“The world that you need is wrapped in gold silver sleeves”

The Dresden Dolls covering “Two-Headed Boy” by Neutral Milk Hotel

Heartbleed for the Laity

As you may have heard, there’s a new security vulnerability currently affecting the Internet. It’s a damn big deal, so I wanted to write a quick overview, aimed at non-tech people, to explain what the exploit is, who can be affected, and what the potential impact will be.


Heartbleed is an exploit that affects secure websites on the Internet. Many sites use a technology called SSL to keep customer information private and to prevent attackers from intercepting or stealing customer data. Heartbleed is a bug in the most common implementation of SSL, a library called OpenSSL. It allows attackers to read the memory of the affected website, potentially stealing information about other users who are using the website at the same time. Randall Munroe provides an excellent analogy to help you understand how the attack works in this XKCD comic.

The technical details are beside the point for this post, and are well covered elsewhere, but you can think of it like a hidden window that allows anyone to see what’s going on inside a website’s server, including any data it might be processing at the time.

How bad is it really?

Literally the worst security exploit the Internet has ever seen.

And worse than most people, even a lot of tech folks, realize. This exploit allows an attacker to steal information about the computer that runs a web site and also about every other user using the website at the same time. It also potentially opens up other, more targeted attacks against individual users or specific sites. It is currently undetectable and therefore largely untraceable. It is trivial to pull off. It potentially affects millions of sites.

There is a common assessment matrix, DREAD, used to assess the threat posed by a particular security vulnerability. DREAD is a mnemonic representing Damage, Reproducibility, Exploitability, Affected Users, and Discoverability. Heartbleed earns the highest possible rating in all five categories and, for a few of them, is the worst bug to ever affect the web.

What can I do to stay safe?

Assume that any information you send to a website can be seen by an attacker unless and until you get confirmation from the owner of the website that the exploit is fixed. At this point a majority of sites appear to be patched and, thus, safe to use, but you shouldn’t assume that a site is safe until you confirm with the owner. When in doubt, call their customer service or tech support lines and inquire directly about Heartbleed.

DO NOT send any information you wouldn’t want to be known by the entire world to a website unless you have confirmed that the website is fixed.

Please note, this exploit affects sites that use HTTPS to secure traffic (that little lock icon you see in the address bar of some browsers). It so severely damages the security of these websites that it makes them WORSE than normal, non-secure sites.

I used an affected website before it was patched. How fucked am I?

Unfortunately, it’s impossible to tell. It could be that no one was using the exploit at the time you were using the site. Or that they didn’t happen to read memory containing your private information. Or the server may not have had any of your information in memory at the time the attacker was using the exploit. You might be fine.

Or you might be completely hosed. The attacker might have every piece of information you’ve ever given that website, including SSN, credit card details, addresses, the contents of your middle school diary, etc.

It’s literally impossible to tell, which is part of what makes Heartbleed so insidious.

What now?

As I mentioned, a fix is available for Heartbleed and most site owners are working as fast as they can to patch their systems. Some, however, don’t really understand just how urgent this exploit is. If you don’t know if a website is safe, assume it isn’t until you hear from the site owner that they’ve fixed their systems. Don’t hesitate to call their tech support or customer service numbers. Once a website is safe to use again, it might be a good idea to change your password.

I have more questions!

There’s tons of good info on the web about the bug. Unfortunately a lot of it is intended for a highly technical audience. If you have questions that you can’t find answers for via Google, feel free to post them to the comments and I’ll try to post non-tech answers to them to the best of my ability.

Update #1 – 2014.4.11

BDaddy in comments makes the excellent point that one way to limit damage from bugs like this is to use a different password for every website. That way, if an attacker manages to get your password for one website, they can’t use it to access your accounts on other websites. There are a number of tools and services that can help with this. I personally like LastPass, but there are a number of other solutions as well.

Additionally, I forgot to mention that it’s probably a good idea to change your passwords for websites that you use after you’ve determined that they’re patched against Heartbleed. I’ve updated the “What now?” section accordingly.

I’ve also updated the “Overview” section with a link to this excellent XKCD comic explaining the attack by analogy.

“Salvation will come and break our hearts”

MØ, “Dust Is Gone (Night Version)” from her excellent No Mythologies to Follow album.

Pace and Spin

There are certain essays that I keep coming back to time and again. I’m not usually one to reread novels or short stories, but I have a stable of essays that I read yearly, if not more often. I reread them to savor the text, but also to glean more of what they have to teach. I read them both as devotion and as education.

It will surprise no one who knows me that many of these recurrent essays are by David Foster Wallace.

One of them is his 2006 essay, “Federer Both Flesh and Not”. On the surface, it’s about Federer’s win at the 2006 Wimbledon Men’s tournament. It’s also about beauty, experience, and the impossibility of understanding ourselves or others. It’s the closest I’ve read in a long time to an operative proof of the divine.

More concretely, the essay is a wonderful crash course in many things, of which these five struck me most keenly on my most recent re-reading.

First is Tennis. Despite being the subject of the essay, though, Tennis is both the least interesting and least important thing about it.

Second is how to appreciate the beauty in a thing you may not, yourself, even really like. Despite two ill-fated years in Tennis myself in High School, I can’t claim to be a fan of the sport. But Wallace speaks with such glowing grace about Federer’s skill and strategy that one can’t help but marvel at the beauty of the man’s game. If you don’t like sports, this essay probably won’t change your mind, but it might make you more tolerant of those that do. It can, if nothing else, give incandescent expression to the passion they possess, but you lack. Wallace, here, plays the role of the fiery Baptist preacher, hypnotizing even the unbeliever.

