Semi-Random Neuron Firings

Planet Bike Plays Nice With its Customers

2009-02-20T14:42:00.001-05:00

Back in issue four of Make: magazine, Mister Jalopy published his initial "Maker's Bill of Rights," at the end of a wonderful article about being able to open, fix, explore, upgrade, and just in general tinker with the objects we buy. I wholeheartedly agree with the article, a mix of frustration (at being unable to order a simple replacement part) and a dreamy-eyed description of precisely how manufacturers could design and support their products. The article is full of quotable snippets, but I think the title is as good a motto as any: "If You Can't Open It, You Don't Own It."

Planet Bike is a bicycle accessory company, and an awesome one at that. Their products are well-made, and they "believe in the positive power of the bicycle," to the point of donating 25% of their profits to grassroots bicycle advocacy groups. Their packaging comes with their own version of the "three R's;"

Ride (your bike)
Rebuild (your stuff)
Recycle (this packaging)

The second bullet caught my eye, and there was a URL printed underneath, so I visited it. Why don't you go ahead and do that now? That's right, Planet Bike has a catalog of all their small parts, and they'll even ship them for free to encourage people to fix their stuff, instead of replacing it. Bravo Planet Bike!

I want to re-emphasize how awesome that is. Some companies are often accused of making parts hard to replace, so that their customers have to buy the entire product again when it breaks. Not so, Planet Bike! They want you to make your stuff last longer. They want you to fix their product instead of buying a new (profit-generating) one. They want it so bad that they will pay the cost of shipping the parts you need!

The Maker's Bill of Rights is a great idea, and has its place. The problem with a bill of rights, however, is that nobody actually thinks of it as so. It's less glamorous to call it what it really will be until there's a large shift in consumer mentality; the Maker's Wishlist. I would propose a Maker's Award of Recognition, to be presented to companies actively working with their customers, as opposed to against them.

I also nominate Planet Bike for one.

How Python's .pyc Files can Cause Trouble

2008-12-03T01:09:00.003-05:00

Just a quick story on this one. I was running into a problem with MoinMoin, and found that there was a quick and easy workaround (a two-line patch). After thinking it through, I went ahead and applied it to the server that was hosting the wiki of interest. Yes, I was applying a patch to a running, production server without testing it. Depending on your point of view, I'm either ballsy or stupid (or I looked at possible outcomes, realized that I couldn't cause any permanent damage, and that undoing the patch was no trouble, but that's the boring answer). Save the .py file and go back to my browser to try out the action that was failing before the patch.

And it still failed, in the same way. That wasn't right, in fact, the program state that led to the failure couldn't possibly be reached after the patch. I looked more closely at the relevant files, and found the problem. Background info: Python compiles each .py file into a .pyc bytecode file, and as a start-up time optimization, will execute that .pyc file if it is newer than the relevant .py file. In this case, it shouldn't be an issue, as I had just changed the .py file, and Python should re-compile the .pyc.

Actually, Python was doing what it should, it would look at request.pyc, and then request.py, and notice that request.pyc was younger. The modified time for request.py hadn't changed at all, actually. It turns out that request.py was a symlink that pointed to the real request.py (which is the one I modified, and did have a proper modified time), and the symlink hadn't been modified, so Python didn't think the actual code had either.

I deleted request.pyc and it all worked fine. This is why I insist on knowing how my tools work; knowing how and why Python creates the .pyc files, and how symlinks work, allowed me to get this patch running. Nothing groundbreaking here, earth was not shattered, but when so many people seem content to have the magic hidden from them, I thought I'd share my latest anecdotal evidence against that and for knowing how things work.

Canada's Internet: It's like... a highway. With trucks.

2008-11-20T15:07:00.002-05:00

Ted Stevens, some time ago, became internet famous for letting us all know that the internet is "not a big truck. It's a series of tubes!" In Canada, the Globe and Mail would seem to disagree:

"[Traffic shaping through protocol-based throttling] is similar to allocating certain lanes on a highway to slow moving trucks to ease the flow of traffic in other lanes."

I'm glad we've got that cleared up.

On a more serious note, this is about a CRTC ruling that was just released, favouring Bell over CAIP. There are many other problems with that ruling and the tone it sets, but I don't think I have the energy, time, and will to go through that right now. Those interested in actually reading the CRTC decision will find it here.

UI: Computers-Based Agents,

2008-11-18T00:50:00.002-05:00

I read a paper titled The Anti-Mac Interface a while back, and it stuck with me for a number of reasons. I strongly recommend reading it now, if you are at all interested in user interface design, especially user interfaces designed for people who know what they are doing. I'll warn you up front, I'm no fan of how Apple does their UI design these days (I'm displeased with many UIs now, seeing as they seem to insist on getting in my way, claiming that they want to help me), so the paper's title caught my eye. The gist of it is that the authors decided to systematically violate Apple's UI design guidelines to see what kind of UI they would end up with, and it turns out they got something that worked great for people already comfortable with computers.

This makes great sense in retrospect, if you ignore all the guidelines that ask you to treat your user as a total buffoon, the UI gets out of the way and lets the user actually get work done. One of the reasons I like to give for using Linux (and mostly command line programs) is that I don't have to fight it. I've used OSX and Vista briefly, and XP extensively, and I definitely feel like I am fighting an uphill battle against them all the time (the former two much more than the latter, but that may be a matter of experience).

One paradigm that caught my mind in the paper was computer-based agents and the idea of "delegation instead of direct manipulation." I envision myself telling my computer 'go find all my photos from last summer, and get back to me when you've tracked them all down and ordered them' instead of having to go in and select date ranges manually, across a smattering of directories. The interesting part (for me) is the idea of an agent that goes away and takes care of things, instead of the UI assuming I need to see everything happen, lest I get confused by all the shiny lights. (Don't start thinking about semantic interpretation or whatever, I'm not interested in requiring that my computer speak English. A find command is semantic enough for this task)

A bit of background info; on computers we often have bottlenecks, parts of an algorithm (basically, a set of instructions or steps to accomplish a task) that limit how fast the whole thing can run. Often, these can be split into, say, CPU-bound (we have to wait for the calculations to happen), memory-bound (CPU stays idle while waiting for data from RAM), or disk-bound (waiting on data from the horribly slow hard drive). Today, I realized that in UIs, we have another bottleneck, completely independent of computer performance. An operation can be user-bound.

What this means is that the fastest a task can be accomplished is limited by the UI's user. This might mean reading an essay, where even dial-up users can download text faster than they can read it. Another example would be watching videos: no matter how fast you can transfer them, decompress them, and convert them into bits of colour and sound, the number of people who can functionally watch a video any faster than normal playing speed is extremely small. Both those tasks are user-bound, as are many tasks that require user input or decision-making.

For now, I'm going to ignore user-bound tasks. Tying the two brain-threads I've put out there together, how would the anti-mac UI handle tasks that take long enough that the user experiences noticeable lack of responsiveness? When we send agents away to do something, we may want to work on something else while we wait, but also know when our agent comes back, smiling and proud, shouting 'all done!' Computers do this all the time, using a process called interrupts, and it's exactly what I thought of first. As soon as your agent is done, it pops up in your face and lets you know of such.

No thank you, I don't want my computer to remind me of some annoying jerk, interrupting my train of thought to throw some completely unrelated conversational turd at me. So now I think I want a queue, and as soon as something is complete, I see it show up in the 'complete' queue. This would be very useable with a 'in progress' queue as well, and some way of categorizing tasks, so that I can see all the complete tasks that are related to each other. Oh yeah, now we're talking; a small display at the edge of my screen that I can glimpse at whenever I find a natural mental break in whatever I'm doing. Much better, and I don't have to worry about the mentally jarring context-switch until I want to. I also don't need to be checking a half-dozen programs and progress bars to see where they are at either!

That was my big relevation for today; user-bound tasks, and that I would like dispatchable agents who would line up all polite like once they are done, silently waiting on me to call upon them to tell me what they have for me. If I were artistic, you'd get a mock-up here, but I'm not so you won't. Unfortunately, this type of UI element requires a much more tight-knit computing environment than available to me right now, so I'm filing this away for when I have way too much time on my hands.

*** I should probably note that I'm no UI pro, nor have I researched this in depth, and I'm not even going to claim that I'm the first person to think this up. It's just what I came up with while eating supper tonight, and it appeared novel enough to me to be worth sharing. If somebody knows of work done in this direction, please do share.

Carleton Campus Card Security Problems

2008-09-08T19:11:00.004-05:00

Oh boy, two security posts, back-to-back! First off, here's a copy of an e-mail I was sent from Carleton:

There has been a breach of Carleton University's Campus Card system.

