Eagle's Path

Passion and dispassion. Choose two.

Larry Wall

2014-04-11: Accumulated haul

Wow, it's been a while since I've done this. In part because I've not had much time for reading books (which doesn't prevent me from buying them).

Jared Bernstein & Dean Baker — Getting Back to Full Employment (non-fiction)
James Coughtrey — Six Seconds of Moonlight (sff)
Philip J. Davis & Reuben Hersh — The Mathematical Experience (non-fiction)
Debra Dunbar — A Demon Bound (sff)
Andy Duncan & Ellen Klages — Wakulla Springs (sff)
Dave Eggers & Jordan Bass — The Best of McSweeney's (mainstream)
Siri Hustvedt — The Blazing World (mainstream)
Jacqueline Koyanagi — Ascension (sff)
Ann Leckie — Ancillary Justice (sff)
Adam Lee — Dark Heart (sff)
Seanan McGuire — One Salt Sea (sff)
Seanan McGuire — Ashes of Honor (sff)
Seanan McGuire — Chimes at Midnight (sff)
Seanan McGuire — Midnight Blue-Light Special (sff)
Seanan McGuire — Indexing (sff)
Naomi Mitchison — Travel Light (sff)
Helaine Olen — Pound Foolish (non-fiction)
Richard Powers — Orfeo (mainstream)
Veronica Schanoes — Burning Girls (sff)
Karl Schroeder — Lockstep (sff)
Charles Stross — The Bloodline Feud (sff)
Charles Stross — The Traders' War (sff)
Charles Stross — The Revolution Trade (sff)
Matthew Thomas — We Are Not Ourselves (mainstream)
Kevin Underhill — The Emergency Sasquatch Ordinance (non-fiction)
Jo Walton — What Makes This Book So Great? (non-fiction)

So, yeah. A lot of stuff.

I went ahead and bought nearly all of the novels Seanan McGuire had out that I'd not read yet after realizing that I'm going to eventually read all of them and there's no reason not to just own them. I also bought all of the Stross reissues of the Merchant Princes series, even though I had some of the books individually, since I think it will make it more likely I'll read the whole series this way.

I have so much stuff that I want to read, but I've not really been in the mood for fiction. I'm trying to destress enough to get back in the mood, but in the meantime have mostly been reading non-fiction or really light fluff (as you'll see from my upcoming reviews). Of that long list, Ancillary Justice is getting a lot of press and looks interesting, and Lockstep is a new Schroeder novel. 'Nuff said.

Kevin Underhill is the author of Lowering the Bar, which you should read if you haven't since it's hilarious. I'm obviously looking forward to that.

The relatively obscure mainstream novels here are more Powell's Indiespensable books. I will probably cancel that subscription soon, at least for a while, since I'm just building up a backlog, but that's part of my general effort to read more mainstream fiction. (I was a bit disappointed since there were several months with only one book, but the current month finally came with two books again.)

Now I just need to buckle down and read. And play video games. And do other things that are fun rather than spending all my time trying to destress from work and zoning in front of the TV.

2014-04-11: Review: Cryptography Engineering

Review: Cryptography Engineering, by Niels Ferguson, et al.

Publisher Wiley
Copyright 2010
ISBN 0-470-47424-6
Format Kindle
Pages 384

Subtitled Design Principles and Practical Applications, Cryptography Engineering is intended as an overview and introduction to cryptography for the non-expert. It doesn't dive deeply into the math, although there is still a fairly thorough mathematical introduction to public-key cryptography. Instead, it focuses on the principles, tools, and algorithms that are the most concretely useful to a practitioner who is trying to design secure systems rather than doing theoretical cryptography.

The "et al." in the author summary hides Bruce Schneier and Tadayoshi Kohno, and this book is officially the second edition of Practical Cryptography by Ferguson and Schneier. Schneier's name will be familiar from, among other things, Applied Cryptography, and I'll have more to say later about which of the two books one should read (and the merits of reading both). But one of the immediately-apparent advantages of Cryptography Engineering is that it's recent. Its 2010 publication date means that it recommends AES as a block cipher, discusses MD5 weaknesses, and can discuss and recommend SHA-2. For the reader whose concern with cryptography is primarily "what should I use now for new work," this has huge benefit.

"What should I use for new work" is the primary focus of this book. There is some survey of the field, but that survey is very limited compared to Applied Cryptography and is tightly focused on the algorithms and approaches that one might reasonably propose today. Cryptography Engineering also attempts to provide general principles and simplifying assumptions to steer readers away from trouble. One example, and the guiding principle for much of the book, is that any new system needs at least a 128-bit security level, meaning that any attack will require 2^128 steps. This requirement may be overkill in some edge cases, as the authors point out, but when one is not a cryptography expert, accepting lower security by arguments that sound plausible but may not be sound is very risky.

Cryptography Engineering starts with an overview of cryptography, the basic tools of cryptographic analysis, and the issues around designing secure systems and protocols. I like that the authors not only make it clear that security programming is hard but provide a wealth of practical examples of different attack methods and failure modes, a theme they continue throughout the book. From there, the book moves into a general discussion of major cryptographic areas: encryption, authentication, public-key cryptography, digital signatures, PKI, and issues of performance and complexity.

The in-depth discussion starts with chapters on block ciphers, block cipher modes, hash functions, and MACs, which together form part two (message security). The block cipher mode discussion is particularly good and includes algorithms newer than those in Applied Cryptography. This part closes with a walkthrough of constructing a secure channel, in pseudocode, and a chapter on implementation issues. The implementation chapters throughout the book are necessarily more general, but for me they were one of the most useful parts of the book, since they take a step back from the algorithms and look at the perils and pitfalls of using them to do real work.

The third part of the book is on key negotiation and encompasses random numbers, prime numbers, Diffie-Hellman, RSA, a high-level look at cryptographic protocols, and a detailed look at key negotiation. This will probably be the hardest part of the book for a lot of readers, since the introduction to public-key is very heavy on math. The authors feel that's unavoidable to gain any understanding of the security risks and attack methods against public-key. I'm not quite convinced. But it's useful information, if heavy going that requires some devoted attention.

I want to particularly call out the chapter on random numbers, though. This is an often-overlooked area in cryptography, particularly in introductions for the non-expert, and this is the best discussion of pseudo-random number generators I've ever seen. The authors walk through the design of Fortuna as an illustration of the issues and how they can be avoided. I came away with a far better understanding of practical PRNG design than I've ever had (and more sympathy for the annoying OpenSSL ~/.rnd file).

The last substantial part of the book is on key management, starting with a discussion of time and its importance in cryptographic protocols. From there, there's a discussion of central trusted key servers and then a much more comprehensive discussion of PKI, including the problems with revocation, key lifetime, key formats, and keeping keys secure. The concluding chapter of this part is a very useful discussion of key storage, which is broad enough to encompass passwords, biometrics, and secure tokens. This is followed by a short part discussing standards, patents, and experts.

A comparison between this book and Applied Cryptography reveals less attention to the details of cryptographic algorithms (apart from random number generators, where Cryptography Engineering provides considerably more useful information), wide-ranging surveys of algorithms, and underlying mathematics. Cryptography Engineering also makes several interesting narrowing choices, such as skipping stream ciphers almost entirely. Less surprisingly, this book covers only a tiny handful of cryptographic protocols; there's nothing here about zero-knowledge proofs, blind signatures, bit commitment, or even secret sharing, except a few passing mentions. That's realistic: those protocols are often extremely difficult to understand, and the typical security system doesn't use them.

Replacing those topics is considerably more discussion of implementation techniques and pitfalls, including more assistance from the authors on how to choose good cryptographic building blocks and how to combine them into useful systems. This is a difficult topic, as they frequently acknowledge, and a lot of the advice is necessarily fuzzy, but they at least provide an orientation. To get much out of Applied Cryptography, you needed a basic understanding of what cryptography can do and how you want to use it. Cryptography Engineering tries to fill in that gap to the point where any experienced programmer should be able to see what problems cryptography can solve (and which it can't).

That brings me back to the question of which book you should read, and a clear answer: start here, with Cryptography Engineering. It's more recent, which means that the algorithms it discusses are more directly applicable to day-to-day work. The block cipher mode and random number generator chapters are particularly useful, even if, for the latter, one will probably use a standard library. And it takes more firm stands, rather than just surveying. This comes with the risk of general principles that aren't correct in specific situations, but I think for most readers the additional guidance is vital.

That said, I'm still glad I read Applied Cryptography, and I think I would still recommend reading it after this book. The detailed analysis of DES in Applied Cryptography is worth the book by itself, and more generally the survey of algorithms is useful in showing the range of approaches that can be used. And the survey of cryptographic protocols, if very difficult reading, provides tools for implementing (or at least understanding) some of the fancier and more cutting-edge things that one can do with cryptography.

But this is the place to start, and I wholeheartedly recommend Cryptography Engineering to anyone working in computer security. Whether you're writing code, designing systems, or even evaluating products, this is a very useful book to read. It's a comprehensive introduction if you don't know anything about the field, but deep enough that I still got quite a bit of new information from it despite having written security software for years and having already read Applied Cryptography. Highly recommended. I will probably read it from cover to cover a second time when I have some free moments.

Rating: 9 out of 10

2014-04-07: Review: With Charity for All

Review: With Charity for All, by Ken Stern

Publisher Anchor
Copyright November 2013
ISBN 0-307-74381-0
Format Trade paperback
Pages 244

I've been reading a lot lately about how to measure charitable organizations and where best to give your money, which has already prompted a rethinking of which organizations I want to support. Most of that has been shorter, on-line blog posts, but I've been wanting a deeper analysis. This is the first of a couple of books I've found on the topic. (The second, an analysis of microfinance, is waiting for me to have more time to read.)

For this kind of book, the background of the author matters a lot. Stern was the former CEO of National Public Radio for eight and a half years, so he has practical experience in the business side of non-profits. He's credited with improving NPR's financial position and management and oversaw an era of rapid growth. In With Charity for All, he speaks frankly about his own personal experiences as well as his research. My impression is that he's typical of competent business managers of non-profits: not particularly radical, focused mostly on business issues, and the sort of person that a non-profit needs to turn a mission or cause into a sustainable organization.

It's worth noting in advance that With Charity for All is specifically about the United States charitable sector and US laws and approaches. Some of this may generalize to other countries, but non-profit and charity law is very different between different countries, and the US attitude towards government, non-profits, and the appropriate division of responsibilities between them often doesn't match the prevailing view elsewhere. This book may well be interesting to people outside the US, but only if they're curious about the US charitable sector.

The short summary of the message of this book is that we're not getting our money's worth out of charity, either as donors or as taxpayers who are indirectly subsidizing these organizations. This is not (usually) due to any outright fraud, although there certainly is some of that due to the almost total lack of oversight of charitable organizations. Rather, it's the result of a complex combination of history and institutional momentum, focus on the aspects of a charity that play well to potential donors, a concerted effort at feel-good marketing, well-intentioned but misguided donor dictates, adoption of approaches and business practices from the for-profit sector, and, above everything else, the almost complete absence of evidence-based evaluation of charities.

Evidence-based evaluation is currently a hot trend among charities. I heard about this book via one of the organizations that is focusing on this (GiveWell). This is not what sites like Charity Navigator do, and indeed Stern talks at some length about the serious limitations of the Charity Navigator approach. All that sites of that type can do is look at spending breakdowns. Stern makes a strong argument that a focus on reducing overhead, as measured by those financial forms, is misguided and leads to very ineffective and unorganized charities. Worse, all Charity Navigator can tell you is if the charity is spending money on something they declare to be in line with their goal, not whether that money did any good whatsoever.

The short and depressing news is that most of that money does little or no good, and worse, that most charities have no systematic way of measuring whether it does any good.

I'm particularly interested in how to ground charities in more concrete evidence, and Stern's discussion does not disappoint. But one of the things I liked about the book is that he doesn't stop there. Other topics include the dizzying variety of charities and the resulting confusion and dispersion of resources, the non-profits that are practically indistinguishable from for-profit companies except that they get huge tax breaks (sports organizations, as you might expect, are probably the worst offenders, but Stern has harsh commentary on the US hospital system), the mess of compensation in the non-profit sector, and the serious problems created by major donors who want to get directly involved and oversee how their money is spent. All of these topics are fascinating, if a bit depressing in the aggregate.

As is typical for a book of this sort, it's a lot easier to see the problems than to describe the solutions. Stern does try to offer his own prescriptions, most of which are variations on more oversight: more regulation, more effort put into measuring results, more concrete standards for success or failure, and a stronger culture of treating tax-exempt status as a privilege, not a right, that has to be defended by showing clear social benefit. I'm convinced those steps would be helpful, although less convinced that we're able to get there from here. One of his ideas I am already using on a small scale: pooling charitable donations with professional evaluators who can take the time to look deeper than financial breakdowns and do some independent measurement of results, or at least survey relevant studies done by others and possibly demand more be done. This model of a mutual fund for charitable giving has some promise, I think (more than a managed mutual fund, in fact), and is very similar to what GiveWell is doing.

This is an advocacy book, and one that's primarily focused on concrete, measurable deliverables and on the finances. There are a few places where I have reason to be dubious of the black-and-white conclusions Stern draws. For example, he makes much of the bill collecting practices of charitable hospitals, which I agree is a travesty, but doesn't mention that non-profit hospitals produce better health outcomes. I'm also not sure his analysis is as directly applicable to advocacy organizations, where measuring success is a much more challenging proposition. I think the Southern Poverty Law Center is one of the best charities in the United States (admittedly based largely on gut feeling and presentation), but the nature of their work is not amenable to the style of analysis that Stern is doing here. It's therefore worth taking this book with a grain of salt.

But, that said, Stern's conclusions are in line with things I've read elsewhere. I think he's pointing in the right direction, and I would recommend this book to anyone who gives regularly to charity. Hopefully it won't just cause you to stop. There are charities out there that are trying hard to measure their results and ensure they deliver social value for the money that we give them. Our system just doesn't support them very well, yet.

Rating: 8 out of 10

2014-04-06: Review: Fantasy & Science Fiction, September/October 2011

Review: Fantasy & Science Fiction, September/October 2011

Editor Gordon van Gelder
Issue Volume 121, No. 3 & 4
ISSN 1095-8258
Pages 258

Another review of a magazine that I finished quite some time ago. Apologies for any inaccuracies or lack of depth in the reviews.

There wasn't much in Charles de Lint's reviews in this issue that interested me, but Michelle West covers a great selection of books. Two of them (The Wise Man's Fear and The Quantum Thief) are already on my to-read list; the third, The Postmortal, sounded interesting and would go on my list to purchase if I didn't already have so many good books I've not read. Otherwise, this issue is short on non-fiction. The only other essay entry is a film review from Kathi Maio, which is the typical whining about all things film that F&SF publishes.

"Rutger and Baby Do Jotenheim" by Esther M. Friesner: Baby is a former pole dancer with a toy poodle named Mister Snickers, which warns you right away that this story is going to involve a few over-the-top caricatures and more use of the word "piddle" than one might ideally want. Rutger is a mythology professor who tolerates her for the standard reasons in this sort of pairing. They're travelling across country to Baby's sister's wedding when their car breaks down in Minnesota, prompting an encounter with frost giants.

As you might expect, this is a sort of fractured fairy tale, except based on Norse mythology instead of the more typical Grimm fare. The fun is in watching these two apparent incompetents (but with enough knowledge of mythology to clue in the reader) reproduce the confrontation between Thor and Utgard-Loki. The fight with old age is particularly entertaining. If you've read any of Friesner's other stories, you know what to expect: not much in the way of deeper meaning, but lots of fun playing with stereotypes and an optimistic, funny outcome. Good stuff. (7)

"The Man Inside Black Betty" by Sarah Langan: This story comes with a mouthful of a subtitle: "Is Nicholas Wellington the World's Best Hope?" It's also a story that purports to be written by a fictional character, in this case one Saurub Ramesh (with Langan credited as having done "research"). It's told in the style of first-person journalism, relating the thoughts and impressions of Ramesh as he interviews Nicholas Wellington. The topic is Black Betty: a black hole above Long Island Sound. Wellington is a scientific genius and iconoclast with radical theories of black holes that contradict how the government has been attempting to deal with Black Betty, unsuccessfully.

The structure here was well-handled, reminding me a lot of a Michael Lewis article during the financial collapse. Langan has a good feel for how journalism of this type mixes personalities, politics, and facts. But it's all setup and no story. We get some world building, and then it's over, with no resolution except pessimism. Meh. (4)

"A Borrowed Heart" by Deborah J. Ross: Ross starts with the trappings of urban fantasy transplanted into a Victorian world: supernatural creatures about, a protagonist who is a high-class prostitute, and sex and a succubus by the second page. It evolves from there into a family drama and an investigation, always giving the reader the impression that a vampire will jump out at any moment. But the ending caught me entirely by surprise and was far more effective due to its departure from the expected path. Well done. (7)

"Bright Moment" by Daniel Marcus: The conflict between terraforming and appreciation for the universe as we find it is an old story pattern in science fiction, and Marcus doesn't add much here. I think the story would have been stronger if he'd found a way to write the same plot with a pure appeal to environmental beauty without the typical stakes-raising. But he does sprinkle the story with a few interesting bits, including a pod marriage and a futuristic version of extreme sports as a way of communing with nature. (6)

"The Corpse Painter's Masterpiece" by M. Rickert: This is typical of my reaction to a Rickert story: shading a bit too much towards horror for me, a bit too cryptic, well-written but not really my thing. It's about a corpse painter who does the work of an informal mortician, improving the appearance of bodies for their funerals, and the sheriff who brings him all the dead bodies. It takes an odd macabre twist, and I have no idea what to make of the ending. (4)

"Aisle 1047" by Jon Armstrong: Armstrong is best known for a couple of novels, Grey and Yarn, which entangle their stories in the future of marketing and commerce. One may be unsurprised, then, that this short story is on similar themes, with the intensity turned up to the parody point. Tiffan3 is a department-store saleswoman, spouting corporate slogans and advertising copy while trying to push customers towards particular products. The story follows the escalation into an all-out brand war, fought with the bubbly short-cut propaganda of a thirty-second commercial. For me, it fell awkwardly between two stools: it's a little too over-the-top and in love with its own bizarre alternate world to be effective satire, but the world is more depressing than funny and the advertising copy is grating. More of a curiosity than a successful story, I think. (5)

"Anise" by Chris DeVito: Stories that undermine body integrity and focus on the fascinated horror of violation of physical boundaries aren't generally my thing, so take that into account in this review.

Anise's husband died, but that's not as much of a problem as it used to be. Medical science can resurrect people via a sort of permanent, full-body life support system, making them more cyborg than human. "Anise" is about the social consequences of this technology in a world where a growing number of people have a much different relationship with their body than the typical living person today. It's a disturbing story that is deeply concerned with the physical: sex, blood, physical intimacy in various different forms, and a twisted type of psychological abuse. I think fans of horror will like this more than I did, although it's not precisely horror. It looks at the way one's perception of self and others can change by passing through a profound physical transformation. (5)

"Spider Hill" by Donald Mead: I liked this story a lot better. It's about witchcraft and farm magic, about family secrets, and a sort of coming-of-age story (for a girl rather than a boy, for once). The main character is resourceful, determined, but also empathetic and aware of the impact of her actions, which made her more fun to read about. I doubt I'll remember this for too long, but when skimming through it again for a review, I had fond memories of it. (6)

"Where Have All the Young Men Gone?" by Albert E. Cowdrey: Cowdrey in his paranormal investigation mode, which I like better than his horror mode. For once, the protagonist isn't even a lower-class or backwoods character. Instead, he's a military historian travelling in Austria who runs across a local ghost story. This is a fairly straightforward ghost investigation that follows a familiar path (albeit to an unusual final destination), but Cowdrey is a good story-teller and I liked the protagonist. (7)

"Overtaken" by Karl Bunker: This is the sort of story that delivers its moral with the force of a hammer. It's not subtle. But if you're in the right mood for that, it's one of the better stories of its type. It's about a long-journey starship, crew in hibernation, that's overtaken by a far newer and faster mechanized ship from Earth that's attempting to re-establish contact with the old ships. The story is a conversation between the ship AIs. Save this one until you're in the mood for an old-fashioned defense of humanity. (8)

"Time and Tide" by Alan Peter Ryan: Another pseudo-horror story, although I think it's better classified as a haunting. A wardrobe recalls a traumatic drowning in the childhood of the protagonist. As these things tend to do in stories like this, reality and memory start blurring and the wardrobe takes on a malevolent role. Not my sort of thing. (3)

"What We Found" by Geoff Ryman: Any new Geoff Ryman story is something to celebrate. This is a haunting story on the boundaries between the scientific method and tribal superstition, deeply entangled with the question of how one recovers from national and familial trauma. How can we avoid passing the evils and madness of one generation down to the next? Much of the story is about family trauma, told with Ryman's exceptional grasp of character, but the science is entangled in an ingenious way that I won't spoil.

As with Air, this is in no way science fiction. The science here would have fascinating and rather scary implications for our world, but clearly is not how science actually works. But as an insight into politics, and into healing, I found it a startlingly effective metaphor. I loved every bit of this. By far the best story of the issue. (9)

Rating: 7 out of 10

2014-04-06: control-archive 1.6.1

control-archive is the software that maintains the archive of Usenet control messages and the "canonical" list of newsgroups maintained on ftp.isc.org. There's nothing particularly exciting in this release, but there were some accumulated metadata changes and it had been nearly a year since the previous release.

This is one of my few packages that uses a three-part version number, since I figured there would be metadata-only releases and wanted a way to designate those. And then, of course, I almost always made code changes. So this is only the second metadata-only release (which is part of why I did a release now, to be honest).

At some point, I still want to rewrite the underlying signature validation code and then redo all the code in this package to match my current coding style and be quite a bit cleaner. But the hours to do projects like that aren't particularly forthcoming at the moment.

You can get the latest release from the control-archive distribution page.

2014-03-31: Review: Asimov's, September 2011

Review: Asimov's Science Fiction, September 2011

Editor Sheila Williams
Issue Volume 35, No. 9
ISSN 1065-2698
Pages 112

Due to various other life priorities, it's been quite a while since I read this magazine. Let's see if I can remember the contents well enough to review it properly.

The editorial this issue was about the Readers' Awards. Vaguely interesting, but Williams didn't have much to add beyond announcing the winners. I'm very happy to see Rusch's "Becoming One with the Ghosts" win best novella, though.

The Silverberg column was more interesting: some musings and pop history about the Japanese convention of a retired emperor and how that fit into national politics. Di Filippo's book review column is all about short story collections, continuing the trend of Di Filippo mostly being interested in things I don't care about.

"The Observation Post" by Allen M. Steele: A bit of alternate history set during the Cuban Missile Crisis, but with airships. The protagonist was a radioman aboard a blimp that was patrolling the ocean for Russian vessels sailing to Cuba. A storm forces them down on an island, resulting in an encounter with some claimed tourists who may be Russian spies.

The SFnal twist is unlikely to come as much surprise to an experienced reader, and the barb at the end of the story suffers from the same problem. I appreciate the ethical dilemma, but I've also seen it in lots of stories and have a hard time getting fully invested in another version of it. But the story is otherwise competently written. (6)

"D.O.C.S." by Neal Barrett, Jr.: Everyone has an author or two that they just don't get. Barrett is one of mine, although this story is a bit less surreal than most of his. I'm fairly sure it's an odd twist on the "death panel" conspiracy theory given a fantastic twist, but it's not entirely forthright about what's going on. Possibly of more interest to those who like Barrett better. (5)

"Danilo" by Carol Emshwiller: Emshwiller's stories are always distinctive and not quite like anyone else's, involving odd outsiders and their attempts to make sense of their world. This one involves, as is common, an out-of-the-way village. Lewella claims that she's going to be married to a stranger from the north. No one believes her, although they give her bridal gifts anyway, and then one day she takes her gifts and leaves. The protagonist follows her, to look after her. The rest of the story walks the boundary that Emshwiller often walks, leaving the reader unsure whether the characters are in touch with some deeper reality or insane and suffering, but the ending is even more ambiguous than normal and, at least for me, entirely unsatisfying. (4)

"Shadow Angel" by Erick Melton: This is another retread of an old SF idea. This time, it's that piloting through hyperspace involves alternate modes of consciousness and has profound effects on the pilot. The risk of this sort of story is that it turns hallucinatory and a bit incoherent, and I think that happened here. I like the world-building; the glimmers of future politics and trade and the way he weaves alternate timelines into the story caught my interest. But the story wasn't quite coherent enough (although part of this may be reviewing it quite some time after I originally read it). Promising, but not clear, and without quite enough agency for the protagonist. (6)

"The Odor of Sanctity" by Ian Creasey: I found this story more memorable. The conceit is that a future society has developed technology that allows the capture and replay of scents, which has created a huge market for special scent experiences and the triggering of memories. The story is set in the Philippines and revolves around a Catholic priest who takes the mission to the poor seriously. He's dying, and several people wonder if it is possible to capture the mythical odor of sanctity: the sweet scent said to follow the death of a saint rather than the normal odor of human death.

Creasey handles this idea well, blending postulated future technology, the practical and cynical world of the poor streets, and a balance between mystical belief and practical skepticism. Nothing in the story is that surprising, but I was happy with the eventual resolution. (7)

"Grandma Said" by R. Neube: This story's protagonist is a cleanser on a frontier planet made extremely dangerous by a virulent alien fungus. It is almost always fatal and very difficult to eradicate. Vic's job is to completely sanitize anything that had been in contact with a victim and maintain the other rules of strict quarantine required to keep the fungal infection from spreading uncontrolled. Neube weaves world-building together with Vic's background and adds a twist in the form of deeply unhealthy responses to the constant stress of living near death. Well told, if a bit disturbing. (7)

"Stalker" by Robert Reed: Reed has a knack for fascinating and disturbing stories, and this is an excellent example of the type. The protagonist is a manufactured companion who is completely devoted to its owner. Their commercial name is Adorers, but everyone calls them Stalkers. In this case, the protagonist's owner is a serial rapist and murderer; given that, and given how good Reed is at writing these sorts of stories, you can probably imagine how chilling it is. As usual, there is a sharp barb in the ending, and not the one I was expecting. Good if you can handle the graphic violence and disturbing subject material. (7)

"Burning Bibles" by Alan Wall: This is an interesting twist on the spy thriller. A three-letter agency in charge of investigating possible terrorist plots becomes suspicious after a warehouse of Bibles burns in mysterious circumstances. The agent they send in is a deaf-mute with special powers of intuition. This prompted some eye-rolling, and there's a lot of magic disability powers here to annoy, but it's played mostly straight after that introduction. The rest is a fairly conventional spy story, despite special empathic powers, but it's one I enjoyed and thought was fairly well-written. (7)

Rating: 6 out of 10

2014-03-30: Review: Sundiver

Review: Sundiver, by David Brin

Series: Uplift #1
Publisher: Bantam
Copyright: February 1980
Printing: September 1995
ISBN: 0-553-26982-8
Format: Mass market
Pages: 340

Sundiver is the first book of Brin's Uplift series, which I think it's fair to say are the books that made his reputation as an author. It's less well-known than the later sequels Startide Rising and The Uplift War for reasons that I'll get into in a moment. This was a re-read; I've read the first Uplift series before (and Startide Rising separately before that), but not in many years, and I wanted to re-read them and review them. I haven't finished doing that yet, several months after I re-read Sundiver, largely because this book wasn't as enjoyable as I remembered.

The Uplift series is set in a heavily populated galaxy with a multitude of alien races. It follows the SF alien life pattern where the galaxy was well-populated and fully developed long before humans discovered it. The Earth is a relatively obscure backwater, and humans are expected to adapt to and follow the rules and restrictions that the other races had long since established. This primarily means a complex and very formal system of caste and patronage: species brought to sapience by the technology of their patrons are expected to serve their patron races for millennia, and one's status in the galaxy is determined by the length of those patronage chains and the number of species one has fostered in turn.

As is typical for stories of this sort, humans break the rules in unexpected ways. They have no known patrons, having apparently evolved sapience entirely on their own (although the galactic races are quite dubious of this theory). And they have uplifted two species to sapience (chimpanzees and dolphins) before their discovery by the rest of galactic civilization, although in fairly primitive ways and not properly by galactic standards.

Set against this background, Sundiver is a science fiction puzzle story of a fairly old style. The protagonist, Jacob Demwa, is a scientific investigator who retired after a tragedy that killed his love. He's recruited out of that retirement and into this plot by an alien who is sympathetic to humans. A human exploration mission into the chromosphere of the Sun, treated as ridiculous by most of the galactics since the shared Library Institute certainly contains more information about stars than human technology could possibly uncover, has found strange and apparently sapient creatures living there: flocks of cattle-like creatures that are apparently being herded. There is no reference to such star-dwellers in the Library, which raises the possibility that humans have discovered something novel. That would be quite a coup against the galactics. But after the destruction of one of the solar exploration ships, it starts looking like these creatures are hostile.

Jacob reminded me of a mix between a Larry Niven short story protagonist, working through the practical impact of a physics puzzle, and Isaac Asimov's Elijah Baley. What exactly is going on, both scientifically and politically, remains unclear for nearly the entire book. Both Jacob and the reader are constantly forming and then discarding hypotheses as events overtake them. The stakes are more interesting than a lot of science fiction novels: rather than survival or war, the stakes are prestige, influence, and status, with subtle but possibly vital effects on what position humans will take among the other species of the galaxy.

All this sounds promising, and is why I remembered this book fondly. Unfortunately, re-reading it was a disappointing experience on several fronts.

First, the characterization varies between trite and stereotyped. The aliens suffer from the standard alien characterization problem: each of them is an exemplar of their species, and all of the aliens feel like archetypes. While there are some twists in the inter-alien politics, one never gets a sense of the aliens as varied and complex societies in their own right.

The humans are more varied, but that primarily means varieties of irritating. The worst is Peter LaRoque, a journalist who is set up as a villain of the story, and who is such an unremitting and over-the-top stereotype of everything possibly bad about journalists (and French people) that every scene containing him felt like someone scraping fingernails on a chalkboard. The other characters are a bit better, but not by much. Jacob himself has a bizarre, semi-mystical psychological problem from trauma that seems to give his amoral subconscious a life of its own. Brin appears to be setting this up to have major plot significance, but it never made any sense to me, didn't matter much in the end, and seems to mostly be an excuse for Jacob's hypercompetence.

Sundiver's treatment of female characters also annoyed me enough to be worth a mention. The primary female character, Helene, is clearly intended to be a strong character with her own agency (she's both station commander and a starship captain), and Brin makes a lot of the humans switching to different words than male and female as a sign of a more egalitarian future. But this all feels skin-deep. The inevitable romance is all about Helene's attractiveness and ability to listen to Jacob, her logic is described as unscientific, and I got more and more annoyed by her portrayal as the book went along. She's not entirely without agency in the story, but she's much closer to a damsel in distress than the independent character Brin appeared to be trying for. It's hard to shake the feeling that she's being persistently belittled by the story.

But this is a scientific puzzle story more than a mystery; characterization would be nice, but isn't strictly required. On re-read, the part of Sundiver that annoyed me the most was how much of a letdown the plot resolution was. I'm going to avoid any specific spoilers here, but I found the ending of both quite disappointing and a sign of the major problem with this series as a whole. The setup over-promises and Brin fails to deliver, a pattern that will repeat itself in this series.

We get tantalizing hints of a new solar species, of revelations about the past of humanity, of deep galactic politics, and of vast knowledge contained in the Library that humans don't yet have access to. We get superficial archetypes for characters, politics that seem more like the bickering of children, plot twists that persistently take the story in more mundane and less interesting directions, and a sense of wonder, or lack thereof, that feels more like a Scooby Doo story than what I expect from science fiction. Some of the plot twists are unexpected and almost add some interest to the story, but don't make enough sense in the context of the story to be satisfying. And, of course, there's a climactic action sequence involving physical combat, as is required of all good Star Trek (original series) episodes. (I was waiting for Jacob's shirt to fall off.)

The problem I have always had with Brin as a writer is that his ideas are far better than his ability to write characters and plots. In the hands of a better author, the Uplift universe background has so much potential. And I think Brin is a better author a few years later; my recollection is that both Startide Rising and The Uplift War do a better job of delivering on their promises. But Sundiver is deservedly forgettable. The good ideas rarely go anywhere beyond the obvious, the characters are irritating and often don't make sense, and the story is disappointing. I can't say I'm sorry to have read it, since my memory edited it down into a much better story, but I can only recommend it as background for later, better books.

Rating: 4 out of 10

2014-03-26: krb5-strength 3.0

krb5-strength is the password strength checking code that we use at Stanford for our primary Kerberos realm.

We've had quite a lot of difficulty deciding exactly what password strength checking we want to do and how we want to handle password history. The good part is that this is to the advantage of everyone else, since now more flexible password strength checking code is available.

The major change in this release is the addition of a password history implementation for Heimdal. Implemented as an external password quality check program, it can stack with other password quality check programs, such as the one included in this distribution. Previous passwords are hashed with PBKDF2 with SHA-2. Note that this has somewhat extensive Perl module dependencies, since it was originally written as a separate project.

Also in this release is yet another password dictionary type: SQLite. This is probably a bit slower than straight lookups in CDB, and it's definitely less space-efficient since it stores each word both forward and reversed, but it can reject any password that is within edit distance one of a dictionary word. (Edit distance one means that the word can be formed from the password by adding, removing, or changing a single character.)

The cdbmake-wordlist utility has been renamed to krb5-strength-wordlist and can now generate the SQLite dictionary as well as the CDB dictionary.

Finally, another configuration option has been added: minimum_different. If set, passwords must contain at least this many different characters. This can be used to reject passwords that are long strings of the same character or short repeating patterns, which are otherwise difficult to detect with a straight dictionary-driven approach.
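The two checks described above, the edit-distance-one dictionary lookup and minimum_different, can be sketched as follows. This is an added example, not code from krb5-strength: the table layout, function names, and word list are assumptions made for illustration. It shows why storing each word both forward and reversed helps: a single edit leaves either the first half or the last half of the password intact, so two indexed range queries find every candidate.

```python
import sqlite3

TOP = chr(0x10FFFF)  # highest code point: practical upper bound for a prefix range
SAMPLE_WORDS = ["password", "kerberos", "stanford", "dragon"]  # constructed sample


def build_dictionary(words):
    """Load a word list into SQLite, storing each word forward and reversed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE passwords ("
        " password TEXT UNIQUE NOT NULL,"   # UNIQUE also creates the indexes
        " drowssap TEXT UNIQUE NOT NULL)"   # that the range queries below use
    )
    db.executemany(
        "INSERT OR IGNORE INTO passwords VALUES (?, ?)",
        [(w, w[::-1]) for w in words],
    )
    return db


def one_edit_apart(a, b):
    """True if a equals b or one add, remove, or change turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # at most one changed character
    return a[i:] == b[i + 1:]          # b has exactly one extra character


def dictionary_match(db, password):
    """Return a dictionary word within edit distance one, or None."""
    half = len(password) // 2
    prefix = password[:half]
    xiffus = password[half:][::-1]  # reversed suffix, matched against drowssap
    rows = db.execute(
        "SELECT password FROM passwords"
        " WHERE (password BETWEEN ? AND ?) OR (drowssap BETWEEN ? AND ?)",
        (prefix, prefix + TOP, xiffus, xiffus + TOP),
    )
    for (word,) in rows:
        if one_edit_apart(password, word):
            return word
    return None


def check_quality(db, password, minimum_different=0):
    """Return a rejection reason, or None if the password passes both checks."""
    if len(set(password)) < minimum_different:
        return "too few different characters"
    word = dictionary_match(db, password)
    if word is not None:
        return f"within one edit of dictionary word {word!r}"
    return None


if __name__ == "__main__":
    db = build_dictionary(SAMPLE_WORDS)
    for candidate in ["passw0rd", "xkerberos", "dragn", "pa55word", "abababababab"]:
        print(candidate, "->", check_quality(db, candidate, minimum_different=4))
```

Note that "pa55word" passes the dictionary check because it is two edits away from "password"; edit distance one does not cover multi-character substitutions.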

You can get the latest release from the krb5-strength distribution page.

2014-03-25: rra-c-util 5.4

Further improvements to the shared infrastructure I use for my various packages.

This release adds new Autoconf macros for detecting SQLite. These use the same strategy that I used for libevent, and which I'm slowly adopting for all libraries that support pkg-config. pkg-config is tried first if available, unless the Autoconf flags that point to particular install paths for the library are given. Autoconf then falls back on manual probing.

Also in this release are all the changes to the Perl support modules for test programs and the various generic Perl tests to implement the change that I started in the last Term::ANSIColor release: using the Lancaster Consensus environment variables to control whether tests run when they don't directly test package functionality, and skipping a lot more tests for the average end user who doesn't really care if, say, the POD syntax is correct or all the supporting Perl scripts pass strictness checks.

You can get the latest release from the rra-c-util distribution page.

2014-03-23: Term::ANSIColor 4.03

This is a fairly small Perl module that provides a more convenient interface to the ANSI color escape sequences.

The primary change in this release is interesting for me but not so much for anyone else. It's the first of my core Perl modules that I've converted to Module::Build and to the new Perl test infrastructure that's now maintained in rra-c-util. (Yes, I know that Module::Build is apparently going to be dropped from Perl core, but the package also generates a Makefile.PL for backward compatibility.)

Starting with this release, all my subsequent package releases will start using the Lancaster Consensus environment variables to control whether to run non-default tests (namely AUTOMATED_TESTING, RELEASE_TESTING, and AUTHOR_TESTING). Hopefully this won't cause me too many problems. I'm currently setting AUTHOR_TESTING unconditionally, since I really want to see the results of those tests for all my code, but it's possible that will cause me too many problems with other people's code. (It would have been nice if the spec for AUTHOR_TESTING would let you set the value of the variable to the identity of the author whose tests you want run.)

I like having all my release tests run by automated testing so that I can identify any problems with the code to conditionally skip them, so I enable all the release tests when AUTOMATED_TESTING is set. This is probably peculiar to me.

The other changes in this release are all documentation and test suite fixes. There are no code changes in this release. Thanks to Olivier Mengué and David Steinbrunner for various bug reports.

You can get the latest release from the Term::ANSIColor distribution page.

2014-03-18: WebAuth 4.6.0

I was going to put out some of these changes in a 4.5.6 release late last year, but that didn't happen, and then more things kept coming up. So this release is rather large.

The major new feature is a new WebAuthCookiePath directive for mod_webauth, which allows path-scoped WebAuth cookies so that different portions of a site can maintain separate authentication credentials. There are various caveats, and support will get better later, but it's a beginning.

There are two bug fixes from Benjamin Coddington: WebAuthOptional should now work with Apache 2.4, and internal notes management in the module is now done better, which should prevent some cases where the user was redirected to WebLogin twice. Eventually, the things WebAuth uses notes for should become request context data, but that's for a later change.

There are multiple changes to keyring handling to let mod_webauth and mod_webkdc work properly with the ITK Apache MPM, which allows each virtual host to run as a different user. Previously, all virtual hosts shared one in-memory keyring, which meant leaking authentication keys between virtual hosts. Now, each virtual host gets its own, lazily loaded from the keyring on disk when it's first needed. This allows ITK users to configure separate keyrings for each virtual host. To make this easier, keyring files are now locked for write, and writing a keyring preserves the ownership and permissions if possible.

WebLogin now supports a new remctl-based password change protocol, which I developed for Stanford to work around some problems with kpasswd when a password change takes too long. All the tools for this will eventually be available outside of Stanford when I have a chance to polish them up and release them.

There are a few other, more minor bug fixes. mod_webauth and WebLogin are now more aggressive about telling web browsers to really not cache pages. WebLogin also now uses the authenticated identity returned by the WebKDC for multifactor, since it may have canonicalized the user's identity. The correct template variable is now set when the user doesn't enter a code on the WebLogin multifactor page. Better error messages are returned for invalid principals and unknown realms. The workaround for invalid XML returned by the WebKDC should now actually work. And WebLogin logs a more detailed error message on password change failures.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2014-03-18: rra-c-util 5.3

The lack of journal updates recently is due to a lot of work chaos combined with getting obsessed with various leisure activities (to blunt the work stress) that don't result in public writing. Normalcy seems to be slowly returning, but it will be a while yet.

This release of my collection of utility libraries and scripts only has updates to some of the Perl test infrastructure.

Testing Perl scripts for strictness, warnings, and syntax errors now supports listing a set of modules required for meaningful script testing. This converts failures to skipped tests if the reason for the syntax check failure is that a required module is not installed.

This release also works around two problems with Perl::Tidy 20130922 related to its new log (mis)feature. Perl::Tidy now attempts to create a log file in the current directory whenever it runs unless this is explicitly turned off, and the Perl::Critic policy doesn't know to do that. (Debian bug #742004) I now unlink that file if it exists, after the test completes, and skip the Perl critic testing if the source directory is read-only (since failure to create the log file is treated by Perl::Tidy as a fatal error).

You can get the latest version from the rra-c-util distribution page.

2014-02-28: Review: Air Apparent

Review: Air Apparent, by Mark Monmonier

Publisher: University of Chicago
Copyright: 1999
Printing: 2000
ISBN: 0-226-53423-5
Format: Trade paperback
Pages: 232

Subtitled "how meteorologists learned to map, predict, and dramatize the weather," Air Apparent is a history of weather maps. Mapping the weather is a surprisingly new field, dating only from the early 19th century when a combination of scientific understanding and the ability to combine scattered observations made it practical. They're also a particularly tricky problem since weather is inherently three-dimensional, and even to the present day nearly all of our maps are two-dimensional. Monmonier starts with the earliest observational maps and the attempts to use them for prediction and tracks developments up to the late 1990s, with TV weathermen and (simple) interactive web data viewers.

I got a copy of this book after Paul Krugman mentioned it. I don't know a lot about weather forecasting or weather maps, but I remembered finding the science of weather fronts and maps of them fascinating in high school, and I hoped I'd get the same feeling from this. Unfortunately, I probably need to stop reading Monmonier's books; they always sound interesting, but I don't enjoy reading them.

One thing that's important to know is that this is not a history of meteorology. One can't hold that against the book, of course, because it never claimed to be. But it has just enough of a history of meteorology mixed into its history of map-making to make at least this reader wish he were reading that other book. I like maps, I really do, but I was hoping for either a book that melded a history of the science of weather forecasting with the maps that were used in that science, or a book that dove deep into the effective and ineffective ways to make weather maps (ideally, Edward R. Tufte for maps). This is neither; it's little more or less than a detailed history of the making of weather maps. Each time it gets close to a clear explanation of the underlying meteorology, it finds a map to examine and skips the rest of the explanation.

I kept almost understanding the underlying science, but not enough to really understand the goals of the map makers, or why one presentation was better than another, or how those presentations were used to make forecasts or track weather data. I think I would have found this book more interesting in conjunction with a full history of meteorology, but I suspect that a history of meteorology would include enough about the maps to render this book largely redundant for the casual reader.

The other problem I had with this book is that it's very dry. Monmonier is clearly trying, and clearly cares a lot about his topic, but the book has no flow. I kept getting lost in the barrage of names, arguments over technique, and struggles for government funding. It's hard to put a finger on why the book didn't grab me; the closest I can come is that it's a book stuffed full of facts. Monmonier did exhaustive historical research on weather map making, saved numerous quotes from original documents, and laid it all out chronologically. That's fine if you just want the information, but I was looking to be entertained in the process, and that didn't happen.

I think the problems get worse in the second half of the book, when weather satellites and computers enter the picture and the laborious, manual map-making falls out, although maybe I was just exhausted with the book by then. The early history of weather maps at least has the benefit of showing the logistical struggles behind creating an effective weather service: insufficient observation points, slow communication methods, and the need for skilled map-makers to turn measurements into visual representations. Once computers and satellite photography enter the picture, the science matters even more, and I think the reader needs a better understanding of the underlying science to make sense of the results. Air Apparent has a tendency to provide a brief introduction to the type of data, a detailed chronological history, and then a discussion of the ways of presenting and representing that data, without ever getting the reader to care about the data itself or see how it ties into forecasting.

Part of the problem, I suspect, is that the history of meteorology seems to be full of sensible, careful people who largely did sensible, careful things with the data they had available at the time. This is great for the advancement of science, and not so helpful at making a history engrossing.

I wish I could say that I was glad I read this book for the information, if not the presentation, but unfortunately I didn't retain much. I needed some sort of structure or frame on which to hang all of the specifics, some sense of story or controversy or at least scientific understanding, and I didn't get it. It took me a couple of months to finish this book because I kept setting it down to read other things, and I only finished it out of a combination of stubbornness and knowledge that other people liked it.

If the topic sounds interesting, well, this book exists, and it's gotten several good reviews. But I'm afraid I can't recommend it.

Rating: 4 out of 10

2014-02-07: Things I learn from reading Reddit

I am apparently an Ent.

I think that's one of the nicest things that anyone has said about me this year. I'm feeling quite delighted by it. I'm not sure it's the character from Lord of the Rings that fits me the best, and for personal reasons I have to default to identifying with Gwaihir, but it definitely captures a substantial component of my personality.


2014-02-06: New init system feature!

The Debian Technical Committee has concluded that all of the available init systems were missing a key technical feature, and, in the spirit of free software, has gone ahead and fixed that lack. All init systems currently packaged for Debian can now double as test case generators for Condorcet vote analysis.

I'm not sure if this counts as an NMU.

In the event that the Debian project votes on a General Resolution on the default init system, this blog post should be considered stricken in its entirety and replaced by the most complex email message from Anthony Towns that the reader can find.

Last spun 2014-04-13 from thread modified 2008-08-13