January 2007 Archives

welcome to 2007, everybody

party people

And thanks to those of you that stopped by last night. I'm going to go ahead and call the whole thing a big success. We suspect that our bathroom may have been host to both drug use and, uh, romance. If that's not the mark of a good party, I don't know what is.

I've spent today hungover & whining, but things are looking up — it may almost be time to venture out and get some food. While I steel myself for that, here are the non-terrible photos that I found on my camera this morning. I'm particularly fond of this shot of Michael and Emily, and this one of Spencer, who receives Party MVP status for his superlative karaoke performance (narrowly edging out Kriston, who ably assumed the mantle of DJ-dom when called to duty).

OH YEAH: There was also some knife fighting. Like I said, it was a good party.

crack: rocks

One nice thing about last week's vacation from the plugged-in lifestyle was that there was a bunch of interesting tech news waiting for me upon my return. The most exciting bits:

  • An open-source FLV transcoder. This may be old news — it was posted to the echoditto del.icio.us feed a little while ago. But it's still pretty exciting to me. Using it, an enterprising geek could grab content from YouTube (or any other Flash video source) and programmatically remix it however they want. Creating an automatic video montage based on a particular tag might be a fun project.
  • The Xbox 360 may have been cracked. There have already been exploits related to the DVD drive's firmware that allowed burned DVD-Rs to be played, but that only facilitated piracy. Running alternate operating systems or homebrew games remained impossible. But now someone is claiming to have accomplished this feat.

    The presumed route of ingress? The shaders on a particular game. Shaders are small executable subprograms that are run extremely quickly by graphics hardware — they're not part of the game's main executable. Instead, they're responsible for things like drawing the surface of water, or making hair look more realistic. They also may be less protected on the 360 than the main executable — a demo disc that was distributed to stores over the internet contained shaders that weren't cryptographically protected and that could be modified and reburned to the disc. Once hackers realized this, the search was on to find exploits that let software authors get at the main system memory and proceed to bend the system to their will.

    Now someone has shown some sample video at a conference implying that they've succeeded (although the equipment they used implied that there may be a hardware aspect to the crack as well). Is this a real exploit or just a hoax? It's hard to say — when the route of attack is through a graphics-related subsystem, changing what's on the screen doesn't necessarily indicate that you've fully compromised the system in a useful way. But this is all pretty encouraging.
  • Most interestingly, AACS may have been cracked, too. It's a little early to know for sure, but it looks like the copy protection on the new HD-DVD format may have suffered its first setback. A user calling himself muslix64 claims to have found a way to get the title keys for discs by extracting them from the PowerDVD software.

    Lots of folks are running around forums saying that this isn't a crack — and it's true, muslix64 didn't find a way to beat the AES encryption. But that's just semantics; if his claims are accurate, he's found a way to get the keys to it, which is the same thing that happened to the thoroughly-broken Content Scrambling System of the DVD format (flaws related to its implementation of the cryptography system were also found later, but only added insult to injury — the damage was done).

    AACS is better-designed than CSS, though, in that it allows for key revocation. Here's my understanding of how it works, in a nutshell: each disc's data content is encrypted with a title key that's unique to that disc. Along with the data, the title key is present on the disc — but it's also encrypted. Because it's short, a bunch of different copies of this encrypted title key can be placed on the disc, each encrypted with a different player key. If your company wants to manufacture an HD-DVD player (hardware or software), you must apply for and receive a player key from the HD-DVD format's governing body. Your player will use this key to get at the title key, which is in turn used to unlock the content on the disc. It's sort of like those little boxes that realtors keep on the doorknobs of houses that are for sale: if you want to look at the house, you enter a combination and get its key out. Each realtor could get a unique combination, but each property only needs one key. I may be drastically wrong about this analogy — I don't know that much about how realtors operate. But this is how HD-DVD does it.

    The advantage of this system is that if one player is compromised, the format's protection isn't totally boned. Instead, the HD-DVD consortium identifies the player and stops putting the version of the title key encrypted with that player's key on all discs that are pressed in the future. So if a player is compromised, every disc created prior to that date can be cracked, but all the ones produced in the future won't be. And the player manufacturer will have to get a new key (assuming the HD-DVD consortium is willing to give them another one).

    Another thing to realize: you own your computer's RAM, and with the right software you can get at any of its contents. So when you run a program that plays an HD-DVD successfully, it means that somewhere in your system is that player's key, and, during the program's run, the disc's unencrypted title key. There are various ways of obscuring these keys and getting them out of memory as quickly as possible, but with enough monkeys and typewriters (that is, nerds and debuggers), you'll eventually find it.

    That seems to be what's happened. With the DVD format it was Xing's player that leaked its key — and under the DVD protection scheme there was no way to revoke the key. With HD-DVD it appears to be the PowerDVD program that's been compromised, and its key can and probably will be revoked. So this crack probably won't work with discs released in the future.

    But it's also likely that more software players will have their keys stolen. The only way to avoid that is to stop issuing keys to software players, or to force everyone to use a trusted computing hardware platform, which would prevent users from indiscriminately accessing their systems' memory (this is why geeks hate & fear the idea of a TC initiative).

    The real fun will happen when a hardware player's key is leaked and revoked (it's considerably harder to get at hardware keys, but with the right equipment and expertise it can usually be done). Everyone who's bought the player in question will be left with a box that can't play any new movies. Odds are that consumers won't be very pleased with this development. If I had to put money on a single event decisively turning the public against DRM, I'd put it on this.
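A toy model of the key hierarchy and revocation described above. This is an added example, not the AACS specification, a licensing body's process, or any player's code: real AACS uses AES and a tree of device keys, while this stand-in wraps keys with an HMAC-based construction so it runs on the standard library alone, and the player names and sample content are constructed.

```python
"""Toy AACS-style key hierarchy: one title key per disc, wrapped once per
player key; revocation = stop pressing the revoked player's slot."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for AES, not real AACS)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the payload, or None when `key` did not wrap this blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Disc:
    encrypted_content: bytes
    # player_id -> the disc's title key wrapped under that player's key
    # (the "lockboxes" in the realtor analogy above)
    title_key_slots: dict = field(default_factory=dict)


class LicensingAuthority:
    """Stands in for the body that issues player keys and presses discs."""

    def __init__(self):
        self.player_keys = {}
        self.revoked = set()

    def issue_player_key(self, player_id: str) -> bytes:
        key = os.urandom(32)
        self.player_keys[player_id] = key
        return key

    def revoke(self, player_id: str) -> None:
        self.revoked.add(player_id)

    def press_disc(self, content: bytes) -> Disc:
        title_key = os.urandom(32)  # unique to this disc
        slots = {pid: wrap(pkey, title_key)
                 for pid, pkey in self.player_keys.items()
                 if pid not in self.revoked}  # revoked players get no slot
        return Disc(wrap(title_key, content), slots)


class Player:
    def __init__(self, player_id: str, player_key: bytes):
        self.player_id = player_id
        self.player_key = player_key

    def play(self, disc: Disc):
        """Decrypted content, or None if this player cannot open the disc."""
        slot = disc.title_key_slots.get(self.player_id)
        if slot is None:
            return None  # no slot pressed for us: revoked before this pressing
        title_key = unwrap(self.player_key, slot)
        if title_key is None:
            return None  # our key does not match the slot
        return unwrap(title_key, disc.encrypted_content)


CONTENT = b"constructed sample: the movie's frames would go here"


def run_scenario() -> dict:
    """Walk through the revocation story: leak, revoke, press a new disc."""
    la = LicensingAuthority()
    hw = Player("hardware-player", la.issue_player_key("hardware-player"))
    sw = Player("software-player", la.issue_player_key("software-player"))
    old_disc = la.press_disc(CONTENT)
    results = {"old_disc_on_hw": hw.play(old_disc), "old_disc_on_sw": sw.play(old_disc)}
    la.revoke("software-player")  # its key was pulled out of memory and leaked
    new_disc = la.press_disc(CONTENT)
    results["new_disc_on_hw"] = hw.play(new_disc)
    results["new_disc_on_sw"] = sw.play(new_disc)  # None: slot no longer pressed
    # Discs pressed before the revocation still carry the slot, so the leaked
    # key keeps opening them: revocation only protects future pressings.
    results["old_disc_on_sw_after_revocation"] = sw.play(old_disc)
    # A guessed key fails authentication instead of yielding garbage.
    results["old_disc_wrong_key"] = Player("software-player", os.urandom(32)).play(old_disc)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {'plays' if value == CONTENT else 'refused'}")
```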

I guess the music was kind of loud

2006: ended badly.

2007: off to a bad start.

electrical pedantry

I'm sorry, but this is pretty stupid. BoingBoing and Gizmodo think that you can harvest cheap AAA batteries from 9V batteries (the kind with the snaps on top). If you crack open a 9V you'll find six 1.5V cylinders inside, and the 9V battery sells for a much lower price than six AAAs do at retail.

Here are some battery capacities. Let's use the Energizer Industrial Alkaline brand. Their 9Vs have a capacity of 625 milliamp-hours. Their AAAs have a capacity of 1250 milliamp-hours. Watt-hours = volts x amp-hours....

(1.25 amp-hours) x (1.5 volts) x (6 AAA batteries) = 11.25 watt-hours in 6 AAA batteries

(0.625 amp-hours) x (9 volts) x (1 9V battery) = 5.625 watt-hours in one 9V battery

Obviously a 9V and six AAAs aren't actually interchangeable. You can take apart a 9V and get six cylinders with the same voltage as AAA batteries, but nowhere near the same capacity.

A little more arithmetic and you realize that you're getting 6.211 watt-hours per dollar from the AAAs, and 4.199 watt-hours per dollar from the 9V batteries (based on the bulk prices). So this only makes sense for applications where you don't actually care about how much use you'll get out of the battery. For remote controls that you plan to lose before changing the batteries, it might be a good idea (assuming you're ready to carefully crack open a battery). Otherwise, it's not.

The moral: math continues to be useful, and secret battery-industry conspiracies (and free lunches in general) continue to be mostly nonexistent.

more on the AACS exploit

muslix64 has some responses to what people have been saying about his work cracking the HD-DVD copy protection scheme. In short, he thinks insecure software players will continue to exist, and will be used by crackers to extract and distribute volume keys, which are the keys specific to different titles, and which can't be revoked by the central AACS authority. You'll have to acquire a volume key before ripping a DVD and uploading it to the Bittorrent networks, but at just a few KB of (now easily-obtained) data, that shouldn't pose a significant barrier to pirates' efforts. And of course, once one unprotected copy is on the net, the jig is up...

by sort-of-popular demand

I've now had a whopping three people tell me that they think the lightbox/flickr thing on this post is neat. So here's the script and the process for installing it, for anyone who'd like it (and is running their blog on a PHP-capable webhost).

the new sign is really working

Kriston's upset that Fairfax libraries are using their shelf space for popular flashes-in-the-pan, rather than stocking classics like The Sound and the Fury. And I guess I agree with him. Mostly. But the thing is, libraries shouldn't have to make this choice.

Before I go any further I should emphasize the considerable depths of my philistinism. When Kriston and I talk about art it usually goes like this:

K: Of course, all of the most important pieces from the last century have never actually been seen, in keeping with their creators' wishes. Observation is rape.

T: I don't understand why we can't just print out the wallpapers that come with Windows, throw 'em in some frames from Target and be happy with that.

blaming everyone else for my ignorance

Lisa is about to start teaching high school English and is a little surprised at what's on the reading list: out with the old, in with the new, broadly speaking. It sounds more familiar to me, I'm afraid. She and I are the same age, but this trend had already hit Arlington County schools when I went through them — and Washington-Lee High School in particular.

I remember reading Alas, Babylon and Cry, The Beloved Country and other non- or neo-classics instead of the canon. And I have to say that I'm a little pissed off about it: I enjoyed those books, but once I got to college I mostly spent my credit-hours on computer science, neuroscience and philosophy. I wasn't able to take a ton of literature classes to fill the holes in my Western education.

The result has been a consistent annoyance. I'm sure that these books work just as well as the classics for teaching the sorts of things high school English students need to learn. Beloved, for example, was not only enjoyable but also uses some of the same narrative tricks as recent internet favorite The Sound and the Fury. But I would be much better equipped to get highbrow jokes, make pretentious bon mots, and complete the New York Times crossword puzzle if we had read the latter instead of the former. Ultimately, that's the real value of selecting one very good book instead of another. Either will suffice for the important stuff, but one will be more useful at cocktail parties.

I do think that teaching kids earnest liberal lessons about other cultures is a worthwhile goal, but I'm not convinced that novels are a very efficient way to do it. I suspect that better movie selection during those days when teacher is hungover could be just as effective. I think that the week in health class when we watched My Life would have been better spent on Roots. "How to die with dignity" is a lesson that can probably be delayed until sometime after graduation.

Of course, we did get some classics: I continue to enjoy making starvation and axe-murder jokes based on Crime and Punishment and The Grapes of Wrath. But I kind of had bad luck there, too, in that our prescribed classics tended to be either kind of schmaltzy (O Henry, lots more of the aforementioned Steinbeck) or redundant (we read a lot of Shakespeare, which is pretty much the only type of lit course that I did take again in college — my own fault, I guess) or just kind of beside the point (I'm convinced we only read this book because it was both Russian and short — a pretty rare combination — although other people insist I just missed the greatness of the novel).

Still, I have to give Arlington County Public Schools' reading list policy credit for one thing: it was pleasantly easy to subvert. Along with friends, I managed to get both Ender's Game and Snow Crash assigned to my classes, and it was awesome. What do you think YT's high-tech skateboard symbolizes?

that looks familiar

Slotcars that you control by yelling into your phone, thanks to Asterisk and an Arduino. Pretty neat, and somewhat similar to a project that I finished not too long ago for our office's lobby (more on that soon). I wonder how he pulls apart the SIP VoIP stream...

The creator's other project is pretty cool, too — it uses Processing and cameraphones and image recognition to an interesting effect. I can't figure out how the hell one uses the mobot image recognition service that he refers to, though.

UPDATE: Check out this project, too, from the same show. With the number of bars and clubs that have prominent video displays, the low cost of the software (and VoIP service) and the ubiquity of cell phones, I really think a fun business could be made out of creating and selling machines that offer this kind of ad-hoc head-to-head gaming. I know I'd enjoy watching a projection of a few people play a game of Bomberman while waiting for the next band to set up at a 9:30 show. Maybe the winner gets some money off his tab — it'd be great.

the Washington Post talks to bloggers

I just got back from the Post's blogger summit thingy. How was it? Well, there wasn't any booze. But it was pretty interesting. The Washington Post has plans for you, little blogger.

Among them:

  • They've already launched and will be continuing to build upon a hyperlocal AdWords competitor that only shows ads when it can beat the AdWords CPM. The assembled bloggers seemed most interested in this, despite the fact that it'll likely mean a difference of a fraction of a cent per click. Nobody who was in that room is going to become rich off of this (although you'd never know it from the volume and pugnacity of the questions that it prompted). But it's interesting from the Post's perspective: it's a forward-thinking way of reclaiming ground from Craigslist. That's pretty smart.
  • More interestingly, they plan to launch a directory of DC blogs. Of course, we've already got a good one. But the Post seems certain to become the canonical index. It'll be good to have this stuff in one high-profile place, and even better to have it exposed to the Post's massive readership. On the whole, it seems certain to be a win for the DC blogosphere.

But there are some downsides:

  • They intend to rip off the already-much-ripped-off DCist Flickr pool idea. C'est la vie. But credit where due: I believe it was Rob's idea originally, and it was a great one. But they may get more than they're bargaining for: they're a family newspaper — I suspect spam and griefers will be a problem for something as high profile as this. I got the distinct impression that they don't have a full-time staffer available to run this thing.
  • They didn't seem very receptive to the idea of providing an API. I think that's a shame — directories of this kind ought to be open and accessible. I suppose I'll write some Perl to turn it into an OPML file every day and serve it up somewhere. Still, it would be nice if they embraced the spirit of openness. They'll be offering some RSS feeds, but I don't think that's enough.
  • Similarly, despite their goal of by-neighborhood categorization, they seemed nervous about precisely geocoding the participating blogs. Nikolas Schiller kept pushing for it, and I joined him, but they claimed to be worried about the privacy implications — and eventually turned the word "geocoding" into a running joke, as if they didn't know what it meant. Now, I do think that Nikolas is a bit map-happy, but he's absolutely right about this. There are pretty simple ways to collect and use precise data without exposing it to dangerous weirdos.

But I'm sure that privacy is only part of their concern. Finding someone to write the API and geocoding stuff is probably the bigger stumbling block. They seem like they're building a pretty basic Yahoo-style directory (right down to trying to settle on a fixed taxonomy for participating bloggers to use), and I imagine they don't want to complicate anything. But the API could consist of a handful of simple REST calls, and geocoding is just a Google Maps mashup away (it's a lot easier than it looks). The front page will just be a little fun, flashy stuff thrown on top of their crawled RSS database.

As for their motivation, I think it must primarily be out of the goodness of their hearts — and wanting to be the center of the DC blogosphere. Other than attracting participants to their ad program, I don't see how they're going to monetize it. So call it a good thing for the blogs of DC — but not as good a thing as it could be.

Oh! They're also going to begin geocoding their RSS feeds soon. That was probably the most exciting thing I heard all night.

new header

And I agree, it's pretty ugly. But the Christmas tree came down over the weekend, so it was time to lose the ornament-themed ornamentation. I'll try to come up with something a little more pleasant-looking soon.

yet another new header

This one's more topical: I'm heading off to the wilds of West Virginia with the rest of EchoDitto from this evening through Saturday for a company retreat. Will there be trust falls? Ropes courses? Or will we just cling desperately to each other as we erupt in sobbing emotional catharses? For the moment, it remains unclear. But I'm bringing the spare Wiimote.

don't fight the future

Kyle was at the Post blogger summit last night, too, but he came away with some different impressions:

All the tech geeks in the room started tearing The Post's new feature apart (even though it's still in development and not online yet!) because it didn't have things like geocoding.

... Does anyone give a shit about geocoding? I certainly don't. Do I need to know what blogs about U Street are actually written in apartments on U Street? Seems like a tool for stalkers more than anything else.

Ah, but you should give a shit about it, Kyle, because it's great. Or at least it has the potential to be.

The point of assigning a precise latitude and longitude to a blog isn't to provide useless data like how far from U Street someone lives. It's to provide an objective, universal way of determining location.

Yes, the Post will split up its list of blogs by neighborhood. That'll be useful enough within the Post site. But what about when you want another system to talk to it? Does System X use the same boundaries for Shaw as the Post does? Do they call the area near the Verizon Center Chinatown or Gallery Place or both? Are any neighborhoods divided into north/south or east/west distinctions, and are those divisions the same across the platforms? Do either of them recognize Midcity as a real area?

Latitude and longitude are a language that every system can speak. Without them, you have to write code to account for the differences between each system — code that will break as soon as someone decides to make a minor change to their categorization system.

Hopefully you're convinced that geocoding is important for system interoperability. But why is interoperability important? Well, because the coming location-aware future is going to be really, really cool. Imagine that there's a fire in Columbia Heights, and bloggers located near it are instantly emailed and asked for any impressions they might have. Or think about Zillow providing links to blogs in a property's neighborhood. Or a geocoded story on washingtonpost.com featuring links to writers in the neighborhood. Or a survey of bloggers across the city asking how well a particular city service is delivered in their neighborhood. You might be able to accomplish some of these tasks with a combination of Google and patience, but geocoding would make them all simpler, faster and more reliable.

In short, geocoding is something that non-geeks don't have to worry about, but shouldn't belittle or fight. It's going to allow my fellow dorks to deliver a lot of fairly amazing applications. Geocoded information may not be interesting to humans in its raw form — I think we're all pretty sick of Google Maps mashups by now — but the things that computers can do with it are downright fascinating.

retreat, not surrender

Well, I'm back. The retreat was fun, and surprisingly useful. I'm more hostile than most when it comes to what I call team-ology — the sort of unscientific time-wasters that arise when someone takes an ex-CEO's platitudes about proactivity (or whatever else) a little too seriously. A surprisingly large number of people can be convinced that a set of successories-style cliches nested in a simply-made-up dependency tree counts as a theory of something. Ropes courses and trust falls are infinitely more useful than that sort of bullshit.

Fortunately there was surprisingly little of that stuff on the ED retreat. Most of the exercises we did were useful or led to useful conversations. Still, for sheer team-building efficacy nothing can compete with drinking beer and playing DDR:

We had almost no internet access at the site, so I've been out of touch. That's led to me being a bad blogger, contenting myself over the weekend with adding useless Technorati widgets and archives to this site instead of content. I can't say that the trend of pointless but technically interesting effort is going to end anytime soon — here's a teaser for the latest useless thing that I'm trying to do with video:

ascii art

But I realize that I've been putting my few long-suffering readers through a lot of technical mumbo jumbo lately. I promise I'll try to reengage the non-robotic part of my brain sometime soon.

UPDATE: Here's a workplace philosophy that I wholeheartedly endorse (see final paragraph).

defending my honor

It's been two years, but scholars are still grappling with my revolutionary (and not at all self-serving) theory about the inevitability of women finding videogame players totally hot. Or Susan is, anyway. That's one entire scholar! I think that's pretty good.

If you missed the opportunity to call me an idiot back in March '05, here's your chance to make up for lost time: grab some journal references (any will do) and head on over to Sue's comments section.

it's real

Ars Technica reports that the first HD-DVD movie rip has shown up on the Bittorrent networks. It's Serenity, the same disc used in the AACS-cracking proof of concept that I discussed at length last week. There's a very small chance that Serenity's key was obtained through non-technical means, and that the breach is therefore confined to that disc. But I wouldn't bet on it.

So this makes it official: the genie is out of the bottle. What's more, it now looks like the use of PowerDVD in the original cracker's demonstration video may have been a red herring. If that's the case, then the HD-DVD consortium is going to be scrambling to figure out what the vulnerability actually is so that they can revoke the appropriate key (assuming that key revocation can fix the vulnerability).

The HD-DVD folks may yet recover from this. But until they do, DRM on the HD-DVD format should be considered dead.

asciimation

Well, that was kind of a waste of time. But it was fun, and I suppose I learned a few new things.

I decided, for no particular reason, to try turning a video clip into an ascii art version of itself. In theory, this can be easily accomplished via a number of different open source projects:

  • Handbrake rips the video from the DVD
  • ffmpeg pulls the video frames out, one-by-one, and turns them into JPEGs
  • jp2a turns each frame into an HTML, ASCIIfied version of itself
  • Something turns the resulting HTML back into a graphic file. I would have liked to use khtml2png, but I couldn't get it to work. I tried a few other things, but none of them worked, either. I ended up using webkit2png. But it was still a pain in the ass to get working, and it only works on OS X. Bah!
  • The convert tool from the ImageMagick package crops the screenshot and converts it back to a JPEG
  • ffmpeg puts everything back together

All of the above occurs in different phases on my mac and a linux machine, and various parts are held together by some Perl.

I chose the opening scene of The Big Lebowski for my test, but it ended up being a bad choice: I thought that the closeups of all the bowling paraphernalia would be easy to recognize, but something with a lot of human faces might've been a better idea. Also, ffmpeg seems to fail at putting audio back onto Flash video — I'm not sure what that's all about, since I was able to add the audio back when trying it with different formats. If anybody's got any idea what's going on, let me know.

At any rate, here are the fruits of my labor. It's somewhat neat, but probably not something I'll waste a lot more time on. The effect would probably look a lot better on fullscreen, uncompressed video — but that's not really my arena. For what it's worth, the effect works best during the scenes in the middle of the clip.

Oh! The embedded flash video player I'm using is from here, and seems to be fairly slick. Also: if you can't see the video, it's because I'm hosting it through the coral CDN. If your firewall at work doesn't let port 8090 through, you're SOL. Don't worry: like I said, it's not exactly life-changing.

I think I'd probably get much better results with a cartoon, especially if I did some preprocessing to crank up the video's saturation and brightness before feeding it to jp2a. But until I've got a clean linux system (or a genuine need) I don't think I'll bother — the khtml2png solution is the right way to do screencaps. webkit2png not only requires me to pull all the files onto a mac, it makes the system's dock undulate in an oddly sensual manner as the related icon pops in and out of it for every file that's processed. It's disturbing.

get got

Why yes, I do enjoy being a small-minded jerk:

typo in Time

I mostly just like this because it makes me feel better about the many times when a typo of mine has made it onto DCist. Also, it provided a handy excuse to put Photoshop CS3 through the paces (Review: it works! But it doesn't use the right style of brush cursor when you're zoomed in.).

TLRx

I almost forgot: be sure to check out the new Ted Leo track over at YANP. Shake The Sheets was a little disappointing to me, but this track takes me right back to 2004. It reminds me of watching Ted carom around the stage at Fort Reno, contained only by the venue's curfew, the peacefulness of the summer night and whatever little constraint his curly guitar cord afforded.

crime!

Crime!

Today started off on an exciting note, with police sirens screeching and officers screaming at a couple of gentlemen about 150 feet from my bedroom window. "Get down and put your hands up!" seemed to be the core message, but the officers tried out a number of different variations (consistent delivery, though). My real camera's battery had run down, so this is the best picture I could manage; you'll have to take my word for the fact that it was kind of awesome (or at least loud).

more crime!

I really don't think I did, but I was out drinking that night, so I suppose I should just go ahead and ask. Michael, Matt, Ezra, Sam, Sarah and everyone else who was out on Friday: did we get drunk at Townhouse and then go grocery shopping in Michigan? Normally I wouldn't ask, but Bank of America sent me an email on Saturday morning wondering about these charges:

some jerk used my card at kroger

I've gone ahead and ordered a new card, but man oh man will I ever feel sheepish if I find a cancelled and beer-stained Kroger receipt lying around the apartment a week from now.

More seriously, this has been surprisingly easy to deal with — I had the whole thing wrapped up and a temporary ATM card in hand within about an hour of getting the initial alert email. It's a real credit to Bank of America, I think, and even more noteworthy when you consider how essentially evil an organization they are.

The obvious question to ask is how the crook got my number at all. I haven't been patronizing internet retailers particularly much in the last week or two, but I did make a few suspect purchases:

  • A while ago I ordered something from SparkFun Electronics. But those guys are great, and I've ordered from them once before. I don't think it could be them.
  • I bought a new cellphone battery from a somewhat shady eBay retailer not too long ago. But I made the payment through PayPal (or Yahoo stores; I forget which), so I kind of doubt it was them.
  • The final and most troubling possibility is the Wii: I bought Super Mario 64 about an hour before leaving the house on Friday night, and did so by using the Wii's integrated store. But surely Nintendo processes payments securely, right? Right?

My childlike faith in the internet makes it hard for me to believe that it's any of these candidates. I haven't gone through my back statements to check for earlier fraud, so it could have happened before these three candidates — I just don't know. There's also a non-electronic possibility: it could've been stolen when I opened a tab at DC9 on Thursday night, too. I did end up with a suspiciously low bar tab.

Anyway, it's all very mysterious, but for now the danger seems to have passed.

snow makes everything look dramatic

shiloh from behind

UPDATE: Here's the context behind the graffiti in the shot, for anyone reading who isn't aware of Shaw businesses' ongoing clashes with Shiloh Baptist Church.

almost famous

I got mentioned in a Newsweek piece about the Wii, thanks to a connection of Sommer's (she's quoted in the article). Yay media conspiracy!

UPDATE: I got some quotes in the author's associated blog entry.

in the same issue

I wouldn't normally beat a dead horse like this, but this is not only a subhead, but from the same issue as the last quote I bitched about (the issue's been lying around the office, and I've been slowly flipping through it). The prominence of this apparent typo is giving me pause, making me wonder if either a) I'm badly confused about the proper use of the verb "got"; or b) this reflects some new and wholly intentional editorial policy at Time. Anyway: huh.

another typo in the same issue of Time. I think.

nonstandard dot net

It's slightly ridiculous, but I have to confess that I've only recently discovered Hype Machine. I've been aware of its existence for a while, but my previous attempts to use it always met with failure. The flash player didn't work right on my old laptop, and the HM iTunes link never has and still doesn't work properly for me. With those functions unavailable, I didn't see a compelling-enough reason to use the site.

But, spurred by references to it in an Unfogged thread, I gave it another shot, got the flash player to work, and found out that it's unbelievably great. There's one major downside, though: I seem to run into buffering problems with the player on a pretty regular basis. This is an infuriating way to listen to music, and particularly bad when I try to use the app through the Wii web browser (the console is hooked up to my stereo, after all — in theory, this could make for a great at-home radio station).

The HM flash player uses the open-source XSPF Music Player, so I'm optimistic that I'll be able to crack it open and implement some more stringent buffering. Unfortunately, my initial explorations revealed that the site uses some irritating redirects and is going to require me to do stupid things like fake my HTTP referer and user agent string. I realize that's gibberish to many of you, but trust me when I say that it's totally lame.

So it may be a little while before I really get my hands dirty with this project. In the meantime, I can't resist posting these two tracks, both of which I'm a little obsessed with (the latter despite not really liking CYHSY):

Modest Mouse – Dashboard
Clap Your Hands Say Yeah – Mama, Won't You Keep Those Castles In The Air & Burning?

blu-ray goes down

The Register reports that the Blu-ray format has been compromised by the same guy (muslix64) who cracked HD-DVD's copy protection.

This isn't a huge surprise, since both formats use the same underlying copy protection system, AACS. Still, it's good to see. Sony can't be trusted with media formats — their instinct is to lock consumers into them for the greater glory of Sony. I was worried that the downside to the HD-DVD crack would be greater enthusiasm for Blu-ray. Now that both have been cracked, it's a fair fight once again.

muslix64 speaks!

Via Slashdot I see that the man who cracked AACS has given an interview. Stridently anti-DRM and humble to boot! Be still my heart.

new tools for internet gossips

I've begun screwing around with my attempt at a larger-buffer Hype Machine player, and became aware of HTTP dereferers in the process. Want to provide a link to a site, but not have the site's owner track it back to you? Then use one of these things.

Here's an example. First, the normal link, which will go to a page showing your HTTP referer information on the third line from the top:

http://c2.com/cgi/test/

and now the same link, passed through a dereferer:

http://ultimod.org/?url=http://c2.com/cgi/test/

Handy!

Of course, it's no help on my particular project — what I was actually looking for was a proxy that will spoof my HTTP referer string on the fly. Unfortunately, referer spoofing seems to be constrained to the realm of the browser plugin (it's commonly used to get free porn from protected sites), and even the excellent Squid Proxy doesn't seem to have this functionality (or at least it's not written up in an easy-to-find manner). But I think I can get by without this workaround.
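Here's what a dereferer like the one above actually has to do, as an added example written for this page. It is not the code behind ultimod.org (I don't know how that site is implemented) and the function and class names, port and header choices are my own assumptions. The point it shows: the trick isn't an HTTP 302, since browsers carry the original Referer through redirect chains; it's that the browser lands on an intermediate page and then navigates on from there, so the destination sees the intermediate page (or, with a referrer policy, nothing) as the referer. It also shows the check a practitioner would insist on, because an endpoint that redirects to any `url=` you hand it is an open redirector.

```python
# Added example; not code from the original post, and not how ultimod.org
# actually works (its implementation is not known to me). It shows the
# mechanism a dereferer relies on: the browser fetches an intermediate page
# and navigates on from there, so the final site sees that page (or nothing)
# as the referer instead of the page that carried the link.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, parse_qs
import html

ALLOWED_SCHEMES = {"http", "https"}


def validate_target(url: str) -> Optional[str]:
    """Accept only absolute http(s) URLs.

    A dereferer is an open redirector by design, so at minimum it must refuse
    javascript:, data:, file: and relative targets; otherwise it becomes a
    script-injection or phishing hop that carries your domain name.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def build_response(query_string: str) -> Tuple[int, Dict[str, str], bytes]:
    """Turn the query string of GET /?url=... into (status, headers, body)."""
    target = validate_target(parse_qs(query_string).get("url", [""])[0])
    if target is None:
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, b"bad url\n"
    safe = html.escape(target, quote=True)
    body = (
        "<!doctype html><html><head>"
        # Classic mechanism: a meta refresh from this page, not an HTTP 302.
        # A 302 would not help, because browsers keep the original Referer
        # across a redirect chain.
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        # Modern browsers also honour referrer policy for the navigation
        # that leaves this page.
        '<meta name="referrer" content="no-referrer">'
        "</head><body>"
        f'Redirecting to <a href="{safe}" rel="noreferrer">{safe}</a>'
        "</body></html>"
    ).encode("utf-8")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Referrer-Policy": "no-referrer",
    }
    return 200, headers, body


class Dereferer(BaseHTTPRequestHandler):
    """Serve GET /?url=<target>; everything else is a 404."""

    def do_GET(self) -> None:
        path, _, query = self.path.partition("?")
        if path != "/":
            self.send_error(404)
            return
        status, headers, body = build_response(query)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listening address and port are assumptions for local testing:
    # browse to http://127.0.0.1:8080/?url=http://c2.com/cgi/test/
    HTTPServer(("127.0.0.1", 8080), Dereferer).serve_forever()
```

The scheme check stops `javascript:` and `data:` targets, but it does nothing about someone linking `http://yourdomain/?url=http://phishing.example/` from a spam mail so the link looks like yours. If you run one of these on a domain you care about, restrict targets to an allowlist or require a signed `url` parameter; the version here is deliberately the minimum.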

fighting movable type comment spam - part 1

There's recently been a lot of discussion on the Gothamist tech list about fighting comment spam, and it's prompted me to revisit and further develop some thoughts I had about the problem. Since I regularly get approached by friends who are hoping to eliminate their comment spam woes, I thought I'd write up my thoughts.

I should be clear, though, that the methods I'll be outlining aren't endorsed or in use by the folks at Gothamist. They've got their own tech staff who are working on the problem. And because of the -ist sites' high profiles, high traffic and multi-server architecture, some of what I'll be discussing wouldn't really be relevant or appropriate for them anyway. But if you've got your own installation of Movable Type running on a webhost where you can run PHP (most can), read on...

fighting movable type comment spam - part 2

Kyle and Jeff rightly pointed out that yesterday's bout of MT-theorizing (aka part 1) — however marginally interesting it might have been — wasn't all that helpful. They're right. I didn't write it in a practically-minded sort of way. So here's a shot at explaining how you'd use the stuff I discussed. And, happily enough, some of these steps are necessary for you to use the upcoming method that I alluded to at the end of the last post — so I would've had to write a large part of this anyway.

fighting movable type comment spam - part 3

We've made some good progress. In part one I talked about how comment spammers operate and some theoretical ways to stop them. In part two I offered a little more practical advice, providing a walkthrough on how to convert an MT site from static HTML pages to PHP and offering more specific instructions on how to hide where your comment script lives. I know that at least one person has seen a reduction in comment spam as a result, which makes me pretty pleased.

Sadly, what we've covered so far isn't enough. Spammers will find your renamed mt-comments.cgi no matter how much JavaScript you bury it under. If users can use the form, so can spammers. They'll find the new location of mt-comments.cgi sooner or later, and then we'll be back at square one.

But what if mt-comments kept changing its location? We can write a script that renames the file every time it runs, then set it to run at a regular interval. That way even when a spammer manages to find it they'll only be able to send spam until the next time the script runs. It'll be great! There are a couple of problems with this approach, though:

fighting movable type comment spam - part 4

Okay. Last one, I promise. Now that you've gone through all of these steps, here are the things that you probably should have tried before listening to me:

  • Ben's querystring-based twist on JS obfuscation has apparently been highly successful. It's simple and clever — give it a try. It also makes me realize that my rotating-mt-comments solution could've been implemented with .htaccess files, eliminating the need for FTP nonsense and allowing us to avoid making changes to mt-config.cgi. That'd be a better way to do it, but the benefits aren't enough to make me rewrite the script. Plus, not everyone has mod_rewrite enabled, so the original solution will work on slightly more systems.
  • MT-Akismet is a Movable Type plugin that brings the power of WordPress's Akismet spam-blocking system to MT. I installed it a few weeks ago and it seems to have helped, although in my case it didn't completely eliminate the flow of spam. Considering that I don't get all that much comment spam at this domain, that makes me disinclined to pimp MT-Akismet as a magic bullet. But it seems to do something, and does so without needing supervision. Also, lots of people swear by it. You might as well give it a try.
  • Captchas are probably the most foolproof method of stopping spam. But users don't like them, and in my experience they're a pain in the ass to install. Still, if you want to stymie the spammers, this is probably the best way to do it.
  • There's always TypeKey, MT's unified login solution. In my experience, it's terrible. Admittedly, the situation at DCist was worse than normal because Gothamist's server architecture meant that comments had to be submitted across a few different domain names, which made TypeKey's cookies go crazy. But overall, I came away deeply unimpressed.
  • Finally, there are a couple of plugins that will close comments on older entries. There are downsides — people wandering in from Google won't be able to leave their thoughts on your old entries — but if you don't mind them, it should help.
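Since part 3 described the rotating-location idea and the first bullet above says it would have been cleaner with .htaccess files, here is that variant written out as an added example. It is not the author's script and not part of the original posts. My assumptions: Apache with mod_rewrite, `AllowOverride FileInfo` on the MT cgi directory, a PHP template that reads the current public path from a state file (kept outside the web root) when it writes the comment form's `action`, and cron to run the rotation. The script rewrites `.htaccess` so that only the current random path reaches `mt-comments.cgi`, while a request for the real name gets a 403.

```shell
#!/bin/sh
# Added example, not the author's script: the .htaccess variant of the
# rotating comment-script location from parts 3 and 4 of the series.
# Assumptions (mine, not the page's): Apache with mod_rewrite enabled,
# AllowOverride FileInfo for the MT cgi directory, and a PHP template
# that reads the current public path from STATE_FILE when it renders
# the comment form's action attribute.

# rotate_comment_path MT_DIR STATE_FILE
#   Rewrites MT_DIR/.htaccess so that only a fresh random path maps to
#   mt-comments.cgi, records that path in STATE_FILE, and prints it.
rotate_comment_path() {
    mt_dir=$1
    state_file=$2

    # 48 bits from /dev/urandom as 12 hex chars: enough that guessing the
    # path takes longer than waiting for the next rotation.
    token=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    public_path="post-$token"

    # Write the whole file each time so the previous alias disappears.
    # The REDIRECT_STATUS test lets the internal rewrite through while
    # returning 403 to anyone requesting mt-comments.cgi by its real name.
    cat > "$mt_dir/.htaccess.tmp" <<EOF
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^mt-comments\\.cgi$ - [F]
RewriteRule ^$public_path$ mt-comments.cgi [L]
EOF
    # Atomic replace so no request ever sees a half-written .htaccess.
    mv "$mt_dir/.htaccess.tmp" "$mt_dir/.htaccess"

    printf '%s\n' "$public_path" > "$state_file.tmp"
    mv "$state_file.tmp" "$state_file"
    printf '%s\n' "$public_path"
}

# Typical cron line (assumed paths), rotating hourly:
# 0 * * * * /usr/local/bin/rotate-comments.sh /var/www/cgi-bin/mt /var/www/private/comment-path
if [ "$#" -eq 2 ]; then
    rotate_comment_path "$1" "$2"
fi
```

Two caveats worth stating plainly. A comment form rendered before a rotation will post to the old path after it, so a rotation interval shorter than the time it takes someone to write a comment costs you real comments; hourly is about as aggressive as is sensible. And this is obscurity, not authentication: it raises the cost of a spammer's address harvesting, but any bot that fetches the entry page and parses the form will still get the current path, which is exactly the point the part 3 text makes about users and spammers seeing the same form.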

the latest advance from Hell Labs

a toy representing the Simpsons Halloween Special scene in which Homer is forced to eat countless donuts in Hell Labs' Ironic Punishment Division

We get some really excellent toys in the office. It's almost entirely Nicco's fault (although I've been lobbying to get one of these ever since April told me they can be run from Linux).

This one's probably my favorite so far. Unfortunately the cranking mechanism isn't timed quite right, and the donuts usually end up sliding off Homer's mouth instead of down his gullet and into the collection tray. It's still pretty great, though.

it's all just bits

The assuredly-distinct-from-me Tim Lee has a post about videogame piracy over at the excellent Tech Liberation Front that doesn't seem quite right to me. I started to leave this as a comment, but it sort of got out of hand.

say goodbye, cavemen

photo of a mooninite by flickr user medildo, used under an ex-boyfriend license

So, Boston's gone crazy because Outsiders harnessed the fire from the sky to make graven images. Here's the part that really gets me:

The first device was found under Interstate 93, and the state police bomb squad was called and detonated the package in Sullivan Square just before 10 a.m. Officials said it contained an electronic circuit board with some components that were "consistent with an improvised explosive device," but they said it had no explosives.

Consistent with an IED. Right. So, assuming that these Cartoon Network signs weren't any more complex than they had to be, what components made them IED-equivalents?

  • power source (battery)
  • light source (LEDs)
  • wires
  • timer/controller (cheap IC or microcontroller)
  • maybe a light sensor (photodiode or photoresistor)
  • not explosives

I have two qualifying devices on my person right now. Drop the photodiode requirement and I've got another three in my backpack. I count twelve in my line of sight.

photo of a painting of the Aqua Teen Hunger Force by Flickr user medildo

I get that it's sort of fun to follow federal protocols and act all serious. But c'mon — the number of mysterious electronic devices that come into our day to day lives is not going to suddenly begin declining. These signs were in several other towns for weeks without the cops freaking out and shutting down the city. Bostonians are just going to need to learn to deal with this kind of stuff. And I really don't like that CNN has inexplicably dragged my beloved MAKE Magazine into this mess.

I don't mean to voice support for the ad campaign, of course, despite my affection for Aqua Teen Hunger Force. Guerrilla marketers like Interference Inc. (who appear to be behind this scheme) are scumbags and thieves, helping themselves to our public spaces and ripping off other people's art. But I'm even less fond of the humorless morons who shut down Boston and seem likely to drag Williams Street into court.

Other than that, the whole thing's pretty funny. And I'm looking forward to hearing more about this from two outlets in particular: Bruce Schneier, and Adult Swim's black & white bumps.

UPDATE: It's worse than I thought! From CNN:

"It had a very sinister appearance," Coakley told reporters. "It had a battery behind it, and wires."

Holy shit! I think I've got some sort of chronometric doomsday device looming over me right now!

UPDATE 2: Check out alpha-geek Bunnie Huang's response to the incident.

UPDATE 3: MAKE has close-up shots of one of the signs. There's a few AA batteries, a voltage regulator, a small microcontroller, an inductor, what I think is an LED driver, a photoresistor, and a bunch of diodes, capacitors, resistors and LEDs. You could comfortably hold all of these components in your cupped palm. None of them costs much more than a dollar, and most are only a few cents. And, based on my admittedly amateur knowledge of electronics, none could destroy a major American city.

UPDATE 4: Justin sent along this analysis of the campaign from a marketing perspective. The bizsolutions blogger thinks that if the campaign had been made higher profile (by involving alternative media, among other things), these problems could have been avoided. I agree that putting a phone number on the signs for law enforcement (not the public) to call could have saved everyone a lot of trouble, but otherwise I disagree with this analysis. The whole point of the campaign is to evoke the subversive work of people like Shepard Fairey and Graffiti Research Labs. Thinking of this as just another illuminated billboard totally misunderstands the Adult Swim brand and how it has been presented up to this point. AS viewers like the idea that they're in on a secret. The ideal outcome for this campaign was to get people talking and a bunch of threads started on message boards. Issuing directions, treating the campaign like a scavenger hunt and interviewing sign-finders on the HOT! 99.n Morning Show runs completely contrary to that idea. Cartoon Network's huge success is in part due to a huge amount of respect for its audience. It doesn't strike me as the sort of relationship that's compatible with traditional marketing techniques.

The photos of Williams Street belong to Catherine, who I assume won't sue me for using them. They're of the tour of Adult Swim HQ that we were lucky enough to be given back in July.

on a more electronics-friendly note

The first Wii modchips are on their way to the public. Via Engadget.