Seth Woolley's Blog

Occasional Musings

amtrak feedback(0)

November 2, 2006

I arrived at Jack London Square at 9:24 for the late 527 San Jose train that was supposed to come at 9:29 (estimated on-line when I left my apartment at 9:04am).  At 9:29 a train showed up, but was labeled Sacramento (error 1).

No arrival announcement was made on the reader board in the waiting area outside (error 2).

No arrival announcement was made orally by station attendants (error 3).

No arrival announcement was made orally by the 527 conductors (error 4), despite their train being labeled 518 to Sacramento (a label left over from hours before, which I didn't realize was wrong until I checked the schedule).

The reader board continued to say that 527 was "delayed" for twenty minutes after the train left and included no arrival time in the delay notices before and after the train's actual arrival (error 5)!

The train showed up and left without me because no indication had been made that it was my train!

I've been doing this same exact commute daily since September 1 with monthly passes.  The price just went up five percent for the pass and now I get even less value out of it to the tune of another five percent (one day in twenty work days is totally messed up).

I can't assume that southbound trains are the correct train for a few reasons.  Trains other than my own show up late and out of order that are originating at okj or are continuing to oac and stopping or turning around.  The okj trains are few.  When I miss an okj train I have to wait hours for the next one.  The next one wasn't until the afternoon.

I bike nine miles a day for this commute and am a strong advocate of public transit.  For two years I was State Secretary of the Oregon Pacific Green Party, was on the Coordinating Committee for another two years, and was a local chapter secretary for another two years.  I helped run candidates whose platforms were to subsidize public transit for positions ranging from governor to senate to transit district representatives.

I even work at a company that's responsible for many of the multi-modality routing systems available and navigation systems you'd find in everything from cell phones to websites.  They even subsidize my train ticket through reimbursing most of the cost.

My faith in public transit will never waver; however, it's not my faith you should be concerned about.  I can excuse the lateness due to freight traffic since I know freight has priority on the Union Pacific lines ever since we privatized and subsidized the private train industry to the point of granting them human rights in the Southern Pacific v. Santa Clara decision in the 1880s.

But, if conductors, station agents, and other employees are simply unable to do a crucial part of their job all at once, public transit is not feasible.

A system where people are irresponsible in assuming "somebody else" will communicate the proper train signage is no way to ensure train travel is usable.  All parts of the system should be working to high degrees of efficiency so that when the fallback communication methods are needed they fall into place and actually work.  In riding the train over eighty times, I have been left behind once.  Assuming an equal distribution of error across the five redundant communication components above, all five would have to fail together about one time in eighty, which works out to each component working only around 58.37% of the time.  Almost half the time, each part fails to participate.  58.37% is an F grade.  In reality, train signage is almost never wrong: I've seen it wrong once on BART and a couple of times on Amtrak.  Thus the probability of the other contributing errors must be even higher, on the order of most of the time.

As I'm a participative individual, I expect a response on what corrective action has been taken to ensure that each element of the communication system works.  Personally, I think most of the problem can be attributed to the conductors simply not paying attention to their own train's signage and taking corrective action; however, I'm at a loss to understand why all the other signage was void of information that could have given a hint that the train at the station was actually the 527.

If an expert and non-disabled user such as myself can't get on the correct train, what are we also to do about disabled people?

I look forward to your response and I am willing to help craft a solution that can improve service to the point that an error such as this is simply intractable.  There may have been a systemic problem that can be remedied that caused the cluster of errors to form, but I'd have to have detailed knowledge of how the communications infrastructure works to correct it.  I am curious to learn more so that I can assist the board and authority to come to a realistic solution to improve service.

Seth Woolley's Blog politics reallife

muir woods(0)

image updates from muir woods

new background image

I added a new title background image to my website of muir beach (the old one was mount hood: http://swoolley.org/greenscape-grey-small.png )

a maple tree nestled in redwoods in muir woods

a curved redwood tree in a stand of other redwoods

a stand of redwoods toward the canopy

along redwood creek

a big barky redwood

a blacktail mule deer grazing along the redwood creek

rickie and seth

Seth Woolley's Blog photography reallife

old high school research(0)

Shades of High School

Every couple years I google people I remember from long past.  Well, I finally got around to putting some of it up on the net!

http://swoolley.org/files/highschool.html

Seth Woolley's Blog reallife

new commute route(0)

Update

I've been doing the new commute for over a week now:

  • 3.5 miles to the Oakland Jack London Amtrak Station on bike, downhill.
  • 40 miles to the San Jose Amtrak Station.
  • 1 mile to work, Santa Clara and 2nd Street.
  • reverse, but uphill.

9 miles of biking has turned out to be 10 mph downhill, 8 mph uphill, for about an hour total time, averaging 9 miles per hour, which is pretty good given the stoplights and traffic I have to deal with.

I figure I burn about 300 calories on top of my existing 2200 calories base rate, for a total of 2500 calories.  I think I'm going to see how many calories I eat and track it in gnucash.

Seth Woolley's Blog reallife

the world of microsoft windows(0)

Windows Hell

I've had my new Windows laptop (from work) for one week.  One week of hell.  Just a few of the problems I've encountered are:

Windows and the pervasive VPN

Why do Windows people insist on using VPNs?  I'd much rather have an SSH tunnel bastion host so I can limit access to the boxes I care about and set up specific applications to connect through the tunnels I want them to go through.  My last place had both, a VPN for Windows users and ssh for linux users.

Most unix programs let me tell them to connect through a certain interface, say, my wireless connection directly for my ssh connection to my home box, and through the vpn for everything else.  Take ping, for example.  On my linux box I can use -I to specify an interface, or -j to specify source routing.  I didn't see a -I on cygwin, so I just tried -j, to no avail: it didn't seem to work and failed silently.  Yay for Windows being annoying.  I can start a connection before opening my VPN, but if the Venturi crap doesn't work, I end up disconnecting the VPN to reconnect to my home box, then reconnecting, which often messes up the default outlook install when it tries to connect to an address that doesn't exist.  This is just crap.  SSH tunnels have none of those problems.

I could set up pptp without giving it the default route, and set up ssh tunnels to my work box, I guess -- when my desktop finally comes in.  For now I've been using my linux laptop at work and leaving it there, since its battery finally died and it's useless when mobile (and I can't find any of its batteries new online).  This is much easier in linux than in Windows.  I suppose I could also add static routes for every destination, but where do I put this, in a script I have to run after the stupid gui connects to the vpn?  My workaround has been to spawn rasphone in a script (I have rasdial as an option too), so I could put it in there, but it's a pretty dirty interface.

Windows still is unstable

Windows crashed trying to come out of standby.  Then Explorer wouldn't open after coming out of hibernation until I did a cold reboot, not a warm reboot, for some reason (which was associated with the standby crash above and a chkdsk run).

Replacing the default shell

Blackbox for Windows doesn't support full maximization properly, so I'll just be using Blackbox auto-hide.  Other than that, Blackbox has really made my computing easier (workspaces on Windows, with one workspace containing a rootless X in cygwin -- nested blackbox).  I also loaded my http://swoolley.org/blog.cgi/miniature%20font%20updated miniature font for Windows, so it matches my linux installs.

Windows is always preloaded with crap and screen annoyances

  • Bluetooth systray icon, Volume Control systray icon, Eject systray icon -- Windows uses the system tray for both system and application crap.  They should have two trays, with the ability to hide system versus application notifications based on user preferences that can be quickly modified, such as a drop-down menu for system crap.
  • ZoneAlarm Pro
  • Norton Antivirus Corporate Edition
  • IBM Message Center (if you don't get the hint, I don't care about your messages IBM).
  • IBM ThinkVantage Access Connections in addition to the Windows Connections in the status tray (six icons this way).

Verizon cellular Internet Access

Venturi-something came with my VerizonAccess crap.  See http://www.venturiwireless.com/solutions/technology.html#aao -- it replaces TCP!  VTP advertises preventing connection losses, but when I had it running on linux using straight TCP, I had fewer dropped connections and reconnections got the same IP, so my ssh connections ran just fine.

It also recompresses, caches, and compresses websites.  But good website designs already pre-compress, have integrated caching, and recompression is unneeded.  It's quite the hype, and for 99% of my use, it is dumb.

VZAccess also does connection choosing that ThinkVantage does (but ThinkVantage doesn't grok the wireless connection) and Windows already does.  It seems every piece of hardware has its own software value-add that just adds more code bloat.

Conclusion

Windows still isn't for me.  Despite my attempts to make it usable, I'll have to dump it or relegate it to a vmware session.  Ironically, what I have to support for Windows is automated in cygwin already, it just hasn't been ported yet to linux and run through conformance and quality assurance internally.  When that happens my company shouldn't need Windows to do anything.

Seth Woolley's Blog reallife

began work at deCarta(0)

Update

First day at deCarta

Yesterday was my first day at deCarta ( http://www.decarta.com/ ).  It looks like I'll be enjoying this work much more than my work at Panasas.  The team, at first glance, appears that it knows how to work together rather than against each other.

Commuting via Amtrak

I also bought a one month pass for Amtrak to do the Oakland to San Jose commute.  The big trains are much more enjoyable than BART, which I've also used for extended commuting.

New laptop

Moreover, I got a work laptop.  Just in time, as my personal laptop's irreplaceable battery finally decided to die completely. :(  I now just have to configure it for dual booting until I can get xen working on it to host the windows install they gave me (I have to automate on both linux and windows).

New folding bicycle

My Dahon Piccolo D3 folding bicycle should be in on Monday.  Today I'm going down to the bike shop to test out folding bicycles to see if everything's how I want it to be.

Seth Woolley's Blog reallife

scanalert(0)

Recruitment

A couple weeks ago I received an email from the http://scanalert.com recruiter, who saw my resume and invited me to interview at ScanAlert.  I emailed back and called the recruiter the next day to see what the position entailed.  It was for their "ethical hacker / penetration tester" position, which is still posted on their website.  I was curious, so I thought I'd see what it's like there, having never worked in a "corporate" security environment, but instead for smaller businesses.  I talked to the Vice President of Engineering, Ben Tyler, and he offered a challenge on a fake website:

In our fictitious web site, one or more of the following
vulnerabilities may exist:

Cross Site Scripting
SQL Injection
Directory Listing
Path Disclosure

They wanted me to send an IP back to open up the url to me for 24 hours, but before I did that I was bothered by their apparent "find all the vulnerabilities and slap a sticker declaring it safe" mentality, so I took a look at their own website and in a few minutes happened upon an interesting XSS vulnerability that let me inject html attributes into a link.

https://www.scanalert.com/Link?url=http://scanalert.com%22+onclick=%22alert('hi');

Response

I replied back with the following:

Hi Ben,

In reaction to your challenge to break into a fictitious website, I
must challenge you to secure your own website:

<XSS exploit url here>

When your recruiter contacted me for a position as a Professional /
Ethical Hacker / Penetration Tester, I was curious about the idea of
being employed by scanalert, however, I have had some doubts when you
said "find the vulnerabilities".  The use of a definite article led me
to believe that there might be a culture of "finding all the
vulnerabilities" in websites, declaring them secure, and then slapping
stickers on them.  There is no question as to the value of security
auditing, but it is just that, an audit, not a guarantee.  Questioning
the efficacy of such a culture, I decided to test its value by checking
your website for basic vulnerabilities.  In a matter of minutes I
discovered the above vulnerability.  The "Hacker Safe" concept should be
thought of as "Hacker Safer".

Now, I do acknowledge that perhaps I read too much into your wording
and that indeed, a culture of progressive security may yet exist at
scanalert, so I'm still interested in pursuing this position, but I need
some reassurance that a culture of asymptotic security thrives at
scanalert, that the Hacker Safe logo really means, internally,
Hacker Safer, and that I too will be able to gain progressive experience
in novel and interesting security techniques while employed at
scanalert.

Seth

Confirmation

No reply came back, but five days later, I noticed they fixed it, but poorly.  The following link still worked:

https://www.scanalert.com/Link?url=javascript:alert('hi');

For a security website, I was disappointed that they couldn't fix the entire vulnerability, so I looked around for a few more vulns and sent them a more detailed report listing more things they probably wouldn't want their code to be doing, including an information leakage vulnerability and how their login form combines with XSS vulns to escalate privileges automatically.

They still haven't completely fixed the vulnerability, despite it being five days later, again, so I'm publishing this blog entry to expose their inability to manage their own security.
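The two links above show the same redirect parameter failing in two different ways: first the `url` value broke out of the `href` attribute and carried extra attributes, and after the partial fix a `javascript:` URL was still emitted as a clickable link.  The block below is an added example, not ScanAlert's code or anything from their site, that puts the raw interpolation, the encode-only "fix", and a hardened version side by side.  The function names, the `example.com` host and the payload strings are constructed for the example; the hardening is the usual pair of controls for this bug class: allowlist the URL scheme and hostname first, then encode for the attribute context.

```python
# Added example (not ScanAlert's code): three ways to build an <a href> from a
# user-supplied "url" query parameter, matching the bug and the partial fix
# described in the post. All names and inputs here are constructed.
import html
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Plain hostnames (and an optional port) only; anything else, such as quotes
# or spaces smuggled into the authority, is rejected outright.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")

# Constructed inputs shaped like the two link payloads in the post.
ATTR_PAYLOAD = 'http://example.com" onclick="alert(\'hi\');'
JS_PAYLOAD = "javascript:alert('hi');"
GOOD_URL = "https://example.com/page?x=1"


def build_link_unsafe(url: str) -> str:
    """Original flaw: raw interpolation. A '"' in url terminates the href
    attribute, so whatever follows becomes new attributes on the <a>."""
    return f'<a href="{url}">link</a>'


def build_link_encoded_only(url: str) -> str:
    """Partial fix: attribute-encoding closes the attribute-injection hole,
    but a javascript: URL is still emitted as a working link target."""
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def safe_url(url: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL with a plain
    hostname; otherwise None. Scheme comparison is case-insensitive so
    mixed-case schemes do not slip through."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not HOSTNAME_RE.fullmatch(parts.netloc):
        return None
    return parts.geturl()


def build_link(url: str, fallback: str = "/") -> str:
    """Hardened version: allowlist first, then encode for the attribute
    context. Unacceptable input degrades to a harmless fallback link."""
    target = safe_url(url)
    if target is None:
        target = fallback
    return f'<a href="{html.escape(target, quote=True)}">link</a>'


if __name__ == "__main__":
    for name, fn in [("unsafe", build_link_unsafe),
                     ("encoded-only", build_link_encoded_only),
                     ("hardened", build_link)]:
        for payload in (ATTR_PAYLOAD, JS_PAYLOAD, GOOD_URL):
            print(f"{name:13s} {fn(payload)}")
```

Running the block shows the progression: the unsafe builder emits the injected `onclick`, the encode-only builder neutralises that but still produces `href="javascript:..."`, and the hardened builder replaces both payloads with the fallback while passing the ordinary https URL through unchanged.  Encoding and scheme validation are separate controls; fixing one of them, as the post observed, leaves the other half of the bug in place.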

Seth Woolley's Blog webdevel reallife security

memorial day update(0)

Update

It's memorial day here, and I'm trying to avoid remembering the current spate of wars of aggression that we're in.

So to distract me, I thought I'd post a picture of the time I got my leg cut up by guitar string ends on a guitar from some punk band in Oakland who decided that moshing crazily outside of the mosh pit (where I wasn't) was cool.

Seth's cut up leg (image).  You can download it in three sizes:

  • tiny: http://swoolley.org/cutlegtiny.jpg
  • small: http://swoolley.org/cutlegsmall.jpg
  • large: http://swoolley.org/cutleg.jpg

Seth Woolley's Blog reallife

rickie has a teaching job(0)

Update

My wife now has an offer from the Oakland Unified School District to teach this fall.  What building she's in is undetermined yet, but I'm hoping for Oakland High School.  It's fairly close.

Oakland has a 58% graduation rate.  There's a city called Piedmont inside the city of Oakland that has a 99.8% graduation rate (1 dropped out), but it also has money and is virtually all white.  That's over a thousand kids a year in Oakland who are left behind.  Consider the state takeover as well; that's the worst figure since the numbers began in '91.

Check it out for yourself here: http://data1.cde.ca.gov/dataquest/

Seth Woolley's Blog reallife

olympic mountains, strait of juan de fuca, and the puget sound(0)

Update

Now that I can inline images in my blog too, I thought I'd show you one of my favorite panoramas I've taken.

A panorama of the olympic peninsula (image).  You can download it in four sizes:

  • thumbnail: http://swoolley.org/trip/IMG_WIDE_thumb.jpg
  • tiny: http://swoolley.org/trip/IMG_WIDE_tiny.jpg
  • small: http://swoolley.org/trip/IMG_WIDE_small.jpg
  • large: http://swoolley.org/trip/IMG_WIDE.jpg

Seth Woolley's Blog photography reallife

life at panasas(0)

Update

So I'm finally settling down to life in the Bay Area.  I'm living in Oakland, carpooling with my former boss to Fremont (Will, the one who hired me at my current job).  He got a new job directing QA over at http://www.xensource.com/ .  Meanwhile, I'm doing his work and then some.  I'd like to thank Andrew for getting me this job, even though he decided to move over to http://telcontar.com/ to work on their Linux deployment.  If you know anybody who would like to work at http://panasas.com/ , knows or can learn TCL, and is very logical, let me know and I'll see if their resume is any good and forward it up the chain of command if so.

Seth Woolley's Blog reallife

new job(0)

Update

I've taken a position with Panasas, Inc. in Fremont, California (Southeast SF Bay Area) as a Software Engineer.  I'll be flying in on Jan 2.

Most of my time lately has been planning for the move and finding and training my replacement at Broadway Medical Clinic, so I haven't done as much around Source Mage as I would have liked.  When I get settled in, things should start to pick up again.

I'm looking for places to stay permanently around Piedmont.  I'll be renting out my house when Rickie finishes her ESOL program for an additional endorsement to her teaching license in the coming months, probably around April, so if you're interested in renting a home in Portland, Oregon's inner NE, let me know.

Seth Woolley's Blog reallife

internet is back(0)

Update

I'm back on the Internet and I've upgraded my net connection to 5mbit download / 1mbit upload, from 1.5mbit download / 1mbit upload.  That should take effect Monday.

A really cool hack would be if nano respected backslash line continuation with the justification command and line wrapping when given a switch on startup.  I've pored over the code and it doesn't look like too difficult a hack, although I must postpone it for lack of time.  Instead, I'll make the blog support line continuation first.

Seth Woolley's Blog reallife

internet outage(0)

Update

As I type this, I am disconnected from the Internet.  A server at Qwest has gone out and my DSL is inactive.

At 10:30 or so this morning the Internet sort of started dying from home, while I was reading my email from work.  Slowly.

At first, I had 60% packet loss, with sporadic total failures.  Then around three or four o'clock, I completely lost access and it wouldn't come back.

So now, with nothing to do or read, I sit here making this entry to memorialize the shamed feeling of disconnectedness, when instant access to the library of information known as the Internet is gone.

Seth Woolley's Blog reallife