Monday, September 29, 2008

Evolution: PG Plaza Commuters

We who walk to PG Plaza every day have experienced quite a few detours over the past 4 years. I've chronicled a few of them in this crudely drawn comic.

My Metro Map

I'm often heard bitching about metro when I arrive at work, so on one such day Greg pointed me to the Fantasy Metro Map. It's really neat, but I don't think it is too likely. It's a nice adventure in "what if we had unlimited funds, and people were willing to devote some amount to metro" (they don't seem that willing at present).

I have a much smaller change that I'd like to make, and the biggest cost would be in reprinting all of the metro maps. Please excuse my lack of skill in The Gimp. Essentially I want to switch the green and yellow lines south of Fort Totten. The reason is inspired by selfish motives, but also by my observation that many of the people who get on with me at PG Plaza also get off with me at Crystal City (and also change trains with me at 7th St. Convention Center). If you've ever been on the Green line traveling south in the morning, you know when you've gone too far because the cars get nice and roomy just after L'Enfant Plaza.

Unfortunately it's usually too difficult to properly sanitize the data, but it would be really fun to have access to Metro ridership records. You should be able to run queries on the data to see what are the most heavily traveled routes that, for instance, involve a line change. You'd probably find people traveling from Northern Prince George's County to Virginia and back. There might even be enough support to make this color change.

Thursday, September 25, 2008

Django 1.0 + Psycopg = SQL Injection?

I recently upgraded my Django SVN checkout to 1.0 and found a really surprising problem. One of the nice new features of 1.0 is that Django uses unicode whenever it can. This should mean that your projects just automatically handle unicode too (for the most part) so most people won't even notice, except that they can suddenly communicate more effectively with their non-English speaking users. The surprise: apparently psycopg (or libpq maybe) doesn't support escaping of unicode strings by default, so I was kinda sorta open to SQL injection suddenly.

Observe the following:

>>> sql = '''
... select * from information_schema.tables
... where table_name = %s'''
>>> curs.execute(sql, ("columns",))
>>> curs.execute(sql, (r"columns",))
>>> curs.execute(sql, (u"columns",))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
psycopg.ProgrammingError: ERROR: column "columns" does not exist
LINE 3: where table_name = columns
                           ^

Hopefully this is in the documentation somewhere and I just missed it.
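An added example, not code from the post or from psycopg: a constructed stand-in for a driver's parameter adaptation that reproduces the failure mode above (one string type is quoted, the other falls through to plain str()) together with a probe a team can run as a regression check. The adapter tables, render(), pg_quote() and the canary value are assumptions, and bytes stands in for the second string type that Python 3 no longer has.

```python
"""Constructed stand-in for a DB-API driver's parameter adaptation (not psycopg's
code): shows the failure mode from the post, where one string type reaches the
quoting path and another falls through to plain str(), and a probe to catch it."""
import re


def pg_quote(value: str) -> str:
    """Quote a text literal the way PostgreSQL expects: double embedded single
    quotes, and switch to E'...' syntax when the value contains a backslash."""
    escaped = value.replace("'", "''")
    if "\\" in escaped:
        return "E'" + escaped.replace("\\", "\\\\") + "'"
    return "'" + escaped + "'"


# Adapter tables keyed by Python type.  BUGGY mirrors the post: str is quoted,
# but bytes (standing in for Python 2's unicode type) has no adapter at all.
BUGGY_ADAPTERS = {str: pg_quote}
FIXED_ADAPTERS = {str: pg_quote, bytes: lambda b: pg_quote(b.decode("utf-8"))}


def render(sql: str, params: tuple, adapters: dict) -> str:
    """Substitute %s placeholders.  A type with no adapter falls back to str(),
    which is exactly the unquoted path behind the post's ProgrammingError."""
    return sql % tuple(adapters.get(type(p), str)(p) for p in params)


# Canary value (constructed): one embedded quote is enough to tell a quoted
# literal from an unquoted one, and it would break the statement if passed raw.
CANARY = "x'y"
SAMPLES = (CANARY, CANARY.encode("utf-8"))
_QUOTED_LITERAL = re.compile(r"select 1 where t = E?'(?:[^']|'')*'")


def unquoted_types(adapters: dict) -> list:
    """Return the names of sample types whose rendering is not one correctly
    quoted literal.  Against a real driver, feed the same samples through its
    own render/mogrify path and fail the deploy if the list is non-empty."""
    bad = []
    for sample in SAMPLES:
        out = render("select 1 where t = %s", (sample,), adapters)
        if not _QUOTED_LITERAL.fullmatch(out):
            bad.append(type(sample).__name__)
    return bad


if __name__ == "__main__":
    print("buggy adapters leave unquoted:", unquoted_types(BUGGY_ADAPTERS))
    print("fixed adapters leave unquoted:", unquoted_types(FIXED_ADAPTERS))
```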

Sunday, September 21, 2008

Ubuntu + Compiz + Fast User Switch = Blank Screen

There are a number of people who want to quickly (or not) use my computer to check e-mail and otherwise browse the web when at my house. I tend to leave myself logged in, so they just use my open firefox. The downside to this is that I often come back and can't find the firefox status bar (I didn't even know you could turn it off) or there will be 20 new files on my desktop that don't belong there.

The obvious solution to this is to set up another account and use the fast user switcher. I gave it a whirl tonight and everything was looking great when I switched to the new user. I checked to see if that account could do everything it needed to and it seemed to be fine. So I logged out and went back to my main account. Except, all I get is a mouse cursor and a blank screen.

Thankfully my paranoid mind hits save in emacs every 30 seconds, so I wouldn't really lose anything if I had to Ctrl-Alt-Backspace my way out of X. A quick investigation of this new blank screen did reveal an interesting fact: if I move the cursor half way down the screen, it turns into the text box cursor. Ah, yes! This is the "input your password" screen from the fast user switcher. Typing blind is an old hobby of mine (if you admin enough boxes, you'll run into this situation), so I typed the password and hit enter and the blank screen faded away to reveal my desktop!

Since it's easy to blame compiz, I searched for bugs related to compiz and fast user switching and found Ubuntu bug 160264. The conversation is actually blaming the NVIDIA drivers, so compiz gets away with it this time. What's even more surprising is that NVIDIA does not maintain a bug tracking system; they just watch their forums looking for people reporting problems and then don't really tell you what's going on after that.

Despite NVIDIA's lack of bug tracking, they do apparently talk to some free software developers. Mario Limonciello reported that NVIDIA has no near-term plans to fix this bug since it's a big code change. But, being the slick Ubuntu developer that he is, he showed how to fix this by undoing some unnecessary patches to compiz. By looking through changelogs he was able to deduce that the patch was unnecessary, and by tinkering and recompiling, he was able to show that it worked. To top it all off, he made his changes available for everyone and even made them easy for people to install themselves, so that anybody affected by this bug can get the fix before Intrepid comes out.

And that is why Free Software works.

Thursday, September 18, 2008

Sed scripts in Crystal City

So our company has gone further down the road of geek advertisements and recently plastered this shell command all over the Crystal City underground:

echo 'howsmartu ?' \
| sed -e '1,/^END/{ y/usr?hmowat /cwimwowwt.o/; }' \
| sed -e '1,/^END/{s/\(wo\)/.\1/; s|m|m/jobs/|; }' \
| xargs wget

Naturally, I have an improvement:

echo 'howsmartRu ?' \
| tr 'what Rumors?' 'wwoio.cwwt.m' \
| sed 's|m|m/jobs/|' \
| xargs wget -O -

Why mine is better:
  • it starts with a better initial message
  • initial message actually translates to www.woti.com
  • makes use of an anagram of that message
  • uses tr
  • prints output to stdout. I toyed with piping the page through links (the text browser), but sadly our jobs page only specifies the copyright message in text.

Speakeasy Forgets The Regulatory Compliance Fee

My bill was a little lighter this month, due to what is apparently a bug in the latest version of Speakeasy's billing platform. I wasn't charged the customary, and dubious, $5.35 "Regulatory Compliance Fee." Since I couldn't believe that they had actually gone and done the right thing by ditching this bogus fee, I opened a ticket with support. As always, Speakeasy's support is a pleasure to deal with, and they promptly answered that there was a known bug in their billing software and assured me that I would be charged the correct amount. Gee, thanks.

Wednesday, September 10, 2008

Google Wishlist

I like to look at Google Shopping (formerly Froogle) in "Grid view" but as far as I can tell, it's not possible to add anything to your "Shopping List" unless you're in "List view." Bad Google, bad. But just in case we're in the parallel universe where people buy me everything in my wishlist, I filled it out a bit.

And while I'm considering bad google UIs, I'd like to point out that blogger's tag completion feature (when adding tags to a post, they will try to complete them for you) is really annoying, since it uses the well known COMMA key as the completion key. What?

WMATA Police Make Me Feel Safe

My e-mail to the WMATA Chief of Police:

Chief,

I'm a daily rider of metrorail and noticed this week that there are suddenly an inordinate number of officers visible in the system. Many of them are carrying a frightening amount of firepower (are those MP5 submachine guns?). What gives?

OK well after using Metro Police's "Contact Us" page, I got this:

Status : 502 Bad Gateway

Description : The origin web server encountered an unexpected condition which prevented it from fulfilling the request. Please try your request again.

I resent to chiefofpolice@wmata.com (first hit on google). No dice. I hit up mtaborn@wmata.com and got an out-of-office reply which asked me to refer to Deputy Chief Jeff Delinski. Odds are good that jdelinski@wmata.com is valid, so I bounced it there. No reply as of yet.

Thursday, September 4, 2008

TRC Capital Corporation Preys

Scottrade sent me this:

Re. stock symbol GLW :

The above-listed stock is part of a non-mandatory reorganization or tender offer, which requires your timely attention. For details regarding this offer, contact your local branch office. Please note that failure to advise Scottrade of your intent may result in no action being taken, and we cannot be held responsible for any resulting loss.

Confused, I sent a follow-up e-mail for details. They responded:

The voluntary tender offer for symbol GLW is for clients to receive $10.50/share of GLW. The offeror, (TRC Capital Corp.), is not registered with the SEC. The offer is subject to proration. The offer expires on 9/10/08

I think you'd have to be some kind of stupid to go for this. Not only are they offering 61% of the price (if you read the Internets, you'll find instances where TRC offers prices at a discount of 5%, not 40%) but Scottrade will charge $25 to participate. Is TRC Capital Corp simply a scam to find investors who don't know the value of their stocks?

(I have a feeling that the Scottrade representative that responded to me might have typo'd the value. That's scary, but judging by some searching the real value might be $17.00 (the previous bad offer was $20.50, so $10.50 is a hybrid of the two.))

In fact, if you do search for information on the company you will find that they are skirting SEC regulation by carefully made mini-tender offers. And if you read the contract, TRC leaves itself the right to get out of the deal if the price goes lower or if it just feels like it. Got predatory?