More to follow, but at least I think I’ve got thee blog software all updated and working properly again now.
I need to do some microbiology and cooking this weekend….
More to follow, but at least I think I’ve got thee blog software all updated and working properly again now.
I need to do some microbiology and cooking this weekend….
FINALLY – with this vowel movement I am finally over this recent bout of podstipation. Episode 3 of “Stir-Fried Stochasticity” is finally up. Today’s paper is:
Bowden G, Thatcher W, Stein RS, Hudnut KW, Peltzer G:”Tectonic Contraction across Los Angeles after Removal of Groundwater Pumping Effects”; Nature; 2001; vol412; pp812-815
You can download the audio or (if you are using a modern-enough web browser) listen to this episode directly here.
I would appreciate any constructive or at least mildly witty feedback – please post in the comments below…
Episode 3 of Stir-Fried Stochasticity should be recorded and posted soon. I had intended to already have it done, but there have been…delays.
Most recently, I had to drop everything to take care of the Minister of Chew Toys here at the Asylum for the Sufficiently Nerdy. Cornelia (our dog) came down with her yearly sudden, extremely messy and foul diarrhea problem. After getting everything cleaned up, and a minimally-sleepful night of getting up every few hours to let the dog out to emit foul-smelling material and disgusting noises, I got her to the vet this morning and came home with the usual prescription for Metronidazole and special food. If previous years are any indication, the symptoms should be over by tomorrow.
But, even as I cleaned up the foul mess that greeted me when I got home, I found myself wondering if the slimy material was being produced by the dog or by whatever bug was causing the problem. (Despite Episode 2 of Stir-Fried Stochasticity, I did NOT consider whether it could be turned into a food additive. Even I have my limits…) And, despite not wanting to be anywhere near the mess I was cleaning up, I found myself wishing I had a microscope.
And today, after the veterinarian took a look at a sample under the microscope (and let me look, too), and tentatively suggested infection by a Clostridium species, I found myself wondering if I could culture it, obtain a phage that infects the bacteria, generate and purify a huge sample of the phage, and then save it for next year and try to treat next year’s infection with it. And then I thought “Hey, if I also culture up the bacteria to produce a lot of that slimy stuff and purify it, I could make phage-containing bio-boogers (go back and listen to Episode 2 if you don’t know what I mean), which might be more effective!” on the assumption that the bacteria in question might also secrete enzymes to break down the slime that I’m assuming it produces, thus releasing the phage particles around the active bacteria…
And then I realized that if I had the equipment, supplies, and time right now (and was willing to deal with regulatory hassles involved in playing with Potentially Pathogenic Prokaryotes), I would probably actually follow through and try it…though I’d probably stop short of actually testing the treatment on my dog without some sort of approval and supervision by a real veterinarian. Even now I’m resisting a slight urge to save a small dried “sample” (which would be full of long-lasting spores that I would probably be able to culture later). Don’t worry, it’s not hard to resist…the point is just that the temptation is actually there.
I still insist I have very little interest in medical microbiology. Really.
At least I know that between potential digestive-tract phage therapy and probiotics, if we end up having to move back to where we came from for financial reasons, I might at least find a place for some graduate work in the “poop group” (sic) at my previous college institution if nothing else.
Meanwhile – Episode 3 is coming, honest! It’s a rather small but dense paper that explains how it’s hard to monitor the tectonic activity in the Los Angeles area because Los Angeles sucks. I’m hoping to get that recorded this weekend, along with the other mass of stuff I need to do.
Any words of encouragement and/or threats (or other useful or allegedly witty comments) may be posted below in the meantime.
After getting rave reviews from nearly four people for the pilot episode, I’m hopeful that Episode Two will be even better. (Seriously – I don’t think more than a handful of people even know this project is going on, but the few people who’ve listened and commented to me have been very encouraging so far.)
You can listen to and/or download the audio directly in either they shiny new spiffy Ogg Vorbis format or old-school .mp3 by clicking right here. As always, I’d very much appreciate comments, suggestions, questions, amusing limericks on the subject of the paper, etc. – feel free to post below, or you can email me at the usual location: epicanis+sf at bigroom.org.
Oh, now this is interesting. I finally realized my RSS feed was Fupped Duck. Now that I have it fixed, the “Visual/HTML” mode switch on WordPress’ built-in post editor is working properly again, too. Most peculiar.
