Archive for November, 2004
28 Nov 2004
We had a generally pleasant and low-key weekend. Saturday’s weather left plenty to be desired. It was one of those all-day fall rains with temperatures right around forty degrees. So, we spent most of the day indoors except for a pair of dog walks.
Saturday night, we went to the UW-Madison Men’s Hockey game against Michigan. We have season tickets to all the games this year, and had seen the Badgers lay an egg against Michigan St. on Friday night. UW was ranked No. 2 in the country going into Friday night’s game while Michigan State was unranked. Michigan, Saturday night’s opponent, was ranked No. 1 in the nation, which set up an intriguing matchup. As it turned out, Wisconsin gave Michigan all they could handle and then some. We both enjoyed watching the local team beat a Michigan team of any stripe.
Sunday afternoon, we went geocaching for the first time. We found one cache but failed in our attempts to locate another. I really enjoyed the process of geocaching and am already looking forward to partaking in the activity in different locations whenever I travel.
Pan Asian Thanksgiving
A couple of hours ago, we finished our Thanksgiving dinner with some of our friends. Rather than having the traditional Thanksgiving fare, we had a meal I labeled Pan Asian Thanksgiving. A few weeks ago, I decided that I was not really interested in cooking a turkey for Thanksgiving this year. It isn’t that cooking a turkey is particularly difficult or time consuming. Rather, the act of cooking a turkey is tedious and the net result is often uninspiring. The best part of turkey is the leftovers the next day.
In addition to my relative indifference to turkey, most of the traditional Thanksgiving side dishes are not very high on my favorite foods list. Mashed potatoes have a history of literally making me gag. Homemade cranberry sauce: good. Cranberry “sauce” from a can: very, very bad. Sweet potatoes: better than starvation. Stuffing: Usually best stuffed somewhere other than my plate.
So, at the time we decided to have Thanksgiving at our house, I started vaguely looking around for something more interesting to have for dinner. Soon, I stumbled upon a recipe for Pho Ga, a Vietnamese chicken soup with wide rice noodles. So, I decided to make that for Thanksgiving instead of a turkey. After that, it was just a matter of picking complementary dishes.
Thai fried rice was next on the menu, followed shortly by vegetable dumplings. However, Sheri and Bryan decided to make pork dumplings, so we canned the idea of vegetable dumplings. In addition, Sheri and Bryan brought over some good teriyaki steak.
So, our menu today was the following:
- Pho ga
- Thai fried rice
- Teriyaki Steak
- Stir-fried vegetables and seeds (another Thai dish Sarah made)
- Pork dumplings
- Cookies and ice cream (both supplied by Sheri and Bryan)
We all agreed that it was really refreshing to have a change from the traditional Thanksgiving routine.
Okra
Last night we had okra with our dinner. Sarah came up with by far the most colorful description of that unfortunate food: “vegetable mucus.”
IPSec between a FreeBSD server/gateway and a Mac OS X client
Recently, an Apple iBook found its way into our home. Rather than spend all our time tethered to an Ethernet switch, we decided to go wireless between the laptop and our Internet gateway. However, given the woeful security record of WEP, the decision was made not to rely upon WEP to secure our data from prying eyes. While I used to be a very adept Macintosh user and admin, years of avoiding the platform (for a variety of reasons), and a major OS change on Apple’s part had conspired to render most of my Macintosh knowledge rusty at best and obsolete at worst.
So, when choosing a good data encryption platform, my choices were between OpenVPN and IPSec. Having used OpenVPN in the past, it was my first choice. However, it would take some doing to get the OpenVPN tunnel up between the two systems and most of that doing would be on the Mac. I generally viewed this option as an extremely shallow to nonexistent VPN learning curve with a (possibly) very steep OS X learning curve.
The other option was to use the IPSec support built in to both operating systems. Since Mac OS X draws much of its lineage from FreeBSD, it has a KAME-derived IPSec support under the hood. If I went the IPSec route, I knew that I would get quick response since the encryption/decryption is all done in the kernel, high-quality crypto, and the hassle that comes with setting up an IPSec tunnel. However, that option would avoid the possibly steep Mac OS X learning curve.
In the end, I decided to go with the IPSec option, at least for the short term.
To help others avoid some of the hassle that I went through, I’m posting some notes about my experience below.
On my wireless LAN, the FreeBSD system acts as both a firewall and gateway to the Internet and my wired LAN. So, all my laptop traffic needed to pass through the BSD system at some point, regardless of its destination. In addition, I could not use the DHCP daemon on the wireless access point since it always handed out DHCP addresses with an incorrect default router (i.e., the access point always said that it was the default gateway when the FreeBSD system was the proper gateway). Therefore, whatever I used needed to allow DHCP packets to travel outside of the encrypted data stream.
On the FreeBSD system, I set up the DHCP server daemon to always give the laptop the same IP address. I’m reasonably certain that the FreeBSD/Mac OS X IPSec implementation cannot function with dynamic addresses as tunnel endpoints. By giving the laptop the same IP address, I always know where to look for it on the wireless LAN.
Both systems will need to have racoon installed on them to manage the IKE process. You may need to use the port system on the FreeBSD system to install racoon if you have not previously done so. The Mac OS X system ships with racoon installed already.
You will also need to enable IPSec in your FreeBSD kernel. Do so by adding the following lines to your custom kernel configuration:
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/IPSEC)
Many FreeBSD focused web pages say that you need to uncomment the gif device as well and spend time mucking around with the resulting devices. Whether or not that is true remains to be seen. I did uncomment the gif device in my kernel, but spent zero time mucking around with it.
Once you have your custom kernel configured, compile it via the instructions in the FreeBSD Handbook.
Now comes the interesting part: configuring IPSec.
There are two nodes that we will reference in this example. The first is the FreeBSD system. It has the IP address 172.18.1.1. The second is the Mac OS X system. It has the IP address 172.18.1.7.
Decide what you want to use as a pre-shared key on both systems to start the encryption process. For the sake of argument, I’m going to use ‘pskDemo’ as my key. On the Mac OS X system, put the following line in /etc/racoon/psk.txt:
172.18.1.1 pskDemo
On the FreeBSD system, put the following into /usr/local/etc/racoon/psk.txt:
172.18.1.7 pskDemo
Now, make sure that the psk.txt file is read/write only for root on both systems by using a chmod command something like the following:
chmod 0600 /etc/racoon/psk.txt
Now, you’ll want to ensure that both systems are using the same racoon arguments for various negotiation and encryption processes. On the Macintosh, edit the file /etc/racoon/remote/anonymous.conf. My version of the file looks like the following:
remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    nonce_size 16;
    lifetime time 24 hour; # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey; # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
        lifetime time 24 hour;
    }
}
sainfo anonymous
{
    lifetime time 60 min;
    encryption_algorithm rijndael, blowfish, 3des ;
    authentication_algorithm hmac_md5, hmac_sha1;
    compression_algorithm deflate ;
}
Now, you will need a matching set of directives on the FreeBSD system. For the sake of better organization, I changed some of how the racoon port is installed. My /usr/local/etc/racoon/racoon.conf looks like this:
path include "/usr/local/etc/racoon" ;
include "anonymous.conf" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
log notify;
padding
{
    maximum_length 20; # maximum padding length.
    randomize off; # enable randomize length.
    strict_check off; # enable strict check.
    exclusive_tail off; # extract last one octet.
}
listen
{
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002]; # administrative's port by kmpstat.
    #strict_address; # required all addresses must be bound.
}
timer
{
    counter 5; # maximum trying count to send.
    interval 20 sec; # maximum interval to resend.
    persend 1; # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}
I then created the file /usr/local/etc/racoon/anonymous.conf that contains the following:
remote anonymous
{
    exchange_mode aggressive,main;
    my_identifier address;
    send_cert off;
    send_cr off;
    verify_cert off;
    passive off;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        lifetime time 24 hour;
        dh_group 2;
    }
}
sainfo anonymous
{
    lifetime time 60 min;
    encryption_algorithm rijndael, blowfish, 3des ;
    authentication_algorithm hmac_md5, hmac_sha1 ;
    compression_algorithm deflate ;
}
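An added example, not part of the original post or of racoon itself: a small Python audit that parses the racoon.conf syntax shown above and reports the settings a reviewer would question today, namely aggressive mode combined with a pre-shared key (the key-derived hash crosses the wireless LAN unencrypted and can be guessed offline), 64-bit block ciphers, MD5, 1024-bit Diffie-Hellman, and a missing pfs_group. The values in STRICT_CONF follow the ipsec-tools racoon.conf(5) manual and are an assumption about what your racoon build accepts; the finding codes are this example's own labels.

```python
import re

# Constructed sample: the gateway's anonymous.conf from this page, trimmed to
# the directives the audit reads.
PAGE_CONF = """
remote anonymous
{
    exchange_mode aggressive,main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;   # 1024-bit MODP
    }
}
sainfo anonymous
{
    encryption_algorithm rijndael, blowfish, 3des ;
    authentication_algorithm hmac_md5, hmac_sha1 ;
}
"""

# Constructed stricter variant (assumption: your racoon accepts these values).
STRICT_CONF = """
remote anonymous
{
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp2048;
    }
}
sainfo anonymous
{
    pfs_group modp2048;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
"""

SMALL_BLOCK = {"des", "3des", "blowfish", "cast128"}  # 64-bit block ciphers
SMALL_DH = {"1", "2", "modp768", "modp1024"}          # 768/1024-bit MODP groups


def parse_racoon(text):
    """Parse racoon.conf syntax into nested dicts.

    A directive maps to its list of values; a 'header { ... }' section maps
    to a list of dicts, one per occurrence of that header.
    """
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

    def block(i):
        node, words = {}, []
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok == ";":
                if words:
                    node[words[0]] = [v for w in words[1:]
                                      for v in w.split(",") if v]
                words = []
            elif tok == "{":
                child, i = block(i)
                node.setdefault(" ".join(words), []).append(child)
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return node, i

    return block(0)[0]


def audit(conf):
    """Return (section, finding) pairs for a parsed racoon configuration."""
    findings = []
    for header, blocks in conf.items():
        for blk in (b for b in blocks if isinstance(b, dict)):
            if header.startswith("remote"):
                modes = blk.get("exchange_mode", [])
                for prop in blk.get("proposal", []):
                    psk = "pre_shared_key" in prop.get("authentication_method", [])
                    # Any listed mode is accepted as responder; the first is
                    # used as initiator, so "aggressive" anywhere counts.
                    if psk and "aggressive" in modes:
                        findings.append((header, "aggressive-psk"))
                    if SMALL_BLOCK & set(prop.get("encryption_algorithm", [])):
                        findings.append((header, "64bit-block-cipher"))
                    if "md5" in prop.get("hash_algorithm", []):
                        findings.append((header, "md5"))
                    if SMALL_DH & set(prop.get("dh_group", [])):
                        findings.append((header, "dh-1024-or-less"))
            elif header.startswith("sainfo"):
                if "pfs_group" not in blk:
                    findings.append((header, "no-pfs"))
                if SMALL_BLOCK & set(blk.get("encryption_algorithm", [])):
                    findings.append((header, "64bit-block-cipher"))
                if "hmac_md5" in blk.get("authentication_algorithm", []):
                    findings.append((header, "md5"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(parse_racoon(PAGE_CONF)):
        print(f"{section}: {finding}")
```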
Now that we have identical (or nearly identical) configurations on both ends of the tunnel, we can create the IPSec policy database directives. On the FreeBSD system, these go in /etc/ipsec.conf:
#delete all existing entries from the SAD and SPD databases
flush;
spdflush;
#add the policy to the SPD database
spdadd 172.18.1.1 0.0.0.0/0 any -P out ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require ;
spdadd 0.0.0.0/0 172.18.1.1 any -P in ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require ;
spdadd 172.18.1.7 0.0.0.0/0 any -P in ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require ;
spdadd 0.0.0.0/0 172.18.1.7 any -P out ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require ;
spdadd 172.18.1.1[500] 0.0.0.0/0[500] udp -P out none;
spdadd 0.0.0.0/0[500] 172.18.1.1[500] udp -P in none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P out none;
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P in none;
The two UDP port 500 lines ensure that the IKE packets are dropped onto the wireless LAN outside of the IPSec data stream. While I did not have trouble with that myself, others in the world have, so it seemed prudent to avoid the problems they had encountered.
The two lines for UDP ports 67 and 68 ensure that DHCP packets are also dropped onto the wireless LAN outside of the IPSec data stream. When these were stuck inside the IPSec data stream, the laptop would always fail to renew its DHCP address, which dropped the laptop off the LAN after roughly fifteen minutes.
The remaining lines, the esp/tunnel policies, all dictate how the tunnel is created. Some resources online will tell you that you only need the following configuration and that everything will “just work”:
spdadd 172.18.1.1 0.0.0.0/0 any -P out ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require ;
spdadd 0.0.0.0/0 172.18.1.1 any -P in ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require ;
That was very much not the case with me. When I used just those lines, I got all sorts of very helpful error messages from racoon like “pre-process failed” or “no policy found”. In the end, I needed all of the above lines on the FreeBSD side of the tunnel.
On the Mac OS X side of the tunnel, I put my SPD rules in /etc/ipsec.rules. Why the different name? No idea. Anyway, the contents of that file look like this:
flush;
spdflush;
spdadd 172.18.1.7[500] 172.18.1.1[500] udp -P out none;
spdadd 172.18.1.1[500] 172.18.1.7[500] udp -P in none;
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P out none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P in none;
spdadd 172.18.1.7 0.0.0.0/0 any -P out ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require;
spdadd 0.0.0.0/0 172.18.1.7 any -P in ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require;
Again, the top four lines serve to drop IKE and DHCP packets outside of the IPSec data stream. The bottom four lines serve to establish the data encryption policy between the client and the server.
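An added example, not from the original post: a Python check that reads the setkey policy files above and reports every outbound ipsec policy on the initiating side that has no inbound policy with the same selectors and tunnel endpoints on the other side. It assumes that racoon, acting as responder, rejects a phase 2 negotiation with “no policy found” when its own SPD lacks such a matching entry, which would explain why the two-statement gateway configuration failed; the sample texts are copied from the listings on this page.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Policy(NamedTuple):
    src: str               # "network[port]", normalized
    dst: str
    proto: str             # upper-layer protocol: any, udp, ...
    direction: str         # in / out
    action: str            # ipsec / none
    tunnel: Optional[str]  # "outer_src-outer_dst" for tunnel-mode policies


# Sample inputs: the policy listings from this page.
MAC_RULES = """
flush;
spdflush;
spdadd 172.18.1.7[500] 172.18.1.1[500] udp -P out none;
spdadd 172.18.1.1[500] 172.18.1.7[500] udp -P in none;
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P out none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P in none;
spdadd 172.18.1.7 0.0.0.0/0 any -P out ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require;
spdadd 0.0.0.0/0 172.18.1.7 any -P in ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require;
"""

GATEWAY_MINIMAL = """
#the two-statement variant that did not work
spdadd 172.18.1.1 0.0.0.0/0 any -P out ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require ;
spdadd 0.0.0.0/0 172.18.1.1 any -P in ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require ;
"""

GATEWAY_FULL = GATEWAY_MINIMAL + """
spdadd 172.18.1.7 0.0.0.0/0 any -P in ipsec
    esp/tunnel/172.18.1.7-172.18.1.1/require ;
spdadd 0.0.0.0/0 172.18.1.7 any -P out ipsec
    esp/tunnel/172.18.1.1-172.18.1.7/require ;
spdadd 172.18.1.1[500] 0.0.0.0/0[500] udp -P out none;
spdadd 0.0.0.0/0[500] 172.18.1.1[500] udp -P in none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P out none;
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P in none;
"""


def _selector(token: str) -> str:
    """Normalize 'addr', 'addr/len' or 'addr[port]' to 'network[port]'."""
    m = re.fullmatch(r"([0-9A-Fa-f.:/]+)(?:\[(\w+)\])?", token)
    if not m:
        raise ValueError(f"bad selector: {token!r}")
    network = ipaddress.ip_network(m.group(1), strict=False)
    return f"{network}[{m.group(2) or 'any'}]"


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey 'spdadd' statements; flush/spdflush are skipped."""
    policies = []
    for stmt in re.sub(r"#[^\n]*", "", text).split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        if "-P" not in tok or len(tok) < 7:
            raise ValueError(f"unsupported statement: {stmt.strip()!r}")
        p = tok.index("-P")
        direction, action = tok[p + 1], tok[p + 2]
        tunnel = None
        if action == "ipsec":
            # Request format: protocol/mode/src-dst/level
            _proto, mode, endpoints, _level = tok[p + 3].split("/")
            tunnel = endpoints if mode == "tunnel" else None
        policies.append(Policy(_selector(tok[1]), _selector(tok[2]), tok[3],
                               direction, action, tunnel))
    return policies


def missing_mirrors(initiator: List[Policy], responder: List[Policy]) -> List[Policy]:
    """Outbound ipsec policies of the initiator with no identical inbound
    policy (same selectors, same tunnel endpoints) on the responder."""
    inbound = {(p.src, p.dst, p.proto, p.tunnel)
               for p in responder if p.direction == "in" and p.action == "ipsec"}
    return [p for p in initiator
            if p.direction == "out" and p.action == "ipsec"
            and (p.src, p.dst, p.proto, p.tunnel) not in inbound]


def cleartext_bypasses(policies: List[Policy]) -> List[Policy]:
    """Policies with action 'none': traffic that leaves unencrypted."""
    return [p for p in policies if p.action == "none"]


if __name__ == "__main__":
    laptop = parse_spd(MAC_RULES)
    for name, text in (("minimal", GATEWAY_MINIMAL), ("full", GATEWAY_FULL)):
        gaps = missing_mirrors(laptop, parse_spd(text))
        print(name, "gateway config:", gaps or "every laptop policy is mirrored")
```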
Once I had those files in place, I did the following on the FreeBSD system:
# /usr/local/etc/rc.d/racoon.sh start
# setkey -f /etc/ipsec.conf
On the Mac OS X system, I did the following:
# /usr/sbin/racoon
# setkey -f /etc/ipsec.rules
In addition, you’ll need to adjust your firewall rules to accommodate the wireless LAN and the IPSec traffic. I use ipfilter, my Internet traffic flows out tun0, and my wireless LAN sits off of interface dc0, so my ipfilter rules look like the following:
/etc/ipf.conf:
block in on dc0
pass in quick on dc0 proto udp from any port = 68 to any port = 67
pass out quick on dc0 proto udp from any port = 67 to any port = 68
pass in quick on dc0 proto udp from any port = 500 to any port = 500
pass out quick on dc0 proto udp from any port = 500 to any port = 500
pass in quick on dc0 proto esp from any to any
pass out quick on dc0 proto esp from any to any
/etc/ipnat.conf:
map tun0 172.18.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 172.18.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 172.18.1.0/24 -> 0/32
Once I did that, everything worked for me.
Obviously, I glossed over some details and processes while covering portions of the above. However, there should be enough here to give people an idea of what I did to get everything working between the two systems.
Those Wacky Iranians
Colin Powell wants us to believe that Iran is working on how to deliver nuclear weapons.
…
Sorry, I’m laughing so hard, I can hardly see the screen to write.
Colin, a few words of advice.
First, you and pretty much everyone else in the Bush Administration have no credibility left when it comes to warning the world about countries that have weapons of mass destruction.
Remember that whole Iraq mess that we’re still muddling through? Remember how you went before the UN and presented detailed evidence about how the US knew just where all these weapons of mass destruction were located inside Iraq? Remember all the charts, graphs, reports, and other eye candy you presented as hard evidence of the fact? Remember how Dickie Cheney, Georgie Bush, Donny Rumsfeld, and yourself spent innumerable hours trying to convince anyone who would stand still long enough to listen that Iraq had oodles of weapons of mass destruction?
Does any of that ring a bell or five?
So why, exactly, should we believe you about Iran?
Beyond that, however, let’s assume for just a minute that Iran has nuclear weapons. Heck, let’s go crazy and assume for a minute that I have a nuclear weapon or two that I picked out of a “Free” box at a garage sale this summer.
Like most weapons, nukes are useless without some sort of delivery system. A bullet is nearly worthless without a gun.
An artillery shell won’t do much damage if you lack cannons. Infantry chucking 12″ shells at the enemy isn’t going to cause too many casualties. Some laughter, maybe. But casualties, no.
Bombs are nearly worthless without their delivery system, which we cleverly named “bombers” years ago.
Having really powerful conventional explosives doesn’t do you much good if those explosives cannot be delivered to the target. Imagine if the Navy had to drop blocks of plastic explosives on submarines by hand. Don’t delivery systems like torpedoes and depth charges sound more efficient?
The rules of the game become even clearer when we start talking about the big boys in the arsenal: fuel-air explosives; chemical weapons; nuclear weapons. These are depopulate-Rhode-Island-style weapons. If you think that someone is going to set off one of those weapons by pulling a pin, yelling “Fire in the hole!”, and running like Hell towards a trench to take cover, you’re wrong.
This is really basic stuff, Colin. As a former Chairman of the Joint Chiefs, I expect you at least got a briefing on this stuff at some point.
If the Iranians have nuclear weapons, you bet they’re going to work on a delivery system of some sort. They’d be stupid not to. Short of nuking a city in your own country, there isn’t much one can do with a nuke that lacks some sort of delivery system.
So, Colin. Save it. Even if you can be believed, your warning is worthless.
Geodatabases
Sarah gave a presentation yesterday at the University of Wisconsin-Madison’s GISDay. The subject of her presentation was Geodatabases, which are a different way of working with geospatial data.
She gave a very good speech, complete with screenshots and whatnot. It was nice to overhear several people who said that they were looking forward to hearing what she had to say.
They’re Taking It Away
One of my favorite folk songs is “They’re Taking It Away” [sample mp3] by Ian Robb, a Canadian. Though the song was written years ago, and by a Canadian about conditions in Canada, it is very, very relevant to life in the United States at the present time. A sample of the lyrics:
If you're native, black or asian If you're feminist or gay If you're just a little different from the most of us today If you want to make your point Or if you want to have your say You can spit into the wind Because they've taken it away Ohhh, they're taking it away They're taking it away They are taking all the good things You can hear the people say And they'll take it all tomorrow If they don't take it today From the poor and sick and helpless They are taking it away If you're battered by your husband And you need a place to stay You'd best get down upon your knees And quickly learn to pray For the Women's Center's phone Was disconnected yesterday And there's no one left to talk to Now they're taking it away
"We have a car…"
Earlier today, I found myself riding west on Dayton Street in Madison. Pedestrians were crossing Dayton at Dayton & Frances (near the Kohl Center — the arena where the UW-Madison basketball and hockey teams play) and traffic was (remarkably) stopped for them.
I pulled up to the intersection just in time to hear the following through an open window from the back seat of a car full of young males:
“This is bullshit! We have a car for Christ’s sake!”
There was then some wild gesticulation at the pedestrians peacefully crossing the street as the young males waited.
I was hungry and on my way to get calories. It seemed like a shouting match was the likely result of such an action, so I resisted the urge to explain that while they had a car, they lacked common courtesy, common sense, and knowledge of traffic laws beyond “Red light: Stop. Green light: Go!”.
Anyone who wonders why some people don’t feel safe walking or biking might look to this young man’s comment for possible inspiration. Clearly, there is a reasonably large segment of our population that believes driving a four wheeled vehicle makes right. Those behind the wheel can do no wrong while those of us with just two wheels or feet must look out because we don’t have cars and that makes us stupid, liable, targets, dead, or some combination of the above.
If you see a black Pontiac Grand Am inhabited by four young males cruising around the streets of Madison, don’t count on them to stop for you.
They have a car, after all.
Radio Time Shifting Scripts
It seems that most of my favorite radio programs are only aired on the weekends. And, since I am usually busy working around the house or doing something active somewhere else, I often miss my radio shows.
For some time, I had known about the Linux Radio Timeshift HOWTO but for various and sundry reasons, I never got around to playing with the software and hardware to make it all happen. Over the last week, I have been playing with the software and hardware here and there until I finally got a working system.
After playing around with the scripts provided on the HOWTO page, I decided to engage in a major re-write. Since I do not have a radio that can be controlled by the PC, I do not have to worry about tuning the radio. I just have to worry about taking in audio off of /dev/dsp and turning it into some sort of encoded output.
To my ear, the Ogg Vorbis encoding scheme sounds much better than MP3. So, the first change I made was to switch to oggenc from a LAME-based MP3 encoder.
The second change I made was to increase the quality of the recordings produced by the scripts. Why on earth should I record FM stereo broadcasts, only to immediately encode them such that they sound like AM-mono broadcasts?
Finally, I rationalized the scripts somewhat. I introduced some error checking in some locations. In other locations, I just rewrote the scripts so that they offer meaningful exit codes.
So, while these scripts are no longer anywhere near what I originally downloaded, they are certainly inspired by them.
If you are interested in using my scripts, you can download them here: linux_radio_time_shift.tgz
Hurricane Ivan Victims and Pictures
Hurricane Ivan has completely disappeared from the US media as a newsmaking event. However, those who live in the Caribbean and who experienced that particular category 5 hurricane for themselves find themselves living with the aftermath of the hurricane every day.
Some extended family of ours is hosting several refugees from the Cayman Islands at their Minneapolis area home. Last weekend, Sarah and I drove up to Minneapolis to make dinner for them. How are these folks related to me? The mother of the family is the sister of my uncle by marriage. The mother, in turn, is married to a man who originally hailed from Grand Cayman. They, in turn, have three kids, including one set of twins.
The folks staying in Minnesota from Grand Cayman are all nieces and nephews of the father of the Minnesota family. The number of Caymanite (?) refugees still living in Minnesota has dwindled to six from a high of thirteen, so life is getting more sane for them. If you want to keep up with their daily lives, you can read their website.
The devastation of Grand Cayman by Hurricane Ivan was nearly complete. Winds were clocked at over 200 miles per hour when the storm blitzed the island. Almost no structure on the island survived without some damage. Power is still out to large parts of the island. Drinking water is scarce and most people are getting their water from wells. If you want to view pictures of the devastation, the Forbes’ website, listed above, has a page full of links to various photo collections. As an example, check out www.terrafutan.net.
The kids staying in Minnesota will most likely not go home until power has been restored, drinking water is once again available, and schools are open. Until then, they will be in Minnesota drinking clean water, attending public school, eating good food, and wearing clean clothes.
Of course, providing all those things for nine kids isn’t easy for most folks, so Sarah and I drove up to Minneapolis to give the parents a night off from cooking. We cooked too much chili. Apparently, I was expecting the 2nd Brigade of the 3rd Division to stop by for a light snack. In addition to chili, we cooked four loaves of cornbread, which were generally well received.
Hannibal: A Novel
Recently, I picked up Ross Leckie’s Hannibal: A Novel from my local library branch. Hopefully, you will not replicate my error.
If you are one of those folks who really like the Faces of Death videos, this book is for you. Most of the book seems to be Leckie trying to figure out how to bridge one depiction of torture to the next. Impalings, crucifixions, suffocations, genital mutilation, strangulation, maiming, they’re all here. And not much else is.
Halfway through the book, I didn’t feel anything at all for any character in the book. It’s rather like reading a gruesome, badly written textbook that covers the so-called glory years of Carthage.
Life is too short for this type of trash. Get almost anything else from the library instead of this tome of torture.
Broken Angels
Broken Angels by Richard K. Morgan is another book in the universe inhabited by Takeshi Kovacs of Altered Carbon fame. Unlike Altered Carbon, Kovacs’ motivation in Broken Angels seems muddy and forced. It’s as though we can see Morgan pulling Kovacs’ strings; an unpleasant look behind the curtain, if you will.
Even after I finished the book, I never felt like I bought in to Kovacs’ motivation. And, if one fails to understand the motivation of the main character, just how good can the book be?
Yes, the book has some interesting action and plot points, but if you don’t care much for the characters, those two are just artifices. It’s somewhat like watching someone affix really fancy chrome parts to a rusty Pinto. Those chrome parts can only do so much for the rust bucket underneath it all.
So, if you enjoyed Altered Carbon, good for you. Stay clear of Broken Angels and wait for Morgan’s next book. Let’s hope it is better than this one.
Pandora’s Star
Last week, I finished reading Peter F. Hamilton’s book, Pandora’s Star. The straightest, shortest dope on this book is this: If you don’t normally read science fiction, this book is not a good place to start.
Having said that, let’s get into the heart of the matter.
Some reviewers of this book complained because some of the aliens in the book have powers that could only be explained by the use of “magic.” Of course, those reviewers forget Arthur C. Clarke’s famous quotation:
Any sufficiently advanced technology is indistinguishable from magic
Think about what Victorians might make of modern computers. If you could show them a modern movie with plenty of computer generated graphics (Spiderman 2; X-Men 2; The Matrix; etc.) on a laptop, those Victorians would be absolutely convinced that some form of magic was present.
What would true Vikings think of a modern aircraft carrier conducting flight operations?
What would Alexander the Great or Genghis Khan make of a modern armored division?
All of these technologies would be so far beyond any sort of experience that those historical figures would have that they would most likely be forced to consider the technologies magical.
How then, can we judge the possibilities of future technology in the here and now? If someone asked Ben Franklin what he thought of the Internet, could he even begin to offer an informed opinion? Of course not. Even though Ben was a smart guy, the Internet was so far beyond his knowledge and experience that he would have nothing to offer us on that topic.
To then say that aliens performing tasks X, Y, and Z several thousand years in the future requires magic, is the act of a very small mind.
To say that humans would require magic to travel from point A to point B using technology C requires one to prejudge both practicality and possibility of technologies that we have not even envisioned yet, much less attempted to build.
The book itself is a good, solid read. There are sections that seem more than a bit, um, unnecessary. And when a book is 768 pages long, even a few extra subplots can seem like egregious padding. However, Hamilton has a reputation for tying those seemingly unrelated subplots into the larger whole, so I’m trying to reserve judgement until the second book arrives on the library’s shelves in 2005.
Sturgis Biker Babe 2004 Hot Sauce
My father bought this sauce while visiting the 2004 Sturgis Motorcycle Rally. This was the same rally at which he purchased a bottle of South Dakota Habanero sauce. Unlike that sauce, to which I gave reasonably unfavorable reviews, this sauce is four-alarm hot. The first clue that this sauce is hot is the relatively low sodium content on the nutrition labeling. As a general rule, the more salt a sauce contains, the less heat it contains. Manufacturers put more salt in the sauce to compensate for the lack of heat and flavor in their milder sauces. So, a mere 48mg of sodium per teaspoon is a good sign.
The second clue that the sauce inside the bottle is hot is the thick viscous nature of the sauce. Thin, watery sauces are generally mild for some reason (maybe it is difficult to evenly distribute the seasoning in a thin sauce?). You’ll recognize a thin sauce right after opening the top because the bottle will have a shaker top.
Thick sauces, like this sauce, generally pour right out of the bottle without being hindered by a shaker top.
If you can find this sauce still (and it might be difficult, given its name), and if you like hot sauce, pick up a bottle. Whoo! It is hot. I got a bit frisky while dispensing it over some pasta (must have had a South Dakota Habanero flashback), and I almost made the pasta inedible.
If you are not a hot pepper junky, you’ll most likely think this sauce is way, way too hot.
It’s Beginning To Look A Lot Like Christmas…Unfortunately
Sarah and I usually do our grocery shopping on Wednesday evening. This week, we noticed that the Christmas candy was already on the store shelves. In addition, a ten-foot wall of Coca-Cola products in Christmas packaging was built around the dairy products area (don’t get me started on the symbolism of forcing people to confront and detour around a huge wall of Coca-Cola products to get to the milk).
Someone needs to tell those in charge of marketing that Christmas anytime before December is too much Christmas. Christmas functions like anything else: the more of it you have, the less valuable it is.
One Brief Day of Bliss
Yesterday morning, I got up well before dawn, hopped on my bicycle, and rode downtown to work as an election official for the election.
Even though I am just one small cog in a very, very large electoral machine, I really feel like I help make democracy possible when I am working at the polls.
For over seven hours yesterday, I helped college students and others new to the area register to vote for the election. Many of the people I registered had never voted before for a variety of reasons. Others hadn’t voted for years and years, but they felt that this year their vote really meant something.
After all the talk about ‘another Florida’ and lawsuits, lawsuits, lawsuits, it was very uplifting to see people lining up at 6:45 AM to vote (our polls in Wisconsin did not open until 7:00 AM). We had lines of over 100 people waiting to vote, at times during the day. Generally, everyone was understanding and in a good mood.
After I got home, I made a point of avoiding all news coverage of the election. Even as the night wore on, I made it a point of not turning on the TV and not listening to the radio. When Sarah wanted to check the election returns right before bed, I asked her to do so with the sound off and then I went to another room so I wouldn’t have to see the inevitable red and blue map.
I was really relishing the idea of so many people turning out to vote. I really, really wanted Bush to lose the election and I hoped that the high turnout meant that people had seen through his lies and misdirection and were casting him out of office on a tidal wave of ‘one very pissed-off person, one vote.’ I was envisioning a more moderate Supreme Court as Kerry got to appoint a replacement for Rehnquist. I envisioned different party hacks at the head of the various government agencies.
Before I went to bed, I turned on my alarm clock, but forgot to change the time it was set to go off.
This morning, my alarm went off at 5:00. I hit the snooze unthinkingly. It went off again. Same actions, same result. Finally, it went off again and it registered in my brain what the folks on NPR were saying: “John Kerry refuses to concede Ohio.” That slipped through my media filters and caused my brain to fully awaken, there in the dark of the bedroom.
So, there I was. Fully awake and trying to determine any way that Kerry could win the election by losing Ohio. It just did not seem possible. My mind kept churning and churning, trying vainly to distort that one fact in such a way as to make it fit the known realities of the election and a possible Kerry victory.
It goes without saying that it was with a heavy feeling of dread that I pulled the newspapers from the box at the curb. George Bush’s detestable smirk looked out at me through the translucent blue plastic newspaper bag.
Well, here’s to the next four long, dark, stillborn years. Hopefully, everyone who voted for George W. Bush, who bought into the shiny, plastic packaging, who exercised their brand loyalty, will get plenty of rewards on their frequent Republican voter cards. Lord knows, they’re not likely to get anything else one would actually want from the Bush administration.
At Least We Still Have Beer
Though the stock market may have fallen yesterday during the election, the stocks of the big, corporate, alcoholic drink manufacturers should have been rising.
After all, how else will we numb the pain of yet another four years of Bush and a Republican Congress?
Converting from CVS to Subversion
For the last year or so, I’ve used CVS to keep my home directory under some sort of version control. However, once it became obvious that CVS was perhaps not the best package for my needs, I started looking around for something better.
It did not take long for Subversion to appear on my short-list and, ultimately, be selected to replace CVS.
Why was I switching from CVS? Primarily because everything about it felt either woefully inadequate or clumsy or both.
- If I felt like renaming a file, it was time to head into the repository itself to do the dirty deed.
- If I wanted to add a directory and everything in it with just one command, CVS had no way to accommodate me.
- The branching and tagging were something that I never bothered to figure out.
- Deleting files always seemed like a clumsy process.
- etc., etc., etc.
Subversion makes performing many of these tasks much easier. For instance, I can move a directory or file by issuing the command:
svn move FILENAME NEW_FILENAME
No mucking around in the repository required.
Of course, due to the structure of the Subversion repository, mucking around in the same is excessively difficult. Whereas CVS kept a directory tree that mirrored that of the source files, Subversion keeps everything in a set of Berkeley DB version 4 files. So, if something goes wrong in the database, you had better hope that
svnadmin recover REPOSITORY_PATH
can recover it or your bacon is cooked.
Using the cvs2svn tool, I was able to put all of my CVS history and repository relatively easily into a brand spankin’ new Subversion repository.
Some notes and information if you find yourself contemplating a move from CVS to Subversion:
- Do Not under any circumstances delete your old CVS repository until a long while (a month, at least) after you’ve been using Subversion. cvs2svn has some funky options, and if you don’t use them correctly, it will helpfully corrupt some of your binary files. If something does go wrong, you’ll want that repository so that you can restore your working tree.
- Try the cvs2svn conversion a few times before going live with a Subversion repository. You’ll want to make sure that your conversion command line is doing what you expect it to do and nothing else.
- The command line I used to successfully convert my CVS repository to a Subversion repository (after some experimentation) was:
cvs2svn -v -s SVN_REPOSITORY_PATH --existing-svnrepos --trunk-only --no-default-eol --mime-types=PATH_TO_APACHE2_MIME.TYPES_FILE CVS_REPOSITORY_PATH
If you are not using Apache2 to serve up your svn repository, you do not need to worry about assigning MIME types. What will seemingly hose your binary files is EOL translation. Use the --no-default-eol option I used above unless you know what you are doing.
- Your fingers may be in the habit of typing cvs to access the repository. If you are using bash you may want to add the following line to your ~/.bashrc file:
alias cvs='svn'
- Keywords in files placed under Subversion control are not expanded by default. Hence, you may wish to add the following to your ~/.subversion/config file:
[miscellany]
enable-auto-props = yes
global-ignores = *.o .*~ *~ *.log *.core

[auto-props]
# Text files that get $Id$ keyword expansion and native line endings
*.pl = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.sh = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.txt = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.plx = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.html = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/html
*.css = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/css
*.pm = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.cgi = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
*.xml = svn:keywords=Id;svn:eol-style=native;svn:mime-type=text/plain
# Everything else: a MIME type, plus native line endings for text formats only
*.bat = svn:mime-type=text/plain;svn:eol-style=native
*.bmp = svn:mime-type=image/bmp
*.c = svn:mime-type=text/plain;svn:eol-style=native
*.cpp = svn:mime-type=text/plain;svn:eol-style=native
*.cxx = svn:mime-type=text/plain;svn:eol-style=native
*.gif = svn:mime-type=image/gif
*.h = svn:mime-type=text/plain;svn:eol-style=native
*.htm = svn:mime-type=text/html;svn:eol-style=native
*.ico = svn:mime-type=image/x-icon
*.java = svn:mime-type=text/plain;svn:eol-style=native
*.jpeg = svn:mime-type=image/jpeg
*.jpg = svn:mime-type=image/jpeg
*.m4 = svn:mime-type=text/plain;svn:eol-style=native
*.pdf = svn:mime-type=application/pdf
*.png = svn:mime-type=image/png
*.py = svn:mime-type=text/plain;svn:eol-style=native;svn:executable
*.rc = svn:mime-type=text/plain;svn:eol-style=native
*.sgm = svn:mime-type=text/sgml;svn:eol-style=native
*.sgml = svn:mime-type=text/sgml;svn:eol-style=native
*.spec = svn:mime-type=text/plain;svn:eol-style=native
*.sql = svn:mime-type=text/plain;svn:eol-style=native
*.tif = svn:mime-type=image/tiff
*.tiff = svn:mime-type=image/tiff
*.text = svn:mime-type=text/plain;svn:eol-style=native
*.xhtml = svn:eol-style=native
*.sxw = svn:mime-type=application/vnd.sun.xml.writer
*.stw = svn:mime-type=application/vnd.sun.xml.writer.template
*.sxc = svn:mime-type=application/vnd.sun.xml.calc
*.stc = svn:mime-type=application/vnd.sun.xml.calc.template
*.sxd = svn:mime-type=application/vnd.sun.xml.draw
*.std = svn:mime-type=application/vnd.sun.xml.draw.template
*.sxi = svn:mime-type=application/vnd.sun.xml.impress
*.sti = svn:mime-type=application/vnd.sun.xml.impress.template
*.sxg = svn:mime-type=application/vnd.sun.xml.writer.global
*.sxm = svn:mime-type=application/vnd.sun.xml.math
*.doc = svn:mime-type=application/msword
*.xls = svn:mime-type=application/vnd.ms-excel
*.ppt = svn:mime-type=application/vnd.ms-powerpoint
*.ogg = svn:mime-type=application/ogg
*.gpg = svn:mime-type=application/pgp
*.gz = svn:mime-type=application/x-gzip
*.tgz = svn:mime-type=application/x-gzip
*.tar = svn:mime-type=application/x-tar
*.zip = svn:mime-type=application/zip
*.mp3 = svn:mime-type=audio/mpeg
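A post-conversion check for the binary-file corruption warned about in the notes above, as an added example that is not part of the original post: it compares a CVS checkout with a checkout from the new Subversion repository and labels each changed file as EOL-only (the signature of line-ending translation) or a real content change. The function names and sample trees are constructed for illustration, and text files with expanded keywords such as $Id$ can legitimately differ between the two checkouts.

```shell
#!/bin/sh
# Compare a CVS checkout with an SVN checkout of the converted repository.
# Prints MISSING, EOL-ONLY or CONTENT for every file that is not identical.
# Returns 0 when all files match byte for byte, 1 otherwise.
compare_trees() {
    old=$1; new=$2; status=0
    tmp=$(mktemp) || return 2
    list=$(mktemp) || return 2
    # Files in the CVS checkout, skipping CVS's own admin directories.
    (cd "$old" && find . -name CVS -prune -o -type f -print) > "$list"
    while IFS= read -r f; do
        if [ ! -f "$new/$f" ]; then
            echo "MISSING  $f"; status=1
        elif ! cmp -s "$old/$f" "$new/$f"; then
            # Drop every CR on both sides; a match means only line endings changed.
            tr -d '\r' < "$new/$f" > "$tmp"
            if tr -d '\r' < "$old/$f" | cmp -s - "$tmp"; then
                echo "EOL-ONLY $f"
            else
                echo "CONTENT  $f"
            fi
            status=1
        fi
    done < "$list"
    rm -f "$tmp" "$list"
    return $status
}

# Constructed sample trees (not real repository data): one intact text file,
# one GIF whose CRLF bytes were rewritten to LF, one file lost in conversion.
make_sample_trees() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/cvs/CVS" "$d/cvs/img" "$d/svn/.svn" "$d/svn/img"
    printf ':local:/constructed\n' > "$d/cvs/CVS/Root"
    printf 'hello\nworld\n' > "$d/cvs/notes.txt"
    printf 'hello\nworld\n' > "$d/svn/notes.txt"
    printf 'GIF89a\r\n\001\002\r\n' > "$d/cvs/img/logo.gif"
    printf 'GIF89a\n\001\002\n' > "$d/svn/img/logo.gif"
    printf 'data' > "$d/cvs/gone.bin"
    echo "$d"
}

sample=$(make_sample_trees)
compare_trees "$sample/cvs" "$sample/svn" || echo "conversion changed files"
rm -rf "$sample"
```

An EOL-ONLY line for an image, archive or other binary file means that conversion run cannot be trusted; restore from the CVS repository and retry with different options.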