The Perfect Bag

Satchel

I’ve been on a search for the perfect bag for quite some time.

I carry a lot of stuff, and I hate having my pants pockets loaded down. There’s the wallet and phone and pens and iPod, for starters. But there’s also the keys and knife and … Am I becoming Ken Coar?

I want something that’s small – I already carry a backpack most places – but big enough for the stuff listed above. And it needs to be neither effeminate and purse-like, nor have the uber-geek-ness of a fanny pack.

I finally found The Ultimate Bag. It’s awesome. It’s got everything. It really has only one drawback – the price tag.

Now, with a 100 year warranty, and such an aura of awesomeness, perhaps $115 is in fact pretty reasonable. But I don’t actually have it at this moment. But what I do have is an awesome brother who lives in the place where they have amazing leather artisans on every street corner. I showed him the picture, and he arrived last week with The Perfect Bag.

At first, I thought it was a little small, because my Moleskine didn’t fit in it, but the more I use it, the more I love it. I think it might actually be the perfect size. It’s really well made. The stitches are small. The stress points are riveted. The inside has a nice lining. And the whole thing is that wonderful honey-brown color that will, I’m sure, darken with time and use. It doesn’t have any zippers or snaps to break or wear out, so I think it’s going to last a long time.

Whether they’ll fight over it when I’m dead, I’m not sure, but that’s a concession I’m willing to make.

Slowloris

No doubt you’ve heard of Slowloris, the HTTP DoS tool that will take down an Apache web server. I recommend reading the update at that site, which describes in some detail how it works.

Note that this condition is also covered in the Apache documentation, and, according to svn, that was put in:

r369825 | slive | 2006-01-17

So we’ve known about it for a *long* time.

What I can’t figure out is whether it’s really not that big a deal, or if I’m dismissing the importance because I’ve known about it for so long. I’ve known for a *long* time that you can take down an Apache server with nothing more than a telnet client. You telnet to port 80, issue a partial HTTP request, and then bg the process, then do it again.

The way that the attack works is that Apache then waits for the rest of the request, until it hits the timeout (configurable with the Timeout directive). This completely ties up that listener, so that it can’t answer any other inbound requests. Unfortunately, by default, Timeout is set to 300. And Apache only has a finite number of available waiting processes (configurable with MaxClients). So you do that MaxClients times within Timeout seconds, and, voilà, the server is now no longer able to respond to inbound requests.

That’s exactly what the slowloris tool does, in a more automated fashion.
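The worker starvation described above can be seen from the server side in mod_status, where a worker waiting for the rest of a request shows as "R" (reading request) in the scoreboard. The following is an added example, not code from this post or from Apache: it assumes mod_status is enabled and its machine-readable output has been fetched by other means, the two sample outputs are constructed, and the function names and the 50% threshold are assumptions.

```python
from collections import Counter

# Constructed samples of mod_status machine-readable output (/server-status?auto).
# Scoreboard keys used here: "_" idle, "R" reading request, "W" sending reply,
# "K" keepalive, "." open slot with no process.
SAMPLE_HEALTHY = """\
BusyWorkers: 3
IdleWorkers: 7
Scoreboard: _W__R_K___......
"""
SAMPLE_STARVED = """\
BusyWorkers: 10
IdleWorkers: 0
Scoreboard: RRRRRRRWRR......
"""


def scoreboard_states(auto_text):
    """Return a Counter of worker states taken from the Scoreboard line."""
    for line in auto_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Scoreboard":
            return Counter(value.strip())
    raise ValueError("no Scoreboard line in status output")


def assess(auto_text, max_clients, reading_ratio=0.5):
    """Flag the case where most of MaxClients is stuck waiting for request data."""
    states = scoreboard_states(auto_text)
    reading = states["R"]
    # Every slot that is neither idle ("_") nor empty (".") holds a busy worker.
    busy = sum(n for state, n in states.items() if state not in "_.")
    return {
        "reading": reading,
        "busy": busy,
        "idle": states["_"],
        "headroom": max_clients - busy,  # workers left for new connections
        "suspect": reading >= reading_ratio * max_clients,
    }


if __name__ == "__main__":
    # max_clients=10 is an assumed MaxClients value matching the samples.
    for name, text in (("healthy", SAMPLE_HEALTHY), ("starved", SAMPLE_STARVED)):
        print(name, assess(text, max_clients=10))
```

Polled on a short interval, a sustained "suspect" result with zero headroom is the signal to look at per-client connection counts and the Timeout setting.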

So, what to do about it?

Well, set Timeout lower. And use mod_evasive to limit the number of connections from one host. And use mod_security to deny requests that look like they were issued by this tool. However, that last one doesn’t really help, because it’s trivial to change the signature of requests from this tool.

On the other hand, this attack – or exploit, if you want to call it that – has been around for years, and hasn’t been a very popular attack vector. What this tool has done is not so much discovering an attack – we already knew about it – but let the larger number of script kiddies know about it. So presumably we’ll see it happen more often than we used to.

So, what to do about it longer term? Well, in Apache 3.0, or 2.4, with the event MPM and asynchronous IO, it will apparently be a non-issue. Another of the *many* compelling reasons to upgrade to 2.4 just as soon as it releases – something else that I need to write more about in the coming days.

Additional resources:

Niq’s response
Apache security documentation
Slowloris website
mod_evasive

OS 3, CalDav: update

In addition to Shep’s helpful comment, right after I posted my last entry I discovered that the settings at m.google.com/sync apply to the Exchange sync. Apparently the Exchange sync worked in OS 2.2, so there was no reason to upgrade at all, if I had just known that.

Of course, there are some nice additional features that I got, and it was only $10, but it’s rather irritating to me that I have to set up 10 different accounts to sync my 10 different Google calendars. That seems odd, to say the least.

Anyways, perhaps this is an enhancement that will come along shortly. Meanwhile, I’ll probably just keep using the Exchange connector.

OS 3.0 and CalDAV

I had one single motivation for upgrading my iPod Touch to OS 3.0 – CalDAV. According to very vague reports I had read before, it would “support CalDAV”, although the actual explanations of what that meant varied somewhat.

But iCal on the Mac started supporting CalDAV – actually allowing editing of CalDAV calendars – a while back, so I figured maybe the iPod/iPhone would too. And, hey, it’s only $10.

I found several conflicting instructions on how to configure CalDAV for Google Calendars. The best ones were here and here, suggesting that you set it up either as an Exchange account or a CalDAV account. While CalDAV seems more probable, the one that says to do it as Exchange is at Google. Weird.

Also, if you go to m.google.com/sync on your iPhone, you get a thing that lets you select which of your calendars you wish to connect to.

So far, sounds pretty good.

Yes, I said “which of your calendars.” I have a dozen calendars on my Google calendar account, because I share calendars with several people. It’s the only way to fly. But the iPhone seems to assume that I’ve only got one. As far as I can tell, it is syncing quite happily with one, but the other ones are being entirely ignored, despite what I configured on m.google.com.

Is this expected? I vaguely remember reading somewhere that I’d have to create a “new account” for each calendar, but that’s so completely ludicrous that I must have misunderstood, right? In that case, why would there be this tool at Google for saying what calendars I want to sync?

I *think* I have it set up right now, but now m.google.com says that my iPod hasn’t sync’ed since yesterday at 15:46, so … apparently something is still not set up right.

So. Frustrating.

mod_rewrite misinformation

I wrote a book about mod_rewrite. Perhaps you have a copy. If so, thanks.

Additionally, I spend a lot of time on IRC (freenode.org, #httpd) answering mod_rewrite questions. And I speak at various conferences, frequently on the topic of mod_rewrite.

mod_rewrite isn’t, in fact, terribly difficult. However, it is made more difficult by two factors.

First, regular expressions are universally perceived as being difficult. Thus, even people who haven’t even tried to learn about them already *know* that they are difficult, because someone else communicated this dread to them in a weird tribal knowledge rear-brain kind of way.

Second, and perhaps more damaging, is the ENORMOUS quantity of misinformation that exists online about mod_rewrite. If you search for a rewrite recipe to do X, you’ll find a hundred of them, and at least 75% of them will be Just Plain Wrong, while 20% of them will be either misleading, or confusing, or actually work, but do it in such a way that enormously obfuscates things to the point that nobody can understand what’s actually going on.

The other 5% will make the observation that the task in question doesn’t actually require mod_rewrite, but that there’s another, more efficient and simple, configuration directive that does exactly what is being requested. Such as Redirect, or SetEnvIf, or Alias, or UseCanonicalName.

I became interested in mod_rewrite primarily because of regular expressions. Having read Jeffrey’s marvelous book from cover to cover back in the first edition, and using regex extensively in Perl, I figured, how hard could it really be? The secret answer is, not very hard at all. But since people go pretty far out of their way to make it hard, I’ve been guaranteed a speaking spot at any conference I want to submit a paper to, because people say, Oh, mod_rewrite is HARD!! Lucky me.

So, once again, a huge thank you to Ralf for creating this beast.

I will now resume my eternal quest to find and gently correct all of the bad mod_rewrite examples out there on the web.

William Purvis and Fountain Pens

Today I saw an ad for the UNCF that indicated that the fountain pen was invented by an African American, William Purvis. This struck me as wildly improbable, since fountain pens have been around considerably longer than there were non-native persons living on the North American continent, and certainly before there were persons of African descent here.

Another website made the same claim, giving a date in 1890 for the invention, but lacked any useful information to indicate what, exactly, Mr. Purvis invented. Strangely, Wikipedia doesn’t mention Mr. Purvis at all, and gives a date in 953 for the invention of the fountain pen, in Egypt. For the purposes of this claim, “fountain pen” is defined to be a device with an ink reservoir and some kind of gravity-fed ink delivery to a nib. And, further, there are surviving fountain pens from the 1700’s, which would make an 1890 invention date impossible.

As a huge fan of fountain pens, my curiosity was piqued, and I wanted to know what in fact he did invent and patent in 1890.

After a little more poking around, I found that Mr. Purvis invented improvements to existing technology, making a fountain pen that didn’t leak as much, and which was more affordable to most people, ushering in an era where everybody could own one. He also invented a number of other very cool things, including self-inking hand stamps, electric railway track switchers, and machines for making paper bags.

Edit: Here’s another great resource on the history of fountain pens.

All of this leaves me wondering why a respectable organization like the UNCF would make such a claim which is so trivially debunked. And yet, even as I write this, I know that folks will accuse me of being racist by even pointing out such a thing. If the goal here is to celebrate the accomplishments of African American inventors, there’s certainly no shortage of those without making any up.

Now, I’m certain that many of the inventions attributed to white men were in fact invented by someone of, shall we say, lower social class at the time of invention, either for reasons of race, nationality, or gender, and the white man in question took credit for them, because he knew that the actual inventor lacked the clout to do anything about it. I’ve heard this claim about Edison repeatedly. The controversy we know about is that of Nikola Tesla, who was Serbian. But he was white, and so he got some little recognition at the time, and a lot more since his death.

But revisionist history doesn’t help anyone. We should celebrate William Purvis for what he did invent – which was some very cool stuff – without making up claims that he invented other things, which not only opens the claims up to debunking, but also undervalues the cool things he did accomplish.

Out Of Touch Lexingtonians

Once again the rich folks in Lexington are talking out of both sides of their mouths, and it really irritates me.

They claim that they oppose the sidewalks on Tates Creek Road because it will spoil the grass, because it will be dangerous for people to walk there, and because the people will be exposed to exhaust fumes. But we know better, don’t we?

The truth is that they don’t want *that kind* of people walking in front of their million dollar homes.

Whenever there’s something proposed in Lexington that benefits the low-income folks who don’t drive SUVs and don’t own horses, it gets shot down. And the sidewalk proposal will probably fail in the city council tonight, because the city council is a bunch of spoiled rich kids who are more interested in having direct flights to Las Vegas and Martha’s Vineyard than they are about whether their less advantaged neighbors are able to walk to work without ruining their clothes.

It’s not even like there’s a cost involved – this is a federal grant.

The number of completely ludicrous statements made in opposition to the sidewalk would be funny if it wasn’t so disgusting.

“Sidewalks would destroy the greenery of the corridor and increase storm-water run off,” said Steve Kesten,

… leaning against the side of his Lexus SUV that gets 7 miles to the gallon, downhill.

“I see no good reason for sidewalks out here, and neither do my neighbors.”

…. Presumably because they all have SUVs, too, and so don’t need to walk anywhere.

“My constituents don’t see people walking along the road,” Beard said, adding that when he drives along Tates Creek, “I never, I mean never, have seen anyone walking.”

… Presumably because he was talking on his cell phone and drinking his Starbucks at the time.

Lexington is increasingly a divided society, with a widening gap between the rich folks that run the show and the poor folks who make up the majority of the population. Here’s hoping I’m wrong about the council meeting tonight. At least this is a good sign.

Sveasoft vs Cisco

I have a WRT54G, the ancient 2.2 version of the hardware, back before there was an L edition. I’ve been running the Sveasoft Alchemy firmware on it for years and years. I don’t even remember when I installed it.

Yeah, I know, there are some folks with ideological reasons why I shouldn’t run Sveasoft. Whatever. That’s not the point.

Anyways, for the last few months, we’ve had to reset the device on a nearly daily basis, otherwise the DHCP server just stops handing out addresses.

This weekend, we got fed up, and I downloaded the latest firmware from Linksys/Cisco. It seems to have all the same features as the Sveasoft firmware I was running. Or, at least, if it’s missing any, it’s ones I wasn’t using. Presumably I could run a ssh server on it, so that I could ssh in and … um … do something … I’m not sure why I would want to do that, actually.

Anyways, we haven’t had that problem since we did that, and it makes me wonder, not for the first time, how it is that software can suddenly take it into its mind, after years and years of functioning correctly, to just suddenly quit.

So strange.

Tandoori Chicken

We spent most of yesterday afternoon making dinner – tandoori chicken, chapatis, and aloo gobi. Although we usually make tandoori chicken with a mix, yesterday we made it from scratch, which is always better, and a lot more fun.

There are lots of recipes online for tandoori chicken, but none of them are quite what I remember from a cookbook I used to have, but seem to have misplaced in some dark corner.

So we took several of the recipes as inspiration, and came up with something all our own. Like all good recipes, I’m not entirely sure what I put in it. Yoghurt, fresh-pressed garlic, grated fresh ginger, cumin, cardamom, coriander, black pepper, cloves, cayenne, garam masala that we already had, and lots of chopped cilantro. As to the quantities of each, I really couldn’t say. Which is a shame, because it was some of the best I’ve ever made.

We’ll have to try that again some day. Maybe that time I’ll write down the amounts. But, realistically, I doubt that I will.

The aloo gobi recipe is the one that’s at the end of the “Bend it like Beckham” DVD.

The chapatis are my own interpretation of the technique that my brother taught me.

Maybe we’ll make it for you next time you visit.

The Margin Is Too Narrow