BoingBoing tells us How To Make A Van de Graaf Generator out of a tin can and a weasel.

Ok, you don’t really need a weasel.

Last night between 5:46:48AM and 5:50:02AM, the IP 209.50.238.122 attempted to SSH to the admin account of one of my boxes 318 times. At 5:50, DenyHosts noticed and shut the IP down.

Though the IP is doubtless a spoof, it’s amusing what happens if you hand it to hosts:

$ host 209.50.238.122
122.238.50.209.in-addr.arpa domain name pointer mail.harvard.com.

Yesterday, we caught some kiddie trying to log into one of our servers. He — or his script — tried a brute-force attack on SSH some 740 times in about 45 minutes. Based on the security profile of the machine, that sort of attack is wildly unlikely to bare fruit, but still: some jackoff is trying the locks, and we don’t like it.

Lots of Googling and guru-asking later, someone pointed us at DenyHosts, which rules. If you run an SSH server, you probably ought to look into this. It watches your logs; when it sees more than X invalid ssh attempts in Y time period from a given IP, it adds that IP to /etc/hosts.deny (or other appropriate file, depending on your flavor of *nix). It distinguishes between invalid logins (for accounts that don’t exist) and failed ones (for accounts that do), so it’s possible to allow 5 invalid attempts in 14d before lockout AND only 3 in 30d for actual accounts, for example. Also, the author was smart enough to incorporate a –purge option, which is key. The IP the script kiddie had yesterday might well be the one you have today, so a permanent ban list isn’t the way to go.

Nice work. It’s not quite ideal — by which we mean that if someone kept trying the locks on our HOUSE at night, well, eventually we’d get down the stairs with the Steyr in time to make short work of the miscreant; to the best of our knowledge DenyHosts does not in fact poke additional holes in the attacker — but it’s certainly a worthwhile extra step to take.

Is it rude to take out one’s notebook during dinner and tehn photograph it to post on Flickr?

This is Heathen’s 3,000th post. Enjoy.

Superheros. Dude, they’ve got Plastic Man!

We’re pretty sure we don’t want these, but it makes us happy that they exist.

We do wonder, though: If we got them, would we be entitled to a saving throw when pulled over?

Not like these, anyway. We want to build a Gauss rifle. Heh.

Or, at least, the BBC wishes they hadn’t. (NSFW; screencaps with boobies included in Sun article)

At Google they do, anyway. The search king’s enormous financial clout is turning Silicon Valley’s VC culture on its ear, which is sort of funny. The article has VCs complaining that now, a startup might just go from founder to Google without the VC step. Horrors!

Microsoft will open its Office file formats to all comers; they’re being submitted to Ecma for documentation.

Of course, around here we still prefer text files, so there you go.

Cringely thinks he knows. (Via /.)

Trust me.

We wonder what percentage of the Heathen would know this question from Jeopardy.

“Ok, who wants to explain statistics to me?”

No, seriously. I used to be a big math geek (though I was never a Mathlete). I expect to be able to understand these sorts of things; I just never got around to bothering with statistics. One concept that’s come up again and again that I have only just now looked up is standard deviation.

I’ve always understood, on a basic level, that standard deviation is a way of measuring how spread out your data is, on average. There are actually two ways to look at this, it turns out. There’s variance, which is the average of the squares of the distance to the mean of your data (which glosses over the difference between “mean” and “expected value,” which is also something I don’t understand), and standard deviation, which is the square root of the variance.

This is where I get somewhat confused, however, because the articles linked above mention that there are TWO formulae or methods for getting variance and standard deviation: one used when you’ve got the whole population (and these formulae are the basic versions you can derive from what I’ve written above), and one you use when you’ve only got a sample. Why is this?

The differences seem big; using Excel and the set (1, 2, 3, 4, 5), the variance for the whole population is 2, and the St Dev is 1.41.

We get there simply: the average is 3, so we add (3 – 1)^2 + (3 – 2)^2 + (3 – 3)^2 + (4 – 3)^2 + (5 – 3)^2 and get 10, and then divide the lot by the number of values (5) to get 2. The square root of 2 is 1.41.

However, Excel tells me that the sampled variance is 2.5, and the sampled St Dev 1.58. So I ask you, lazy Heathen, if someone might enlighten me. (Does it have something to do with assuming a normal distribution?)

