What do we do?

I guess we do this:


Restoring Chizumatic’s sidebar to its rightful place was a task worth pursuing, but since the Minx templates generate tag soup, standard validation tools produced too many errors to help much (W3C’s produced ~700 errors, compared to this page’s 16, 14 of which are parser errors in Amazon search URLs).

So I tried a different approach:

#!/usr/bin/perl
# Track <div> nesting depth line by line: print every line that opens or
# closes a div, prefixed with the depth before that line, the input line
# number ($.) and the number of tags the line contained.
my $l = 0;
while (<STDIN>) {
    next unless /<\/?div/i;
    if (my @x = /<div/gi) {
        print "[$l] $. ", @x + 0, " $_\n";
        $l += @x;
    }
    if (my @x = /<\/div/gi) {
        print "[$l] $. ", @x + 0, " $_\n";
        $l -= @x;
    }
}
print "[$l]\n";

Skimming through the output, I saw that the inline comments started at level 6, until I reached comment 8 in the “Shingu 20” entry, which started at level 7. Sure enough, what should have been a (pardon my french) <tt></div></p></div></tt> in the previous comment was just a <tt></p></div></tt>.
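The same depth-tracking idea in Python, as an added example rather than the script from the post: it goes one step further by comparing the depth at which each repeated entry (here, every line carrying a constructed marker such as class="comment") starts, and reports the first entry that drifts together with the previous entry, which is the block that lost its closing tag. The sample HTML is constructed here, not taken from Chizumatic.

```python
import re

# Constructed sample (not from the post): three comment blocks, the second
# of which is missing its closing </div>, the defect described above.
SAMPLE_HTML = """\
<div class="page">
<div class="entry">
<div class="comment"><p>first</p></div>
<div class="comment"><p>second</p>
<div class="comment"><p>third</p></div>
</div>
</div>
"""

DIV_OPEN = re.compile(r"<div\b", re.I)
DIV_CLOSE = re.compile(r"</div\b", re.I)


def div_depths(html):
    """For each line that touches a <div>: (lineno, depth before the line,
    opens, closes, text). Also returns the final depth, 0 only if balanced."""
    depth, rows = 0, []
    for n, line in enumerate(html.splitlines(), 1):
        opens = len(DIV_OPEN.findall(line))
        closes = len(DIV_CLOSE.findall(line))
        if opens or closes:
            rows.append((n, depth, opens, closes, line))
            depth += opens - closes
    return rows, depth


def first_depth_drift(html, marker):
    """Every div line containing `marker` should begin at the same depth.
    Return (line, expected, actual, suspect) for the first one that does not,
    where `suspect` is the previous marker line (the block that lost a closing
    tag), or None when no entry drifts."""
    expected, previous = None, None
    for n, depth, _, _, line in div_depths(html)[0]:
        if marker not in line:
            continue
        if expected is None:
            expected = depth
        elif depth != expected:
            return n, expected, depth, previous
        previous = n
    return None


if __name__ == "__main__":
    rows, final = div_depths(SAMPLE_HTML)
    for n, depth, opens, closes, line in rows:
        print(f"[{depth}] {n} +{opens} -{closes} {line}")
    print(f"[{final}]", first_depth_drift(SAMPLE_HTML, 'class="comment"'))
```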

[Update: fixing one bad Amazon URL removed 14 of the 16 validation errors on this page, and correcting a Movable Type auto-formatting error got rid of the other two. See, validation is easy! :-)]

We, uh, "fixed the glitch"

I hate it when fixing one problem breaks something else, especially when it’s subtle.

A few weeks ago while testing our new IPSec VPN connections to external partners, we discovered that I could ssh/scp through the VPN from my Macs, but none of our Linux boxes could, and another Mac running allegedly-identical software had horrible performance issues.

The fix was a change in the OpenBSD firewall that also served as the IPSec endpoint: scrub reassemble tcp. The problem went away like magic.

Today, we found out that there’s a single external partner we have to post some data to via an HTTPS connection, and it worked fine from machines outside of our firewall, but failed about 50% of the time from all the machines inside our firewall.

…except for my Macs, which worked 100% of the time. I fired up a CentOS 5 Parallels session on one of them, and it failed 50% of the time. Surely it couldn’t be…

It was. Remove the scrub line, and the HTTPS post worked from everywhere, but now my IPSec VPNs were hosed again. The compromise was to reassemble TCP only for traffic headed to the two IPSec endpoints, and apply ordinary scrubbing to the rest of the inbound traffic:

scrub from any to $IPSEC1_INT reassemble tcp
scrub from any to $IPSEC2_INT reassemble tcp
scrub in

The root cause appears to be the partner’s IIS server failing to properly implement RFC 1323, causing some of the fragmented packets to be rejected during reassembly.

"Blogger Code of Conduct"

Lots of folks are piling on Tim O’Reilly for his efforts to create a kinder, gentler blogger. While my initial reaction consisted of three words, ending in “yourself”, I thought I’d actually read it and see if he says anything new or interesting on the subject. Short version: “can’t we all just get along?”.

1. We take responsibility for our own words and for the comments we allow on our blog.

Too wimpy. I take ownership of my words, and control over whether anyone else can say anything at all here. They’re responsible for what they say; I just decide if it annoys me enough to hit the delete button.

We are committed to the "Civility Enforced" standard: we will not post unacceptable content, and we'll delete comments that contain it.

We define unacceptable content as anything included or linked to that:
- is being used to abuse, harass, stalk, or threaten others
- is libelous, knowingly false, ad-hominem, or misrepresents another person,
- infringes upon a copyright or trademark
- violates an obligation of confidentiality
- violates the privacy of others

As much as I might agree with the individual points, I wouldn’t describe them all as “uncivil”. Some are unethical, some are criminal, but there’s a whole lot more to being “civil” than refraining from crimes and misdemeanors. Perhaps a section on “not redefining commonly-understood words” should be appended to this Code.

2. We won't say anything online that we wouldn't say in person.

I will, and I’m not even one of the many bloggers who obscures their identity to avoid some form of retaliation. There are things I’ll say here that I won’t say on the street, and things I won’t say here that I’ll cheerfully say to someone standing next to me at the local adult bookstore. Different places, different audience, different speech.

3. We connect privately before we respond publicly.

Once upon a time, I followed the ancient Usenet maxim “take it to email”. But that was long ago and far away, and besides, the wench is dead. Despite the common requirement for a valid email address on most comment forms, these days most people neither want nor expect an email response to a public comment or blog posting. And to be quite blunt, I often don’t want to talk privately to someone who’s being an ass.

There is one and only one person who’s been banned from commenting on this blog, and he was such a persistent nuisance that I simply blocked all of his university’s public labs in my firewall rules, completely cutting off everyone who used them from my words and pictures. I had no interest in discussing this with him; I made one public statement on the matter and he didn’t change his behavior, so I quietly erased him from my universe.

4. When we believe someone is unfairly attacking another, we take action.

They’re adults, let them deal with their own problems. If I don’t have any interest in either party, it’s none of my damn business.

5. We do not allow anonymous comments.

I do. I’m not fond of falsely-attributed comments, however, and reserve the right to decide whether or not you’re who you claim to be. Actually, I reserve all rights; it’s my site, after all.

6. We ignore the trolls.

[I disbelieve]

My favorite part is the two “certifiably something-or-other” graphics, which I’ll cheerfully swipe and snicker at:

[image: “There’s a new sheriff in town” badge] [image: “Free Speech Zone” dynamite]

I think these images are misleading and, frankly, silly. I think they should more openly reflect the desired audience by replacing the badge with a ballgag and the dynamite with goatse.

If I'm paying for hotel broadband...

…I expect it to actually work correctly. The Luxor in Las Vegas fails this test. They redirect any outgoing port 25 connections to their server, which silently discards the messages, and they do something peculiar to SSL traffic that made it impossible for me to establish a secure IMAP session with my server. The server showed a connection attempt, but never saw the username and password, and my mailer took a long time to time out.

Favicons are evil, but I have one anyway

Why? Because if I have one, each visitor will request it once and cache it indefinitely. If I don’t, they’ll ask for it again and again (with some browsers, every time they load a page), crufting up my logs.

Dear AriZona Beverage,

Okay, I’m on your web site. I’m in your online store. I’m even in your shopping cart, preparing to make a purchase. So why are you still hitting me with animated banner ads for your products? Do I seem somehow unmotivated as a customer?

Wouldn’t it be more useful to advertise your products on other sites? Perhaps if you informed people of the full range of your product line, distributors and retailers would actually order more than the five flavors they usually stock (only two of which are drinkable).

Given the glucose tolerance, I would cheerfully drink myself to death on your Lemon Tea and Arnold Palmer, but these days I need the Splenda-sweetened stuff, which I simply can’t buy in stores. I’d really like to try it once before ordering a case from an online dealer I’ve never heard of before (like the one whose employees seem to have been recruited from a phone-sex service).

Now "astroturf" means "anyone I don't like"...

The often amusing, usually gullible technophiles at BoingBoing have struck again, with Cory Doctorow’s stunned discovery that an organization that’s been attacking PETA for years receives funding from frequent PETA targets.

Never mind the factual truth of their claims about PETA and other lifestyle lobbies, or that PETA itself is about as “grassroots” as a concrete driveway; Cory Doctorow has done a “little digging”, and determined that The Center for Consumer Freedom has (gasp!) industry ties (oh noes!), and therefore must be a tool of The Man, spouting nothing but lies.

Welcome to 1997, Mr. Doctorow. Here, have a 30,000-calorie sandwich and a clue.

“Need a clue, take a clue,
 got a clue, leave a clue”