Blog

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Magic: The Gathering card prices?

Dear Brain Trust,

I played a lot of Magic: The Gathering when the game was new, and through the first several expansion sets, before eventually drifting away for various reasons. At one point I sold a few valuable cards individually on eBay, and gave most of the rest away to young friends who were just getting into the game. I held back a few cards that I had a nagging feeling were or would be valuable, or that I just had sentimental attachment to, and that weren't going to make a difference to my friends anyway.

I got email from Origins (a gaming convention we'll be attending next month) that, among other things, highlighted a dealer specializing in collectible card games (CCGs) who will have buyers at the con -- so, the email says, bring your cards if you're interested in selling, either individual cards or collections.

So hey, I said to myself, what are these cards actually worth? I looked up some of them on that dealer's site -- that is, what they are currently selling these cards for -- and my jaw dropped a little. But that's sale pricing.

What is a typical range for the difference between buying and selling prices? What should one reasonably expect a dealer to pay, as a fraction of the selling price?

I would have thought this would be something I could answer with a web search, but either it's not or, more likely, I'm not formulating my queries well, this not being the sort of thing I generally do.

Anybody have any advice that will help me evaluate price offers from a dealer?

(I know about grading as a concept, but I think that's orthogonal. Dealers sell cards that are near-mint and cards that are well-played and everything in between. The buy/sell ratios would be about the same across the board, wouldn't they?)

Sneaky malware vector

Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com, will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit for info provided in a comment (thanks!): Also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful.

I might just edit my hosts file to wholesale block these domains.
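
What the quoted URL breakdown means for anyone checking links before clicking, as an added example (not code from this post or from the post it quotes): it parses each URL with the WHATWG `URL` parser that browsers follow and reports the real host, any user info, slash lookalikes, and a TLD that doubles as a file extension. The `inspectUrl` name, the finding labels and the list of lookalike characters are choices made for this example.

```javascript
// Added example: flag the URL tricks described in the post above.
// RISKY_TLDS and the finding names are assumptions made for this example.
const SLASH_LOOKALIKES = /[\u2044\u2215\u29F8\uFF0F]/; // fraction, division, big, fullwidth slash
const RISKY_TLDS = new Set(["zip", "mov"]);            // TLDs that double as file extensions

function inspectUrl(raw) {
  const findings = [];
  if (SLASH_LOOKALIKES.test(raw)) findings.push("slash-lookalike");

  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules browsers follow
  } catch {
    return { host: null, userinfo: null, findings: [...findings, "unparseable"] };
  }

  // Anything between the scheme and "@" is user info, not the destination.
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  if (userinfo) findings.push("userinfo");

  // Ignore a trailing root dot so "example.zip." is still caught.
  const tld = url.hostname.replace(/\.$/, "").split(".").pop();
  if (RISKY_TLDS.has(tld)) findings.push("file-extension-tld");

  return { host: url.hostname, userinfo: userinfo || null, findings };
}

// The two URLs from the quoted post, plus its google/bing example.
const samples = [
  "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
  "https://google.com@bing.com",
];
for (const s of samples) {
  const r = inspectUrl(s);
  console.log(r.host, r.findings.length ? r.findings.join(", ") : "no findings");
}
```

The legitimate GitHub link ends in `.zip` too, but that is a path on `github.com`; only the first sample has `.zip` as the host's TLD.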

Now pull the other one

There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

We have hacked your website cellio.org and extracted your databases. This was due to the security holes you had in your your site/server which have gained us remote control of everything that was on the server.

Our team is mostly interested in customer, administrative, and employee information which we have extracted through your databases once we got remote control over the server. It still needs to be sorted out but it will be well-organized once finished. First, we will be going through the emails/sms information and contacting the recipient how you held in disregard about their information being exposed to a hacking group when you could have stopped it. This would be detrimental to your personal image with these relationships with these people. Lastly, now that we have information not only will we be monetizing off it with our methods but made public or sold to other people that will do whatever they wish with the information also after we are done.

Now you can put a stop to this by paying a $3000 fee (0.11 BTC) in bitcoin. You can find our address by visiting [redacted] where you can copy and paste the address or scan the QR code. We will be notified of payment which we will then delete the information we have obtained, patch the hole in the site/server which we got in and remove you from any future targeting in the future. You have 72 hours in doing so after viewing this message or the series of steps will commence. You can obtain bitcoin through such services such [...]

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>

This year's garden

This year I am attempting to grow (in containers):

  • Roma tomatoes
  • slicing cucumbers (it was labelled as a "bush" and good for containers)
  • red bell peppers
  • orange "lunchbox" pepper
  • basil
  • chives
  • mint

I have a few more smaller pots, should I come across or think of anything else I want. Last year I had lots of herbs, and found that aside from basil I wasn't keeping up with them fresh and so dried a lot. I want more vegetables anyway, but many of them require more space than a container can provide.

I hope that whatever was eating my cherry tomatoes last year is not as fond of Roma.

The TOL murderer, capital punishment, and rabbinic law

Yesterday's torah portion, Emor, includes one of the "life for life" (death penalty for murder) passages. Locally, the trial for the murderer in the attack at Tree of Life in 2018 has just gotten started. We had a small discussion of the death penalty through that lens.

Many of the victims' families wanted the state to accept the murderer's offer to plead guilty in exchange for life in prison. Some family members pressed for the death penalty. I don't know how prosecutors decide these things, but they decided to have a capital trial instead of accepting the plea.

The systems around the death penalty in the US are badly broken in many ways ranging from injustice to impracticality. Through the lens of civil law and current judicial practice, I personally would prefer that they do the closest legal thing to dropping the guy into an oubliette, keeping him out of circulation while denying the opportunity for grandstanding and martyrdom. Through the lens of Jewish law, however, something struck me yesterday.

The rabbis of the mishna and talmud (in tractate Sanhedrin) were uncomfortable with the death penalty the torah calls for, so they nerfed it. It's very hard to qualify for the death penalty under rabbinic law. In addition to the requirements for eyewitnesses (who themselves face the death penalty for perjury), people must have warned the person beforehand that he was about to commit a capital offense, and he needs to acknowledge that warning. How likely is that? I used to wonder if anybody ever actually did that.

"Screw your optics, I'm going in". That's what the murderer posted on a site where he and others had been discussing the "problem" with Jews.

I don't know what else is in the transcript from that site; I haven't seen it. It sounds like people tried to stop him. Along with everything else -- his social-media activity, the obvious premeditation, the eyewitnesses to the murders, the lack of regret afterward -- it kind of sounds like the talmud's requirements might have been met. It's not a slam-dunk under rabbinic law, but if Jewish law rather than US law were governing this case, it strikes me that this could actually be the rare case that would qualify for the death penalty. And I'd be fine with that.

That's not vengeance talking, though this case is also personal to me (friends, not family). I can support the rabbinic rules for capital cases, theoretical as they seem, because of their many protections and focus on being careful. Example: did you know that a unanimous vote for capital conviction is overturned? Because if nobody had doubts, maybe the judges didn't look hard enough for factors in the accused's favor.

Avian socializing in the 21st century

How nifty!

Parrots are social creatures. However, most pet parrots are singletons. They get lonely and sometimes that leads to destructive behavior.

From the Smithsonian:

Once the birds had learned how to initiate video interactions, the second phase of the experiment could begin. In this “open call” period, the 15 participating birds could make calls freely; they also got to choose which bird to dial up. Over the next two months, pet parrots made 147 deliberate video calls to other birds. [...]

For starters, they found that the parrots took advantage of the opportunity to call one another, and they typically stayed on the call for the maximum time allowed during the experiment. They also seemed to understand that another live bird was on the other side of the screen, not a recorded bird, researchers say. Some of the parrots learned new skills from their virtual companions, including flying, foraging and how to make new sounds. [...]

The birds forged strong friendships, which researchers measured by how frequently they chose to call the same individual. Parrots who initiated the highest number of video calls also received the most calls, which suggests a “reciprocal dynamic similar to human socialization,” per the statement.

The article links to this ACM paper. Yes, ACM-CHI, meaning it's from a technical conference not an animal-behavior conference. (Also, I guess this stretches the boundaries of the 'H' in CHI, which stands for Computer-Human Interaction, or at least did the last time I attended that conference.)

Seasons

Making the rounds (I saw it here). Applies to Pittsburgh too:

Chicago actually has 12 seasons:
- Winter
- Fool's Spring
- Second Winter
- Spring of Deception
- Third Winter
- (you are here)
- The Pollening
- Actual Spring
- Summer
- Hell's Front Porch
- False Fall
- Second Summer
- Actual Fall

Frogs

Somebody said today is World Frog Day (who knew? not I!), and with Pesach coming up soon that led to some discussion of the second plague, and somebody linked to a passage in the talmud about it and I have questions:

Rabbi Akiva says: It was one frog, and it spawned and filled the entire land of Egypt with frogs. Rabbi Elazar ben Azarya said to him: Akiva, what are you doing occupying yourself with the study of aggada (stories)? This is not your field of expertise. [...] Rather, the verse is to be understood as follows: It was one frog; it whistled to the other frogs, and they all came after it. (Sanhedrin 67b)

(Convention: the parts in bold are in the original text; the rest is editorial elucidation. The talmud's discussions are often quite compact.)

If I'm reading this correctly, Rabbi Elazar's objection to Rabbi Akiva's statement isn't the claim that there was one frog that then produced more. Rabbi Elazar is fine with the "one original frog" idea. No, he's disputing how the other frogs got there; Akiva says the first frog spawned them, while Elazar says it summoned them.

Rashi elaborates Elazar's complaint: Akiva should refrain from stories about frogs and focus on more serious stuff, like laws of plagues and afflictions, that Akiva actually knows something about. Which makes me wonder what any of them are saying about Elazar's knowledge, since it's apparently ok for Elazar to talk about this stuff. This is Elazar ben Azariah, who at the age of 18 was miraculously given white hair overnight so that the other sages would take him seriously as (briefly) the head of the Sanhedrin. It's not like he's some nobody who doesn't know more "serious" stuff and is only equipped for stories.

What a peculiar passage.

And also: world frog day? Really? (Search engines produce hits. And I found it on a list on Wikipedia, for what that's worth.)

Free to good home: Pennsic house or parts thereof

Please share a link to this post with any SCA (etc) or tiny-homes people you think might be interested.

I have a house on a flatbed trailer. It lives at Cooper's Lake in western PA, where Pennsic is held. When I set out to build it, I first got Dave Cooper's approval of the plans so there would be no issues with using and storing it there. All was good. But times have changed, there are new people with new business interests running Cooper's Lake now, and many of the "old" trailers, including mine, have been evicted. In my case, my trailer has to be gone after Pennsic 50, this August.

The trailer is not road-legal; it's only been driven on Cooper roads for the last 20 years. Legality aside, I doubt the trailer would be safe at real road speeds. (The campground has bumpy dirt roads and traffic moves at 5-10MPH.) It's not practical for me to disassemble the house and rebuild a smaller version of it to take to and from Pennsic every year: I don't have the storage, the towing vehicle, or the fortitude. I don't think I'll go to enough more Pennsics to justify all those costs.

Perhaps you have those things, and interest? Or perhaps there are parts you can use?

Parts of the house are in good to very good condition and could perhaps be reused for a different building project. The roof was new in 2019, put on a month before I got the eviction notice (sob). It's made of ABS pipe, cut to look like tiles, and it does a good job of both protecting and cooling the house. I can talk more about its construction. The loft floor is made of 2x4 tongue-and-groove whitewood and, being interior, has not been exposed to the elements. The doors are in good shape (you probably want to refinish them). Some other lumber can probably be reused for the right project.

I would be sad to trash all this if there's someone who can make use of it and who can come collect it in August. I'm not looking for money; I want to reduce waste.

If you're interested, please get in touch -- click through to the Dreamwidth post for some contact options or use the "contact" link on this site or use any other path you know to reach me.


Pixel fail: followup

The replacement phone arrived Wednesday (faster than they said, good). I'd already done a manual backup on top of the automatic one, but migration from one phone to another of the exact same type and OS version is easier: connect them via a cable and wait. Basic data transfer happened within an hour, though it took a few hours for apps to get installed and Chrome was being especially finicky for some reason.

My settings were almost all there; I expected to have to do more manual configuration (including re-laying out the icons where I wanted them). Nope, that was all fine. I had to set up each individual app again, though; sometimes that was just a matter of logging in (for example, Tusky or Authy), but sometimes it required redoing everything (email client for my non-Gmail accounts). Chrome had a weird bug where tabs didn't work (!) but the update ("new version available", it kept saying) would hang; after a few reboots it sorted itself out.

There was a feeling of trepidation as I kept asking myself "are you sure you have everything you need?" before doing the factory reset on the old phone, but I finally did that today. It started doing the flashing-display thing during the reset, so I just left it for a while. The documentation says a factory reset can take an hour, so after a couple hours I power-cycled to see where it was.

I was greeted by the "new phone" setup screen, so that worked.

And then it started flashing again. Ha.

Yes, support person, I was right: that's a hardware problem. After another power-cycle (so I could see what I was doing) I shut it down and boxed it up, and tomorrow I will take it to FedEx.

The replacement they sent me was marked as "refurbished", but they are holding the price of a new phone against my credit card, which feels wrong. It's only a problem if the package doesn't arrive in time (which is why I will hand it to a human at FedEx and get a proper receipt), but it's still sleazy. And yes, if they were to charge the card they would add shipping charges, so it's not to offset that.

I've never had to make a warranty claim on a phone before, so I don't know how my experience with Google compares to what I would have had with other vendors. It's something I should try to find out before I buy my next phone, which I hope will be several years from now.