Allan is Missing

Posted by Daniel Lyons Sun, 10 Oct 2004 02:03:13 GMT

Allan Poindexter is missing. He’s been gone about 22 hours. I don’t have room for anything else in my head right now.

no comments | no trackbacks

Elucidation

Posted by Daniel Lyons Fri, 08 Oct 2004 07:08:08 GMT

So, clan update.

By the way: when I say “it has been pointed out by many people that there are inaccuracies in the below entry” it means “bitch, be cool, don’t email me just yet I’m getting there.”

The Events

Bill didn’t drink. Mattax did, a little, but took off his top because that’s how he relaxes. So Bill has no excuse for what he was thinking about doing.

Bill deserves commendation, both for his extremely frank email to me, and also for realizing the error of his ways. As far as he’s concerned, a full ROLLBACK to the pre-Friday. So, no Erin, more Talia. Go Bill!

Mattax still dumped Julie in a rather nasty way. He may or may not wind up with someone else, when he’s good and ready.

Bill says there isn’t much drinking at the clan apartment. He says it’s just your normal college kid drinking. I say, fuck you Bill—we all know there was functionally zero clan drinking at the outset. Jarrod always drank, but never made it a Clan thing. Then you brought your booze over when you moved in from West, and occasionally drank with your old I6U buddies. Then Mattax wanted in. Then it was just you and Mattax. And now everyone does some. This offends me, but whatever. If you guys sell out, waste money, kill brain cells, and have a shitty time, that’s your business. You’re still my friends. Even if you all decide to wear no clothes but smear mud and pigshit all over yourselves, constantly jacking each other off in the filth while feasting on rotting entrails and scabs, you’re still my friends. I still care about you. “Your data is safe.”

Of course, I’d probably say these things either way.

To The Maligned

As far as I can reconstruct, nothing really of any importance occurred, apart from Julie catching Mattax half-naked with her perceived replacement. As of right now, all that’s really come of this is Julie (rightly so) feels slighted. I don’t think anything else will come of it.

Weiss: I find drinking distasteful. When I say “wait for corrections” I don’t mean “bitch about lack of corrections.” I mean, calm down or get your own blog. Your actions lately, however, are highly commendable. I’m glad you figured out that no sleep + 3 jobs + 17 credit hours + fucking Compilers + a girlfriend + gaming + (gee) a little booze equals “I’m fucking confused, and shouldn’t make important decisions right now.” You should consider teaching this to the rest of the gang.

Mattax: What you did to Julie is Wrong. I say this because I haven’t talked to anyone who thinks you did it the right way. You yourself said, you didn’t intend to break up with her, things just worked out that way. Well, next time, make them work out a better way. As for anything else—your prerogative. FWIW, I believe your story, and I don’t think you would really be stupid enough to expect anything to develop with Jenna. Now get a damn blog so others can get it from the source. This is, after all, what blogs are for and about. I’ll even help you install a spell-checker.

Everyone else: Y’all are a bunch of fucksacks for giving Allan shit. I spoke to Allan and Eric before making my first post, since then I spoke to Major, Bill and Mattax too. Nobody hid a damn thing from me. Which is good, because even if you were hiding it from me, I’d still be hearing it from Eric, who was hearing it from non-Clan people. That’s right, the hideous details of our social lives are such a non-secret, it’s difficult finding people who don’t know about them. So when I call, yeah, I want to know, and yeah, it’s probably going on the blog, and yeah, you shouldn’t give a fuck. Eric was right in calling it “Days of Our Spum.” Grow up.

Special Message to Brian, Jarrod et al.

You were right, this shit should have been addressed before I left. I want to talk to you guys about implementing your plan for decentralizing this club, getting some fresh air in, and reducing the level of wack inbred antics before they actually start to become as interesting as I was led to believe they were. I’ll be emailing you both about this soon. Anyone else who was party to this should let me know so they can get in on the emailings.

Things of Greater Importance: Lisp’s CLSQL

I discovered by far the best object-relational mapping system, unsurprisingly, for Lisp. It’s called CLSQL. It works via a slight modification to the class system and a reader macro for generating SQL. So you have basically two ways of interacting with it: proper row object instances, overloaded with whatever methods you like, and nifty Lispy SQL statements. You get complete database interoperability, including multi-value primary keys and foreign key constraints. This library is the shit. Check it out, if you know what’s good for you.

Things of Still Greater Importance: Paul Paquette’s Blog

Paul has rejoined us!

4 comments | no trackbacks

More on the Clan, Film at Eleven

Posted by Daniel Lyons Tue, 05 Oct 2004 06:50:13 GMT

It has been pointed out by many people that there are inaccuracies in the below entry. I will be fixing the inaccuracies tomorrow when I have what I consider to be a fair and reasonable picture of everything that has occurred. In the meantime, all I really have to say is: disregard the comments about Brian, which are untrue (he was not involved in the Erin being topless portion) and note that Major has now decided to excommunicate himself. I believe he may be the only person involved more-or-less directly with the situation who has responded appropriately.

Lame, ill-informed, foolhardy actions are being taken by several members of the clan. I cannot talk them out of it, though I would like to. In fact, it’s really not my place to try. I will keep my harsh words limited to this forum because I don’t have any real reason to hide anything here, where basically no one reads.

I will try to remain friends on a personal level with as many members of my soon-to-be defunct clan as I can. I will try to make it 100%. I just know I can’t abide by the level of random stupidity which is now considered normal.

I’ll talk about this more tomorrow.

no comments | no trackbacks

Failure

Posted by Daniel Lyons Sun, 03 Oct 2004 08:28:21 GMT

My clan apparently has devolved into a group of slobbering drunks. Don’t get me wrong, I still love ‘em, but Allan told me about Thursday night’s sexual weirdness and I think you’ll agree, it shows that stupid repressed sexual urges should probably stay stupidly repressed rather than revealed in the context of drunken shenanigans.

Evidently, everyone was drinking, which is now normal, and somehow Bill, Brian, Mattax and Erin wound up topless together in some room. This strikes me as doubly asinine because:

  1. Brian is married
  2. Bill and Mattax both have attractive girlfriends
  3. Erin is… Erin

Julie showed up, wasn’t allowed in the room, Jenna and Mattax left the room (apparently she could contain her excitement), Mattax goes back in the room, Allan wises up and leaves.

So the question of the hour is, by God, did you morons have any idea drinking could lead to this much fun? I bet I get a lecture from Brian about it being none of my business. He’ll be right, but goddamn. I can’t conceive of an explanation for this which will make it sound reasonable or understandable. The story itself just oozes with the kind of lame foppishness I don’t expect from my clan, the style of overblown sexual tension that makes theatrical British matrons giggle that shrill, soul-offending way. Imagine an X-rated, tit-out Jane Austen novel—gleefully retarded, socially reprehensible yet socially obsessed, and you may come close to what I’m picturing—a scenario in all ways deserving of immediate decimation with extreme prejudice.

Wake up, you tards. You aren’t having “more fun,” you just managed to dull your senses enough that you can’t tell that you aren’t. The glory of the old clan was that we could all be ourselves around each other. The most obvious symptom of a failure of this system is the need to inebriate to tolerate and converse. We used to like each other. We didn’t need to get drunk to socialize.

Insert Major-esque “I’ll feel bad about this in the morning and wish I hadn’t said this” disclaimer here.

On to the usual computer shit.

On Thursday, Michael and I spent 3 hours trying to get an SSL certificate installed from GeoTrust. For those who do not know, SSL is a complete and evil racket. The idea behind SSL is that you trust the host you connect to, because some certificate authority or CA signed the certificate. In actual fact, people trust SSL because it’s so hard to crack (ha! at Bill’s work they crack it every day). Meanwhile, in the real world, we treat SSL as being nothing more than an encryption mechanism, and rightly so.

Look at who created SSL: Netscape. Everyone liked their browser the best because, among other things, it gave very thorough security information. But the security information was used as a ploy, because Netscape more-or-less invented SSL, and if self-signed certificates were just as good as “official” certificates, nobody would pay $400 for them. Netscape knew the browser market was going to fall apart, it had to. Not-too-unfamiliarly, Netscape created a great deal of fear through the browser warnings, which were quickly replicated in IE, and this fear propelled SSL certificate sales. Today, most people are unaware of the trust angle—because it’s irrelevant.

Do you know where the trust comes into it? When buying a certificate, the CA is supposed to go to great lengths to verify your organization, your ownership of the domain in question, and all the other data you provide. In practice, they delay for a few minutes and then give you the certificate. There are tons of CAs that specialize in bargain-price certificates, but it doesn’t matter, because as long as your CA is signed by one of the top-level CAs, all browsers will trust them.

Suppose I have some secret data. I give it to three people I trust: Alice, Bob and Oscar. Alice and Bob always verify who they give this data to by going to great lengths checking their character. Oscar, on the other hand, says “give me $20, and I’ll let you know.” Is it safe for you to assume that the secret is safe? Would it be reasonable to program all computers everywhere to trust in the secret data? Because that’s how SSL works.

Anyway, yesterday the main failure was seeing the guy pulled over in the left turn lane, standing in the door of his truck, taking a leak. In the middle of the road. During rush hour. God I hate this town.

There were other intermediate failures though. I was setting up Mail.app for Alex, and apparently it doesn’t take too well to being told where its folders are going to go unless you have two accounts set up in it. I was only setting up one. I tried to do a pvmove on my Linux box so I could free up a hard drive and install OpenDarwin, FreeBSD or OpenBSD on it. Well, the LVM2 implementation for Linux 2.6 doesn’t support ioctl msg 9, meaning doing a pvmove /dev/hda5 caused it to make a big temp logical volume but not actually move any data. I downloaded the newest version of LVM and 2.4 kernel, because they fucking don’t support 2.6 anymore. It did get done though, eventually.

At one point in time, I told all my friends to go with LVM. At the time, I was right. We’ll call this period of time “the Golden Age of LVM” and we’ll say it lasted basically from LVM 1.0 to when Linux 2.6 came out, a period of about a year. Then we had to upgrade to the new device-mapper/LVM 2.0 buttsex, which didn’t work for a while and then was painful to use. Apparently they never implemented pvmove in 2.0. Now they have, but they haven’t made it work on the modern 2.6 kernel. So fuck them, I was wrong, avoid Linux Logical Volume Manager like the plague. It is ass. You’re better off with RAID anyway, so just fucking do it. This was apparently a mistake along the same caliber as recommending XFS, and I apologize.

Why OpenDarwin, you ask? Because I’ll be taking this box in to work and using it as my own private staging server, and it will be helpful if it is running an OS comparable to Mac OS X. But it’s a PC. OpenDarwin is as close as I can get, and I think it will be just fine. All of my hardware is supported. I reserve the right to eat my words—I’m already expecting to put FreeBSD 5.3 on it instead.

1 comment | no trackbacks

Application Servers

Posted by Daniel Lyons Thu, 30 Sep 2004 06:30:45 GMT

I wonder if the concept of application server is also bunk. Plone appears to be Zope’s main excuse for existence these days—and I have serious difficulty discerning what it does from what Zope does based on the simple reading of the site.

For grins, I searched on Google for “open source application server,” then quickly realized what I really wanted to search for was “open source application server -java” to lose all the Java shit. I believe Java is fundamentally inefficient, as I may have mentioned before, because it was designed for the lowest common denominator of programmer.

I have narrowed down the search to these four rather strange app servers:

  1. Whitebeam

    Based on a server-side JavaScript model, providing extremely tight PostgreSQL integration if you want it, or a template system that sits on top of it (if I understand correctly), it also uses XSLT for the display, which I’ve also mentioned recently I’m not very keen on.

  2. Vanilla

    Based on a strange but evidently cool language even I haven’t used called REBOL. It uses a snip/space metaphor which seems highly appropriate for designing a hypertext system.

  3. OpenACS

    OpenACS is built on AOL’s wacky but apparently now open source web server, AOLserver. It’s scripted entirely in Tcl, and integrated with PostgreSQL or Oracle, your choice. Unlike the others, it has been around for about 10 years and is billed as a really solid framework though a bitch to install. I wonder if this may be something like what I want.

  4. SQLFusion

    This is some type of CMS which is wanting to fill the shoes of Access, so the developer says. So it seems to be a web-based system for making HTML reports and such on top of an SQL database backend (MySQL or PostgreSQL). Interesting, and very possibly nasty.

The only two things I’m certain of are that I am uncertain, and that this is no surprise to the readership. I am trying to diagnose the problem and I’ve come up with this:

  • Versioning must be maintained at all times and be correct
  • Content must be uniformly accessible whether it comes from the URL, the environment of the server, the server’s own variables, the filesystem, the database, or the Sky God for all I care (I will define uniform accessibility in a moment)
  • The URL must be translated into something I’m calling an IRL, or Internal Resource Locator, by some mechanism that can be customized depending on any of the state information of the server, configuration, or the URL itself
  • Content must be ownable, editable, and viewable with at least UNIX-style permissions applied, or possibly something more fun if it’s not terribly bad to implement
  • I am wanting to separate the handler of a request from the output generator of a request, but I’m not sure it’s reasonable to do this, or if it would be a serious gain for anyone, or if it would be trivial enough to implement that it is meaningless to spec it here.
  • All of the objects and renderers in the system should be language-agnostic; I want to be able to use PHP, Ruby, and anything else as I see fit, preferably without seeing a massive, CGI-like performance hit.
  • Database abstraction may or may not be available, but it is fair to say that PostgreSQL or better will be required. I have little to no desire to complicate things with a lossy database abstraction that does away with concepts like foreign key and check constraints, multiple value primary keys, transactions, triggers, stored procedures, views or replication. I want the system to be flexible enough to find content just on the filesystem, but if a database is going to be involved, I want solid gold not semi-relational crap. (Did you know that SQLite is closer to a RDBMS than MySQL? It has views, transactions and foreign keys, just not actually valid types.)

My urge was to revisit struts and phrame to see if I can understand the whole MVC2 idea better. I like the idea, but it seems clear that if you need a degree to understand the config file, and everything else is magic that happens behind the scenes, there will be great confusion. I am sure it’s great, but I haven’t heard a good explanation of it that made sense yet, so I think I will continue to muddle around in the slime with the other piglets that think that what really happens during an HTTP transaction is this:

  1. A request is sent, essentially encapsulated in the URL + POST + headers
  2. Somebody on the server gets slapped awake and handed the request
  3. Sleepy moron scrambles some sort of text together and sloppily hands it back to the requester

The desktop application analogy isn’t very analogous, in my opinion, because you get to keep state (for what it’s worth). So I’m not entirely sure if something as complex as MVC2 is really warranted, because I don’t really have a strong desire to make web applications as complex or more than desktop apps. But I worry if a loss of generality at any stage is really justifiable.

For the record, in the “maybe someday might exist” “application server” I describe above, the only part that makes sense to me right now is the URL part.

In unrelated news, I think this weekend I may attempt to install PostgreSQL with Slony-I on a big stack of TCC computers and then hammer it, and then kill some of the instances, and see how it works and if a simple CGI for failover host detection is as easy as I suspect it is. I have two boxes here, someday they’ll both be on the network, but for right now it would probably be a hassle to set it up. I’m looking forward to discovering that Slony-I is the answer to most of my PostgreSQL prayers, but I have a few reservations and some general nervousness. We shall see.

1 comment | no trackbacks

Cat, Icons, and MaxDB

Posted by Daniel Lyons Wed, 29 Sep 2004 04:57:37 GMT

This morning I took the cat to get her stitches out. Which went fine, took about 5 minutes, and didn’t even make me late for work. When she got spayed, Ebony was hissing at her when she got back. It doesn’t look like that happened this time. It was probably because she stayed there for the whole day, all kinds of other cat and dog smells got on her.

I’ve asked Alex to make me an icon for Gravatar, the wacky icon service I’m interested in. It’s probably going to wind up being a band logo (probably Death or Mekong Delta, what a surprise) because it’s difficult to take a bunch of band logos, programming language names, the PostgreSQL elephant, pornography and the Anarchy symbol and bring them together in an 80×80 icon. Though I welcome people to try. :)

At work, we were talking about what we need (or want) in a database system, and that’s clustering, hot failover, and other high-end features. We found MaxDB, the new SAP DB, but in addition to strange commercial restrictions which miraculously don’t apply to us, it doesn’t build on the Mac nor is it ever expected to. The client libraries don’t even build on the Mac. So, fuck it. I just wish PostgreSQL would get these truly high-end features someday:

  • Hot failover
  • 2-way replication or clustering
  • Incremental backups (suck, yes, but needed sometimes)

That’s about it.

no comments | no trackbacks

I Hate XSLT Almost as Much as I Hate Bad Security Designs

Posted by Daniel Lyons Tue, 28 Sep 2004 05:18:04 GMT

I was going to write an article “XSL-T Considered Harmful,” but apparently someone got there before I did. However, I will address it some other time, mainly to go over these points in more detail:

  • As XSLT has become very much an independent entity (much easier and more meaningful to implement than full XSL), it needs to be addressed separately, as a programming language. The above article does a very good job, but it’s been a few years, and we need to keep saying it just to keep saying it.
  • XSL-FO has been shown to be impossible to fully implement without serious commercial support. It should, therefore, be dropped, because that makes it useless to people like myself that occasionally like to print but can’t afford $1000 for the luxury.

Instead I thought I would talk about something gaining acceptance today, security through unnecessary complexity. I will begin with an example.

Authorize.net provides card-not-present credit card authorization. In other words, they are a gateway to which you can submit a credit card transaction and receive a response programmatically. They have a bevy of interesting security measures, mostly for fraud protection, but also to secure your password. With every transaction you submit your username and something called a “transaction key,” which looks to me like some Base64 encoded random shit, and I hope that’s what it is. At any time, you can log onto their admin interface and generate a new tran key and start using that either in 24 hours or immediately. This increases security, obviously, because you aren’t passing the password over the wire with every transaction.

The feature I’m interested in discussing is the MD5 field of the response. This field is constructed by taking the MD5 hash of your login ID, the transaction ID, the amount, and a secret value you set in the admin interface. When you get the response, you cram these four values together, take the MD5, and see if you get the same value.
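The check described above, written out as an added example (not Authorize.net’s code or documentation). The order in which the four values are concatenated, the column positions in the CSV response and all credentials and transaction values are constructed assumptions for illustration; the point it shows is that recomputing over the amount you actually sent lets the check catch an altered amount as well as a forged hash.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample credentials; not real values.
LOGIN_ID = "example_login"
MD5_SECRET = "example-secret-set-in-admin-ui"

# Assumed column positions in the comma-separated response line.
# The real gateway's layout is not reproduced here.
RESPONSE_CODE, TRANS_ID, AMOUNT, MD5_HASH = 0, 1, 2, 3


def response_hash(secret, login_id, trans_id, amount):
    """Recompute the response hash from the four values the post names.

    The concatenation order (secret, login ID, transaction ID, amount)
    is an assumption of this example. MD5 is used because that is what
    the gateway field is defined as, not as a recommendation.
    """
    material = f"{secret}{login_id}{trans_id}{amount}".encode("ascii")
    return hashlib.md5(material).hexdigest().upper()


def parse_response(line):
    """Split one CSV response line into its fields."""
    return next(csv.reader(io.StringIO(line)))


def verify_response(line, secret, login_id, sent_amount):
    """Return (ok, reason) for one response line.

    The hash is recomputed over the amount *we sent*, not the amount
    echoed in the response, so a response whose amount was altered in
    transit still fails even though its hash is the gateway's genuine one.
    The comparison is constant-time so the check itself leaks nothing
    about the expected digest.
    """
    fields = parse_response(line)
    if len(fields) <= MD5_HASH:
        return False, "short response"
    expected = response_hash(secret, login_id, fields[TRANS_ID], sent_amount)
    if not hmac.compare_digest(expected, fields[MD5_HASH].upper()):
        return False, "hash mismatch"
    if fields[AMOUNT] != sent_amount:
        return False, "amount mismatch"
    return True, "ok"


def make_sample_response(trans_id, amount, secret=MD5_SECRET,
                         login_id=LOGIN_ID, code="1"):
    """Build a constructed response line the way the gateway is described
    to build one: the hash covers the secret, login, transaction ID and
    amount. Used here only to produce test input."""
    digest = response_hash(secret, login_id, trans_id, amount)
    return ",".join([code, trans_id, amount, digest])


if __name__ == "__main__":
    genuine = make_sample_response("12345", "19.99")
    print(verify_response(genuine, MD5_SECRET, LOGIN_ID, "19.99"))
    # Same genuine hash, but the amount field was changed in transit.
    altered = genuine.replace("19.99", "1.99", 1)
    print(verify_response(altered, MD5_SECRET, LOGIN_ID, "19.99"))
```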

Neat security trick, and that’s all they really say about it in the manual. But what’s the practical effect? You’ve just given some poor asshole’s credit card to the wrong site or whatever, and you get back the response saying “all’s clear” and look at the MD5: it’s wrong. What do you do? You’ve already given away your login name, your tran key, and a credit card number. What do you do now?

What if something was compromised? Your first instinct will be to go to the admin interface and see what’s going on. Unless you pick up the phone instead, you’re going to go give away your password. Which protects all the data for your merchant account, like (for example) your business’s bank account numbers. If you do call, what are you going to say? The MD5 sum failed? To the monkey on the phones? At 3 AM? The boat’s already hit the iceberg, you just caught it within the first gallon. You’re still sunk, and Authorize.net is still sunk.

Moreover, if something were to go drastically wrong, what else might be going wrong? The gateway is basically an HTTP POST with a CSV result. It goes over SSL for security. A problem here indicates a problem with SSL, which means the management interface is also compromised, which is where you send your infinitely more important password. Lots of businesses work like Matterform, and only do AUTH_ONLY requests, meaning, if there is money in this account, authorize it, and we’ll pick it up later (called “capturing”) or cancel (called “voiding”). We have an accountant whose sole function is to go through the admin interface capturing valid-looking transactions. Which means the password gets sent every day. As soon as I took over such a site, I would invalidate all of the logins, and get all the passwords that way. I bet at least 30% of businesses do something like us, which would amount to at least a few thousand Authorize.net account names and passwords, all linked to actual bank accounts.

So the purpose of the MD5 facility is really only to alert you to a shortcoming in SSL. I have no doubt that such a shortcoming exists in SSL, but I find the utility of being alerted to it directly after compromising myself to be less than the effort (meager though it may be) to implement the MD5 checking in our AIM API. I welcome criticisms of my argument, though I suspect that they will boil down to liability, for which (though I cannot be certain as I haven’t read the contract) I do believe Authorize.net is quite responsible.

Thoughts?

no comments | no trackbacks

Blog Stuff

Posted by Daniel Lyons Sun, 26 Sep 2004 11:27:31 GMT

I’ve enabled something called Gravatar on the blog. It’s another interesting technology designed to give people not using LiveJournal certain LiveJournal-like abilities; in this case it lets commenters have the same icon regardless of the site or software the blog is running on. I figured it sounded neat like TypeKey, so I went ahead and installed the plugin. The practical effect is that if you comment on my blog and haven’t registered a user icon (I’m sorry, Globally Recognized Avatar), you get Bob Dobbs instead. When they decide to sue me, I’ll make it my original thought, a text icon that just says:

i am lame
i have no icon
please forgive

gravitar.com

I also worked on Alex’s LiveJournal a bit. I should post what I’ve done with the MTKeyValue plugin, because it’s interesting, and it lets her have (some, hacky) LJ functionality which she desires on the new MT blog. A “STACY” review should be forthcoming as well. Oh, and I finally copied all three of my album reviews from (ugly) musical_elitist. This is only really interesting because two of the three predate blogging for me.

no comments | no trackbacks

Tetsuo II: Body Hammer

Posted by Daniel Lyons Sun, 26 Sep 2004 05:01:55 GMT

Alex and I are really getting into Japanese Horror movies. Tetsuo II is one of the more highly-referenced of the genre. Unfortunately, I didn’t find it to be particularly enjoyable.

The cinematography was annoying—blurry, weird angles, bad color (no red apart from fruity volcano and workout stock footage), poor film quality all combined to make it very difficult to even tell what was going on. I guess this is part of the point, but I didn’t care for the low-end MTV format at all.

The plot was interesting, if sort of hard to get a grip on. The main character can’t remember much of his past, and then his kid gets kidnapped, and then weird mechanical things happen. The story is entertaining, but even the moments of frank elucidation on the part of the arch villain didn’t really reconcile all of the weird threads. This movie was made to be pretty first, and make sense second.

The special effects were quite good, probably seeming better than they were due to the overall poorness of film quality. It’s hard to tell what technique someone is using for a particular effect when it’s hard to tell what effect is going on.

I found the music enjoyable, but as seems to be the norm nowadays, the quiet moments were far too quiet, and the loud moments were pretty damn loud.

Visually, there were many moments I definitely could have lived without seeing (killing a dog, gun/sex play). They will probably stick out in my mind for some time, and I guess the director gets points for making me queasy (it is a horror movie, after all).

I’m having a difficult time putting a rating on it, because it was pretty effective, but at the same time I’m not sure I’m going to want to see it again. Not wanting to see a movie twice generally reduces the score (for example, American History X is a good film, but I don’t recommend it because I don’t want to ever see it again). Hmm.

If you really want to see weird special effects of people having guns and such crawl out of their skin (which I did), you should see it at least once. If you want to see something that will leave you with a generally weird feeling, you should probably see it. Otherwise, you should probably pass on it.

no comments | no trackbacks

The Icorse Files

Posted by Daniel Lyons Sat, 25 Sep 2004 04:04:00 GMT

A few weeks back, some telemarketer called at work and wanted to speak to a man named Icorse. We told them he wasn’t there—could we take a message? No, and they called back several times. We eventually traced the call and discovered who it was. It was the Republican Party.

Today, someone else called. They wanted to talk to Icorse. I told Michael to give the phone to me whenever someone called for Icorse, so pretty soon I had been handed a phone.

Me: Icorse here
Her: Hi, I’m with Disabled Workers of America, how are you doing today Mr. Icorse?
Me: Fine fine, what can I do for you?
Her: Well as I said I’m with Disabled Workers of America, and I wanted to ask you today how your lighting is in your home? Today I’m selling lightbulbs, and I’d like to ask you, what sort of wattages do you use in your home? 100 watts?
Me: I’m sorry, I’m really sorry to say, but the Firefighters Union called me yesterday and I already bought their lightbulbs for my home
Her: Oh, the Firefighters, hmm? But I’d like to ask you, did they come with a 10 year full replacement guarantee?
Me: Actually, they came with a 15 year guarantee.
Her: Well, did they come with full replacement guarantee?
Me: No, but I’m sure it’s not worth the money to get yours, since they’re going to be good for an extra 5 years, and they’re backed by the Firefighters.
Her: Mr. Icorse, I’m here with the Disabled Workers of America. My husband used to beat me. I had to get out of that situation. If you buy my lightbulbs, it gives me a job for four hours.
Me: Are you saying, they fire you if you don’t sell enough light bulbs?
Her: Yes, that’s correct.
Me: What organization did you say you were with?
Her: Disabled Workers of America.
Me: Wuh, wh- I’m a big name in the Republican party, and when news about this gets out, big things are going to happen! whisper whisper I’m sorry, I have to go right now, a meeting. Bye. click

Michael and I looked it up online, apparently they’re prohibited from calling in Pennsylvania, and they’re a pretty well known scam.

no comments | no trackbacks