The university immediately contacted the students affected, deactivated their accounts and re-issued new accounts.

The university continues to recommend that all students frequently change their Connect passwords to ensure sensitive information is protected.

Given that Campus Cards can provide access to some buildings if they are copied, the university is immediately increasing security at Frontenac and Lanark residences and the Nesbitt biology building.

Please note: It is not possible for anyone to enter residences rooms or suites. However, the university recommends students always remain vigilant and if you observe anything that causes you concern, please contact Campus Safety at 4444.

To change your Connect password visit the MyCarleton website. When selecting a new password, we recommend that you choose one that cannot be easily guessed. Never respond to email requests asking you to provide your password, even if the email appears to come from Carleton.

Finally, if you suspect that someone has attempted to gain unauthorized access to your computer, please call the CCS Service Desk immediately (Ext. 3700)

Sincerely,
University Communications
media@carleton.ca

Pretty slim on the details, so I fired off a quick web search, and pulled up this CBC article on the matter, which gives a bit more info and some cause for worry. A few important points to note are that Carleton stores way too much info on the Campus Cards, was told of this problem on August 29th, but didn't tell the students who weren't identified as attacked by "Kasper Holmberg" (obviously a pseudonym), and Carleton is being disgustingly slim on details (I assume because they hope for security through obscurity). Here we go, blow-by-blow, with another look at security problems that shouldn't be.

Data on the Card

First off, what exactly is stored on the cards? Apparently, it "contains data such as the student's identification number, computer and e-mail login name and password, and library card number," as a bare minimum. While I have wanted to for a while, I've not actually swiped my card through a reader that would allow me to read the data myself, so it's quite possible there's more to it. The big problem that jumps out at me is that it stores both a login name and a password! There is no reason, ever, anywhere, that anybody should store actual passwords, especially not on an easily lost/stolen device. (For the record, computers encrypt passwords using a one-way hash, so that even if the data is stolen, the password cannot be figured out easily)
Upon second glance, I would think the card does not store the computer account password, for the same reason as below, namely; there is no opportunity to write it to the card after the password is changed.

The Campus Card is used for identification, library loans, and physical access in many places throughout the school, but is also a sort of debit card, where you don't need a PIN. You can pay money to have it added to your card, and then have it swiped (ideally by a real live person who can check that it's the right person using it) to use that money for food, amongst other things. No, the actual balance is not stored on the card, as that would require a write to the strip after each purchase, and the debit is only done after the swipe. At least that part is done right, and I would hope that cloning cards without actually having a working original would be near impossible, but now I'm not sure. I would like to see someone check how much (and which) data can be wrong on a card and still allow a Campus Card payment. How about the same question, but applied to library loans, or building access?

Initial Carleton Reaction

Initially, Carleton quietly contacted the affected students, and told them to change their passwords, but apparently wouldn't say why. Those of us who weren't affected had no clue anything was amiss. Oh no, Carleton, we wouldn't want to let people know that there might be a problem, would we? I absolutely hate, hate, HATE the all-too-common belief that for some reason people shouldn't know how insecure the systems they are using or being included in are. If Carleton was trying to save face, it failed, and we were exposed to severe insecurities without knowing it. Carleton also, hopefully, will lose even more face now. ("Hopefully," you ask? Well, they may be able to spin this in their favour, so they may not lose face, and I do hope they get embarassed into not making a similar mistake in the future.)

Another common argument about not disclosing this type of problem is that it just weakens security. This is also wrong, and termed "security by obscurity." Basically, the attacker already knows it's a problem, and if one found it, others can and will, and at least one of those is going to be nefarious enough to abuse it and/or tell many other shady characters about the problem. All security by obscurity does is keep the victims and potential victims in the dark about the risk they run in using what they likely assume is a secure system.

Carleton's Later Reaction

Reportedly, after notifying Carleton about the problem and (I assume because of) not seeing any advisory to the general public, Holmberg contacted the victims he had snagged, but they were still not told what the real problem was. No later than 5:31PM today, CBC News broke the story online, and Carleton sent out the terse e-mail that starts off this post at 7:45PM. Even at that, the information delivered by Carleton to the students was extremely sparse. On the matter of Holmberg's disclosure, Carleton's spokesman is quoted as saying "This is a very odd way to draw attention to the security of a system."

I have heard nothing about Carleton doing anything to fix the problems, other than "increasing security" at the buildings affected. I assume this means they are posting more security staff for the moment, which makes fine sense, but I don't think there's much need nor room for more security, when students will already let strangers in if they work it right, and student cards can more easily (and cheaply) be revoked than security keys.

My Thoughts and Notes

It would seem that the attack consisted purely of dropping a keylogger into the print stations we have in some computer labs at school. These are computers hooked up to printers, where you swipe your card and then log in to release your print job. It is important to note that you do not log in to your user account, but instead a third party program that is already running on the system. This would allow a keylogger dropped onto the computer to record everybody's login, and disables the built-in protections against such attacks that Microsoft has included in Windows. The other obvious vector would be installing a hardware keylogger between the keyboard/card reader (it's one piece of hardware) and the print station itself.

I have not seen what is stored on my card, but here is what I hope I would find: A unique identifier (a combination of student number and library account number, which are not the same number, is fine), followed by a cryptographic signature so that, given a student's unique ID, an attacker would not be able to compute the rest of the data. That is all, and as much security you can realistically have on a card without puting a chip on it. Everything else should be stored server-side.

It would make so much more sense to me if print jobs are paid for from the student account that is logged in to print them, as opposed to needing to type passwords into a second computer. I don't see why it would be any harder than the current system either, it is how the DOE account printing works. I don't see much problem with using campus cards as access keys to buildings, as described earlier, but I would bet that those systems are being un-implemented anyway, as a knee-jerk reaction. The other problem I see so far is that a cloned card can be used to make purchases without any type of authentication. This is very easily fixed by implementing a PIN system, just like debit cards do.

As for Christopher Walter's statement that "This is a very odd way to draw attention to the security of a system." No, no it's not at all. A bit of history for Mr. Walters, from the annals of computer security. For a while, people would only send information about security problems to the company who's product was vulnerable. They hoped this would help the general populace, but in the end they just watched companies ignore the problems. To remedy this problem, some security researchers started posting full info about the vulnerabilities to shame the companies into patching them, as well as to inform the users of those vulnerable programs that they were at risk. Nowadays, most researchers inform a company first, and the fear of the problem going public without any visible response from the company makes them fix it fast, after which the vulnerability is revealed, allowing the researchers to take the credit they are due.

While Carleton may not have understood that was how things were happening, what Holmberg did was essentially standard practice. He informed them of the flaw, waited for them to fix it, and when they didn't, he informed the affected users. I will give Carleton the benefit of the doubt and assume that Holmberg didn't explain that this was how he planned to handle the issue, but I nonetheless would rather have heard from Carleton first about the issue, and what they plan to do to fix it.

Dear Thomson (formerly SpeedTouch): Get More Monkeys

2008-08-26T18:53:00.002-05:00

The title for this post is an allusion to the thought-experiment of having an infinite number of monkeys, at an infinite number of typewriters, eventually type out the collected works of Shakespeare. It looks like SpeedTouch took to programming their modems in a similar fashion.

While setting up my modem (a SpeedTouch ST516) with my new Teksavvy account, I had to enter an account name and password for both the admin account for the modem, and my actual service provider. Nothing out of the ordinary here, and while I guess it would be nice to have an encrypted connection, it would be pretty fair to ask the user to make sure they are the only device on the network during this step. It's also pretty fair to assume that, if an attacker is on your home network and eavesdropping on your modem setup, you're pretty hosed anyway.

I don't like that style of thinking too much myself, as security should be set up with maximum paranoia. That's not the point here though. The logins and passwords were entered in a form, and afterwards sent as parameters in the next GET URL. In plaintext.

Let me illustrate that, in case the full weight hasn't hit. Assume I make an account called "admin" with the password "supersecret" and then use my ISP account "patrick" and password "moresecrets". My browser lets the modem know that's what I want by visiting the following link:
http://speedtouch.lan/cgi/wizard/?(1,4,0,1,0,0)&&user.tpl&user.ini&0.35&PPP_over_Ethernet_(PPPoE)&admin&supersecret&supersecret&patrick&moresecrets&moresecrets&&&&&&&&&&&&&
(not linkified because there's no reason for you to click through)

That should have made a few eyes bug out there. Passwords passed in the clear are extremely sketchy to begin with, but an aditional problem exists here, with browser history. By searching through the history of whichever browser was used to configure the modem, an attacker can pull up the passwords used. This is a small problem when the administrator was ie. counting on using the modem as a content filter, but is much worse when we factor in the human condition. Most people tend to use the same passwords all over the place, as it's hard to memorize a whole pile of passwords.

