1000 Miles or Bust!

Take a Hike…

A Blurry Moose Lost on the Lake

Moose on Piney Ridge
Ah, those early morning hikes. We woke up early to try to get some miles in while the forest was still cool, even though we had camped at 8300 feet. Setting off through swaths of mosquitoes, we surprised the elusive Central Colorado Moose taking an early morning mudbath in a wallow just off the Lost Lake Trail on Piney Ridge above Vail. Between the dim early morning light and camera shake resulting from having to shake off moose-sized mosquitoes, it was less than ideal photographic conditions. However, you have to take your moose photos where you can–this is only the second time I’ve ever seen moose in the state.

June 17th, 2007 Posted by Tim | 1000 miles, Every last post | no comments

Wilderness

Redundant Wilderness Sign
Today’s main hike was one of those picture perfect hikes on a picture perfect day at a picture perfect place. For the aesthetically-impaired, I’ve composed this photograph. I still wonder who had the chutzpah to put up this sign–King Bluntman?

This photo was taken near Piney Lake on the Piney Creek trail outside of Vail, looking up into the Eagle’s Nest Wilderness. Wilderness it may be, but don’t expect solitude–at least until the trail gets steep a mile or two in! 6.25 miles on this hike–but one of three today on Piney Ridge.

June 16th, 2007 Posted by Tim | 1000 miles, Every last post | no comments

Gotta get away (from the ‘resort’)

Stag Gulch
I’m not one to spend much time at resorts. I dislike the encapsulated, packaged feel of ‘outdoor fun’ that one finds at such places. But Randi had a conference at Beaver Creek, and so up we went. After trying–and failing–to have any reasonably nice experience hiking right from the resort hotel, we went on a short drive down US 6 and found this marvelous trailhead at the end of a side road up a promising draw. A spectacular Friday afternoon with no other people on the trail, and certainly no trucks and front-end loaders sprucing up the resort for summer.

June 15th, 2007 Posted by Tim | 1000 miles, Every last post | no comments

Nextbus, but not the next RTD bus stop (Poor Design)

I’ll readily admit I don’t ride the bus much. I much prefer point-to-point transportation, such as riding my bicycle. But occasionally I need to go to Denver for an event, and rather than jump in my car and add to that single occupancy vehicle traffic jam known as the Boulder-Denver turnpike, a few months ago I thought I’d try to take the bus.

There’s a nifty new web service called NextBus.com that offers realtime estimates of when the next bus will arrive for my local bus service provider, RTD. You just point your browser to the appropriate web page for your route and direction of travel, and bingo, an estimate of what time a bus will be at your stop. It’s even accessible from a cell phone browser. Great idea, right? But poorly designed.

NextBus screenshot
You can see from this screenshot that the NextBus service lists “Broadway at Ash Avenue” as a bus stop for the BX route (the Boulder-Denver express). But when I went to that bus “stop”, I watched a BX bus pass me by despite my attempts to flag it down. If a bus rider can’t figure out where to catch the bus, what good is a web service that tells you when it arrives there?

After an annoyed set of emails to RTD and NextBus about the matter, I discovered that “Broadway and Ash Ave” is not actually a bus stop for the BX or even the BL (Boulder-Denver Local) route, but only for other routes such as the Skip or AB. Apparently NextBus’s service only lists the time when the BX or BL bus passes a particular GPS location–not whether it is actually a bus stop for that particular route. So why is it listed as a bus stop on the BX/BL routes on NextBus?

The answer is poor design, particularly with respect to the interaction between the underlying information architecture and the user experience. One component of good user interface design is making sure that the information architecture of the system is accurate, and NextBus failed that test. Inaccurate information leads to a miserable user experience–such as having the bus you want to take pass you by and leave you stranded. That makes NextBus and RTD co-winners of the second Darwin Design Award for an interaction design that drives end-users nuts. I might have pulled back from giving them the award, but four months and several rounds of emails later they still haven’t bothered to fix the problem.

In fact, several more of the locations listed on the NextBus website “stop” selector are not actually located where the bus stops. So, for example, the stop at Broadway and 27th Way is probably the closest actual bus stop to the “Broadway at Baseline Rd” NextBus “stop”. However even that deduction remains uncertain, because the “Broadway at Service Rd” stop doesn’t even exist. Try googling such a location–or ask a native Boulderite like myself–there is no such intersection. Given that it is between “Broadway and Baseline Rd” and “Broadway at Ash Ave”, perhaps it refers to the old NIST (National Institute of Standards and Technology) entry across from Broadway and 27th Way, but the user is left twisting in the wind wondering how to interpret this nonsense.

There is an important lesson to be learned here, however. Mislabeling the GPS locator stations as “stops” is a great example of the mistake of conflating the user’s point of view and the back-end point of view. NextBus GPS location points are not ontologically equivalent to actual bus stops; they are approximations which must be mapped. It illustrates how an ontological mistake in the underlying information architecture leads to a poor design that is useless for the end user.

A good interaction designer would pay attention to where the bus actually stops and how the stops are named in the real world of bus riders. Pushing real-time bus arrival information across the web to a browser or cell phone is a great idea. But unfortunately a great idea poorly designed risks dying early, earning the RTD NextBus system a Darwin Design Award.

June 15th, 2007 Posted by Tim | Poor Design, Every last post | one comment

Deepest Sender can’t login–fix

Recently my server seems to have updated their modsecurity rules so that my blogging client for Firefox, Deepest Sender, didn’t work, returning a cryptic “TypeError: node has no properties” message. It took me one confusing hour to figure it all out, as naturally I was writing a post that fell into another modsecurity trap. But there was a relatively easy solution.

The most drastic solution would be to turn off the SecFilter setting in your .htaccess file completely, as some forums advise (bad idea–you open yourself up to lots of security issues if you turn off filtering for all the nasties your webhost’s sysadmins are trying to protect you against with modsecurity).

A better solution is to just turn SecFilterInheritance off for only the file xmlrpc.php. That’s much more selective, but it still leaves a security hole right where attackers expect it. And, as any analysis of raw access logs will tell you, there are plenty of scripted attacks on yourdomain.com/xmlrpc.php, yourdomain.com/wordpress/xmlrpc.php and so forth.

An even better solution is to combine that with the Purloined Letter method. Hiding the publicly accessible xmlrpc.php by renaming it is much more secure.

First, copy xmlrpc.php to yourownrandomname.php within your WordPress directory. (Copying the xmlrpc.php file rather than just renaming it reduces the chances that some other plugin will fail obscurely.)

Second, use the .htaccess modification method to point to your (hopefully) unique filename. Since they don’t know the filename, the script-kiddies won’t know what file to attack. Modify (or create) an .htaccess file in the wordpress directory with the text editor of your choice and insert the following directive:

<Files yourownrandomname.php>
SecFilterInheritance Off
</Files>

Third, change DeepestSender or WindowsLiveWriter, Performancing or whatever blog client you use to point to yourdomain.com/yourwordpressdirectory/yourownrandomname.php rather than xmlrpc.php.

The only downside that I can think of is that you should repeat step 1 whenever you upgrade WordPress (if the xmlrpc.php file has been changed–and it is a target for attacks, so it does).
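To check the access-log claim above and to see whether the renamed endpoint is staying hidden, here is an added example (not part of the original post) that tallies requests for xmlrpc.php under any directory and flags requests for the renamed copy from addresses other than your own. The log lines, IP addresses, user agents and the trusted-address set are constructed for illustration, and the log is assumed to be in Apache combined format.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = """
203.0.113.7 - - [12/Jun/2007:04:11:02 -0600] "POST /xmlrpc.php HTTP/1.1" 403 214 "-" "scanner/1.0"
203.0.113.7 - - [12/Jun/2007:04:11:03 -0600] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [12/Jun/2007:04:11:03 -0600] "POST /blog/xmlrpc.php HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.23 - - [12/Jun/2007:09:30:41 -0600] "GET /xmlrpc.php?rsd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2007:10:02:15 -0600] "POST /yourwordpressdirectory/yourownrandomname.php HTTP/1.1" 200 431 "-" "blog-client"
198.51.100.99 - - [12/Jun/2007:11:45:00 -0600] "POST /yourwordpressdirectory/yourownrandomname.php HTTP/1.1" 200 431 "-" "Mozilla/4.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, secret_name, trusted_ips):
    """Tally xmlrpc.php requests per IP and collect untrusted hits on the renamed file.

    secret_name -- file name of the renamed copy (assumption: yourownrandomname.php)
    trusted_ips -- addresses you post from (assumption: you know them)
    """
    probes = defaultdict(Counter)  # ip -> Counter of requested xmlrpc.php paths
    leaks = []                     # hits on the renamed file from unknown addresses
    skipped = 0                    # lines that did not parse
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        basename = rec["path"].rsplit("/", 1)[-1].lower()
        if basename == "xmlrpc.php":
            probes[rec["ip"]][rec["path"]] += 1
        elif basename == secret_name.lower() and rec["ip"] not in trusted_ips:
            leaks.append(rec)
    return probes, leaks, skipped


def path_guessers(probes, min_paths=2):
    """IPs that asked for xmlrpc.php under several directories, i.e. scripted guessing."""
    return sorted(ip for ip, paths in probes.items() if len(paths) >= min_paths)


if __name__ == "__main__":
    probes, leaks, skipped = analyse(
        SAMPLE_LOG.strip().splitlines(),
        secret_name="yourownrandomname.php",
        trusted_ips={"192.0.2.10"},
    )
    for ip, paths in probes.items():
        print(f"{ip}: {sum(paths.values())} xmlrpc.php requests, paths={sorted(paths)}")
    print("path guessers:", path_guessers(probes))
    for rec in leaks:
        print(f"renamed file requested by untrusted {rec['ip']} at {rec['time']}")
    print("unparsed lines:", skipped)
```

Any entry in the leak list means the renamed file name is known to someone else, so the copy should be given a new name and the blog client repointed.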

If you also run into Error 403/404 problems when posting content or comments containing filtered phrases like “xmlrpc.php” or “href=’javascript:’” as I did on another post, you may have to also modify the .htaccess settings for wp-admin/post.php or even wp-comments-post.php. Unfortunately it isn’t as simple to give a unique name to post.php as you’d have to change the filename throughout many WordPress program files. A better bet is to install WordPress in a non-obviously named subdirectory (not wordpress or blog or blogs or WordPress or so on and so forth…), but even then a script could pick up the install directory from the http_referrer variable, so a purloined letter solution isn’t as helpful for preventing spam attacks trying to exploit WordPress’s posting engine. So if this is a frequent problem, you’ll have to think of another solution–or just turn on and off security right before you post or edit a post containing the forbidden phrases.

Resources:

http://wordpress.org/support/topic/105391

June 12th, 2007 Posted by Tim | Hacking, Every last post | 4 comments

Making javascript hrefs work in Drupal

I wanted to add a quick print button to a Drupal page I was modifying the other day, as I have done in the past for other ordinary HTML/CSS sites. The code, which at its simplest reads something like:

<a href="ja vascript:window.print(); return false;">Print this page</a>

simply could not be entered into the Drupal editor. The reason? Apparently Drupal was performing some kind of regexp filter on the hrefs to ‘correct’ non-fully-qualified local addresses, replacing ‘href=’ with href=’http://LocalDrupalDomain’. Eventually I figured out I could get the address tag to work by enclosing matters in the code tags and by setting the input type to PHP.

But that was only one problem. I kept getting a weird Error 403/404 whenever I tried to post the entry. My webhost’s Apache modsecurity module also seemed to have a rule forbidding any posting matching ‘href-equals-javascript-colon’ (and yes, I have to spell that out or break up the word with an extraneous space as I did in the code above in order to sneak this past the modsecurity censors). No doubt that rule is intended to prevent spammers and other attackers from hijacking the form processor. Some of the Drupal solutions suggest writing the javascript href using a PHP echo or print command… now that’s an ugly, but viable workaround thanks to all the slashed prefixing of quotes within quotes.

This brings me to thinking about one of the problems I have with CMS software packages like Drupal (or even blog software like WordPress) versus hard-coded HTML/CSS websites. In an effort to make some things–like managing a large site–more convenient they frequently make other things less convenient; in this case, it took me the better part of an hour to figure out why entering a simple javascript href tag kept failing. And is a CMS really any simpler anyway? Sometimes, whether in WordPress or in Drupal, I just want a way to have exactly the HTML I type get posted onto the CMS.

But then that’s where security concerns can still turn around and bite you. I can’t blame WordPress, Drupal or even TinyMCE for overapplicable Apache rules that protect against spammers trying to abuse the html form posting functions. Only the command-line can save us from such follies–time to go in and edit the SQL entry by hand. Oh, it is just like the days when it was just an actual file and I could use vi, in the days before every page was generated on the fly by a dynamic database… except I have to use even more obscure programs.

(Or just temporarily modify the .htaccess for the posting engine for just one moment, while I sneak a post past modsecurity, and then close the security hole back up when I am done…if I remember. But that’s another story…)

Man, what a pain. And CMS’s are supposed to make our lives simpler?

June 12th, 2007 Posted by Tim | Hacking, Every last post | no comments

Tancredo to change Colorado’s state name

Tancredo proposes legislation to translate state name into English

6 June 2007, Denver, CO (Bench Press)—Making good on his insistence that “only the English language can hold the union together” in last night’s Republican presidential debate, Rep. Tom Tancredo (R-Colorado) today announced that he will introduce legislation to change the Spanish name of the state of Colorado to its English equivalent, “Colored.”

“Changing our state’s name to Colored is simply a logical extension of my Official English policy. Colorado is a word that comes from the Spanish language and such Spanish-language terms should not be used by the United States government,” said the congressman. “Colorado” is the past participle of the Spanish verb “colorear”, meaning “to color”.

Tancredo is known for his extremist views on immigration, including reducing the number of new legal immigrants to zero and the immediate deportation of all immigrants illegally residing in the United States. Despite criticism from within his own party that his positions resemble those of the Know-Nothing politicians of Abraham Lincoln’s era, he has repeatedly denied that his views on immigration border on racism and xenophobia.

During that debate Congressman Tancredo also said he opposes bilingualism, arguing that learning a second language or keeping alive a second language in the home is fundamentally “anti-American,” as all immigrants to this country must lose their identity and be “reborn” as Americans. The congressman had no answer when asked if his position applied to the Native American languages spoken by the original inhabitants of the United States.

Senator John McCain (R-Arizona) is expected to oppose Tancredo’s legislation on the grounds that it is simply absurd grandstanding, but sources close to the Senator privately admit that he is worried that Tancredo could expand his Official English legislation and propose that Arizona be renamed “Dry Zone.”

Republican presidential candidate Mitt Romney’s staff said they had no concerns that the renaming proposal could affect state names that are derived from Native American words, such as Romney’s former state of Massachusetts. “Frankly, I don’t even think anyone knows what Massachusetts means any more,” said the staffer. Echoing one of the former governor’s most memorable answers in the debate, the staffer continued: “It is a null set, a non sequitur, a non-starter.”

In response, Tancredo said he would also try to ban Latin terms such as “non sequitur” from future presidential debates on the grounds that he can’t understand them.

Bench Press–“Light Matters for Heavy Minds”

At Bench Press, we do the heavy intellectual lifting for you.
Bench Press publishes hoaxes and satire.
Please cite with caution and laugh with gusto.

June 6th, 2007 Posted by Tim | Political Babble, Every last post | one comment

Comcast Censors Keith Olbermann, CSPAN

Comcast has finally silenced Keith Olbermann’s biting special comments that assail the foolishness of the Bush administration’s policies. Olbermann, the anchor of MS-NBC’s news program Countdown, has been airing a series of Edward R. Murrow-like special comments that have been an astonishing departure from the bland DoubleSpeak of network news broadcasts. Olbermann’s special commentaries exhibit a degree of critical thinking that is unmatched by any other news program on cable or broadcast television, excepting of course the satirical Daily Show and Colbert Report. While it is undoubtedly a sad commentary on the state of media that the most accurate and truthful television news shows are satires, Olbermann’s well-researched criticisms, delivered with genuine outrage, at least constituted a hopeful sign that the more traditional news media is beginning to abandon its cheerleading of the Bush administration for a sobering look at reality. As a result, Countdown’s (and MSNBC’s) ratings have started to go through the roof.

But Comcast is now denying viewers the chance to see Olbermann speaking truth to power–unless we fork over an additional $50 a month or so for its digital service to receive MSNBC. Moreover, at the same time Comcast has yanked the public affairs channel C-SPAN from its Denver analog lineup.

Why does a licensed monopoly act with such callous disregard for the public’s right to be informed? Why do they censor not only Olbermann but Congress? Could it perhaps have something to do with the fact that the tenor of the debate in Congress has changed after the election of the Democrats in 2006? Comcast may claim it was only a business decision, but then why were these two channels singled out–why not FakeNews (er–FoxNews) or the Christian Broadcasting Network? Does Comcast hope to influence the 2008 election cycle by limiting the news outlets available to hundreds of thousands of its subscribers?

Comcast’s transparent efforts at political censorship are despicable and should stop. Write Comcast and let them know that this move will make you consider switching to DirecTV or another alternative.

And in case you haven’t seen any of Olbermann’s special commentaries, they are still readily available online from MSNBC or on YouTube. For example, in one special comment he assails the president for equating criticism of his policies on terror and the conduct of the Iraq war as ‘supporting terrorism.’ In another special comment he has asked whether the GOP’s cynical exploitation of the fear of terror in their campaign commercials amounts to legitimizing terrorism as a weapon: “Bin Laden puts out what amounts to a commercial of fear; The Republicans put out what is unmistakable as a commercial of fear. The Republicans are paying to have the messages of bin Laden and the others broadcast into your home.” While in a more recent special comment he argues that when Republican presidential candidate Giuliani invokes such fear-mongering in an attempt to “terrorize the electorate into viewing a vote for a Democrat, not as a reasonable alternative and an inalienable right … but as an act of suicide,” he thereby undermines any reasonable discussion as to which party is better qualified to lead the country. Moreover, on the rest of the show Olbermann raises substantive issues frequently ignored or glossed over by other television news, such as in his recent segment (1 and 2) questioning whether the Department of Homeland Security press conferences are being timed to obscure the political news cycle when the competing ‘big’ news stories happen to be politically embarrassing for the Republican party. When biting editorials and stories like these began to hit the airwaves I began to wonder how long it would be before someone caught on and censored Olbermann.

At least Comcast hasn’t yet censored Comedy Central and the Daily Show with Jon Stewart. But can they be far behind? Comcast’s blind support of the Republican Party reminds me of what a Russian friend told me about the differences in the media before and after the fall of the Communist Party: It is better now, because before we could only tell the truth by pretending to tell a joke.

June 4th, 2007 Posted by Tim | Political Babble, Every last post | 3 comments

Walking from Center

I may not personally know all of the readers of my blog, but I bet I know something about you. Your lower back hurts sometimes.

Mine too. And it hurt yesterday, because I did a lot of writing and otherwise staring at the computer–just as I do every day. So when I went off on a late afternoon hike, I wasn’t expecting to get far, especially trying to push up a steep bit of trail. But then an odd thing happened: I noticed what I was doing. I was literally pushing myself up the mountain with my legs, and pulling myself forward with my head. In one of those moments of external self-awareness, the sort where you step outside your body and look back at it, I pictured myself and started laughing at my pathetic posture.

We don’t normally think of walking as something that requires good form. Gymnastics, skiing, dancing, even running–we recognize that those are unusual activities, athletics, or sports that require consciously maintaining good form. But hiking or ordinary walking? Sure, once upon a time we learned to stand upright and manage gravity–at the age of about fifteen months. And we likely don’t have much of a conscious memory of learning to walk.

But when I noticed my sore back complaining a little about having to walk up a steep slope, I realized it was just pointing out that I was walking with poor form. I was tempted to just power through that section, lean into the mountain and force myself up that section as I usually do. Instead, this time I stopped a moment, straightened up and tried to walk from center. I imagined a string from my pelvis pulling me up the mountain, and kept my spine in tune with gravity as I walked. And poof! no back pain.

June 2nd, 2007 Posted by Tim | 1000 miles, Every last post | no comments

Why does my cell phone beep when I turn the ringer off? (Poor Design)

This is the first in a new series of posts on my blog in which I examine examples of poor design–whether product design, user experience/interaction design, software design generally or random other great moments in design idiocy. I call them the Darwin Design Awards, as homage to the most excellent Darwin Award series.

The first Darwin Design Award recipient is my Motorola Razr V3 cell phone. It’s sleek, stylish, thin, and fits in a chest pocket so nicely I often forget it is there. So why is the Razr an example of poor design?

The damn thing beeps when I try to turn the ringer to silent using the side button.

Of course I can flip the phone open and hunt through three or four levels of menus in order to turn the ringer to silent quietly, but then the display lights up a darkened room.

Now how dumb is that? What design idiots were sitting around drinking in the Motorola design laboratory and said “Hey, wouldn’t it be great if your cell phone beeped whenever you tried to change the ring setting? Wouldn’t that be great to annoy other people in a crowded movie theater? Great to impress your date at a concert? Wow, wouldn’t beeping to go silent impress the boss in a boring corporate meeting?” I guess it beats playing buzzword bingo at meetings–we could just play count beeps until we go to sleep.

And while we’re at it, why can’t a phone with enough acres of memory to download mp3 snippets to make customized ringtones store more than the past ten calls received or dialed? 25 would be reasonable, but give me 100. I actually use my phone–it’s not just some objet d’art that looks nice.

Now that’s doing your Ux (user experience) homework, Motorola.

If there was a Darwin Design Award for cellular phones, you guys would win one. But don’t worry, you won’t be alone in cellphone design hell. There’s plenty of other Darwin Design Award finalists out there in the cell phone field.

June 1st, 2007 Posted by Tim | Poor Design, Every last post | no comments

House concerts go before the county again!

Greg Ching has asked me to blog again in support of the Chings’ Aspen Meadows house concert series, at which he and his wife invited folk musicians to perform in their living room and asked those attending to donate funds toward the musician’s traveling costs. As I blogged earlier, their house concert series was shut down due to a poorly reasoned decision by the Boulder County land use Board of Adjustment. Among other Humpty-Dumpty-isms, the county land use director claimed that suggested donations were synonymous with mandatory fees (and I can’t wait for my next chance to try to pay my county permit fees with a donation based on what I think the county’s performance will be worth!). According to the county land use director, any organized attempt to share costs by non-resident guests converts the event from a private party into a business.

Now Greg is asking that supporters attend the public comment period at the June 5th meeting of the County Commissioners (11 a.m., Boulder County Courthouse, 14th and Pearl Street) when he plans to ask that the commissioners expedite adopting an amendment to the land use code that specifically allows house concerts. If you wish to speak at the meeting, you’ll probably have to sign up beforehand to speak during the public comment period starting at 11 a.m. (call to check); however, your presence simply filling the meeting room would also be appreciated. Writing supportive letters to the editor addressed to the Daily Camera, the Colorado Daily and Boulder Weekly is also an option if you can’t attend a public comment period scheduled in the middle of a day on a Tuesday.

Moreover, note the county’s reasoning could be applied to virtually any social activity in which the guests make a financial contribution toward the cost of the entertainment. So the county could:

  • prevent five friends who chip in to purchase a series of Japanese animation DVDs from gathering to watch them together at a home in the county where one of them has a home theater setup
  • prevent my siblings and me from hosting a 50th anniversary party for my parents at their home in the county if we kids agreed to share the costs of paying for a chamber quartet
  • prevent two neighbors from throwing a joint birthday party for their kids at one of their homes in the county if they shared in the cost of paying for a clown or similar entertainment

So even if you’ve never been to a house concert or prefer clowns or movies to live music, please consider coming out in support of house concerts and standing up against this absurd decision. For more background, you can read about the Aspen Meadows house concert series history on the Chings’ website, complete with links to local and national press coverage such as this excellent article.

June 1st, 2007 Posted by Tim | Political Babble, Every last post | one comment

Moving along at last in May

May is the first month in which I actually exceeded the number of miles I needed to hike in a month. As you can see from the spreadsheet below, I managed only about 4 extra miles, but each of those is starting to make up the miles I fell short in past months. Moreover, by hiking a little extra I managed to hit the 300-mile milestone!

Now that the weather is pleasant and summer-like, I can see the miles really beginning to rack up. I’m at about 74% of pace right now, which is a big ten-point improvement over the 64% mark I hovered at the end of the last month. For the 30 days in June, I’m hoping to get around double the miles I need in–in other words 5 to 6 miles a day on average. If I can do that, I’ll make up around 50 to 80 miles in June. Since I’m more than 100 miles off pace, that would put me much closer to catching up by the halfway point. Fortunately, the weather in the fall is usually much better than in the winter and spring, so I’m not too concerned as long as I start making my move.

June 1st, 2007 Posted by Tim | 1000 miles, Every last post | no comments