Libtards and Other Insults

There’s a meme running around the Internet right now mocking “political correctness,” comparing twenty-year-olds who fought in WWII to the twenty-year-olds on college campuses who want safe spaces from nasty old words.

A friend reposted an Internet bumpersticker to this effect that linked to a site where self-described conservatives gather to trash-talk the educated elites and other “libtards.” It’s the first time I’ve actually been to one of those places, and the comments — which contained some of the vilest language expressing the most sewer-worthy mental processes I’ve ever read — made me think. I wanted to respond to one of them, in particular, with something like the following:

Yes, things have certainly gone downhill a long way since 1945. In those days, conservatives were polite, well-spoken, and if they didn’t go to college, they went out and got jobs and did something productive with their lives, rather than hanging around in a public place showing off their dirty mouths. Had they made such a public nuisance of themselves, a police officer would have picked up the ringleader and taken him home to his father, who would have listened politely to the officer, then given his son an indelible lesson in civic pride. Had that failed to have the intended effect, the boy would have found himself in military school, in the hopes that a good master-sergeant could make a man and citizen out of him. Conservatism was, if nothing else, always polite. That is clearly no longer the nature of conservatism.

Or at least, the self-described “conservatism” that lives in these Internet ratholes, or on “conservative talk radio,” or in political campaigns like Donald Trump’s or Carly Fiorina’s, where “political correctness” is a code-word for “civility,” and is entirely absent.

You know, at least slavery was a real issue. I mean, if you’re going to tear apart civil society, set brother against brother in mortal combat, slavery is something worth fighting over. Insofar as any war is worth fighting.

But it seems we are now coming to a national crisis over the right to be foul-mouthed boors. The right to prance around in convenience stores decked out like Rambo-without-a-cause. The right to believe, and legislate upon, the idea that prayer to God to bring down gas prices is a sound national energy policy.

That is not conservatism. That is insanity.

Summer Symphony Third Movement

The third movement is up.

Unfortunately, you’ve all heard it before, as the Sextet, renamed Sunset Afternoons. Fortunately, you’ve not heard it quite like this.

I’ve been thinking of calling it a “Minuet and two-thirds,” since it’s written in a five beat (a Minuet is in three, so a minuet and two-thirds would be in five). I’ve also wondered about calling it a “Minuet and forty seconds,” which makes it an absolutely horrible (and obscure) pun.


Cultivating Compassion

I’ve found it hard to write, lately.

It isn’t that my thoughts have dried up. I recently finished two seriously eye-opening books: one on the history of the Mongols (yes, Genghis Khan and his sons), and the other Howard Zinn’s A People’s History of the United States. Cold fusion continues to heat up, and now NASA is investigating an effect that could — could — represent a violation of, or at least an extension to, the classical laws of momentum conservation, which could one day translate into a real “space drive” of the sort I read about in my uncle’s 1930’s space operas. I’ve been thinking a lot about the inevitable death of capitalism, and the closely-related issue of racism in the United States, and the rapid descent of American exceptionalism into an openly violent surveillance police-state, and what might replace the whole bloody mess. There’s always global warming to talk about, and the economics of oil. Then, of course, there’s the buffoonery of the American political system: despite two centuries of the Pageant of Idiots every two years, I think we’re scraping new lows this year; Gods help us next year as the now-perpetual Presidential campaign-and-money-pit turns into a full three-ring circus complete with flying pigs (wear a hat).

But somehow, it all seems distant. Noise. Like mosquitos farting.

The move to California has been a big part of this, I think; an anticipated effect, actually, which I’m glad to see. My chakras are re-aligning.

I’m happier. I’m starting to feel at ease in a way I was never at ease in Colorado. That makes it hard for me to write, because a large part of my desire to write in the past was discontent. I need to learn to write from a different place.

Maybe from a place of greater compassion, and hope. I’d like that.

A couple of weeks ago, someone wrote to the editor of the local paper with a long screed about how Social Security is a Ponzi scam, how it should be ended and its illegally-taxed money be returned to the rightful owners who paid into it, yada, yada.

About two days later, someone wrote a calm, well-reasoned response that basically boiled down to, “What are you smoking, man? It’s really bad for you.”

In Colorado, I would have been the fellow writing the response. And I’d have felt utterly alone, because this script — I call it the Ponzi script, and I suspect it comes to the masses through Fox News, though I think it’s actually older than television — is widely-believed by the hordes of Fox-watching “conservatives” of Colorado, even though it makes less sense than a rain umbrella for deep-sea divers. It isn’t merely that the “facts” are wrong; it’s that the whole narrative is incoherent, betraying a near-total ignorance of what Ponzi scams, Social Security, investment, retirement, and old-age support are about, to say nothing of exhibiting an apparent inability to think critically at all.

Here, someone else wrote that response, and I didn’t have to.

It seems minor, yet for me, it’s profound. Someone else wrote a response. Someone else gets it.

This isn’t about Social Security, nor is it about someone agreeing with me. It’s about the fact that, while facts and reasoning and mathematics perhaps can’t solve every problem, they can do a fine job of filtering out the complete lunatic bilge-water, on which any of us can so easily and unpleasantly drown. They can also lead two people who have never met and don’t listen to the same mind-numbing propaganda, to nevertheless come to a common understanding of how things work, entirely on their own.

It’s about sanity.

The Ponzi script is insane, and it’s only one of dozens, perhaps hundreds of equally insane scripts that permeate US culture, and dominate thought, discussion, and even legislation in many places in the US — Colorado most certainly among them.

So far, it doesn’t seem to include here, though I can’t speak for Sacramento or Orange County. This place seems sane. It isn’t just my head saying that, but my heart and … well, my chakras.

I have a good friend who is just back from six months in Bhutan, and she says that her return to US society in Boulder has been brutal and unspeakably lonely. I’ve encouraged her to write about the details of her daily life in Bhutan; I suspect that what will come through is an image of sanity.

I remember a therapist telling me once, a long time ago, that when you live in an insane environment, you end up questioning your own sanity.

It’s nice to know that here, I don’t have to question my sanity every time I argue against the Infallible Word of God (as delivered by Glenn Beck) that the sky is blue.

I will probably post less frequently for a while, as I try to find a different mode of writing. In the meantime, the third movement of the symphony is coming….


Summer Symphony Second Movement

I am in danger of letting the perfect become the enemy of the good.

Two things have impelled me to release the second movement, though I am still (and will forever be, I suspect) unsatisfied with the mix.

The first was the happy occasion of attending my first symphony concert in Ukiah. They did several rather unpopular works by Beethoven — the Leonore Overture #1 (Beethoven was so unhappy with this that he rewrote it three times, and #4 is the one normally performed with the opera it belongs to, as the Overture to Fidelio), the Ruins of Athens Overture, and the King Stephen Overture — and then the Bruch Violin Concerto, with Philip Santos up from San Francisco as the soloist.

It was not perfect. And that didn’t matter even a little bit. It was beautiful and inspiring, and Marta and I were thrilled. A valuable reminder to not let the perfect become the enemy of the good.

The other is that my niece’s water just broke this evening, and she’s delivering her first child as I write. It’s the first continuation of my father’s family line in their generation. Of his five siblings, only one had children, a boy and a girl (my cousins), and neither of them had children. Of the five surviving children between my sister and me, this is the first “grandchild” — though technically, she would be my great-niece (and yes, it’s a girl).

She is giving birth. So it’s time for me to give birth to this movement, which is (after all) a children’s movement. I’d like to dedicate it to my great-niece, though I’m not going to write her name here until I’ve double-checked the spelling, and the kids have other things on their minds right now. All in good time. [NB: it’s Kairi Eve Dunn, 7 lb 5 oz, born 10/11/2015 at 2:01 am in Casper, Wyoming]

The movement is subtitled “Variations on a Theme of Nanny-Nanny-Boo-Boo.” That’s technically incorrect — it is actually “Variations on a Theme of Nyah-Nyah-na-Nyah-Nyah,” but that just … doesn’t … quite work when you say it.

As it opens, I picture a little girl skipping down the sidewalk, or the road, in the early morning sun. You know she’s aware of a boy — a little brother, or perhaps a boy who is sweet on her — shadowing her, and they are sticking out their tongues and making faces when they think the other isn’t looking. And then….

Well, let the music speak from there.



I’ve been getting a lot of e-mail, lately, from one of my websites.

I mean that quite literally: I’m not receiving e-mail through one of my websites, I’m receiving it from one of my websites.

It seems someone is attempting a brute-force password attack on the site. After a certain number of attempts, the website generates an e-mail and sends it to me, warning of a brute-force attack. At first, I got one or two e-mails a day. Now, it’s up to five or six e-mails per hour.

Time to take some action, and then blog about it. (Used to be you’d take action, then brag about it, usually at the local pub — we do live in an isolated world.)

I’m not really worried about a successful hack. I use reasonably “strong” passwords — random jumbles of letters, numbers, and punctuation. These brute-force hacks go after dictionary words and obvious guesses, like ‘password’ and ‘1234’. They aren’t getting in with a brute force attack.

But the e-mails are annoying. I could just turn them off, but the hack attempts are also using up bandwidth. I’d like to discourage them.

Turns out that they’ve been using something called the system.multicall exploit. Someone back in 2001 proposed a method of getting around website round-trip latency by packaging multiple requests, and the system.multicall PHP object on the server would field the package and execute all of the requests. If the requests required login to the site, each such request would have a login name and a password — and there’s the exploit. You package up a thousand requests in a single blob, containing a thousand different login names and brute force password guesses, fire it off at the site, and let it work.

Normally, password interfaces get twitchy if you fail too many login requests in a row, and lock you out for anywhere from several minutes to several hours. Since you have to get through billions of guesses before you hit gold, even a small delay of ten seconds is enough to frustrate the brute force hackers. But with this system.multicall exploit, there’s only one request with a thousand attempts in it, and it doesn’t even go through the login prompt (which is where all the lockout delays are placed). So these attempts get executed as quickly as the server can process them.
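The gap described above, seen from the defender's side, as an added example in Python (not code from the original post or from WordPress): it counts the calls packed into one system.multicall XML-RPC body and charges a lockout counter once per packed call instead of once per HTTP request. The method name `demo.getBlogs`, the sample bodies, and the `AttemptLimiter` class are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for hostile input, defusedxml.ElementTree is the safer drop-in
from collections import defaultdict, deque

# Constructed sample: one HTTP request carrying three credential guesses.
# "demo.getBlogs" and the user/guess values are made up for this example.
_SUBCALL = (
    "<value><struct>"
    "<member><name>methodName</name><value><string>demo.getBlogs</string></value></member>"
    "<member><name>params</name><value><array><data>"
    "<value><string>user</string></value><value><string>guess</string></value>"
    "</data></array></value></member>"
    "</struct></value>"
)
MULTICALL = (
    "<methodCall><methodName>system.multicall</methodName><params><param>"
    "<value><array><data>" + _SUBCALL * 3 + "</data></array></value>"
    "</param></params></methodCall>"
)
SINGLE = "<methodCall><methodName>demo.getBlogs</methodName><params/></methodCall>"

_STRUCTS = "./params/param/value/array/data/value/struct"


def packed_methods(body: str) -> list:
    """Method names packed inside a system.multicall body; [] for any other call."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodCall" or (root.findtext("methodName") or "").strip() != "system.multicall":
        return []
    names = []
    for struct in root.findall(_STRUCTS):
        for member in struct.findall("member"):
            value = member.find("value")
            if member.findtext("name") == "methodName" and value is not None:
                names.append("".join(value.itertext()).strip())
    return names


class AttemptLimiter:
    """Sliding-window lockout that charges one attempt per packed call, not per HTTP request."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # client -> (timestamp, cost)

    def allow(self, client: str, body: str, now: float) -> bool:
        q = self.events[client]
        while q and now - q[0][0] > self.window:
            q.popleft()  # forget attempts that have aged out of the window
        q.append((now, max(1, len(packed_methods(body)))))
        return sum(cost for _, cost in q) <= self.limit
```

A limiter that counted HTTP requests would see each multicall body as a single attempt; this one sees three, so a client is locked out after the same number of guesses whichever way they arrive.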

The notice I got from one of the security services said that the system.multicall service has almost no legitimate uses in the real world. So they suggested that we “disable” system.multicall. But their method, to the extent that they describe it at all, involves signing up for their web proxy service and paying them $9.95 per month. I decided to take a more direct approach.

I got into my own site via ssh — that’s the way I get onto the site for deep maintenance and code development — and ran a search for the system.multicall function in the WordPress code. It turned up in:


which is more-or-less where I would have expected it to be. Here’s the relevant snippet from that file.

    function setCallbacks()
    {
        $this->callbacks['system.getCapabilities'] = 'this:getCapabilities';
        $this->callbacks['system.listMethods'] = 'this:listMethods';
        $this->callbacks['system.multicall'] = 'this:multiCall';
    }

    function listMethods($args)
    {
        // Returns a list of methods - uses array_reverse to ensure user defined
        // methods are listed before server defined methods
        return array_reverse(array_keys($this->callbacks));
    }

    function multiCall($methodcalls)
    {
        // JCN - disabling this
        return array();

        // Everything below this point is now unreachable.
        // See$1208
        $return = array();
        foreach ($methodcalls as $call) {
            // ... build up $return array items ...
        }
        return $return;
    }

Now, the nice way to fix this would be to remove the line that assigns ‘this:multiCall’ to the callbacks array. That means the method won’t even show up in the listMethods() call, so anyone trying to use system.multicall would be politely informed that system.multicall isn’t supported on this WordPress site.

I wasn’t in a nice mood.

So instead, I left system.multicall in the callbacks list, but I broke it, using the inserted line commented with JCN.

As explained here, the $methodcalls argument is an array of requests that ask for something that requires a login, and each request provides the login name and password to be used, which are the hack attempts. The response is supposed to be an array with one response for every request, and they look like this:

{'faultCode': 403, 'faultString': 'Incorrect username or password.'},
{'faultCode': 403, 'faultString': 'Incorrect username or password.'},
{'faultCode': 403, 'faultString': 'Incorrect username or password.'},
{'url': '', 'isAdmin': True, 'blogid': '1', 'xmlrpc': '', 'blogName': 'wpxxx'},

The line that isn’t a fault code indicates they successfully hacked the site. The response doesn’t have the user and password in it, so that means they have to match up the responses with the requests to find out which user/password combination actually worked. I thought it might be interesting to fake up a response like this:

{'url': '', ..., 'blogName': 'you_are_fucked'}

Not that there is such a site. The idea is just to make the hacker’s blood run cold, since my guess is that whoever is using this hacking software probably doesn’t know much about how it works — a lot of hackers just use canned software they pick up on hacker sites, and have no idea what the code actually does.

So when this popped up in their results, they’d pee themselves and spend the next month looking over their shoulders, not knowing if their hacking software (which they don’t understand) actually called the URL and activated a trap that backtraced their real IP address, right through the IP anonymizer they’re using. After all, it’s the FBI, right? They can do that sort of thing, right?

Yes, I have a mean streak. I don’t let it out to play very often.

I didn’t let it out this time. Instead, I decided to just return an empty array, in the hopes that it might actually break their hacking code. I don’t know how fault-tolerant their code is, but since they have to match requests with responses, and there aren’t enough responses for the requests, it could crash poorly-written code.

If it’s kids getting into mischief, they’ll have to work pretty hard to learn enough about their hacking code to get it to run at all against my site without crashing. It’s a challenge and some good training for them. Eventually, they’ll give up, and go away.

If it’s some amateur hacker ring in Russia or China, it’s going to piss them off: they’re probably hacking hundreds or thousands of sites, simultaneously, and selling the cracked passwords to some broker, who then sells the information for a substantial markup to people who want to take over domains that can’t be traced back to them. Crashing their code means they’re losing money. They’ll have to spend time trying to figure out which site tripped them up. In the meantime, they’re down — every time they start their code, as soon as it hits my site, they go down again. Boo-hoo. They’ll eventually find that my site is messing them up, and stop poking at it.

If it’s a more professional ring, with more competent software (and developers who know what they’re doing), they’ll just scrub my site from their list and move on. In fact, it’s probably automatic: that’s how I’d design it. First sign of trouble, and you drop the attacks. Every attack they make on an aware site carries an exposure risk for them, and there’s no point in that. Plus, an aware site means strong passwords, so the brute-force attack is a waste of time. They’ll move on.

Regardless of which scenario (if any of these) is true, the system.multicall door is closed, and whoever was doing this will move on, like any parasite when the feeding is poor.

But I’d like to think that somewhere in the world, some hacking code is, at this very moment, choking to death on (literally) nothing.