Safari rejects Cookies with Version/Discard Attributes after Mac OS X 10.6.5 update

A few months ago while helping to debug a cookie character-encoding problem, I randomly suggested trying the Java J2EE javax.servlet.http.Cookie’s setVersion(1) call, based on the RFC 2109/RFC 2965 claims that cookies labeled version 1 would behave differently. This was a foolish idea, since the cookie RFCs have little or nothing to do with the de-facto cookie non-standard.

Cookie c = new Cookie('Key", "Value");

Unfortunately, what was meant to be a one-line experiment got checked in, and was silently adding the Version and Discard attribute to cookies for months (note, the Discard attribute signifies a session cookie according to RFC 2965). All the common browsers ignore the version/discard attributes, so no problems appeared. Some typical output from GAE‘s Jetty server:

Set-Cookie: Key=Value;Version=1;Path=/;Discard

However, the recent Mac OS X 10.6.5 update included a security patch to CFNetwork involving cookies and allowed domains. The patch has caused problems for web-developers using local IP-addresses. It also appears that this patch silently changed how Safari treats cookies with the version/discard attribute — rather then simply ignoring the attributes, Safari now actively rejects cookies with version/discard attributes.

Is this a bug in Safari? Or a cookie-validation feature? With no real standard to measure it by, there is no way to tell. Suffice it say, it is best to avoid calling setCookie(1)!

wfinger: WebFinger and command-line finger combined

WebFinger is a new protocol for mapping email addresses to public profile information. Despite being named after the classic finger protocol, there isn’t a version of the Unix finger command that supports the WebFinger protocol. So to fill this gap, I’ve cobbled together wfinger – the traditional finger command with WebFinger support.

  • Binary: (Mac OS X 10.6 Universal Binary)
  • Demo CGI Gateway:

    Or: curl

Example (using web-fingerling Blaine Cook):

% ./wfinger

[ - web finger]

Account:               Name: Blaine Cook
Organization: BT                        Title: Sociotechnologist
Email:                                  Phone:
Address: Belfast, Northern Ireland

            tel: http://tel:447595925264

Latest Tweet:
   #blogtalk2010 finished, really lots of fun. Thanks to @johnbreslin
   and everyone else here for a great event. :-D

The WebFinger-based output of wfinger is mainly fields extracted from the user’s profile using the hCard micro-format. To add some color, wfinger will also display the user’s latest tweet, if a Twitter account is detected. When WebFinger information can’t be found, wfinger falls back to using the traditional finger code/protocol. Thus, it still works with those who have keep the finger-protocol flame alive throughout the dark ages, like bzs and alexis at The World and Panix.

I also added code to look for a new “” relationship in account XRDs. The “hfinger” stand for HTTP Finger, and hfinger URLs should point to HTTP finger gateways that return text/plain finger output. This allows fingerd-like output to be tunneled via WebFinger resource discovery. You can see this in action by wfingering my account ( This will be useful for people who just want traditional finger output, but are on systems that don’t allow port 79 access.

I hope wfinger will generate some interest in the WebFinger protocol amongst the command-linerati and grumpy grey-beard sysadmins, who run the internet. Share and Enjoy!

14 Tesla Whirling Dervishes: Circular swimming in mice after exposure to a high magnetic field

Today* the latest collaboration of the Brothers Houpt has hit the scientific newstands! The boffins at the Houpt-Lab are proud to present:

Circular swimming in mice after exposure to a high magnetic field
by T.A. and C.E. Houpt

Paper and PDF can’t really show the effect directly, so here is a video of a mouse swimming immediately after exposure to the magnet. The output of Tracker is overlaid on the raw video to highlight the counter-clockwise looping. As the paper notes, the effect quickly wears off.

Tom did most of the work of designing, executing, analyzing, plotting and writing up of the experiment. On experiment days at FSU’s Magnet Lab, Tom’s mentor and long-time magneto-collaborator, Dr. Jim Smith, helped with the magnet rigging equipment. I helped with the camera setup and then wrote the Tracker program to extract data from the raw video. Lab Tech Breyda Ortega helped with mouse wrangling.

With this publication, I’m right on track for my goal of one scientific paper per decade!

*The publication date on the issue’s cover is today, June 16th, but it appears that P&B posts its issues a month ahead of time. You’d think that the scientific press would be above the crass ploys of the commercial magazine industry, but apparently not. If I can’t trust the date on the outside of a scientific journal, how can I trust the data inside?

