Archive

Author Archive

4 AM and Base 6

February 15th, 2010

It’s 4am. I can’t sleep. Too much stuff to think about. Here’s a quick sampling of the sort of thing that I think about at this time of day before I have to be up for work in four hours.

Lots of people say that we count in base 10 because we have 10 fingers. To which I ask: if we can count from 0 to 10, then why do we need two digits to write down the highest number we can have with fingers?

A much more natural base for counting on your fingers is base 6. Here’s what I want you to try. Your right hand will serve as the ones digit, and your left hand serves as the tens. Start counting.

One is easy. Raise your right index finger. Two, raise the next one. Similarly through five. At six, it becomes slightly trickier, because six is now ‘ten’. Your left index finger goes up, and your right hand closes. Now again, counting from 11 to 15 is very simple. To go to 20, close your right hand and raise another finger.

In this manner, you can count up to 55 - which would be 35 in base 10 terms, far more than the paltry 10 you claim your ten fingers are for counting! Switching bases back and forth is a bit tedious, I’ll agree, but once you get used to it, it’s far more useful than a simple 10 fingers.

crickel Amusing, Muddling About

2010 McCarthyism

February 11th, 2010

Are you now, or have you ever been, a member of the pornographic industry…

The 11th Circuit Court of Appeals recently set a dangerous precedent with its ruling in the case of U.S. vs Little. They stated that obscenity is defined by the local community standard, not a national one.

I’d like to take a moment here to point out that what they are speaking of is obscenity. There are some very peculiar laws surrounding that whole concept in the United States Code. The general idea, however, is that the law doesn’t define what is or isn’t obscene - that follows the Miller test.

The reason this precedent is dangerous is that Paul Little is producing material in California, available for mail order over the internet, that people in Tampa, Florida found obscene. With the local community standard applied, Federal charges were able to be levied against him. The end result is that if any state law exists to specify obscenity, and a community holds something to be obscene, and it doesn’t look like art - it’s illegal. No matter where the work was produced or distributed.

The evidence was even gathered by a postmaster ordering the material in question and having it delivered online! If that doesn’t smack of entrapment and collusion, I don’t know what does.

What I really don’t understand is this: How hard is ‘Congress shall make no law… abridging the freedom of speech‘ to understand? It’s pretty clear. There’s no ambiguity there. So how did ‘except for obscenity’ slip in somehow?

One defense I haven’t seen used yet in these cases is one of the core principles of law: that laws must be consistently applied. If there are so many things that are obscene out there, why is this one man being singled out and targeted? Shouldn’t half the United States be in there with him for having possessed, transported, or distributed this material?

Why are we letting legal precedents regarding morality from the 1940’s persist? Why are we, as citizens, permitting this to occur? When did we let McCarthy into our bedrooms, and why aren’t we getting him out?

crickel Politics

Outliers

February 1st, 2010

I just finished Outliers, a book by Malcolm Gladwell. The book is fascinating - yet has a rather depressing note to it.

The examples in the book are many and varied, and go from why most Canadian hockey league players are born in January to why most geniuses don’t actually get anywhere in life. It all comes down to one core argument, though: To be successful, be born in the right place, at the right time, to the right family, and then become obsessed with the right thing.

The statistics presented lead inexorably to the conclusion that it takes roughly 10,000 hours to become an expert in a field, and that to get this amount of experience at a young age, such as with Bill Gates, Oppenheimer, and several other individuals mentioned in the book, a person has to be brought up in a certain way, with enough resources to take advantage of that opportunity. Didn’t have the opportunity? Born to a poor family? Sucks to be you.

Looking at it from another perspective, you could take the view that the whole book is one giant apology from a genius for being smart, and that really feels like a slap in the face to someone like me, who centers a large part of their self-worth around being a geek. By golly, if just being smart isn’t good enough to make it, then what is?

In all of that uneasy, anti-intellectual sounding morass, though, there are two dimly shining lights in the text if you look hard enough. The first is that there’s a lot of squandered talent out there, and if we made some adjustments to our society and how we think about success, we could go from having a handful of Oppenheimers in a generation to having hundreds or even thousands.

The second is the idea that, so long as you have an iota of talent at something, it takes 10,000 hours of hard work to become an expert in a field. That’s it. The difference between world-class violinists and people who dabble in their spare time? 10,000 hours. As long as you put that much time into it, you can be an expert, regardless of your background or whatever. If you can forget the rest of the book about social background and ethnic influences, this is a pretty inspiring point. If you lived, ate, and breathed a topic, practicing for 16 hours a day, that means you could be an expert in something in just under two years.

On the other hand… this is also one of the points I take as rather contentious for one very simple reason: Tim Ferriss.

Life Hackers

Tim Ferriss is the author of ‘The Four-Hour Work Week’ and a reputed ‘life hacker’. He has a degree in neuroscience, is a world-class tango dancer, a national Chinese kickboxing champion, a best-selling author, and mastered the Japanese art of horseback archery, yabusame, in less than a single week. Not two years - five days.

As I understand it, Tim draws on skills he’s learned from past experience, techniques he’s learned for body hacking, and a keen sense of observation to accomplish these feats. He relates drawing the arrows for reloading to scooping up a SCUBA respirator if you lose it, something he already has well ingrained. He knows that REM cycles ingrain short-term memory to long term, and that we have two per night, so waking up in the middle of the night for practice allows him to double his retention. And finally, he watches - really /watches/ - what separates the experts from the amateurs. He breaks down their technique, and then just practices the key elements of the experts without going through the messy business of trial-and-error everyone else does.

Some people might say he’s faking it, or that he’s not a ‘real’ expert because he didn’t go up through the ranks like everyone else. But you can’t argue with results. In his final run, he performed flawlessly, riding at a full gallop with a Japanese longbow without holding onto the reins, and hit every single one of the targets dead-on.

Has Tim Ferriss spent 10,000 hours practicing the skills of a yabusame without realizing it? Or is he an expert at acquiring new skills? Or is the statistical fact that people who have mastered a skill spent 10,000 hours in practice the result of other social-biased, preconceived notions about learning?

What if we could all learn a new skill in a single week? And what if we could provide every student in the world with the same skills at learning, and the same opportunity to learn?

crickel Muddling About

Too Many Books

January 29th, 2010

I got a Kindle 2 for Christmas.

Did you know that Google has books in the public domain scanned in, and you can download them in EPUB format, load them right on and go to town? Isn’t that just awesome?!

Consider this: Right now, Google has over 7.5 million books scanned written in English and in the public domain. If I could read those at a rate of one per minute, for 16 hours a day, I’d be finished in… roughly 21 years. And that’s just the free ones I actually can understand. I’ve been threatening to learn to read Japanese and Russian for a while, but it occurs to me now that if I do, I’ll have yet more books to read.

As it is, I already have over 200 books on the thing. Most of them science fiction paperbacks. If you stacked them one on top of another, they’d reach 12.5 feet high. I haven’t had to charge it in a month. Pretty impressive for something that’s only a third of an inch thick.

In a single copy of the New York Times, there is more information than your average medieval peasant was exposed to in their entire life. In the Information Age, you will not be characterized by the amount of information you have available to you. You will be characterized by the quality of information you receive, the choices of what you take in.

Think about that next time somebody sends you another email with a LOLcat in it.

crickel Amusing

How to Use the Command Line to Test Cipher Strength

January 28th, 2010

Hi everyone! A friend of mine convinced me that I should be putting technical items up on a blog. So without further ado:

Everyone knows that transmitting private data using https is far more secure than using http. But how secure is it, really? There are many different encryption methods that https has available to it, especially in a default configuration. Sometimes, however, you may not have the configuration available to check. And even if you have access, even when you’ve modified your default configuration to be secure, rogue included configuration files may change the cipher settings on a site-by-site basis. The best way to be sure that your website is configured to use strong ciphers is to test it.

There are many fine tools out there that already fill this need. Some of them, such as Foundstone’s SSLDigger, can even generate and save attractive reports to hand to the administrators. (Red ink is optional.) The fastest way to test your cipher strength, though, is right within your reach at the command line.

There are two applications I’m going to cover here, curl and openssl.

openssl

openssl has many useful commands when it comes to using ciphers. Right now, I’m only going over the two we’re concerned with. The first, of course, is the ‘openssl ciphers’ command, which lists the ciphers available to the OpenSSL installation on the machine where you run it, so run it on the server. If the cipher isn’t in this list, you can’t even configure your system to use it, so double-check what LOW, MEDIUM, and HIGH ciphers you have available first!

openssl ciphers -v 'HIGH'

The second command is the openssl s_client. It has a couple quirks. Here’s an example:

echo 'GET / HTTP/1.0' | openssl s_client -connect gmail.com:443

Notice that the line starts with an ‘echo’. When s_client connects to a host, it then waits for user input for what it sends to the remote host. It needs to send an appropriate ‘GET’ string in order to fetch data. So we feed that input to it in a pipe, it’s happy, the remote server’s happy, and everybody gets what they’re looking for.

This little command is quite versatile and robust. For instance, you can fetch a remote certificate and check the dates on it like this:

echo 'GET / HTTP/1.0' | openssl s_client -connect www.google.com:443 2>/dev/null |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |\
openssl x509 -noout -subject -dates

What we’re interested in, though, is testing out ciphers.

echo 'GET / HTTP/1.0' | openssl s_client -cipher HIGH -connect gmail.com:443

The -cipher option takes a cipher list and uses only those ciphers. For the nitty-gritty details about what constitutes a cipher list, check ‘man ciphers’ - but you should already have a good idea on this. Remember to use ‘openssl ciphers’ to check your server specifically if you’re having problems!
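An added example, not part of the original post: a small sh script that wraps the s_client test above and reads the negotiated cipher back from the output instead of assuming the -cipher request took effect. The function names (negotiated_cipher, verdict, audit) are made up for this sketch; it assumes the "Cipher is" summary line that s_client prints, and it flags TLS 1.3 suites because -cipher only restricts TLS 1.2 and older.

```shell
#!/bin/sh
# Added example (not from the original post): confirm which cipher a server
# really negotiated instead of trusting the -cipher request.

# negotiated_cipher: read `openssl s_client` output on stdin and print the
# cipher named on its "New, <protocol>, Cipher is <name>" summary line.
# Returns 1 if the handshake failed ("(NONE)") or the line is missing.
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') return 1 ;;
    esac
    printf '%s\n' "$cipher"
}

# verdict: turn s_client output (stdin) into one word plus the cipher name.
# OpenSSL names TLS 1.3 suites TLS_*, and -cipher only restricts TLS 1.2 and
# older, so a TLS_* result says nothing about the list that was requested.
verdict() {
    if name=$(negotiated_cipher); then
        case "$name" in
            TLS_*) printf 'inconclusive %s\n' "$name" ;;
            *)     printf 'accepted %s\n' "$name" ;;
        esac
    else
        printf 'refused\n'
    fi
}

# audit HOST:PORT: one handshake per strength class named in the post.
audit() {
    for class in LOW MEDIUM HIGH; do
        if ! openssl ciphers "$class" >/dev/null 2>&1; then
            # The local build has no such ciphers, so it cannot offer them.
            printf '%-6s untestable\n' "$class"
            continue
        fi
        # </dev/null ends the session once the handshake is done.
        printf '%-6s %s\n' "$class" "$(openssl s_client -cipher "$class" \
            -connect "$1" </dev/null 2>/dev/null | verdict)"
    done
}

# Run only when a target is given, e.g.: sh audit.sh www.example.com:443
if [ "$#" -ge 1 ]; then audit "$1"; fi
```

A server you have hardened should show LOW and MEDIUM as refused; an "inconclusive" line means the handshake used TLS 1.3 and has to be repeated with that protocol disabled on the client.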

curl

One thing that’s important to note is that we’ve found through testing on multiple servers that the curl command does not always use the ciphers given in the arguments. Sometimes it fails and simply continues on with the strongest ciphers available instead. That said, if it DOES use the proper cipher (and you can tell if it does in the verbose output!) it’s more convenient since you don’t have to pipe things at it.

curl --ciphers HIGH -v https://www.google.com

Note that if you’re trying to pipe output to a file, more, or less, curl uses STDERR for all its verbose output, and STDOUT for all the. You’ll need to redirect both of them in order to get the whole story.

curl --ciphers HIGH -v https://www.google.com &> test.txt

Using the pipe is even more fun. This redirects STDERR to STDOUT and then lobs them both through the pipe:

curl --ciphers HIGH -v https://www.google.com 2>&1 | less

There are many more options available to curl that can be found in the manual, including authenticating with usernames and passwords, sending POST variables, changing the user agent and even limiting the speed to simulate real user scenarios.

Using these commands, you can quickly and easily test your webpage performance under realistic scenarios and record results from ciphers on the command line directly, without having to break out your GUI and get your hands dirty.

crickel Code