Seriously though – RSS throws a hissy-fit if there’s a single blank line at the beginning of the output? Really? Jeez.
Okay, enough whining from me for now. Let me know if everything still appears to be working and if the RSS feed is indeed fixed for all y’all. And listen to my podcast and let me know how it sounds, or either I’ll drive over to your house and kick your butt, or you’ll hurt my poor little feelings (pick whichever form of coercion works better for you.)
Now you, too, can feel right there with us as we brave the soul-sucking terrors!
I’ve been told more than once that I’ve got a good voice for radio. Or was that a good face for radio?
Last weekend we decided to go lake-spanking again, and this time I brought my little digital audio recorder… Continue reading Another paddle-map: Now with narration!
Now the T-Mobile cell tower that we were previously using for dial-up internet seems to be offline as well, so for the moment we can only get internet access if we drive to College Station (which we have just done to pick up some more clean-up supplies).
The weather seems to be getting back to a milder theme. It’s even supposed to cool off and be less humid starting sometime tomorrow afternoon, so hopefully there’ll be some time to go paddle out and check out how Lake Conroe handled Hurricane Ike.
Meanwhile, this has royally screwed up the return to Idaho to get things taken care of at House v1.0 there. I’ve had to make some alternate arrangements through some kind folks who are friends of ours up there who are going to be able to keep an eye on the place for us (and for whom I’m very grateful!) until I/we can finally get some time off to get up there in person. I’ll probably get in touch with my employer-to-be and see if I can or should start later this week instead of next Monday as originally planned to leave time for the trip.
More pictures to be posted at some point. Stay tuned (and tell the power and internet companies to get their butts in gear!)
Power has been out since 2am, and the cable(TV|internet) is out as well. It’s times like this I’m glad I can “tether” my cellphone to the computer and get internet access that way. It’s painfully slow by modern standards (56k dial-up) but it works even when the power’s out.
The region of Ike’s eye just went by a little while ago. We were near the western edge of it, according to the weather radar. Winds died down somewhat and we were able to get the dogs to go outside and drain themselves. Now the wind is picking up again as it heads north.
Fortunately, our house (as far as we can tell without close examination) seems to be intact. At least, there are no streams of water leaking in or trees sticking through a wall or shards of glass all over the floor. The yard’s not so lucky though – large sections of trees are everywhere, and several sections of the useless “rustic” ranch fence that surrounds the back yard are crushed. Maybe the homeowner’s association will let us put up a real fence now.
We should now have another 6-8 hours of slowly diminishing strong winds to sit through, and then the worst of it should be over. Hopefully it won’t take too long after that for them to get power restored – it’s kinda hot in here. Meanwhile, we’ll just sit and watch the wind playfully ripping chunks of tree loose and flinging them to the ground.
There ought to be some interesting things to see around the lake once the wind dies down enough for it to be safe to go paddling around again.
And now I’m signing off for a bit while I’ve still got some battery power left. Probably more updates later…
Busy, busy, busy. There’s quite a lot going on at the moment here, and a number of potentially interesting topics that I ought to be blogging. Still, we did manage to get back out on the water and spank the lake some more, so in addition to another map-and-pictures travelogue of kayak paddling on Lake Conroe (at the end of this post), here’s a map-related story that came up recently.
Mozilla Firefox 3 so far seems to be a nice improvement over the already-pretty-good Firefox 2, but in one particular respect it’s doing something that I think is very bad. As of Firefox 3, the Mozilla corporation apparently no longer believes that anyone can legitimately encrypt the traffic on their own servers without permission from a “professional”. A well-meaning attempt to protect “consumers” on the internet has gone a bit too far and crossed an important philosophical line, in my opinion. (Oh, and sorry for the long block of imageless text that is this post – I couldn’t find any appropriate images to sprinkle in here.)
This all has to do with the way Mozilla now has Firefox 3 treating a particular type of “SSL” encryption mechanism. To understand the problem it might help to have a little bit of possibly oversimplified background…
Imagine you want to exchange messages with someone else and you don’t want other people to eavesdrop on you. You might get a strong box and a lock for it. You get two keys for the lock, and give one to your friend. Then, you can just lock your messages in the box and send it to your friend, who uses their own copy of the key to unlock it (and can then place their reply back in the same box and send it back to you). This is the way it used to be done digitally – you and your friend would agree on a “password”, and that password would be used to encode and decode the messages. This is the “shared key” model of encryption.