It's very reasonable, therefore, to assume that my password on another site would be "supersecret" or "moresecrets", or something similar. Those clues are available to anyone who can borrow my computer for just a moment, or have access to my browser history. I make the point about obly needing access to the browser history because some very smart people are working on accessing the browser history from areas they shouldn't really be able to.

On the whole, this isn't catastrophic. There isn't going to be widespread panic due to this problem, no huge worms or giant password heists. To exploit this vector, an attacker needs to be pretty deep in the first place, and for the most part will gain nothing new. On the other hand, security is a game of paranoia, and an area where the saying "a chain is only as strong as its weakest link" holds very true. This problem exposes a pretty weak link in a home user's "security chain", and could lead to a more advanced attack down the road.

The worst part of this is what it reveals about SpeedTouch and their products. This is a stupid, stupid, stupid way to attempt to even pretend you have any security, akin to asking everyone their name at a security check, but not following up to make sure they give a real name. I'm not bothering to look any deeper at the security available on this modem, but as far as I'm concerned, it offers precisely none. If the programmers can't be counted on to handle that password bit properly, they surely can't be expected to get system-wide security right.

If I were running a SpeedTouch machine in a security critical situation, I would for sure have tossed it now. I would strongly recommend avoiding their products in general, as even if some junior-now-left-the-company programmer made this gaffe, it should never, in no way, have made it through to production. To Thomson, the present owners of SpeedTouch, I would recommend hiring more monkeys, so that, hopefully, they can produce a higher-quality product in the same amount of time. Or you could just hire some programmers who know what they're doing.

The Incident

2008-08-20T17:43:00.002-05:00

A week prior, while talking to a friend about biking in the city, I made what turned out to be a mildly prophetic remark. I said that it wasn't really a matter about if I get hit, but when. I almost only get around by bike nowadays, very rarely taking a bus or a ride in a car, so I cover a fair bit of distance on city streets, and hence have alot of interaction with cars. This demands a very alert mindset, so I assume that none of the drivers see me, and that some of them are trying to hurt me. It's not quite that bad, but thinking it is keeps me (mostly) safe. Even so, every 10-15 kilometers, on average, I have to pull a heavily defensive maneuver. Until last Friday, I could proudly say I hadn't been injured riding in traffic.

On Friday, riding downhill at about 9:15 PM (headlight and taillight on, thankyouverymuch), I was headed towards an intersection, where I had a green light. A car was waiting to turn left from the opposite side of the intersection, but was obviously waiting for me (and presumably the cyclist I had just passed) to clear through, so I bombed down the hill. To put a guess on my speed, bombing ususally gets me up in the 40-45 km/h range. As I was about to hit the intersection, a second car across the intersection pulled up beside the one that was waiting to turn left (as if to turn right or go through the intersection), and, just as I was entering the intersection at full tilt, whipped left to cross through the intersection right in front of me! The jerk didn't even bother signalling his horrible turn!

He braked. I braked harder. As I passed in front of him, my rear wheel lifted, and as everyone can probably predict, I flew over the handlebars. I cleared a fair bit of the intersection, with the bike following me, and landed mostly on my chin, with my right hand, arm, and shoulder taking some damage as well. As I got up to clear my bike from the intersection, the car that caused this with his numbskulled left turn drove off! Yeah, didn't even ask if I was okay, he just bolted!

So the driver who caused the problem ran away, leaving me to deal with whatever injuries or damage to the bike (none, other than a broken headlight, thankfully) that were incurred on their account. Later, the police tell me that because there was no physical contact (so not technically a collision), no actual crime was comitted, and the driver had no legal responsibility to stick around, even though he was acting like a less-than-stellar member of the community (apparently "asshole" is pretty strong language for a man in uniform to use). Wonderful. If there had been a collision, I obviously had the right-of-way (had even been given the right-of-way by the car waiting in the left-turning lane), and this asshole would also be guilty of fleeing the scene of a collision, which is not taken lightly.

I learnt a lesson that day. It cost me four stitches in the chin, a tetanus shot, and a Friday night sitting in the ER instead of at the birthday party I was on my way to. If I'm in the right, avoid a collision, and get hurt in the process, it's tough shit for me. If I don't avoid the collision, I still get hurt and risk damaging the bike, but the driver also has to deal with some damage (which is almost guaranteed to cost more than the damage to the type of bike I ride) and stick around to be charged. Doesn't that sound wonderful?

After the whole incident, I'm still riding in the city. I'm no less aggressive in my riding, and I'm not going to act any more afraid of cars than before. I'm not giving up on something I love because one asshole got lucky and managed to hurt me. Now, I just expect one notch higher of assholery out of the average driver on the street, and I'm going to work more on dodging instead of braking.

And if I'm going to get hurt next time, I'll just let the car hit me anyway.

Wikia: Filling in where Wikipedia is sucking?

2008-07-21T03:58:00.002-05:00

I made a small discovery, and while I may be coming late to the party, please bear with me. Or, ignore me and click through here to be entertained and see what sparked the motions that lead to the discovery. After watching the clip of Beaker singing Ode to Joy, and then the other fresh Muppets material, I figured I would check the 'nets to see what the fans made of this comeback. I came across a fan-made Muppets wiki and the whole train of thought got completely de-railed.

A while ago I got completely fed up with all the useless crap going on behind the scenes at Wikipedia, and have made a promise to myself to not waste any time trying to improve it. The problems they are having are documented in much too much length elsewhere (try searching for "what's wrong with wikipedia" or look up deletionists), but basically the wrong people have too much say on what makes it in, bureaucracy rules, and articles suffer. Deletionism, the idea that if an article isn't "noteworthy," it is to be deleted, is the most common attitude, and that disgusts me.

Jason Scott puts it best, with the basic idea being [paraphrasing here] "if people are willing to put so much time into an article on any topic, it should be noteworthy." My dream of an alternative for Wikipedia was a bunch of wikis, where each one was run by fans of the topic, so that notability, truth-by-consensus, and bureaucracy weren't ruling the roost. It seems, at first glance, that Wikia's commmunities have a chance to do that. I sincerely hope they do (both have the chance, and succeed), because what that would give us is a proper depth of archived knowledge on many matters that somebody, somewhere, finds interesting.

An Offer of Free Bikes for my Friends

2008-04-18T00:19:00.004-05:00

In case you're not aware, I've become a huge fan of biking; I use my bike to get around pretty much all the time, and I thoroughly enjoy working on bikes too. Because I so strongly believe in how totally awesome bikes are, I'd like to extend an offer to everyone I know. In essence, if you want a bike, I'll bust my ass to get you out on a good one. Seriously! More details in a moment, but first a quick sales pitch on bicycling.

When you're living in a city, biking has honestly got to be the best way to get around, especially now that the good weather is showing up. Biking is great for the environment (exactly zero pollution) and we Canadians already have a horribly huge carbon footprint, because we use so much energy heating our homes half the year (and some use up just as much energy chilling their homes the other half). Biking keeps me fit, both physically (obviously) and mentally by offering a good relaxing release at the beginning and end of every work/school day, and if you're worried about getting sweaty, just don't pedal so hard and enjoy the ride.

Except for the long hauls (ie: Nepean to Orleans), I get my trips done in, at most, the same time it would take to bus a route. Usually it takes me less time, as I don't have to wait on the bus schedule, nor worry about making transfers. "Oh, but I can do that in my car," you say. Fair enough, but my bike parks for free, anywhere, cost me exactly nothing in insurance, licensing, and gas. I'm just saying... it's a pretty sweet deal on the wallet. By the way, those times that it takes three green/yellow/red light rotations to get you through an intersection? You'd better bet I'm flying through on the bike, traffic not even slowing me down. On top of all that, you're about to get an offer for a bike, for extremely cheap!

Here's my standing offer: If anybody I know wants a bike, and is actually planning on using it (for their daily commute, or just Sunday rides, it's all good by me), I will do any work to help them (you!) get it. For free! On top of that, if you need parts, almost anything out of my parts bins is free. If you need/want parts that I don't have, I'll source them for you, at exactly whatever it cost me, my time spent shopping is free. If you want to learn how to do the maintenance yourself, you guessed it, I'll show you (that'll cost you zip). This offer does not expire, I'm not going to ask you to trade me anything, not even feed me while I do the work.

There are a few conditions though. First off, this will happen at whatever pace I can handle, and not faster. I do (try to) have a life outside of this type of stuff. Secondly, please use the bike, if you find you don't want to, give it to someone who will. Thirdly, I only have a limited supply of bikes to work on, so if I don't have one to start for you, I just can't. If you see a beat up shell of a bike, and wonder if I could turn it into a ride for you, pick it up! Bikes pulled from the trash are what I've done the most of, by far.

