleksandersen from 2006.

NaBloPoMo stats:
   5068 words in 11 posts this month (average 460/post)
    339 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

This is (a first cut at) a sticky-post or landing post for mdlbear.dreamwidth.org. I intend for it to be edited rather than replaced, so the link should stay the same.

The Mandelbear

... is what I call the fractal you see in my default icon. The Mandelbear is infinitely fuzzy, being a two-dimensional cross-section of a four-dimensional object. It occasionally manifests as an elderly hacker-songwriter, and sometimes as a Middle-Sized Bear.

Series Tags

These tags mark ongoing series of posts (and are mostly lifted from the post I made last Thursday introducing NaBloPoMo, with a couple of additions and edits).

curmudgeon - The Computer Curmudgeon
This series is a combination of public service announcements, mostly about security- and privacy-related events, and longer informational pieces. These posts are cross-posted onto computer-curmudgeon.com. I'd like to work up to one or two per week.
done - Done Since...
Posted every Sunday (sometimes delayed or advanced depending on conventions and where the end of the month falls), this contains my summary of the week followed by (under a cut tag) the week's worth of to.do file entries. The format of the to.do entries is described in How to.do it, and has been described as sort of an online bullet journal.
river - The River
These are posts about, ... Hmm. What are they about? Love, friendship, grieving, ... I guess the overall theme is emotions.
thanks - Thankful Thursday
My weekly gratitude posts. I'm not entirely consistent about these -- you will occasionally see a "Thankful Friday". There's (almost) always one on (American) Thanksgiving. Of course.
Posts about my finances.

Other Tags

  • meta -- Posts about the blog itself, and other self-referential stuff.
  • poem
  • review
  • song
  • Conventions and other annual events get a pair of tags: the name of the event, and the year.

There are lots more; those are just the more important ones.


NaBloPoMo stats:
   4728 words in 10 posts this month (average 472/post)
    398 words in 1 post today

mdlbear: Wild turkey hen close-up (turkey)

Today I am grateful for

  • My family, the whole crazy lot of us,
  • A chance to sing with N and m -- adding m to the group makes a huge difference.
  • New (for us) songs to work on -- "Ripple" and "Mother I Climbed".
  • Taking back the House -- not enough, but a start.
  • Scheduled interviews (for jobs I seriously doubt whether I can do, but my judgement is notoriously poor in that direction).
  • The World Wide Web.

NaBloPoMo stats:
   4322 words in 9 posts this month (average 480/post)
    109 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

I had a totally different post planned, but it doesn't seem to be going in the direction I wanted it to. It's probably going to take some serious editing, if I don't give it up entirely. Instead you get this.

I miss singing with my family. Since N and her kids moved down to Seattle it's been a lot harder to get together and sing; they were up here for the day (yesterday evening through tomorrow mid-day), and we've spent much of this evening working on songs. I have no idea when Lookingglass Folk's next concert is going to be, but it has the potential to be amazing. Just sayin'

We started with "Ripple", which is new for the group, sang "Bells of Norwich" because I needed it, and worked mostly on "Lord of the Buffalo" and "Ship of Stone", which we've been working up new vocal arrangements for. They're coming along.

For some reason I've been having problems with D chords on the guitar. Weird. My middle finger keeps being off by a string; it took me a while to track down exactly what I was doing wrong, and paying attention to it threw me off on the surrounding chords. Grump. Obviously I need to practice more.

NaBloPoMo stats:
   4206 words in 8 posts this month (average 525/post)
    239 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

You really ought to go over to ysabetwordsmith's Poetry Fishbowl. This month's theme is family of choice, which is a subject I have a certain interest in.

NaBloPoMo stats:
   3960 words in 7 posts this month (average 565/post)
     66 words in 1 post today

mdlbear: a locomotive engine dangling from a hole in a building (trainwreck)

This is going to be pretty random. I spent much of the day agonizing over a job application (which I finally finished, after about three weeks of writer's block) and an hour or so doing some necessary house repair; after which I've been vaguely out of it, and feeling as though I might be coming down with something. But it's NaBloPoMo, and I'm posting.

I'm still suffering from writer's block on the verbiage for a mailing list ad. I have a pretty good opening sentence (I think) but when it comes down to saying what it is I actually do, I come up empty.

Sometimes you just need to hire a curmudgeon to get annoyed at your computer, or your website, so that you don't have to. Get friendly advice, gentle coaching, understandable explanations, and expert help, from someone who's been using computers for over half a century.

Opinions? The reason I'm stuck is that I really don't know what I do that people would be willing to pay me for. I think I mentioned that I went to a day-long seminar on "Growing Your Consulting Business", and I've been reading books on consulting, all of which assume that you know what in heck you're doing. And have been doing it for a couple of years and just want to get better at it. You have to have at least some clients before you can specialize.

One of the posts I have planned for this month is a brainstorming session about just what I can do. I thought briefly about doing it now, but I think having a brain may be a prerequisite.

Meanwhile, I'm sitting here being kind of appalled at how little I've done -- I've been looking at old posts, and old unsent drafts; old notes for projects that never got finished and in most cases never got started. It doesn't do much for self-confidence.

Our cats are being adorable, as usual. Desti is lying on my gig bag -- it's soft-sided and empty, so her weight makes a little hollow for her to lie in. It's also black, so she's pretty well camouflaged. Ticia is lying on the floor with her head on the side of the gig bag. The other thing Desti does is sit on my lap, or my computer. I can close the lid on my laptop and use just the external monitor, but it's remarkably difficult to type with a cat in one's lap. Browsing, yeah; I can do that.

A programmer looks
At a blank emacs window,
Mind equally blank.

NaBloPoMo stats:
   3887 words in 6 posts this month (average 647/post)
    472 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Good and bad, more-or-less as usual. On the good side, I started NaBloPoMo and started working through the Ruby on Rails Tutorial. That led to my making accounts on GitLab and Heroku, and reviving an old BitBucket account. (Plus making a new one because I couldn't remember which email address I'd used the first time.)

I somehow managed to pull off a better-than-usual singing lesson, pretty much nailing Ripple and Mary O'Meara (though I still have doubts about the melody on that one). I love Ripple, as you can probably tell from yesterday's S4S post. I think the song's calmness is good for me.

On the other hand, I made little progress toward getting a job; five applications, no responses except for a rejection from GitHub, where I applied sometime in September. I've been reading about consulting -- I am really not in a good position to become a consultant. WTF was I thinking? Total writer's block on a job application to DuckDuckGo, a business card for computer-curmudgeon.com, and the text of a DrewsList ad.

The common problem with all three of those is that I can't think of anything I know well enough for any company to want to pay consultant's rates for it. And there are damned few I could get a salary for, for that matter. Java, and that's about it. Git, but everyone knows git by now. (I'm working on a post about git for non-programmers, but I don't know how far I can take that.) I should probably save the brainstorming (brain-drizzle? more like that than a storm) for another post.

I'm kind of beyond panic by now -- I feel like I'm just re-arranging deck chairs. Anyone need a web site? Git expert?


NaBloPoMo stats:
    489 2018/11/01--nablopomo.html
     89 2018/11/01--thankful-thursday.html
    617 2018/11/02--learn-enough-to-be-dangerous.html
    340 2018/11/03--s4s-ripple.html
   1867 2018/11/04--done-since-1028.html (includes ~1500 words in the notes)
   3402 words in 5 posts this month (average 680/post)
   1867 words in 1 post today

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Today I'm going to talk a little about my all-time favorite Grateful Dead song (and occasionally my favorite song, period): "Ripple". OtherBear ran across a drop-dead gorgeous cover of it: Ripple - Playing for Change [YouTube]. Go listen and watch; I'll wait. Let there be songs to fill the air!

What I like about that video is the absolutely seamless cutting between the various musicians. Just magic. Makes you want to go off with a guitar and sing it -- so I did. The chords you usually find on the web are in G, so it's dead simple to play, and right in the middle of my vocal range. (The original was in F, so it would be perfect on a 12-string tuned down the traditional two frets. Just sayin'.)

It's a very strange song. For the most part, I have no idea what it actually means, but it hangs together nevertheless, invoking an overall feeling of slightly mystical tranquility that's been missing recently in my life. It just sort of ripples along quietly. The fact that the chorus is a haiku (though not in the usual 5-7-5 layout; it's 6-7-4) probably contributes to the tranquility:

Ripple in still water
When there is no pebble tossed
Nor wind to blow

If you left YouTube up, you might want to check out some other versions. this, for example, is the studio version, which is where I first encountered it. Also, check out The Annotated "Ripple" for the lyrics and more. Dodd may be going a bit off the deep end with the analysis; literary criticism really isn't my field so I can't be sure. But there really are some amazing depths in that song.

If I knew the way, I would take you home. See you next week.

NaBloPoMo stats:

   1528 words in 4 posts this month (average 382/post)
    333 words in 1 post today

mdlbear: (technonerdmonster)

Recently I started reading this Ruby on Rails Tutorial by Michael Hartl. It's pretty good; very hands-on, and doesn't assume that you know Ruby (that's a programming language; Rails is a web development framework). It does assume that you know enough about software development and web technology to be dangerous. And if you're not dangerous yet,...

It points you at a web site where you can learn enough to be dangerous. Starting from knowing nothing at all.

It's the author's contention that Tech is the new literacy [and] [l]earning the basics of programming is only one piece of the puzzle. LearnEnough to Be Dangerous teaches [you] to code as well as a much more powerful skill: technical sophistication. Part of that technical sophistication is knowing how to look things up or figure things out when you don't know them.

There are seven volumes in the series leading up to the Rails tutorial, giving you an introductory course in software development. I haven't gone to a bootcamp, but I'd guess that this is roughly the equivalent. More importantly, by the end of this series you'll be able to work through and understand just about any of the thousands of free tutorials on the web, and even more importantly you'll have learned how to think and work like a software developer.

The first three tutorials lay the groundwork: Learn Enough Command Line..., Learn Enough Text Editor..., and Learn Enough Git to Be Dangerous. With just those, you'll know enough to set up a simple website -- and you do, on GitHub Pages. You'll also end up with a pretty good Linux or MacOS development environment (even if you're using Windows).

I have a few quibbles -- the text editor book doesn't mention Emacs, and the author is clearly a Mac user. (You don't need a tutorial on Emacs, because it has one built in -- along with a complete set of manuals. So you'll be able to try it on your own.)

The next three books are Learn Enough HTML to Be Dangerous, Learn Enough CSS & Layout, and Learn Enough JavaScript. The JavaScript is a real introduction to programming -- you'll also learn how to write tests, and of course you'll also know how to use version control, from the git tutorial.

At this point I have to admit that after starting the Ruby tutorial I went back and skimmed through the others; I'll probably want to take a closer look at the JavaScript tutorial to see if I've missed anything in my somewhat haphazard journey toward front-end web development.

The next book in the series is Learn Enough Ruby to Be Dangerous. (If you skip it on your way to the Rails tutorial, there's a quick introduction there as well.) Ruby seems like a good choice for a second language, and learning a second programming language is important because it lets you see which ideas and structures are fundamental, and which aren't. (There's quite a lot of that about JavaScript -- it's poorly-designed in many ways, and some things about it are quite peculiar.)

Another good second or third programming language would be Python. If you'd like to go there next, or start from the beginning with Python, I can recommend Django Girls and their Tutorial. This is another from-the-ground-up introduction to web development, so of course there's a lot of overlap in the beginning.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com)

NaBloPoMo stats: 593 words in this post, 1172 words in 3 posts this month.

mdlbear: Wild turkey hen close-up (turkey)

Hmm. Today I'm grateful for

  • not being out of money yet,
  • online courses I can take,
  • a housemate, L, who can do things sometimes when I'm not up to it,
  • the household cats: Colleen, Ticia, and Desti,
  • L's new T-Mobile femtocell (which doesn't help me and Colleen, but we have signal from AT&T; the rest of the family is on T-Mob and our house is in a dead zone)
  • Mom.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

So, ... this is the start of NaNoWriMo -- National Novel Writing Month. I'm not doing that. My track record for writing fiction is rather dismal. I'd be tempted to blame it on the deficiency in imagination associated with Alexithymia, but mostly it's the fact that I didn't do any planning.

However, this is also National Blog Posting Month (supposedly; NaBloPoMo's web page, such as it is, seems to be mostly broken, possibly due to a change in ownership of BlogHer.com. Many other references have also gone stale.) No matter. I don't need somebody else's website to keep track of what I post this November -- that's a one-liner.

 ls ~/.ljarchive/2018/10 | wc 

So here I am, staring at a mostly-blank page in Emacs, writing down a very vague plan in hopes that it will become more specific as I go on.

I do have a goal. I recently added a couple of donation buttons to my Dreamwidth profile page; the goal is to make this blog into something that people feel is worth supporting.

I have a few ongoing series of posts -- not all of them are things I'd consider worthy of being paid for, and in fact most of them aren't, but all of them are important for maintaining audience engagement. That's my excuse, anyway.

The ongoing series at present are:

  • Done Since... -- posted every Sunday (sometimes delayed or advanced depending on conventions and where the end of the month falls), this contains my summary of the week followed by (under a cut tag) the week's worth of to.do file entries. This is currently the only thing that's posted consistently.
  • Thankful Thursday -- my weekly gratitude post. These have been mostly fairly consistent recently.
  • Songs for Saturday -- pretty much what it says on the tin. I haven't been all that consistent about these. There's (almost) always one on (American) Thanksgiving. Of course.
  • The Computer Curmudgeon -- these are a combination of public service announcements, mostly about security- and privacy-related events, and longer informational pieces. These posts are cross-posted onto computer-curmudgeon.com. If people think these are worthy of support, I'd be delighted.
  • The River -- These are posts about, ... Hmm. What are they about? Love, friendship, grieving, ... I guess the overall theme is emotions. There were a lot of these in 2008 and 2009, to the point where I was considering publishing a collection tentatively titled Two Years on the River. Didn't happen. Should it? It would take a lot of editing.

Okay, when you get down to it only The Computer Curmudgeon has the potential for being donation-worthy, and that only if I post to it more often. Poetry could if I wrote more of it. Anyway.

It's November 1st. Posts: 1; days with a post: 1.

mdlbear: a locomotive engine dangling from a hole in a building (trainwreck)

It has not been a good week. Between a synagogue mass murder in Pittsburgh yesterday, filk fan Harold Stein ([personal profile] hms42) dying of cancer Friday, and pipe bombs in the mail, the fact that I'm despairing of finding work in time to keep from going broke seems comparatively small, but it isn't helping either.

The fundamental problem is that I can't think of any area of expertise I have that would be worth charging consulting rates for, and as time goes on it becomes less and less likely that any of my skills will get me hired for doing it as an employee. Yes, I'm acquiring new ones. But I'm not going to acquire four years of experience in Ruby or JavaScript overnight. I'm a genuine expert at git, but I think that's pretty common. Maybe I could predict the next big thing, but my track record as a seer isn't all that good either.

I certainly didn't predict that IBM would buy Red Hat. Big Blue Hat? Nah. Does "If AOL Buys RedHat" count for a prediction? I wrote it in 2002, and it has nothing whatever to do with the current situation. I guess if Microsoft can buy GitHub...

I did manage to get some website work done, including importing quite a few older software-related posts into the blog on computer-curmudgeon.com/. I'm not sure it matters. And last Sunday I swatted the second simplex bug in hyperviewer, but I don't think tetrahedra and tesseracts have a lot of market value.

I'm blathering, aren't I?


mdlbear: (technonerdmonster)

There’s an article about a security problem getting a bit of attention lately, Apache Access Vulnerability Could Affect Thousands of Applications. Sounds really scary. Here’s a better article about it, Zero-day in popular jQuery plugin actively exploited for at least three years. Looking at those titles you might think that the problem is either with a jQuery plugin, or Apache’s .htaccess files. It’s neither. The real situation is more complicated. You might think that if you’re not using this plugin on your website, you’d be safe. You’d be wrong. You might think that patching the plugin, or the Apache web server, would solve the problem. You’d be wrong about that, too. The real problem is still there, waiting to bite you in the tail. If you don’t have a website, or don’t allow file uploads, you can stop reading now unless you’re curious. If you do, stick around (or jump to the last section if all you want is the fix).

The problem being reported

You may have noticed that the two titles up there are highlighting different aspects of the problem. There’s that “popular jQuery plugin”, blueimp/jQuery-File-Upload. People building websites use it to allow their users to upload files (e.g., cat pictures). It’s really popular – 7800 forks on GitHub, 29,000 stars; probably tens or hundreds of thousands of sites using it. And then there’s the Apache web server. Apache is even more popular – it runs some 45% of the web, and there are presently just short of two billion websites (although all but a couple of hundred million are currently active). And more specifically there are .htaccess files, which are used to override certain server configuration options (including security options, which is almost as scary as it sounds, but doesn’t have to be).

The specific problem is this: jQuery-File-Upload lets visitors to a web site upload their cat pictures. These get put in a directory somewhere in the server’s file system. If you’re running a website and have any sense, you’ll put that directory someplace where it can’t be seen from the web, but of course that means that your visitors can’t see the cat pictures they’ve uploaded, without you or your software doing some work, and that could be tricky.

If you have a directory that’s part of your website that you want to be invisible from the web, or visible safely (we’ll get into that a little later), there are two ways to set that up. If you have access to Apache’s configuration files, you do it there. Unfortunately that requires root access, and most of us are using shared servers and our hosting sites don’t allow that, because it would be a huge security hole if they did. The other way of configuring your site is to put a file called .htaccess somewhere on your site, and it will apply configuration overrides to that directory and everything below it. That’s a little dicey, because it’s possible to get that wrong, especially if you’re not an experienced system administrator, but if you’re operating a shared hosting service like the one I use, you have to give your users some way of setting parameters, and .htaccess is the only game in town.

Finally there’s the fact that, some ten years ago, Apache changed the defaults on their server so that .htaccess files are disabled, so the administrator has to specifically re-enable them. What does that mean?

Well, if you are allowing users to upload files, and if you put the upload directory where it can be seen from the web (meaning that people can download from it), and if you were counting on a .htaccess file to protect that directory, and if you upgraded Apache any time in the last ten years, and if you or your system administrator didn’t re-enable .htaccess files, and if you thought that your .htaccess file was still protecting you, then you have a problem. That’s a lot of “if”s, but there are an awful lot of websites.
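The chain of "if"s above comes down to one question a site owner can actually check: is the server reading my .htaccess file at all? Here is an added example, not from the original post and not an Apache tool, that answers it for a configuration excerpt. It pulls the AllowOverride directive (a real Apache directive, and the one whose default became None with the change the post describes) out of each <Directory> block, works out which block governs a given directory, and lists the .htaccess files whose directives will be silently ignored. The configuration text and the file paths are constructed for illustration.

```python
"""Added example, not from the original post and not Apache's own tooling:
an audit for the situation the post describes, an .htaccess file that the
server silently ignores.  It reads AllowOverride out of <Directory> blocks
in a constructed config excerpt and reports .htaccess files that sit under
a directory where overrides are off.  All paths and config text are
constructed for illustration."""
import re

# One <Directory ...> ... </Directory> block; quotes around the path are optional.
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def parse_overrides(config_text):
    """Map each <Directory> path to its AllowOverride value.

    A block that does not mention the directive gets 'None', which is also
    what the server assumes when nothing sets it (the default since 2.3.9)."""
    overrides = {}
    for path, body in DIR_RE.findall(config_text):
        m = OVERRIDE_RE.search(body)
        overrides[path.strip()] = m.group(1).strip() if m else "None"
    return overrides


def effective_override(overrides, directory):
    """AllowOverride in force for `directory`: the most specific enclosing
    <Directory> block wins, because Apache merges sections shortest path first."""
    best = None
    for path in overrides:
        prefix = path.rstrip("/") + "/"
        if directory == path or directory.startswith(prefix):
            if best is None or len(path) > len(best):
                best = path
    return overrides[best] if best is not None else "None"


def ignored_htaccess(config_text, htaccess_paths):
    """Return the .htaccess files whose contents the server will never read."""
    overrides = parse_overrides(config_text)
    ignored = []
    for path in htaccess_paths:
        directory = path.rsplit("/", 1)[0] or "/"
        if effective_override(overrides, directory).lower() == "none":
            ignored.append(path)
    return ignored


# Constructed excerpt: overrides are off everywhere except the uploads directory.
SAMPLE_CONFIG = """\
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/uploads">
    AllowOverride All
</Directory>
"""

# Constructed list of .htaccess files a site owner might be relying on.
SAMPLE_HTACCESS = [
    "/var/www/html/.htaccess",          # governed by the html block: ignored
    "/var/www/html/uploads/.htaccess",  # explicitly enabled: honoured
    "/var/www/html/images/.htaccess",   # no block of its own, inherits None
]

if __name__ == "__main__":
    for f in ignored_htaccess(SAMPLE_CONFIG, SAMPLE_HTACCESS):
        print(f"WARNING: {f} is ignored (AllowOverride None applies)")
```

The point of the check is the third sample path: a directory with no <Directory> block of its own inherits its parent's setting, so an .htaccess file dropped into an image or upload directory protects nothing unless some enclosing block has turned overrides on. On a shared host you cannot run this against the real httpd.conf, but you can ask the host which directories allow overrides, or test directly by putting a deliberately broken directive in the file and seeing whether the server complains.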

Here’s how this situation can be exploited, as reported by a security researcher at Akamai named Larry Cashdollar, in an article titled Having The Security Rug Pulled Out From Under You.

If you can upload files to a website, all you have to do is:

 $ echo '<?php $cmd=$_GET['cmd']; system($cmd);?>' > shell.php
 $ curl -F "files=@shell.php" http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

It’s not hard. The first line there creates a one-line file with some PHP code in it. The second line uploads it. Now you have a file called shell.php on the server. You can send a request for that file with a query string attached to it, and PHP will helpfully pass that string to the system, which runs it. Boom.

The problem with the reporting

Here are a couple of passages quoted from the ZDNet article:

The developer’s investigation identified the true source of the vulnerability not in the plugin’s code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin’s expected behavior on Apache servers.

Starting with [version 2.3.9], the Apache HTTPD server got an option that would allow server owners to ignore custom security settings made to individual folders via .htaccess files. This setting, made for security reasons, was enabled by default.

Actually, what happened was that the server disabled .htaccess files by default, and it was done for performance reasons – having to read .htaccess files with every request is a big performance hit. Here’s what the Apache documentation says about it:

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration. [emphasis mine]

The DARKReading Article adds,

A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation.

Well, no. The documentation is still current, and it’s very clearly marked as something you shouldn’t use unless you have to. And most of the people who have vulnerable websites aren’t developers, don’t have any choice about whether to use .htaccess, and aren’t reading the docs. They’re just doing cut-and-paste from the quick-start documents that their web host provides.

What’s the real problem?

There are a couple of things that the articles I’ve referred to didn’t mention, or just glossed over.

The first is that uploading files is a problem, and it’s been a problem since long before there was a World Wide Web! I first ran into this while running an FTP server. There are all sorts of ways file uploads can be abused. Somebody can bring down your server by uploading junk and filling your disk. They can upload malware. It has nothing at all to do with jQuery-File-Upload; this has been a problem since day 1.

The solution, if you must allow uploads, is to upload them to someplace safely outside of your website, and process them immediately – either with your server-side code, or a cron job. This is just as much common sense as not using any form data until it’s been validated and sanitized. Some languages, like Perl, give you some help with this. This is true on the client side too, if you have JavaScript. Validate your inputs! I ran into that one last week, you may remember.

The second problem is PHP. Actually, the problem is putting executable files in your website instead of someplace like a CGI script directory, or a web server. But PHP is the biggest offender. It was designed to make it so easy to build a website that anyone could do it. And everyone did.

PHP was designed to be simple. It wasn’t designed to be safe. (It has a lot of other problems, too, but that’s the big one.) See Why PHP Sucks and PHP: a fractal of bad design, for example.

The biggest problem with PHP is that it works by mixing executable code with the documents you’re serving to the user. Sure, it’s convenient. It’s also bad design – it’s a series of disasters waiting to happen, and this is only the most recent one.

What should you do?

  • Obviously, if you have access to your server’s configuration, you should disable .htaccess and do everything at the server level. That’s not always possible.
  • If you aren’t using PHP on your website, disable it.
  • At the very least, disable PHP in your upload directory!
  • If you want to let users upload files, put them someplace outside your document root and keep them there until you or your software can review them for safety. (When I was running an FTP server, I had separate ‘incoming’ and ‘outgoing’ directories.)

You may find Disable PHP in a directory with Apache .htaccess - Electric Toolbox helpful: just put these three lines into an .htaccess file, either at the top level of your site, or down in any directories where it’s not needed (which includes not only your upload directory but also image directories and other assets, just to be sure).

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

While you’re at it, make it so that the web server – and anyone else who isn’t you – can’t write into your website files:

cd your_server's_document_root
chmod -R go-w .
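As an added example (not code from the original post or from the Electric Toolbox page), here is a POSIX shell script that writes those three lines into a directory's .htaccess, strips group and other write permission from the tree, and checks that both took; the function names and the directory paths are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Hardens an upload (or asset)
# directory under an Apache document root the way the post describes:
# drop a PHP-disabling .htaccess into it and make the tree unwritable by
# the web server's group and by "other".

# Write the three-line .htaccess from the post into directory $1
# (created if it does not exist). Note: php_flag is only understood when
# PHP runs as mod_php; with PHP-FPM Apache rejects it as an unknown
# directive, so leave that line out in that setup.
disable_php_in() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/.htaccess" <<'EOF'
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off
EOF
}

# Remove write permission for group and other, recursively, under $1
# (the post's "chmod -R go-w ." run from the document root).
make_unwritable() {
    chmod -R go-w "$1"
}

# Return 0 if $1 carries the PHP-disabling .htaccess and nothing under it
# is writable by group or other; nonzero otherwise.
check_hardened() {
    dir="$1"
    grep -q '^RemoveHandler .php' "$dir/.htaccess" 2>/dev/null || return 1
    grep -q '^RemoveType .php' "$dir/.htaccess" 2>/dev/null || return 1
    grep -q '^php_flag engine off$' "$dir/.htaccess" 2>/dev/null || return 1
    # -perm -020 / -perm -002 are POSIX: "has the group/other write bit set"
    [ -z "$(find "$dir" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Usage (paths are placeholders): harden the uploads directory of a site.
#   disable_php_in /var/www/example/uploads
#   make_unwritable /var/www/example
#   check_hardened /var/www/example/uploads && echo "uploads hardened"
```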

Have fun, be safe out there, and don’t use PHP.

Another fine post from The Computer Curmudgeon.

mdlbear: (technonerdmonster)

You may remember from my previous post about Hyperviewer that I’d been plagued by a mysterious bug. The second time the program tried to make a simplex (the N-dimensional version of a triangle (N=2) or tetrahedron (N=3), a whole batch of “ghost edges” appeared and the program (quite understandably) blew up. I didn’t realize it until somewhat later, but there were ghost vertices as well, and that was somewhat more fundamental. Basically, nVertices, the field that holds the number of vertices in the polytope, was wildly wrong.

Chasing ghosts

Eventually I narrowed things down to someplace around here, which is where things stood at the end of the previous post.

        let vertices = [];
        /* something goes massively wrong, right here. */
        for (let i = 0; i < dim; ++i) {
            vertices.push(new vector(dim).fill((j) => i === j? 1.0 : 0));
        }

I found this by throwing an error, with a big data dump, right in the middle if nVertices was wrong (it’s supposed to be dim+1), or if the length of the list of vertices was different from nVertices.

        let vertices = [];
        /* something goes massively wrong, right here. */
        if (this.nVertices !== (dim + 1) || this.nEdges !== ((dim + 1) * dim / 2) ||
            this.vertices.length !== 0 || this.edges.length !== 0 ) {
            throw new Error("nEdges = " + this.nEdges + " want " +  ((dim + 1) * dim / 2) +
                            "; nVertices = " + this.nVertices + " want " + dim +
                            "; vertices.length = " + this.vertices.length +
                            ' at this point in the initialization, where dim = ' + dim +
                            " in " + this.dimensions + '-D ' + this.name
                           );
        }
        for (let i = 0; i < dim; ++i) {

It appeared that nVertices was wildly wrong at that point. If I’d looked carefully and thought about what nVertices actually was, I would probably have found the bug at that point. Or even earlier. Instead, what clinched it was this:

        this.vertices = vertices;
        this.nVertices = vertices.length;  // setting this to dim+1 FAILS:
        // in other words, this.nVertices is getting changed between these two statements!
        if (this.vertices.length !== this.nVertices || this.edges.length !== 0) {
            throw new Error("expect " + this.nVertices + " verts, have " + this.vertices.length +
                            " in " + this.dimensions + '-D ' + this.name +
                            "; want " + this.nEdges + " edges into " + this.edges.length
                           );
        }

The code that creates the list of vertices produces the right number of vertices. If I set nVertices equal to the length of that list, everything was fine.

If instead I set

        this.nVertices = dim+1;

it was wrong. Huh? For example, in four dimensions, the number of vertices is supposed to be five, and that was the length of the list. When is 4+1 not equal to 5?

At this point a light bulb went off, because it was clear that dim+1 was coming out equal to 41. In three dimensions it was 31. When is 4+1 not equal to 5? When it’s actually "4"+1. In other words, dim was a string. JavaScript “helpfully” converts a string to a number when you do anything arithmetical to it, like multiply it by something or raise it to a power. But + isn’t always an arithmetic operation! In JavaScript (and many other languages) it’s also used for string concatenation.

What went wrong, and a rant

The problem was that, the second time I tried to create a simplex, the number of dimensions was coming from the user interface: from an <input> element in a web form. And every value that you get from a web form is a string. HTML knows nothing about numbers, and it has no way to know what you’re going to do with the input you get.

So the fix was simple (and you can see it here on GitHub): convert the value from a string to a number right off, before trying to use it as a number of dimensions. But… But… But cubes and octahedrons were right!

That’s because the number of vertices in an N-cube is 2**N, and in an N-orthoplex (an octahedron in three dimensions) it’s N*2 (and multiplication is always an arithmetic operator in JavaScript). And it worked when I was creating the simplex’s vertices because there dim was only being compared against in a for loop. And so on.

If I’d been using a strongly-typed language, the compiler would have found this two weeks ago.

There are two main ways of dealing with data in a programming language, called “strong typing” and “dynamic typing”. In a strongly-typed language, both values and variables (the boxes you put values into) have types (like “string” or “integer”), and the types have to match. You can’t put a string into a variable with a type of integer. Java is like that (mostly).

Some people find this burdensome, and they prefer dynamically-typed languages like JavaScript. In JavaScript, values have types, but variables don’t. It’s called “dynamic” typing because a variable can hold anything, and its type is that of the last thing that was put into it.

You can write code very quickly in a language where you don’t have to declare your variables and make sure they’re the right type for the kind of values you want to put into them. You can also shoot yourself in the foot much more easily.

There are a couple of strongly-typed variants on JavaScript, for example CoffeeScript and TypeScript, and a type-checker called “Flow”. I’m going to try one of those next.

There was one more problem with simplexes

(simplices?) … but that was purely geometrical, and just because I was trying to do all the geometry in my head instead of on paper, and wasn’t thinking things through.

If you’re in N dimensions, you can create an N-1 dimensional simplex by simply connecting the points with coordinates like [1,0,0], [0,1,0], and [0,0,1] (in three dimensions – it’s pretty easy to see that that gives you an equilateral triangle). Moreover, all the vertices are on the unit sphere, which is where we want them. The last vertex is a bit of a problem.

A fair amount of googling around (or DuckDuckGoing around, in my case) will eventually turn up this answer on mathoverflow.net, which says that in N dimensions, the last vertex has to be at [x,...,x] where x=-1/(1+sqrt(1+N)). Cool! And it works. Except that it’s not centered – that last vertex is a lot closer to the origin than the others. It took me longer than it should have to get this right, but the center of the simplex is its “center of mass”, which is simply the average of all the vertices. So that’s at y=(1+x)/(N+1) because there are N+1 vertices. Now we just have to subtract y from all the coordinates to shift it over until the center is at the origin.

Then of course we have to scale it so that all the vertices are back on the unit sphere. You can find the code here, on GitHub.
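As an added example (not Hyperviewer's code, and not the GitHub code linked above), the following JavaScript puts together the two things this post works through: parsing the form value before doing arithmetic on it (the "4"+1 bug), and building the regular simplex with the x=-1/(1+sqrt(1+N)) vertex, recentering it on its center of mass and rescaling it onto the unit sphere. All function names are my own.

```javascript
// Added example, not code from Hyperviewer. Builds a regular N-simplex the
// way the post describes, starting from a form value that arrives as a string.

// The bug from the post: "4" + 1 === "41". Convert the form value first and
// refuse anything that is not an integer dimension of at least 2.
function parseDimension(raw) {
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 2) {
    throw new Error("dimension must be an integer >= 2, got " + raw);
  }
  return n;
}

// Vertex and edge counts for an N-simplex, as in the post's sanity checks:
// dim + 1 vertices and (dim + 1) * dim / 2 edges, never "41".
function simplexVertexCount(raw) {
  return parseDimension(raw) + 1;
}
function simplexEdgeCount(raw) {
  const n = parseDimension(raw);
  return (n + 1) * n / 2;
}

// Vertices of a regular simplex in N dimensions: the N unit vectors plus
// [x,...,x] with x = -1/(1+sqrt(1+N)), shifted so the center of mass is at
// the origin and then scaled so every vertex is back on the unit sphere.
function simplexVertices(raw) {
  const n = parseDimension(raw);
  const x = -1 / (1 + Math.sqrt(1 + n));
  const verts = [];
  for (let i = 0; i < n; ++i) {
    verts.push(Array.from({ length: n }, (_, j) => (i === j ? 1.0 : 0)));
  }
  verts.push(new Array(n).fill(x));
  // Center of mass: n of the n+1 vertices contribute 1 to each coordinate
  // and the last contributes x, so every coordinate is y = (1 + x) / (n + 1).
  const y = (1 + x) / (n + 1);
  return verts.map((v) => {
    const shifted = v.map((c) => c - y);
    const len = Math.hypot(...shifted);
    return shifted.map((c) => c / len);
  });
}

// Geometric check: right number of vertices, all on the unit sphere, and all
// pairwise distances equal (that is what makes the simplex regular).
function isRegularUnitSimplex(verts, eps = 1e-9) {
  const n = verts[0].length;
  if (verts.length !== n + 1) return false;
  const dist = (a, b) => Math.hypot(...a.map((c, k) => c - b[k]));
  const origin = new Array(n).fill(0);
  let edge = null;
  for (let i = 0; i < verts.length; ++i) {
    if (Math.abs(dist(verts[i], origin) - 1) > eps) return false;
    for (let j = i + 1; j < verts.length; ++j) {
      const d = dist(verts[i], verts[j]);
      if (edge === null) edge = d;
      else if (Math.abs(d - edge) > eps) return false;
    }
  }
  return true;
}
```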

Another fine post from The Computer Curmudgeon.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

On the whole not a bad week. Pretty good week? Anyway. The main achievement was finding what to me was a very obscure bug in my hyperviewer graphics demo. In retrospect it shouldn't have been that obscure; the fact that it took me a week to find was probably because I'm too used to using strongly-typed languages. Hint: when is x+1 not equal to 1+x? (Answer under the cut, in Monday's notes.)

The other thing I did this week (I only did two things? Sad.) was attend a workshop at the Seattle office of SCORE: "Growing a Consulting Business", presented by John Martinka. I spent a lot of the time feeling very much like a fish out of water, but I had a couple of encouraging conversations during the breaks that made me think that maybe I do have expertise that companies would pay for. Probably not big companies, but small businesses. Maybe. The biggest problem is my almost total lack of self-confidence.

It may be too late to help with my current financial crunch.

It was also given at 8:15am in downtown Seattle, which made for a l o n g day. Fortunately, I haven't been sleeping all that well lately (c.f. previous paragraph), so I was able to leave a little before 6am and get there on time. It does say something about the possibility of commuting. I could do it once a week if I had to, though.

One of the highlights of this week's linkspam is "How Lisp Became God's Own Programming Language", which includes a reference to Kanef's song about it, The Eternal Flame. More Lisp links in Wednesday's notes.

This week's security links include some updates on the Facebook hack, plus this page in FB's help: scroll down to see if your account was affected. Mine wasn't, but...

Notes & links, as usual )

mdlbear: Wild turkey hen close-up (turkey)

Is it Thursday already? Where did the week go? Today I'm thankful for...

  • A phone interview scheduled for next week,
  • A cat who reminds me when it's bedtime (not to mention dinner time -- thank you Ticia),
  • Non-employers who get rejections back to me quickly (I know, sort of back-handed),
  • A bug that I should have figured out sooner, but was ultimately successful at finding (will make a decent blog post),
  • Strongly-typed languages, in which 3+1 is always equal to 4 and not 31,
  • The ability to concentrate on a problem for hours on end (which is something of a double-edged axe).

I'd be thankful for hope, if I had any.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Not too bad of a week, and productive after a fashion. A job rejection (npm; I didn't have much hope for that one), and a couple of applications including one Friday that got a same-day response asking more questions. I posted on Monday about one of my latest software projects, under the title Adventures in Hyperspace (and Javascript) -- then spent at least half of this week chasing a very mysterious bug. That post originally appeared on Computer-Curmudgeon.com, and was pretty successful as an experiment in cross-posting. It did produce much uglier HTML than I prefer; the post was originally written in markdown. (I also used pandoc to do the conversion; it looks as though the converter Jekyll uses does a better job of it, so I'll have to see if I can take advantage of that.)

I also started the process of separating the Computer Curmudgeon site, which exists mainly for my (currently non-existent) consulting business, from my GitHub Pages site, which I've decided ought to be about the software I'm sharing. They have a very similar look at the moment, but that's changing. Tell me what you think!

There's obviously going to be a lot of cross-posting going on (and I still need to automate that) -- I think I'll put that in my next curmudgeon post. TL;DR: everything except specifically site-related news will get cross-posted to DW (and from there to LJ), and the news posts will at least be linked. For completeness, I probably ought to post links on twitter and FB, too -- I don't read them unless I get a link, but I know some people do. Maybe.

Let's see... the usual collection of data breaches. This time, Google Exposed User Data, Feared Repercussions of Disclosing to Public, but now that the cat's out of the bag, they're (belatedly) "Protecting your data, improving our third-party APIs, and sunsetting consumer Google+". That last bit is the main one affecting those of us who were using G+ as our main alternative to Twitter and The Book of Faces Lies. As for me, I guess I'll be reading more eBooks on the ferry.

My mood's been all over the place. Tuesday, I wrote, "I seem to be feeling more competent/confident now that I've spent the last couple of weeks getting back into a work groove. Who knew?" It does indicate that I actually can work full days, if the work fascinates me. But Thursday, I wrote, "losing hope. Cash low; no jobs I'm qualified for", and had a "bit of a breakdown". More like a meltdown, I suppose. Still enough for me to snap at Colleen for trying to help. Mostly a case of "what not to say to a depressed person", but I can't fault her for suggesting that I get out of the house or make some music, because those really do help. It's just that when I'm that depressed, it feels as though nothing will help. And of course the underlying cause is mostly my financial trainwreck, which only makes me feel worse about myself.

I'd really like to get onto Drip, but it's invite-only at the moment. Meanwhile, anyone have any advice for choosing between Patreon, Buy Me A Coffee, Ko-fi, PayPal, or anything else? (I should get on Bandcamp, too, I suppose.) update: PayPal donation button added to DW profile. Feed the bear?

Notes & links, as usual )

mdlbear: Wild turkey hen close-up (turkey)

Tough one today.

  • I'm still alive.
  • So are my family members.
  • Colleen's new meds appear to be helping.
  • I have a net connection.
  • We have excellent cats.

mdlbear: (technonerdmonster)

(This will be something of an experiment. The original was written in markdown and posted on Computer-Curmudgeon.com. We'll see whether the process made a hash of it. I may have to do some cleaning up.)

This post is about Hyperviewer, an update of a very old demo program of mine from 1988 that displays wireframe objects rotating in hyperspace. (Actually, anywhere between four and six dimensions.) Since this is 2018, I naturally decided to write it in JavaScript, using Inferno and SVG, and put it on the web. It was a learning experience, in more ways than one.

Getting started

I had been doing a little work with React, which is pretty good and very popular, and had recently read about Inferno, which is a lighter-weight, faster framework that's almost completely interchangeable with React. Sounded good, especially since I wanted high performance for something that's going to be doing thousands of floating-point matrix multiplies per second. (A hypercube in N dimensions has 2^N vertices, and a rotation matrix has N^2 entries -- do the math). (It turns out I really didn't have to worry -- Moore's Law over three decades gives a speedup by a factor of a million, give or take a few orders of magnitude, so even using a partially-interpreted language speed isn't a problem. Perhaps I'm showing my age.)

To keep things simple -- and make it possible to eventually save pictures -- I decided to use SVG: the web standard for Scalable Vector Graphics, rather than trying to draw them out using an HTML5 Canvas tag. It's a perfect match for something that's nothing but a bunch of vectors. SVG is XML-based, and you can simply drop it into the middle of an HTML page. SVG is also really easy to generate using the new JSX format, which is basically XML tags embedded in a JavaScript file.

Modern JavaScript uses a program called a "transpiler" -- the most common one is Babel -- that compiles shiny new JavaScript constructs (and even some new languages like TypeScript and CoffeeScript, which I want to learn soon) into the kind of plain old JavaScript that almost any browser can understand. (There are still some people using Microsoft Exploiter from the turn of the century millennium; if you're reading this blog it's safe for me to assume that you aren't one of them.)

Anyway, let's get started:

cut tag added to protect your sanity )

(Not too bad of a formatting job, though of course the color didn't come through. Cut tag added because it's over 2000 words.)

Another fine post from The Computer Curmudgeon.
Cross-posted on computer-curmudgeon.com

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

The program I've been working on, which displays a rotating hypercube or other shape, is working nearly as well as the version I wrote in C about 30 years ago. This version, however, is in Javascript and runs in your browser. It still needs quite a bit of work on the user interface, and there are a couple of really weird things going on with simplexes (simplices? The regular 3-simplex is the tetrahedron; the 2-simplex is the equilateral triangle. Anyway...) Follow the link to the current working version.

I've learned a few things:

  • quite a bit more Javascript,
  • that Javascript, in many ways, sucks even more than I expected,
  • that I can still concentrate on a program all day, every day for a week,
  • that I'm still lousy at estimating,
  • and that I really shouldn't try to do geometry in my head (though I did pretty well on the perspective transform, I think).

In other news, my trigger thumb is no longer triggering, meaning that the inflammation in the tendon has gone down. There are still quite a few residual aches and pains, probably caused mainly by under-use over the last month or two.

Down in the notes for Tuesday you'll find the practice questions I used with (nephew) j, and under Thursday you'll find a lot of rather inconclusive talk about the alleged Supermicro Hack. It's quite strange. Somebody's credibility is going to go through the floor, but whether it's Bloomberg or Apple+Amazon is not at all clear at the moment.

I really didn't want to be living in a dystopian SF underground comic book, but that's the way things are trending.

Notes & links, as usual )

mdlbear: Wild turkey hen close-up (turkey)

Today I am thankful for...

  • The cats. Especially the one sitting in my lap and purring. Thank you, Desti.
  • People who like my songs. Especially, people who like my songs enough to sing them.
  • Mom.
  • A daughter with initiative. (That would be the younger one.)
  • Being able to spend entire days programming. I was worried.
  • New skills I can learn.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Not a bad week? Hard for me to tell. Nothing disastrous happened, anyway, and my trigger thumb appears to be mostly better. I sent out two job applications, and got back a rejection from the one I had a phone screen for last week. There is one from a couple of weeks ago that I'm also waiting to hear from.

I spent almost all of Friday and a lot of Saturday programming -- it's very encouraging to know that I can still do that. It suggests that I probably can handle a full-time job. The program in question is an update of the rotating hypercube (and other polytopes) demo I wrote somewhere around 1990. The original was, of course, in C; the current version is in JavaScript. I'll be packaging the pieces, thereby adding to the confoundingly cluttered chaos that is the npm package ecosystem. Last night's work was unit tests for the polytope classes. So those are working, and I'm learning more about JavaScript.

The security kerfuffle of the week was Facebook's announcement that 90 million accounts had been compromised. Think about that number for a moment. You can find out whether your account was compromised in this or any other breach by entering your email address at Have I Been Pwned. Think about the fact that Facebook is not on their list of the ten largest breaches.

The privacy kerfuffle of the week was the latest version of Google's Chrome browser, which automatically logs in the browser whenever you log in to any of Google's other properties, e.g. gmail, calendar, and maps. You can turn the "feature" off, but you'll have to google for the instructions. Irony intended.

It's worth noting that if you only have one Google account and keep Chrome logged in so that you can sync, this doesn't affect you, and you might even consider it the convenience that Google says it is. And if you're on Android or ChromeOS, where Google is your login, or (like me) have already switched to Firefox for other reasons, this doesn't affect you either.

I went through the list of symptoms at Burning Out: 12 Real Signs That You’re Overdoing It, referring to my last couple of years at $A. Twelve out of twelve. The author says that "Burnout is [...] a sustained—yet unsustainable—pressure on yourself that causes a physical, mental, or emotional collapse. That collapse can cause you to make really drastic, and sometimes disastrous, decisions." Yeah. That.

Notes & links, as usual )

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Where the heck did this week go? Moderately productive, I guess, though I'm still worried about my ability to keep a full work schedule. The main things were a trip down to Rest Stop (the South end of the rainbow, in Seattle) on Monday, a take-home test for the job I had a phone screen for last week, and a physical therapy appointment Friday. My trigger thumb is, finally, doing noticeably better. L is moved in, and most of her stuff is out of the cats' room. That's still going to become the guest room and office.

I made one curmudgeon post, a PSA about the latest Magecart breach, at Newegg. Used that to test cross-posting to computer-curmudgeon.com. Spent most of yesterday working on MakeStuff/page-to-template-data to make the process smoother. The ultimate goal, of course, is a script for cross-posting.

There was quite a lot of link-chasing, researching Javascript, Magecart, and Python; meanwhile I've been trying (with minimal success so far) to catch up on some of the fiction on my (DW) reading list. I try to stay current on the poetry.

The most interesting link other than those was this Linux status report by Linus Torvalds, in which he apologizes for his abusive behavior on the kernel mailing list, and says that he's taking a break from Linux to work on it. The last time he took a similar break, it was to write git.

I'd consider taking a similar break to work on my issues, but the main ones that need work are time-management and procrastination...

Notes & links, as usual )

mdlbear: (technonerdmonster)

TL;DR: if you bought anything from Newegg between August 14th and September 18th, call your bank and get a new credit card. You can find more details in these articles: NewEgg cracked in breach, hosted card-stealing code within its own checkout | Ars Technica // Hackers stole customer credit cards in Newegg data breach | TechCrunch // Magecart Strikes Again: Newegg in the Crosshairs | Volexity // Another Victim of the Magecart Assault Emerges: Newegg

The credit-card skimming attack appears to have been done by Magecart, the organization behind earlier attacks on British Airways and Ticketmaster. If you are one of the customers victimized by one of these attacks, it's not your fault, and there isn't much you could have done to protect yourself (but read on for some tips). Sorry about that.

This article, Compromised E-commerce Sites Lead to "Magecart", gives some useful advice. (It's way at the end, of course; search for "Conclusion and Guidance".) The most relevant for users is

An effective control that can prevent attacks such as Magecart is the use of web content whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons function by allowing the end user to specify which websites are “trusted” and prevents the execution of scripts and other high-risk web content. Using such a tool, the malicious sites hosting the credit card stealer scripts would not be loaded by the browser, preventing the script logic from accessing payment card details.

Note that I haven't tried NoScript myself -- yet. I'll give you a review when I do. They also advise selecting your online retailers carefully, but I'm not sure I'd consider, say, British Airlines to be all that dubious. (Ticketmaster is another matter.)

Impacts of a Hack on a Magento Ecommerce Website, which talks about an attack on a site using the very popular Magento platform, gives some additional advice:

Shy away from sites that require entering payment details on their own page. Instead prefer the websites that send you to a payment organization (PayPal, payment gateway, bank, etc) to complete the purchase. These payment organizations are required to have very strict security policies on their websites, with regular assessments, so they are less likely to be hacked or miss some unauthorized modifications in their backend code.

They also suggest checking to see whether the website has had recent security issues, and using credit cards with additional levels of authentication (e.g. 2FA -- two-factor authentication).


Things are more difficult for retailers, but the best advice (from this article, again) is

Stay away from processing payment details on your site. If your site never has access to clients’ payment details, it can’t be used to steal them even if it is hacked. Just outsource payments to some trusted third-party service such as PayPal, Stripe, Google Wallet, Authorize.net, etc.

Which is the flip side of what they recommend for shoppers. If the credit card info isn't collected on your site, you're not completely safe, but it avoids many of the problems, including Magecart. Keep your site patched anyway.

If you insist on taking payment info on your own site, and even if you don't, the high-order bit is this paragraph:

E-commerce site administrators must ensure familiarity and conformance to recommended security controls and best practices related to e-commerce, and particularly, the software packages utilized. All operating system software and web stack software must be kept up to date. It is critical to remain abreast of security advisories from the software developers and to ensure that appropriate patch application follows, not only for the core package but also third-party plugins and related components. [emphasis mine]

Be careful out there! links )

Another fine post from The Computer Curmudgeon, cross-posted to computer-curmudgeon.com.

mdlbear: Wild turkey hen close-up (turkey)

Today I am grateful for:

  • People who post interesting things on their journals,
  • A mostly-recovered thumb (I hope; not pushing -- or bending -- it much right now),
  • Music, especially after doing something stressful,
  • My singing teacher,
  • Getting stuff done, even if it's only a fraction of what needs doing,
  • My (gradually) increasing command of Javascript and related front-end topics.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Ysabetwordsmith's Poetry Fishbowl is Open! Go feed the fish! This is a bonus fishbowl; the theme is The Big One.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

I guess the last week was... I don't know. Not awful? I got some things done. My new website, computer-curmudgeon.com, saw enough work to make it at least presentable; I'll want to do some more work on the content before I go public. Comments welcome.

Some other things accomplished included sorting through, and mostly shelving, a box of songbooks. There's at least one more, and the convention songbooks and other stuff without covers isn't shelved and probably shouldn't be. Damned if I know what I should do with them, though.

Friday I had a phone screen for a front-end job; we'll see how well I survive the coding test that's the next step. I don't have a whole lot of hope for that one, but it would be fun if I got it. For certain values of fun -- I still have no idea whether I'll have the discipline to pull off a full-time job again. I put in four other job apps.

I also realized that maybe my biggest problem is fear of making decisions. It's not surprising, considering how many of my decisions over the last couple of decades have been wrong, in some cases disastrously so.

In other news, things have been happening. Our new household member, L, arrived yesterday and all of her stuff is at least in the house, if not in its eventual target locations. The office, also known as "the cats' room", was the staging area and still has a lot of stuff in it. I'll suggest having (housekeeper) T' do most of the lifting when she comes on Tuesday. T' also came Sunday to move stuff in the apartment to prepare a space for the second bed box, which arrived Monday. And my Oval-8 thumb brace finally arrived, Tuesday, dropped off by the neighbor it had been misdelivered to. Cecil, the neighbor's cat we briefly took in a couple of weeks ago, is back in circulation. He's sporting a collar now, so he won't be mistaken for a stray again.

Okay, I think I have to upgrade this to a good week. How long has it been? (*goes to look*) Well, the last three have been sort of acceptable. Several don't have assessments, and there have been a few "moderately productive" weeks. The last weekly post in which I actually used the word "good" (preceded by "pretty") was 20171008Su - 14Sa. So there's that.

In the links, a couple of programming language intros -- JavaScript for Cats and The Hitchhiker’s Guide to Python -- and one scary and extremely effective weather report.

Notes & links, as usual )

mdlbear: Wild turkey hen close-up (turkey)

Today I am thankful for...

  • My Oval-8 thumb brace,
  • Colleen's medical pass, that gets us to the front of the ferry line,
  • Cheap fares for seniors and cars under 14' long,
  • A slowly improving grasp of CSS,
  • Having read through git's source code when it was still small,
  • Rain,
  • Cats,
  • Capos.

mdlbear: the positively imaginary half of a cubic mandelbrot set (Default)

Another largely unproductive week, though I did put in three job applications (it seems to take me a huge amount of mental energy to write a cover letter, not to mention a lot of time) and got a rejection for another one. One of the job applications, for GitHub, had a really fun set of additional questions. I should probably post those, with my answers, at some point.

I also wrote two (rather small) curmudgeon posts, a PSA and a DW tip, and wrote and tested an alternative method for uploading a Jekyll website using git with a production branch. (The previous methods were simply pushing it to GitHub, which is trivial but only works if it's using GitHub's somewhat restricted version of Jekyll, and uploading it with rsync.) This method, which puts the build artifacts on a separate branch, could easily be generalized to anything else that has to be built locally. I had to do something, because I don't have a good way of running Jekyll (the static site builder used on GitHub) on my web host.

I did get off my arse and make two phone calls following up on healthcare referrals (one of which has been sitting on my desk since last December). One, the PT appointment for my trigger thumb, actually had an opening for Friday. So progress is being made there -- I've been doing exercises, and my Oval-8 thumb splint should be arriving in the mail later today.

I also did some mail sorting, which turned up a fairly sizeable check that I hadn't cashed (and didn't remember receiving!). So there's that.

I was less successful setting up a home office in our unused bedroom. The problem is that the cats have been using that room, and Desti in particular quite reasonably regards it as hers. If I shut her out, she scratches at the door, and if I let her in she promptly jumps up on my keyboard, which kind of defeats the purpose. Not sure what I'm going to do about that; hopefully I can persuade her that a cat tree next to the desk is more comfortable. That may require getting a new cat tree.


mdlbear: Wild turkey hen close-up (turkey)

Today I'm grateful for:

  • Having enough motivation to get a few things done.
  • Colleen, her caregiver, and home-made banana bread.
  • GNU Make.
  • My ability to learn programming languages quickly.
  • My singing teacher.

mdlbear: (technonerdmonster)

Actually two PSAs.

First: Especially if you're running Windows, you ought to go read The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED. It's the story of how a worldwide shipping company was taken out as collateral damage in the ongoing cyberwar between Russia and Ukraine. Three takeaways:

  1. If you're running Windows, keep your patches up to date.
  2. If you're running a version of Windows that's no longer supported (which means that you can't keep it patched, by definition), either never under any circumstances connect that box to a network, or wipe it and install an OS that's supported.
  3. If at all possible, keep encrypted offline backups of anything really important. Offline matters: NotPetya spread across the network and wiped every Windows machine it could reach, so a backup drive that's always plugged in, or a share that's always mounted, goes down with everything else. (I'm not doing that at the moment either. I need to fix that.) If you're not a corporation and not using cryptocurrency, cloud backups encrypted on the client side are probably good enough.

Second: I don't really expect that any of you out there are running an onion service. (If you had to click on that link to find out what it is, you're not.) But just in case you are, you need to read Public IP Addresses of Tor Sites Exposed via SSL Certificates, and make sure that the web server for your service is listening on 127.0.0.1 (localhost) and not on 0.0.0.0 or *. That's the way the instructions (at the "onion service" link above) say to set it up, but some people are lazy, or think they can get away with putting a public website on the same box. They can't: if the same server also answers on a public IP address, anyone scanning the internet for TLS certificates can find the one that names your .onion address and tie the hidden service to that public address.

If you're curious and baffled by the preceding paragraph, Tor (The Onion Router) is a system for wrapping data packets on the internet in multiple layers of encryption and passing them through multiple intermediaries between you and whatever web site you're connecting with. Each relay can strip only its own layer, so no single relay knows both who you are and where you're going. This will protect both your identity and your information as long as you're careful: the last relay (the exit) still sees whatever you send in the clear, so use HTTPS, and don't log in as yourself if you want to stay anonymous. An onion service is a web server that's only reachable via Tor; its traffic never leaves the Tor network, so there is no exit relay involved and the server's own location is hidden as well.

Onion services are part of what's sometimes called "the dark web".
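As an added example (not from the original post, and not anything the Tor project ships), here is a small shell audit for the point above: the web server behind an onion service should be bound only to the loopback address. It assumes the output format of Linux `ss -Hltn`; the sample lines in it are constructed to look like that output and are not from a real machine. The torrc and nginx lines in the comments are the standard settings; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audit listening TCP sockets so that an onion service's web server is only
# reachable on the loopback address, as the Tor docs instruct:
#
#   torrc:                HiddenServicePort 80 127.0.0.1:80
#   nginx server block:   listen 127.0.0.1:80;      (not "listen 80;")
#
# Real use on Linux:   ss -Hltn | audit_listeners
# (older iproute2 without -H is fine too: the header line is skipped.)

# Constructed sample in the shape of `ss -Hltn` output; not a real host.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 *:8443 *:*
LISTEN 0 128 [::]:22 [::]:*'

# audit_listeners: read ss-style lines on stdin, print each listener bound to
# a wildcard address (0.0.0.0, *, or [::]), and return 1 if any were found.
# Loopback bindings (127.0.0.1, [::1]) are what an onion service should use.
audit_listeners() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        case "$laddr" in
            0.0.0.0:*|\*:*|\[::\]:*)
                printf 'EXPOSED on all interfaces: %s\n' "$laddr"
                found=1 ;;
        esac
    done
    return "$found"
}

# count_exposed: number of wildcard listeners in the ss-style text given as $1.
count_exposed() {
    printf '%s\n' "$1" | audit_listeners | wc -l | tr -d ' '
}

# Demo on the constructed sample; prints the three exposed listeners.
printf '%s\n' "$SAMPLE_SS" | audit_listeners \
    || echo "bind those to 127.0.0.1 (or move them off this box)"
```

The audit only looks at the local address column, because that is the whole question: a listener on 0.0.0.0, *, or [::] answers on every interface, including the public one, while Tor only ever needs to reach 127.0.0.1. Anything it flags that belongs to the onion service's web server should be rebound to loopback; anything else listening publicly on the same host is the "public website on the same box" case and should live somewhere else.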

Be safe! The network isn't the warm, fuzzy, safe space it was in the 20th Century.

Another public service announcement from The Computer Curmudgeon.

Page generated 2019-02-16 03:16 pm
Powered by Dreamwidth Studios