Research Chain E-mails in 30 Seconds

A friend or family member has just forwarded you a wonderful piece of propaganda: It’s filled with inflammatory bare assertions, stirring anecdotes, and a dare to pass it on to everyone you know! And no sources.

1. Find a phrase in the message that’s a) unlikely to appear in anything else on the web, and b) contains minimal or no punctuation.

Bad: “Really important!!! Will take thirty seconds to read+-+-+Aren’t you mad!?!?”

Good: “Many citizens had no idea that members of Congress could retire with the same pay after only one term”

2. Search for the phrase without surrounding quotes.

3. Look for results on sites with names like: Snopes, Urban Legends, Politifact, Truth or Fiction, Hoax Busters, etc.

4. If you can’t find any page debunking your forward, search again with quotes around it, try another phrase, or add “hoax” or “myth” to the search. E.g. the next phrase in the e-mail with “myth” added returns the same top three results, all to myth-busting sites.

If you still can’t find anything, you have scientifically proven the forward to be 100% true! If the message confirms your preexisting beliefs, it must be true.

Chords: The Flaming Lips “All We Have is Now”

[Song on YouTube] All the tabs I could find were crap, so I wrote up a guitar arrangement. The inverted voicings in the choruses made it tough to figure out, but capoing the 2nd fret gets it pretty close.

Capo 2nd fret. / = 1/4 note

  A    3-5-5-4-3-x  (2 bars) As logic stands you couldn't meet a man who's from the
  G#m  2-4-4-2-2-x  (2 bars) future.
  A    3-5-5-4-3-x  (2 bars) But logic broke as he appeared he spoke about the
  G#m  2-4-4-2-2-x  (2 bars) future.
  B    5-7-7-6-5-x  (1 bar)  "We're not gonna
  A    3-5-5-4-3-x  (1 bar)  make it."
  B    5-7-7-6-5-x  (1 bar)  He explained how the
  A    3-5-5-4-3-x  (1 bar)  end will come.
  A    3-5-5-4-3-x  (2 bars) You and me were never meant to be part of the
  G#m  2-4-4-2-2-x  (1 bar)  future.
  B          x-0-7-6-5-x  / /
  Bsus4add9  x-0-x-4-3-x  /
  Bmaj7      x-0-6-6-5-x  /

  Amaj7      3-2-0-0-0-2  (1 bar)     All we
  Dmaj7/F#   0-3-2-0-0-0  (1 bar)  have     is
  C#m7/G#    2-2-4-2-3-2  (1 bar)  now.
  F#7sus4    0-x-2-2-3-x  / /
  F#         0-x-2-1-0-0  / /

  All we've ever had is now.
  All we have is now.

  Amaj7      3-2-0-0-0-2  (1 bar)    All we've
  Dmaj7/F#   0-3-2-0-0-0  (1 bar)  ever had     i-
  G#m7       2-4-2-2-2-2  (2 bars) is now.

  F#m7       0-2-2-0-3-x  (1 bar)
  B7         x-0-2-0-2-0  (1 bar)

  I noticed that he had a watch and hat that looked familiar.
  He was me from a dimension torn free of the future.
  "We're not gonna make it." He explained how the end will come.
  You and me were never meant to be part of the future.


  F#m7       0-7-5-7-x-x  (2 bars)
  Emaj9      x-5-4-6-5-x  (2 bars)
  D9-5       8-x-8-7-7-x  (2 bars)
  A          3-x-0-0-0-3  (2 bars)
  Bm6/F#     0-0-2-2-1-2  (1 bar)
  E7/G#      2-0-0-2-1-2  (1 bar)

  Amaj7      3-2-0-0-0-2  (1 bar)     All we
  Dmaj7/F#   0-3-2-0-0-0  (1 bar)  have     is
  C#m7/G#    2-2-0-2-0-x  (end)    now.
  C#m9       x-2-0-2-2-x  (organ adds D#)
  C#m11      x-2-0-2-2-0  (synth adds F#)

MVC: M != the Database

Great article on the misunderstood scope of the “Model” in the Model-View-Controller architecture. The takehome: Models are commonly thought of as wrappers for database access/stored objects, but application state and business logic need to go in them, too. Otherwise you get bloated controller and/or views that clumsily try to take care of these concerns.

Earlier today I was building a multi-step wizard app—no DB storage—and found my controllers getting messy with session and state handling code. The solution was a Wizard class that encapsulated the steps through the forms and the maintenance/validation of the collected data, but until this article I might not have thought of it as a model.

Zend Framework kinda, sorta has a hack for making a wizard using “subforms” and what makes this an awkward construction is that a view helper is not the best place to maintain the state info that a wizard requires. A “Zend_Wizard” class would need to encapsulate several forms; requirements and behaviors for moving forward and backward through the forms; and methods to inc/dec the step state, fetching the active form injected with session data. Only a single controller would be needed with 2 next/back methods, rather than methods for each step.

