Media Break: 28/02/2016

I was meaning to do one of these every two weeks. That hasn’t really worked out, has it…

  • Out of the serious Oscar contenders, I will be more than happy if Room wins. Really subtle and well done. Mad Max: Fury Road is of course the best film there, but it’s never going to get Best Picture or Best Director in a million years (even though it had as arduous a shoot as The Revenant did, only less talked about).
  • Idris Elba was robbed. So were Ryan Coogler and Michael B. Jordan: Creed is just a Rocky movie really, but it somehow manages to breathe life back into the old carthorse through the traditional means of quality direction, a mastery of screenplay structure, and beautifully realistic, low-key performance.
  • Deadpool is far more fun than it had any right to be and absolutely is the best X-Men spinoff by far (it does help that it’s the only one that’s been written with any form of a sense of humour involved). Suicide Squad will have a lot to live up to.
  • I liked The Hateful Eight a lot, probably more than a lot of critics did: only Tarantino and Robert Richardson can get away with filming a cramped single-location film in Ultra Panavision 70 and not have it feel entirely like a gimmick. Like always, it improved a lot in his redrafting and, looking at the final draft screenplay the Weinstein Company have published for Oscars season, in the edit too. Wish Entertainment hadn’t fallen out with Cineworld though; but I don’t regret having to pay extra for once. (Note: I saw it on digital, with an intermission, at a Vue.)
  • What on earth is going on with Batman v. Superman? The only way they seem to be promoting it in Britain at the moment is with some appalling Turkish Airlines commercials that are on every ad break on Food Network and most ad breaks on every other Freeview channel. I will probably see it, but still…
  • Rise of the Tomb Raider can be recommended to anyone who enjoyed 2013 Tomb Raider: it plays the same, but adds better tombs, better side missions, optional NPC quests and fewer quick-time events of doom. A better rounded game.
  • Musically, I am enjoying Not to Disappear by Daughter, SVIIB by School of Seven Bells, Adore Life by Savages, and absolutely loving Synthia by the Jezabels. Check all of these out on your streaming service of choice. New Underworld, Pet Shop Boys and PJ Harvey coming imminently too.
  • Blackstar is also brilliant, but what did we expect really? David Bowie is the biggest, most devastating loss of the year.

It’s the list-makingest time of the year

It’s that time of the year where everyone comes together on the Internet to argue about what everyone liked over the year and why they’re wrong. So it’s time for my contribution…


Here is a Spotify playlist I’ve made of some of my favourite stuff this year:

This playlist is actually incomplete: for the sake of track-to-track flow it’s missing anything from Floating Points’ Elaenia, Laura Marling’s Short Movie, Errors’ Lease of Life, Hot Chip’s Why Make Sense? and Purity Ring’s Another Eternity, all of which are very much worth your time. Purity Ring provided the best live show I’ve seen this year (at Metropolis in Montréal).

Best comeback of the year is of course New Order (but then I’m biased), and best collaboration of the year is F.F.S. (managing to be better than both the last Franz Ferdinand and Sparks records – there has to be a future for it.)

Addendum 22.12.2015: Forgot to mention or include in the playlist The Race for Space by Public Service Broadcasting, which is a pretty big omission; or No Cities to Love by Sleater-Kinney.


Best biopic so far this year is the exceptional Love & Mercy. Only just behind that is Straight Outta Compton, which did well to try to get a consistent narrative line into the complicated and multifaceted N.W.A. story with nicely kinetic direction from F. Gary Gray and the year’s best producer credit (Ice Cube p.g.a., because of course he’s in the union.)

It’s actually been quite a good year for spy and spy related stuff. Kingsman is by turns nasty, compelling, outrageous and very, very funny (even if Vaughn and Goldman didn’t quite manage to downplay the bad bits of Millar’s writing as much as they did with Kick-Ass.) The Man from U.N.C.L.E. is massively uneven but its 60s atmosphere is spot on and when it sparks, it really works (the scene where Napoleon Solo finds safety while a massive action scene goes on in the background is utterly unique).

Mission: Impossible – Rogue Nation is the most consistent narratively since the first one and is brilliantly directed and constructed, even if there’s not a single overall sequence as good as the Dubai sequence in Ghost Protocol. Spectre is the third best Daniel Craig Bond film, but I’d still be happy if Mendes came back on the condition that he brings back Roger Deakins and Stuart Baird and finds some better writers.

Out of the two Marvel films this year, Ant-Man is better (completely in inverse to my expectations): off the wall and willing to try new things, it is also the rare Marvel film that gets better and better as it goes on, although it’s a shame we didn’t get to see Edgar Wright’s version. It’s effectively a low-stakes version of Iron Man and all the better for it. Age of Ultron drags a bit and feels overly breezy and fluffy, although it’s still pretty and Elizabeth Olsen is great in it.

Since I haven’t seen Star Wars yet I can’t quite classify that. The Revenant should be interesting too: the trailers give an utterly unique feel.

Addendum 22.12.2015: The Force Awakens is very much worth watching. I missed The Martian, which was a lot of fun and Ridley Scott’s best film in years. And of course, how could I forget Fury Road, by far the best sequel of the year? (That piece is unblocked and I’m working on it again, by the way.)


I haven’t played that much this year – I have time constraints, I don’t play MMOs and I hate military FPS with the force of a thousand suns, so the only big budget games I’ve played through this year are the hilarious Saints Row IV (finally giving up any pretence of being a serious game and going for all out comedy) and the PC version of Arkham Knight. Because I have a 4790K, 16GB of RAM and a GTX970 I was just about able to run it acceptably, which continues to show that if the PC is not dead as a gaming platform, it’s at least in the resus room.

For the record, it played OK after the first patch and some of what it does is brilliant (and unfortunately its best element is a spoiler), but it is the least of Rocksteady’s Batman games. Still better than Arkham Origins and most other games though, and it still handles its No Man’s Land inspiration better than Dark Knight Rises. So I would recommend giving it a go if you have a machine that it will work on, or one of the current-gen consoles.

I do not own any of the current consoles, so Rise of the Tomb Raider will be 2016 for me. Let’s hope Crystal don’t screw that port up.

Fitter, happier, more productive

Things I’ve enjoyed, or found interesting, recently:

  • The Wrestler is really, really good. Possibly more truth in it than in almost all documentaries about the actual wrestling scene, although Jon Ronson had a good go in his Guardian piece about the aftermath of Chris Benoit’s killing spree. Really a must see.
  • The Springsteen album (featuring the excellent and appropriate credits song from the above as a bonus track) is also pretty enjoyable. Excellent graphics for the DVD version, too; shame about getting the discs out.
  • I like the Franz Ferdinand album, and the end of Lucid Dreams is a gloriously unexpected moment that should not be spoiled by anyone. The dub album is also an interesting bonus.
  • Spotify is awesome, even after they took down a lot of the indie-label material; nothing much in my field of interest, thankfully. Nice that they gave us an OS X version too.
  • I have a Mac laptop running Leopard and a desktop dual-booting Windows 7 beta and various Linux distros-of-the-month. Soon I will also have a media centre box running 7 MCE and XBMC/Windows, when the parts come in. My email is shared over IMAP, so all I need is for my documents directory to be the same between the two. Unison is somewhat broken for synchronising between the two and pretty much isn’t developed any more… so what I find is Windows Live Sync, which has both Windows and OS X versions and quietly syncs my machines’ documents directories on the fly. Transparently. For a Microsoft product, it really does do the job it’s intended to really quite well…
  • My software development day job is developing back-end software (Linux, C++) to get data from format A to format B in the cleanest and least visible way possible, but occasionally I do get the opportunity to develop front-end utilities. Which I write in Python for command-line stuff whenever I can, tcsh when it’s extremely simple, C++ when I can’t and C++/Qt for GUI stuff. I’ve seen enough bad GTK code (not just in our codebase) to know what I like, and Qt is it. Python is even more it, but a lot of our code needs every bit of CPU it can get so heavily threaded C++ it is…
  • And since I’ve just put forward my position on GTK/Qt: vi over emacs, Python over perl, tcsh over bash, Firefox over any other web browser, fluxbox over KDE/GNOME, and painful death over PHP.

More soon.

Avoiding DDOS: the PF way

I’ve run a FreeBSD server in my home for six years now. I love the capabilities home servers give you over your bog-standard wireless router – mine, for example, downloads all my POP3 email from various sources, runs it through a Bayesian-enhanced SpamAssassin and filters it through into various IMAP folders (on my boxes, usually Thunderbird or, on the laptop, But you’ve got to be very careful with this, and apart from a front-facing Postfix for email directed at my dynamic DNS domain I have had no regularly open ports. What if I want to access my email from work, for instance?

For this, I’d like to use SSH forwarding; putting the IMAP port through to a local port on the machine I’m using, with the actual data transferred securely over the Internet and where no-one can listen in, even if I’m on some crappy open wireless somewhere. SSH is configured to only accept public key authentication, and to refuse all password access – if you try connecting from a normal SSH client without a relevant key, you get dumped back to your command line with my snidely worded banner, and a “No password access” message. The only public key is in my possession and, of course, is passworded.

Despite this, having open SSH attracts scumbags like paparazzi to Amy Winehouse and the system I use for my firewall (a 733MHz Pentium-III with 256MB RAM) simply can’t cope with thousands of individual connections doing ineffectual dictionary attacks on usernames over Virgin’s 20Mbit connection; it locks up with a massive load average somewhere in the “c”’s. As an added bonus, this of course eats my “unlimited” download cap during that particular point of the day.

How, therefore, can I balance my security with my convenience? The answer is the same thing I use to do my NAT forwarding, the pf packet filtering firewall.

pf originated with OpenBSD, and was introduced into FreeBSD somewhere around 5.3: I switched from FreeBSD’s own ipfw2 when I upgraded from 4.x to 6.x. As a bonus, pf allows dynamic lists to be built up of IPs that trigger specific rules, allowing for dynamic blocking of SSH offenders.

After my initial “block in” rule in my pf.conf, I define a table:

block in

table <abusive_hosts> persist
block quick from <abusive_hosts>

This defines a list of abusive hosts, traffic from which is blocked without any further discussion (with pf, applicable rules lower down the list take precedence over rules further up unless ‘quick’ is provided, which cuts off further parsing.) You can manually add to this table like so:

pfctl -t abusive_hosts -Tadd <IP address>

Or, more interestingly, you can add to it programmatically. After my catch-all NAT rules, I make a rule to allow access to the local SSH port – with a catch.

pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global)

This allows up to ten simultaneous connections from a single source address, or up to six new connections from it within thirty seconds. flush kills the states of that source’s previously OK connections when it over-runs; global kills all connections from the IP, not just the ones matching this rule. And the overload clause causes every source that fails the rule to be pushed into the abusive_hosts table, meaning anything that’s bad and repeatedly connects to my SSH port ends up going straight to null.
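To make the overload arithmetic concrete, here is an added Python model of what those three options do to a source that keeps reconnecting. It is not pf’s own code and not from the original post: it assumes the limits from the rule above (10 open states, 6 new states per 30 seconds), uses constructed addresses from the documentation ranges, and approximates in user space what pf does per source-tracking node in the kernel, so treat it as an illustration of the semantics only.

```python
from collections import deque

# Parameters copied from the rule on the page:
#   max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global
MAX_SRC_CONN = 10
RATE_COUNT, RATE_SECONDS = 6, 30


class SourceTracker:
    """Toy model of pf's per-source tracking for one 'pass ... keep state' rule.

    Added illustration of the documented semantics, not pf's code.
    A source is overloaded when it holds more than MAX_SRC_CONN open states or
    creates more than RATE_COUNT new states inside any RATE_SECONDS window.
    'overload <abusive_hosts> flush global' then puts the source in the table and
    drops every state it holds; the 'block quick' rule refuses it from then on.
    """

    def __init__(self):
        self.open_states = {}       # src -> set of open connection ids
        self.recent = {}            # src -> deque of state-creation times (seconds)
        self.abusive_hosts = set()  # stands in for the <abusive_hosts> table

    def connect(self, src, conn_id, now):
        """True if the new connection gets a state, False if it is dropped."""
        if src in self.abusive_hosts:
            return False            # 'block quick from <abusive_hosts>' ends evaluation
        states = self.open_states.setdefault(src, set())
        window = self.recent.setdefault(src, deque())
        states.add(conn_id)
        window.append(now)
        while window and now - window[0] >= RATE_SECONDS:
            window.popleft()        # forget creations outside the sliding window
        if len(states) > MAX_SRC_CONN or len(window) > RATE_COUNT:
            self.overload(src)
            return False
        return True

    def close(self, src, conn_id):
        """A connection finished normally; its state goes away."""
        self.open_states.get(src, set()).discard(conn_id)

    def overload(self, src):
        self.abusive_hosts.add(src)
        self.open_states.pop(src, None)   # flush global: every state from src is killed
        self.recent.pop(src, None)


def demo():
    """Constructed scenario: a dictionary attacker versus an ordinary user."""
    t = SourceTracker()
    # attacker opens a fresh connection every two seconds (documentation address)
    attacker = [t.connect("203.0.113.7", i, i * 2) for i in range(8)]
    # legitimate user: one session now, another ten minutes later
    user = [t.connect("198.51.100.5", 100, 0), t.connect("198.51.100.5", 101, 600)]
    return attacker, user, sorted(t.abusive_hosts)


if __name__ == "__main__":
    # prints ([True, True, True, True, True, True, False, False], [True, True], ['203.0.113.7'])
    print(demo())
```

The seventh attempt inside the window trips the rate limit, that source goes into the table, and the eighth attempt never reaches the pass rule at all; the ordinary user, whose two sessions are ten minutes apart, never comes near either limit.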

And this works, too. Using the pfctl command, you can view the contents of the table. I’ll pass it first through awk to remove the spacing, which helps with xargs for further piping, and then through “wc -l” to get the line count:

orpheus# pfctl -t abusive_hosts -Tshow | awk '{print $1}' | wc -l

Removing ‘| wc -l’ gets you a list of IPs, and putting ‘xargs -n 1 host’ there instead gets you a list of the hostnames associated with each of the IPs which can give you an interesting picture: at least a couple of them right now are IPs on American cable modems who are almost certainly compromised home users.

That’s twenty-two abusive hosts who’ve met my SSH blackhole since I last rebooted my machine, who would otherwise have been a problem: pfctl -sr -v (which is sent to you in your nightly root emails) tells me that right now I’ve blocked 5.3MB of unwanted traffic from these hosts since I last rebooted 18 days ago, and I’m sure I’d have got much more if they hadn’t started getting nothing but silence from my machines since the point of blocking.
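As an added example (not from the post), a short Python script that parses output in the shape of the two pfctl commands used above, so the nightly numbers can be pulled out without counting by eye. The sample output is constructed here: the counters and documentation-range addresses are made up, and the counter layout is the one pfctl -sr -v prints on FreeBSD; if your version lays the counters out differently, adjust STATS_RE.

```python
import re

# Constructed sample in the shape of 'pfctl -t abusive_hosts -Tshow'
# (documentation-range addresses, not real offenders)
TABLE_OUTPUT = """\
   192.0.2.44
   198.51.100.23
   203.0.113.7
"""

# Constructed sample in the shape of 'pfctl -sr -v'; every counter is made up
RULE_OUTPUT = """\
block drop in all
  [ Evaluations: 482013    Packets: 9313      Bytes: 612040      States: 0     ]
  [ Inserted: uid 0 pid 611 State Creations: 0     ]
block drop quick from <abusive_hosts> to any
  [ Evaluations: 481990    Packets: 61287     Bytes: 5557312     States: 0     ]
  [ Inserted: uid 0 pid 611 State Creations: 0     ]
pass in on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global)
  [ Evaluations: 1203      Packets: 45210     Bytes: 4419876     States: 1     ]
  [ Inserted: uid 0 pid 611 State Creations: 38    ]
"""

# One bracketed counter line per rule; the 'Inserted' line is deliberately ignored
STATS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_table(text):
    """Addresses from 'pfctl -t <table> -Tshow': one per line, indented, nothing else."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_rule_stats(text):
    """Map each rule line of 'pfctl -sr -v' to its evaluation/packet/byte/state counters."""
    stats, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = line.strip()          # unindented lines are the rules themselves
            continue
        m = STATS_RE.search(line)
        if m and current is not None:
            stats[current] = dict(
                zip(("evaluations", "packets", "bytes", "states"), map(int, m.groups()))
            )
    return stats


def blocked_summary(table_text, rules_text, table="abusive_hosts"):
    """(number of table entries, bytes dropped by the block rule that references the table)."""
    hosts = parse_table(table_text)
    dropped = sum(
        s["bytes"]
        for rule, s in parse_rule_stats(rules_text).items()
        if rule.startswith("block") and f"<{table}>" in rule
    )
    return len(hosts), dropped


if __name__ == "__main__":
    n, b = blocked_summary(TABLE_OUTPUT, RULE_OUTPUT)
    print(f"{n} hosts in <abusive_hosts>, {b / 1e6:.1f} MB dropped since boot")
```

On the server itself, feed it real output by piping `pfctl -t abusive_hosts -Tshow` and `pfctl -sr -v` into the two functions (or via subprocess); reading saved output does not need root, so the parsing can run on whatever box collects the nightly mail.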

I’ve found this immeasurably useful for increasing my box’s uptime and overall reliability, which helps prove that a PIII type machine is still good enough for quite a lot of things. And if you click the link to read further, I’ve posted my complete (and only slightly altered) pf.conf for anyone’s interest.


First Google Chrome impressions

It’s BSD licensed. It seems to be fairly fast. It imported my current Firefox 3.0 profile without a hitch. The tabs support middle-click close and are very fast to do so. It even fits into Vista’s Glass style properly, which the screenshots previously shown didn’t make obvious:

Google Chrome on Vista with tabs open

In fact, I’ve already run into an annoying issue with it – if you delete all the text from the WordPress text field, it deselects the field – but it’s not exactly lethal.

Chrome’s multiprocessing isn’t a joke either. Right now, I have seven tabs open – with nine processes showing in Task Manager. Close one and it goes down to eight. Total memory usage appears to be about 150% that of Firefox, but process size appears to depend on how complex the page is – a new Firefox 3.0 on my desktop machine with the same tabs open as Chrome uses 63MB while Chrome uses a total of 98MB, with some of the page process sizes being as low as 1MB and the biggest appearing to be the main application (36MB). HQ Youtube videos play absolutely fine in the background. It doesn’t experience the same slowdown as Firefox when opening multiple pages at the same time either and trying to work with another. It’s a very competent beta.

It even has a rather nice object inspection window that reminds me of Firebug:

The inspector in Google Chrome - looking at my WordPress page.

This includes a time/size graphing facility too, and you can edit those CSS properties in-line. They have been thorough.

Remember when Safari came out for the Mac and was a step ahead of almost everything else? Chrome is like that for Windows and it’ll be like that for any platform it comes out on. It’s quick, slim-looking and uses animation sparingly and well. It’s obviously had a whole lot of thought put into it and, being open source, it should hopefully have so much more.

(Poking around in its install directory – incredibly, it installs direct to your local profile on Vista, which is probably a violation of something – reveals a “Themes” directory with a single .dll in it, a “Resources” directory with the JavaScript-based inspector in it, Google Gears as a .dll plugin and an updater. No doubt there’s more goodies deep in there.)

But in short, what it needs is Adblock Plus (or equivalent) and a Mac version for my laptop and it’ll be my main browser. Come on, Google, do your best.

Get it while you can

Maplin are offering an unusually good cheap soundcard right now: £19.99 gets you what is effectively the Chaintech AV-710 in a white box with a two-page manual and an old copy of PowerDVD. I’ve just got one from my local branch in Edinburgh (code A46CC); there’s still a few on the shelf.

This is properly 24/96 capable, has a high quality Wolfson DAC on the rear surround out, and has absolutely no Creative Labs circuitry on board (hence, it works fine on Vista.) And since there’s no clicking noise on my headphones whenever I do anything with my hard drives, it’s already some way superior to the Realtek onboard AC-97 and worth every penny. If you, like me, have no need for EAX et al but want quality music out, get one while Maplin are still doing them.

Here’s a useful setup guide.

Rock Band pricing takes ripoff Britain to a new dimension

Rock Band is going to cost £179. £179. It’s $169 in the States for an identical package, that is to say £85. No way that VAT can explain this one.

I was actually considering buying an Xbox 360 and Rock Band was one of the main reasons. Paying £100 to Electronic Arts’ special party fund means that that pretty big reason has now been taken away. They won’t have a good explanation for this either, I’m betting…

When asked why the game will be so much more expensive in the UK than it is in the US, Kay cited VAT and the higher price of consumer electronics generally. “These are definitely not excuses so much as contributing reasons,” he stated.

“I can’t talk to the explicit pricing – how it gets split down between retailers and distributors and the whole chain – because I don’t actually know that much about it.”

In other words, no.

A warning

PHP’s date generation function is mktime(second,minute,hour,month,day,year). AAARGH. If you’re going to put a date function in a language mostly designed for doing web database work, at least do it using ISO style year-month-day-hour-minute-second increasing significance dates; say, in the same style as MySQL. The mktime function as it is now is hideously counter-intuitive for anyone who isn’t American. Worse, the format to convert dates from strings strtotime isn’t configurable and is fixed as m/d/y except where the first parameter is above 13, so I had to write a parser to convert strings from British d/m/y and put them in the mktime function manually.

Still, I’ve got to use it so might as well deal with it.
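The d/m/y conversion described above, as an added Python example rather than the author’s PHP parser: a strict parser that accepts only British day/month/year and rejects impossible dates, next to a toy reproduction of the “month first unless the first field cannot be a month” heuristic the post complains about, so the inputs that get silently reassigned to a different day are visible. The function names are mine and the sample dates are constructed.

```python
import re
from datetime import date

# Strictly two-slash numeric dates with a four-digit year; anything else is refused
DATE_RE = re.compile(r"^\s*(\d{1,2})/(\d{1,2})/(\d{4})\s*$")


def parse_dmy(text):
    """Strict British d/m/y -> date. Raises ValueError for any other shape,
    and date() itself rejects impossible combinations such as 31/02/2008."""
    m = DATE_RE.match(text)
    if not m:
        raise ValueError(f"not a d/m/y date: {text!r}")
    day, month, year = map(int, m.groups())
    return date(year, month, day)


def is_valid_dmy(text):
    """True when parse_dmy accepts the string."""
    try:
        parse_dmy(text)
        return True
    except ValueError:
        return False


def heuristic_parse(text):
    """Toy reproduction of the behaviour the post describes: month-first unless
    the first field is too large to be a month. Here only to show the ambiguity."""
    m = DATE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    first, second, year = map(int, m.groups())
    if first > 12:
        return date(year, second, first)   # read as d/m/y
    return date(year, first, second)       # read as m/d/y


def silently_misread(text):
    """True if the heuristic accepts the string but lands on a different day
    than the British reading; None if either parser rejects it."""
    try:
        return heuristic_parse(text) != parse_dmy(text)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("03/04/2008", "25/12/2008", "31/02/2008"):  # constructed inputs
        print(sample, is_valid_dmy(sample), silently_misread(sample))
```

The point of the comparison is that a heuristic only notices the ambiguity for days above twelve; for the first twelve days of every month it accepts the input and quietly returns the wrong day, whereas committing to one explicit format turns the same input into either the intended date or an error.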
