Seven years ago I wrote about XML security problems, specifically the XXE vulnerability. This flaw is the gift that keeps on giving: someone exploited Google with it this month.

XML is a ridiculously complicated data format. And XML parsers implement all the features, including the obviously dangerous and useless ones. And engineers keep forgetting to turn those features off. It’s just terrible.
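As an added illustration (not code from the original post), here is what "turning those features off" looks like in Python's standard library: an untrusted document is scanned once with a bare expat parser that refuses any DOCTYPE, and only then handed to ElementTree. Without a DTD the document cannot declare entities at all, so external-entity resolution and entity-expansion tricks are closed off together. The helper names and the sample documents are constructed for this example.

```python
"""Parse XML from an untrusted source without the DTD features that enable XXE.

Added example, not code from the original post. Uses only the Python 3
standard library; the function and exception names here are this example's
own, and the sample documents below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    """Raised when untrusted input carries a <!DOCTYPE ...> declaration."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees a DOCTYPE. Raising here stops the
    # parse before any entity declaration (external or internal) is processed,
    # which closes off XXE and entity-expansion tricks in one move.
    raise DtdNotAllowed(f"DOCTYPE {name!r} is not allowed in untrusted input")


def check_no_dtd(data: bytes) -> None:
    """First pass: scan the bytes with a bare expat parser and reject any DTD.

    Raises DtdNotAllowed on a DOCTYPE and expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Reject DTDs, then build the tree with ElementTree as usual."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the DTD ban, False if it is rejected."""
    try:
        parse_untrusted(data)
    except (DtdNotAllowed, expat.ExpatError, ET.ParseError):
        return False
    return True


# Constructed sample inputs.
BENIGN = b'<?xml version="1.0"?><order><item sku="A1">2</item></order>'

# XXE-shaped: declares an external entity. The SYSTEM identifier is a
# placeholder URI, not a real path.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/not-a-real-path">]>'
    b'<order><item>&ext;</item></order>'
)

# Internal entity only: harmless by itself, but the same DTD machinery is what
# entity-expansion attacks build on, so it is rejected too.
INTERNAL_ENTITY = b'<!DOCTYPE order [<!ENTITY x "y">]><order>&x;</order>'


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("internal entity", INTERNAL_ENTITY)]:
        print(f"{label}: {'accepted' if is_accepted(doc) else 'rejected'}")
```

Refusing the DTD outright is the simplest rule and the one to default to; if an application genuinely needs DTDs, the fallback is to keep them but make sure the parser never resolves external entities (in xml.sax that is the feature_external_ges and feature_external_pes switches). The defusedxml package wraps this same pattern as its forbid_dtd option.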

techbad
  2014-04-11 18:29 Z

One of the few things I can cook competently is Tex-Mex chili. It’s basically a pot of meat cooked with red chile and onion. No beans, no tomato. Hearty and delicious with tortillas, sharp cheddar, fresh onion, and sour cream garnishes.

I’ve learned to make chili from scratch. But if you want to cheat, Wick Fowler’s 2 Alarm Chili Kit is a reasonable compromise. It’s not as good as making it the hard way but it’s still pretty good, particularly if you bump it up with some of your own chile powder.

To make it from scratch, I use this Homesick Texan recipe. I love her blog and cookbook. It’s a very fussy recipe but makes an excellent result. Over time I’ve modified it a bit.

  • Working with all those kinds of whole chile makes a well rounded flavor but is a lot of effort (and tricky shopping). I usually end up using some powdered New Mexican red chile instead of some or all of the varieties she calls for; you just dump it in like a spice (a lot of it; more than half a cup for 4 pounds of meat if that’s all the chile you use).
  • The chipotle in adobo is the most important extra flavor and is easy to add from a can. Beyond that you want dried chiles and the extra work that entails. Cayenne is for heat, not flavor.
  • The recipe calls for chuck roast. I use half ground beef for texture. You can also use 100% ground beef which saves a lot of preparation time.
  • Leave out the clove. Too much can ruin the dish and it’s not worth the risk.
  • The beer and coffee aren’t really necessary but are nice to add some bitterness. You just need enough liquid of some sort. I use boxed beef broth instead of water.

I grew up with this kind of food.

culturefood
  2014-04-09 16:31 Z

Unison is good software. It’s a command line program to synchronize filesystems, to keep a directory tree identical on multiple computers. I use it to sync about 40G of files across two Macs, to keep my home directory and source code and various applications in sync. The neat trick is I sync those two Macs through a portable hard drive so I don’t have to wait for hours for files to go over the Internet. Unison can also work online so changes are propagated automatically.

Unison is a lot like rsync. But Unison is designed to be bidirectional. Rsync always syncs one way: copy A to B. Unison will look at the differences between A and B and merge them, including a limited UI for conflict resolution. This protects me from the case where I modify something on both machines without syncing beforehand.

The main drawback with Unison is it’s slow, it takes many minutes to decide what files to sync. I also hate the interactive UI; it doesn’t work well when you have lots of files that changed in both places. I’m also a bit concerned that it’s no longer under active development but Unison is the rare software that’s a complete product, it’s not clear it needs many changes.

There are other tools solving similar file sync problems, none perfect. Dropbox is phenomenal but doesn’t have offline syncing of large files. Camlistore is promising but not quite ready for civilian use. git can be used to keep stuff in sync but is better suited for text files whose history you want to keep. And CrashPlan is great for online backup but doesn’t really provide a second live copy.

techgood
  2014-04-07 16:32 Z

There’s good fine dining in California’s Central Coast. Cayucos is one of those tiny California beach towns from the 50s. A few dumpy motels, a surf shop, restaurants with names like The Salty Seagull and The Rusty Pelican you’d only ever eat at because you’re on vacation in a beach town. But there’s something special and unique in Cayucos, the Cass House, and as the Michelin folks say it is vaut le voyage.

Chef Jensen Lorenzen and his crew are turning out phenomenal fine dining, as good as anything I’d expect to find at San Francisco’s top restaurants. They are serving only one option, a 14 course tasting menu of delicate little plates. With excellent (but laid back) service and a good wine list and a lovely room that only seats about 30 people.

The key thing here is the cooking works. The kitchen knows its business and is producing excellent creative food with technique but not silly gimmicks. My favorite dish was a dessert, a fennel-based gelée that was delicate, deeply flavored, with a bit of candied fennel as a crunch accent. So elegant and precise. The cauliflower “curds & whey” were also phenomenal, a rich risotto-like texture with a deep butter and cheese flavor. A heavy dish, it came after a very delicate dashi bouillon. The main course (I chose chicken) was a satisfying solid portion, keeping the whole meal from being a bit too precious and dainty. We were also very impressed at how they handled my friend’s near-vegan diet, deftly substituting coconut milk and the like for the dairy that would have been in half the dishes. (Elegant cooking without butter!) I admit I was concerned going in that the menu was too demanding, but Cass House executed incredibly well.

They’ve been doing fine dining for a couple of years but jumped fully into the tasting menu program this February. It’s ambitious and risky, and one service a night at a reasonable $85 caps their business. My impression is they’re doing this because they love this kind of cooking, like being in control and preparing food with art in the way they want. I was glad to be along for the ride and hope to return.

culturefood
  2014-04-03 23:41 Z

Mozilla, the creators of the Firefox browser and other important open web technologies, just appointed Brendan Eich as CEO. The problem is Brendan Eich donated $1000 to Proposition 8, the anti-gay marriage referendum that set back marriage equality in California for five years. And now there’s a shitstorm.

I held my tongue on this for a few days to give Eich and Mozilla time to give their side of the story. Well, they did and it’s a mealy-mouthed non-explanation where Eich desperately tries to sidetrack any questions about his politics with a confusing endorsement of “inclusiveness” and Indonesians. It ends with him questioning the world’s faith in Firefox because his colleagues are calling him out on failing a basic measure of human decency. The interview is dishonest and disgusting.

I don’t think there should be a political litmus test for CEOs, even CEOs of mission-driven non-profits. It’d be fine with me if Eich were an NRA supporter or a no-tax Tea Partier or some other debatable position. But this isn't politics. Gay marriage is a civil right and Eich unapologetically contributed to deny me and my friends equal citizenship in the United States. It’s unacceptable and makes him unfit to be the CEO of Mozilla.

Apparently he doesn’t intend to apologize or recant. Fine. But it’s particularly appalling that he doesn’t even want to explain his position. I’d respect him more if he said “I oppose gay marriage because of my religious beliefs” or whatever, at least then he’d have some integrity. Instead he just wants us all to ignore his demonstrated anti-gay stance, a dishonesty and lack of courage. Unexamined bigotry is the most dangerous kind.

Brendan Eich must go. His position as CEO is threatening Mozilla’s future. Sadly there’s a crisis in the board of directors too. This kind of chaos destroys organizations.

politics
  2014-04-02 15:37 Z

Ken is the family chef but I enjoy cooking in Grass Valley. Partly because it’s a huge kitchen with plenty of room to work. And also because we outfitted it from scratch with high quality kitchen tools. Here’s some of the stuff I particularly like using.

Wüstoff Classic Ikon knives
Solid European knives, holds an edge a long time when properly sharpened, and I love the synthetic handles. The 6” chef’s knife is what I use 90% of the time, along with a 9” for big jobs and a paring knife for detail work. Worth testing in person, you want to see if the balance feels right.
OXO Good Grips Cutting Board
I like plastic cutting boards because I can throw them in the dishwasher. This brand has the right design with rubber edges so the board doesn’t slide around.
All-Clad Stainless pots and pans
Excellent, durable, heavy cookware. The aluminum core construction is essential for heat distribution. The stainless surface is bulletproof, or at least steel-wool-proof. Expensive but they last forever and sometimes you can get a good deal on a set. The 12” fry pan, 1.5qt sauce pan, and 8 quart stock pot get the most use.
T-Fal nonstick pan
Nonstick pans are disposable, so might as well skip the All-Clad and buy a cheap one. (As careful as you try to be after a year you have a laminate of burnt grease that ruins the surface.) The good thing about T-Fal is they have a thick metal bottom that spreads heat.
OXO Good Grips stuff
For odds and ends like vegetable peelers, cooking spoons, etc. I look to Good Grips first. Most of it is nothing special (other than the cutting board I called out) but it’s well made and the grip is, indeed, good.

Neither the knives nor the pans are particularly cheap. But if you can afford the initial cost they’ll pay for themselves in longevity. Also most have generous warranties. In my salad days I threw out cheap pans about once every two years; we have All-Clad that’s 20 years old and still in great shape.

Apologies for the spammy-sounding Amazon links; they’re for your convenience, but I do pocket a few bucks a year from affiliate fees.

culturefood
  2014-04-01 19:56 Z

Gfycat (and CloudFlare) has a fantastic error page for when they have a server error.
Such a clear, simple statement of what the error is and what the user can do. One of my pet peeves is software that blames the user when it's not their fault, like the "your Internet is down" message Steam displays when their client can't connect to their server. This kind of message is much more honest and useful.

BTW, Gfycat is an awesome service. They host animated GIFs for sharing. And they transcode the bloated source GIF to much smaller HTML 5 video, then serve the smaller file to browsers who can handle it. The hosting is good, the 95% bandwidth savings is great.

techgood
  2014-04-01 15:56 Z

A slide from NSA's program to record all voice calls.

politics
  2014-03-19 23:54 Z

The 1983 movie Brainstorm is worth seeing, or maybe revisiting if you last saw it decades ago. It fits in with Tron, WarGames, and Videodrome as early 80s imaginings of what the near-future of technology will look like. Great performances by Christopher Walken and Louise Fletcher.

The reason to watch Brainstorm now is the production design, the imagination of consumer products and user interfaces for the near future. It feels like totally relevant, modern commentary on product design for things like the iPhone, Google Glass, Tesla, or a Microsoft Kinect. Dialed up to 11 with a sci-fi flight of fancy, of course, but well done for that. I’ll be honest and say the plot is sort of silly, a combination of military-industrial complex paranoia and some fairly hokey spiritualism. That’s partly redeemed by Louise Fletcher’s role as the head of the research project, a totally badass lady scientist. But mostly watch it for the animation sequences and the industrial design.

culturemovies
  2014-03-18 22:59 Z

League of Legends has a serious security problem: denial of service attacks. Some of these attacks are against the game as a whole and bring down the whole system. Presumably Riot can eventually protect their servers from that. Worse are targeted DDoS attacks against single players; it’s not clear they can defend themselves.

The motivation for attacking individual players is ugly. The game is very competitive at the highest levels of play, with prize money and pro careers on the line. Knocking an opponent offline or just lagging them is enough to get a win. Even if the game is thrown out as invalid, a DDoS is still a way for a losing game to be converted into a tie.

There are guides on how to avoid being a DDoS victim. They boil down to “don’t reveal your IP address”, which in practice means “don’t use Skype from your real IP”. VPNs, playing only from Internet cafes, etc. are other options. But these are minimal solutions at best; hiding your location from the world is really difficult. There are new rumors that the whole IP identification part is entirely automated and foolproof.

I don’t really know how a normal Internet consumer can protect his ISP from being knocked offline with a DDoS. It’s an ugly situation.

techbad
  2014-03-11 21:35 Z