Blog

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

New neighbor

A nest appeared just outside my back door a couple weeks ago. I saw an occupant early on, and then not for a long time, so I wondered if the nest were abandoned. Earlier this week I started seeing a bird in it again; I've tried to be careful in coming and going but she always flies away. This happened in the same spot several years ago and we eventually had a family of young robins, so I'm hopeful.

I managed to snap a picture of mom earlier today:


Later I saw her fly away, startled by some small sound I guess, so I quickly confirmed my suspicion, holding a camera up at arm's length and shooting blind:

3 blue eggs

Yay, incipient chicks!

Eclipse

That was amazing. The difference between "most" and "total" really is significant.

We joined friends on a resort island in Lake Erie -- words I never expected to hear in the same sentence -- for a couple days. We had some clouds but they didn't impede seeing the main event.

I saw the "diamond ring". I might have seen a bead but I'm not sure. I saw the sun's corona with a big "black hole" in the middle with my naked eyes. I saw the "sort-of sunset" all around. So neat!

Glassdoor updates

Some updates on Glassdoor's privacy violations:

Use https://help.glassdoor.com/s/privacyrequest?language=en_US to request deletion of your data. Deactivating your account doesn't delete data. This might not either (no way to verify), but it's the strongest request you can make.

Media coverage: Ars Technica: Users ditch Glassdoor, stunned by site adding real names without consent, Wired: Glassdoor wants to know your real name. The Ars story is more detailed.

It seems that Glassdoor updated its terms of use on February 17, 2024. I did not receive email notification (my last TOS update from them was December 2022). Some salient bits from the current version:

We may update your Profile with information we obtain from third parties. We may also use personal data you provide to us via your resume(s) or our other services. You can read more about how we collect and process your data in our Privacy Policy.

I never provided a resume. I never typed my name into their site, nor did I use a social-media or Google identity. I created the account with an email address (~10 years ago). That part about "obtain from third parties" means they can try to match you up with LinkedIn, use your email headers if you should ever send them email, try to reconcile your account with Indeed if you're there (the same company owns both Glassdoor and Indeed), and whatever else they come up with.

Also, sometimes the information they add is incorrect. From Ars Technica:

As Monica's blog spread widely online, another Glassdoor user, Josh Simmons, commented to confirm that Glassdoor had "already auto-populated details" on his account, too. But instead of correcting Simmons' information, Glassdoor seemed to be adding mistakes to his profile.

Simmons, who requested to use his real name and share his employer information, is a managing director of Matrix.org Foundation. He discovered that Glassdoor had not only messed up his employer's name but also claimed that he was based in London, while he is actually located in California.

"It was bizarre, because I had never provided that information, and it was a somewhat incoherent mix of details," Simmons told Ars.

Back to the terms of use:

We may attempt to verify your employment history or status through various methods, including third party integrations or services. We may also utilize signals we receive from your current or former employer. Glassdoor is not responsible to you or any third party if we are unable to or inaccurately verify your employment history or status.

I don't know what "we may utilize signals we receive from your employer" means, but it sure sounds like "we might ask your employer if you work there", because your employer knowing you've posted Glassdoor reviews to prompt that question would be a "you" problem, not a "Glassdoor" problem.

(This information is repeated in the privacy policy.)

In order to provide you with access to features across our services, we may create and link different services’ accounts for you.

This is the part about them automatically creating a Fishbowl (social media) account on your behalf, without you explicitly doing anything and apparently without direct notification.

A portion of your Profile on our community and conversation services (e.g., Fishbowl and community and conversation features across our services) is always public. Therefore, your profile picture, company name, title, and other general information (but not including your semi-/anonymous Content submissions) will be visible to the public and available via search. Content submitted with semi-/anonymous identifiers such as your company name or job title is not associated with the publicly-visible portion of your Profile.

So they added my name to my Glassdoor profile without consent, then propagated that to Fishbowl, and the Fishbowl profile was public?!

Glassdoor responded to Ars:

"We vigorously defend our users’ right to anonymous free speech and will appear in court to oppose and defeat requests for user information," Glassdoor's spokesperson said. "In fact, courts have almost always ruled in favor of Glassdoor and its users when we’ve fought to protect their anonymity. With the addition of Fishbowl’s community features to Glassdoor, our commitment to user privacy remains ironclad, and we will continue to defend our users from employers who seek to unmask their identity."

They "vigorously defend" privacy, yet they collect and store information that violates privacy. Also, note that what they're saying is that they'll defend outside requests for data ("almost" always successfully), but they say nothing about their own proactive use of that data -- like selling it to employers.

That data-deletion link once again: https://help.glassdoor.com/s/privacyrequest?language=en_US.

Time to delete your Glassdoor account

Recently I contacted Glassdoor for an account-related issue. This led to them sending me email that I had to respond to. Big mistake.

The TL;DR is: Glassdoor now requires your real name and will add it to older accounts without your consent if they learn it, and your only option is to delete your account. They do not care that this puts people at risk with their employers. They do not care that this seems to run counter to their own data-privacy policies.

Pobox in the 21st century

I've been using pobox.com since (checks...) 1996, when I needed to change email addresses and wanted to avert the hassle of getting updates pushed out the next time I had to do that. Pobox does two things: it gives me an email address that I can redirect wherever I want, and it gives me URL forwarding: a Pobox account comes with the ability to redirect http://www.pobox.com/~your-name to wherever you want.

I got email from Pobox today announcing that URL redirection will be discontinued in a couple months:

[...] Pobox alias URLs once served the same purpose as Pobox email aliases: you could get one URL and have it follow you as your web page moved. Over time, though, personal domains have taken over this use case, and Pobox’s URL redirection service is almost entirely unused. Upcoming changes to our web interface make this feature much harder to continue offering, and we have decided to retire it.

Your account’s URL is one of the few that has seen traffic in the last six months. Maybe that’s a fluke, and you’ve stopped using this URL, and it redirects to some long-abandoned page you owned in the 1990s. On the other hand, you might still be using this URL. If that’s the case, you should begin updating links to your Pobox URL and instead link directly to the target resource, or some other redirection service. [...]

As it happens, I am using that URL, and updating links kind of depends on knowing where the links are. (I mean, updating my own links is easy, but that's not why one uses redirection.) I use the domain I acquired in 2017 for all new stuff, and I've been migrating old stuff intermittently. But I didn't finish and cut over, because there are links to my old SCA stuff (in particular) all over the place out there, and I couldn't figure out how to cleanly make all the URLs work -- Pobox gives me one top-level redirect, but if I can't exactly preserve the structure under that, I'm into the realm of individual redirects and that's a big hassle.

Well ok, then -- Pobox is forcing my hand (and I don't really blame them if usage is that low), so I'll just rip that band-aid off and not worry about making the soon-to-be-dead URLs work on the new site. I also hit the Wayback Machine and archive.today with some pages I know are linked, and I asked Pobox if they could give me referrer logs so I can see if there's anyone I ought to notify. Beyond that, I'll just have to assume that search engines will eventually index the new locations and anyone who really cares will search.

Tonight I migrated my SCA pages, which are mainly the page (and many pictures) for the Pennsic house, since Greg Lindahl is already hosting most of my music (and Joy & Jealousy). I also had a bunch of stuff related to the Board crisis of 1994; rather than port all the individual pages, I archived it online and then dropped a ZIP file on my site. It was 30 years ago; I suspect very few people are interested, and those who are won't mind downloading the bundle.

My Pobox account next renews in 2029. I have email through my domain but, again, a lot of people use my Pobox address and updates are hard. But perhaps in the next five years I should attempt to put that change in place, because who knows if email forwarding will go the way of URL redirection by then?

Breaking into a Mac?

Dear brain trust,

My father had a laptop, an old MacBook. My mother would like to know what's on it. It's password-protected. I've been unable to guess the password, even knowing some of his other passwords and some patterns he used.

I have the passwords to his two desktop computers (iMacs), but also can't get in via network share (access denied). I have his cell phone, which should let me get into his iCloud account (that's the second factor). I have the impression that none of that will help.

Is there any way I can override the laptop's password and get in anyway? Or connect an external drive and make a copy somehow? I'm willing to take the laptop and a copy of the death certificate to an Apple store, except that I don't know if it's technically possible to get in (without damaging the contents, which is the whole point of the operation). I mean, we'd all like security to actually be secure, so this shouldn't be easy, but is there something between "easy" and "impossible" that I can try?

The laptop is at my mom's house, so I can't test things immediately, but I'm looking for any clues that could help on my next visit.

Bo (the last plague)

I gave a d'var torah a couple weeks ago on shortish notice and forgot to post it then. This is for Bo, the parsha that contains the last three plagues and the actual exodus from Egypt.

--

The pattern is familiar: Moshe goes to Paro to demand freedom, Paro refuses, Moshe announces the next plague, and God carries it out. Paro says he's sorry and asks for relief, God lifts the plague, and then Paro hardens his heart and we start all over again. There's no change; the oppression never seems to end.

Rabbi Mordechai Kamenetzky points out that for most of the plagues these negotiations are strained but civil. Moshe and Paro are on opposite sides of an argument, but nobody is throwing tantrums as far as we can tell. But their last meeting is different: after telling Paro what is to come, the torah tells us that Moshe went out from Paro in hot anger.

Was he angry about Paro's stubborn refusal to let the people go? That doesn't seem likely; they've had that well-worn exchange many times before. No, what is different this time is the cost of Paro's recalcitrance.

The first nine plagues caused extensive damage to Mitzrayim, to the point where even Paro's advisors are urging him to give up because Egypt is surely lost. The first nine plagues destroyed crops and livestock, caused injury and sickness, and massively inconvenienced people -- but they weren't fatal to anyone who heeded the warnings to come in out of the hailstorm.

The last plague is different: there is an unavoidable human cost. The last plague targets based on who you are, not on what wrongs you did, and it kills. It's not individual punishment; it's a tax on those living in Egypt. Surely not all of the dead deserved it, even in a society with many evildoers and oppressors.

God does not want the death of sinners, our prophets tell us, but that they should repent. God wouldn't be sending this last plague if there were an alternative. Moshe sees this, Rabbi Kamenetzky points out, and it fills him with anger at the Paro who causes widespread death. This could have been avoided. These deaths are Paro's fault.

But wait, one might say -- it is God who sends this plague, and thus God could avert this widespread loss of human life. It's God's fault, not Paro's, right?

My father, of blessed memory, taught me many things. One of them is that we solve problems with words, not with fists. Another of them is that giving bullies what they demand does not end the bullying. There was a kid in my grade who, starting in kindergarten, was physically abusive to me, and in the many parental conferences that followed, his parents told my parents that boys will be boys and if I didn't react he would probably stop. My father said that was unacceptable. This went on for years, until I was given permission to respond. The bullying ended the day I decked that kid with my large-print dictionary. We don't solve problems with violence, except that sometimes we have to.

I hit the kid; did that make it my fault he got hurt? Absolutely not, according to me, my parents, and the school principal. Lesser interventions had failed. Now my attack didn't do permanent damage, didn't even break his nose -- nothing like the last plague in that regard. But the principle is the same: the oppressor is culpable for the consequences of his behavior. The blood of the victims of collateral damage is on the hands of the evildoers who refuse to resolve conflicts peacefully.

Rabbi Elie Kaunfer from Hadar points out a surprising passage near the end of the parsha, after the final plague, when Paro asks Moshe and Aharon to pray for him. Say what now? The Paro who has done so much damage asks his victims to pray for his welfare? Why would they do that?

Rabbi Kaunfer points out a rabbinic tradition that Paro did not die at the Sea of Reeds with his army. Through the midrashic principle of the conservation of biblical personalities (that's not Rabbi Kaunfer's label), Paro went on to become the king of Nineveh. When Yonah comes to Nineveh to announce their impending destruction, it is the king who asks for forgiveness and leads his nation in teshuva to avert the decree.

Perhaps Moshe and Aharon did pray for Paro like he asked. More specifically, perhaps they prayed that he repent and do teshuva, like we pray our enemies will do in the daily Amidah. That's a prayer I can get behind -- that oppressors big and small soften their hearts, stop doing harm, and turn toward the right path. Ken y'hi ratzono.

Swiss-cheese security

Cory Doctorow's How I got scammed was a fascinating read. Phishing has gotten more sophisticated, but also, even people whose security practices are way above the norm can get hit when the stars (mis)align just so.

There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!

The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if. [...]

The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.

Years ago, I got a call on a weekend from someone claiming to be from my credit card company who was just plausible enough for me to not hang up. (Also a claimed fraud alert.) But I got suspicious when the caller started asking me for private information and then claimed it was necessary to authenticate me (at my own phone number). So I said "I also need to authenticate you; what's my mother's maiden name?" Oh no, the caller said, we can't give you that information... but with all the data breaches we've seen, that technique is no longer safe. The phisher might have my mother's maiden name [1]. Doctorow's phisher had his unpublished phone number. Secrets aren't.

[1] Helpful tip: don't use the actual answers for security questions that people might be able to research or guess. As far as your bank is concerned, your mother's maiden name can be QjFVa6ufeqr_7.

Personal database with web front end 101?

I've been using RateBeer to track beers I've tasted and how much I liked them. This is helpful to pull up on a phone in a restaurant or store. But it relies on their database; if they haven't heard of a beer (and I don't want to do very cumbersome editing to add it on the fly), I can't rate it. Untappd seems to have a larger database but a terrible mobile site.

Fundamentally, this is the wrong approach for me anyway. Sites like RateBeer and Untappd exist to collect and aggregate user-contributed content. I don't care about that. I'm not interested in "social beer". I just want to keep track of things I've tried. And this isn't really just about beer; in days of yore when I bought more books on paper, I wanted to be able to look up what I already own while standing in a bookstore, but GoodReads is not really the interface for that. Similarly, keeping track of board games I like (and variants) is not really a job for BoardGameGeek.

What I need is my own private little database, with a web front end to support both queries (searches) and data entry. I'm the only user, so I don't need anything fancy. (Web, not app, because while I'll do some data entry on the phone, anything non-trivial is going to be done on a computer with a real keyboard.)

This sure feels like a solved problem, but I'm not quite sure what to search for. (Or rather, my searches are leading me to pages like "how to use .NET to build your web form".) My web hosting comes with cPanel links to set up both MySQL and Postgres databases. I think I know the basics of raw HTML forms but I don't yet know how to hook one up to a running database, nor how to access-protect it. I'm comfortable with the SQL to create and query the tables, and while every database is a little different on this I assume I can figure out data import from CSV.

Or maybe I should be looking for something hosted, like Google Sheets but for an actual database. (I've tried importing this data into Google Sheets. Using that on my phone is pretty terrible and it doesn't really support search anyway.) So long as I can export data from someone else's service, I don't need to self-host. But if self-hosting is easy I'd prefer that.

Out of curiosity I asked ChatGPT, and it gave me some PHP with a username and password baked in and a suggestion to do better security. The code doesn't do quite what it said it would do (based on inspection), but it's broadly plausible and ChatGPT even pointed out the problems with security, input sanitization, and validation.
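As an added illustration of the form-to-database hookup and the validation point (not code from this post or from ChatGPT's answer): Python with an in-memory SQLite table standing in for the hosted MySQL/Postgres, a constructed three-row CSV, and a search written once by string concatenation and once with a bound parameter. Table, column and function names are my own choices.

```python
import csv
import io
import sqlite3

# Constructed sample rows standing in for a CSV export; not the author's real list.
SAMPLE_CSV = """name,brewery,rating
Founders' Breakfast Stout,Founders,5
Pliny the Elder,Russian River,4
Old Rasputin,North Coast,4
"""

def open_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the MySQL/Postgres the hosting offers.
    The CHECK constraint rejects bad ratings even if a handler forgets to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE beers ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " brewery TEXT,"
        " rating INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5))"
    )
    return conn

def import_csv(conn: sqlite3.Connection, text: str) -> int:
    """Bulk-load a CSV export; executemany binds every value as a parameter."""
    rows = [(r["name"], r["brewery"], int(r["rating"]))
            for r in csv.DictReader(io.StringIO(text))]
    conn.executemany(
        "INSERT INTO beers (name, brewery, rating) VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """The shape a quickly generated snippet tends to have: the search box text
    is pasted into the SQL. An apostrophe in a beer name is enough to break it."""
    sql = "SELECT name, rating FROM beers WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Same query with the term bound as a parameter; quoting is the driver's job."""
    sql = "SELECT name, rating FROM beers WHERE name LIKE ? ORDER BY name"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def add_from_form(conn: sqlite3.Connection, form: dict) -> int:
    """Validate the fields of a submitted HTML form, then insert with parameters.
    Returns the new row id; raises ValueError so the page can show the problem."""
    name = (form.get("name") or "").strip()
    brewery = (form.get("brewery") or "").strip() or None
    if not name or len(name) > 200:
        raise ValueError("name is required and must be under 200 characters")
    try:
        rating = int(form.get("rating", ""))
    except ValueError:
        raise ValueError("rating must be a whole number") from None
    if not 1 <= rating <= 5:
        raise ValueError("rating must be between 1 and 5")
    cur = conn.execute(
        "INSERT INTO beers (name, brewery, rating) VALUES (?, ?, ?)",
        (name, brewery, rating))
    conn.commit()
    return cur.lastrowid
```

Searching for "Founders'" works with the parameterized version and raises a SQL syntax error with the concatenated one, which is the same defect the "input sanitization" warning is about. Credentials for a real MySQL/Postgres connection belong in an environment variable or a file outside the web root, not in the script.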

Any advice from my readers?

Sh'loshim

My dad's funeral was 30 days ago. For some reason, Judaism counts the first days of mourning from the funeral not from the death, even though the annual commemoration (yahrzeit) counts from the death. Dad wasn't Jewish but I am, and I find our markers in time to be helpful.

Dad was part of a small music group for many years. They were all friends, as you expect in small long-running groups, and the director spoke at the funeral. Later, when I started going through his email looking for things that require action, I found out she has a newsletter and had posted about him. I recognize a lot of that, so I think this is what she read at the funeral.

My dad made a huge difference in my life and in the lives of my mom, sister, and niece -- and I'm learning about some of the other people he also touched deeply.