Some more details, if you're interested. I've rebuilt a half dozen bikes so far, five of which were thrown out by their previous owners, some with seized bearings, rusted out brakes, and worse. They all ride solid, smooth, quiet, and beautifully now. Even an originally low-quality bike feels good to ride when it's tuned properly and adjusted to fit the rider. When I don't know something, I can always find a few knowledgeable souls to fill in for me.

It takes an average (I'm guessing) of 6-8 hours for me to take in a beater and get it tweaked up to being a comfortable ride. Split that into evenings and days off, add in anybody else's bike that I might be working on (including my own project bike), and you can estimate how long it might take. That's really just a ballpark figure at best though. If you want to join in, it will likely go faster, and you'll learn a useful skillset too. If you want to learn, but don't want a whole bike built for you, I'll do that too.

In the same vein, if you have a bike, and just want something fixed, tuned, or replaced, hell yeah I'll do it! FREE! (in case you were suspicious) If you're not comfortable riding on the road, with traffic, I'll ride with you, on your commute or on some other route, as much as I can and until you're comfortable with it. I know that's a big issue for some, so take me up on the offer.

At the moment, I have more interested bikers than I do bikes, so if you're interested, you'll need to find a frame, maybe some wheels, or wait until I do. Anybody who is interested though, please get in touch, I'll start a list of people and bikes up, so I can get you out in the saddle as soon as possible. If you have a bike, and aren't using it, let me know. Even if I can't use it, I know some people who can. Finally, please don't think that biking would mean you'll be huffing and puffing away, never getting anywhere. That's what it was like when you were a kid, maybe, but with a well-tuned bike, you can cruise along at a good clip and be completely comfortable doing it.

Why am I doing this? In case you forgot, I think biking is a great thing for the planet, and for every individual who rides. I honestly think many people will be happier with a bike, so I'm offering to get you started as easily as possible. I also enjoy working on fixing these bikes up, so the time isn't exactly lost for me either. I, in all honestly, believe that the more people there are biking, the better it is for the city (less congestion, wear on the road, pollution filling our lungs...), for those people (healthier and saner), and for other bikers. Every extra biker on the road helps legitimize all the others, and encourages even more people to bike.

So what are you waiting for? Get a bike!

Holy Cannoli! Here Comes Assembly!

2007-11-29T00:48:00.000-05:00

So it's been done with Ruby, upped by Haskell, then came along Python, and someone did it in ML. That's right, it's the big code optimization-off, let's see which language can produce the Fibonacci sequence faster! I couldn't help but throw in my own shot at it, so here is the Fibonacci sequence, as done in assembly (old school)...


xor ax, ax
push ax
mov ax, 1
push ax
mov cx, 0x24 ; number of loops, in hex

crunch:

pop ax
pop bx
add sp, 4
add ax, bx
push ax
loop crunch

ret

I haven't tested it, I don't plan to until tomorrow at the earliest, if at all, and I'm not going to do timing comparisons. I'm pretty confident it's fast though. To make it more function like, push the number of values you want onto the stack before calling, then you can pop them all off when it returns.

I'm not going to make any comments on comparing languages here, except this one: it's flat out stupid, and especially so in this case. End of discussion.

Can't we just go back to comparing uptimes as a geek pissing contest?

If you've got nothing to hide, why are you worried about privacy?

2007-11-22T00:53:00.000-05:00

It's the most common response to my worries about privacy, and I'll hear it from people of all kinds of backgrounds or levels of intimacy on the subject. "Why are you so worried about your privacy? If you've done nothing wrong, you shouldn't have anything to hide." This usually causes me to twitch and cite whatever few recent news items I can recall off the top of my head, then go on about "the government." Of course, at that point, I get marked as one of those conspiracy nuts, and people are wondering where my end-of-days compound is. (I don't have one)

There are two big problems here. Firstly, whether I've done something wrong or not, I do have some things to hide. I'd rather not let strangers know my credit card number, social insurance number, home address, phone number, nor medical history. The list can go on, but you get the idea. There are some people who would also rather not share their religious or political beliefs or their sexual orientation, and I have no business poking my nose there anyway.

Of course, it must be okay for the government to know some things, and for responsible companies to know others right? I mean, seriously, do you need to hide from Canada? Sorry, but there are many many less responsible companies than we're led to believe, and I am afraid of who can get their hands on data held by my government.

Instead of launching into a long list of theoreticals, and a pile of pretend cases where giving up privacy can lead to serious repercussions, I'm just puting this post together to hold a list of times that things have gone horribly wrong. My goal is to keep it up to date as more stories pass by my eye, and next time someone asks me what I have to hide, I'll just send them to this link.

In no particular order, here they are:

The British department of Revenue and Customs loses discs containing details about every British child. The Guardian reports that a couple of discs "containing details of the 7.25 million families claiming child benefit" which "includes the names, addresses and dates-of-birth of the children and the national insurance numbers, and in some cases the bank details, of parents claiming child benefits" were lost somewhere in transit between offices. 25 million people affected. So much for a nice government not being a worry.
AOL released 3 months worth of search data, thinking it was appropriately anonymized by swapping out customer names and using meaningless numbers instead. Unfortunately, search queries tell alot about who's making them. Here are a follow-up article and a searcheable database of the leaked searches. Privacy leak by sheer stupidity.
Astroglide lets slip the names and addresses of 250,000 people who requested free samples, and Google finds and indexes them. Good thing none of these people could've possibly wanted to keep any details about their sex lives to themselves. (Chris Soghoian clued me in on this one through his blog)
Kevin Bankston was caught by Google Street View smoking a cigarette. This is of no real note until you find out this happened to him earlier too on Amazon's A9 service (not around anymore). It was an issue then, as he was trying to hide the smoking from his family.
Chris Soghoian (again!) released a technique (no longer working since Facebook fixed the hole) to find some data that was supposed to be private on Facebook profiles. An example: how about searching for all {insert religion} men interested in other men. It didn't matter if you thought your profile was "friends only," search results were a different beast.

I'll add some beyond those when I come across them. In the meantime, if you want to keep your ear open for similar happenings, Chris Soghoian is likely to mention them, as is Bruce Schneier. EPIC, the Electronic Privacy Information Center, is a good clearinghouse of information. Of course, you can always do a Google news search for privacy.

Edit 1 (Dec 7th, 2007):
I can't believe I forgot these first two when I did the first run:

Veterans Affairs had a laptop stolen from an analyst's home, and on it there was personal data for 26.5 million people. Encryption would have made this a non-issue right away, but that wasn't done.
Not to be outdone, a computer breach at TJX meant 47.5 million customer records were stolen. TJX tuns TJ Maxx and Marshall stores, amongst other chains.
More recently, an absolutely stupid and inexcusable programming fuck up meant that anybody could see any passport application on the Passport Canada website. There's yet another example of why I don't really trust the government.

Until next time...

Beer in Canada

2007-10-27T13:06:00.000-05:00

My good buddy sent me a question earlier today, regarding the math in a report about beer consumption in Canada. Basically, he had set out to calculate, I assume from this article, the amount of beer each Canadian had consumed last year. I figured I'd post my reply just in case anyone else is wondering...

(from the article, and basic statistics)
2.2 billion litres = 2200 million litres
(2200 million litres)/(33 million people) = 66.6... litres/person, which is also what my friend calculated.

However, check the population here and now assume nobody under 15 or over 80 is drinking beer. The number of drinkers is now about 25.8 million (and the real number is even lower, due to people who don't drink beer for religious, health, or lack-of-taste reasons). Now (2200/25.8) we're over 85 litres/person/year.

Or you can be boring, look here and read the "by the numbers" sidebar, which has 84.7 litres a person in 2002. To put that in perspective, a two-four has (24 * 0.355) 8.520 litres in it, so you're looking at around 10 two-fours a year, or just shy of one every 5 weeks. Again, on average. I've only barely been drinking due to school taking up so much of my time, focus, and money, and probably only had about 12 beers since September 1st. I sure do hope someone else is picking up the slack...

This Article's Neutrality is Disputed

2007-09-29T00:22:00.000-05:00

I'm sure many wikipedians would be upset with me for pulling a childish prank, and it'll get reverted fast enough, but that didn't stop me. Following a conversation I had earlier this week with my friend Rob, I just couldn't resist this (talk page). Nothing more to say on that topic, really.

Plausible Deniability with Tor?

2007-09-16T07:35:00.000-05:00

Plausible deniability with Tor? Not so fast, buddy!

