Conference Bike

I just received what I guess is not a spam message about ConferenceBike. This is one of the strangest transportation-related things I’ve seen. Check out this QuickTime movie of people riding one around a park (you’d think it was actually the 1960’s).

salonify 0.82 released

The latest version of salonify allows the web user to download each entire photo album as a ZIP file; also has better error/sanity checking and reorganized documentation.

Boston Vignettes

My friend Susan just moved to Boston from the Left Coast and is gradually learning the ropes. She wrote these two vignettes about her first couple of days in the city—anyone planning on moving here should check these out. Having lived here for the past six years (and being born here), I’ve forgotten what it looks like to see our city with “new eyes”:

I went to get my car insurance. This took a long time. First, I got lost. Second, no one at the AAA office seemed to be in much of a rush, despite the fact that it was going on 4:30pm and they closed at 5pm. The insurance agent had the typical Boston pace of getting things done (other than driving) in which every act seems to require a kind of measured heaviness. It is as though official acts in Boston bear the weight of history and that history weighs heavily. When Mr. X saw that the car was a gift, he explained to me, in an offhand tone, that we were going to say that the car was a gift from my mother or my sister, not from my aunt, because did I see this gift form? Aunt is not one of the seven family member options. “So we say sistuh — yuh see?” Then he checked with his supervisor.

“Jean, this girl heuh, the car is a gift from her ant, so we should say muthuh or sistuh right?”

The woman spoke in rapidfire Bostonese. “Oh yeuh. Remember how much trouble we had with that udduh one? They won’t take it! It kept getting sent back. Say sistuh.”

He turned back to me at a measured pace. “Okay, we’ll say sistuh. I mean, as long as the age difference isn’t too much, it should be fine.”

Jean yelled from her desk: “Say muthuh! If you say muthuh, they NEVER question it! NEVER!”

He turned back to me. “Well, they don’t ceuh. It doesn’t matter.”

I was confused, as I listened to two insurance professionals loudly discuss how to violate insurance law. I mean, granted, Massachusetts seems to have an inordinate number of rules and regulations, but I assumed that was because people LIKED rules and regulations. This appears not to be the case.

I can’t remember whether this was to save me a substantial amount of money on sales tax (gifts are not supposed to be taxed) or a 25.00 filing fee, but it didn’t seem to matter. What mattered was discussing the rules at great length and then figuring out the best way around them.

I imagined being called up by some insurance commissioner who noticed the discrepancy between the Massachusetts form that said “Sister” and the California form that says “Aunt”. What would I say? That my aunt is like a sister to me? That my insurance agent told me to lie?


After talking to the realtor, I called my mom and had a distracted conversation while desperately trying to eat dinner at 7pm while also waiting for the bus. I took the 66 bus all the way to Roxbury Crossing and successfully managed to get off (it helped that the bus said loudly “Roxbury Crossing”. And that someone else had hit the yellow strip to stop the bus). As promised by www.mbta.com, Roxbury Crossing is on the Orange Line (read: subway) to Forest Hills.

I decided I should get a “combo pass” — good for bus, subway, and commuter trains, and that this would help me feel calmer about Boston. Although it was still unclear to me whether work would pay for the pass or just let me pay with pre-tax dollars, I decided it was worth the 71.00 to be able to go anywhere I wanted to without the annoyance of constantly getting lost. So, I asked at the booth. The guy told me they didn’t sell them at Roxbury Crossing, they only sold them at Back Bay.

Then he complimented my necklace and we talked about it for a bit and he then refused to sell me a token, but told me to put .50 in the disabled/retired slot and go through. He asked me if I was going there now to buy a pass, and I said no, but once I reached the platform, I thought, “Why not?” I’d already eaten dinner and it had to get done, so why not do it? He wouldn’t have asked me if the place wasn’t open, right?

This turned out to be very wrong indeed. He probably asked me because he knew, along with everyone else in Boston, that monthly passes are only sold on the first 10 days of the month. After the 10th, no one can buy a monthly pass, at any price. All monthly passes are returned to MBTA and are no longer in circulation. Also, you cannot buy an annual pass, or have a pass automatically sent to you each month. No, no, no — each month you must buy a pass within the first 10 days of the month.

Boston is a major American city, by the way, just in case you were wondering.

The monthly pass rule was explained to me at the Back Bay station commuter rail window after I had been bounced around twice. I just looked at the man in disbelief as I tried to hear him over the very loud loudspeakers echoing through Back Bay at 9pm at night.

Susan: But WHY can’t I buy a pass for September? I’m willing to pay for the whole month!

Man at Booth: We return them all, like I told you. Honey, I’d GIVE you a pass, but I don’t have one.

Susan: But WHY would they DO that? Are they afraid that too many people will ride the subway? Are there a limited number of seats?

Man at Booth:

Susan: Is there ANY KIND of a pass I could buy?

Man at Booth: Well, they have this weekly pass.

Susan: Okay, great! I’ll take one.

Man at Booth: But we don’t sell them here. Here.

Susan: Okay. Thank you very much.

I look at the paper about the weekly pass. It gives the hours they are sold. It informs me that passes for the current week are sold on Monday, Tuesday, and Wednesday. On Thursday and Friday, I can buy passes for the coming week, but no longer for the current week. The weekly pass is only sold at two stations — the two stations furthest away on the Red Line (ie, nowhere near where I ever need to go).

I throw the piece of paper away, give up, and take the Orange Line back to Forest Hills, where at least I know how to get home, and where Adam and Rachele can very patiently listen to me rant about Boston.

Sid Annoyances

A couple of annoyances that have appeared with recent upgrades—any suggestions? A quick scan of debian-user archives suggests others have similar problems but I haven’t seen a clear solution:

  • udev no longer creates CD-ROM symlinks. /proc/sys/dev/cdrom/info and /etc/udev/scripts/cdsymlinks.sh are in place, and everything appears to be configured properly, but it’s just not happening. Why aren’t they created under the default configuration?
  • NFS drives no longer automount at boot-up. I have no idea why this is happening—they mount fine manually. Any clues?

JP World’s Fair

Yesterday, Esther, Rachele, and I attended the Jamaica Plain World’s Fair. This is an annual street party in our former neighborhood (just a couple miles from where we live now). Lots of street vendors, live music, arts and crafts, and people dancing in the streets.

This Latin/African diaspora band, zili roots, was great:

You’ll notice that Turkey Hill, the provider of the cow, had a big presence at the festival. We also got a huge plate of Indian food from India Palace for $3:

Unfortunately, most of the food is obscured by the chappatis, but rest assured there was a lot of it. My daughter Esther slept through the whole thing:

Toward the end, I saw a dreadlocked Jamaican Rastafarian driving a big van who needed to get past a road block into the pedestrian area. A crew-cut Boston cop approached the van, and I was bracing myself for racial profiling and intense scrutiny. I was pleasantly surprised when the cop just waved the guy on after he indicated where he was headed.

This is what I like so much about Jamaica Plain—it’s as progressive as any of the more lefty areas of the country (Ann Arbor, Madison, Berkeley), but quite racially and socioeconomically diverse.

(By the way, if you’d like to see more photos of Esther, drop me a line—she has her own blog but I decided to keep it out of public scrutiny, at least until she’s old enough to decide for herself).

randomplay 0.47 released

I’ve released randomplay 0.47. randomplay is my command-line ‘itch a scratch’ music player. It is most useful for maintaining a random shuffle over many sessions—for example, I use it to make sure I don’t ever hear the same song in any three month period.

The new version announces the current track and artist using xosd, if you have it installed. See this screenshot to see the effect (see lower right hand corner).

ssh_login_blocker 0.2

If you’re using the ssh_login_blocker script I posted on Monday, please upgrade to the current version. I actually posted an old version by accident. The primary differences are that the current version works even when your auth.log file is rotated, and the “bad username” and “bad password” checks both reset after an arbitrary time period (by default 5 minutes). If you don’t have this “reset time” set, ten bad passwords over a week could lock you out.

Sorry for posting the wrong version before!

Hurricane Bits

A couple of bits on the hurricane disaster I want to highlight:

  • An Open Letter to the President published in the Times Picayune (you’ll have to scroll down a bit to reach the editorial):

    Dear Mr. President:

    We heard you loud and clear Friday when you visited our devastated city and the Gulf Coast and said, “What is not working, we’re going to make it right.”

    Please forgive us if we wait to see proof of your promise before believing you. But we have good reason for our skepticism.

    […]

    In a nationally televised interview Thursday night, he said his agency hadn’t known until that day that thousands of storm victims were stranded at the Ernest N. Morial Convention Center. He gave another nationally televised interview the next morning and said, “We’ve provided food to the people at the Convention Center so that they’ve gotten at least one, if not two meals, every single day.”

    Lies don’t get more bald-faced than that, Mr. President.

    (read the whole thing)

  • Two captioned photos on Yahoo! news — one showing a white person swimming through the flood, having “found” bread and soda, the other an African American who “looted” a grocery store. Yahoo! has yanked the captions, but several people saved images, including this flickr site.

    While I agree that the captions probably reflected racism, I think the blogosphere “amplifying” effect is at least as notable here. I know I’m not the first person to notice this phenomenon, but it is interesting that ten years ago a few people might have noticed the incongruity of the captions but their concern wouldn’t extend beyond themselves and maybe a few people they talked to. Now, it only took a couple of days for this to propagate and for Yahoo! to actually remove the controversial captions. It’s also interesting that Yahoo! having yanked the captions doesn’t make it any harder to find them—Yahoo! even links to the flickr site that shows the originals.

Update: a few more interesting points.

U-Haul Still Sucks

A few months ago, I blogged about a bad experience I had with U-Haul that indicated the company has serious systemic problems. A few weeks later, a U-Haul employee posted two pseudonymous responses to my critique, apparently not realizing that their U-Haul IP address would reveal the true author. For some reason, my “consumer complaint” blog entries tend to get high rankings in Google and attract poorly crafted rebuttals.

Just now, the entry received two more comments. Both are from the same IP address, apparently again a U-Haul employee who didn’t realize their posts were easily traceable. I won’t respond specifically to these comments, but I thought it would be worth highlighting them here. I hope consumers (and perhaps U-Haul management) see these:

The first one is entitled “loved uhaul”:

all of you suck. i hate people like you. you see it’s people like you who actually hold there trucks up and mess up the schedule process. i moved 4 times with u-haul in the past year and only had a problem once but it was because people like you. you people who wanted to be given more time and not return it on time. while making a reservation over the phone i was told my move was being held up because a person tried to pull a trail that they were not supposted to causing it to overheat. these are trucks they do break-down, just like cars to. muck-mucks.

The second, “hey there” (remember, from the same author):

I’m a current U-Haul employee and I must say you’ve all had some really bad experiences with our company. It is very unfortunate, but really is venting out your problems really the answer? I’m responding to this very dim-witted website because I think your cause is in vain. We are the largest self-moving company in North America. While you may want to think that you’re hurting our business, your not. If anything you give us employees something to laugh about on our breaks. Hundreds of thousands of reservations our made throughout our thousands of locations everyday and we fill about 95%. For you unfortunate saps I petty you because when you get alate pick-up you can blame the person who had the truck ahead of you. Ask them why they felt like it was at their own leisure to bring the truck/trail back when ever they felt like it, to which every location they wanted to. Ask them whey they thought our trucks were built for speeding down highways or to move dirt or trash. We do and say things for a reason. And please don’t forget about all the good stuff we do like give free storage to families of hurricane victims or support various charities. So in the end, please keep up the log coming because we like reading them. Ha Ha Ha Ha.

ssh_login_blocker

Anyone who has run a GNU/Linux server on the Internet for more than a few weeks has probably noticed that they will occasionally get “hammered” by a robot attempting to make an ssh connection using common usernames and passwords. Usually these are not truly “brute force” attacks—they try 20-30 times, rather than thousands—but either way they are annoying.

These attacks are rarely successful with a properly configured system, but they can use up bandwidth and system resources, and perhaps more troublesome is that they clog your log files so it is more difficult to detect a bona fide system attack. I suspect that at least some of these random ssh login attempts are accompanied by attacks on other known vulnerabilities, with the hope that the sysadmin won’t notice the more devious attack because the stupid attack is going on at the same time.

Strangely, there is no “canonical” solution to guarding against these attacks. A few people have written up their own hack solutions, and here is mine.

It’s called ssh_login_blocker. It’s very simple—just drop it in /etc/init.d and make symlinks to the proper /etc/rc?.d directories (or just start it running from the command line). It must be run as root. You can configure it to allow a certain number of bad passwords or bad usernames before it blocks an IP address. You can also configure it to “reset” the bad username/password count after a certain amount of time has passed. Just look at the first few lines of code and adjust the settings accordingly.

If you are running it on a system to which you don’t have physical access, you should whitelist at least one IP address where you will be able to get in from in case something goes awry.

There are many improvements I’d like to make. For example, it should use libfile-tail-perl rather than running a shell for tail. It should have a “temporary blacklist” feature in addition to the current “permanent blacklist” feature. It should have an auto-whitelist function such that “known good” IP addresses get marked up. It should use something other than /etc/hosts.deny to block IP addresses—for example, iptables. It doesn’t do any of these things, but it works pretty well, and it makes me happy that my log files are not currently clogged with spurious login attempts.
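
The counting logic described above and in the 0.2 release note (separate bad-username and bad-password thresholds, a reset time, a whitelist, /etc/hosts.deny output), as an added Python sketch that is not the ssh_login_blocker script itself. The thresholds, the log-line pattern, the reset-on-quiet-gap interpretation, the assumed year and all sample addresses are assumptions; only the 5-minute default reset comes from the post.

```python
import re
from datetime import datetime, timedelta

# Assumed settings; only the 5-minute reset comes from the post.
MAX_BAD_USER = 2                  # block on the 2nd unknown-username failure
MAX_BAD_PASS = 3                  # block on the 3rd bad password for a real user
RESET_AFTER = timedelta(minutes=5)
WHITELIST = {"198.51.100.7"}      # the address you can always get in from

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def find_blocks(lines, reset_after=RESET_AFTER, year=2005):
    """Return IPs that crossed a threshold, in the order they were blocked."""
    state, blocked = {}, []       # state: (ip, kind) -> (count, last failure time)
    for line in lines:
        m = FAILED.search(line)
        if not m or m.group(2) in WHITELIST or m.group(2) in blocked:
            continue
        ip, kind = m.group(2), "user" if m.group(1) else "pass"
        # syslog timestamps carry no year, so one is assumed
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        count, last = state.get((ip, kind), (0, when))
        if when - last > reset_after:
            count = 0             # quiet long enough: forget earlier failures
        state[(ip, kind)] = (count + 1, when)
        if count + 1 >= (MAX_BAD_USER if kind == "user" else MAX_BAD_PASS):
            blocked.append(ip)
    return blocked

def hosts_deny_lines(ips):
    """Format blocked IPs as /etc/hosts.deny entries for sshd."""
    return [f"sshd: {ip}" for ip in ips]

def _line(hms, who, ip):          # one constructed auth.log line
    return f"Sep 12 {hms} host sshd[411]: Failed password for {who} from {ip} port 40122 ssh2"

# Constructed sample: a fast username guesser, a slow typo-prone user,
# the whitelisted admin, and a fast password guesser.
SAMPLE = (
    [_line(f"10:00:0{i}", f"invalid user u{i}", "203.0.113.9") for i in range(3)]
    + [_line(f"10:{m:02d}:00", "alice", "192.0.2.44") for m in (0, 6, 12, 18)]
    + [_line(f"10:20:0{i}", "root", "198.51.100.7") for i in range(5)]
    + [_line(f"10:30:0{i}", "root", "203.0.113.20") for i in range(3)]
)

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(find_blocks(SAMPLE))))
```

Passing a week-long `reset_after` reproduces the lockout the 0.2 note warns about: the user who mistypes a password once every six minutes is then blocked as well.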