John Gruber thinks I should get a new Powerbook this year, which has been my tentative plan — this one’s 3 years old and nearly out of Applecare, and having the expense against 2005 taxes would be good. The counterpoint is the possibility of faster Intel-based machines in 2006, but my gut — and Gruber’s — is that I’d rather have the last iteration of PowerPC hardware than the first iteration of Intel hardware.

This is the 2,900th post on Heathen. And boy are my fingers tired.

(Yeah, we know the header says 2,897; that’s the overnight count.)

It’s been pointed out to me again that I don’t have an RSS link on this page. This isn’t, however, because I don’t have a feed; I do. It’s just because that, heretofore, I was too lazy to put a link up about it.

Well, look over to the right. It’s got a link and everything now. Happy?

(If this doesn’t make any sense to you, don’t worry about it.)

If these rocks are not meteorites, they are clearly meteorwrongs.

Backups should include your fucking crontabs too, lest impolite installers accidentally run as root fuck everything up.

The de Young museum in Golden Gate Park re-opened on the last day of our honeymoon; we got close, but decided not to go in given the crowd. Reading now about their approach to art and technology, we wonder how quickly we can go back. (Related pix here.)

Someone has created a distributed file system built on top of TinyURL.

So, as the previous post probably makes clear, we’ve switched ISPs. Gone are the $50/month days of Earthlink (yeah, we know; we’ve just been paying the bill for five years without bothering to check other deals). Welcome to the $25/month days of SBC, with better than twice the bandwidth (3Mbps down, .5 up).

The sudden influx of speed made us wonder what the next step might be. For 15 years or more, we’ve thought of the T1 as the holy grail of bandwidth, but we realized we didn’t actually know how fast it was. Turns out, “T1 speed” is about half what we’re getting from SBC, but it’s symmetric (1.54Mbps both ways). As Mike pointed out, time was that a T1 made you an ISP (well, you’d also need a modem bank and a shitload of inbound lines); now, a T1 means 10-year-olds laugh at you.

Ah, life in the future.

Why do all ISPs suck? We’d happily pay more for a simple, competant install. Which is, if you think about it, sad.

It’s been about a year since we first fired up the (then-beta) World of Warcraft. We believe this is the first time we’ve ever played a game this long, especially with no signs of stopping soon. Neat.

BoingBoing points us to Set, a geektastic card game we really must try, but perhaps with a drinking rule component added.

NASA’s got a couple of great animations showing the development and path of every named storm this year (Arlene through Wilma).

The big ol’ pile of well-wishing comments on the last post reminded us we needed to fix something in the code so that said comments are actually legible.

Oh yes: we’re home.

What is that in the picture at right? Proper names only, please.

This post is HARD geeky, but I’m putting it out there for Googlejuice reasons.

Recently, some code over at Spacetaker stopped working, and I couldn’t figure out why. The salient bit of code is this:

  my $req = $m->make_subrequest( comp => '/httpdocs/newsletter.html',
                                 args => [ id => $ff->{id}, fridayfotoflag => 't' ],
                                 out_method => \$newsletter,
                                 autoflush => 0 );

  $req->exec;

  my $mail = MIME::Lite->new( From => $sender,
                              To => $where{$ARGS{do}},
                              Subject => "FridayFoto for $ff->{week}",
                              Type => "text/html",
                              Data => $newsletter);

  $mail->send('smtp', $server, Timeout => 60, Debut => 1);
  
  $m->out(qq{Success!
      Newsletter "$ff->{title}" for the week of $ff->{week} has 
      been sent to $where{$ARGS{do}}.);

Ideally, this assembles the newsletter itself with the $m->make_subrequest call, and then mails it with the calls to MIME::Lite to whomever it appropriate. It then went on to display a success message noting to whom the the mail (a weekly newsletter) had been sent. All good, right?

Well, no. All of a sudden (see below), the page in question would churn and churn and churn, but never actually load. The problem was clearly NOT the MIME::Lite calls, as (a) they continued to do their job even as the page churned and (b) the page churned endlessly even with those lines commented out. Under no circumstances did the text in the $m->out call get shown, but debugging output to STDERR would show up pretty much all the way through.