The idea here is that by running a Tor exit node (which the subject of the article posted does, puting through 40 GB of traffic a day!), you get plausible deniability if the Feds come banging on your door, nattering on about how you downloaded the latest Hollywood blockbuster. "It wasn't me, must've been someone through Tor!"

There are still a few ways they can build up a case for the download being yours. Most of them have to deal with monitoring network traffic and drawing some conclusions from those observations, so Big Brother would need access to some of the network hardware at your ISP. And we all know that there's no way that'll ever happen, so consider this a little theoretical. Or paranoid, take your pick.

The simplest would just be to monitor traffic rates, especially if you're downloading from a server (as opposed to P2P). Let's say you've got a more or less steady upload and download rate of 200K/s (I haven't looked deeply enough into it to be absolutely sure, but it only seems logical to me that Tor traffic that isn't your own has to be more or less equal amounts upstream and downstream) and all of a sudden, you jump up to 500K/s download, while your upload only increases a little bit. At the same time, the watchers notice someone grabbing a large file off illegalmoviedownloads.com, and it's heading straight towards your IP! That's a pretty damning hint that the 200K extra is all you, grabbing a movie for the weekend. It at least seems more likely than it being all kinds of random network use that I would assume you see from a Tor exit node.

Well, how about something P2P? Setup bittorrent properly, and you'll have the same increase in upload rate and download rate, so no way to show that it was you, right? Unfortumately, no, not for any reasonably sized download. As per the EFF's quick overview on how Tor works, Tor will choose a new path through the network roughly every minute or so. Ten minutes (or even much longer) of the same torrent going through your node? Very suspicious, and very hard to blame on Tor. ("Honest judge, must've been alot of people, one after the other, going through my node, all after the same torrent...")

So, is there no hope? Well, you could always route your less-than-legal activities through Tor itself. One warning on that matter; as we've seen recently, even Tor can't protect you if you post personally identifying information. All the anonymous routing in the world won't help me if my digital camera has left its serial number in the EXIM data stored in the photos I'm sharing. God forbid should I sign a post using my real name.

Another potential trick could be to have your exit node drop traffic when you start using it up yourself. In this way, the traffic rates still appear the same to an outside observer. It would be horribly bad form, and I would expect Tor to intelligently stop sending you connections anyway, but done in short bursts, it adds one more layer of disguise. (I think that, in theory, a similar, but more difficult traffic analysis job could, with much, much less certainty, could hint that you're dropping Tor traffic.) Again, for longer communications, you have the issue of persistent connections originating from your IP address.

Finally, is it proper to use Tor to hide your illegal file-sharing? That's up to every individual to decide for themselves, but I would start by asking a few questions; "Is my filesharing using more resources than I am giving back?" "Should I be bogging down the network so that I can save 5$ on a movie, when others need it to protect themselves from repressive governments (some would argue that filesharing in and of itself is an act of resistance :-P )?" "Will a judge understand what's going on, or assume that I sympathize with terrorists and child pornographers due to my running of an exit node?"

Does that last one sound weird? Not everyone understands technology, as can be seen when this judge considers data passing through RAM (by definition: volatile, extremely temporary memory) the same as 'electronically storing' it.

One last parting shot. I only know about the technical side here. As far as what would be legal, what the cops could get away with anyway, if anything would pass in court, or at least allow for a search warrant, and whether any of that matters in our current world of disappearing freedoms are all matters I can't speak with any authority about. I just want people to realize that there are other ways to figure out what you're doing than just the absolutely most direct observation, just like all the non-verbal cues we pick up on in a conversation.

Play safe.

Real-Life Science-Fiction

2007-06-23T00:50:00.000-05:00

A real short post while I try and convince myself to start blogging again. I'm also going to try something new here: I'm simulcasting this on Facebook, the other trendy web thing I said I wouldn't start up with...

Tonight, while carrying a cup of coffee in to work with me (no lid), I saw, as we often will, the coffee threatening to spill over the edge onto my hand. What causes this is known as simple harmonic motion in the physics world. Whenever the coffee is moving in one direction, my steps are also pushing it in that direction. The same thing happens wheneve you pump your legs on a swing, or try to rock a car out of whatever it's stuck in. SHM can be very useful, but in this one case, it's an evil that was threatening to burn my hand.

Usually, the proper reaction would be to limit my walking speed so that the coffee sloshes around a little but never makes it over the rim of the cup. This is a little risky, as it's hard to keep your speed that exact, and this cup was especially full. Additionally, that puts a restriction on my walking speed, and that's just inacceptable.

As I wondered how I would defeat this, I discarded my first idea, which was rocking the cup back in forth to try and keep the surface of the coffee level with the rim, because it was too hard to time right and would lead to me making bigger and bigger gestures, raising the cost of failure higher and higher. My second possible solution brought a gleeful smile to my face: I had to learn not to attract sandworms.

Errr, what?!

I suspect there are a choice couple readers who are familiar with the writings of Frank Herbert and they know what I mean. The rest of you should hang your heads in shame and go read Dune. One group in the Dune universe is the Fremen, a hardy people who eke a living out of the desert that is populated by enormous sandworms. These sandworms are attracted to the sound of regular, plodding, footsteps, so the Fremen walk through the desert by randomly changing their gait, dragging a foot, shuffling the other, hopping, and pausing so as to sound as little like a tasty meal as possible.

While I wasn't too afraid of running in to a sandworm at work, random (or at least irregular) walking would break up the simple harmonic motion that was threatening my poor hand. I tried it, without increasing my speed, and the coffee wasn't so close to the rim anymore! I sped up a little, and still the coffee wasn't as threatening as when SHM was affecting it. Success! Of course, this walk was a little different than how I imagined the Fremen walking, but we both had different problems to solve.

There you have it, real-life science-fiction.

The Great Code Update

2007-03-28T05:58:00.000-05:00

This post will be short, and a little technical, so feel free to skip it. You've been warned. I just wanted to share my joy at the completion of one massive task; updating a huge pile of code to compile under the latest version of gcc (4.1.2). This stuff was originally written to compile under gcc 3.2.x rules, and there have been many changes since then, including a huge list of changes to g++ in version 3.4 that made for a nice pile of work for me. How much of a pile? Here's the results of trying to build the original code:

pat@localhost ~/workspace/sourceforge/cd++ $ make -k all 2>&1 | grep -c "error"
11355

Yeah, you read that right, 11355 errors. Hot damn! I should clarify that these aren't errors in the source code, per se, they're just errors that arose from changing functionality in gcc as it evolved (although some would claim those are both the same thing). As of 7AM this morning, I can make -k all and not turn up a single error! Take that result, over 28 hours of logged time working on these issues... just over 391.5 errors an hour.

Of course, that's not entirely fair, the majority (~89%) of the errors were gone in the first 4 hours of work, due simply to my updating the #include directives. The rest of them were cleaned up over a handful of marathon sessions, where I (re-)learnt the grimy details of c++, and read alot of example code, header files, and gcc documentation. Oh, and I didn't sleep last night.

Now it's time to attack a parallel task; bringing a similar codebase up-to-date...

pat@localhost ~/workspace/yu/npCD++ $ make -k all 2>&1 | grep -c "error"
4366

Ugh.

Non-Redhat Cell SDK Install

2007-02-26T23:42:00.000-05:00

Yes, I just got back from Algonquin, and I'll post up my trip log as soon as I can sit down and type it. For now, here's a slightly geekier story...
I've recently gotten a job at my school porting a simulator over to IBM's Cell processor. I'm psyched about this, it's a great opportunity to work at something I enjoy, increase my programming skills, and learn something about a new technology while I'm at it. For those of you who don't know, the Cell is touted as a supercomputer-on-a-chip (some slight hyperbole there) and is the powerhouse behind the PS3.
As I'm sure you can imagine, the simulations department is a little iffy on providing me with a 5000$ piece of hardware (yes, that's how much an actual Cell-based computer costs, not the PS3) to do some development work on, but there is an alternative: IBM's full-system Cell Simulator (and the Cell SDK for developpers). The bad news is, it's only officially supported on Red Hat. Yeech! So here's how I got it running on my computer:

