Summer Symphony Third Movement

The third movement is up.

Unfortunately, you’ve all heard it before, as the Sextet, renamed Sunset Afternoons. Fortunately, you’ve not heard it quite like this.

I’ve been thinking of calling it a “Minuet and two-thirds,” since it’s written in a five beat (a Minuet is in three, so a minuet and two-thirds would be in five). I’ve also wondered about calling it a “Minuet and forty seconds,” which makes it an absolutely horrible (and obscure) pun.


Cultivating Compassion

I’ve found it hard to write, lately.

It isn’t that my thoughts have dried up. I recently finished two seriously eye-opening books: one on the history of the Mongols (yes, Genghis Khan and his sons), and the other Howard Zinn’s A People’s History of the United States. Cold fusion continues to heat up, and now NASA is investigating an effect that could — could — represent a violation of, or at least an extension to, the classical laws of momentum conservation, which could one day translate into a real “space drive” of the sort I read about in my uncle’s 1930’s space operas. I’ve been thinking a lot about the inevitable death of capitalism, and the closely-related issue of racism in the United States, and the rapid descent of American exceptionalism into an openly violent surveillance police-state, and what might replace the whole bloody mess. There’s always global warming to talk about, and the economics of oil. Then, of course, there’s the buffoonery of the American political system: despite two centuries of the Pageant of Idiots every two years, I think we’re scraping new lows this year; Gods help us next year as the now-perpetual Presidential campaign-and-money-pit turns into a full three-ring circus complete with flying pigs (wear a hat).

But somehow, it all seems distant. Noise. Like mosquitos farting.

The move to California has been a big part of this, I think; an anticipated effect, actually, which I’m glad to see. My chakras are re-aligning.

I’m happier. I’m starting to feel at ease in a way I was never at ease in Colorado. That makes it hard for me to write, because a large part of my desire to write in the past was discontent. I need to learn to write from a different place.

Maybe from a place of greater compassion, and hope. I’d like that.

A couple of weeks ago, someone wrote to the editor of the local paper with a long screed about how Social Security is a Ponzi scam, how it should be ended and its illegally-taxed money be returned to the rightful owners who paid into it, yada, yada.

About two days later, someone wrote a calm, well-reasoned response that basically boiled down to, “What are you smoking, man? It’s really bad for you.”

In Colorado, I would have been the fellow writing the response. And I’d have felt utterly alone, because this script — I call it the Ponzi script, and I suspect it comes to the masses through Fox News, though I think it’s actually older than television — is widely-believed by the hordes of Fox-watching “conservatives” of Colorado, even though it makes less sense than a rain umbrella for deep-sea divers. It isn’t merely that the “facts” are wrong; it’s that the whole narrative is incoherent, betraying a near-total ignorance of what Ponzi scams, Social Security, investment, retirement, and old-age support are about, to say nothing of exhibiting an apparent inability to think critically at all.

Here, someone else wrote that response, and I didn’t have to.

It seems minor, yet for me, it’s profound. Someone else wrote a response. Someone else gets it.

This isn’t about Social Security, nor is it about someone agreeing with me. It’s about the fact that, while facts and reasoning and mathematics perhaps can’t solve every problem, they can do a fine job of filtering out the complete lunatic bilge-water, on which any of us can so easily and unpleasantly drown. They can also lead two people who have never met and don’t listen to the same mind-numbing propaganda, to nevertheless come to a common understanding of how things work, entirely on their own.

It’s about sanity.

The Ponzi script is insane, and it’s only one of dozens, perhaps hundreds of equally insane scripts that permeate US culture, and dominate thought, discussion, and even legislation in many places in the US — Colorado most certainly among them.

So far, it doesn’t seem to include here, though I can’t speak for Sacramento or Orange County. This place seems sane. It isn’t just my head saying that, but my heart and … well, my chakras.

I have a good friend who is just back from six months in Bhutan, and she says that her return to US society in Boulder has been brutal and unspeakably lonely. I’ve encouraged her to write about the details of her daily life in Bhutan; I suspect that what will come through is an image of sanity.

I remember a therapist telling me once, a long time ago, that when you live in an insane environment, you end up questioning your own sanity.

It’s nice to know that here, I don’t have to question my sanity every time I argue against the Infallible Word of God (as delivered by Glenn Beck) that the sky is blue.

I will probably post less frequently for a while, as I try to find a different mode of writing. In the meantime, the third movement of the symphony is coming….


Summer Symphony Second Movement

I am in danger of letting the perfect become the enemy of the good.

Two things have impelled me to release the second movement, though I am still (and will forever be, I suspect) unsatisfied with the mix.

The first was the happy occasion of attending my first symphony concert in Ukiah. They did several rather unpopular works by Beethoven — the Lenore Overture #1 (Beethoven was so unhappy with this that he rewrote it three times, and #4 is the one normally performed with the opera it belongs to, as the Overture to Fidelio), the Ruins of Athens Overture, and the King Stephen Overture — and then the Bruch Violin Concerto, with Philip Santos up from San Francisco as the soloist.

It was not perfect. And that didn’t matter even a little bit. It was beautiful and inspiring, and Marta and I were thrilled. A valuable reminder to not let the perfect become the enemy of the good.

The other is that my niece’s water just broke this evening, and she’s delivering her first child as I write. It’s the first continuation of my father’s family line in their generation. Of his five siblings, only one had children, a boy and a girl (my cousins), and neither of them had children. Of the five surviving children between my sister and me, this is the first “grandchild” — though technically, she would be my great-niece (and yes, it’s a girl).

She is giving birth. So it’s time for me to give birth to this movement, which is (after all) a children’s movement. I’d like to dedicate it to my great-niece, though I’m not going to write her name here until I’ve double-checked the spelling, and the kids have other things on their minds right now. All in good time. [NB: it’s Kairi Eve Dunn, 7 lb 5 oz, born 10/11/2015 at 2:01 am in Casper, Wyoming]

The movement is subtitled “Variations on a Theme of Nanny-Nanny-Boo-Boo.” That’s technically incorrect — it is actually “Variations on a Theme of Nyah-Nyah-na-Nyah-Nyah,” but that just … doesn’t … quite work when you say it.

As it opens, I picture a little girl skipping down the sidewalk, or the road, in the early morning sun. You know she’s aware of a boy — a little brother, or perhaps a boy who is sweet on her — shadowing her, and they are sticking out their tongues and making faces when they think the other isn’t looking. And then….

Well, let the music speak from there.



I’ve been getting a lot of e-mail, lately, from one of my websites.

I mean that quite literally: I’m not receiving e-mail through one of my websites, I’m receiving it from one of my websites.

It seems someone is attempting a brute-force password attack on the site. After a certain number of attempts, the website generates an e-mail and sends it to me, warning of a brute-force attack. At first, I got one or two e-mails a day. Now, it’s up to five or six e-mails per hour.

Time to take some action, and then blog about it. (Used to be you’d take action, then brag about it, usually at the local pub — we do live in an isolated world.)

I’m not really worried about a successful hack. I use reasonably “strong” passwords — random jumbles of letters, numbers, and punctuation. These brute-force hacks go after dictionary words and obvious guesses, like ‘password’ and ‘1234’. They aren’t getting in with a brute force attack.

But the e-mails are annoying. I could just turn them off, but the hack attempts are also using up bandwidth. I’d like to discourage them.

Turns out that they’ve been using something called the system.multicall exploit. Someone back in 2001 proposed a way around website round-trip latency by packaging multiple XML-RPC requests into one, and the system.multicall method on the server (in WordPress, the xmlrpc.php endpoint) unpacks the bundle and executes every request in it. If the requests require a login to the site, each one carries its own login name and password, and there’s the exploit: package a thousand requests in a single blob, with a thousand different login names and brute-force password guesses, fire it at the site, and let it work.

Normally, password interfaces get twitchy if you fail too many logins in a row, and lock you out for anywhere from several minutes to several hours. (WordPress itself doesn’t do this; the lockouts come from security plugins or services hooked into the login form.) Since a guessing campaign needs thousands or millions of attempts before it hits gold, even a small delay of ten seconds per failure is enough to frustrate the brute-forcers. But with the system.multicall exploit there is only one HTTP request, carrying a thousand attempts, and it never touches the login prompt, which is where all the lockout delays are placed. Each attempt is still checked against the real password database, as fast as the server can process it, and a lockout tool that only counts requests sees one failed request, not a thousand.
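To make the amplification concrete, here is an added example (mine, not code from the post or from WordPress) that builds a system.multicall body the way an attacking tool would and then inspects it the way a front-door check in front of xmlrpc.php could. It uses only the Python standard library; the guessed credentials are constructed for the demo, wp.getUsersBlogs is a real WordPress XML-RPC method that takes a username and password, and the thresholds in `should_block` are hypothetical policy values, not anything WordPress ships.

```python
"""Inspect an XML-RPC POST body for system.multicall brute-force amplification.

Added example, not from the original post. Standard library only; the
credential guesses below are constructed for the demo.
"""
import xmlrpc.client

# Constructed attacker-style guess list: one HTTP request, many logins.
GUESSES = [("admin", "password"), ("admin", "1234"), ("admin", "letmein"),
           ("editor", "password"), ("jcn", "admin123")]


def build_multicall(guesses, method="wp.getUsersBlogs"):
    """Return the XML of a system.multicall wrapping one login call per guess.

    wp.getUsersBlogs takes (username, password); each inner call is a dict
    of methodName and params, which dumps() marshals as an XML-RPC struct.
    """
    calls = [{"methodName": method, "params": [user, pw]} for user, pw in guesses]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_login_call(user, pw, method="wp.getUsersBlogs"):
    """Return the XML of a single, ordinary login call with no multicall."""
    return xmlrpc.client.dumps((user, pw), methodname=method)


def inspect_body(body, login_methods=frozenset({"wp.getUsersBlogs"})):
    """Parse a methodCall body and summarise what it would do if served.

    Returns the outer method name, how many inner calls a multicall carries,
    and the (user, password) pairs of every credentialed login it contains.
    """
    params, method = xmlrpc.client.loads(body)
    summary = {"method": method, "inner_calls": 0, "login_attempts": []}
    if method in login_methods and len(params) >= 2:
        # A direct login call: exactly one attempt, rate-limitable as usual.
        summary["login_attempts"].append((params[0], params[1]))
        return summary
    if method != "system.multicall":
        return summary
    # Per the multicall spec the single parameter is an array of structs,
    # each with a methodName and a params array.
    for call in params[0]:
        summary["inner_calls"] += 1
        inner = call.get("methodName")
        args = call.get("params", [])
        if inner in login_methods and len(args) >= 2:
            summary["login_attempts"].append((args[0], args[1]))
    return summary


# Hypothetical thresholds for a reverse-proxy or WAF style check.
MAX_INNER_CALLS = 10
MAX_LOGIN_ATTEMPTS = 1


def should_block(body):
    """Decide whether to reject the request before it reaches xmlrpc.php."""
    s = inspect_body(body)
    return (s["inner_calls"] > MAX_INNER_CALLS
            or len(s["login_attempts"]) > MAX_LOGIN_ATTEMPTS)


if __name__ == "__main__":
    body = build_multicall(GUESSES)
    print(inspect_body(body))
    print("block multicall:", should_block(body))
    print("block single login:", should_block(build_login_call("admin", "password")))
```

The point of the check is that it counts login attempts per HTTP request rather than HTTP requests per client, which is the unit a multicall hides behind. A real deployment would also need to treat unparseable bodies as suspicious rather than let `loads` raise.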

The notice I got from one of the security services said that system.multicall has almost no legitimate uses in the real world, and suggested that we “disable” it. But their method, to the extent that they describe it at all, involves signing up for their web proxy service and paying them $9.95 per month. I decided to take a more direct approach.

I got into my own site via ssh — that’s the way I get onto the site for deep maintenance and code development — and ran a search for the system.multicall function in the WordPress code. It turned up in:


which is more-or-less where I would have expected it to be. Here’s the relevant snippet from that file.

    function setCallbacks()
    {
        $this->callbacks['system.getCapabilities'] = 'this:getCapabilities';
        $this->callbacks['system.listMethods'] = 'this:listMethods';
        $this->callbacks['system.multicall'] = 'this:multiCall';
    }

    function listMethods($args)
    {
        // Returns a list of methods - uses array_reverse to ensure user defined
        // methods are listed before server defined methods
        return array_reverse(array_keys($this->callbacks));
    }

    function multiCall($methodcalls)
    {
        // JCN - disabling this
        return array();

        // See$1208
        $return = array();
        foreach ($methodcalls as $call) {
            // ... build up $return array items ...
        }
        return $return;
    }

Now, the nice way to fix this would be to remove the line that assigns ‘this:multiCall’ to the callbacks array. That way the method doesn’t even show up in the listMethods() call, and anyone trying to use system.multicall is politely informed that it isn’t supported on this WordPress site. Two caveats for anyone copying either approach: this file is part of WordPress core, so the next core update silently puts system.multicall back and the edit has to be repeated (the sturdier options are to deny requests to xmlrpc.php at the web server, or to use WordPress’s xmlrpc_enabled filter, which makes every authenticated XML-RPC method fail whether or not it arrives inside a multicall). And later versions of WordPress (4.4 onward) stop evaluating further logins inside a multicall once the first one fails, which removes most of the amplification without editing anything.

I wasn’t in a nice mood.

So instead, I left system.multicall in the callbacks list, but I broke it, using the inserted line commented with JCN.

As explained here, the $methodcalls argument is an array of requests, each naming a method and its parameters; for the WordPress methods that require a login, the parameters include the login name and password, and those are the guesses. The response is supposed to be an array with one entry for every request, and (as the attacking tool prints them) the entries look like this:

    {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
    {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
    {'faultCode': 403, 'faultString': 'Incorrect username or password.'},
    {'url': '', 'isAdmin': True, 'blogid': '1', 'xmlrpc': '', 'blogName': 'wpxxx'},

The line that isn’t a fault code indicates they successfully hacked the site. The response doesn’t have the user and password in it, so that means they have to match up the responses with the requests to find out which user/password combination actually worked. I thought it might be interesting to fake up a response like this:

{'url': '', ..., 'blogName': 'you_are_fucked'}

Not that there is such a site. The idea is just to make the hacker’s blood run cold, since my guess is that whoever is using this hacking software probably doesn’t know much about how it works; a lot of hackers just use canned software they pick up on hacker sites, and have no idea what the code actually does.

So when this popped up in their results, they’d pee themselves and spend the next month looking over their shoulders, not knowing if their hacking software (which they don’t understand) actually called the URL and activated a trap that backtraced their real IP address, right through the IP anonymizer they’re using. After all, it’s the FBI, right? They can do that sort of thing, right?

Yes, I have a mean streak. I don’t let it out to play very often.

I didn’t let it out this time. Instead, I decided to just return an empty array, in the hopes that it might actually break their hacking code. I don’t know how fault-tolerant their code is, but since they have to match requests with responses, and there aren’t enough responses for the requests, it could crash poorly-written code.
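To show what that mismatch does on the receiving end, here is an added example (mine, not the post’s code and not any real cracking tool) of the pairing step a tool has to perform: it matches each result in the server’s array back to the (user, password) it sent, in order. The response bodies are constructed with the Python standard library to match the shapes quoted above; a real wp.getUsersBlogs success is wrapped in an extra array by the multicall spec, but the flat struct here follows the post’s printed output. The empty array is the reply a patched multiCall that returns array() produces.

```python
"""Pair system.multicall results back to the login attempts they answer.

Added example, not from the original post. Standard library only; the
attempts and result structs are constructed to mirror the shapes quoted
in the post.
"""
import xmlrpc.client

# Per-call results as the post shows them: a fault struct per failed login
# and a blog struct for the one that succeeded.
FAULT = {"faultCode": 403, "faultString": "Incorrect username or password."}
SUCCESS = {"url": "", "isAdmin": True, "blogid": "1", "xmlrpc": "", "blogName": "wpxxx"}

# Constructed guesses, in the order the tool sent them inside the multicall.
ATTEMPTS = [("admin", "password"), ("admin", "1234"),
            ("admin", "letmein"), ("wpxxx", "secret")]


def multicall_response(results):
    """Build the methodResponse whose single value is the array of results."""
    return xmlrpc.client.dumps((results,), methodresponse=True)


def pair_results(attempts, response_body):
    """Match attempts to results positionally and return the successful ones.

    Raises ValueError when the server returned a different number of results
    than there were requests, since positional matching is then meaningless.
    A naive zip() would instead silently drop every unmatched attempt.
    """
    params, _ = xmlrpc.client.loads(response_body)
    results = params[0]
    if len(results) != len(attempts):
        raise ValueError(f"expected {len(attempts)} results, got {len(results)}")
    hits = []
    for (user, pw), result in zip(attempts, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # a rejected login
        hits.append((user, pw, result))
    return hits


def run_tool(attempts, response_body):
    """Simulate the tool consuming a reply.

    Returns ("ok", hits) for a well-formed reply and ("crashed", reason) when
    pairing fails, which is what an empty results array causes here.
    """
    try:
        return "ok", pair_results(attempts, response_body)
    except (ValueError, xmlrpc.client.Fault) as exc:
        return "crashed", str(exc)


if __name__ == "__main__":
    normal = multicall_response([FAULT, FAULT, FAULT, SUCCESS])
    print(run_tool(ATTEMPTS, normal))
    print(run_tool(ATTEMPTS, multicall_response([])))
```

Whether a real tool crashes or quietly reports nothing depends on which of those two behaviours its author chose; either way it learns nothing from the site, which is the outcome that matters.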

If it’s kids getting into mischief, they’ll have to work pretty hard to learn enough about their hacking code to get it to run at all against my site without crashing. It’s a challenge and some good training for them. Eventually, they’ll give up, and go away.

If it’s some amateur hacker ring in Russia or China, it’s going to piss them off: they’re probably hacking hundreds or thousands of sites, simultaneously, and selling the cracked passwords to some broker, who then sells the information for a substantial markup to people who want to take over domains that can’t be traced back to them. Crashing their code means they’re losing money. They’ll have to spend time trying to figure out which site tripped them up. In the meantime, they’re down — every time they start their code, as soon as it hits my site, they go down again. Boo-hoo. They’ll eventually find that my site is messing them up, and stop poking at it.

If it’s a more professional ring, with more competent software (and developers who know what they’re doing), they’ll just scrub my site from their list and move on. In fact, it’s probably automatic: that’s how I’d design it. First sign of trouble, and you drop the attacks. Every attack they make on an aware site carries an exposure risk for them, and there’s no point in that. Plus, an aware site means strong passwords, so the brute-force attack is a waste of time. They’ll move on.

Regardless of which scenario (if any of these) is true, the system.multicall door is closed, and whoever was doing this will move on, like any parasite when the feeding is poor.

But I’d like to think that somewhere in the world, some hacking code is, at this very moment, choking to death on (literally) nothing.

Harvest Festival Time

Yesterday was tough for Marta and me; work for me, family and work for her. We both wanted to collapse. But we’d been invited by our neighbors, Dave and Leslie, to the Ukiah Chili Cook-Off downtown, a fund-raiser for the Boys-and-Girls Club, and — according to Dave — one of the best parties Ukiah puts on. So we dragged ourselves out.

It was, indeed, a sweet party on the green. The Mendocino Animal Hospital chose a Cat In The Hat theme — you see Thing One and Thing Two here. The Rainbow farm supply store chose a theme of turkeys, one booth had a New Orleans theme, and there was even a Mad Scientist theme, complete with a home-built Tesla coil (“Just a little one,” the owner said, modestly). The music wasn’t live, but was well-selected and well-mixed, the chilis were awesome, and there was plenty of beer and wine, as well as a free drive-home service for those who imbibed a bit too much.

As you can see in the pictures, the light is starting to grow heavy and golden, but the weather remains warm and dry.

It was a perfect way to shake off the blues of a long week.

This morning, Marta took me to breakfast at Stan’s Maple Cafe, and we walked over to the farmer’s market afterward. We spent some time chatting with the vendors.

We talked about lambs, sheep, and wool with the lamb merchant. Wool is made from the long-haired sheep, not the sheep they raise for slaughter. She said they can’t even give the wool from their sheep away. No one wants it. We bought some chops.

We bought oyster mushrooms from the mushroom lady, and listened as she explained to another customer about how they raise the mushrooms; the life-cycle and harvesting schedule. They’re beautiful: they grow in clusters with the gills facing forward, or at least that’s how they’re presented: perhaps they grow against a wall, then lay sideways on the table. Marta asked about preparation and collected some ideas. I asked about Chanterelles, which are wild and native to the area, and which I’d read about in Kate’s book on the wild oaks.

“Oh, Kate’s book!” the mushroom lady enthused. “I love her book. The Oak Woodlands, right?” But she had no Chanterelles, as they can’t sell wild mushrooms in California, by law. However, you can get them in various renegade markets in the area, and she said they are delicious.

“How do they get around the law?” I asked.

She shrugged. “They’re renegade markets. They sell all sorts of things.”

The apple merchant was intrigued by Marta’s story about my experience with Tyrolean apple soup, and wanted the recipe. We exchanged e-mail addresses, and bought a bag of fresh-picked Jonathan apples.

One of the produce farmers had various squashes, and Marta talked with him about recipes for the big orange guy shown above, which is a variety of Hopi Squash. The chili cook-off inspired her, and she is inventing new chili recipes in her head.

The produce farmer mentioned that he grows these in the traditional mounds of the “three sisters” — squash, beans, and maize — and I asked him if he minded a strange question. I asked if he could raise enough food to live for a year this way. He thought about it, then shook his head. He said, “You might raise enough food, but you can’t keep going. You need the full life-cycle, including animals. I looked into getting a cow at one point. It takes seven acres to keep a cow. Goats are better, but they still take land. You really need a village to survive on your own produce.”

We had a conversation about the village, and he said the natural size of the village unit is about thirty people, in which each person has his or her specialized job. He said they even need one troublemaker, or indigent — someone who didn’t do what was expected of him or her: the town drunk, the village idiot, the farmer who falls apart because his wife died. He said it teaches the village empathy.

I bought some local honey. I asked what pollen the bees had used, and he gave a long list: he told me the bees worked a particular piece of farmland that had all of those things. The spring honey was more uniform, and milder. As I write, now, I’ve forgotten all the details, but the vendor knew the bees, and the honey.

I think it’s time to start a jug of mead. There are no local brewing supply stores, and I’m debating whether I even want to buy a packet of yeast through Amazon. This is wine country, and the grape yeasts are everywhere. Vintners — some of them, at least — don’t add anything to their musts. No sulfites, no water, no yeast. The grapes are already covered with yeasts, and the grape juices will ferment on their own. I’m sure the yeasts suffuse the air, as well. You can smell the grapes; the harvest is already well underway, a little early this year because of the drought and the heat.

After the farmer’s market, Marta and I took a drive up into Redwood Valley, about fifteen minutes away, and found a little hole-in-the-wall Mexican restaurant with the best food. Then, driving back to town, we stopped at the Barra tasting room, where I bought a wonderful Pinot Noir and an even more excellent Muscat dessert wine.

It has been a beautiful weekend.