In the Elgg plugin ecosystem, there’s very little guidance/emphasis on creating models, so writers rarely encapsulate business logic at all. Instead it becomes spread out amongst controllers and—worse—views. Since views can easily be overridden depending on the order of plugins in a list, business logic can easily be mangled by logic from another plugin. That said, the view system does allow mods to mix behaviors in ways that would be difficult were views to be tied more closely to individual plugin models; a few exemplary mods—that store state and validation in a model rather than the controller/views—might help positively influence the culture.

Bass for Stereolab’s “Miss Modular”

“Miss Modular” has an amazing bass line. It’s probably looped on record, but they play it live…and usually faster than the recording. I’m fairly sure it’s capoed at the 7th fret—that’s how I’ve typed it up here.

Stereolab "Miss Modular"
Capo bass @ 7th fret.
spaces/numbers/hyphens = 1/16th notes.
/ = 1/4 notes.


  /       /       /       /       /
D                       2---
A         4---              4-
E                             4---
B 0-------    0---2-----          0-------------------------------


  /       /       /       /       /       /       /       /
D                       2---
A         4---              4-            4---    4---  2-
E                             4---                          5-2---
B 0-------    0h1h2-----          0-------    0---

  /       /       /       /       /       /       /       /
D                                                 2---
A                 4---  4-- 2-            4---          4-- 2-
E         5---2---            4---                            4---
B 0------/                        2-------    2---


  • Mute all the strings, but mostly the bottom 3.
  • At the beginning of the 3rd measure, by fretting the A on the 2nd string, you can slide the end of the low B up to meet it.
  • Chords are just Bm7 and C#m7 (the brass makes A and C#m9 chords)

Uh-Oh: Firefox’s Unique Session Cookie Behavior

By now, Opera’s invention of restoring tabs automatically is available in most browsers, but unlike every other browser, Firefox’s restored tabs retain session cookies for the domains of the saved tabs Firefox restores all session cookies as if the browser were never closed. This is handy in some ways, but dangerous in others:

It’s fooling web developers by breaking a very old and widely-known convention. Since Netscape’s original spec (around 1994) a cookie with an empty/missing expires was to be discarded “when the user’s session ends” (later clarified as “when the user agent exits” in RFC2109), and thousands of prominent web pages describe “session cookies” this way.

A common session design pattern uses a persistent cookie to establish low-level identity info and a session cookie for full authentication. Developers may not know that their full auth period may be lasting days or weeks, including trips to insecure wifi spots, browsing by multiple users, etc.

It’s fooling users. No one thinks of a single browsing “session” as encompassing several days of browser usage just because the same tabs were open, and users frequently read that they need to simply exit their browser to ensure their session is ended.


  • Be aware that Firefox session cookies can linger for days, despite the user having closed their browser.
  • Manage session timeouts on the server-side and/or via HMAC-signed timestamp values in the cookie contents (don’t let the client decide how long a session should last).
  • If you can, include secure in the cookie header. Firefox does not restore HTTPS session cookies. Realize that in later FF versions, “secure” cookies also are restored.
  • If you give out session cookies with unique names, have your application clean these up when they’re no longer needed. If you don’t, your Firefox users could suffer from…

Cookie Accumulation Torment

This annoying situation occurs when Firefox gains so many local cookies that the web server begins to deny all your requests. Deleting some or all these cookies is the only way to fix the issue because—yay—the problem session cookies persist across browser, and even OS, restarts.

Big Shibboleth Implications

If your Shibboleth-authenticating app maintains its own session, make sure that the “sign out” function searches for and deletes the local Shibboleth cookies (or that the SP sets only “secure” cookies). Otherwise this could happen:

  1. Jane “signs out”, closes Firefox, and lends her computer to Sally.
  2. Sally opens Firefox and clicks “sign in”.
  3. Sally is instantly authenticated into Jane’s account!

Jane’s application session was over, but Firefox allowed her Shibboleth session to live on.

Also, since Shibboleth gives out uniquely-named session cookies (prepended with _shibstate), failing to clean these up will lead Firefox users to the aforementioned torment. If the user has an app open all day every day, count on her gaining at least one cookie per day.

Bash script: recursive diff between remote hosts

This script will generate a recursive, unified diff between the same path on two remote servers. You set the CONNECT1 and CONNECT2 variables as necessary to point to your hosts/paths. Of course, the users you connect as must have read access to the files/directories you’re accessing.


# USAGE: ./sshdiff DIRECTORY
# E.g. ./sshdiff static/css
# Generates a recursive diff between /var/www/css/static/css
# on two separate servers.



mkdir "$TEMP1"
mkdir "$TEMP2"
scp -rq -P "$PORT1" "$CONNECT1" "$TEMP1"
scp -rq -P "$PORT2" "$CONNECT2" "$TEMP2"
echo -e "\n\n\n\n\n"
diff -urb "$TEMP1" "$TEMP2"
rm -r "$TEMP1"
rm -r "$TEMP2"

Elgg, ElggChat, and Greener HTTP Polling

At my new job, we maintain a site powered by Elgg, the PHP-based social networking platform. I’m enjoying getting to know the system and the development community, but my biggest criticisms are related to plugins.