1. Install Debian etch (testing branch). I like Debian, it tends to be really stable, and it allows me to keep my machine nice and lean.
2. Download the SDK .iso from IBM's website.
3. Make a directory for it, mount the .iso, and run the install script, as the installation guide says to do.
4. Let it download the RPMs it needs. These are the GNU toolchain for the Cell processor.
5. The site hosting the toolchain sucks, so manually force some downloads with wget.
6. The script spits out a warning, so make sure I've got the following installed:

freeglut
freeglut-devel
gcc
make
perl
rsync
byacc
tk-8.4.*
tcl-8.4.*

aptitude took care of all those.
7. Install all the RPMs I need that the script downloaded. Done by going to /tmp/CellSDK-2.0 and running

alien --to-deb rpm_file.rpm
dpkg --install deb_file.deb

for *.noarch.rpm and *.i686.rpm
8. Copy the /software directory of the SDK .iso over to my home directory so that I can edit the install script, then edit it so that every instance of "-vh" became "-vh --nodeps" so that rpm wouldn't check for dependencies in an rpm database I don't have.
9. Find out I should be running make 3.80, so download that from GNU, build it, and patch the install script so that every instance of "make -k" is now "/root/make-3.80/make -k"
10. Run the install script. Again.
11. Wrap up, as instructed in the install guide. Yay! I have a working copy of the simulator!
12. Install Eclipse so that I can use the SDK and IDE to its full potential.
13. Install CDT for Eclipse.
14. Install the Cell IDE add-on.
15. Oh no! spu-gcc (one of the compilers) is yelling at me, it needs glibc 2.4, Debian only offered 2.2 (I believe).
16. Download glibc 2.4 from GNU. Compile it (no small task). Install it.
17. Screw up that last step. No longer have a working Debian install.
18. Go back to an old friend, Gentoo.
19. Spend a weekend installing that and getting back up to speed.
20. Repeat steps 2-6, emerging as necessary. Simply skip the middle man and use rpm for step 7. Repeat steps 8-14, with more emerging. Do some magic with the PATH environment variable so that all the tools are discovered.
21. I win! Instead of actually getting to work, write a blog post.

Admittedly, not the most enjoyable experience, but I did learn a fair bit, and that's always a plus. Those of you wanting to get the SDK running yourselves may see a shortcut, starting somewhere in the late teens. The following two sites and the IBM Developer's Forum did help me a fair bit.
Debian Cell Simulator Port (for SDK 1.1, still some handy info)
Cellperformance.com article on installing SDK 1.1 on Ubuntu.

I've just given an overview, if anybody comes across this and wants some more specific help, drop me a line. I'm also considering trying to put together an ebuild for Gentoo, but I'm not sure I have the time to learn what I need so that I can do that at the moment. Otherwise, it's time for me to dig in on some parallel processing goodness.

Call for Adventurers

2007-01-01T23:12:00.000-05:00

Picture this. It's an early morning in late February, and all you can see around you are trees, maybe a frozen lake, the tent you just emerged from, and the embers from last night's cooking fire. As you get ready to prepare your breakfast, you try and shake out the cold from having slept the night in a sleeping bag, with no source of warmth other than your own body and those of your fellow adventurers. You've been hiking through un-groomed trails for two or three days, and you'll be doing the same for two or three more.
After you break camp and pack the tent away, everyone gears up. It's your day to start off dragging the sled with your group's extra gear, so you strap into your snowshoes, sling your backpack over your shoulders, and throw on the harness for the sled. After spending the day hiking through the woods, the crew pitches camp as the sun sets. Another campfire-cooked meal, an evening of comradery, and you retreat to your sleeping bag, thoroughly worn out and rest up for tomorrow, where more trails await.
Does this sound like hell to you? Better stop reading now then. If it sounds like heaven, as it does for me, this call is for you. I'm talking about a 4-6+ day outing to a provincial or national park (the Algonquin interior is top of my list right now) during the last week of February where we'd be relying solely on ourselves to haul everything around, set up shelter, and do all those other hiking/camping things.
I cannot stress enough that this isn't just a simple stroll in the park. We're talking about spending the better part of your day hiking, with a loaded pack on your back and, at times, a sled to drag behind you. Weather can hit all kinds of extremes, so you'll have to tough that. We'll be sleeping in sleeping bags in tents, no huts or baseboard heaters here. Food will be cooked over a fire or eaten cold, and it'll all be carried in, there's no convenience store in the interior. There aren't any outhouses in the interior either, so be ready for that. Most of your easy comforts won't be available to you and it's quite possible you won't see anyone except for the other group members for the entirety of the trip.
If you're mildly interested, but not sure, don't come. There won't be any easy way to chicken out if your legs are sore after the first couple hours of walking. I'm only interested in going with people who will genuinely enjoy every bit of this trip, and that includes the trudging along in knee-deep snow and feeling so cold you're not sure that you'll ever be able to feel warm again. It sounds harsh, but it's in everyone's best interest that I make the difficulties clear right now and scare off the people who think camping involves an RV, hook-ups at your site, and a warm shower every morning. It sure as hell doesn't, by the way.
I'm just looking to see who expresses interest right now, and I'm going to start running through the logistics of the whole expedition this week. I'll have a drop-dead date and lots more info about how things will be done as I figure them out. For now, if you're interested, start looking up info on winter camping, keep February 17th-25th open on your calendars, and join in on the mailing list I've just set up to keep everyone up to date. That is, if you can handle it.

--Edit: Apparently you need to make a Google Groups account to join the mailing group. Please do so and sign up. Don't whine to me, you'd have to make a new account to join any forum.

Dinner Conversation

2006-12-11T03:30:00.000-05:00

I was at my parents' house this past weekend for my father's birthday, and I figured I would share a snippet of the conversation with you, the dear reader. Just so you know, this conversation was leading out of a quick talk about cows. Apparently, I'm told, cows can walk up stairs, but not down stairs. This was the basis for a prank somebody pulled in their highschool that had no elevator, only stairs. No, not me, but I wish I could lay claim to it, believe me. Anyway, my reaction to hearing about this prank was quite simply, "beef." As in, "the solution to a cow that won't walk down the stairs is simply: alot of hamburgers."

Dad: "What?"
Me: "Yeah, beef. It comes from cows. Where did you think it came from?"
(he knows full well that cows lead to beef, he grew up on a dairy farm.)
"...Beef-alo!"
Mom: "Right, the mighty beef-alo."
"Alright, and in french, it'd be a boeuf-alo, right?"
"Yeah, a boeuf-à-l'eau."
"Hey, that'd be the water-buffalo, right?"

Hilarity ensued. This is the environment I was raised in. So, next time I say or do something that strikes you as, well, downright odd, don't be quick to judge me. There's not much I can do about it, I grew up in a house where that little talk right there is considered perfectly normal dinner conversation. I can't help it anymore.

Security Fails Again

2006-11-30T23:30:00.000-05:00

Holy Cow. A month and a half since my last post. It's a good thing I don't have any readers, because if I did, I'd assume they'd be pretty pissed that I haven't posted in the last 45 bloody days. If people complained though, I'd tell them I'm busy, school's been rough to me, and they could just sod off.

I got a letter from the bank the other day, in it was a brand spanking new credit card, attached to a new credit account, of course. For now, we'll ignore the matter that I asked for a raise on my current limit, not a whole new account, and focus on a larger problem. Security.

To activate this account, all I needed was info on the card itself, and the answer to a question that only I would know, obviously that would be my mother's maiden name. I have a major problem with the standard "security" questions, such as your mother's maiden name, your pet's name, or your favourite flavour of ice cream. Most of them can be found out with very little research by an attacker, and then the weakest point in your security model (and therefore the most likely to fail) is that security question. It doesn't matter how secure your password is if anybody who wants in to your account can get at it by simply doing the minimum amount of digging necessary to find out your mother's maiden name.

My solution is pretty simple: I make bloody well sure I don't forget my passwords, and I enter gibberish for those security questions. This way, the weakest part of the security (under my control, at least) is back to being my password. Not perfect, but secure enough that I'm comfortable with it. This came back to bite me in the ass this time.

As I said earlier, to activate my card, the bank asked me for my mother's maiden name. I put in a string of gibberish, assuming it was just in case I lost my password in the future. Oops, they're checking it against the name I've provided sometime in the past. That's OK, I'll just put in my mother's actual maiden name. I'll bet some of you are already seeing the problem here. Whenever I set up the security with this bank, I already provided something for my mother's maiden name, and it was just random typing. Damn.

I called up the phone number to activate my card, and explained the issue. The woman I talked to was helpful, and I got the card activated after some extra identity checks (birthdate, questions about my accounts with the bank in general, etc). She then proceeded to tell me she was switching the "mother's maiden name" field over to my actual mother's maiden name, which I had given at the beginning of the conversation. The idea is that now I won't have this problem again. Sigh. Back to square one I guess, with the weakest point of failure in my bank's security being that (not very hard to acquire) name. Even after I explained why I hadn't given her actual maiden name the first time around.

Oh well, thankfully credit cards have this "zero-fault liability" about them, which means if they're stolen, or I'm defrauded through my card, it's never my fault. And if anyone is actually planning on targetting me, you may as well not bother. There's very little money in it for you, and I'd rather be able to buy groceries next week, please and thanks.

