Lenny Domnitser’s
domnit.org

⇙ Jump to content

explicit

This is a static archive of the domnit.org blog,
which Lenny Domnitser wrote between 2006 and 2009.

So Much More

Today’s inbox:

Fondue invitation reads "Come celebrate Tu B'Shevat by dipping strawberries, bananas, pretzels and so much more into the chocolate fountain."

I don’t even want to know.

HOWTO Buy Cheap College Textbooks

I just started my 6th semester of college, and have built up some experience buying books. My advice to save money can be boiled down to 2 important points:

Even if you buy your books new, online retailers are usually discounted, while the campus book store probably sells at MSRP. An example from this semester: my campus store had Head First Design Patterns for $45—Amazon had it for $30. The only books I buy at the campus store are (overpriced) course packets published by the university. If you spend more than $25 on new books at Amazon, they will ship for free, so keep that in mind when choosing new vs. used.

Also, buying online gives you more used book options. Some sites sell international edition books, which have almost or exactly the same content, a soft cover, and a much lower price. Watch out, though: shipping from India or China can cost over $15. I also try to buy books from nearby because they will arrive sooner, and it puts fewer pollutants and greenhouse gases in the atmosphere. Even within the United States, I’d pay an extra $1 or 2 to order from NY or PA instead of CA.

The single best thing you can do when shopping for books online is to install Book Burro. It is a Firefox extension (you’re using Firefox, right?) that checks prices at almost a dozen online booksellers. It will even tell you the nearest library that has that book.

When you buy online, it might take a while for your books to arrive. You can usually get by the first week, but it sucks when it’s longer. I’ve had books lost in the mail. If you can find out which books you will need, order them ahead of time.

This brings me to the point about schmoozing—if you talk to people who have taken the class, you will know which books you need, and can order just those. Google and Wikipedia can often be as good as suggested reference books. Also, just be smart: for my programming languages class, I bought the required textbook and bought the suggested books on Haskell and Ruby, but skipped the Python and C books because I know that I am familiar enough with the latter two languages.

Better yet, you may be able to use a book for free. One semester my suitemate had the books for 2 of my classes—1 for a class we were both in, 1 book he had for reference. (Thanks for the ~$100, man!) The next semester I lent him my math text.

These tips have worked pretty well for my technical classes. I’ve taken a few literature and writing classes that require a bunch of small books. Paying shipping for these can outweigh the savings of used books, but if you get free shipping at Amazon, it’s probably cheaper than at the campus store. I’ve also taken a lit class that I dropped the first day, which would have cost quite a bit if bought all the books online right away. For this kind of class you can wait to see the syllabus, then buy the first book marked up and the rest online.

(Woo, I’m done! This is not one of those blowhard advice blog—please slap me if I start to write in this style consistently. The advice is legit, but I also wanted to confirm that I would hate myself if I became a pro blogger. [I mean the kind you see on Digg all the time, not like Kottke.] Actually, this is original content, better than most of those sites. If it felt right, which I’m even more sure now is not the case, I’d have tastefully sprinkled bookseller affiliate links throughout the post.)

Stay Hydrated when Swimming, Swim More

It makes sense, but was non-obvious to me (maybe to you, too) that you should drink water when you swim. I just swam 2.5X my usual, was more comfortable while doing it, and felt better at the end by stopping a few times to drink from a fountain.

Try it next time you’re at the pool—you might see that when you thought you were tired, you were really dehydrated. Actually, if you think about all those people sweating away their bodies’ water, maybe you won’t want to go swimming.

Choco-Almond Matzah

A delicious dessert:

  1. Melt dark chocolate. Double boil, natch.
  2. Spread almond butter on a matzah. Almond butter is like peanut butter only it’s twice as delicious and three times as expensive. It needn’t be said that it should be natural A-butt, just ground almonds.
  3. Sprinkle orange zest and nutmeg on the almond butter and spread it in. Living at home during winter break means I get to use stuff like my mom’s citrus zester.
  4. Spread chocolate over the top.
  5. Chill.

Eat the left over chocolate as a fondue with a delicious apple. Share it with your brother.

This is rather sweet, definitely to be had with coffee.

You can figure out amount of each ingredient from the photos, here.

Smash Lab, No

I caught an episode of Smash Lab, Discovery’s new science show, with 120% more violent titillation. I will now bitch about it.

The premise of the episode was to make soft aerated concrete highway medians. Aerated concrete is already used at the end of airport runways to stop overshooting planes. An Engineered Material Arresting System (EMAS) crumbles under the weight of a plane, which digs into the surface and stops. They wanted to use a similar material to prevent head-on-collisions and decrease impact. Sounds good.

They came up with 2 designs: to line a standard reinforced concrete barrier with aerated concrete, and to make an arrestor bed, a plane of aerated concrete similar to EMAS. Rather than discuss the merits of design, the 4 actors that conducted the experiments made a few handwavy, remarks along the lines of “we have to consider both mass and velocity; those together make kinetic energy”. It didn’t sound exactly scripted, more like they were given a list of facts to impart, like when sportscasters awkwardly read background info. It’s PowerPoint voice, rephrasing bullet points. The smashers split into teams of 2 based on superficial preferences and tried both designs. It’s not wrong to try it both ways, but there was no argument.

