Blog: May 2023

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Magic: The Gathering card prices?

Dear Brain Trust,

I played a lot of Magic: The Gathering when the game was new, and through the first several expansion sets, before eventually drifting away for various reasons. At one point I sold a few valuable cards individually on eBay, and gave most of the rest away to young friends who were just getting into the game. I held back a few cards that I had a nagging feeling were or would be valuable, or that I just had sentimental attachment to, and that weren't going to make a difference to my friends anyway.

I got email from Origins (a gaming convention we'll be attending next month) that, among other things, highlighted a dealer specializing in collectible card games (CCGs) who will have buyers at the con -- so, the email says, bring your cards if you're interested in selling, either individual cards or collections.

So hey, I said to myself, what are these cards actually worth? I looked up some of them on that dealer's site -- that is, what they are currently selling these cards for -- and my jaw dropped a little. But that's sale pricing.

What is a typical range for the difference between buying and selling prices? What should one reasonably expect a dealer to pay, as a fraction of the selling price?

I would have thought this would be something I could answer with a web search, but either it's not or, more likely, I'm not formulating my queries well, this not being the sort of thing I generally do.

Anybody have any advice that will help me evaluate price offers from a dealer?

(I know about grading as a concept, but I think that's orthogonal. Dealers sell cards that are near-mint and cards that are well-played and everything in between. The buy/sell ratios would be about the same across the board, wouldn't they?)

Sneaky malware vector

Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However, modern browsers such as Chrome, Safari, and Edge don't want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit for info provided in a comment (thanks!): Also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful.

I might just edit my hosts file to wholesale block these domains.
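As an added example (not from the quoted post or from this blog), here is a short Python script that applies the rule the post describes: it splits off whatever sits before the @ as user info, names the host that will actually be contacted, and flags the non-ASCII slash and dot lookalikes plus the .zip/.mov endings. The LOOKALIKES table and RISKY_TLDS set are constructed for this illustration and are not exhaustive.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table of non-ASCII characters that pass for URL delimiters
# (the phishing URL above uses U+2215 in place of '/'); not exhaustive.
LOOKALIKES = {
    "\u2215": "/",  # DIVISION SLASH
    "\u2044": "/",  # FRACTION SLASH
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\u2024": ".",  # ONE DOT LEADER
    "\uff0e": ".",  # FULLWIDTH FULL STOP
}
RISKY_TLDS = {"zip", "mov"}  # the two file-extension TLDs the post mentions

def analyze_url(url: str) -> dict:
    """Split the URL the way browsers do: the authority runs from '//' to the
    first real '/', and the host is whatever follows the last '@' inside it."""
    found = [(c, unicodedata.name(c), LOOKALIKES[c])
             for c in dict.fromkeys(url) if c in LOOKALIKES]  # distinct, in order
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a FULLWIDTH SOLIDUS that NFKC folds to '/'
        return {"host": "", "userinfo": "", "lookalikes": found,
                "risky_tld": False, "error": str(exc)}
    host = parts.hostname or ""
    userinfo = parts.netloc.rpartition("@")[0]  # '' when there is no '@'
    return {"host": host, "userinfo": userinfo, "lookalikes": found,
            "risky_tld": host.rsplit(".", 1)[-1] in RISKY_TLDS, "error": ""}

def verdict(url: str) -> str:
    """One-line summary a reader can compare against what the URL looks like."""
    r = analyze_url(url)
    reasons = ["parser rejected it: " + r["error"]] if r["error"] else []
    if r["userinfo"]:
        reasons.append(f"user-info '{r['userinfo']}' is ignored; real host is {r['host']}")
    for ch, name, ascii_ in r["lookalikes"]:
        reasons.append(f"{name} (U+{ord(ch):04X}) mimics '{ascii_}'")
    if r["risky_tld"]:
        reasons.append(f"host {r['host']} ends in a file-extension TLD")
    return ("suspicious: " + "; ".join(reasons)) if reasons else f"plain: host is {r['host']}"

if __name__ == "__main__":
    for u in ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
              "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
              "https://google.com@bing.com"):
        print(u, "->", verdict(u))
```

Python's urlsplit follows the same convention the post attributes to browsers (host is what follows the last @ in the authority), so the first URL is reported as going to v1271.zip, not github.com.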

Now pull the other one

There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

We have hacked your website cellio.org and extracted your databases. This was due to the security holes you had in your site/server which have gained us remote control of everything that was on the server.

Our team is mostly interested in customer, administrative, and employee information which we have extracted through your databases once we got remote control over the server. It still needs to be sorted out but it will be well-organized once finished. First, we will be going through the emails/sms information and contacting the recipient how you held in disregard about their information being exposed to a hacking group when you could have stopped it. This would be detrimental to your personal image with these relationships with these people. Lastly, now that we have information not only will we be monetizing off it with our methods but made public or sold to other people that will do whatever they wish with the information also after we are done.

Now you can put a stop to this by paying a $3000 fee (0.11 BTC) in bitcoin. You can find our address by visiting [redacted] where you can copy and paste the address or scan the QR code. We will be notified of payment which we will then delete the information we have obtained, patch the hole in the site/server which we got in and remove you from any future targeting in the future. You have 72 hours in doing so after viewing this message or the series of steps will commence. You can obtain bitcoin through such services such [...]

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>

This year's garden

This year I am attempting to grow (in containers):

  • Roma tomatoes
  • slicing cucumbers (it was labelled as a "bush" and good for containers)
  • red bell peppers
  • orange "lunchbox" pepper
  • basil
  • chives
  • mint

I have a few more smaller pots, should I come across or think of anything else I want. Last year I had lots of herbs, and found that aside from basil I wasn't keeping up with them fresh and so dried a lot. I want more vegetables anyway, but many of them require more space than a container can provide.

I hope that whatever was eating my cherry tomatoes last year is not as fond of Roma.

The TOL murderer, capital punishment, and rabbinic law

Yesterday's torah portion, Emor, includes one of the "life for life" (death penalty for murder) passages. Locally, the trial for the murderer in the attack at Tree of Life in 2018 has just gotten started. We had a small discussion of the death penalty through that lens.

Many of the victims' families wanted the state to accept the murderer's offer to plead guilty in exchange for life in prison. Some family members pressed for the death penalty. I don't know how prosecutors decide these things, but they decided to have a capital trial instead of accepting the plea.

The systems around the death penalty in the US are badly broken in many ways ranging from injustice to impracticality. Through the lens of civil law and current judicial practice, I personally would prefer that they do the closest legal thing to dropping the guy into an oubliette, keeping him out of circulation while denying the opportunity for grandstanding and martyrdom. Through the lens of Jewish law, however, something struck me yesterday.

The rabbis of the mishna and talmud (in tractate Sanhedrin) were uncomfortable with the death penalty the torah calls for, so they nerfed it. It's very hard to qualify for the death penalty under rabbinic law. In addition to the requirements for eyewitnesses (who themselves face the death penalty for perjury), people must have warned the person beforehand that he was about to commit a capital offense, and he needs to acknowledge that warning. How likely is that? I used to wonder if anybody ever actually did that.

"Screw your optics, I'm going in". That's what the murderer posted on a site where he and others had been discussing the "problem" with Jews.

I don't know what else is in the transcript from that site; I haven't seen it. It sounds like people tried to stop him. Along with everything else -- his social-media activity, the obvious premeditation, the eyewitnesses to the murders, the lack of regret afterward -- it kind of sounds like the talmud's requirements might have been met. It's not a slam-dunk under rabbinic law, but if Jewish law rather than US law were governing this case, it strikes me that this could actually be the rare case that would qualify for the death penalty. And I'd be fine with that.

That's not vengeance talking, though this case is also personal to me (friends, not family). I can support the rabbinic rules for capital cases, theoretical as they seem, because of their many protections and focus on being careful. Example: did you know that a unanimous vote for capital conviction is overturned? Because if nobody had doubts, maybe the judges didn't look hard enough for factors in the accused's favor.