2006-10-15T03:43:00.000-05:00

I promised a list of links related to my previous post, and here it is. While my guide was meant to be humourous, I hope that reading over this list is a bit more sobering. I haven't included every instance of abuse of "terrorism laws," false alarms, stereotyping, or anything else of the sort. That list would be much much too long. What I have kept here is a list of the stories that I had in mind while writing the guide. Honestly, reading through these scare me, they seem so unrealistic, so unlikely... It's a fucked up world out there.

Men considered suspicious for speaking arabic
Doctor removed from plane for reciting evening prayers
Enjoying The Clash makes you a terrorist
Hat + backpack + cell phone = terrorist
Architect assaulted for being tan and having an iPod
Tamil: the official language of terrorists
Another iPod threat
American views on Muslims (and how cell phones make Palestinian-Americans terrorists)
Amnesty International on Gauntanamo Bay
Amnesty International on Abu Ghraib and the rest of Iraq
Maher Arar's story (sent to Syria, tortured, and now there's no reason for it)

How to Spot a Terrorist

2006-10-13T01:00:00.000-05:00

School's pretty intense this semester, so the time I spend on projects that (hopefully) would result in original material up here is virtually non-existant. To top it off, I've had a couple false starts, so the couple of things I thought I'd have done by now have been put on a bit of a hold. Instead, I bring you a guide to help keep us all safe. (And before you respond to it, I should suggest you read what I've tagged this post with)
We live in pretty scary and dangerous times, with a constant threat upon our lives and our very way of living by the unending evil of terror. In hopes to help stem this onslaught, I offer a guide on spotting terrorists, based on what our governments and trusted news outlets have provided as terrorist-like attributes.

Visual Clues
Terrorists, as we all know, come from the Middle-East. The men you need to spot as threats will have a brown, or tanned, skin colour. Most likely, they will also have a beard. However, in recent years these terrorist groups have spread their influence to other ethnicities, resulting in not only brown, but white and black terrorists as well. Some may not have the traditional beard, as it has been known to attract unwanted suspicion. Therefore, any person, of any skin colour, bearded or clean-shaven, must be viewed as a potential terrorists.
Some activities that terrorists often partake in may give them away. Has the suspect been speaking in a language you don't understand? Have they said prayers (remember, terrorists are all religious fanatics)? Have you heard them sing along to a "subversive" song? Have they used ane electronic device, especially an iPod? Do they have any liquids on them they could turn into a bomb? Are they acting nervous when you watch/inspect/interrogate them? Be warned: some of these terrorists are very good and may be able to stay completely calm when under pressure. We can assume that anybody exhibiting any of those characteristics, and who is acting either nervous or calm is most likely a terrorist.

Interrogation
Now that you have the terrorist in custody (and because the authorities may be too slow to act in time, do not be afraid to take matters into your own hands), you must begin interviewing him to be able to get any useful information out of him. The standard procedures for interrogating a terrorist have been under contention recently, so here's a quick guide:

1. Establish that the suspect is, in fact, a terrorist.
- The most basic and first line of questioning should be "Terroristsayswhat?!" Should our terrorist respond with "what?" (as terrorists will), you now have an admission of guilt.
- Secondary methods of ascertaining guilt are association (if the suspect knows a terrorist, through any type of connection, they themselves are therefore a terrorist), and referring back to evidence you have, but cannot share with anyone, as it is too sensitive. But honestly, you've got it. And it's good stuff.
- If both those methods fail, an admission of guilt will need to be gotten out of the second part of the interrogation, as well as any other intel you can gather.

2. Collect intelligence through interrogation.
- Ask questions and demand answers from your (now self-admitted) terrorist. If he says he doesn't know, he's lying. Let him know you know he's lying, and don't give up. He'll have to crack and give you answers eventually.
- Deprive the terrorist of sleep. This makes him confused and disoriented, and therefore more likely to slip up and spill the beans. Collect said beans.
- Solitary confinement. Most people go batshit-crazy in solitary. This makes them great sources of information in the daily interrogations you (as the only soul they'll meet) will conduct.
- If nobody's looking, degrade the terrorists. Insult and degrade them as best you can (get creative!), threaten them with torture, electric shocks, and vicious dogs, mock-execute them. Do anything that is necessary to get intelligence (which is obviously still valid) from the terrorist.
- If all the above methods fail, ie: the terrorist still lies and claims not to be a terrorist, or they have not given any useful information, deport them to another country, where you can get away with much worse torture.

3. Post-interrogation
- Obviously, the terrorist, once drained of information, will need to be kept seperate from society, as to not pose a threat. Keep them in a jail set up just for terrorists.
- Refuse to bring the terrorist to court. Create a classification for the terrorists so that you don't have to follow normal rule of law. Better yet, use the one already in place; "enemy combatant."
- Do not set the terrorist free. By keeping the terrorist in this state of limbo, you do not need to present any evidence for what you have done. The terrorist can not argue in his defence either, as he has no charge to defend against. Due to the 'enemy combatant' label, you do not need to take the terrorist to court in case. He is in your hands as long as you wish him to be.

And there we have it. Hopefully, you will follow these rules and help keep our world safe.

And, yes, everything in that bit was written based on the real world. It's 3AM, so I'm in no state to research the backing stories, but I hope my next post (soon!) will be made up of the stories that back up all I just wrote. I hope I've presented the problems with racial profiling (and other types of profiling that have no proper basis) and with the current techniques used to handle "terrorists."

Cop-out

2006-10-07T12:26:00.000-05:00

Right, so I said I'd try to have something up. Unfortunately, this is going to be another filler post. Instead of getting any projects done, I'm dedicating my weekend to schoolwork (in which I'm mightily behind) and cleaning up my sorely neglected lab (oh yes, dear readers, I have a laboratory!)

I just finished up with the lab, it's probably about 95% clean, which is as good as it'll get and plenty satisfactory for me. Once I add some features I want, I may just dedicate an entire post to this room... Either way, it gives me alot more space to get through some things that need doing.

As if I didn't have enough excuses, the materials I'm planning on using for my speaker stands aren't nearly as co-operative as I'd expect, so that's going to take longer too. Hopefully I'm through my sickness soon and I can dedicate my whole days to accomplishing something constructive. As for now, that's it for me, I need a nap.

Zero-Dollar Budget

2006-10-03T16:18:00.000-05:00

I'm trying to stick to a reasonable posting schedule, so I'm puting up a filler post today. Real content will return sometime.

I was running numbers last week, and, unfortunately, it seems I have even less money than expected. However, that's never really something new. It simply means that I am now on what I call a zero-dollar budget. I pay for what I have to (bills, food, rent) and otherwise not spend a dollar. This means there is no money for my pass-times (although I'm pushing myself and making an exception for rock climbing) the main one being the random projects I put together, like the Zombie Emergency Preparedness Kit I made for the CAN. Projects of one type or another are what I'd like to makje the main focus of this blog.

Hopefully, this won't mean more filler posts, I'll just have a narrower range of options for the projects I pick up. I do have a large collection of... "stuff" that I've been planning to make into various projects or fix in various ways, and now I'm simply forced to use that stuff instead of spending a bit of dough on more interesting projects. I've already got a pair of speaker stands on the way and (hopefully) some DIY rackmount gear to show off in the relatively near future.

The second limit in the near future (and possibly extending long beyond the "near" future) is school, and the time it sucks out of me. I'm hoping the current crunch I'm put under will pass soon, otherwise I'll have very little spare time (lim t -> 0 for you nerdy types). Hopefully I'll be able to steal away a few hours a week here and there.

Assuming my time opens up and I can keep up a medium- to highly-productive attitude, what can you expect from me? I already mentioned the speaker stands and DIY rackmount gear. I'm also looking to do some audio gear, garbage-electronics repairs, a bike-stereo, lots of shelving (and playing around with shelf designs), and if time really opens up, there's a fair bit of programming I want to get to.

Basically, I've got lots on my plate. Good thing I'm a hungry guy.

The Liquor Wall

2006-09-30T01:23:00.000-05:00

A couple years ago, five starry-eyed young men (some would say merely boys) moved in to a house in Nepean and set off a chain of events that changed the world. That chain has yet to be understood, most events have not yet happened, and one can only imagine the changes, but the house still stands. While the housemates have come and gone, the atmosphere changed a few times over, and the set-up is in constant flux, one thing hasn't changed. This house was originally named the ELPAC, an acronym taken from the original five's names, and while only two of those five are still tenants, the name has stayed.

The "P" in ELPAC stands for Patrick. I am that Patrick.

