There's a bill in Congress right now that would require that clinical trials funded by the government be published, whether the medicine was approved or not.

This is a good idea because when the information gathered in these trials is not disclosed, it means that other inquiries can waste time going down blind alleys that have already been explored.

There's a good article on the bill at Pharmalot, which goes into more detail about why disclosing clinical trial information is a good idea.

The bill is currently before the House Committee on Energy and Commerce. If you have a representative on the committee, and you think requiring that this information be published is a good idea, you might want to drop them a line.


I'm a dyed-in-the-wool liberal, so it's really frustrating to watch liberal organizations get it wrong time and time again. Check out this call to action from Care2:

Our government is supposed to act on what the people want. So why is Chief of Staff Bill Daley saying he doesn't care that Americans want Environmental Protection Agency standards that protect our health from smog and global warming emissions?
According to polls, nearly 70 percent, a big supermajority, want the EPA to do its job and protect us from dangerous pollution. Yet, according to a Wall Street Journal article, Daley said "I don't give a [expletive] about the poll." Isn't it his job to care?

Notice the single quote, taken completely out of context. I don't know what Daley meant here. Maybe he really is just as bad a guy as they say he is. But they haven't established that. So I tracked down the article in the Wall Street Journal that contains the quote.


Okay, so I've been traveling in Asia since the week before last. I left Tuesday, landed in Tokyo Wednesday, spent Thursday and Friday in Tokyo, ostensibly to do some sales calls. On Saturday I flew from Narita to Taipei. Then I spent the week in Taipei at IETF, which was insanely busy. Today, Saturday, I got up at 5:15 am, caught up on my email, had breakfast as soon as the buffet opened, and then took the Taipei Metro from near the hotel (it's a bit of a walk to the nearest station from the Shangri-La hotel) to the Taipei main railway station.

From there I caught the High Speed Rail to Taoyuan station, and then discovered that it's a 20-minute bus ride from there to the airport. This worked out perfectly well, though. If I had it to do again I'd buy my tickets online, because they have a special set of machines that are just for picking up tickets purchased online. As it was, I faffed around a bit when I got to the station and wound up missing the 7:36 train. Hardly a tragedy—I caught the 8:00 instead. But that on top of the bus delay (I had figured about a five-minute bus ride) meant that I got to the airport only an hour and fifteen minutes before my flight, which was fine, but closer than I like to cut it.

The flight to Narita was relatively uneventful, and I cleared customs quickly. I'm flying home tomorrow, and I debated a bit whether to go back to Tokyo, or try staying in Narita. I absolutely love Tokyo, but it's expensive, and it would have been an extra two hours on the train, plus the expense of those train tickets.

I'd stayed in Narita once before in transit to Korea, and really did not have a good time at all. The hotel I stayed at was near-ish to Narita Airport, but not Narita town, so I was pretty much marooned there, and it was a fairly typical expensive corporate hotel. So I was really reluctant to stay in Narita, but I did a bit of web searching, and discovered that Narita is actually a bit of a tourist destination—there's a famous temple here.

With a little more searching, I found what looked like a reasonably cheap but nice hotel in the town of Narita, the Richmond Hotel. It gets very good reviews on TripAdvisor, so I figured it was worth a shot. I'm there now, in a "comfort double," which is costing about $100/night. It's quite small, but perfectly serviceable. There's a fridge in the room, and there's a Watson's next door (kind of like a 7-11, only with Japanese products instead of American, which means you won't get fat and die young eating them).

The hotel is pretty clearly not aimed primarily at western travelers, although they do try to accommodate us. The folks at the front desk speak enough English to check you in, but not enough to explain the inner workings of the hotel to you, so you have to be willing to cope with that in order to stay here, I think. It hasn't been a problem for me—I was able to figure out how to use the wifi, and so on. There's a FAQ online that answers most of the questions one might have.

To get here I just went downstairs to the train station at Narita Terminal 2, and instead of taking the Narita Express like I usually do, I took the Keisei line train one stop to Narita town, which was about a five minute ride. The trains were running about fifteen minutes apart, so this wasn't an insanely speedy ride, but it did the job, and I was able to spot the Richmond Hotel from the train before I got off (it's not visible from the platform once you've arrived).

There's a direct route out of the Narita station that leads to the hotel, but it's down many flights of stairs, so it's actually kind of a bad way to get there if you're towing luggage. Well, unless you're an attractive woman and are willing to impose upon some very nice Japanese guy who wants to be chivalrous (I witnessed this happening on my way down the stairs after dinner). I was very fortunate in deciding not to go this way— instead, I went out the east entrance, hung a sharp right, went down the hill, under the underpass, and back around to the hotel. There's an escalator on the way back. The Richmond Hotel actually has a free shuttle, but it doesn't run very often, and the train is almost certainly faster. Plus, it's a train.

So the next big worry staying in Japan is what to eat. As a vegetarian, I'm basically a space alien here. There are Japanese people who are vegetarians, but it's way less common than in the U.S., as far as I can tell. It's also possible that it's more common than that, but that you need to be able to speak Japanese to negotiate. Be that as it may, the first time I came to Japan I basically ate veggie burgers at the Hard Rock Cafe every night for a week. Yuck.

Fortunately, it turns out that there's a really nice vegetarian cafe in Narita, the Easy Life Cafe. I had an early dinner there. Nom. I got their special, which included five little Japanese noshes artfully arranged around a centerpiece which happened to be deep fried taro root balls today. It also came with a drink, a bowl of rice, and a bowl of really good miso soup. There were many other vegetarian options. Dinner was 1000 yen, because I upgraded my drink to a yummy "vegetable juice."

I found myself remembering a dear old friend, Asako Takami, who passed away a few years ago after a long illness. When she stayed at the caretaker house at Diamond Mountain, she used to cook elaborate meals consisting of five or six tiny little piles of food with soup, pretty much just like the dinner I just had. It's funny how these memories leap out at us from the most unexpected places. I miss Asako. Crying now. Sigh.


I had this idea in the shower after my bike ride today, kind of in a flash. So many of my favorite science fiction authors like to pick apart future worlds with future governments. There's a push in the science fiction world to have some future fiction that isn't depressing, that talks about futures we'd like to see. But if you read my G+ comments, you can see that not everyone agrees on what the future ought to look like, or at least how it ought to operate.

There are various sorts of futures that people talk about. Libertarian futures (read Vernor Vinge if you want the Libertarian Manifesto future, or Snow Crash if you want the post-revolutionary dystopian version). Communist futures (Ken MacLeod, for instance). Too-cheap-to-meter futures (Charlie Stross did a good one in Glasshouse, and of course managed to turn it into a paranoid totalitarian fantasy). But in these stories, the authors are using the setting as a backdrop. That's good—you can't really have a story about a future government.

But what I want to see is for a bunch of my favorite authors to come up with stories set in their ideal future world, assuming that somehow we get to that world in, say, twenty years time. You can have innovations, if you can describe how they happened, but no undiscovered physics (e.g., ansibles), and the economics has to be plausible (e.g., no interstellar chemical rockets). It should be a future based on an ideology the author understands well, and can describe in a way that holds together and works as a setting for a real story. Short story to novella length, describe the homes of various characters and how they make a living (no time porn, thank you).

11 advices about HTML5

An article just hit the /. front page, claiming to tell us 11 hard truths about HTML5. Parts of the article are written in an extremely fear-positive tone. The article also implies that the problems it describes are specific to HTML5 when, first of all, they are really largely specific to AJAX, and secondly, they exist only for programming teams that simply don't bother to think about security.

It's probably worth reading the article, but I have a couple of observations to make about it from a programmer's perspective, and also a bit of lampooning to do.


A tangle of cables...

What happens when you put a geek and a JTAG debugging board in the same room with each other? Mayhem, that's what.

It turns out that gentoo's support for ARM is a bit exaggerated: every time I tried to emerge a new package, it turned out not to be supported on ARM. I don't know enough about gentoo's culture to know why this is, or what it means, but the bottom line was that after bypassing the missing or excluded keywords on about five packages, I came to the conclusion that I was barking up the wrong tree: if gentoo requires me to customize and debug every package I install, why am I bothering with a distribution? Why not just build everything from source ad hoc?

I decided that it was worth seeing if NetBSD would boot on the machine. So I checked out -current and built it on my somewhat sluggish old AMD system. It turned out, after I'd finished building NetBSD from source, that in fact NetBSD does not boot on the machine. But heck, I've got the source, and I've got a JTAG board, and there's no reason not to at least try to figure out why it's not booting, right?


Low power liliputing...

We've been thinking a lot about power consumption, and it turns out one of our big power drains is a server I have sitting in the living room. It's a fairly ancient amd64 machine, and it's been chugging along like a champ for years, running various versions of Ubuntu.

The problem is that it runs pretty warm, and the processor is a typical Intel instruction set processor, meaning that it's pretty inefficient in terms of power. Plus, it's quite noisy. So my goal for a while has been to replace it with something that consumes less power. Recently, I bought a Dreamplug, which is a computer about the size of a large power supply brick with an ARM cpu and a claimed maximum draw of 15 watts.

I spent some time this weekend configuring the Dreamplug. I wanted to run Ubuntu on it, but for some reason Ubuntu has dropped support for Kirkwood-based ARM CPUs. So I wound up installing gentoo on it instead. This wasn't trivial, and it isn't done, but it was totally do-able, and I wanted to write down what I'd done here so that people could benefit from it.


More on Flash

Just now I was playing a round of Wordscraper with a friend of mine on Facebook. Wordscraper is a game like Scrabble, only Hasbro can't charge rent on it because it's not identical. Don't get me started.

Anyway, I noticed that Wordscraper was going really slowly. It turned out that of the three (!) Flash applications on that page, one of them was a really stupid ad with a busy wait in it. A busy wait is the computer programming equivalent of a track stand. Suppose you are on your bicycle and you come to a stop light. You can't go until it turns green (or at least until there's no cross traffic, depending on your proclivities). So you have to wait, there at the light, probably for a minute or so.

You could step out of your pedals and onto the pavement, and just stand there waiting. Or, you could try to balance on your bike, with great effort and concentration, for the entire time until the light changes. Busy waiting is like that. While your computer is busy waiting, it can't do anything else, because it's busy. On a multitasking system, like the Mac, the computer will periodically interrupt the busy wait and let other programs work, but the busy wait will take up a substantial amount of computer time, because the program looks busy. So the rest of the computer will be really sluggish.

On top of this, remember that computers use less power when they are idle. This didn't use to be the case, but it's the case with practically every modern computer. Why? Because computers actually draw a significant amount of power. If you don't want your computer to be a total power hog, you have to carefully conserve energy when it's not needed, by slowing down the CPU. But if the CPU is doing a busy wait, it's going to be running at 100% utilization all the time, drawing the maximum amount of power continuously.
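The track-stand comparison above, measured rather than described. This is an added example and not code from the original post or from any Flash ad: two functions wait the same wall-clock time, one by spinning on the clock and one by asking the kernel for a timer, and a third measures how much CPU time each actually consumed. The 0.3 second wait length is an arbitrary choice for the demo.

```python
import time


def busy_wait(seconds):
    """The track stand: spin on the clock until the deadline passes.
    Returns how many times the loop went round, i.e. how much work was
    done to accomplish nothing."""
    deadline = time.monotonic() + seconds
    spins = 0
    while time.monotonic() < deadline:
        spins += 1
    return spins


def idle_wait(seconds):
    """Stepping off the pedals: ask the kernel to wake us later.  Until
    then the CPU can run other programs or drop into a low-power state."""
    time.sleep(seconds)
    return 0


def cpu_seconds(fn, *args):
    """CPU time (user + system) this process spends inside fn(*args),
    as opposed to wall-clock time, which is the same for both waits."""
    start = time.process_time()
    fn(*args)
    return time.process_time() - start


def compare(seconds=0.3):
    """Same wall-clock wait, two ways.  Returns {'busy': cpu, 'idle': cpu}.
    The busy figure comes out close to `seconds`; the idle one close to 0."""
    return {"busy": cpu_seconds(busy_wait, seconds),
            "idle": cpu_seconds(idle_wait, seconds)}


if __name__ == "__main__":
    result = compare()
    print("busy wait burned %.3f s of CPU, sleep burned %.3f s"
          % (result["busy"], result["idle"]))
```

On a loaded machine the busy figure can come in below the wall-clock figure, because the scheduler takes the CPU away from the spinning process; it never comes in near zero, which is the whole point.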

What does this have to do with Flash in particular? Just this: Flash programs are written with authoring tools that make it so easy to write them that the person writing them doesn't have to have any training or experience at all, and indeed may not even realize that he or she is writing a program. These programs are then foisted on your web browser without any vetting by anyone who would be competent to detect a serious programming error like this. There's nothing wrong with amateurs writing programs. Indeed, it's really good for them to do so. But when their programs get run on millions of computers, that's not so good.

Steve Jobs mentioned in an interview a while ago that if you enable Flash, your battery life goes down by about 30%. This is why. It's because Flash programs are big, and inefficient, and often written by people who don't know what they are doing, and don't know not to make tyro mistakes like putting in a busy wait. It doesn't even matter if Flash is a good technology or not. What matters is that automatically running programs written by advertising executives on your computer is a bad idea.

Just think. This particular Flash App, when it's deployed, probably adds several megawatts of power to the developed world's power draw, because it's on Facebook, and everyone uses Facebook. It uses enough power for me to notice individually. Multiply that by a hundred million Facebook users. Ouch.

The iPad doesn't support Flash. And I routinely get ten hours out of the battery. Coincidence? I think not.


I'm writing this up here because I didn't find any detailed documentation on the web, and it's not very intuitive. The situation:

1. I have a web service that I'm delivering using the python tornado web server.
2. It needs to be authenticated.
3. The authentication backend I have to use is kerberos.

I am not a big fan of HTTP basic authentication. In order for it to be at all safe, it has to be done over SSL, because the password goes across base64-encoded, which is as good as in the clear. Also, Kerberos isn't intended to be used this way--one of Kerberos' strengths is that it doesn't require you to send passwords to the agent you are authenticating with, meaning that your password can't be compromised simply because that agent has been compromised. Using Kerberos the way I'm using it in this example throws out that advantage, and I'm hoping to fix that at some point. But for now, I needed to get something working. Expedience is the mother of insecurity, or something.

So the way that I'm doing the authentication is that the user visits a URL that's password protected. The browser doesn't send an Authorization header on that first request, because it doesn't know it has to. The tornado server needs to send back an HTTP 401 response, which says "authenticate, please," along with a WWW-Authenticate header that names the scheme (Basic) and the authentication realm. Without that header the browser never puts up a password dialog; it just shows the 401.

At this point the browser throws up a dialog box prompting the user for a username and password. They type in their kerberos username, and their kerberos password. The browser sends the username and password to the tornado server.

The tornado server now uses that username and password to get a ticket for my service from the Kerberos server (we'll call the service tor in the example code I'm going to provide). It then checks that the ticket actually decrypts with the service's own key, the one in its keytab, which is what proves the ticket came from the real KDC. That second step is not optional: skip it, and anyone who can get a forged KDC answer in front of your server can log in with whatever password they like. If the ticket checks out, the user's in; otherwise, tornado sends another 401.
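The challenge/response exchange described above, as an added example that is not code from the original post. It keeps the HTTP Basic handling separate from Tornado so it runs on its own: the client-side header construction, the server-side parsing (absent header, wrong scheme, junk base64, colons in the password), the 401 challenge with its WWW-Authenticate header, and the decision to append the server's realm rather than let the client name one. The kpass call is replaced by a `verify(principal, password)` callback; `demo_verify` and its account table are constructed stand-ins, not a KDC, and the EXAMPLE.COM realm is taken from the post.

```python
import base64
import binascii
import hmac

REALM = "EXAMPLE.COM"          # the realm the post uses; an assumption here


def make_basic_header(username, password):
    """Client side: what the browser puts in the Authorization header.
    Base64 is an encoding, not encryption, hence the insistence on SSL."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization):
    """Server side: (username, password) from an Authorization header, or
    None if the header is absent, uses another scheme, or is malformed.
    Only the first colon separates the two; passwords may contain colons."""
    if authorization is None:
        return None
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    username, password = text.split(":", 1)
    return username, password


def authenticate(headers, verify, realm=REALM):
    """Decide one request.  Returns (status, extra_headers, principal).

    A 401 always carries WWW-Authenticate, since that header is what makes
    the browser show the username/password dialog.  `verify` is whatever
    checks principal+password against the KDC; on the real server that is
    kpass with the service keytab, here it is a constructed stand-in."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    username, password = creds
    # The server picks the realm.  A username carrying '@' or '/' would let
    # the client name some other realm or a service instance, so reject it.
    if not username or "@" in username or "/" in username:
        return 401, challenge, None
    principal = "%s@%s" % (username, realm)
    if not verify(principal, password):
        return 401, challenge, None
    return 200, {}, principal


# Constructed stand-in for kpass so the example runs offline.  Passwords
# live in a dict here only because there is no KDC in this example.
_DEMO_ACCOUNTS = {
    "alice@EXAMPLE.COM": "s3cr:et",   # note the colon in the password
    "bob@EXAMPLE.COM": "hunter2",
}


def demo_verify(principal, password):
    """Constant-time comparison against the constructed account table."""
    expected = _DEMO_ACCOUNTS.get(principal)
    if expected is None:
        # Compare against something anyway so unknown users cost the same.
        hmac.compare_digest(password.encode("utf-8"), b"no-such-user")
        return False
    return hmac.compare_digest(password.encode("utf-8"),
                               expected.encode("utf-8"))


if __name__ == "__main__":
    cases = [
        {},                                                        # first visit
        {"Authorization": "Bearer abc"},                           # wrong scheme
        {"Authorization": "Basic %%%"},                            # junk base64
        {"Authorization": make_basic_header("alice", "s3cr:et")},  # good
        {"Authorization": make_basic_header("alice", "wrong")},    # bad password
        {"Authorization": make_basic_header("alice@OTHER.REALM", "s3cr:et")},
    ]
    for hdrs in cases:
        print(authenticate(hdrs, demo_verify))
```

Inside a Tornado handler, `authenticate` would be fed `self.request.headers`, and a 401 result would be written out with `set_status`, `set_header` and `finish` before the handler returns.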

In order to make this work, the first thing I needed was a kerberos instance for my service. The Kerberos principal name for a server instance generally looks like this:

service/hostname.example.com@EXAMPLE.COM

service is the name of the service. hostname.example.com is the name of the host on which the service is running. @EXAMPLE.COM is the kerberos realm (I always wanted a kerberos realm called STRAUMLI, but that's another story).

As I said, we're going to call the service tor and we'll call the hostname tornado.example.com. So we need to create a principal called tor/tornado.example.com@EXAMPLE.COM on the Kerberos master for the EXAMPLE.COM realm. Once this is created, we need to extract a keytab file containing the Kerberos key for tor/tornado.example.com@EXAMPLE.COM.

I'm not going to tell you how to do this, because I actually didn't do it myself—I asked one of our nice sysadmins to do it, and they just did it and gave me the keytab file. If you are in a situation where you need to do this, you probably have similar resources, so go use them. If you don't, it's not too painful, but I haven't done it myself in years, so you'll have to RTFM.

Beware: the keytab file is an actual password. If it gets out, an attacker could use it to spoof your service, or to decrypt tickets that clients send to it. So keep it safe—it should be owner-readable, with no other permission bits set (chmod 600, owned by the user tornado runs as, and check it with ls -l). klist -k /etc/tor.keytab will list the principals and key version numbers in it without printing the keys, which is a cheap way to confirm you were handed the right one.
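The permission check from the previous paragraph, written out so it can run at startup before the keytab is handed to kpass. This is an added example, not part of the original post: it accepts the same "FILE:/etc/tor.keytab" style of name the post's code uses, refuses anything that is not a plain regular file owned by the running user with no group or other bits, and `demo` exercises it on a throwaway file (constructed; it contains the two-byte keytab format magic and no keys).

```python
import os
import shutil
import stat
import tempfile


def keytab_path(spec):
    """Strip a krb5 keytab type prefix ("FILE:", "WRFILE:") if present."""
    for prefix in ("FILE:", "WRFILE:"):
        if spec.startswith(prefix):
            return spec[len(prefix):]
    return spec


def keytab_is_safe(spec, uid=None):
    """Return (ok, reason).  ok only if the keytab is a regular file, owned
    by `uid` (default: the uid this process runs as), with no group or other
    permission bits at all.  lstat does not follow symlinks, so a link
    planted at the keytab's path fails the regular-file test."""
    uid = os.getuid() if uid is None else uid
    path = keytab_path(spec)
    try:
        st = os.lstat(path)
    except OSError as err:
        return False, "cannot stat %s: %s" % (path, err)
    if not stat.S_ISREG(st.st_mode):
        return False, "%s is not a regular file" % path
    if st.st_uid != uid:
        return False, "%s is owned by uid %d, expected %d" % (path, st.st_uid, uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "%s has mode %04o; group/other bits must be clear" % (
            path, stat.S_IMODE(st.st_mode))
    return True, "ok"


def demo():
    """Run the check on a constructed keytab-shaped file in three states:
    mode 0600 (good), mode 0640 (group-readable, bad), and missing."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "tor.keytab")
        with open(path, "wb") as f:
            f.write(b"\x05\x02")      # keytab format v2 magic; no entries
        os.chmod(path, 0o600)
        ok_0600 = keytab_is_safe("FILE:" + path)[0]
        os.chmod(path, 0o640)
        ok_0640 = keytab_is_safe(path)[0]
        ok_missing = keytab_is_safe(os.path.join(workdir, "absent.keytab"))[0]
    finally:
        shutil.rmtree(workdir)
    return {"0600": ok_0600, "0640": ok_0640, "missing": ok_missing}


if __name__ == "__main__":
    print(demo())
    print(keytab_is_safe("FILE:/etc/tor.keytab"))
```

Refusing to start when the check fails is the useful behaviour; a server that logs a warning and carries on with a world-readable keytab has not gained anything.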

The second step that's necessary here is to set up pykpass. Pykpass actually does the whole kerberos authentication process and authenticator validation process for you (including the keytab check described above), so you don't need to think very hard—you just have to pass in the right information. You can find pykpass in the Python package index on python.org, and presumably you know how to install python packages, right?

So here's the code:

#!/usr/bin/env python

import base64
import binascii

from kpass import kpass, KpassError
import tornado.httpserver
import tornado.ioloop
import tornado.web

REALM = "EXAMPLE.COM"
SERVICE = "tor"
SERVICE_HOST = "tornado.example.com"
KEYTAB = "FILE:/etc/tor.keytab"


class torRequestHandler(tornado.web.RequestHandler):
    def get(self, line):
        auth_hdr = self.request.headers.get('Authorization')
        if auth_hdr is None or not auth_hdr.startswith('Basic '):
            return self.request_basic_auth()
        try:
            auth_decoded = base64.b64decode(auth_hdr[6:])
        except (TypeError, binascii.Error):
            # Malformed base64: treat it as no credentials at all.
            return self.request_basic_auth()
        # Only the first colon separates user from password; the password
        # itself is allowed to contain colons.
        if ':' not in auth_decoded:
            return self.request_basic_auth()
        username, password = auth_decoded.split(':', 1)
        # The user supplies a bare username and we choose the realm.  Refuse
        # anything that would let the client name a different principal.
        if not username or '@' in username or '/' in username:
            return self.request_basic_auth()
        try:
            # kpass gets a ticket for SERVICE/SERVICE_HOST@REALM with this
            # password and verifies it against the key in KEYTAB.
            if kpass(unicode(username + "@" + REALM), password,
                     SERVICE, SERVICE_HOST, KEYTAB) != 1:
                return self.request_basic_auth()
        except KpassError as diag:
            return self.request_basic_auth()

        # put the rest of your get handler here.

    def request_basic_auth(self):
        if self._headers_written:
            raise Exception('headers have already been written')
        # The 401 status plus WWW-Authenticate is what makes the browser
        # put up its password dialog; a 200 with the header does nothing.
        self.set_status(401)
        self.set_header('WWW-Authenticate', 'Basic realm="%s"' % REALM)
        self.finish()
        return False

urls = [
    (r"/tor/(.*)", torRequestHandler),
]

application = tornado.web.Application(urls)

# Don't even *think* about not using SSL.
ssl_options = { "certfile": "/etc/torcert.crt",
                "keyfile": "/etc/torcert.key" }

if __name__ == "__main__":
    http_server = tornado.httpserver.HTTPServer(application,
                                                ssl_options=ssl_options)
    http_server.listen(443)   # the port is not in the original; pick your own
    tornado.ioloop.IOLoop.instance().start()
As I stated earlier, I don't particularly recommend this as a long-term solution. If nothing else, putting the authentication where I've put it is inconvenient. But if you need to do this for testing or prototyping purposes, hopefully this will be of some use to you.

By the way, I shamelessly copied some of the above code from an article on using python decorators to do authentication with tornado. The reason I didn't just use the example from that blog entry is that it doesn't actually work—it throws an exception because the authenticator gets called after the http response has been sent. I wasn't able to figure out why this was happening, and frankly I hate code that's complicated and opaque, which python decorators are, so I just got rid of the decorator and the interceptor and hard-coded my solution.

More on the Comcast/Level 3 dispute.

There's a really good article on the Comcast/Level 3 dispute that came out today. It turns out that I understood part of the problem, but not the whole problem.

It is possible to frame this as a network neutrality issue, but I think it's actually a bad idea to frame it that way. The situation is that Comcast is using their ability to choose who they peer with, in combination with their customers' inability to switch to other providers, to essentially blackmail Level 3 into paying more for peering than is customary.

Because Comcast has control over access to all of its customers, Level 3 has no choice but to pay whatever they ask; if they do not pay, they are not going to be able to connect directly to Comcast, and hence are not going to be able to offer a service to their customers (e.g., Netflix) that is worth paying for.

But what this really is is a regulatory situation, pure and simple. Comcast is a monopoly. The FCC is in charge of regulating telecom monopolies. The FCC should be regulating Comcast. But it's not. What Comcast is doing wrong here is providing semi-bad service for its customers, who are a captive audience. I don't have another provider I can go to in Brattleboro--it's Comcast, or no high-speed Internet. And I've noticed that Comcast service has been sucking pretty badly recently--its backbone is horribly congested.

I happen to know people at Comcast, and I really doubt that they *want* to provide bad service. But there is no economic downside for them in providing bad service, until their service gets so bad that dialup would be better. So this isn't really a net neutrality issue. It's a no feedback-loop issue.

That's why I think the FCC needs to go back to regulating ISPs as telecom providers. And what I didn't like about the analyses I was flaming about yesterday was that they framed this as "Comcast is Evil," and didn't really tell me anything useful about the situation.

Comcast isn't evil. They are just not in a situation where they have an incentive to be better. And I'm really tired of people who are not evil being called evil in order to scare me into taking action.