I consulted my MasonGuru for help, and we finally sat down to chase it this morning. Step one was upgrading Mason; I was a version or so behind. After upgrading from 1.28 to 1.3101, we started getting errors instead of silent failures, which is definitely a step in the right direction. Turns out, the subrequest call was failing (silently under 1.28, but with an error under 1.3101) for no apparent reason. Much Googling finally pointed out the issue, which we found referenced here and detailed here. For posterity, I’ll reproduce it:

There is a known problem in MasonX::Request::WithApacheSession 0.30, which is the most current release. Subrequests may work once, but after that they fail in a sort of endless loop condition for reasons I don’t understand.

To make this work, do this:

From: Derek Poon  OCF.Berkeley.EDU>
Subject: MasonX::Request::WithApacheSession 0.30 bug: subrequests
Newsgroups: gmane.comp.web.mason.devel
Date: 2005-07-10 02:03:23 GMT (12 weeks, 3 days, 12 hours and 14 minutes ago)

Hi,

There is a bug in MasonX::Request::WithApacheSession 0.30 that causes  
an error when executing subrequests.

I have this in my httpd.conf:

PerlSetVar MasonRequestClass MasonX::Request::WithApacheSession

When running  $m->subexec(...)  in Mason, I get this error in the  
browser:

error:
Can't call method "exec" on an undefined value at [...]/HTML/Mason/ 
Request.pm line 538,  line 2.

Trace begun at [...]/HTML/Mason/Exceptions.pm line 128
HTML::Mason::Exceptions::rethrow_exception('Can\'t call method "exec"  
on an undefined value at [...]/HTML/Mason/Request.pm line 538,   
line 2.^J') called at [...]/HTML/Mason/Request.pm line 538
HTML::Mason::Request::subexec([...]) called at [...]/autohandler line 58
[...]

Here's the fix:

--- MasonX-Request-WithApacheSession-0.30/lib/MasonX/Request/ 
WithApacheSession.pm.subrequest    2004-03-19 23:27:55.000000000 +0100
+++ MasonX-Request-WithApacheSession-0.30/lib/MasonX/Request/ 
WithApacheSession.pm       2005-07-10 03:52:35.000000000 +0200
     -74,7 +74,7     
      my $self = $class->SUPER::new(  _);
-    return if $self->is_subrequest;
+    return $self if $self->is_subrequest;
      # backwards compatibility
      $self->{session_param_name} =

For the unitiated, this means:

1. Find the Perl module named WithApacheSession.pm, which will be in a directory called MasonX/Request/ that is contained in one of the directories listed when you do a perl -V from your server’s command line. On my OS X server, it’s
   /Library/Perl/5.8.1/MasonX/Request/WithApacheSession.pm
2. Locate the line “return if $self->is_subrequest;“, which should be around/about 74.
3. Change it to “return $self if $self->is_subrequest;“
4. Stop and Start Apache (not a restart; do a full stop and start).
5. Bob’s your uncle.

The reason this mysteriously started breaking was that I installed the module in question to support sessions, and it steps in to handle all subrequests, causing the problem to occur in non-session-related code.

Replacing the rear brake rotors on a 1995 Porsche is much simpler than we expected, particularly when you have a good buddy with intimate knowledge of such things, but it is nevertheless kind of unpleasant when it’s 100 degrees outside; and

Bad nameservers in /etc/resolv.conf will prevent incoming SSH connections under BSD-derived *nices. Ergo, if your BSD-derived *nix server is hosted by boobs who take the rest of the colo down at the first sign of hurricanes — including their nameservers — you can expect all attempts to SSH thereto to fail. However, if your BSD-derived *nix server is one of these, you can fix this via this tool by adding some valid, non-boob-managed nameservers to /etc/resolv.conf.

This certainly cannot be original to me, but I keep quoting it to people anyway. It’s particularly apt in the wake of Katrina, and with Rita bound for Texas:

Measure your backups in spindles and timezones.

If that doesn’t make sense to you, think on it until enlightenment comes. (Or ask a geek.)