The house has many stories to tell, but today, one picture will have to say it all. From the first day onwards, the ELPAC has had a shelf for empty liquor bottles, a trophy case, for all intents and purposes. After the initial settling-in, three clear rules were established for a bottle's inclusion:

The bottle must have been drank in the ELPAC, or by a tenant.
The bottle must be unique. (none of the same kind and size)
Except for very rare exceptions (two, so far), the bottle must be liquor.

These bottles were originally lined up on a ledge by the stairs that would seem to be an architectural feature of the house. As the collection grew, "families" were formed and expanded, and finally the ledge could hold no more. Shelves were built, the bottles arranged properly by liquor type and brand, and the collection was brought to its full glory. Today, the collection stands proud at 63 bottles (+2 exceptions) and a whopping 37.81 litres (just shy of 10 US gallons).

Some quick math tells me we've averaged over 1.5 litres a month, and we're nearing 1300 shots of pure liquor. I'm not going to bother with actually calculating average costs and such, but I'd estimate over 12 litres of pure alcohol, between 1600$ and 2000$ (ouch!), and too many killer hangovers. All this achieved while everyone was either working full-time, a full-time student, or a combination of both. I didn't even think we were heavy drinkers, and mostly we're beer guys, but the proof is on those shelves.

I'll drink to that!

CAN-Opener!

2006-09-24T22:43:00.000-05:00

A week ago, the boys who have moved into the CAN had a couple parties to welcome themselves to their new house. We here at the ELPAC are very close to the CAN guys (two are ex-ELPACians) so we thought we'd bring them a gift. I built this over the preceeding couple of weeks, from scratch out of wood, metal, glass, and paint. The original idea is all here.

The Emergency Zombie Preparedness Kit! We didn't really think they were safe without one. A couple of asides: bending metal sucks if you don't have some of the basic gear (I don't), and Krylon spray paint absolutely rocks.

Hope the CAN survives you boys.

Quantum Leaps (and tumbles) in the English Language

2006-09-21T00:58:00.000-05:00

How many times do we hear about a "quantum leap" forward in a field (usually science or technology) when an announcement is made about a groundbreaking discovery, invention, or experiment? It's such a catchy term, and so closely linked in our minds with great advances in science, that I'm sure it would be hard for a journalist to avoid using the term. However, do they really know what they are saying? For that matter, do we (the public) know exactly what a "quantum leap" is, and if so, have we ever stopped to think about what a reporter is actually, unintentionally, saying?

The term "quantum" describes the smallest, indivisable, measurement of a property. The simplest example would be money, a quanta of Canadian money (we use dollars, with 100 cents to the dollar) would be the penny (one cent). There is no way to have a portion of a cent, not according to an accountant, at least. A quantum leap is a change by this smallest unit, in the case of money, gaining or losing a cent. The terms come from a breakthrough in physics in the early 20^th century where it was shown that energy levels of electrons in an atom are discrete steps (like a stairway) and not a continuous range (similar to a ramp).

This breakthrough led to what we know as quantum mechanics, which was a huge leap forward for physics. It is that scientific leap that people think they are referring to when they say "quantum leap." Unfortunately for them, if you know where the term comes from, you know that they are actually saying that their subject is the smallest possible advancement. Ooops.

Maybe it's because I come from a highly scientific-oriented educational background that this "quantum leap" business bothers me so much. I'm always annoyed to the end of my wits by inaccuracy in written word, and abuse of science or math bothers me even more. Quantum leaps aren't even the only time this happens.

Some brilliant people, ideas, and innovations are described as "light-years ahead of their time." Sounds pretty impressive, doesn't it? Well, kind of. A light-year is the distance light travels in one standard year, or 9.461x10¹⁵ meters. That's 9,461 followed by 12 zeroes. Does anyone see where the problem lies? Ahhh yes, time isn't measured in meters. Measuring time in light-years is about as useful as my telling you it's "24 kilometers past noon." You don't have to have taken physics to understand how wrong that one is.

So please people, I beg of you, stop abusing those scientific terms in attempts to jazz up your own writing. It's not only inaccurate in that it's untruthful, but the author doesn't even know how far off they are (or I hope not). A little part of me dies inside everytime I hear or read these phrases. Violently.

Why the Return of DiY?

2006-09-19T22:47:00.000-05:00

Lately, as in "during the last few years", I've noticed a the DiY culture creeping back towards the mainstream. Reality TV shows have sprouted up all around building things, fixing them, or modifying them. American Chopper, Pimp My Ride, Holmes on Homes, Monster Garage, Monster House, Junk Brothers, the list goes on. TV isn't the only medium that's showing this trend, more books are being published that help everyday people learn what they need to take care of their own fixing, building, and modifying. Most notably (in my mind) is the publishing of Make: magazine and the phenomenal following it has amassed.

DiY stands for "Do it Yourself" and encapsulates the philosophy of exploring, learning, tinkering, and building what you need instead of letting someone else do it for you. This used to be the way for pretty much everything, especially for folk in the country. A farmer couldn't wait for someone from town to come fix his wagon, so he did it himself. In the '50s, Popular Mechanics was actually all about projects kids (and kids-at-heart) could assemble themselves to explore how things worked. Somewhere since then, we've had a shift in perception.

At some point in the latter half of the 20^th century, DiY was pushed to the fringe. I'm guessing that the advent of the technological age, with its seemingly more complex devices, contributed to that. At some point, it became cheaper to buy new things than to actually get the old ones repaired. Consumerism is now king and it's always better to buy something than to try and fix or make something on your own.

Not everyone bought into that line of thinking, thankfully, and now the DiY attitude is finally coming back to life in the mainstream. I definitely see this as a good thing, for way more reasons than I could list here. The two most prominent ones are simple: DiY is extremely fun and intellectually stimulating (problem solving skills, creativity, visualization, motor skills, and so on are all exercised). Of course, I got to wondering, what spurred on this resurgence of the DiY attitude?

I blame Survivor.

Hold up. That show where people need to compete in sorta-survivalist challenges? Shelters, video crews, drama, and the-tribe-has-decided-now-put-out-your-torch Survivor?!! Yeah, you read correctly.

Survivor was a breakthrough idea in television; it focussed on (mainly) unscripted "real(-ish) life" situations people were thrust into. You can't get much more realistic than actual (well, kinda) reality. The ratings demonstrated that this was what people wanted too, this show was huge! The TV networks did exactly what any industry put into this situation would do; they copied the idea over and over in an attempt to make money from it. By and large, they succeeded.

Following the initial flash of Survivor, two things happened at roughly the same time. One, networks tried taping any "reality", in hopes that they'd get the next big show. Most inportantly here, they sometimes made shows about building things. Second, people looking for a dose of reality, and possibly tipped off by reality-building shows, started watching home renovation channels.

Now, watch the repercussions. Viewers see what great things can be achieved through doing it themselves, and how easy it can (seem to) be. They decide to do some home renovation (or other similar activity) themselves. Networks see this and reply by puting more DiY reality TV on. The cycle continues, and the attitude spreads.

The present; doing things yourself is now cool. Even those who don't actually pick up any creative hobbies are part of the phenomenon, as they experience DiY (albeit produced and packaged) through their TV. Make:zine has exploded in its first couple years of publishing, and represents the epitome of DiY. The internet, of course, allows all of these DiY communities to form across great distances and exchange their ideas. Things are looking pretty rosy for the returned DiY spirit.

Where does it go from here? I don't know. I never would have predicted TV to be the cause of this (unless people all decided it sucked, turned it off, and picked up hobbies). I would be willing to say that this is more than a fad right now, that DiY has a bit more staying power than, say, devil sticks. I guess the best outcome, in my mind, would be for the people who are developing now and will shape the world in the future, to reject the extreme consumerism we currently see, due to spending their developmental years embracing DiY. I think these same children will also be more intelligent, in both traditional (school smart) and less traditional (street smart) ways.

We'll have to wait and see. For now, I'm enjoying the DiY scene as it grows and expands.

I Feel Dirty

2006-09-16T03:59:00.000-05:00

This will be my second attempt at starting a blog, and at least fourth or fifth at a web page. Blogging seems to be the cool thing to do these days, so it's with great unease from my anti-cool that I give this a second shot. My first round was on a home server with my own software. It was a slow connection, features were limited, and content was pretty hit-or-miss. Now I'm trying Blogger out, as LiveJournal/MySpace are way too hip for me, and between a service run by Microsoft, or one run by Google, I'll put my trust in Google's programming.

I'm not going to pretend that I have a plan for regular updates, nor promises regarding type of content, just that if I like what I'm puting out, it'll continue to happen. We'll have to wait and see.

::Edit: I'm now trying Blogger2.0 Beta, let's hope it works well.