Last hit from Google China

Google has closed its search engine in China in a dispute over hacking and censorship. As an English/Japanese site, has never seen much traffic from Google China, so the last hit was in early March. Someone in Beijing searched for “mac os lynx“:

221.x.x.x - - [09/Mar/2010:09:18:29 -0800] "GET /lynxlet/ HTTP/1.1" 200 3355 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; zh-CN; rv:1.9.2) Gecko/20100115 Firefox/3.6"

Ironically, the second to last hit from Google China was using Google’s own Chrome browser, but it is likely a foreigner because the browser is using English:

121.x.x.x - - [24/Feb/2010:07:38:36 -0800] "GET /validator-sac/ HTTP/1.1" 200 3137 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Chrome/5.0.322.2 Safari/533.1"

Cron Tip: Reboot Jobs

If you have an account at a managed hosting service (shared hosting, VPS, etc), system reboots can be unexpected and confusing events. Sysadmins need to reboot for a variety of reasons — hardware problems, security patches, vandalism — and they rarely inform users before or even after the reboot. All you might see are some confusing messages in your error logs, or gaps in the traffic logs.

One solution is to setup a reboot job in your cron table, like this:

@reboot         echo 'Uh oh, a Reboot!'

Now, every time the system is rebooted you will get an email, and you will be better able to interpret or fix any problems that show up.

One caveat is that @reboot jobs are run whenever the cron daemon starts, so false positives are possible. However, in practice the cron daemon is almost never restarted on its own.

HTML in 3D!

Boing Boing recently noted the satirical McSweeney’s piece “Leaping off the Page” by Ben Greenman that proposed a 3D typographic system, 3*TYPE, which would allow simple prose to meet the challenges of the Avatar-inspired 3D revolution. However, where would satire be without farce? So taking things to their natural extreme, I present “HTML in 3D!” which implements the 3*TYPE process for any web page.

HTML in 3D is a bookmarklet and CSS stylesheet that produce a anaglyph stereoscopic 3D effect for common HTML text elements (headers, links, etc). It should work in most modern browsers (i.e. probably not IE). Put on some anaglyph red-blue 3D glasses and click the link to see this post in headache-inducing 3D:


How to use the bookmarklet elsewhere:

  • Drag the 3D! link above to your browser’s bookmark bar
  • Load any web page
  • Don anaglyph red-blue 3D glasses
  • Click the 3D! bookmark, and watch the HTML pop!

Thanks to GEKE.NET for the CSS Bookmarklet Maker.

RSS Feeds for Full Episodes of The Colbert Report and The Daily Show

Recently Comedy Central yanked The Daily Show and The Colbert Report off of Hulu [update: in early 2011, the shows returned to Hulu]. I started watched these shows on Hulu because it provided RSS feeds for the full episodes, while Comedy Central has only ever had segment/clip feeds. Luckily, the shows’ sites have feed-like JSON AJAH pages that are easily massaged into a true RSS feeds, so here are substitute feeds. Share and enjoy:

The Daily Show Full Episodes RSS Feed

The Colbert Report Full Episode RSS Feed

The Nightly Show Full Episode RSS Feed

The feeds update every hour, although the shows only appear the morning after their cable broadcast. The Python (and mustache!) shell, XSL (and sed!) source can be viewed in the full-episode feed directory.

The Snout of Development

A resting Eurasian Lynx

Eurasian Lynx by Michaelphillipr

I finally got around to converting Lynxlet from Ye Olde CVS repository into Subversion. By default the cvs2svn tool uses the customary trunk/branch/tag naming. I’ve never much like this naming scheme, in part because “tag” breaks the botanical morphology theme (shouldn’t it be trunk/branch/leaf?)

Since Lynx are carnivores, I decided mammalian anatomy would be more appropriate. So now main development is done on the “snout”, speculative versions are on “tails” and snap-shots of individual releases are “paw-prints.” See where Lynxlet’s snout leads it at the Habilis Public Subversion Repositories.

An Offering to the Singularity: The Sheep Enterprise

Once the Singularity arrives and we have all been uploaded to androids, we will surely dream of electric sheep. But how will we take care of these virtual flocks? Luckily, “The Sheep Enterprise” from 1950 explains everything one needs to know about raising and maintaining sheep, electric or otherwise.

Cover of "The Sheep Enterprise"

The Sheep Enterprise: How to establish and maintain the farm flock
Circular 657 (revised version of Circular 534)
University of Illinois, College of Agriculture, Extension Service in Agriculture and Home Economics
By W. G. Kammlade and U. S. Garrigus
May, 1950

PDF with searchable text, 8 MB, 48 Pages, slightly chewed by mice.