It's time to have a grownup talk about hot sauce. If you go to a generic American restaurant and ask for hot sauce, you will be brought Tabasco. And it's a terrible choice, the worst kind of hot sauce.

Tabasco is a Louisiana hot sauce. Like its Cajun brothers, the primary flavour in Tabasco is vinegar. There's chile, too, but it's secondary. Vinegar sauces have their place, particularly in barbeque and Cajun cooking. But Tabasco is the worst of the Louisiana options: the vinegar is some industrial product with a one-dimensional acid taste and the chile barely adds any flavour. If you want a Louisiana style hot sauce try Crystal, Louisiana brand Hot Sauce, or Wintzell's sauce (made by Panola). They all have much better flavour: interesting vinegar and decent chile.

Vinegar is a poor seasoning for most American food, particularly anything with eggs and any of the Mexican-derived food we get in California. American restaurants should generally offer Mexican hot sauce. Mexican sauces are made primarily with chiles and water. There may be a little vinegar and spice for flavour but the acidity doesn't dominate. There's a zillion options for Mexican hot sauce but a few good common options are Tapatío, Melinda's, and Cholula.

I also want to give a shout out to Sriracha, the modern, Vietnamese-American hot sauce whose thickness, sweetness, and intense garlic flavour give an interesting third option. I find its seasoning too strong to use as a general condiment but it's a delicious alternative to ketchup or mustard for flavouring sandwiches.

Summary: you probably want Mexican hot sauce, not a vinegar sauce. If you want Louisiana hot sauce, avoid Tabasco.

  2011-05-31 22:19 Z
The US military is on the Internet march. Obama said of two new military appointments "Between them they bring deep experience in virtually every domain ... Land, air, space, sea and cyber." Also today the WSJ reports "The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force."

I used to think "cyberwarfare" was an inflated threat. But in the past couple of years my thinking has reversed. Stuxnet was a big deal, presumably a deliberate act of cyberwarfare by the US and Israel against Iran. China's hacking of Google was also a big deal; aimed at individual activists, not nations, but still important. The recent attacks against RSA SecurID and now Lockheed Martin are troubling. We're beyond script kiddies stealing some Warcraft accounts, this is focussed espionage against the US military.

One of the problems with cyberwarfare is it's not clear how to apply international law. What is "proportionate response" to a network break-in that disables a radar installation? How do you even identify an attacker when the attack was a virus that was planted six months ago on USB sticks? These statements say the Pentagon is moving to take these questions seriously. It's about time.

This blog post was inspired by this Metafilter discussion
  2011-05-31 21:26 Z
There's a scary trend happening in computer hacking; it looks like the bad guys are escalating from attacking random weak sites to targeted attacks against companies that provide security infrastructure.

Back in March RSA disclosed that they had been compromised and their SecurID system had been targeted. SecurID is a product that's widely used by companies for login security. RSA never came clean on exactly what happened, but they did admit that the incident could "reduce the effectiveness" of SecurID. Now the other shoe has dropped with the NYT reporting that the recent Lockheed Martin compromise appears to be related to the RSA breach.

In May LastPass warned users they had a "network traffic anomaly" that they could not explain. LastPass is a password management tool that stores their customers' passwords. The company's disclosure was quite comprehensive but vague because they don't really know what was taken. I still trust them, but it makes me nervous.

There's been a lot of other recent high profile security incidents: the Gawker fiasco, the Google incident with China, the Sony outage. But the attacks on RSA and LastPass feel different. Those companies are not easy targets, they are sophisticated security companies. And they make security systems, a very valuable asset if you're in the business of attacking protected targets.

The buzzword for this kind of attack is Advanced Persistent Threat. The reassuring thing is these attacks are focussed and purposeful, not random vandalism. Personally I fear random Eastern European password hackers much more than I fear the Chinese government or a US / Israel cooperative. But it's a bad thing if our industry's most sophisticated security companies are no more effective at protecting their customers than a crappy PHP site.

The press is reporting "the attackers created duplicate SecureID devices".
  2011-05-30 14:09 Z
After reading up on Bitcoin I ran the software for a day and mined some coins. It's a fascinating decentralized system but has some significant practical flaws.

Cash flow isn't private. The protocol requires all transactions are public: you can see them all on Block Explorer. Here's the transfer of 0.02 from the Bitcoin faucet to my account. Here's 50 bitcoins I helped mine along with some other random transactions in that block. Here's my miner's wages from slush's pool. You could do some fascinating visualizations of the flow of money. It's hard to remain anonymous: you can have multiple identities, but because every single coin is traceable if even one identity is known the rest can be discovered via traffic analysis. The Bitcoin wiki recommends laundering your money through a third party.

Latency is a problem. I received 4 payments last night; each took about 5 minutes to show up in my wallet. I made a payment of 0.02 today that showed up in about a minute, but I was required to pay an extra 0.01 transaction fee. Communication latency seems to be a result of the peer to peer network and presumably could be improved. But there's design latency, too. You can't really trust a payment is valid until it's been confirmed, which boils down to waiting for about an hour's worth of other transactions to be done after yours.

Scalability looks like a serious problem. The core innovation of Bitcoin is the block chain, a signed history of all transactions. Bitcoins are validated by tracing the history of a bitcoin all the way back to block 0, the Genesis Block from January 2009. I don't see any process for short-circuiting this validation. It's like every time you got a dollar bill, you had to talk to everyone whose hands that dollar ever passed through to work its path back to the bank that printed it. Also the current client needs a copy of every transaction ever. That takes a couple of hours to download but presumably could be optimized so you only keep the blocks you personally care about.

Coins are brittle. My money entirely exists in a file named wallet.dat on my hard drive. If I lose that file or it gets corrupted or it gets stolen, I lose all my money. That's no worse than real cash under your mattress but it's significantly worse than other online payment mechanisms like credit cards.

I don't mean to hate on Bitcoin, it's an impressive cryptocash system. And it actually functions: at market rates there's some $35 million in Bitcoins in circulation. That valuation may not last for economics reasons, but the crypto and decentralized system design is pretty sound. Still it's got some rough edges, interesting to see where they are.
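Two of the properties described in this post, a public history that can be walked back to the generation transaction and identities that leak through shared spending, shown on a toy ledger. This is an added example, not code from the original post or from Bitcoin: the ledger, addresses and function names are constructed, and the clustering uses the common-input-ownership heuristic as one assumed form of the "traffic analysis" mentioned above.

```python
from collections import defaultdict

# Constructed toy ledger (not real Bitcoin data):
# txid -> {"in": [(previous txid, output index)], "out": [(address, amount)]}
# A transaction with no inputs is a generation (mining) transaction.
LEDGER = {
    "gen1": {"in": [], "out": [("pool", 50.0)]},
    "gen2": {"in": [], "out": [("faucet", 50.0)]},
    "t1": {"in": [("gen1", 0)], "out": [("addr_a", 0.5), ("pool", 49.5)]},
    "t2": {"in": [("gen2", 0)], "out": [("addr_b", 0.02), ("faucet", 49.98)]},
    # addr_a and addr_b are spent in one transaction, so one wallet holds both keys.
    "t3": {"in": [("t1", 0), ("t2", 0)], "out": [("shop", 0.51), ("addr_c", 0.01)]},
    "t4": {"in": [("t3", 1)], "out": [("addr_d", 0.01)]},
}


def spent_address(ledger, prev_txid, index):
    """Address that received the output now being spent."""
    return ledger[prev_txid]["out"][index][0]


def trace_history(ledger, txid):
    """Walk every input back to the generation transactions.

    Returns (ancestor txids including txid, addresses whose coins fed into it).
    """
    seen, addresses, stack = set(), set(), [txid]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for prev_txid, index in ledger[current]["in"]:
            addresses.add(spent_address(ledger, prev_txid, index))
            stack.append(prev_txid)
    return seen, addresses


def cluster_addresses(ledger):
    """Union-find over addresses that co-sign inputs of the same transaction."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in ledger.values():
        owners = [spent_address(ledger, p, i) for p, i in tx["in"]]
        for addr in owners:
            parent[find(addr)] = find(owners[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def linked_addresses(ledger, known):
    """Every address the heuristic ties to one already-identified address."""
    for cluster in cluster_addresses(ledger):
        if known in cluster:
            return cluster
    return {known}


if __name__ == "__main__":
    ancestors, sources = trace_history(LEDGER, "t4")
    print("history of t4:", sorted(ancestors), "via", sorted(sources))
    print("identifying addr_b also exposes:", sorted(linked_addresses(LEDGER, "addr_b")))
```

The heuristic does not link the change address `addr_c` to the same wallet; that needs separate change-detection rules, which this sketch leaves out.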

  2011-05-21 14:05 Z
Digital currency Bitcoin is the subject of this week's hype. And while I agree with Adam Cohen's analysis that it's likely a scam, I don't think it's inherently a scam and it's an interesting implementation of cryptoanarchy.

The basic idea of Bitcoin is you have a file on your hard drive that, through the magic of cryptography, is unique and unforgeable and says essentially "Nelson owns 5 bitcoins". Bitcoins can be created by users out of thin air but via more math magic there will only be 21 million bitcoins ever. Bitcoins can be traded and verified and double spending is preventable (math, is there nothing it can't do?). As long as people agree that Bitcoins can be exchanged for dollars then we have a new currency. (At current rates, a Bitcoin is worth about 7 USD).

The economics and politics of the Bitcoin idea are anarchic. The primary advantage of cryptocash is it exists outside the control of any government. Untraceable, unregulated currency, I wonder who benefits most from that? The history of previous electronic currencies like e-gold suggests the main use of a cryptocurrency will be fraud. It didn't have to be that way. Back in the mid 90s when Internet commerce was just taking off, e-cash had a real chance to be an alternative to credit card payments. If things had gone differently, maybe we'd be buying our socks on Amazon with DigiCash instead of Visa.

But the credit card networks are expensive, scalping roughly 2% of every transaction. There's legitimate value in having a cash-like system for the Internet. And the Bitcoin technology seems to be an honest implementation. I didn't spend the time to understand the protocols, but at its core it's a fully decentralized system with peers exchanging signed messages about the flow of money. I fully believe the math can be made to work (although Bitcoin's protocols no doubt have problems).

The implementation has some drawbacks. The default Bitcoin client is not suitable for casual users. And there's a lot of latency. Two hours later I'm still waiting for the data to synchronize. I claimed my free 0.02 bitcoins from the Bitcoin Faucet but it took over 10 minutes for the transaction to show up on BlockExplorer. And the money still hasn't arrived.

One fascinating bit of the tech is Bitcoin mining. It takes weeks or months for a single system to generate Bitcoins, so long the mining option is being hidden. Instead people pool their efforts and use GPUs to do the math. A GPU is some 200 times faster at the crypto than a CPU, using OpenCL code like poclbm.

I expect Bitcoin itself will be forgotten in five years or else consigned to being a currency largely used for fraudulent transactions. (Here's an interesting bet: $1000 in Bitcoins against $1000 in gold, to be paid in 5 years.) But I hope the idea of cryptocash continues to be developed and improved; it'd be nice to have a cash equivalent for the Internet that wasn't PayPal.

  2011-05-20 17:35 Z
It's finally happened: someone's made a World of Warcraft clone that's a credible competitor to Blizzard's megabusiness. A lot of companies have tried the MMO market and failed, most notably Warhammer Online, but Rift is a success. It's as good as WoW. And that's a disappointment.

Rift is a fantasy MMO game by Trion Worlds, a serious new company that's raised $100M in venture capital. It's been pretty successful since their launch two months ago. The buzz is good, a lot of people are enjoying it, and while it's a bit early to tell how big the game will be I think they've got enough momentum to recoup their investment.

I just finished a week free trial, levelling up a Cleric and a Rogue to level 13. It's fun. The graphics, networking, and user interface are all good. Not quite as solid as WoW but close enough. The game offers two big innovations. Rift Events are big impromptu battles against bad guys that pop up, basically Warhammer's public quests but with a dynamic element that means there's more likely to be people nearby to play with. And the flexible class system (souls) allows more choice in play style, although there's already a forming consensus of useful builds.

If I were picking a new MMO solely on the basis of gameplay I'd probably choose Rift over WoW. Unfortunately, Rift is so like WoW that there's nothing to distinguish it. Gameplay still boils down to pressing a button once a second to activate one of your forty abilities in the right order. Group play still is the basic tank/healer/DPS trinity. It's yet another bucket of gaming from the DikuMUD well and it's getting stale. I question whether the world really needs a WoW clone when WoW is still good enough.

$100M is a lot of investment and congratulations to Trion for producing an excellent product. But it's so expensive to make an MMO now, it's hard to see how a truly innovative and risky game can get funded. We need more odd innovative designs like Eve Online. I'll be curious to see how Glitch evolves.

  2011-05-17 17:12 Z
With the 2011 floods of the Mississippi river there's real concern that the Mississippi might jump its channel at the Old River Control Structure and take a shorter path through the Atchafalaya basin, changing the structure and economy of half of Louisiana. In the Internet discussion an astonishingly beautiful set of maps from 1944 keeps turning up.
The maps are from the "Geological Investigation of the Alluvial Valley of the Lower Mississippi River", a report by Harold Fisk (Geology Professor at LSU) for the Army Corps of Engineers. They did a huge amount of research on the history of the river course, tracing 20 "stages" of the river course going back some 2000 years. Accompanying 170 pages of sometimes dry text and tables are these fifteen beautiful maps, a tangle of ropes showing the historical Mississippi. Each colour (or stipple) is a former river path and with some squinting you can work out the specific flow of the river in, say, 1765. The real message is the aggregate of all those historical courses, the unmanageable chaos of river meanders.

The report and maps are available for download from the Army but the files are big and pretty unwieldy. I've resized the rectified TIFFs to 25% and uploaded them to Flickr: you can browse them in this Flickr set. The one single image I recommend is Plate 22 Sheet 13: it shows the adjacency of the Mississippi and the Atchafalaya, connected by the Old River where the current water control system is threatened. For a different perspective, check out all the maps assembled into one long picture. It'd be neat to see a zoomable version of this to full resolution.

Update: why yes, it would be neat to have a zoomable version. Try it!
  2011-05-16 15:49 Z
Please try my historical map of the Mississippi River courses!

I was so taken by the 1944 Army Corps of Engineers maps of the Mississippi River that I made my own zoomable map. It works well in Google Chrome, reasonably well in most browsers, and not at all in older versions of MSIE. (The tiles aren't perfect; I did this in about three hours' work.)

The map is truly a beautiful bit of geologic history. For more info on it, see my previous blog post. So many amazing swirls and details in the river's course. Rendering it as a slippy map makes it easy to see the map in great detail, for instance the Old River Control Structure, a site threatened by the floodwaters of 2011. (Interestingly, the modern channel was built on relatively dry land.) The opacity slider (or text box) in the upper right lets you look through the Fisk map to a contemporary Google map. Check out this flood plain, for example. The satellite view contains echoes of the various old meanders, too, like these curved fields.


  2011-05-16 15:43 Z
I like maps. On my recent Texas trip I had my iPad with a good GPS and four different map applications. You can see two sets of screenshots from the various maps. Long story short, I'm impressed with You Need A Map (and it's free!).
The four apps I tried were MotionX, a GPS tracker with terrain maps from OpenCycleMap; OffMaps with their CloudMade/OpenStreetMap maps; You Need A Map with a variety of raster and vector sources; and ForeFlight, an aviation specific map with VFR sectional charts. All of these apps support cached offline map access, I store some 10 gigs of map data on the iPad. The two locations I compared are near the Guadalupe Pass in Texas and near the Cajon Pass in LA, California.

The main thing I learned is how different maps can be. MotionX's terrain layer is designed for hiking with very detailed contours. But the shading isn't very good and it's easy to lose the big picture zoomed out as much as I do in a plane. OffMaps' spare road maps have served me well driving around Europe but don't convey much terrain. Oddly they do indicate airport positions very well. ForeFlight is showing AeroNav's excellent VFR charts; great for pilots, not so much for anyone else. The real generalist is You Need A Map, whose combination of a terrain raster map with vector layers gives some really impressive maps. I'm particularly impressed with their dynamic terrain shading.

Configurability is another interesting difference. You Need A Map is amazing: you have a choice of some 20 map layers to composite with different presets for emphasizing roads, natural features, points of interest, etc. It's the only iPad app I've seen to extensively use vector map data rendered in real time. MotionX, OffMaps, and ForeFlight all offer your choice of a handful of different raster layers but basically you take what they offer. Which can be perfect if, say, you're flying an airplane and using ForeFlight.

One final difference is extra features. OffMaps and You Need A Map basically display maps and nothing else. MotionX is really a very fine GPS track recorder; the maps are just gravy. And ForeFlight is a full flight planning system.

My conclusion from this experiment is that for flying trips, in addition to ForeFlight I'll be using You Need A Map. OffMaps will stay with me on my iPhone, its maps are really good for road navigation. I don't have much use for the MotionX maps but that'd change entirely if I were a hiker.

  2011-05-12 22:05 Z
One of Google's big announcements this week was the launch of Chrome Angry Birds, a port of the hugely popular mobile game to Google's browser. But calling it "Chrome Angry Birds" is missing the point because what's really interesting is that it's a real-time multimedia cross-platform HTML 5 app. It runs fine in MSIE 9 and Firefox on Windows (sound and save games included) and I've heard reports it works in Safari on Macs, too. And because the game is based on open browser technologies, we can easily pull it apart and see how it's built just like we've been pulling apart web pages since 1993 via the magic of "view source".

The key file is appcache.nocache.manifest: it contains a list of all the other stuff in the app. There's a whole lot of files: sound, art, levels. Here's the image sprite sheet for birds and pigs, here's the slingshot sound, here's the data file for level 1. The only thing that's opaque is the code itself, 390k of GWT compiled Javascript. People often call this style of code "obfuscated" but the compilation is as much about making it run faster as it is hiding the details.

The part that impresses me the most is the sound: that's been a weak point in browsers. Over on Metafilter someone pointed out that it was loading a small Flash shim, what appears to be gwt-voices. So still not a 100% Flash-free app, but very very close. The caching is quite sophisticated too.

  2011-05-11 20:27 Z
Last week I finished a 10 day flying trip to Houston and back. I grew up in Houston but hadn't been there in years. Part of my purpose was reconnecting with old friends and part was having a flying adventure on my own. 25 hours and 3000nm over some six days, worked out great. Here's some photos from the trip.
I followed a southern route. Overnights were in Palm Springs CA, El Paso TX, Houston TX, San Angelo TX, and Palm Springs CA again. Good weather most of the way, necessary since I'm not instrument rated yet. Lots of light chop which gets tiresome. Also some alarming mountain wave over Palmdale the first day: 40kt tailwind turned into dramatic up and downs, at one point I was at my best climb speed and still losing 500 feet per minute. Altitude is your friend! I also discovered after six hours of flying I'm pretty tired and not as sharp on the landing as I should be. Nothing unsafe, but I have a better idea of my limits.

I had some good food. Bad weather made me drive to Austin but on the way I enjoyed Black's Barbecue in Lockhart with excellent brisket and some of the best smoked sausage I've ever had. Then that night I had phenomenal nouveau sushi at Uchi in Austin. Houston Tex-Mex wasn't as good as I remembered, but El Real Tex-Mex was quite good. Danton's in Houston was good for fancy-pants Creole and Ragin Cajun was good down home bayou cooking, including a bucket of crawdads.

The best thing of the trip was reconnecting with old friends, particularly high school buddies. Amazing to reconnect with people for the first time in twenty years and feel perfectly comfortable. They all turned out to be interesting and nice people, too! I also had a good time meeting some new people, including a hilarious gay night out in San Angelo, TX with some friends-of-friends that turned a dreaded West Texas overnight into a real hoot.

  2011-05-09 23:54 Z
I've moved my linkblog to Pinboard. If you follow it already you'll want to update your RSS subscription. If you don't follow it, you should! My linkblog has better content than this text blog. Links are on the sidebar at left but best enjoyed via your RSS reader of choice.

Many thanks to the Delicious and Yahoo crew; they served me well for hosting for four years. I decided not to follow along with the AVOS purchase, not for any particular reason but because it seemed uncertain. A big thank you to Joshua and Delicious for having a fantastic, easy export of all my data. That's an important user right more sites should support and more users should demand.

Pinboard works great and is simple. I like that I'm a (modestly) paying customer. I particularly appreciate that the search function works so well: Yahoo never got that right. I was also impressed by Maciej's postmortem when the site got crushed after the Delicious shutdown rumour. He's a smart engineer. All the cool kids seem to be on Pinboard now, I'm in good company.

  2011-05-09 18:33 Z
Awhile back I wrote about the religious debate about operating airplane engines. I finally got a chance to run lean of peak on my recent Texas trip. Compared to rich of peak, LOP was 20% more fuel efficient, 5% slower, and about 20° cooler. But I'm still running ROP.

The plane is only now capable of running lean of peak thanks to our engine monitor, fuel totalizer, and GAMIjectors. The stock injectors had one cylinder peaking 1.0 to 1.5gph sooner than others; now our "GAMI spread" is 0.4gph, a win whether we ever run lean of peak or not.

On my recent flight I was at 9500', 20.5" manifold pressure, 2400 RPM. Flying at my typical 50 ROP I was getting 140kts TAS, burning 10.3gph, with EGTs at 1357/1378/1352/1324 and CHTs at 303/332/337/290. Leaning out to 40 LOP I was getting 132kts TAS, burning 8.3GPH, with EGTs at 1401/1441/1416/1352 and CHTs at 281/316/311/271. So the difference there is running lean of peak I saved 2gph, ran my engine 20°C cooler, and gave up about 8kts to do it.

Saving gas but going slower: is LOP really a win? Cessna didn't publish performance tables for lean of peak, but they did publish tables for saving gas at the recommended 0.5gph ROP. At 10,000' Cessna says full power gives 145kts TAS at 9.2gph. If you want to save 2 gph they have you dial way back on power to get 126kts TAS at 7.1gph, for a 19kt slowdown. So roughly speaking, LOP saves me just as much gas as going slow ROP, but makes me 11kts faster.

Despite the good results I still flew over the hard, unforgiving mountains of the Southwest running ROP. The engine feels wrong in the transition to LOP, you can feel the sluggishness. I've also had various salt-of-the-earth mechanics all warn me against running LOP, and while their reasoning doesn't make sense it still makes me nervous. And of course LOP really does make you slower and with four hours of West Texas ahead of you, you want every knot. The cooler operation seems like a real benefit though.

(A caveat: those EGT numbers are a bit wonky. The actual measured peaks with some experimenting were 1462/1494/1466/1410 at 8.8/9.1/8.9/9.2 gph, so it's possible I was running more like 90 ROP than 50 ROP and could have saved a bit of gas while ROP. There's some lag in the EGT response time, I was doing stuff too quickly.)

  2011-05-08 00:17 Z
One of the amazing things about visiting Texas is how every single person I've seen has offered me a place to stay. Whether an old friend I hadn't seen in 20 years or someone I barely knew, pretty much everyone offered me a guest room in their house. Such lovely hospitality! I think that offer is much less common in San Francisco; homes are too small to have a guest room and people generally seem too busy to casually offer that kind of sharing. That's too bad.
  2011-05-03 14:59 Z