Jered's Journal

LJ broken? [09 Nov 2012|12:31pm]
Is anyone else finding that LJ logins aren't working about 50% of the time?  I can log in successfully, but I don't have logged-in state when I go to a page (like update, or friends).

Does anyone use this thing anymore?
9 comments|post comment

I seem to be moving to Google+ [12 Jul 2011|01:19pm]
To the extent that I ever write long form stuff anymore, I seem to be moving it over to Google+. Let me know if you need an invite -- just send me your email address.
3 comments|post comment

Amazon EC2 Considered Harmful? [20 Dec 2010|01:59pm]
(Amazonians: If you think this concern holds water and want to look into it, I can give you my AWL db dumps for purported addresses.)

I've had a really weird spam filtering problem the last few weeks -- my Amazon order confirmations are getting discarded with really high scores from SpamAssassin (SA). It turned out that they were all getting eaten by the Auto Whitelist (AWL), which is really an "address history" mechanism, not a whitelist. Important addresses like "" have history that indicates 10 or more points of likely spamminess.

Spammers and scammers will routinely forge messages from addresses like because they're more likely to make it through filters and be opened. SA avoids this by making the key in the AWL database be the tuple of (from address, first two IP octets). But valid address ranges were getting very high scores! Why?

(Interlude: I solved the underlying problem with a "whitelist_auth *" since Amazon does DKIM sign mail.)

I have an interesting theory, although I cannot prove it. If anyone on my flist is still at Amazon, you may want to look into this further.

Amazon makes no secret that its Elastic Compute Cloud (EC2) service is a spin-out of technology originally built to scale the Amazon online shopping machinery. Demand varies seasonally, and Amazon needs the ability to scale different parts of the software infrastructure on demand. Most of the time they have tons of spare compute capacity, so they make this available via the EC2 service.

It's now the busy holiday season, which means that Amazon's infrastructure is scaled out significantly, making use of servers and IP addresses not recently used for shopping. However, these IP addresses have been in the EC2 pool, and thus occasionally used by spammers, some of whom were faking addresses from (which will conveniently pass SPF checks too). Thus, by leasing out parts of their infrastructure for EC2, Amazon has inadvertently blacklisted themselves for anyone using the SA AWL.

Of course, there are some potentially simpler explanations: perhaps Amazon has recently taken over a netblock that was previously used by spammers. I guess the question is, are EC2 resources shared between EC2 and internal customers?
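To make the mechanism concrete, here is a small model of how the AWL keys and adjusts scores, written as an added example for this post; it is not SpamAssassin's own code, and the merchant address, the IP blocks and the scores are constructed placeholders. It reproduces the two facts the post relies on: the history key is (sender address, first two IP octets), and each message is pulled toward the historical mean for that key by the auto_whitelist_factor (0.5 by default). The whitelist_auth handling is modelled as the -100 point USER_IN_DKIM_WHITELIST hit that only fires when the DKIM signature verifies, so a forged From: gains nothing from it.

```python
"""Toy model of SpamAssassin's Auto Whitelist (AWL) scoring, constructed for this post.

Not SpamAssassin code. Reproduces:
  * history key = (sender address, first two IPv4 octets), and
  * each message is pulled toward the historical mean for that key by
    auto_whitelist_factor (0.5 by default).
Addresses and IP blocks are constructed placeholders.
"""
from collections import defaultdict
from fnmatch import fnmatch

AUTO_WHITELIST_FACTOR = 0.5     # SpamAssassin default
REQUIRED_SCORE = 5.0            # default spam threshold
DKIM_WHITELIST_SCORE = -100.0   # score of USER_IN_DKIM_WHITELIST (a whitelist_auth hit)


def awl_key(sender: str, ip: str) -> str:
    """History key: lower-cased sender plus the first two octets of the origin IP."""
    first, second = ip.split(".")[:2]
    return f"{sender.lower()}|ip={first}.{second}"


class AutoWhitelist:
    def __init__(self, whitelist_auth=()):
        # key -> [sum of recorded scores, number of messages]
        self.history = defaultdict(lambda: [0.0, 0])
        self.whitelist_auth = tuple(p.lower() for p in whitelist_auth)

    def score(self, sender, ip, base_score, dkim_pass=False):
        """Return (final score, is_spam) and record the message in the history."""
        score = base_score
        # whitelist_auth only applies when the sender is cryptographically verified,
        # so a forged From: without a valid DKIM signature gets no credit.
        if dkim_pass and any(fnmatch(sender.lower(), pat) for pat in self.whitelist_auth):
            score += DKIM_WHITELIST_SCORE
        recorded = score                      # AWL stores the pre-adjustment score
        key = awl_key(sender, ip)
        total, count = self.history[key]
        if count:
            mean = total / count
            score += (mean - score) * AUTO_WHITELIST_FACTOR
        self.history[key] = [total + recorded, count + 1]
        return round(score, 2), score >= REQUIRED_SCORE


def demo(forged_messages=10, forged_score=20.0, legit_score=-2.0):
    """Spammers in the shared /16 forge the merchant's address; then real mail arrives."""
    sender = "orders@shop.example"           # placeholder for the real merchant address

    plain = AutoWhitelist()
    for i in range(forged_messages):
        plain.score(sender, f"10.20.{i}.7", forged_score)         # forged, 10.20.0.0/16
    same_block = plain.score(sender, "10.20.200.1", legit_score)   # real mail, same /16
    other_block = plain.score(sender, "192.0.2.9", legit_score)    # real mail, other /16

    with_auth = AutoWhitelist(whitelist_auth=["*@shop.example"])
    for i in range(forged_messages):
        with_auth.score(sender, f"10.20.{i}.7", forged_score)     # no DKIM pass: no credit
    verified = with_auth.score(sender, "10.20.200.1", legit_score, dkim_pass=True)

    return {"same_block": same_block, "other_block": other_block, "verified": verified}


if __name__ == "__main__":
    for name, (final, spam) in demo().items():
        print(f"{name:12s} score={final:7.2f} spam={spam}")
```

Running `demo()` shows the failure mode from the post: ten forged messages scoring 20 from the shared /16 drag a legitimate -2 message up to 9.0, past the threshold, while the same message from a different /16 stays at -2. With `whitelist_auth` and a passing DKIM check the verified message lands far below zero even with the poisoned history, which is why the `whitelist_auth` fix works where a plain address whitelist would have been forgeable.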
post comment

Turducken 2010 [10 Dec 2010|02:47pm]

I haven't been posting here much; sorry about that. All the trivia has been ending up posted more ephemerally on Facebook, or as articles of note shared on Google Reader. I'd like to devote more than 140 characters to this topic, though.

Every year since we bought our house in Somerville we have hosted Thanksgiving and Mothers' Day, as our place is relatively convenient to all parents. I felt like Thanksgiving was getting into a bit of an auto-pilot rut, so this year I decided to make a Turducken. In case you're not already aware, this is a boneless chicken stuffed inside a boneless duck stuffed inside a boneless turkey. The concept of things stuffed within other things is timeless, but the current American obsession is generally credited to Chef Paul Prudhomme, and it was a variant of his recipe that I followed.

My knife skills are pretty good but not really up to lots of deboning, so I got the birds from Mayflower Poultry on Cambridge St. (You may know them better as "Live Poultry Fresh Killed" because of their landmark sign.) I avoided the place for years because it looked sketchy, but they're actually a great old-style butcher shop. They will sell you the three birds, deboned, for $80, which isn't a bad price. They also have fresh rabbit for Easter and Christmas (mmm, rabbit)... but that's a different cooking story.

If you've read through the recipe I linked to above, you'll notice that it calls for an outrageous amount of stuffing and gravy. I scaled it back slightly (3 recipes of the sausage stuffing, 3 recipes of the oyster stuffing, 4 recipes of the gravy), but it turns out that you really do want about that much. The scaled up recipes are a bit of a challenge as they do take longer and require really, really big cookware... availability of my biggest stockpot was the time-limiting aspect of all of this. Other than that, it pretty much goes as the recipe says.

Rather than walking through the recipe, I'll just provide a short list of my observations/recommendations, and pictures at the end:

  • Except for the oyster stuffing, the stuffings and gravy are relatively spicy. I liked this a lot, although I left about one-third of the spice out of the gravy, but you may want to cut back on some of the cayenne for your guests.
  • All components were great, but the eggplant sweet-potato gravy is outrageously yummy.
  • Assembly was somewhat difficult. I think the turkey should have been larger, as sewing it shut was prone to tearing and took about 30 minutes. If I do this again I will either get a bigger turkey or just skip the chicken, because nobody really cares about chicken.
  • It took about 8 hours to reach 165 at the core in a 225 degree oven, just as the recipe said. Drippings did not start in earnest until about 90 minutes before the end, though, and if I had the time I would have left it in for another hour, because...
  • As you can see, I had structural integrity issues. It came apart into messy goodness as it was sliced. I can point to a few reasons: 1) the >1lb of butter plus other liquids in the stuffings, 2) the duck fat had not yet melted, 3) it only rested for about 45 minutes after coming out of the oven, 4) I crisped the skin at 325 for 15 minutes at the end, which led to crispy skin but also shrinkage.

Overall, I consider it a success, maybe an 8.5 on a scale of 10.

Ready to go into the oven

Just out of the oven

Starting to carve

Getting to the duck...

A nice profile

The aftermath

8 comments|post comment

phones [28 Sep 2010|01:10am]
My iPhone was stolen over the weekend. Given that it was new in June, AT&T isn't going to give me a big subsidy for a replacement (so $400/$500 for 16/32 GB). If I want to switch carriers, my ETF would be a bit under $300. (Our drawer of spare iPhones has been depleted by multiple accidents by Brian and Richard.)

I still don't find the ease of use, application portfolio, and general integration of Android to be quite there yet, but it's gotten a ton better over the past year. Additionally, a carrier other than AT&T would solve the "your phone is not actually a data device in most of San Francisco" problem. The 4G devices are tempting, although my understanding is the Evo is a brick that lasts less than a day, but the Epic is decent. The ETF+new phone is the same price as getting a replacement on AT&T, and I would save at least $40/month as right now I have a separate 3G wireless modem (since iPhone tethering didn't exist, and is currently a joke).

The downsides are what I still feel is a less integrated user experience, loss of use of purchased apps (~$100 or so), loss of use of existing accessories, and the convenience of iDevice compatible clock radios in most hotels. Another big downside is zero global roaming, since Sprint uses a US-only technology.

Anyone want to chime in with other pros/cons?
10 comments|post comment

Any info on current yahoo/gmail/etc exploits? [07 Sep 2010|12:01pm]
I've noticed a huge number of compromised yahoo accounts lately. Many of these have been sending email spam to all stored contacts, but I've also gotten a lot of IMs from long lost contacts that are just "hi" or "hey", with no follow-up response. This makes me wonder if there's a Yahoo IM buffer overrun exploit or something like that going around. Anybody know? Is there a good site for tracking these sorts of things?
post comment

Impressive phishing spam lately... [13 Aug 2010|10:50am]
I get a lot of spam which, thanks to SpamAssassin, I usually don't see. This past week some have been slipping through, though, and I'm pretty impressed. Most phishing is given away by bad spelling and grammar, and by describing unrealistic situations. These latest have been diverse, correct and coherent. I wonder what this indicates? Some examples behind the cut.

3 comments|post comment

How to Destroy Your Brand Value in One Easy Step [29 Jul 2010|01:43pm]
Earlier in the week we went to see "Inception" at the AMC Boston Common Theatre. We were planning on going up to the always reliable Jordan's IMAX in Reading, but AMC has been promoting their new IMAX screen at Boston Common so we decided to check it out as it's more convenient.

On the way over we were trying to figure out where they had managed to stuff a 70 foot IMAX screen in that space. Perhaps it was in the long closed restaurant on the second floor? When we got there, we found out.

AMC's "IMAX" screen is the same old theatre #2, with the same old 30 foot screen, with the same old aspect ratio, and crappy 2K digital projectors. That's right, no 15/70mm film to be found -- in fact, an image quality significantly worse than plain old 35mm. Oh, and did I mention that there's a $5 surcharge for their "IMAX Experience"?

When we got home, I did a web search and found out what the deal was. IMAX, desperate for revenue growth, decided to start whoring out their name. They decided to create a standard for digital projection in a normal theatre, and (apparently against the requests of their partners) did not brand it as anything different. Their CEO says, "We don't think of IMAX as the giant screen," despite what the rest of the world thinks.

Well, I certainly won't visit that theatre again, and from now on when I see "IMAX" attached to something I'll immediately think "is it IMAX, or is it another branding fraud"? I'll still go to the Jordan's screen in Reading because I know what I'll be getting, but the word "IMAX" has now lost all brand value to me.

I suggest you discard any expectations around the brand as well, and let everyone else know.
post comment

In re Bilski [29 Jun 2010|01:17am]
I just posted a comment on this elsewhere in a blog, and thought I should record it here as an attempt to jump-start my moribund blog.

The SCOTUS finally decided Bilski v. Kappos, in a very unsatisfying way. In particular, they said that the Bilski patent was invalid because it was an attempt to patent an abstract idea, but failed to establish new tests for patentability... in fact, they opened the door further to software and business process patents by affirming the "machine or transformation" test was not a requirement for an "Information Age" patent. Groklaw has a good summary analysis.

The "machine or transformation" test is reasonably clear and strongly limits software and business process patents, which makes it attractive to many people with opinions against software patents. However, in State Street v. Signature Financial the Federal Circuit Court of Appeals established a "useful, concrete, and tangible" test that more broadly allowed software and process patents. This ended up leading to the Bilski case.

The unsatisfying thing that happened was that the Court said that machine-or-transformation isn't an appropriate test for software and business process patents, that useful-concrete-tangible is also bad, but did not introduce any new guidelines. This points to the fundamental problem with software and business process patents today, and why they are so contentious.

If you believe that patents are good and serve a useful societal purpose by encouraging innovation, and I do, then there's a good chance you think software and process patents are good too... and they're good in theory, but terrible in practice. The problem, and pain, that we’re going through now is that through hundreds of years of legal precedent we finally figured out how to characterize what sort of physical things can be patented — this is the “machine or transformation” test. We finally got to the point where the patent office has the necessary expertise and rules, and doesn’t constantly screw things up.

This process has barely started for software and process patents, so for the next few hundred years we’re going to have lots of contradictory rulings, a smattering of legislation, and billions upon billions of dollars flowing to lawyers. All of these are terrible things (unless you're a lawyer), and serve the exact opposite purpose of what patents are intended to do... unclear software patent standards stifle innovation and represent a significant barrier to market entry for new and innovative businesses. The software patent landscape is so poorly defined and densely populated with questionable patents that nearly any product of any sort might be considered in violation of several. Large companies rarely sue each other, and generally enter broad cross-licensing agreements to avoid litigation. Small companies generally do not have large patent portfolios, and are frequently sued in order to eliminate competition from a better product. This is exactly the opposite of the intent of the patent system.

Hence the position that software and process patents should not be allowed. Now is not the time to stifle innovation by allowing courts and legislators to spend decades, if not centuries, sorting out what is and is not patentable. Software moves so quickly that by the time one domain has been decided, the technology frontier has moved on. It's a tempting argument; personally I remain ambivalent on the issue.

In the meantime, however, the patent groundhog has seen his shadow, and this ruling means we're in for at least another six decades of litigation winter.
post comment

NOTE: LiveJournal is currently link hijacking [01 Jun 2010|02:47pm]
This apparently started in March, but I've just noticed it now, and I haven't seen any buzz about it.

LiveJournal now loads JavaScript that rewrites any links that you include to sites with affiliate credit (like so that LiveJournal gets the referral credit instead of the journal author. It's hard to see this because it doesn't show up in "View Source", of course, but if you monitor the links everything that qualifies gets bounced through "".

WTG, LiveJournal!
4 comments|post comment

A Reminder Why Not To Build Your Own Security [09 Mar 2010|01:39am]
It's common knowledge that if you're using cryptography, you shouldn't build your own proprietary cipher or hash because you're going to do it wrong, in a way that will hurt you badly. I have a lesson today which shows why that should be generalized to security software in general, and is a warning in case you've put in place a similar practice... I think it's common.

I started getting spam blacklist rejections on a mail server that I am currently helping admin. First I requested delisting, but it popped up on the list again the next day. I then looked at message-ids on some reported messages... they did not match the sendmail logs. Hmm.

Using lsof I located programs connecting to port 25 on remote hosts. sendmail was... and so was sshd. Authenticated as a honeypot user on the server. That was enough to solve the mystery. Have you figured it out yet?

The owner of this server has a home-grown honeypot installed. There are several dictionary-attack accounts with the username and password the same. If you log in as one of the honeypot users, the login shell is a script that adds your IP address to a routing blackhole. Figure it out now?

At first I was worried that the sshd was compromised, but I quickly remembered what else ssh is good for -- TCP connection tunneling. But if the spammer was connecting, they should be blackholed, right?

Except, ssh has this great option, -N, which says "don't run a command, I just want to tunnel". Which means the shell never executed. Which means the server has been acting as an open TCP relay if you knew how to exploit it.

The most amazing thing to me is that this particular honeypot has been in place for at least 10 years, and yet it was only exploited starting 2 days ago. If you run a similar sort of operation, I suggest you check for this exploit right away.
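The check I would run on a server like this is against sshd's configuration rather than the honeypot script: a login shell only executes when the client requests a session, and `ssh -N` with `-L`, `-R` or `-D` never does, so the only controls that close the hole are sshd's own forwarding settings. The script below is an added example for this post, not the server owner's honeypot; it parses an sshd_config, works out the settings sshd would apply to each honeypot user, and reports which forwarding controls are still open. The usernames, the blackhole script path and both sample configs are constructed, and the parser is deliberately simplified (it understands only `Match User` with exact names).

```python
"""Audit an sshd_config for honeypot accounts that can still be used as a TCP relay.

Added example for this post, not the server owner's script. The honeypot trick
(login shell = blackhole script) only fires when a session is requested; a client
using `ssh -N -L/-R/-D` never requests one, so only sshd's forwarding settings
close the hole. Usernames, paths and both configs are constructed.
"""
from typing import Dict, List, Tuple

# OpenSSH documented defaults for the keywords we care about
DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "permitopen": "any"}

# Constructed: honeypot users exist, but sshd is left at its defaults.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
# honeypot accounts (admin, test, oracle) use /usr/local/sbin/blackhole-login as shell
"""

# Constructed: forwarding disabled for the honeypot users in a Match block.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication yes
Match User admin,test,oracle
    AllowTcpForwarding no
    PermitTunnel no
    PermitOpen none
    AllowAgentForwarding no
    X11Forwarding no
    # ForceCommand alone would NOT help: it only runs when a session is requested
    ForceCommand /usr/local/sbin/blackhole-login
"""


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[set, Dict[str, str]]]]:
    """Return (global settings, [(users named by a 'Match User' block, its settings)]).

    Simplified: only 'Match User' with exact names is understood; as in sshd, the
    first value seen for a keyword within a section wins.
    """
    global_settings: Dict[str, str] = {}
    match_blocks: List[Tuple[set, Dict[str, str]]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            users = set()
            for crit, arg in zip(tokens[::2], tokens[1::2]):
                if crit.lower() == "user":
                    users.update(arg.split(","))
            current = {}
            match_blocks.append((users, current))
        else:
            current.setdefault(key, value)
    return global_settings, match_blocks


def effective_settings(text: str, user: str) -> Dict[str, str]:
    """Settings sshd would apply to `user`: Match blocks override global values."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective: Dict[str, str] = {}
    for users, settings in match_blocks:
        if user in users:
            for key, value in settings.items():
                effective.setdefault(key, value)
    for key, value in global_settings.items():
        effective.setdefault(key, value)
    for key, value in DEFAULTS.items():
        effective.setdefault(key, value)
    return effective


def audit_honeypot_users(text: str, honeypot_users: List[str]) -> Dict[str, List[str]]:
    """Map each honeypot user to the forwarding controls that are still open for it."""
    findings: Dict[str, List[str]] = {}
    for user in honeypot_users:
        eff = effective_settings(text, user)
        problems = []
        if eff["allowtcpforwarding"].lower() != "no":
            problems.append("AllowTcpForwarding is not 'no': ssh -N -L/-R/-D relays TCP with no shell")
        if eff["permittunnel"].lower() != "no":
            problems.append("PermitTunnel is not 'no': tun-device forwarding is possible")
        if eff["permitopen"].lower() != "none":
            problems.append("PermitOpen is not 'none': forwarding targets are unrestricted")
        findings[user] = problems
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_honeypot_users(cfg, ["admin", "test", "oracle"]))
```

On a real host the authoritative view of what sshd will apply to a given account is `sshd -T -C user=admin`, which dumps the effective configuration after Match processing; the script is useful for reviewing config files in bulk before they are deployed. Note the comment on `ForceCommand`: it replaces whatever command a session asks for, but a forwarding-only client asks for none, so it cannot substitute for `AllowTcpForwarding no`.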
4 comments|post comment

Google Accounts [10 Feb 2010|12:31am]
This is mostly directed at Googlers on my friends list.

I have two Google accounts. One is a gmail account (that I do not use), and another is tied to my personal email address. The gmail/google one is used for a bunch of non-mail services. Both end up getting used, and calendar invites and groups are a disaster because of this.

Google does not support merging accounts. Ok, fine.

Google does support deleting accounts. If I delete the gmail account it says I cannot reuse/reclaim the address. That's ok. But, if I delete the non-gmail account, can I then add that as an alternate address to my gmail account?

I'd just try this, but if it doesn't work then I'll be screwed. Google doesn't offer phone, email or chat support, only forums which are more self-help than anything... anyone have an answer for me?
5 comments|post comment

CSA Fair next Monday [04 Jan 2010|11:26am]
I just got a note from my neighbor; he's organizing a CSA Fair on Monday at 6pm at the Somerville Library on Highland. They'll have a bunch of different Farm Share providers all presenting their offerings... looks interesting. The flyer for the event and subsequent film on community farming in Cuba is here.
post comment

Pests [30 Dec 2009|10:47am]
(UPDATED: with pictures)

I've come to the acceptance that I have some sort of pest living in my basement. I can't ignore it anymore, but I can't figure out what it is either. Help?

I've found shredded bits of fiberglass insulation on top of things in my pantry, suggesting that it's displacing stuff from the ceiling or from a previously cemented and insulation-filled oil fill-pipe hole. Bits of paper napkins have been shredded in place. The edge of a box of dog biscuits was shredded, but the dog biscuits were left untouched. Most annoyingly, soft vinyl tubing has been thoroughly consumed.

The only thing I saw in exploring and filling stuff with spray foam has been a single house centipede. I've set several mouse traps... none have been tripped, and the bait (chocolate and peanut butter) has not been eaten in weeks.

So, I have something that eats cardboard, fiberglass insulation, and soft PVC tubing, and does not eat chocolate, peanut butter, dog biscuits, pasta, etc. Uhm, help?

Pictures below, click for larger. 1) chewed PVC tubing and fiberglass "nest", 2) chewed PVC tubing, chewed wood, wood scrapings.

19 comments|post comment

Products I Like [22 Dec 2009|10:14pm]
This is a topic I really ought to post about more often, if only to support that small percentage of products that I buy that I find are competently designed and actually useful.

Top on my list right now: the Logitech Harmony Remotes. A few months ago I bought the Harmony One, and more recently I bought the Harmony 900 for a different room, which is basically the One plus an RF repeater.

These are expensive, though less so on Amazon, but if you can afford one then it's worth it. I got the first one because it was cheaper than buying replacements for the remotes the dog ate, but you don't need that excuse.

The value should be obvious, but I'll summarize. Most universal remotes suck, because all they do is let you have a single remote that can "chameleon" into multiple remotes. You still have to press five buttons to get everything working, but you only need one remote. This works fine by yourself, but when you have, say, your parents visiting, it becomes a disaster.

The Harmony Remotes are different. They are modal by activity. The desktop software (PC and Mac) is very slick and lets you describe the hardware you own. It then suggests and walks you through setup for activities like "Watch TV" or "Listen to iPod" or "Play Wii". Once the activities are configured, you choose one on the remote and it turns the right things on and sets the right input settings. If something goes wrong, it has built-in help to fix the problem.

That's pretty great, but beyond that it has a huge database of equipment and also lets you configure activities and buttons manually if something is missing. The 900 also comes with an RF device that the remote talks with, which repeats IR commands so your equipment doesn't have to be line-of-sight with the remote. (This helps in my bedroom where everything is in a closed closet.)

I've found a few problems with setup, but nothing the software hasn't allowed me to fix manually. This, to me, is a sign of a great product. When it doesn't work right, I can spend some time and fix it. Something that is possible far too rarely. If you have 3 or more AV components, get one of these things. It's totally worth it.

Next Up: I got a Moxi DVR + Moxi Mates because I've given up on TiVo ever innovating again. After the next software update I hope that I will be able to recommend it. Right now there are still some rough edges, but I've been told by support they are being fixed soon.
10 comments|post comment

Episode n in: The only person negatively affected by DRM is the honest user [10 Dec 2009|10:14pm]
I just got some new AV equipment.

I have a Pioneer VSX-1019AH-K AV Receiver, connected to a Samsung UN46B8500 television.

When I turn on the TV it shows a few seconds of video and then the AV Receiver says "HDCP Error" and stops. Because, you know, my TV is TOTALLY TRYING TO STEAL HOLLYWOOD'S VALUABLE CONTENT.

This is going to be so fun to try to get the vendors to debug or fix. Of course, when I plugged in the TV to the network (it has an Ethernet port), it said "A software update is available for your television. Do you want to download and install?" Interesting future we live in.
3 comments|post comment

HTML layout fail [10 Dec 2009|01:18pm]

3 comments|post comment

A price too dear... [09 Nov 2009|11:17pm]
I was going to use Priceline's Name Your Own Price feature to get a good deal on a hotel room, but I'm not sure I can afford the going rate:
1 comment|post comment

SFO [07 Nov 2009|10:45am]
I'll be in San Francisco from this Wednesday to the following Tuesday for vacation; anyone want to get together or anything interesting going on?
2 comments|post comment

Wherein I call it quits on "Infinite Jest" [05 Nov 2009|12:55pm]
Sorry literary hipsters, but I'm calling it quits on Infinite Jest. David Foster Wallace, your quirky post-modern writing has exceeded my threshold for style over substance. I think I did pretty well -- I got about 25% through -- but the book has become like eating an unending buffet of unflavored porridge.

In retrospect, I should have returned it immediately upon reading Dave Eggers' grandiose preface in which he praised Infinite Jest as a perfect crystalline jewel of work, where no word was out of place, where no editor could hope to touch the work without destroying it, where skipping even a single word would damage the enjoyment of the piece. Eggers strongly implied that anyone who did not gush over the book is an uncultured plebeian, and that if you did not feel the same that you best keep it to yourself lest you look like a fool.

I took this to be standard Eggers commentary, and indeed Eggers and Wallace are two peas in a pod. Given two short essays, one from each, I think I would be hard pressed to tell them apart. Eggers, however, generally appears to know when to stop. The same cannot be said for, as he is called by devotees, DFW.

It wasn't the apparent lack of plot that turned me off, although plot is certainly a strong motivating factor for continuing to read a book. The book starts off with a number of disconnected but interesting anecdotes that after a hundred pages or so coalesce into the beginnings of a plot. I thoroughly enjoy Neal Stephenson (although I must admit that Anathem was a bit trying at first), so clearly I have no problem with 40 page detours through the details of a dental operation with no attachment to the story beyond developing details of a lead (or even incidental) character. No, DFW's meandering style may have made it hard to read more than 40 pages before bed without falling asleep, but it did not prevent me from enjoying the book.

Slightly more to blame, although again not a deal breaker, is DFW's signature writing style, often described as "why use 10 words, when 100 will do"? To explain this, I can do no better than to point you at the fantastic Growing Sentences with David Foster Wallace by James Tanner. I strongly suggest that you go read this before attempting to read any Wallace. Every sentence in the entire book is put through this process. Used sparingly, it can be endearing. Slathered like too much mayonnaise over the entire book... it is a very heavy meal indeed.

But no, the items so far were still not enough to make me (figuratively, since I have thankfully for my back been reading this on a Kindle) toss the book out the window. The worst offense, the thing that makes Infinite Jest unworthy of being read, is that DFW is one of the most astonishingly and utterly unoriginal authors I have ever encountered.

Unoriginal? But isn't he regarded as a creative genius? Apparently so, but barely ten pages pass where he does not take an old chestnut, rewrite it in his own words, and excrete it onto the page. This is not uncommon for authors, but the frequency with which he brazenly does this is astonishing. The straw that broke the camel's back, at least had the camel been carrying a printed copy of the book, was when I encountered in a section of what I can only call "filler", an entire chapter that was the classic Barrel of Bricks story printed verbatim.

When you steal from one author, it's plagiarism. When you steal from many, it's research. And when you steal from all of them, you're David Foster Wallace.
15 comments|post comment