There are two problems with this, though – first, if there are more than two of you exchanging messages, either everyone has to have a copy of the same key, or you have to keep track of a very large keyring full of keys for every person you communicate with. The second problem is the fact that at some point while setting this up, you have to convey the key to everyone in an insecure manner. You have to tell the other people the password on the phone, or out loud in person, or written plainly on a piece of paper, or whatever. This presents an opportunity for someone else lurking nearby to find out about it. What’s worse, since the key/password is “shared”, not only can the lurker now read the messages you send to your friend if he or she can just intercept the box temporarily, they can also read messages sent in reply, or to anyone else who’s using the same key.
The alternative is “Public Key Infrastructure” (“PKI”). SSL is an implementation of the concept, as is PGP (See also Mozilla Thunderbird’s enigmail extension for PGP encryption support for your email). In this much more secure scheme, you only send your friend enough to let them encode the message, but not to decode it. By analogy, it’s like sending them a lockable box with an open lock attached, while you keep the only key. They put the message in, lock it, and send it to you. Nobody between them and you can read the message. You send your replies to them in a similar box that they send to you with their own lock attached. Digitally, you generate a complicated “private key” code that you use to decode messages sent to you, and from THAT you generate a “public key” – the equivalent of the box with the open lock. You can safely give this out to anyone, since it can only be used to send secret messages TO you: messages encoded with the “public” key can only be decoded with the “private” key.
That does leave one potential problem though – what if someone ELSE manages to masquerade as the message-box carrier, and he makes and delivers to you a box that looks just like the one that belongs to your trusted friend, maybe with a message saying “Hey, it’s urgent, I REALLY need to borrow $20, but I’ll pay you back tomorrow – please put $20 in the box”? It looks an awful lot like your friend’s box, so you stick $20 in it and send it off, and the fraudster in the messages stream between you and your friend walks off with it. This is referred to as a “Man in the Middle” attack.
The solution to that is “signatures” – every public key is “signed” by someone who is assumed to have somehow confirmed that the person with the public key is who they claim to be – as though the lock on our metaphorical message box is now engraved with: “Joe Schmoe paid us $25, so we checked his driver’s license and sure enough it was him. You have our word on that for 365 more days after which point we’ll have him come in and pay us another $25 to do it again. Signed, Verisign®”. Assuming you trust Verisign to verify this, you can feel confident that it really is Joe Schmoe sending you the message asking you to let him borrow your car keys. The digital version is slightly more complicated than this and much harder to forge, but the analogy will serve.
If Joe Schmoe doesn’t care about needing your car keys or credit cards or whatever, though, he can just engrave the lock himself. “Joe Schmoe didn’t pay anybody anything, but take my word for it, this lock really does belong to Joe Schmoe. Signed, Joe Schmoe.” Many times, you’re really not worried about anything more than deterring casual snooping. Nobody’s going to go to the trouble of crafting a fake “Joe Schmoe Message Lockbox” and finding a way to intercept your messages in order to steal your precious Secret Ginger Cookies Recipe or to see if you and Joe are maybe sending dirty jokes to each other or whatever, but maybe you don’t want your message carrier to read your messages and find out either way. There’s no point in paying some Internet Public Notary once a year to “verify” that the person asking you to tell him “how the one about the Pokemon™ character and Minnie Mouse™ goes” really is your dorky friend Joe Schmoe and not an imposter.