The fantasy/medieval-themed MMORPG known as World of Warcraft is the most popular such game ever for good reason. It’s friendly to the casual player as well as the hardcore, and breaks new ground in terms of how immersive and detailed the virtual world can be. Now publisher Blizzard has (deliberately or inadvertantly) introduced another staple of medieval life: a communicable plague (all errors in the original; [comments added] for clarity:

Heres the skinny: Blizzard adds in a new instance [Ed.: special dungeon zone], Zul’Gurub. Inside is the god of blood, Hakkar. Well, when you fight him he has a debuff [magical curse] called Corrputed Blood. It does like 250-350 damage to palyers and affects nearby players. The amazing thing is SOME PLAYERS have brought this disease (and it is a disease) back to the towns, outside of the instance. It starts spreading amongst the genral population including npcs [non-player characters, such as shopkeepers, trainers, quest givers, etc], who can out generate the damage [meaning the NPC doesn’t die, but does continue to spread the plague via proximity]. Some servers have gotten so bad that you can’t go into the major cities without getting the plague (and anyone less than like level 50 nearly immediately die). [WoW only goes to level 60] GM’s even tried quarantining players in certain areas, but the players kept escaping the quarentine and infect other players. ShackNews forums

The official forums have word of it as well. It seems likely they meant at least some of this to happen, but it’s clearly gotten out of hand on some servers (8MB Windows Media with poorly written text).

(via MeFi)

JWZ points us to this discussion of monotremes. Monotremes are a sort of pre-mammal; they’re weirder even than marsupials. One species, for example, is poisonous. Both — there are only two — lay eggs, whereas live birth is the rule for true mammals. It gets freakier:

The platypus is one of two surviving types of creature called monotremes, which, in case you were unaware, are kind of marsupials plus, or maybe minus. They have fur, and some of them sometimes have pouches in which their young develop, but they also lay eggs and have bills, sort of like birds, and in the case of male platypuses poisonous ankles also. They also have teeth, but only when young. The platypus is the famous monotreme; less well known for some reason (though even weirder in my opinion) is the echidna, also known more descriptively as the spiny anteater. Together, they are the only surviving examples of the oldest mammals ever to exist. Echidnas and platypuses, as well as several extinct species of monotreme, shared the Earth with the dinosaurs. Monotremes are really weird. Everything about them seems to have been thought up past some kind of deadline. Take the method by which they reproduce: after mating, the female lays an egg (echidna) or two (platypus). Then she carries them around until they hatch. Monotremes are mammalian, even if what they have is a kind of free demo version of mammalianism without the really useful features like live birth, so they lactate. But they have no nipples. The milk just leaks right out of glands in their skin, and the baby monotreme laps it up with sweeps of its tiny bill. (A baby echidna is called a puggle. There is no official name for a baby platypus, though “platypup” has been suggested.) The platypus doesn’t even have a pouch, so after the eggs hatch — after the female has incubated them by pressing them to her belly with her tail — the babies must lap up these rivulets of milk while clinging to her fur for dear life. Not that having a pouch simplifies the process any. The echidna (which comes in three varieties, short-beaked, long-beaked, and cyclops long-beaked) doesn’t usually have a pouch but grows one as necessary. After mating there is a gestation period of about three weeks, and then the female lies down on her back, doubles over, and lays her egg right into her own temporary pouch. After a while the egg hatches in the pouch. And echidnas are covered with aggressive spines, which adds a new wrinkle, as the mother cannot carry her puggle once these start to develop. So she buries it. (Echidnas are good diggers; if you startle one it will sink as if by magic into the ground until only its spines are exposed. In this position it is all but unassailable.) Alternately, she hides it under a bush. Every five to ten days she unburies it and lets it nurse for a while before burying it again. Keep in mind that the puggle, like a joey, is still somewhat fetal while this is going on. It’s a half-fetus half-baby thing buried in the dirt. The echidna is therefore “born” three times — once as an egg, once when the egg hatches, and once when the puggle is evicted from the pouch and hidden by its mother. It’s a good thing placentalism came along, or we’d all have to go through something like this. Echidna mating is mysterious and primordial. It is also rarely observed, but the following seem to be the basics. It begins when the female goes into estrus. Males, usually three or four of them, but sometimes as many as eleven, start following her around in a long single-file line called an “echidna train” (or even “echidna love train”). It seems very civilized, though it can go on for as long as six weeks, during which time the otherwise solitary animals eat and sleep in each other’s company, and the males nip the female’s tail, which seems to be a kind of foreplay. Eventually the female echidna climbs partway up a tree, or buries part of herself in the dirt, leaving the males to walk around and around her until they have created a circular rut in the ground. (Sometimes there’s only one male, in which case, nothing daunted, he kind of walks back and forth by himself until he has created a little ditch.) Then they engage in a shoving contest. The males that get shoved out of the ditch acknowledge defeat and leave peacefully until only one, the best shover, is left. He gets to mate with the female — very carefully, because they are both covered with spines. (Understandably, echidnas do it face to face, so don’t listen to anyone who tells you that this is a uniquely human behavior.) The male’s four-headed penis, which he does not use to urinate, emerges only during the act of mating; the rest of the time he is indistinguishable from a female echidna, as his testicles are also inside his body. Basically what I’m trying to say is HOLY CRAP MONOTREMES ARE WEIRD WHY DO THEY EVEN EXIST. Also that I really admire them, these life-forms that seem to be built out of spare parts, that refuse to be daunted by the convoluted systems they must use to propagate themselves, that seem as if by rights they really ought to have died out millions of years ago but haven’t. Life just won’t give up! Life has webbed feet, a bill, a pouch that comes and goes, waterproof fur, spines, poisonous ankles — whatever it takes.

