Here’s what I’m watching, listening to, reading etc. at the moment, in an article which I plan on posting at least once every few weeks:

  • Health’s “Death Magic” is still brilliant after however many listens: a massive improvement over much of the rest of their career (as they have discovered tunes). Recommended.
  • Tangentially related: Alice Glass has released a solo single called “Stillbirth”, produced with the aid of Health’s Jupiter Keyes. It’s industrial, angry, wrenching, emotionally draining and yet compulsively listenable – a real shout along. It bodes well for more, especially when compared with the unmemorable post-Glass Crystal Castles material.
  • The John Grant single, “Disappointing”, isn’t. Has a lovely duet with Tracey Thorn too.
  • Looking forward to the New Order album, and the ability to still frame Fury Road. (Article about Fury Road is coming up, along with one contrasting the Nolan Batman films with the Arkham games.)
  • I have Netflix at the moment, and by far the best original show I’ve seen so far is Bojack Horseman. A brilliant study of celebrity ennui, as handled by anthropomorphic animals. Fans of Venture Bros and Archer should look in. (Also, the Comic Sans-O-Matic tie in web site is nothing short of genius.)
  • The Great British Bake Off. Because. Plus University Challenge and Only Connect.

Let’s start again

I started The Hard Sell as a way of trying to write more often, and it was a success for a while. Like so many other things, it fell away when I went into full time employment; but also out of ennui at my own and at the general British political situation.

I have kept up tweeting, mostly, but Twitter isn’t really conducive to long form discussion. And I feel that’s been hurting the writing that I do in my spare time.

This blog has been defunct for a surprisingly long time. I feel that it’s probably time to bring it back, but with some differences: mainly, the new version of the blog has a distinct purpose. I intend to post media reviews, discussion of things that I find interesting, pieces about writing, and probably some more of what worked best on the old blog.

I want to have a way I can get used to writing again, and I feel that this may well be it.

The revamped blog is called Flickering Frame. A restyle focused around the new name will be forthcoming; I will not be removing or editing any old articles, but the new ethos should be happening from now on. I intend to post at least once per week and should post more often. It’s time to start again, and see what may happen – and I hope that those who read me will find it worthwhile.

Let’s start again, and do it right.

Reading the bills, because no-one else does

The Alcohol Bill appears to be being discussed by the Scottish media simply in terms of minimum pricing, which is exactly what the Government wants you to do. That there is other stuff in the bill that people might find objectionable (or not, of course) is simply not being mentioned anywhere other than in the last paragraph of every fifth BBC News Online article.

The good thing about the Scottish Parliament is that all new bills are uploaded online as PDFs (the bad thing is that the website is very poorly designed), so you can read it for yourself, with a full explanation also available. For those who don’t really want to because it’s written in jargon, here’s a summary interspersed with occasional ranting:

  • Minimum pricing for alcohol

The minimum price-per-unit is specified by ministers, and is calculated as a measure of (minimum price*(ABV percentage/100)*volume in litres*100). The explanatory document specifies that the minimum price could be 40p/unit, but of course it doesn’t have to be. Nevertheless, this won’t affect spirits or pub prices very much; taking a bottle of 12-year-old Highland Park, this works out as 0.4*0.42*0.7*100 = £11.76. Highland Park usually sells for ~£20 in supermarkets.

The killer is that a multipack price must be at least (n items*minimum price), which means no more BOGOF/3-for-2 wine offers as well. So for a 12-pack of 440ml 5% Stella Artois, this would be (0.4*0.05*0.44*100)*12=(0.88)*12=£10.56, which is a bit more than this usually sells for.

What the bill does is make multipacks, for the most part, uneconomical. I find this somewhat annoying because I buy a large pack of beer, put a few cans in the fridge at a time and tend to drink even a 12-pack over a couple of months – it harms reasonable drinkers more than it harms those who are abusing it – but it’s not lethal.

  • Explicitly banning BOGOF/3 for 2 in off-sales

Just in case you didn’t notice the bit above.

  • Banning alcohol advertising outside designated areas

Almost certainly means that off-licenses will have to cover their windows (just after we finally admitted it didn’t help for bookies) and means that supermarkets won’t be able to promote in windows. The current alcohol laws mean that all alcohol offers must be in the designated area anyway, so all this’ll do is mean that offers can’t be promoted outside Row X. This doesn’t apply to non-alcoholic beer-branded merchandise, so supermarkets can sell you a Guinness glass in the glassware area. How thoughtful.

  • Requirement for age verification

Scottish licensees already do far too much age verification as it is; I was refused alcohol at an open-air Radiohead gig in Glasgow because I didn’t have any ID they found acceptable (despite being 23 at the time).

As I don’t drive and don’t carry my passport around with me, this is a perennial problem; I do carry quite a lot of identification, but no-one cares about my photo bus pass, credit cards (over 18 only, verified by your bank) or so on; it’s just passport, driving license, the national ID card that isn’t going to happen or the Portman Group give-us-your-personal-details blackmail card. The bill requires Challenge 21. As it’s already a crime to sell to someone under 18, quite harshly punishable, there is absolutely no need for this.

  • Allows ministers to add to and remove from the law at will

So they don’t have to shove any changes through the Parliament again. This is by far the sneakiest segment of the bill, a very New Labour-style measure from the SNP. This will allow them to bring back the over-21s stupidity again…

  • Licensing boards can ban under-21s in their own area

…oh. Apparently this involves a “detrimental impact statement”, but section 9 gives them the power to do it unilaterally.

A thoroughly infantilising measure. Most of the worst thugs I’ve seen in pubs are Begbie types who are far older than 21, although that is of course a personal opinion rather than purest fact. Students can be annoying, but generally not too vicious; and in any case, a good proportion will be over 21 anyway. And how are you going to tell the difference between 21 and 18? It’s harder than 18/non-18.

See Challenge 21 for details. Grr.

  • “Social responsibility levy”

Licensing-board imposed fines for “bad” publicans, which could just be being in a “bad” area, or the Western Isles. A fine piece of spin from the Alistair Campbell Big Book Of Machiavellian Delights.

So there you go. Surprisingly, there isn’t a big Q&A article on the BBC News website with this information in it linked off every article about the Bill, without the ranting, as there is with most controversial Westminster issues. There’s certainly no excuse for the Herald or Scotsman, past the fact that Johnston Press don’t care about anything other than cash (most certainly not their website). I guess that’s the Scottish media for you: media by press release, complacent and incompetent all.

A dilemma.

Am I wrong for wanting to see Star Trek as soon as possible? The trailers and the interviews have been encouraging, the new Enterprise is plain cool, I like the idea of Simon Pegg as Scotty and Sylar as Spock and then I think about it and realise that, from the information I know…

  • It’s time travel, again
  • The gimmick this time is that it’s destroying the entire Star Trek universe as we know it, except for Enterprise. I repeat: Enterprise is apparently valid continuity for the new Trek movie. If you’re going to retcon out a series, why couldn’t it be that one?
  • And this means it retcons Picard out of the universe as well.
  • And DS9 too, and even the first few series of Voyager.
  • It’s written by the people who ruined Transformers (excepting Michael Bay).
  • It’s at least partially a variant on the age-old ‘Starfleet Academy’ idea, which was repeatedly rejected during the Berman era as a lame idea.
  • And how can the tech difference…

…and so on, goes the reasoning side of my mind. But the geek side just goes “new Star Trek, cool spaceship, MUST SEE.” It feels wrong, somehow, but I’ll still go – eager in the hope it won’t suck as much as it sounds. And when I find out, I’ll get back to you…

Fitter, happier, more productive

Things I’ve enjoyed, or found interesting, recently:

  • The Wrestler is really, really good. Possibly more truth in it than in almost all documentaries about the actual wrestling scene, although Jon Ronson had a good go in his Guardian piece about the aftermath of Chris Benoit’s killing spree. Really a must see.
  • The Springsteen album (featuring the excellent and appropriate credits song from the above as a bonus track) is also pretty enjoyable. Excellent graphics for the DVD version, too; shame about getting the discs out.
  • I like the Franz Ferdinand album, and the end of Lucid Dreams is a gloriously unexpected moment that should not be spoiled by anyone. The dub album is also an interesting bonus.
  • Spotify is awesome, even after they took down a lot of the indie-label material; nothing much in my field of interest, thankfully. Nice that they gave us an OS X version too.
  • I have a Mac laptop running Leopard and a desktop dual-booting Windows 7 beta and various Linux distros-of-the-month. Soon I will also have a media centre box running 7 MCE and XBMC/Windows, when the parts come in. My email is shared over IMAP, so all I need is for my documents directory to be the same between the two. Unison is somewhat broken for synchronising between the two and pretty much isn’t developed any more… so what I find is Windows Live Sync, which has both Windows and OS X versions and quietly syncs my machines’ documents directories on the fly. Transparently. For a Microsoft product, it really does do the job it’s intended to really quite well…
  • My software development day job is developing back-end software (Linux, C++) to get data from format A to format B in the cleanest and least visible way possible, but occasionally I do get the opportunity to develop front-end utilities. Which I write in Python for command-line stuff whenever I can, tcsh when it’s extremely simple, C++ when I can’t and C++/Qt for GUI stuff. I’ve seen enough bad GTK code (not just in our codebase) to know what I like, and Qt is it. Python is even more it, but a lot of our code needs every bit of CPU it can get so heavily threaded C++ it is…
  • And since I’ve just put forward my position on GTK/Qt: vi over emacs, Python over perl, tcsh over bash, Firefox over any other web browser, fluxbox over KDE/GNOME, and painful death over PHP.

More soon.

Buttery my a…

So I’ve just flicked across onto MTV R and, as usual for an MTV channel, it’s running adverts. The one that got my attention was an ad for the spreadable margarine Flora Buttery fronted by Gary Rhodes, who must really need the money – at least Jamie Oliver and that berk doing the Aldi ads are fronting for decentish food products, not hydrogenated vegetable fats.

The main trick it does is the good old Pepsi Challenge format – Flora Buttery versus Lurpak Lighter Spreadable (not named in the voiceover but printed in an ultra-light Helvetica along the bottom) on crumpets. Lurpak Lighter Spreadable is, of course, the tasteless version. The ad then tries to make it look like most people preferred Flora Buttery in their taste test.

However, the best bit of the ad is where along the bottom of the screen (this must be an Ofcom mandate or something) it prints the true results:

Out of 200 people tested. 48% preferred Flora Buttery Taste, 45% Lurpak Lighter Spreadable, 7% had no preferences.

In other words, 96 people liked Flora Buttery better than Lurpak, but 90 people liked Lurpak better than Flora Buttery while 14 people couldn’t give a damn. Not only is the difference within the margin of error but it shows that in their own taste test, a very large number of people preferred the other brand anyway, and more people either did that or didn’t care than gave some preference, no matter how small, for Flora’s own product.

I believe the phrase is ‘epic fail’.

Avoiding DDOS: the PF way

I’ve run a FreeBSD server in my home for six years now. I love the capabilities home servers give you over your bog-standard wireless router – mine, for example, downloads all my POP3 email from various sources, runs it through a Bayesian-enhanced SpamAssassin and filters it through into various IMAP folders (on my boxes, usually Thunderbird or, on the laptop, But you’ve got to be very careful with this, and apart from a front-facing Postfix for email directed at my dynamic DNS domain I have had no regularly open ports. What if I want to access my email from work, for instance?

For this, I’d like to use SSH forwarding; putting the IMAP port through to a local port on the machine I’m using, with the actual data transferred securely over the Internet and where no-one can listen in, even if I’m on some crappy open wireless somewhere. SSH is configured to only accept public key authentication, and to refuse all password access – if you try connecting from a normal SSH client without a relevant key, you get dumped back to your command line with my snidely worded banner, and a “No password access” message. The only public key is in my possession and, of course, is passworded.

Despite this, having open SSH attracts scumbags like paparazzi to Amy Winehouse and the system I use for my firewall (a 733MHz Pentium-III with 256MB RAM) simply can’t cope with thousands of individual connections doing ineffectual dictionary attacks on usernames over Virgin’s 20Mbit connection; it locks up with a massive load average somewhere in the “c”‘s. As an added bonus, this of course eats my “unlimited” download cap during that particular point of the day.

How, therefore, can I balance my security with my convenience? The answer is the same thing I use to do my NAT forwarding, the pf packet filtering firewall.

pf originated with OpenBSD, and was introduced into FreeBSD somewhere around 5.3: I switched from FreeBSD’s own ipfw2 when I upgraded from 4.x to 6.x. As a bonus, pf allows dynamic lists to be built up of IPs that trigger specific rules, allowing for dynamic blocking of SSH offenders.

After my initial “block in” rule in my pf.conf, I define a table:

block in

table <abusive_hosts> persist
block quick from <abusive_hosts>

This defines a list of abusive hosts, traffic from which is blocked without any further discussion (with pf, applicable rules lower down the list take precedence over rules further up unless ‘quick’ is provided, which cuts off further parsing). You can manually add to this table like so:

pfctl -t abusive_hosts -Tadd <IP address>

Or, more interestingly, you can add to it programmatically. After my catch-all NAT rules, I make a rule to allow access to the local SSH port – with a catch.

pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global)

This allows a single source address up to ten simultaneous connections to the SSH port, and no more than six new connections in any thirty-second window. When a source breaks either limit, the overload clause pushes it into the abusive_hosts table; flush kills the states this rule created for that source (its previously OK connections included), and global widens that to every state the source holds, whichever rule created it. So anything that’s bad and repeatedly connects to my SSH port ends up going straight to null.

And this works, too. Using the pfctl command, you can view the contents of the table. I pass it first through awk to strip the leading spacing (which also makes it clean to hand to xargs for further piping), and then through “wc -l” to get the line count:

orpheus# pfctl -t abusive_hosts -Tshow | awk '{print $1}' | wc -l

Removing ‘| wc -l’ gets you a list of IPs, and putting ‘xargs -n 1 host’ there instead gets you a list of the hostnames associated with each of the IPs which can give you an interesting picture: at least a couple of them right now are IPs on American cable modems who are almost certainly compromised home users.

That’s twenty-two abusive hosts who’ve met my SSH blackhole since I last rebooted my machine, who would otherwise have been a problem: pfctl -sr -v (which is sent to you in your nightly root emails) tells me that right now I’ve blocked 5.3MB of unwanted traffic from these hosts since I last rebooted 18 days ago, and I’m sure I’d have got much more if they hadn’t started getting nothing but silence from my machines since the point of blocking.

I’ve found this immeasurably useful for increasing my box’s uptime and overall reliability, which helps prove that a PIII type machine is still good enough for quite a lot of things. And if you click the link to read further, I’ve posted my complete (and only slightly altered) pf.conf for anyone’s interest.
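As an added example (not the post’s own pf.conf, nor anything from the pf project), here is the same overload rule combined with a whitelist table, plus a small sh helper for inspecting a saved copy of the table. The interface name fxp0, the 203.0.113.0/24 “trusted” network and the sample -Tshow dump are all constructed for the example. The point of the whitelist is ordering: a known-good source (the office you forward IMAP from, say) is passed with quick before the rate-limited rule is ever evaluated, so a burst of reconnects from it can never land it in abusive_hosts and, thanks to flush global, tear down its IMAP tunnel as well.

```shell
#!/bin/sh
# Added example, not the post's pf.conf. Assumptions: fxp0 is the external
# interface, and 203.0.113.0/24 is a constructed "trusted" network.

# pf.conf fragment. The <trusted> pass rule is 'quick' and sits *above* the
# rate-limited rule, so trusted sources are never counted by max-src-conn /
# max-src-conn-rate and cannot be overloaded into <abusive_hosts>.
PF_CONF='
ext_if = "fxp0"
table <trusted> { 203.0.113.0/24 }
table <abusive_hosts> persist

block in
block quick from <abusive_hosts>

pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
        flags S/SA keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 6/30, overload <abusive_hosts> flush global)
'

# Constructed stand-in for the output of `pfctl -t abusive_hosts -Tshow`:
# pfctl indents every address with three spaces, which is why the post pipes
# it through awk before xargs.
SAMPLE_TSHOW='   192.0.2.10
   198.51.100.7
   192.0.2.44
   203.0.113.99'

# Normalise a -Tshow dump to one bare address per line, sorted.
blocked_ips() {
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort
}

# Number of addresses in the dump (the post's awk | wc -l pipeline).
count_blocked() {
    blocked_ips "$1" | wc -l | tr -d ' '
}

# Exit 0 if ADDRESS is in the dump. Run this against the live table before
# blaming the network when a trusted location suddenly cannot reach ssh.
# Usage: is_blocked ADDRESS DUMP
is_blocked() {
    blocked_ips "$2" | grep -qx "$1"
}

# Reverse-resolve each blocked address (the post's `xargs -n 1 host` step).
# Interactive use only: it needs DNS.
resolve_blocked() {
    blocked_ips "$1" | xargs -n 1 host
}

# Stand-alone run: summarise the constructed sample.
echo "$PF_CONF" >/dev/null
echo "blocked addresses in sample: $(count_blocked "$SAMPLE_TSHOW")"
```

On the live box, feed the helpers with `pfctl -t abusive_hosts -Tshow` output instead of the sample; the same dump can also be aged out with `pfctl -t abusive_hosts -T expire <seconds>` so that a compromised home user who has since been cleaned up is not blackholed for ever.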


I can apparently add polls now!

Hmm. didn’t tell me about this one. And it doesn’t do transparency properly. But, oh well, it could be a bit of fun…