Third is how to craft an impeccable essay from the materials at hand. Every word, notion, comment, and footnote is in exactly the right place. Even seemingly cast aside details turn out to be of critical importance. And in the end, even the oblique commentary about the sick child flipping a coin to decide first serve ends up driving home the critical point.

Fourth, it is the single finest lesson in phenomenology available. No essay articulates the role and scope of human experience in our daily lives better than this. Being and Time might be a brilliant work, but a careful study of “Federer Both Flesh and Not” is almost as complete, equally as true, and vastly more compelling. Wallace’s discussion of three perspectives of pace alone is worth the first three weeks of any graduate seminar on the topic. Wallace’s description of Federer’s effortless drives and unconscious, intuitive play; his exegesis on the micrometer, microsecond decisions that go into making the right shot; and his thorough analysis of the experience of a hissing power drive, do more than two hundred pages of Husserl or Heidegger to tell you about the singular importance of perception.

Finally, Wallace’s awe at the being of light that is Federer well encapsulates the majesty of the rare mutant creatures that mankind sometimes produces. Federer is a species unto himself, just as Paul Erdős, Hunter S Thompson, or Juan Manuel Fangio were. Just as, in his own tragic way, David Foster Wallace was. The capstone of the essay sets Federer off against poor little William Caines, the coin tosser and survivor of liver cancer. This dichotomy neatly sums an ontology, metaphysics, and theosophy that underlies the rest of the essay. Namely, whatever you think of God, he created both cancer-wracked little boys, and the flesh-and-light glory of Roger Federer.

In a way, that dichotomy could only have been articulated by someone like Wallace. Someone who, we would come to learn two years later, lamentably embodied both extremes.

“These Twin City kisses, they sound like clicks and hisses”

Jaywalking as Magic Trick

Magic tricks are valuable because they define the borders of our map of the possible. They only work if they exist clearly beyond what we understand to be possible, but close enough to the boundaries of it that we can see it from the realm of the everyday. In fact, that’s probably a good abstract definition of magic: anything that happens just outside our mind’s Overton Window. This definition has several pleasing applications, not the least of which is that it explains why magic tricks work on dogs:

But this definition of magic as anything just outside the realm of the possible has more quotidian applications as well. Take, for instance, the bewildered looks I get whilst jaywalking. You see, Seattle, for all its pretensions at grunge iconoclasm, is a worryingly law-abiding town. This has an adverse reaction when combined with a population laden with a communal phobia for confrontation and an urge for conformity you can only get when the entire town is all trying hard to front as the exact same sort of rebel. The end result is punk rockers that won’t even cross against the light on a deserted one-way at four in the morning. Whether their reluctance is purely a fear of the constabulary or whether they’re worried someone might see them, decide that jaywalking is for dorks, and judge them harshly, I can’t say.

One thing is for sure, the furtive glances they shoot me as I stride into the road tell me that this isn’t the same obeisance noted by Olufemi Terry when he described Germany as “…a country, … , in which even anarchists wait for the light to change before crossing the road.”

The average Seattleite’s reluctance to jaywalk has none of the volition or civic-mindedness of those Teutonic anarchists. Rather, it’s bred from a timidity that seems to view jaywalking as beyond the realm of the possible.

And so, about once a week, I’ll walk out into the street and see someone on the opposite curb shoot me with a brief look of wonderment. As if I’m walking on magma, rather than asphalt. Some will then timidly look left, look right, and deciding that if a policeman or a judging peer were to suddenly materialize to accost them they could always point me out as instigator, take a few tremulous steps into the street. Others will just wonder silently until, at long last, the light changes and they can safely proceed.

Most just catch my eye and then sheepishly look away. Not for shame of my jaywalking, mind you, that’s just how people in Seattle react to eye contact. It’s the Seattle way of saying “Howdy, stranger.”

Only once has any one of these onlookers ever spoken to me about my jaywalking. I was crossing Broadway against the light at Pine. In jaywalking-as-magic terms, this is the equivalent of sawing a lady in half and putting her back together again: a pretty common trick, but still one a confident magician can pass off as amazing. As I got to the other side, a young man in baggy sweatshirt and bondage pants glanced at me and said “hey man, cops’ll totally ticket you for that.”

“Pardon?” I said, looking him in the eye.

He muttered something and looked away.

“The reason for which humans have failed to develop a finely built social process assuring continuity and steady quality in leadership is probably that they did not have to. Most human societies are marked by the existence of a surplus above subsistence. The counterpart of this surplus is society’s ability to take considerable deterioration in its stride. A lower level of performance, which would mean disaster for baboons, merely causes discomfort, at least initially, to humans.

The wide latitude human societies have for deterioration is the inevitable counterpart of man’s increasing productivity and control over his environment. Occasional decline as well as prolonged mediocrity–in relation to achievable performance levels–must be counted among the many penalties of progress. A priori it would seem futile, therefore, to look for social arrangements that would wholly eliminate any sort of deterioration of polities and of their various constituent entities. Because of the surplus and the resulting latitude, any homeostatic controls with which human societies might be equipped are bound to be rough.” – Albert O Hirschman, Exit, Voice, and Loyalty

“Forever in debt to your priceless advice”

Kawehi covering Nirvana’s “Heart Shaped Box”

“Cat, run away, you better hope it’s a good day”

Mmmf, dat bass line.


Magic Blue Smoke

House Rules:

1.) Carry out your own dead.
2.) No opium smoking in the elevators.
3.) In Competitions, during gunfire or while bombs are falling, players may take cover without penalty for ceasing play.
4.) A player whose stroke is affected by the simultaneous explosion of a bomb may play another ball from the same place.
4a.) Penalty one stroke.
5.) Pilsner should be in Roman type, and begin with a capital.
6.) Keep Calm and Kill It with Fire.
7.) Spammers will be fed to the Crabipede.