As the saying goes (and the first commenter to JWZ’s entry reminds us), “The universe is not only queerer than we suppose, but queerer than we can suppose” (JBS Haldane). I mean, come ON: poisonous ankles and a four-headed penis?

Go watch this.

N.B. the new tagline under the page title, which will be updated every night with a running total of posts.

In this NYT story (local PDF link) on the online gaming market, they discuss in some detail how subscriber growth has exploded in the last couple years — not so long ago, for example, half a million Everquest users was a huge number, but now World of Warcraft boasts better than twice that (come say hi; Heathen play on Silver Hand).

At the end of the article, though, after all the commentary about how the market has trended upward for years, and about how online gaming has gotten better and more accessible to the casual player, they quote a clueless analyst:

“I don’t think there are four million people in the world who really want to play online games every month,” said Michael Pachter, a research analyst for Wedbush Morgan, a securities firm. “World of Warcraft is such an exception. I frankly think it’s the buzz factor, and eventually it will come back to the mean, maybe a million subscribers.” “It may continue to grow in China,” Mr. Pachter added, “but not in Europe or the U.S. We don’t need the imaginary outlet to feel a sense of accomplishment here. It just doesn’t work in the U.S. It just doesn’t make any sense.”

No, Mr Pachter, there’s no reason anyone will ever want to hear actors talk. And we’re sure you can forsee a time when every town might have a telephone, too.

I just got a renewal notice for Nogators.com from Register.com, Verisign’s domain registrar.

“Hrm,” I thought, “I was sure I transferred that to GoDaddy last year!” So I checked. And I did. Register.com has no hold on that domain, as they are no longer the registrar for it, and haven’t been since October of 2004. It would therefore be useless for me to renew the domain with Register.com — except, of course, to Register, who would get my payment in exchange for nothing. Furthermore, it’s trivial to discover who the registrar is for any given domain — it has to be for the Internet to function correctly. Ergo, there are two possible conclusions we may draw from this:

• Possibility A: Verisign knows they don’t have the domain anymore, but elected to send out the renewal notice anyway just in case doing so would extract additional funds from me without having to provide any service in return; or
• Possibility B: Verisign do not realize they no longer have this domain, and consequently are demonstrably so out of touch as to call into question why any educated consumer might want to do business with them.

Either way: Charming.

It’s a movie made from the pictures Mercury Messenger sent back when doing a flyby, i.e., it’s totally real.

Dance Dance Immolation.

Absolutely brilliant and accurate, via Ms LeMay.

“Mother of FUCK I am editing goddamn ZPL in a fucking .java file in fer-crissakes EMACS running in a cocksucking TERMINAL window. Somebody get me some motherfucking WHISKEY.”

No, not that kind.

Since last year, we Heathen have joined a cult. Not the Atkins one, or its reform cousin, South Beach — though in truth we experimented with SB for a while — but a wholly different, far more geeky cult: the First Church of the Cerulean Bicuspid.