On the basis of “keeping the core light”, almost all functionality is outsourced to plugins, and you’ll need lots of them. Venturing beyond the “core” plugins—generally solid, but often providing just enough functionality to leave you wanting—is scary because generally you’re tying 3rd-party code into the event system running every request on the site. Nontrivial plugins have to provide a lot of their own infrastructure and this seems to make it more likely that you’ll run into conflict bugs with other plugins. With Elgg being a small-ish project, non-core plugins tend to end up not well-maintained, which makes the notion of upgrading to the latest Elgg version a bit scary when there have been API changes. Then there’s the matter of determining in what order your many plugins sit in the chain; order can mean subtle differences in processing and you just have to shift things around hoping to not break something while fixing something else. Those are my initial impressions anyway, and no doubt many other open source systems relying heavily on plugins have these problems. There’s a lot of great rope to hang yourself with.

Jeroen Dalsem’s ElggChat seems to be the slickest chat mod for Elgg. Its UI more or less mirrors Facebook’s chat, making it instantly usable. It’s a nice piece of work. Now for the bad news (as of version 0.4.5):

  • Every tab of every logged in user polls the server every 5 or 10 seconds. This isn’t a design flaw—all web chat clients must poll or use some form of comet (to which common PHP environments are not well-suited)—but other factors make ElggChat’s polling worse than it needs to be:
  • Each poll action looks up all the user’s friends and existing chat sessions and messages and returns all of that in every response. If the user had 20 friends, a table containing all 20 of them would be generated and returned every 5 seconds. The visible UI would also become unwieldy if not unusable.
  • The poll actions don’t use Elgg’s “action token” system (added in 1.6 to prevent CSRFs). This isn’t much of a security flaw, but in Elgg 1.6 it fills your httpd logs with “WARNING: Action elggchat/poll was called without an action token…” If you average 20 logged in users browsing the site, that’s 172,800 long, useless error log entries (a sea obscuring errors you want to see) per day. Double that if you’re polling at 5 seconds.
  • The recent Elgg 1.7 makes the action tokens mandatory so the mod won’t work at all if you’ve upgraded.
  • Dalsem hasn’t updated it for 80 days, I can’t find any public repo of the code (to see if he’s working on it), and he doesn’t  respond to commenters wondering about its future.

The thought of branching and fixing this myself is not attractive at the moment, for a few reasons (one of which being our site would arguably be better served by a system not depending on the Elgg backend, since we have content in other systems, too), but here are some thoughts on it.

Adding the action token is obviously the low hanging fruit. I believe I read Facebook loads the friends and status list only every 3 minutes, which seems reasonable. That would cut most of the poll actions down to simply maintaining chat sessions. Facebook’s solution to the friends online UI seems reasonable: show only those active, not offline users.

“Greener” Polling

Setting aside the ideal of comet connections, one of the worst aspects of polling is the added server load of firing up server-side code and your database for each of those extra (and mostly useless) requests. A much lighter mechanism would be to maintain a simple message queue via a single flat file, accessible via HTTP, for each client. The client would simply poll the file with a conditional XHR GET request and the httpd would handle this with minimal overhead, returning minimal 304 headers when appropriate.

In its simplest form, the poll file would just be an alerting mechanism: To “alert” a client you simply place a new timestamp in its poll file. On the next poll the client will see the timestamp change and immediately make another XHR request to fetch the new data from the server-side script.

Integrating this with ElggChat

In ElggChat, clicking a user creates a unique “chatsession” (I’m calling this “CID”) on the server, and each message sent is destined for a particular CID. This makes each tab in the UI like a miniature “room”, with the ability to host multiple users. You can always open a separate room to have a side conversation, even with the same user.

In the new model, before returning the CID to the sender, you’d update the poll files of both the sender and recipient, adding the CID to each. When the files are modified, you really need to keep only a subset of recent messages for each CID. Just enough to restore the chat context when the user browses to a new page. The advantage is, all the work of maintaining the chat sessions and queues is only done when posts are sent, never during the many poll requests.

Since these poll files would all be sitting in public directories, their filenames would need to contain an unguessable string associated with each user.

Guitar Tuning By Ear

(This is edited from an answer I posted to KeyMinor, a music Q&A site. They need more users!)

A lot of recordings end up slightly higher/lower than standardized pitch (I always called this “in the cracks” but don’t google it!), and this is the quickest way I’ve found to tune a guitar to them.  This method seems simplistic but has several advantages going for it:

  • All strings are tuned to the same reference pitch, so there’s no accumulation of error as you move from string to string (and you can tune any of the top 5 in any order).
  • The higher the frequency, the easier it is to notice the beat when two identical notes differ slightly in pitch. Matching high pitches yields lower error.
  • All pitch matching is done with notes in the same octave; this also helps you notice the beat

Here it is. Continue reading  

Bash: unbom (to remove UTF-8 BOMs)

Tests for and removes UTF8 BOMs.

for F in $1
  if [[ -f $F && `head -c 3 $F` == $'\xef\xbb\xbf' ]]; then
      # file exists and has UTF-8 BOM
      mv $F $F.bak
      tail -c +4 $F.bak > $F
      echo "removed BOM from $F"

USAGE: ./unbom *.txt

The magic is tail -c +4 which strips the first 3 bytes.