January 20, 2010

Actually, the lack of a letter "s".

I hadn't noticed that Firefox had opened facebook up without SSL, but sure enough, the tip from this thread got everything working correctly (now have Older Posts back and the bottom toolbar).  Sheesh.

Problems in Facebook page when using Firefox 3.5.1




January 3, 2010

Excellent way to get data on just about anything and good graphs to visualize the balance of nutrients to fat.

Nutrition Facts and Analysis for Seeds, flaxseed




December 23, 2009

Bank of America nicely summarized some of the major changes coming due to the Credit Card Accountability and Disclosure (CARD) Act.  In short, your credit card company can't be so much of a money-grubbing bastard anymore.  Although there are so many avenues not closed by this act, they actually still can be pretty evil.  For example, there is no regulation preventing credit card companies from charging whatever they want for interest rates.

Here's some of the good stuff that should have been in place already were it not for a congress that is in bed with the financial sector:

  • APRs can only be raised if you do not make at least the minimum payment within 60 days of your payment due date.  Previously, they would jack it up probably the next day after your payment was due.
  • If your APR was raised due to missing a payment for > 60 days, your APR can be returned to the original rate if you pay your bill for the next 6 months by the due date.
  • 45 days notice required for increasing your APR for any arbitrary reason.
  • Amounts you pay over the minimum payment apply to the highest APR balances first.  Without this legislation, they would just apply it to whatever they wanted that maximized their profit and minimized your wallet.  Because they are mostly still evil, they are going to still apply the amount due to the lowest APR balance first.
  • Payment due dates will always fall on the same date each month.  You will also get at least 25 days from the statement closing date for your payment due date.  I'm guessing that they changed your dates in the past to make you more likely to miss your payment so this is a nice catch.
  • Paying more than your minimum amount due will actually reduce your interest costs because of changes in how finance charges (that B of A now says will be all called "interest charges") are calculated.
  • Payment cutoff times are changing from just one timezone (e.g. Eastern) to be the actual timezone of the facility to where you mail your payments.  This helps you because a payment received on the Tuesday it is due, but after 5pm eastern, was actually counted as "late" prior to this law.  Unbelievable.
  • Cash advance checks they mail to you will all have printed expiration dates and will not be honored after that date.  Sounds like a good security measure to me.  I hate that they send checks about every month; waiting for someone to steal them from my mail.
  • So long as you pay at least the minimum amount due by the due date, your APR for existing balances will not be affected.
  • In addition to your payment grace period (where you can carry a balance but not pay interest), if you have paid in full previously but on one statement do not pay in full (thus leaving a balance on your card), portions of your "Purchase balance" (I'm interpreting this to be stuff you just bought on your card this billing cycle) are eligible for an extended interest-free period.  Thus, you do not get dinged right away for finance charges on your entire card balance.  That was the really annoying thing.  If you had $1000 on your card, and missed a payment by even one day, you would get assessed a finance charge on -- not just the amount on your bill, but the total amount you owed on your card -- even stuff in the grace period.  So, you had no way of reliably knowing what you might have to pay.  This sounds like it's a game-changer for that practice.

But beware that you will be seeing some "novel" attempts by the card companies to return to excessive profitability at your expense at some time soon.  They are poring over the legislation to find the loopholes.


December 10, 2009

Best to have a kid get a cold here or there to reduce the chance of higher inflammation as adults and protect them from cardiovascular diseases.  We were just talking about this...

Everyday germs in childhood may prevent diseases in adulthood




November 29, 2009

I think it is a horrible waste that the US spends so much money to fund the National Center for Complementary and Alternative Medicine (NCCAM) which investigates non-scientific modalities, many of which have no prior plausibility so would not normally even qualify for scientific investigation.  I prefer the term Supplements and Complementary and Alternative Medicine for the category of woo because it has a better acronym (SCAM) -- thanks to Mark Crislip for that.

However, one good thing is that they have tested out many of the common "remedies" and supplements that many Americans take and have succeeded in disproving them.  The trash heap now contains at least:

Other non-remedies to add to the list are:
Oh, and Airborne is chock full of a bunch of woo and is not going to be effective so don't give those thieves any of your money.  Also, Airborne contains 100% of your RDA of Vitamin A, but if you take up to the maximum recommended "dose" of Airborne (every 3 hours, or 8 times/day) you will get 8 times the RDA of Vitamin A.  And excess vitamins can be harmful as a new study shows specifically with Vitamin A.

And if you thought that Zicam was safe, watch out.  It can cause a complete loss of smell and taste.  So although it _may_ have a modest effect on the common cold, I don't think the benefits outweigh the risk.

Also, if any substance has a pharmacological effect on the human body, then _it is a drug_.  And you should tell your doctor when you are taking these things because they can have drug interaction effects just like any prescription drug.  Some can be very dangerous to not tell your doctor about.  And as with any drug, they can have side effects.


A brand new study out shows that using sinus rinsing as a prophylactic may actually have the opposite effect of increasing your rate of sinus infections.  Significantly.  As much as 50-60+ % more sinus infections. 

They did not test efficacy of using sinus irrigation when you actually have a cold or sinus infection so until hard data is out there, it may still be okay. 

Long-Term Neti Pot Use May Backfire




November 22, 2009

I recently wrote about the security issues with rooting your Android phone.  Fortunately, this should spark some discussion about how to securely jailbreak or root your phone.

BBC NEWS | Technology | Worm attack bites at Apple iPhone




November 11, 2009

The best guide I found for reliably getting root access to your android HTC Hero device is here:  How To: Root Your CDMA HTC Hero (Sprint/Verizon) | The Unlockr

However, as a security guy, I notice that none of the guides discuss the implications of the process from a security perspective, so I will add a few extra tips and observations and explain how it works.

By default, Android devices run applications as low privileged user accounts on the underlying Linux operating system.  If you have the application RoboTop installed, you can actually see the users that each process runs as.  For example, the robotop process and its child 'top' processes all run as 'app_60'.

This is a good secure-by-default design for the operating system, however there are some things that you must do as root to have enough rights at the OS level to complete your task.  For my case, I needed to be able to clean the /data/boot-cache directory to work around an annoying defect on the HTC Hero that was preventing application upgrades from persisting across a reboot.  Some applications (SSH server, I believe) also need to run as root.

Google does not provide any means for getting root access as an end user, but the community has come up with all kinds of ways to get around this on various devices.  If you have physical access to a device, it is generally pretty easy to gain full access to it _somehow_.  In the case of the Hero, it essentially involves:

1. Running a Linux kernel exploit that allows you to run arbitrary programs as root.  Discouragingly, the program to do this is a binary with no source code.  But it is claimed to be based on this kernel bug:  Sprint Hero HAS BEEN ROOTED@! - Android Forums
2. Using the exploit to launch a shell as root. 
3. Using the root shell to create a setuid root shell so that you can gain root anytime in the future without the exploit.

However, there are some serious security implications of doing this:

1. The procedures don't tell you to delete /data/local/asroot2, so you end up leaving a program that can run arbitrary code as root on your system in a known location.
2. The procedures have you create a setuid root shell as /system/bin/su.  However, this allows anyone or any application to run arbitrary code on your phone as the highest privilege user using a binary at a known location.

So, you may have root but you have absolutely no way to control it.  And applications that require root now expect to find a setuid root shell in /system/bin/su to gain root.  Any application can now do anything it wants, including replace parts of your operating system for whatever nefarious purpose (malicious, wireless worm, extortion, annoyance, etc.)

But, all is not lost.  You can get control back with the Superuser application.  I've read through the design and it sounds on the face of it to be a reasonable approach:  My Brain Hurts: Fixing the "setuid su" security hole on Modified Android RC30.  Instructions on installing it and download of the files (source code is available as well):  http://www.koushikdutta.com/2008/11/update-to-superuser.html

The install.bat file did not work for me though.  I got a permission denied trying to write a file as a non-root user into /system/bin.  Actually, the low-privilege user cannot write to many places on the filesystem.  Instead of copying the bin/su file directly, I copied it to /data/local/tmp and then _as root_ on the phone, I copied it into /system/bin and changed the permissions.

The next step is to first run the Superuser application on the phone so that it can replace the files and set the permissions properly to implement the protection.

After you do this, you will get a visible request each time an application tries to execute /system/bin/su.  You have control and auditing back.

Oh, and what you also need to remember to do is delete /data/local/asroot2.  You don't need it anymore and it only makes your system vulnerable to keep it around.  If you ever needed it again, you can copy it back.
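The two leftovers this post warns about (the exploit binary at /data/local/asroot2 and an unrestricted setuid su at /system/bin/su) are easy to check for after the fact. The script below is an added example, not something from the post or from the Superuser project: run it in an adb shell on the phone, or point ROOTFS at a tree copied off the device to audit it offline. The paths are the ones named above; ROOTFS, the function names and the mode-bit test are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a rooted Android device for the two
# leftovers discussed above. Run it in an adb shell on the phone, or set ROOTFS to a tree
# copied off the device to check it offline. The two paths come from the post; ROOTFS and
# the function names are this example's own.

# Return 0 when FILE exists with the setuid bit AND the other-execute bit set, i.e. any
# app UID (app_60, ...) can run it and inherit the owner's privileges. "-perm -4001" is
# understood by GNU find as well as the toybox/busybox find shipped on Android.
su_is_unrestricted() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -n "$(find "$f" -maxdepth 0 -perm -4001 2>/dev/null)" ]
}

# Return 0 when the exploit binary the rooting guide drops is still on the device.
exploit_residue_present() {
    [ -e "$1" ]
}

# Run both checks under ROOTFS ("" means the live system). Prints one line per finding
# and returns 1 if anything needs attention, 0 when the device is clean.
audit_rooted_device() {
    root="${1:-}"
    rc=0
    if exploit_residue_present "$root/data/local/asroot2"; then
        echo "WARNING: $root/data/local/asroot2 is still present; delete it (keep a copy off the phone if you think you will need it again)"
        rc=1
    fi
    if su_is_unrestricted "$root/system/bin/su"; then
        echo "WARNING: $root/system/bin/su is setuid and executable by every app ($(ls -ld "$root/system/bin/su")); install Superuser so each use is prompted and logged"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no leftover exploit binary and no unrestricted su found"
    return "$rc"
}

audit_rooted_device "${ROOTFS:-}"
```

The mode check only tells you whether every app can execute the binary; it cannot tell a plain setuid shell from the Superuser replacement, which keeps the same bits but prompts before granting root. Treat a warning on /system/bin/su as "confirm which su this is", and a warning on asroot2 as "delete it".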



November 5, 2009

FYI.  Kind of annoying since I have to look in my mail logs to double-check if a critical message actually went out.

I use Gmail-Googlemail, but I can't tell if any of my messages have been posted to the list - Documentation - Confluence




October 30, 2009

This was played at the end of Reasonable Doubts podcast e55 and I loved it.  Had to find the high-fidelity version.  I think I might have my new ringtone...every call will be awe-inspiring.

Very cool trance mix with wonderful clips from Sagan and Hawking masterfully woven in.

Colorpulse: Youtube goodies




Contact: Jason Axley