Like most technology people, we’re heavy cellphone users. (My bills in 1997 alone would have purchased a nice used car, but fortunately they were (a) paid by the company and (b) reduced by an order of magnitude by the adoption of digital service.) Also unsurprising is our preference for the “earbud” hands-free device sold with every decent phone since about the time the average phone became impossible to hold on one’s shoulder. The only real problems with these things were (a) sound quality (they sucked) and (b) how tangled the damned cable got in your briefcase or pocket when you weren’t using it.

Late last year, though, we took the plunge and picked up our first Bluetooth headset, a Logitech. We carefully selected it using a matrix of features, functions, and value. Actually, that’s a damned lie: we bought it because it was the only one they had at Fry’s in an unopened box. It worked okay with the Sony/Ericsson phone we had then, and then worked much better with the Blackberry 7290 we tried before ultimately adopting a Treo 650, where it also worked quite well. Sound quality exceeded the cheapier wired models, and the tangled cord was a thing of the past! Score!

Except, well, the Logitech made us look like Garth Brooks without the hat. Its boom-mic style made for great voice quality, but also served as a critical flaw. See, most of these things are simple, with no moving parts aside from the ear loop. The boom mic, on the other hand, made the Logitech much larger (strike one) and easier to break (strike two) — which is precisely what happened during a trade show in Chicago in April. We reached into our bag for it, and found it in two pieces. Ooops. Lifespan: 6 months, or about $13 a month.

Next up was a Motorola HS820. Everyone had a Motorola, it seems, so we felt pretty good about the choice. It’s compact — it easily rides in a shirt pocket — has no moving parts, and kept us from looking like Garth. On the other hand, the sound quality wasn’t quite as good (mostly, it was too quiet), and it never seemed particularly happy working with the Treo. Periodically, it would fail to answer a call, and we’d have to cycle Bluetooth on and off on the Treo, or power cycle the headset, in order to make it play nice again. Then this started happening a lot, and the battery life started sucking, and last week we only narrowly escaped throwing it out the window of the car on I-45. Lifespan: 4 months, or about $20 a month.

This time, we’re going with the actual Palm-branded Treo headset. It’s roughly the same form factor as the Motorola, so we’re still safe from Brooks-ism. On the plus side, it also uses the same charger as the phone, which will be nice when travelling. On the down side, it’s still charging as we type this, so we won’t know how well it works for about an hour or so. We’re hoping for more than half a year of use, though. This is getting expensive.

We had no idea until JUST NOW that you can’t use a CNAME as an authoritative name server; it’s totally got to be an A record.

One of the remarkable things about this study is the fact that the children did not find it at all surprising that a machine could miniaturize objects. Or that it might need privacy to do so.

From this article on toddler cognitive development that’s actually quite interesting. Via MeFi.

So, as we’ve seen, sometimes invertebrates eat vertebrates. This prepares us somewhat, then, for another such case: bugs eating birds. (Photo via link, at Bird Watcher’s Digest. Found on several places this morning.)

Sort of a companion piece to the top-ten-tech thing, CNet gives us their picks for the Top Ten dot-com flops. Ah, those were the days.

So, this aquarium moved a large octopus into a bigger tank, assuming that its strength and stealth would keep it safe from the other critters in the new environment — a population that included sharks in the 3 to 4 foot range.

Something weird happened. They kept discovering shark carcasses at the tank bottom each morning, so they stayed up to see what happened (link to embedded RealVideo at PBS). As it happens, the shark turns out not to be the indisputed food chain king in this particular tank. (Link via MeFi.)

Spot on, particularly number 10, but not for the reasons they cite. It’s only with the Treo that Palm devices approach the intelligence of the Newton 10 years ago, and even now they fall short of some of its abilities. Of course, the market moved toward “small and cheap” and away from “big and expensive,” and Steve wasn’t about to keep a Sculley product around, but the Newt was (and is) seamless and friendly in a way that Palms still aren’t.

OS X is making significant inroads in corporate America. Sure, the hardware costs a little more, but how valuable is stability? How valuable is total immunity to Outlook viruses? How valuable is just-plain-better platform security?