The End of Days

Throughout the ages, people have forecasted the end of days in various ways. In some distant corners of the globe, oracles smoked opium and foretold of the end of the world. Contemporary scholars counted the number of letters in the Bible and divined when the world would cease to exist. They’ve all been wrong.

If my weather station is to be trusted, though, we’re in big trouble after Tuesday:

Mini-Review: pfSense

I’ve posted before about how I got sick of how much our Linksys router (for our home cable modem) stunk, so I ended up taking an old machine with dual NICs and building an OpenBSD firewall. It worked pretty well, but had a few flaws. Perhaps the biggest is something that’s not technically a flaw: it was a royal pain to configure. I don’t think ease of use was ever (or should ever be?) a design consideration with OpenBSD, but it was sufficiently painful to get it running, and sufficiently complex that I never quite had the amazing ruleset I wanted. Another problem was that it was, at times, too archaically strict. A “default deny” policy is, hands-down, the best way to do things, but ours never spoke the silly little LAN protocols like UPnP, which allow applications (e.g., direct file transfers over AIM) to request a port be opened and temporarily forwarded. Some would argue this is insecure, and, on some level, I’d agree. On the other hand, it was enough of a pain that it became tempting to poke holes all over the place so that these things worked. Plus it was just old: when OpenBSD 4.5 came out, I decided it was time for our OpenBSD 4.2 machine to see some changes, and a simple upgrade wasn’t going to cut it.

I downloaded the pfSense 1.2.3-RC1 beta. I think pfSense has a lot in common with why I love MacOS X so much: it’s a really slick user interface, super-easy-to-use, and yet it sits in front of what’s arguably one of the most rock-solid, full-featured platforms. pfSense is based on FreeBSD, which, while arguably not as “paranoidly” secure as OpenBSD, is still plenty solid and a little more mainstream.

So I said I’d give a mini-review. The installation was terrible. I think I drew the short straw here, as most people don’t seem to complain about the miserable experience I had. The installer was meant to be quick and helpful, but it auto-detected information about the cylinders, heads, and sectors of my hard drive and told me that the information was wrong and that the system wouldn’t boot. After a brief, “Are you serious? Is this 1994?” exchange with the computer, I let FreeBSD use the random values it wanted, and the install continued. Until fdisk blew up with an error that you can’t have 255 sectors; 63 is the max. So then use what the hard drive reported in the first place, which was 63? Oh, right, that won’t boot. After several rounds of this, I ended up just making up numbers to appease the process, and my 60GB hard drive has about 13GB of space visible to the operating system, with the rest vanishing due to the information being completely wrong. 13GB is enormous for a firewall anyway; pfSense can be installed on an SD/CF card.

It also includes a handy auto-detect tool, where you plug in your LAN and WAN and it will set them up. This was problematic for me, since I wanted to set the thing up by hand and then drop it in place. You can set it up manually, which I ended up doing, but I first tried the auto-detect, letting it think our “WAN” was my Ethernet drop, and my “LAN” was a crossover cable to my laptop. This never really worked; it wouldn’t detect a link on the NIC even though the NIC showed that the link was up. So I set the things manually and all was well. This, too, seems fairly atypical, and may have to do with the fact that we’re running two who-knows-what budget NICs.

After the hellish introduction to FreeBSD, though, pfSense suddenly became pleasurable. Almost as soon as it was installed, it was routing LAN over the WAN via NAT. I didn’t have to add rules to pf to make it do this manually. I hurriedly tried to figure out how to add a default deny policy, only to find out that this, too, was the default. It pretty much does what I wanted out of the box, and it does it well. I set up QoS-based packet queues, so that BitTorrent can’t take up more than 2 Mbps down and 1 Mbps up, and so that ssh and Remote Desktop (along with some other latency-sensitive stuff, e.g. IRC) get priority queueing. This took extensive research under OpenBSD and still didn’t ever seem to work right. I had a neat little wizard on pfSense that a 4th grader could have used. It creates “real” pf rules that I can go edit if I wanted to, except that I don’t have any reason to backend it because it just works as it should.
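As an added illustration (not pfSense’s generated ruleset, and not from the original post), here is the kind of pf.conf that the QoS setup above amounts to: default deny, NAT, BitTorrent capped at 1 Mbps up and 2 Mbps down, and ssh, Remote Desktop and IRC in a high-priority queue. The interface names, the 5 Mb uplink and 100 Mb LAN figures, the BitTorrent port range and the client address are assumptions.

```pf
# Assumed interface names and addresses (not from the page).
wan = "fxp0"
lan = "fxp1"
bt_client = "192.168.1.10"
bt_ports  = "6881:6889"             # assumed listen range; port-based matching is approximate
prio_ports = "{ 22, 3389, 6667 }"   # ssh, Remote Desktop, IRC

# Upload shaping on the WAN side. q_bt has no "borrow", so it is hard-capped at 1 Mb;
# q_pri gets the highest CBQ priority (7); q_std is the default queue.
altq on $wan cbq bandwidth 5Mb queue { q_pri, q_std, q_bt }
queue q_pri on $wan bandwidth 20% priority 7 cbq(borrow)
queue q_std on $wan bandwidth 60% cbq(default borrow)
queue q_bt  on $wan bandwidth 1Mb cbq

# Download shaping happens where packets leave toward the clients, i.e. on the LAN
# interface. The queue names are the same so a state's queue tag applies in both
# directions; here BitTorrent is capped at 2 Mb.
altq on $lan cbq bandwidth 100Mb queue { q_pri, q_std, q_bt }
queue q_pri on $lan bandwidth 20% priority 7 cbq(borrow)
queue q_std on $lan bandwidth 60% cbq(default borrow)
queue q_bt  on $lan bandwidth 2Mb cbq

# NAT for the LAN, and a single port forward for the BitTorrent client.
nat on $wan from $lan:network to any -> ($wan)
rdr on $wan proto tcp to ($wan) port $bt_ports -> $bt_client

# Default deny, logged, as the review notes pfSense already does out of the box.
block log all
pass quick on lo0

# The queue is assigned on the rule that creates the state, so it goes on the
# LAN-side "pass in" rules rather than on the WAN-side "pass out".
pass in on $lan proto tcp from $lan:network to any port $bt_ports keep state queue q_bt
pass in on $lan proto tcp from $lan:network to any port $prio_ports keep state queue q_pri
pass in on $lan from $lan:network to any keep state queue q_std

# Inbound peer connections hit the forwarded port and share the BitTorrent cap.
pass in on $wan proto tcp to $bt_client port $bt_ports keep state queue q_bt

# Traffic originating from the firewall itself (DNS, NTP, updates).
pass out on $wan keep state queue q_std
```

Classifying by port only catches well-behaved clients; a peer on a random port lands in q_std, which is why the wizard's rules are a starting point rather than a guarantee.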

It also does all sorts of graphs, including RRDTool graphs of things like CPU load, but also traffic (kbps/Mbps) both ways per link, latency and packet loss (not entirely sure yet what the latency is to?), packets per second, and the breakdown of traffic in each of the queues. They went the extra mile and have a streaming graph drawn in-browser via Adobe SVG showing real-time bandwidth usage. I’d like a feature that tracked monthly (per calendar-month) bandwidth usage, but the month-wide bandwidth graphs do keep a running total. (And we’ve apparently downloaded 13GB since I set this up over the weekend???)

Port forwarding is dead-simple. It’s actually problematic, because I tried to make it hard going through the firewall setup, but it turns out that I just need to click “Port Forward” and plug in the details. Setting up real firewall rules is done via a pretty easy wizard, too.

The machine is being vastly underutilized. I’m not running a VPN server, though I have multiple options if I want to. I’m not using it as a proxy server (with a transparent proxy server being an option), much less one that scans incoming content for viruses and aborts the transfer of anything malicious.

In short: if you can get past the awful FreeBSD installation (which doesn’t seem to happen to everyone?), pfSense is pretty awesome, and turns an old dual-NIC PC into an enterprise-grade firewall/router/gateway. It’s designed for lower-end or embedded machines, too!


One of the tricky issues in terms of political correctness has been discrimination and when things aren’t discrimination. There was a student group called “Black United Body” at my college, definitely not racist. But if someone had started its logical complement, “Whites United,” it would have seemed horrifyingly racist.

After a bit of banter, I came to the conclusion that “discrimination” in its non-loaded definition (grouping people into buckets, with no hint of prejudice or value judgment) is generally considered okay when it’s “pro-something” (e.g., a “pro-African-American” group), and generally not okay when it’s anti-something (e.g., anti-gay).

A bit of a wrinkle is that a “pro-something” when that something has a sizable majority or innate perceived advantage can be construed as anti-something-else: a group to celebrate the culture of white people is not offensive in and of itself, but it seems to conspicuously exclude an oft-belittled minority, so pro-white comes across as anti-black, whereas a pro-black group may not have anti-white sentiments. I think this is kind of like how the SEC has rules that only kick in when you control an overwhelming majority of your industry: Alcoa and Microsoft have run into trouble, whereas if I forced you to buy a brownie if you wanted lemonade at my lemonade stand, the law isn’t applicable. Microsoft bundling IE was considered to unfairly shut out Netscape, but me forcing brownies with lemonade doesn’t really shut anyone out, since no one would come to my lemonade stand anyway. Thus Caucasians, heterosexuals, and males have some “near-monopoly” special rules, and “monopoly” isn’t always clear. (Men and women are equal in percentage, yet a movement for women’s rights is a good cause, while a movement for men’s rights is nonsensical.)

Let’s say I start a company with some legitimate reason to consider religion. Let’s call it a Muslim dating site. All’s well and good. After a while, we say that only Muslims can sign up on our site for Muslims. Fair and not discriminatory, even if you say it as “all non-Muslims are banned.” It’s pro-Muslim, not anti-non-Muslim. But now say that the Muslim site decides to welcome their Christian and Hindu brethren, and just changes the rule to “No Jews allowed.” Suddenly, it’s shockingly offensive, because it’s gone from pro-Muslim to anti-Judaism.

A gay dating site makes sense, but a whites-only dating site would not. A lesbian-only site that precluded gay men and heterosexuals is okay, because you’re not anti-gay-male, but pro-lesbian. Pro-British is okay, because it leaves non-British, a giant category, whereas pro-white excludes only racial minorities. It’s about ensuring that the only group not included in your “pro-something” doesn’t happen to be a minority. Pro-female is okay, but pro-male may get into murky waters… In some cases, at least. A clothing store for men isn’t anti-female, but a male-only supermarket is suspect, since it appears to arbitrarily exclude females. (Plus it makes no sense, but you get the idea.)

I’m curious if this theory holds up. Some things around this sort of topic are controversial (consider gay rights or affirmative action), but I think there’s a lot of “I’ll know it when I see it,” so I like the idea of reducing it to two rules of thumb that seem to cover most situations. But does it work?

Technologies I Hate

When you’ve been a computer geek for a long time, you get to a point where you feel comfortable rushing to conclusions about technologies. The thing that fascinates me is that the majority of people I speak with hold the same prejudices. Even more curious, the more I’m forced to learn about the technologies, the more I realize how accurate my initial snap judgment was.

Java is the prime example. Without knowing a lot, I formed the impression that it wasn’t well-suited for small applications, both because everything was treated like it was a giant enterprise project, and because it gobbled up RAM like a crack addict. As I entered the world of professional web development, I’ve found that a lot of my peers hate it more than I do.

I hate Perl for the same reason. It was actually among the first “real” languages I learned. If you know it, it’s handy. But if you kind of knew it a few years ago, it’s a GIANT pain to work with. My prejudiced opinion? Perl is intentionally obfuscated and confusing to write, and the people who know Perl well take pride in writing enigmatic code. A Perl script by a veteran developer has more symbols than comprehensible phrases, and it has a lot of variables (like $_) that are used all over the place for all sorts of things.

JavaScript is another. Part of why I hate it is because it’s vaguely like Java, which is a bad start. But it’s more a two-fold thing: the stuff that can be done easily is really obnoxious (open a window and move it around my screen, or pop up multiple alert boxes). The stuff that’s useful always seems unreasonably different and counter-intuitive. I may hate it less as I get better at it, but as it is, I’m yet to work with it and not get a headache trying to figure out why the simplest thing that 4936 tutorials all mention doesn’t actually work.

XML. I like the concept. In reality, it’s extremely bloated, extremely dense, and rarely lends itself to being something I can sit down and understand as a schema. There are much more “readable” technologies. That said, XML does win points over the “some format I dreamt up while I was high that turns out to not even be consistent” configuration schema that some utilities used to be infamous for.

JPG. It’s good for photographs. If you’re not using it for a photograph, you probably shouldn’t be using it. If you have (rasterized) ‘vector’ graphics or text, use a PNG unless you like your stuff looking really crappy.

BMP. Seriously, I have never, ever seen a good use for it. It’s usually ridiculously bad graphics done in MS Paint, which shouldn’t even be saved, much less saved in a format that defines the values for every pixel sans compression. The good news is that it could be worse: a Java application that saves each pixel’s value as an entry in an XML file.

GIF. If you need transparency, use a PNG. If you need animation… Please reconsider using animation. 😉 And if you don’t need animation, there’s no reason to use a GIF.

Java applets, Silverlight, and proprietary codecs. Here’s the thing: your Java applet gives me some cool functionality, your Silverlight app is really neat, and your Ogg audio stream with weird compression sounds better and is more efficient. But you see, you’re probably not important enough to me that I’d be willing to take the time to install something special for your silly site. If you make a five-figure hardware device with a web GUI that requires I install a Java applet that’s slow and prone to crashing, you’ve got me! But Brocade, you should know that I curse under my breath when I click “Install,” and that I have dreams about redoing our architecture with iSCSI over commodity Ethernet. Never mind that your equipment is rock-solid and probably vastly superior. The Java applet is the only time I “use” your equipment, and it’s like pulling teeth.

SNMP. I’m a stats freak. We must graph 500 stats at work. It’s an integral part of any IT monitoring setup. But it’s one of those technologies that never works as it should. I try to monitor something simple and it just doesn’t work. I do an snmpwalk and get literally thousands of lines back. And MIBs, meant to give SNMP pretty names, somehow make managing SNMP an even bigger headache.

IPv6. Here’s the thing: I used to be a big fan of the idea. But now it’s just useless crap that networks try to set up, and it gets in the way. I need to change my mind on this, but it’d be a lot easier if I knew a single person that actually uses IPv6.

Twitter. I use it. It’s neat. But I mention it to a non-user, who invariably replies, “I just don’t GET Twitter.” And I’m forced to admit that I don’t. It takes information I don’t care about and assaults me with it all day long. And that’s really the best description of Twitter I’ve ever heard.

Captcha. A good technology, but for two things. The first is that spammers have been able to defeat it for quite some time. The second is that captchas are getting to the point that I can’t figure out what the heck they’re supposed to say. It’s like a Rorschach test.

Usenet. I experimented with it a while back. It’s nothing but viruses pretending to be warez and lots and lots of spam. It may have been great once, but these days it’s a festering wasteland accessible over the equivalent of Gopher.

Strict validation. It’s good to write syntactically valid HTML and CSS. I don’t mean to imply that I should be able to cobble out utter garbage and act offended when a validator complains. But when I look at a well-formed page that works well in all browsers, and see that it has over a thousand validation errors, I can’t help but reach the conclusion that getting truly valid HTML is literally impossible.

Bad errors. Don’t tell me that error 7604 happened. Don’t tell me that my 2,000-line controller can’t be used because of an unexpected kEND. Tell me what’s wrong, where, and what I can do to fix it. And Java, giving me a stack trace and hundreds of debug lines doesn’t make up for the fact that errors always fail to convey what actually went wrong.

Calendar standards. We have more calendar standards than I can name. And I haven’t met anyone who’s achieved “calendar zen.” I can sync my desktop app to Exchange (kind of), and my iPhone to Google Calendar, but what if I want to use my work calendar and my personal calendar together, and treat them like they’re one? I’ve looked at dozens of solutions, and not a single one really supports having read-write-modify access to multiple calendars in multiple places. Lots kind of do it, but have gotchas that render them useless. Stop inventing new calendar standards, please. No, seriously. Just make yours work with theirs.

Hybrids in Transit

I know a few people who drive hybrids, and who’ve been quite happy with them. It’s less of a big deal today than it was a year or so ago when gas cost twice what it does now, but I’ve estimated that I spend $10 a day in gas on my commute, so I’m still pretty sensitive to gas mileage. (Doubling my mileage, from 20 to 40 mpg, would save me $5 a day, or $100/month.)

True or not, there’s a perception that hybrids are a new, untested technology, and thus a fear that they might not last long. I’ve noticed a few taxis in Boston that are hybrids, which is probably the ideal use case, since they’re on the road all the time. And now there’s this article about a California taxi fleet that’s starting to have hybrids hit 300,000 miles. (That number alone is impressive?) They mention that they’ve had to replace two hybrid batteries: one was “operator error” (which raises more questions than it answers), and the other was under warranty… This is out of a fleet of almost 200. They also mention that, because of the way the braking works, the brakes tend to last about three times longer than on non-hybrids. (Which means that I’d have surprise thousand-dollar brake jobs one-third as often!)

The durability is really reassuring, and the savings are impressive: assuming gas was an average of $1.75/gallon over the 300,000-mile life of some of these hybrids, and that a hybrid doubles the mileage of a non-hybrid, I’m calculating that they’ve saved $262,500 in gasoline costs per hybrid. That probably offsets the $5-10,000 extra upfront cost. Though for me, about $27,000 for a Camry Hybrid is still a bit too much….

SC AG Threatens Craigslist

One giant pet peeve of mine is when Internet news sources mention things happening online and yet never provide any links. So here’s a link-rich summary:

Anyone who’s really explored Craigslist knows that it sometimes has a seedy underbelly. There are sometimes-flagrant ads for prostitutes, and sometimes-flagrant posts about people in the marijuana market. Craigslist seems to do the best it can in taking down egregious violations, but it’s not capable of having a human review every post. The Philip Markoff case surely brought this to a head, and Craigslist made some changes, like changing its “Adult Services” category to be more heavily-moderated.

South Carolina’s Attorney General, Henry McMaster, has been grandstanding by threatening to hold Craigslist criminally liable for the illicit postings on the site. (McMaster just so happens to be positioning himself for a gubernatorial race.)

Today, Craigslist’s CEO, Jim Buckmaster, fired back, pointing out that the charges are completely baseless, and that McMaster (the SC AG) himself praised Craigslist’s earlier policies on cracking down on illicit material. I’m not doing the post justice; it’s really a must-read for anyone interested, because it really hammers home the point.

iPhone Hacks

For a long time, I’ve known that the iPhone stores its text messages as a SQLite database. This matters a lot to me, because I have thousands of text messages, since our server monitoring pages me whenever anything fails, and a bad failure means hundreds of texts at once. It’s to the point where it feels slow loading them now.

In theory, this should be a simple query. In reality, the iPhone is locked down so that there’s no way to get to that file unless you jailbreak your iPhone.

Today, I had one of those days when I did a lot of stuff, and feel like I learned a lot, but I’m back where I started. This great post talks more about the SMS database and its table structure, from someone having the exact same problem I am. Unfortunately, they’ve jailbroken their iPhone, and I have not.

What I think might have potential is recovery mode. I’ve seen a few references to how recovery mode allows unfettered access to the iPhone’s filesystem. It’s pretty easy to enter recovery mode, but I got nowhere: Linux didn’t seem to want to find any filesystems. (Maybe the iPhone is HFS?) “lsusb” showed an Apple device, but that’s as far as I got.

The good news is that recovery mode is easy to exit out of. There are some people saying you need complicated programs to get out of it. Nonsense. Power the phone off, and then power it back on. Voilà.

So sadly, I can’t confirm whether or not recovery mode actually gives full filesystem access. I’m growing more and more tempted to jailbreak my iPhone, but I’m so dependent on it that I’m not sure I’m willing to take the risk.


I finally got Google Analytics working right. Some interesting stats:

  • Resolutions are all over the place, but 1024×768 is the most popular. 1920×1200 is in third place.
  • 84% of visits came from Firefox. IE picked up 13%, and Safari and Chrome duked it out for the remainder.
  • It’s not just me visiting. 63% Windows, 31% Mac, 6% Linux.
  • 71 visits, 26 unique visitors, 97 pageviews. This is simultaneously pathetic and pretty good.
  • Many of the views that aren’t to the main page are to old entries found via Google. Most were searches for technical things.

It hasn’t been collecting data for long, so it’ll be interesting to see if these trends persist.

Obama and Notre Dame

The news is making it sound like an overwhelming majority of people at Notre Dame oppose Obama coming to speak because of his pro-choice stance, which leaves me wondering why the college invited him in the first place, and why they haven’t canceled. If graduation is going to be marred by protesters, wouldn’t it be better to bring in a pro-life speaker, even if it’s not the President of the United States? And I’m entirely serious when I say it: why don’t they just cancel?

But this brings up another pet peeve of mine. For eight years, “pro-life” President Bush was in office, and even after appointing conservatives to the Supreme Court in what’s generally seen as a 5-4 conservative lead, and even after issuing sweeping Executive Orders giving himself powers his predecessors never had, abortion is still legal in America. So in terms of abortion in America, nothing is different with Obama than with Bush. I suspect the argument is probably more about attitude and the Presidents’ personal moral convictions, but I think that’s even worse: Bush thought abortion was murder and yet did nothing to stop it.

I usually try to stay out of the abortion debate, but right now it’s not making a whole lot of sense to me.

Resetting the Maintenance Light on Toyotas

I’ve probably said before that, if I were a politician, I’d make it illegal for car manufacturers to have a “Maintenance Required” light that comes on to “remind” you to take your car in for service when nothing’s wrong. I’d do that right after I ended the racket that is contact lenses needing prescriptions re-issued every year.

But if you drive a fairly recent Toyota, it seems that there’s a trick to reset the service monitor. With the ignition on, make sure the odometer is showing your total mileage (not a trip odometer). Turn the key off, push in the odometer reset button, and hold it in while turning the car back on. It should start by showing “—–“, and decrementing until it shows “-,” and then it’ll reset your maintenance reminder as if you’ve just had your car serviced.

I haven’t personally confirmed this (I drive an ’03, which was made before they started their racket), but I saw it mentioned and poked around, finding several other sites that corroborate this method. YMMV (no pun intended!), but I know plenty of people who find the light a major nuisance.

(You know what else is a racket? I decided to change my own oil instead of bringing the car in for its 75,000 mile tuneup, but in the course of figuring out how the heck I have to do it, I’ve seen that the oil filter is right under the exhaust manifold, and getting to that, or draining my oil, apparently requires undoing a billion screws underneath the car to remove the skid plate… And most places recommend jacking up the front of the car so you have enough room. It’s as if they went out of their way to make sure drivers couldn’t easily do maintenance on their own, so that you have to take it in for service. And if your car is newer than mine, they display their maintenance advertisement light to make sure you do.)

Edit: Just found another source suggesting that, for some newer Highlanders, you have to be on Trip A, not the overall odometer, for this to work. And it seems as if you can just turn the car to “Acc” or similar, rather than actually starting the engine.