3 concrete densities were made, 15% air, 25% air, and 40% air. Team Barrier set up a standard highway barrier, lined it with equally thick walls of each concrete, and smashed a fresh taxi into each at the same speed and (unrealistic) angle. And that’s it. There was no control experiment. ROOAAAAR! USE FUCKING SCIENCE! The lighter concretes decreased the force of the impact, but only the heaviest kept the car from going over the barrier. The design was deemed a failure, without seeing what happens when a car hits a barrier without an aerated concrete wall.

Team Arrestor Bed only tested 1 concrete, which given that it’s a novel design, the other concretes were judged too hard or too brittle in the lab, and it’s obvious that a car won’t stop without an arrestor bed, is OK for an initial experiment. The 25%-air mama bear concrete was formed into a strip, with a small ramp leading up to it. The test failed, and it probably would have even if the ramp hadn’t caused the car to bounce in and out of the concrete.

I wasn’t too bothered by the lack of realism (most roads can’t fit arrestor beds, and those that can probably have ditches; and brittle concrete on a large road system is totally unmaintainable; compare to a sturdy, battle-scarred barrier), it was the lack of thought. Maybe I was expecting too much from a show called Smash Lab, but that “lab” part must be worth something. A proper arrestor bed is pretty complicated, but the only expert they had in was a stunt driver. I’d rather see 1 or 2 fewer crashes to make time for a quantitative test of compressive strength and a calculation of whether they could even possibly succeed.

If real science is too boring, just show me a montage of car crashes in front of Beethoven’s Ninth instead of this non-attempt at science.

Bananas

All I do now is photograph my food.

Smoothie

Banana Sandwich

BBQ

steak, unglazed

Sauce:

  1. Puree prunes
  2. Mix
  3. Reduce until it feels like barbecue sauce.

This recipe isn’t the result of several trials and error, just a trial. I used half a cup of sugar, but 1/4 would probably be enough. There were about 3 whole cloves, maybe a teaspoon of each other spice.

I salted and marinated steak in this sauce overnight, then grilled it and re-glazed.

steak, glazed

We had 1 rare, 1 medium. Medium was better, though it might have been a better piece of meat to begin with. Here’s the rare:

rare cut

Nothing was wasted:

dog eating bone

The sauce is pretty potent, not quite for dipping. I’d like to try it on ribs or pork. Dad said no more store-bought BBQ sauce.

UnsafeWindow Considered … Unsafe

Greasemonkey, software that lets users reprogram web pages normally out of their control, has changed the nature of Web browsing. It puts much power on the client side, and carries corresponding security risk. Like with all software, one must beware malicious user scripts, but because user scripts are typically written one-off, but run in a trusted environment, well-intentioned scripts can be rather dangerous.

There are specific poor practices I will describe, which I am prompted to do by a case study, Google Account Multi-Login. The script, which does just the sort of thing Greasemonkey is ideal for, lets people with several Gmail accounts switch between them instantly.

(Here I had warned not to install the script. However, I emailed with the script author while I was writing this, and we decided to hold off on publication until he posted a safe version. Anything from before 13 January 2008 is not safe.) If you have an old version of the script, here’s a scary proof-of-concept attack. Now go uninstall the old one and freshly install the new one.

The combination of 2 sloppy practices allow any website you visit to steal your Google logins. Since most services will send a password reminder when requested, if your Gmail is compromised—what’s a nice word for “you’re fucked”?

Here are the first few lines of the script:

// ==UserScript==
// @name           Google Account Multi-Login
// @namespace      http://eveningnewbs.googlepages.com
// @description    Replaces "Sign out" link on Google pages with a select box of accounts.
// @include        http*://*.google.com*
// @include        http*://google.com*
// @exclude        http*://mail.google.com/*ui=1*
// ==/UserScript==

// Load persistent user data
if (!GM_getValue)
    {alert("You need the newest version of Greasemonkey to run this script. Please upgrade."); return;}
unsafeWindow.gmAUTOLOGIN = GM_getValue("autologin");
unsafeWindow.gmUSERNAMES = GM_getValue("usernames", "").split(",");
unsafeWindow.gmPASSWORDS = GM_getValue("passwords", "").split(",");

And these are the 3 lines that do the damage:

// @include        http*://*.google.com*
unsafeWindow.gmUSERNAMES = GM_getValue("usernames", "").split(",");
unsafeWindow.gmPASSWORDS = GM_getValue("passwords", "").split(",");

As you may guess, the object called “unsafeWindow” is part of the problem. Normally, Greasemonkey scripts run in a special “sandbox,” isolated from untrusted web pages, but unsafeWindow is a way to access the untrusted context. By setting these properties on unsafeWindow, the web page can read the login information.

The include line is not actual code—it is metadata that tells Greasemonkey which pages to run the script on. The asterisks match any string of characters. With relaxed include rules, the logins are not just written to the web page context of Google pages, but any page that matches http*://google.com*. See how my proof-of-concept attack works? http://domnit.org/misc/be-careful-with-greasemonkey.google.com.html matches.

You can avoid problems by minding your includes and using alternatives to unsafeWindow. Scripters can learn more about Greasemonkey at the Greasespot wiki, and absolutely must read Mark Pilgrim’s Greasemonkey Talmud, Avoid Common Pitfalls in Greasemonkey.

Thanks to Jarett for his fast reply and fix. The upside of picking on him in this post is that now I recommend his script.

Randall Munroe Died in a Blogging Accident

Let’s flip this graph.