This brings us to Firefox 3. It used to be that self-signed encryption certificates popped up a simple message letting you know that although your connection was encrypted and safe from eavesdropping between you and the server, you only had the sending site’s word that they were who they said they were, so are you sure you want to connect anyway? As far as I know, every other major web browser still behaves that way, but Firefox 3 has gotten overzealous about being “more secure” than everyone else, and now claims that self-signed certificates are “invalid”, presenting the user with a misleading scary popup box full of jargon about the “invalid” certificate possibly being fraudulent. If you know what you’re doing, you can click your way through a few layers of windows at this point and tell Firefox 3 “Yes, shut up, I know it’s self-signed, I don’t think Al Qaeda set up a fake web-site to steal the ‘list of 10 things I’d do with a stale twinkie if I was stranded alone on a desert island with one’ that I’m posting to the ‘naughty junk food stories’ discussion board. I just don’t want everybody else in the hotel knowing that I’m doing it.” Of course, Firefox 3 acts all along as though it’s your butler and you’re telling him that you want him to open the front door for a stranger there carrying a bag and a gun and wearing panty-hose over his head. If you don’t know what you’re doing, the messages scare you away, and you just use an unencryted link to avoid the scary message, and hope nobody else in the hotel happens to be watching the wireless network traffic…
In short, if you are running your own server, Mozilla insists that you must go ask permission from Verisign or one of the other “trusted” corporations that Firefox knows about if you want your users to be able to use encryption. You cannot possibly be using encryption legitimately unless you’ve paid one of them for their signature, apparently.
My problem with this isn’t the money, really. In fact, apparently at least one of the corporations on Mozilla’s list of approved “Certificate Authorities” offers basic service for no charge, and even the ones that charge you often don’t charge more than a buck or two per month. It’s not even much of a technical issue, since it doesn’t look like it’s too much more of a hassle to get a certificate from an “approved” Certificate Authority than to generate one’s own self-signed one. If this were being done by Microsoft Internet Explorer or Apple Safari or some other proprietary browser I doubt I’d even blink. But Mozilla Firefox? Darling of the “Free and Open Source Software” world (and in my opinion, aside from this one issue perhaps the best browser available), where the desire for freedom from third-party restrictions prompts efforts against proprietary multimedia schemes, Digital Restrictions Management (DRM), and the use of patents to prevent innovation? THEY are effectively suggesting that you can’t be legitimately enabling encrypted connections to your servers unless you’ve asked for authorization from an approved third party? Seriously? That seems like a pretty serious deviation from what the “Free and Open Source” philosophy is supposed to be.
I kind of doubt that’s what they intend to be doing here, but they are. I believe the core problem is that Mozilla has fallen into the trap of thinking about the “consumer” internet rather than the “participant” internet. I most certainly would expect, say, Amazon.com to present some additional verification to me before I send them my credit card information over the internet in exchange for “Oprah’s latest book pick” or something, but the same should not necessarily apply to someone who just wants to set up a casual message board, or whistleblower discussion site, or political dissident site (and the latter two cases might very well be worried about trying to contact a Central Authority for permission to set up the site’s encryption.) In their eagerness to show off how harsh they’re willing to be to protect Joe and Jane Netshopper from a fake paypal site, they’ve effectively said “if you don’t get permission from one of our Trusted Authorities, you’d better hope your Firefox 3 users are geeky enough to understand what’s going on if you don’t want their whole apartment complex to be able to spy on what they’re telling you.” For “Free Software”, that’s just wrong.
If I were Supreme Overlord of Mozilla, I’d be demanding one of two corrections – either correct the interface for dealing with self-signed certificates to quit trying to scare people away from them…or at least don’t treat such servers as any less secure than ordinary (unencrypted) pages with no certificate at all (i.e. encrypt the traffic, but don’t display the happy little Green Lock of Security icon that pages encrypted with “authorized” certificates get.) Since I’m not Supreme Overlord, though, I’ll have to settle for whining on my blog. Don’t worry, I only plan to do it this once and get it out of my system.
Executive Summary: Self-signed certificates mean “not authenticated”, not “fraudulently authenticated”, but Mozilla no longer believes the distinction matters if Firefox 3’s behavior is an indication of this.
Additional note: so far, the developers seem like they’re clinging to the new “OMG WTF HACKERS COME TO STEAL YOUR PRECIOUS! CLICK SEVERAL TIMES ON CONFUSING MESSAGES TO CONTINUE BUT DON’T COME CRYING TO US WHEN THEY RAPE YOUR HARD DRIVE!” user interface for this, so as of right now I predict that other than some minor changes to the wording to maybe explain slightly better what’s really going on there will be no real corrections any time soon. There is, however, another way around this mess, even if you want no third parties involved in setting up your encryption at all – you can run your own certificate authority. Your users will still have to deal with a popup, but only once for all the certificates you may want to generate for yourself in the future. If anybody cares, I can try putting together a post on how that can be done.
Bad Behavior has blocked 282 access attempts in the last 7 days.