Detail oriented

Ed Fine's blog.

Irma L'acide

Tampa Bay Hurricane Irma blog

It’s not Irma La Douce; it’s Irma L’Acide (excuse my French). Nothing sweet about this Irma.

Monday September 11, 2017 0040 EDT

The remnants of the northern eyewall of the Category 2 hurricane hammered Lakeland and Bartow with 100+ mph winds and very heavy rain, moving more or less NNW.

Here in northwestern Hillsborough county, the heavy rain and winds have just passed us by, thankfully and almost unbelievably without known damage - we’ll see in the morning.

Here’s a radar image from Fox 13’s SkyTower radar app showing the tail end of the storm near us, and Lakeland due east in the danger zone of the Category 2 hurricane. Our thoughts are with those in the path of that eyewall.

Signing off until the morning for some well-earned sleep.

Sunday September 10, 2017 1842 EDT

Irma is expected to weaken to a Category 1 hurricane by the time it hits Tampa Bay. One of the reasons given is shear: winds blowing from east to west are pushing Irma to the west (again), disorganizing its circular pattern.

This is in addition to the weakening from having its heat engine removed by being over land.

But like Paul Dellagatto of Fox 13 says, you can’t just look at a number and know what a hurricane is going to do locally. Irma still has an eyewall that is on its way. Anything in its path is going to have a tough time. There are also bands of high, gusty winds and heavy rain to deal with.

Irma is a very unusual hurricane.

It has rain bands that span the entire state.

People who have lived in Tampa for multiple generations have never seen the waters in the bay recede as far and fast as they did.

In fact, they receded so fast that some manatees around Sarasota were stranded. We saw video of people dragging a manatee on a tarpaulin into the water, where it swam off.

Residents of those areas near the coast are apprehensive about the return of the waters, which come rushing back fast enough to drown unfortunate people who underestimated the speed with which the storm surge travelled.

Irma is also causing flooding along the entire east coast of Florida and beyond, even though the eye is on the west coast. The winds were high enough in Miami to destroy the anemometers measuring them.

Here in Tampa, we didn’t exactly dodge a bullet: We dodged a cannon shell, but a smaller yet dangerous bullet is still on its way.

I feel much more optimistic than I did 24 hours ago. Then, I was fearing a catastrophic Category 4 storm; now I am expecting a Category 1. Speaking of which, the rain is picking up now, and I think the outer bands are arriving.

Updates here may be delayed when power and communications go out.

Sunday September 10, 2017 1635 EDT

Irma made landfall at Marco Island near Naples, at 130 mph. That’s really bad for Marco Island and Naples, and we should spare a thought for their misfortune.

Hurricanes seem to be zero-sum entities. Marco Island’s misfortune has improved our outlook in Tampa Bay. Its landfall is much further south than expected, meaning it is expected to weaken as it travels over land towards us. At the moment (and hurricanes are capricious things, so this is not cast in concrete), it is expected to be a Category 1 or maybe 2 when it gets here.

That’s a lot better than 4 or 5.

Irma is a hurricane of epic proportions.

It is so widespread that at the precise instant Irma made first landfall, Miami, 91 miles away from the eyewall of Irma, on the other coast of Florida, was getting 90+ mph winds and large storm surge, putting entire streets underwater and blowing over two cranes (hint: not birds) that were previously believed safe.

It is so big that it is causing heavy rain in Georgia - beyond the northern border of our state.

It’s still expected to dump 10-12 inches of rain over Tampa, and winds will still be a sustained 60+ mph, so it’s no picnic, and we will still be without power for anywhere from hours to days or weeks, but our outlook is much better.

Right now, anyway.

We’re waiting anxiously for midnight, the expected peak of the storm, but we are feeling more cheerful about our prospects.

Saturday September 9, 2017 1934 EDT

Well, at least Irma is not tracking directly over our house anymore, although the eye is so big it doesn’t make that much difference.

I’ve been talking to our neighbors and my wife about going to a shelter, and also looking on TV at the people who are going to the shelters. Many shelters are already full, and most of the people there seem to be those who live in mandatory evacuation areas and mobile or manufactured or structurally unsafe homes, or are elderly or unable to take care of themselves.

I also heard a response by the meteorologist to questions asked on Facebook to Fox 13 that asked: is it safe to shelter in place in a house that has no storm shutters or window protection?

The answer was unequivocally that, as long as you are not near windows, in an interior room with no windows on the lower floor (we will be - our laundry room), and the house has concrete block construction (it does), and is not in an evacuation zone (it is not), it will be ok.

None of our neighbors are leaving, even those who have no window protection. They are hunkering down in a windowless room and riding out the storm. They are not stupid people - the ones I talked to are intelligent professionals.

We’ve prepared as best as we can. We have flashlights and lots of batteries for them, charged battery packs for the cell phones, food and water for a while. I’ve uploaded insurance photos of the house and possessions, and most of our important documents, to the cloud. The computers in the house are all off and my work is now on a cloud server. My personal data is on a WD MyBook, which is too big to back up to the cloud, so it’s in my backpack with my MacBook and critical things.

Here’s the bottom line: given that we have a well-built, newer house, and enough drinking water and food for 3 days, we are better off than many people in our region who need shelter and would be displaced by us if we went and we didn’t absolutely have to.

And that is ultimately unacceptable.

As stupid as it might sound, it’s a calculated risk (in an admittedly very uncertain threat model), so we’re going to ride it out. We’ve told our neighbors where we’re going to be, and of course anyone reading this blog knows, too.

It is going to be really rough, with no power, no running water, no cooling, 4 people being stuck in a small room for at least 12 hours and maybe more, and a massive hurricane blowing outside.

It is what it is.

I’ll update as power and communications allow.

Friday September 8, 2017 2050 EDT

For Tampa Bay, the current storm track has worsened the local outlook considerably. No longer going up the middle of the state, the track has moved westwards, threatening the Gulf Coast. From storm winds earlier expected to top out at under 60 mph, the forecast has increased to maxima just under 90 mph, and conditions which were recently unfavorable for tornadoes have become favorable.

People in our neighborhood looked uneasily at my next door neighbor, who had had the foresight to have plywood shutters made (probably long ago), nailing them onto his home’s windows. Like us, they probably wished they had thought of that, too, but too late.

Being from southern Africa, where the only natural disasters are flood and famine, this is terra incognita for me (and there’s much terra).

A grim outlook indeed unless the track swings further away from the west coast out to sea, which seems unlikely.

Friday September 8, 2017 1300 EDT

All SunCoast CU branches closed until further notice:

Due to the effects of Hurricane Irma and the safety of our employees, ALL Suncoast Credit Union branches and the Members Care Center will be closed at 1:00 PM on Friday, September 8th through Monday, September 11, 2017. We will reopen on Tuesday, weather permitting; however, this may change based upon the storm’s progression and emergency management recommendations.

Friday September 8, 2017 1100 EDT

Irma’s track shifted west around 11 PM EDT last night so that it drives up the middle of Florida. This is a worst-case scenario because nobody walks away unscathed. It all hinges on precisely when Irma makes its right turn, and what the conditions are at that time.

Thursday September 7, 2017

I have friends and relatives around the world who would appreciate knowing my family’s status as Hurricane Irma approaches, and hopefully bypasses, Florida. This blog seems like a good way to publish our status.

Boring Technical Stuff

I’ve set up my blog so that it lives on Amazon S3 and is replicated by Amazon Cloudfront. My blog source is on a private hosted git repository, and my publishing software (Octopress) is installed on a Linode that has read-only access to the git repo.

I have Working Copy and Byword on my iPad, so I can pull the git repo, update the blog and push it back to the git repo (if I have any Internet access).

To publish to S3, I’ll ssh to the Linode using Prompt, pull the git repo, and run Octopress to generate the update and push it to S3.

It’s probably overkill for a blog that almost nobody reads, but it’s good practice for me.

How VMware's Ovftool Password Handling Gave Me a Headache

ovftool is a command-line utility from VMware that lets one do useful things with VMs on ESXi and vSphere remote systems.

I had installed ovftool and was trying to use it to copy a VM between two ESXi servers, based on this useful post from virtuallyGhetto. For various reasons, it’s often a better idea to use ovftool for copying VMs than to just use scp on the raw files.

Immediately, I ran into a WTF? moment.

$ ovftool vi://root@
Enter login information for source vi://
Username: root
Password: *******
Error: Could not lookup host: root

Error: Could not lookup host: root???

This confused the living daylights out of me. This has nothing at all to do with looking up a host.



And the answer is… drum roll…

Locators. At least, the URI-flavored ones. A locator points to different resource types like VMs or hosts.

When ovftool gets a URI, it’s more or less of the form protocol://username:password@host:port/ or protocol://username@host:port/

(protocol can be one of the standard schemes like https or file, or VMware-specific ones like vi or vcloud.)

If ovftool gets a URI without the password - which I would imagine most security conscious people would prefer - it quite sensibly prompts for a password and captures it without displaying it.

At this point, it appears that ovftool forms the full URI - including password - and uses that to authenticate with the remote system.

You can see where this is going.

The ovftool PDF manual clearly notes (but not clearly enough, in my view):

Encoding Special Characters in URL Locators

When you use URIs as locators, you must escape special characters using %
followed by their ASCII hex value.  For instance, if you use a “@” in your
password, it must be escaped with %40 as in vi://foo:b%40r@hostname, and a
slash in a Windows domain name (\) can be specified as %5c.

Now I get it.

  1. ovftool captures the password from stdin and does not urlencode it.
  2. ovftool forms the URI with the unencoded password, and does not check it for validity.
  3. ovftool uses the URI to contact the remote system.
  4. The malformed URI is interpreted such that the user name - root in this case - is considered to be the remote system’s host name.
  5. The connection attempt dies with the oh-so-misleading message, Error: Could not lookup host: root.
  6. I get a headache.

This hypothesis can be proven as follows.

  • urlencode the failing password;
  • Feed the encoded password to ovftool at the Password: prompt;
  • Profit!!

What I think ovftool does wrong

  1. ovftool violates the Principle of Least Astonishment. When a tool accepts a password as input, it is expected that the tool applies any necessary transformations to it prior to using it. ovftool must urlencode the password if it obtains it via a password prompt.
  2. ovftool fails to check that the URI is well-formed. The characters that must be urlencoded in the various parts of a URI are well-known, and it should be fairly easy to test this.
  3. A more minor, yet valid quibble, is that ovftool echoes asterisks once the password has been entered, which is ok, except that it echoes the same number of asterisks as the number of characters in the password. Exact password length can give a useful clue to a would-be attacker (who would need to be looking over your shoulder, but still, it’s so easy to avoid this mistake).
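
The parsing failure and the missing well-formedness check, as an added example (not code from ovftool or from the original post). It uses Python's generic RFC 3986 parser as a stand-in for whatever ovftool does internally; the host name and password are constructed placeholders.

```python
from urllib.parse import quote, unquote, urlsplit

HOST = "esxi.example.test"   # constructed placeholder host
PASSWORD = "s3cr/et@1"       # constructed password containing URI delimiters


def naive_locator(user, password, host):
    """Paste the raw password into the locator (the failure described above)."""
    return f"vi://{user}:{password}@{host}"


def safe_locator(user, password, host):
    """Percent-encode every reserved character in the userinfo part."""
    return f"vi://{quote(user, safe='')}:{quote(password, safe='')}@{host}"


def parsed_host(locator):
    """Host name a generic RFC 3986 parser extracts from the locator."""
    return urlsplit(locator).hostname


def check_locator(locator, user, password, host):
    """Well-formedness check: the locator must round-trip to its inputs."""
    parts = urlsplit(locator)
    try:
        parts.port  # raises ValueError when the "port" is not numeric
    except ValueError:
        return False
    return (
        parts.hostname == host.lower()
        and unquote(parts.username or "") == user
        and unquote(parts.password or "") == password
    )


if __name__ == "__main__":
    bad = naive_locator("root", PASSWORD, HOST)
    good = safe_locator("root", PASSWORD, HOST)
    # The "/" ends the authority early, so "root" is parsed as the host.
    print(bad, "->", parsed_host(bad), check_locator(bad, "root", PASSWORD, HOST))
    print(good, "->", parsed_host(good), check_locator(good, "root", PASSWORD, HOST))
```

A `/`, `?` or `#` in the raw password terminates the authority component, which is how the user name ends up in the host position; a round-trip check like `check_locator` catches this before any connection attempt.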

A simple workaround

A simple workaround is to urlencode the password yourself on the command line. If you have access to a clipboard-copy-paste utility, the entire thing can be done without displaying the password.

Let’s say that your password is my@random pass/+?$#%^&*()-_+={}[]\|;:'”,/?.

This code snippet will prompt for the unencoded password, urlencode it, and put it into the clipboard, ready for pasting. The advantage of using this over the various command-line urlencoding utilities - that might or might not be available - is that Python is available just about everywhere these days. If not, there’s always Perl.

python3 -c 'import urllib.parse, getpass; print(urllib.parse.quote(getpass.getpass(), safe=""))' | $CLIPUTIL

Clipboard utilities

Possible values of $CLIPUTIL include

  • Windows 10: clip (or redirect to /dev/clipboard in older versions)
  • macOS: pbcopy
  • Linux (X): xclip -selection c

Git Submodule Cheat Sheet

git submodule is powerful, error-prone, and often confusing unless it’s used pretty much daily.

Having a cheat sheet can be pretty useful, so here you go.

This cheat sheet is based on a post by Christophe Porteneuve (many thanks).

Erlang's Internal Data Representation

I find it interesting how the Erlang BEAM engine represents data in memory.

Quick look: An Erlang list

This is the in-memory layout of the Erlang list "phi".

[112, 104, 105]

How BofA Froze My Account for Supporting My Children

My open Dear Jane letter to Bank of America

Dear Bank of America,

Your MSB department believes I am a wicked money launderer or something, so you froze my personal account. If I hadn’t been paying attention, it could have been very nasty indeed, but I drained my accounts and left you only $27.08 in the one you subsequently froze. Don’t spend it all at once.

The Myth of the Fungible Resource

There is a pervasive myth amongst software development management types: the existence of the fungible resource.

A fungible resource is a human cog that managers and executives believe they can drop into a business machine to replace an existing cog. In other words, when developers part ways with a company, many managers believe that their replacements can quickly get up to speed and take over where their predecessors left off.

Pale Blue Dot

Let’s put things in perspective: we’re not all that in the grand scheme of things.